Mandatory access control

Last updated

In computer security, mandatory access control (MAC) refers to a type of access control by which a secured environment (e.g., an operating system or a database) constrains the ability of a subject or initiator to access or modify on an object or target. [1] In the case of operating systems, the subject is a process or thread, while objects are files, directories, TCP/UDP ports, shared memory segments, or IO devices. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, the operating system kernel examines these security attributes, examines the authorization rules (aka policy) in place, and decides whether to grant access. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc.

Contents

In mandatory access control, the security policy is centrally controlled by a policy administrator and is guaranteed (in principle) to be enforced for all users. Users cannot override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions or assign security attributes.

Historically and traditionally, MAC has been closely associated with multilevel security (MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently,[ when? ] however, MAC has deviated out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as SELinux and AppArmor for Linux and Mandatory Integrity Control for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.

History and background

Historically, MAC was strongly associated with multilevel security (MLS) as a means of protecting classified information of the United States. The Trusted Computer System Evaluation Criteria (TCSEC), the seminal work on the subject and often known as the Orange Book, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". [2] Early implementations of MAC such as Honeywell's SCOMP, USAF's SACDIN, NSA's Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement.

The word "mandatory" in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by the order of a government such as the Executive Order 12958. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms. Only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of an MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified "Top Secret" information and uncleared users than for one with "Secret" information and users cleared to at least "Confidential." To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. [3] Two relatively independent components of robustness were defined: Assurance level and functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.

The Common Criteria standard [4] is based on this science and it intended to preserve the assurance level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC level C2 [5] (not a MAC-capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP). [6] MLS Protection Profiles (such as MLSOSPP similar to B2) [7] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown. An unknown program might comprise an untrusted application where the system should monitor or control accesses to devices and files.

A few MAC implementations, such as Unisys' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.

In operating systems

Microsoft

Starting with Windows Vista and Server 2008, Microsoft has incorporated Mandatory Integrity Control (MIC) in the Windows operating system, which adds integrity levels (IL) to running processes. The goal is to restrict access of less trustworthy processes to sensitive info. MIC defines five integrity levels: Low, medium, high, system, and trusted installer. [8] By default, processes started at medium IL. Elevated processes receive high IL. [9] Child processes, by default, inherit their parent's integrity, although the parent process can launch them with a lower IL. For example, Internet Explorer 7 launches its subprocesses with low IL. Windows controls access to objects based on ILs. Named objects, including files, registry keys or other processes and threads, have an entry in their ACL indicating the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object’s IL. Furthermore, to prevent access to sensitive data in memory, processes can’t open processes with a higher IL for read access. [10]

Apple

Apple Inc. has incorporated an implementation of the TrustedBSD framework in its iOS and macOS operating systems. [11] (The word "mac" in "macOS" is short for "Macintosh" and has nothing to do with the abbreviation of "mandatory access control.") The command-line function sandbox_init provides a limited high-level sandboxing interface. [12]

Google

Version 5.0 and later of the Android operating system, developed by Google, use SELinux to enforce a MAC security model on top of its original UID-based DAC approach. [13]

Linux family

Linux and many other Unix distributions have MAC for CPU (multi-ring), disk, and memory. While OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives.[ citation needed ]

Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.

Smack (Simplified Mandatory Access Control Kernel) is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal. [14] It has been officially merged since the Linux 2.6.25 release. [15]

TOMOYO Linux is a lightweight MAC implementation for Linux and Embedded Linux, developed by NTT Data Corporation. It has been merged in Linux Kernel mainline version 2.6.30 in June 2009. [16] Differently from the label-based approach used by SELinux, TOMOYO Linux performs a pathname-based Mandatory Access Control, separating security domains according to process invocation history, which describes the system behavior. Policy are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are 4 modes: disabled, learning, permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses occurred in the kernel are automatically analyzed and stored to generate MAC policy: this mode could then be the first step of policy writing, making it easy to customize later.

SUSE Linux and Ubuntu 7.10 have added a MAC implementation called AppArmor, which utilizes the Linux Security Modules (LSM) interface of Linux 2.6. LSM provides a kernel API that allows modules of kernel code to govern ACL (DAC ACL, access-control lists). AppArmor is not capable of restricting all programs and is optionally in the Linux kernel as of version 2.6.36. [17]

grsecurity is a patch for the Linux kernel providing a MAC implementation (precisely, it is an RBAC implementation). grsecurity is not implemented via the LSM API. [18]

Astra Linux OS developed for Russian Army has its own mandatory access control. [19]

Other OSes

FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba and multilevel security.

Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. However note that the capability to manage labels does not imply the kernel strength to operate in multilevel security mode[ citation needed ]. Access to the labels and control mechanisms are not[ citation needed ] robustly protected from corruption in protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices are only weakly controlled[ citation needed ].

See also

Access control

Other topics

Footnotes

  1. Belim, S. V.; Belim, S. Yu. (December 2018). "Implementation of Mandatory Access Control in Distributed Systems". Automatic Control and Computer Sciences. 52 (8): 1124–1126. doi:10.3103/S0146411618080357. ISSN   0146-4116. S2CID   73725128.
  2. "Trusted Computer Evaluation Criteria" (PDF). National Institute of Standards and Technology. 15 August 1983. Archived (PDF) from the original on 13 April 2023. Retrieved 25 June 2023.
  3. "Technical Rational Behind CSC-STD-003-85: Computer Security Requirements". 1985-06-25. Archived from the original on July 15, 2007. Retrieved 2008-03-15.
  4. "The Common Criteria Portal". Archived from the original on 2006-07-18. Retrieved 2008-03-15.
  5. US Department of Defense (December 1985). "DoD 5200.28-STD: Trusted Computer System Evaluation Criteria" . Retrieved 2008-03-15.
  6. "Controlled Access Protection Profile, Version 1.d". National Security Agency. 1999-10-08. Archived from the original on 2012-02-07. Retrieved 2008-03-15.
  7. "Protection Profile for Multi-Level Operating Systems in Environments Requiring Medium Robustness, Version 1.22" (PDF). National Security Agency. 2001-05-23. Retrieved 2018-10-06.
  8. Matthew Conover. "Analysis of the Windows Vista Security Model". Symantec Corporation. Archived from the original on 2008-03-25. Retrieved 2007-10-08.
  9. Steve Riley. "Mandatory Integrity Control in Windows Vista" . Retrieved 2007-10-08.
  10. Mark Russinovich. "PsExec, User Account Control and Security Boundaries" . Retrieved 2007-10-08.
  11. TrustedBSD Project. "TrustedBSD Mandatory Access Control (MAC) Framework" . Retrieved 2008-03-15.
  12. "sandbox_init(3) man page". 2007-07-07. Archived from the original on 2008-07-25. Retrieved 2008-03-15.
  13. "Security-Enhanced Linux in Android". Android Open Source Project. Archived from the original on 19 June 2023. Retrieved 25 June 2023.
  14. "Official SMACK documentation from the Linux source tree". Archived from the original on 2013-05-01.
  15. Jonathan Corbet. "More stuff for 2.6.25". Archived from the original on 2012-11-02.
  16. "TOMOYO Linux, an alternative Mandatory Access Control". Linux 2 6 30. Linux Kernel Newbies.
  17. "Linux 2.6.36 released 20 October 2010". Linux 2.6.36. Linux Kernel Newbies.
  18. "Why doesn't grsecurity use LSM?".
  19. (in Russian) Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации Archived 2014-07-16 at the Wayback Machine

Related Research Articles

In the security engineering subspecialty of computer science, a trusted system is one that is relied upon to a specified extent to enforce a specified security policy. This is equivalent to saying that a trusted system is one whose failure would break a security policy.

<span class="mw-page-title-main">Security-Enhanced Linux</span> Linux kernel security module

Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC).

In computer security, an access-control list (ACL) is a list of permissions associated with a system resource. An ACL specifies which users or system processes are granted access to resources, as well as what operations are allowed on given resources. Each entry in a typical ACL specifies a subject and an operation. For instance,

The Bell–LaPadula model (BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell, and Leonard J. LaPadula, subsequent to strong guidance from Roger R. Schell, to formalize the U.S. Department of Defense (DoD) multilevel security (MLS) policy. The model is a formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. Security labels range from the most sensitive, down to the least sensitive.

Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability is a communicable, unforgeable token of authority. It refers to a value that references an object along with an associated set of access rights. A user program on a capability-based operating system must use a capability to access an object. Capability-based security refers to the principle of designing user programs such that they directly share capabilities with each other according to the principle of least privilege, and to the operating system infrastructure necessary to make such transactions efficient and secure. Capability-based security is to be contrasted with an approach that uses traditional UNIX permissions and Access Control Lists.

The Biba Model or Biba Integrity Model developed by Kenneth J. Biba in 1975, is a formal state transition system of computer security policy describing a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. The model is designed so that subjects may not corrupt data in a level ranked higher than the subject, or be corrupted by data from a lower level than the subject.

Rule-set-based access control (RSBAC) is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000.

Trusted Solaris is a discontinued security-evaluated operating system based on Solaris by Sun Microsystems, featuring a mandatory access control model.

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission on to any other subject.

Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications, permit access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization. There are two contexts for the use of multilevel security.

Linux Security Modules (LSM) is a framework allowing the Linux kernel to support, without bias, a variety of computer security models. LSM is licensed under the terms of the GNU General Public License and is a standard part of the Linux kernel since Linux 2.6. AppArmor, SELinux, Smack, and TOMOYO Linux are the currently approved security modules in the official kernel.

The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access control (DAC). Access clearance is first given to a subject accessing objects based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In the Linux security module (LSM) in SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before multilevel security (MLS) or its replacement multi categories security (MCS). It is a complement of role-based access control (RBAC).

Multi categories security (MCS) is an access control method in Security-Enhanced Linux that uses categories attached to objects (files) and granted to subjects at the operating system level. The implementation in Fedora Core 5 is advisory because there is nothing stopping a process from increasing its access. The eventual aim is to make MCS a hierarchical mandatory access control system. Currently, MCS controls access to files and to ptrace or kill processes. The level of control MCS should have over access to directories and other file system objects has not yet been decided.

The XTS-400 is a multilevel secure computer operating system. It is multiuser and multitasking that uses multilevel scheduling in processing data and information. It works in networked environments and supports Gigabit Ethernet and both IPv4 and IPv6.

Solaris Trusted Extensions is a set of security extensions incorporated in the Solaris 10 operating system by Sun Microsystems, featuring a mandatory access control model. It succeeds Trusted Solaris, a family of security-evaluated operating systems based on earlier versions of Solaris.

Low Water-Mark Mandatory Access Control (LOMAC) is a Mandatory Access Control model which protects the integrity of system objects and subjects by means of an information flow policy coupled with the subject demotion via floating labels. In LOMAC, all system subjects and objects are assigned integrity labels, made up of one or more hierarchical grades, depending on their types. Together, these label elements permit all labels to be placed in a partial order, with information flow protections and demotion decisions based on a dominance operator describing the order.

Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This mechanism's goal is to restrict the access permissions for potentially less trustworthy contexts, compared with other contexts running under the same user account that are more trusted.

<span class="mw-page-title-main">Kernel (operating system)</span> Core of a computer operating system

The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. The kernel is also responsible for preventing and mitigating conflicts between different processes. It is the portion of the operating system code that is always resident in memory and facilitates interactions between hardware and software components. A full kernel controls all hardware resources via device drivers, arbitrates conflicts between processes concerning such resources, and optimizes the utilization of common resources e.g. CPU & cache usage, file systems, and network sockets. On most systems, the kernel is one of the first programs loaded on startup. It handles the rest of startup as well as memory, peripherals, and input/output (I/O) requests from software, translating them into data-processing instructions for the central processing unit.

<span class="mw-page-title-main">Tomoyo Linux</span> Linux kernel security module

Tomoyo Linux is a Linux kernel security module which implements mandatory access control (MAC).

<span class="mw-page-title-main">Trusted Computer System Evaluation Criteria</span>

Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information.

References

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.