In a mandatory access control, what are the elements that are protected called?

Read section 3 on Discretionary Access Control (DAC) and section 4 on Mandatory Access Control (MAC). Why is DAC called discretionary and MAC non-discretionary? What is the main drawback or vulnerability presented when using DAC, and why is MAC not vulnerable as well? What do no read-up and no write-down mean?

Mandatory Access Control (MAC)

MAC security policies govern access on the basis of the classifications of subjects and objects in the system [6]. Objects are the passive entities storing information, for example relations, tuples in a relation, and so on. Subjects are active entities that access the objects, usually active processes operating on behalf of users.

An access class consists of two components: a security level and a set of categories.

The security level is an element of a hierarchically ordered set. The levels often considered are Top Secret (TS), Secret (S), Confidential (C) and Unclassified (U), where TS > S > C > U.

The set of categories is an unordered set, for example, NATO, Nuclear, Army etc.

The security level of the access class associated with an object reflects the sensitivity of the information contained in the object, that is, the potential damage which could result from unauthorized disclosure of the information [7]. The security level of the access class associated with a user is called clearance, which reflects the user's trustworthiness not to disclose sensitive information to users not cleared to it.

Access control in mandatory protection systems is based on the following two principles:

  • No read-up/Read down: A subject can read only those objects whose access class is dominated by the access class of the subject.

  • No write-down/Write up: A subject can write only those objects whose access class dominates the access class of the subject.

Satisfaction of these principles prevents more sensitive information from flowing to objects at lower levels and hence preserves the confidentiality of sensitive information. The effect of these rules can be diagrammatically represented as shown in fig. 5.

Fig 4: Example of Trojan horse

Fig 5: Controlling information flow for secrecy

MAC can as well be applied for the protection of information integrity [7]. For example, the integrity levels could be Crucial (C), Important (I) and Unknown (U). The integrity level associated with an object reflects the degree of trust that can be placed in the information stored in the object, and the potential damage that could result from unauthorized modification of the information. The integrity level associated with a user reflects the user's trustworthiness for inserting, modifying, or deleting data or programs at that level. The principles that are required to hold are as follows.

  • Read up - A subject's integrity level must be dominated by the integrity level of the object being read.

  • Write down - A subject's integrity level must dominate the integrity level of the object being written.

The effect of these rules can be diagrammatically represented as shown in fig. 6.

    MAC models are not vulnerable to Trojan horse attacks: consider fig. 4. If Tom is not allowed read access to table Market, then under MAC control table Market will have an access class that is either higher than or incomparable to the access class given to Tom. But then a subject able to read Market would not be able to write table Stolen, and hence the Trojan horse would not be able to complete its function.

    Mandatory Access Control

    Mandatory access control (MAC) is a system-enforced access control mechanism that is based on label relationships. The system associates a sensitivity label with all processes that are created to execute programs. MAC policy uses this label in access control decisions. In general, processes cannot store information or communicate with other processes, unless the label of the destination is equal to the label of the process. MAC policy permits processes to read data from objects at the same label or from objects at a lower label. However, the administrator can create a labeled environment in which few lower-level objects or no lower-level objects are available.

    By default, MAC policy is invisible to you. Regular users cannot see objects unless they have MAC access to those objects. In all cases, users cannot take any action that is contrary to MAC policy.

    Sensitivity Labels and Clearances

      A label has the following two components:

    • Classification, also referred to as a level

      This component indicates a hierarchical level of security. When applied to people, the classification represents a measure of trust. When applied to data, a classification is the degree of protection that is required.

      In the U.S. Government, the classifications are TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED. Industry classifications are not as standardized. Unique classifications can be established by a company. For an example, see Figure 1–2. The terms on the left are classifications. The terms on the right are compartments.

    • Compartments, also referred to as categories

      A compartment represents a grouping, such as a work group, department, project, or topic. A classification does not have to have a compartment. In Figure 1–2, the Confidential classification has three exclusive compartments. Public and Max Label have no compartments. As the figure shows, five labels are defined by this organization.

    Trusted Extensions maintains two types of labels: sensitivity labels and clearances. A user can be cleared to work at one or more sensitivity labels. A special label, known as the user clearance, determines the highest label at which a user is permitted to work. In addition, each user has a minimum sensitivity label. This label is used by default during login to a multilevel desktop session. After login, the user can choose to work at other labels within this range. A user could be assigned Public as the minimum sensitivity label and Confidential: Need to Know as the clearance. At first login, the desktop workspaces are at the label Public. During the session, the user can create workspaces at Confidential: Internal Use Only and Confidential: Need to Know.

    Figure 1-2  Typical Industry Sensitivity Labels

    All subjects and objects have labels on a system that is configured with Trusted Extensions. A subject is an active entity, usually a process. The process causes information to flow among objects or changes the system state. An object is a passive entity that contains or receives data, such as a data file, directory, printer, or other device. In some cases, a process can be an object, such as when you use the kill command on a process.

    Figure 1–3 shows a typical multilevel Trusted Extensions session. The trusted stripe is at the top. The Trusted Path menu is invoked from the trusted stripe. To assume a role, click the user name to invoke the roles menu. The workspace switches in the bottom panel display the color of the workspace label. The window list in the bottom panel displays the color of the window's label.

    Figure 1-3  Typical Multilevel Session

    Containers and Labels

    Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is an administrative zone and is not available to users. Non-global zones are called labeled zones. Labeled zones are available to users. The global zone shares some system files with users. When these files are visible in a labeled zone, the label of these files is ADMIN_LOW. Users can read, but cannot change, the contents of an ADMIN_LOW file.

    Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. Therefore, one zone cannot write into another zone.

    However, the administrator can configure specific zones to be able to read specific directories from other zones. The other zones could be on the same host, or on a remote system. For example, a user's home directory in a lower-level zone can be mounted by using the automount service. The pathname convention for such lower-level home mounts includes the zone name, as follows:

    /zone/name-of-lower-level-zone/home/username

    The following terminal window illustrates lower-level home directory visibility. A user whose login label is Confidential: Internal Use Only can view the contents of the Public zone when the automount service is configured to make lower-level zones readable. The textfileInfo.txt file has two versions. The Public zone version contains information that can be shared with the public. The Confidential: Internal Use Only version contains information that can be shared within the company only.

    Figure 1-4  Viewing Public Information From a Higher-Label Zone

    Labels and Transactions

      Trusted Extensions software manages all attempted security-related transactions. The software compares the subject's label with the object's label, then allows or disallows the transaction depending on which label is dominant. An entity's label is said to dominate another entity's label if the following two conditions are met:

    • The classification component of the first entity's label is equal to or higher than the classification of the second entity's (the object's) label.

    • All compartments in the second entity's labels are included in the first entity's label.

    Two labels are said to be equal if the labels have the same classification and the same set of compartments. If the labels are equal, the labels dominate each other. Therefore, access is permitted.

    If one of the following conditions is met, then the first label is said to strictly dominate the second label.

    • The first label has a higher classification than a second label

    • The first label's classification is equal to a second label's classification, the first label includes the second label's compartments, and the first label has additional compartments

    A label that strictly dominates a second label is permitted access to the second label.

    Two labels are said to be disjoint if neither label dominates the other label. Access is not permitted between disjoint labels.

    For example, consider the following figure, which shows the classification TOP SECRET and the two compartments A and B.

      Four labels can be created from these components:

    • TOP SECRET

    • TOP SECRET A

    • TOP SECRET B

    • TOP SECRET AB

    TOP SECRET AB dominates itself and strictly dominates the other labels. TOP SECRET A dominates itself and strictly dominates TOP SECRET. TOP SECRET B dominates itself and strictly dominates TOP SECRET. TOP SECRET A and TOP SECRET B are disjoint.

    In a read transaction, the subject's label must dominate the object's label. This rule ensures that the subject's level of trust meets the requirements for access to the object. That is, the subject's label includes all compartments that are allowed access to the object. TOP SECRET A can read TOP SECRET A and TOP SECRET data. Similarly, TOP SECRET B can read TOP SECRET B and TOP SECRET data. TOP SECRET A cannot read TOP SECRET B data. Nor can TOP SECRET B read TOP SECRET A data. TOP SECRET AB can read the data at all labels.

    In a write transaction, that is, when a subject creates or modifies an object, the resulting object's labeled zone must equal the subject's labeled zone. Write transactions are not allowed from one zone to a different zone.

    In practice, subjects and objects in read and write transactions usually have the same label and strict dominance does not have to be considered. For example, a TOP SECRET A subject can create or modify a TOP SECRET A object. In Trusted Extensions, the TOP SECRET A object is in a zone that is labeled TOP SECRET A.
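    As an added example (not code from the paper or from the Trusted Extensions documentation quoted above), the dominance relation and the read/write rules just described, applied to the labels of Table 1-1 and to the Trojan horse argument of fig. 4. The Label class, the function names and the compartment universe A, B, C are assumptions of this example; the classification order is the U.S. Government one given on the page.

```python
from dataclasses import dataclass
from itertools import combinations
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # lowest to highest
@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()
    def dominates(self, other):
        # Both page conditions: classification equal or higher, and all of the
        # other label's compartments included in this one.
        return (LEVELS.index(self.classification) >= LEVELS.index(other.classification)
                and self.compartments >= other.compartments)

def L(classification, *compartments):
    """Shorthand: L("TOP SECRET", "A", "B") is the page's TOP SECRET AB."""
    return Label(classification, frozenset(compartments))

def relationship(a, b):
    """Name the pair's relationship in the vocabulary of Table 1-1."""
    ab, ba = a.dominates(b), b.dominates(a)
    if ab and ba:
        return "equals"
    if ab:
        return "strictly dominates"
    return "is strictly dominated by" if ba else "is disjoint with"

def can_read(subject, obj):
    """No read-up: the subject's label must dominate the object's label."""
    return subject.dominates(obj)

def can_write(subject, obj):
    """No write-down (the paper's secrecy rule): the object's label must dominate the subject's."""
    return obj.dominates(subject)

def can_write_in_zone(subject, obj):
    """Trusted Extensions is stricter: a write must stay in the subject's own labeled zone."""
    return subject == obj

def leak_labels(source, sink, universe=("A", "B", "C")):
    """Labels at which a process could both read `source` and write `sink` (the Trojan
    horse of fig. 4). Empty whenever `sink` does not dominate `source`: no copy is possible."""
    found = []
    for level in LEVELS:
        for n in range(len(universe) + 1):
            for comps in combinations(universe, n):
                lab = L(level, *comps)
                if can_read(lab, source) and can_write(lab, sink):
                    found.append(lab)
    return found
```

    With Market at SECRET and Stolen at Tom's CONFIDENTIAL level, leak_labels returns an empty list: every label that can read Market is too high to write Stolen.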

    The following table illustrates dominance relationships among U.S. Government labels and among a set of industry labels.

    Table 1-1  Examples of Label Relationships in Trusted Extensions

    Label 1                          Relationship            Label 2
    ------------------------------------------------------------------------------------
    U.S. Government Labels
    TOP SECRET AB                    (strictly) dominates    SECRET A
    TOP SECRET AB                    (strictly) dominates    SECRET A B
    TOP SECRET AB                    (strictly) dominates    TOP SECRET A
    TOP SECRET AB                    dominates (equals)      TOP SECRET AB
    TOP SECRET AB                    is disjoint with        TOP SECRET C
    TOP SECRET AB                    is disjoint with        SECRET C
    TOP SECRET AB                    is disjoint with        SECRET A B C

    Industry Labels
    Confidential: Restricted         dominates               Confidential: Need to Know
    Confidential: Restricted         dominates               Confidential: Internal Use Only
    Confidential: Restricted         dominates               Public
    Confidential: Need to Know       dominates               Confidential: Internal Use Only
    Confidential: Need to Know       dominates               Public
    Confidential: Internal Use Only  dominates               Public
    Sandbox                          is disjoint with        All other labels

    When you transfer information between files with different labels, Trusted Extensions displays a confirmation dialog box if you are authorized to change the label of the file. If you are not authorized to do so, Trusted Extensions disallows the transaction. The security administrator can authorize you to upgrade or downgrade information. For more information, see Performing Trusted Actions.

    What are the elements of access control?

    The three elements of access control:
    Identification: For access control to be effective, it must provide some way to identify an individual. ...
    Authentication: Identification requires authentication. ...
    Authorization: The set of actions allowed to a particular identity makes up the meat of authorization.

    What is mandatory based access control?

    Mandatory access control is a method of limiting access to resources based on the sensitivity of the information that the resource contains and the authorization of the user to access information with that level of sensitivity. You define the sensitivity of the resource by means of a security label.

    Which of the following is a type of mandatory access control?

    Mandatory access control (MAC) is a model of access control where the operating system provides users with access based on data confidentiality and user clearance levels. In this model, access is granted on a need to know basis: users have to prove a need for information before gaining access.
    See also:
    Bell–LaPadula model.
    Access-control list.
    Attribute-based access control (ABAC).
    Context-based access control (CBAC).
    Discretionary access control (DAC).
    Lattice-based access control (LBAC).
    Organisation-based access control (OrBAC).
    Role-based access control (RBAC).