Mandatory Access Control (MAC) is an access control model used in highly classified environments. It relies on a system-wide security policy to decide access rather than letting individual owners decide; the policy dictates who can access what. Windows Vista implements a form of MAC called Mandatory Integrity Control (MIC), based on the Biba model, which protects integrity by controlling writes and deletions. MIC defines four integrity levels (low, medium, high, system); child processes usually inherit their parent's level, but the level can be customized per process.
2. Access Control Overview
• Access Controls: The security features that control how users and systems
communicate and interact with one another
• Access: The flow of information between subject and object
• Subject: An active entity that requests access to an object or the data in an object
• Object: A passive entity that contains information
http://www.ifour-consultancy.com Offshore software development company India
3. Security Principles
The three main security principles also pertain to access control:
Confidentiality
Integrity
Availability
4. Access Control Models
• Discretionary
• Mandatory
• Role based
5. MAC: Mandatory Access Control
• A system-wide policy decrees who is allowed to have access
• Relies on the system to control access rather than individuals
• This model is used in highly classified and confidential environments (e.g. the military)
• Example: The law allows a court to access driving records without the owners’
permission
6. Security Policy Model
• A security policy model is a concise statement of the protection properties that a
system, or generic type of system, must have
• Traditional MAC mechanisms have been tightly coupled to a few security models
• Recently, systems support flexible security models (e.g., SELinux, Trusted Solaris,
TrustedBSD, etc.)
7. Why MAC?
• Need for consistency with global policies, which DAC cannot guarantee
• Control of information flow from one object to another, so that access to a copy is not
possible if the owner of the original does not grant access
• Control to prevent malicious or flawed software from modifying system policies; DAC
cannot prevent this when the program runs with the owner's access rights
8. Multilevel Security
• People and Information are classified into different levels of trust and sensitivity
• Clearance level : Indicates the highest level of classified information to be stored or
handled by the person, device, or location
• Classification level : Indicates the degree of damage the country could suffer if the
information is disclosed to an enemy
• Security level is a generic term for either a clearance level or a classification level
9. The Bell-LaPadula Security Policy Model
• Proposed by David Bell and Len LaPadula in 1973
• The most widely recognized MLS model
• Deals with confidentiality only
10. The Bell-LaPadula Security Policy Model
• Two properties: No read up and No write down
◦ Simple security property: Subject A is allowed to read object O only if
class(O) ≤ class(A)
◦ * property: Subject A is allowed to write object O only if class(A) ≤ class(O)
• The * property was Bell and LaPadula’s critical innovation
11. The Biba Model
• Proposed by Ken Biba
• Deals with integrity alone and ignores confidentiality entirely
• Covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
• Integrity levels cover inappropriate modification of data
12. The Biba Model
• Read Up, Write Down : Subjects cannot read objects of lesser integrity, and subjects
cannot write to objects of higher integrity
• Two properties:
◦ Simple Integrity Property (no read down): A high integrity subject will not read low
integrity data
◦ * Integrity Property (no write up): A low integrity subject will not write or modify
high integrity data
13. Multilateral Security
• To protect information from leaking between compartments on the same level
• Also known as compartmentation
• Example: Customers of an Internet bank can not see each others’ data nor can
they make their data visible to others (not even accidentally)
14. Multilateral Security
Different types:
• Organizational
• Privilege-based
• A mix
Multilateral security models:
• The Chinese Wall Model
• The BMA Model (British Medical Association)
15. The Chinese Wall Model
• Proposed by David Brewer and Michael Nash 1989
• Rules to prevent conflict of interest
• Rule: There must be no information flow that causes a conflict of interest
• Conflict of Interest (CoI) classes: indicate which companies are in competition.
16. Example: Conflict of Interest (CoI) classes
Figure: company datasets (Bank A, Bank B, School 1, School 2, School 3), each holding its
files, grouped into conflict of interest (CoI) classes, one for the competing banks and one
for the competing schools.
17. The Chinese Wall Model
Simple security rule (Read rule):
A subject s can access company c's data only if
◦ s has already accessed c's data
OR
◦ s has not accessed any of c's competitors' data
* Property (Write rule):
s can write to c's data only if s cannot read unsanitized data belonging to any other company
18. BMA Model(British Medical Association)
• Protects medical information
• Protects personal information of clients
• Famous in the health information sciences
19. BMA Model
The BMA security policy consists of nine principles:
1. Access Control – access control list
2. Record Opening
3. Control
4. Consent and Notification
5. Persistence – delete only after time period has expired
6. Attribution – record name, date and time
7. Information Flow – append if there is common access list
8. Aggregation Control – measures to prevent aggregation of personal health
information
9. Trusted Computing base
20. MAC Implementation in Windows Vista
• It is called Mandatory Integrity Control (MIC) in Windows Vista
• MIC implements a form of the Biba model, which ensures integrity by
controlling writes and deletions
1. Label on Subjects
2. Label on Objects
3. Access Control Policy
4. Relationship to DAC
5. Default levels
6. Integrity Levels
21. MAC Implementation in Windows Vista
Integrity levels: Windows Vista defines four integrity levels
Low: Everyone (e.g. processes and files that came from an untrusted source such as the Internet)
Medium: Standard users, authenticated users
High: Elevated (administrative) users
System: System services (Local System, Local Service, Network Service)
22. MAC Implementation in Windows Vista
• Usually, child processes inherit the integrity level of their parents, unless the
executable program running in the child process has a lower integrity level.
For example: downloaded executables
• The integrity level can also be customized on a per-process basis
For example: Internet Explorer 8
23. References
1. CIS/CSE 643: Computer Security (Syracuse University)
2. www.Wikipedia.com
3. http://www.cs.cornell.edu/courses/cs5430/2011sp/NL.accessControl.html
4. http://www.techotopia.com/index.php/Mandatory,_Discretionary,_Role_and_Rule_Based_Access_Control
5. Symbiosis students
1. Aswathi Jayaram
2. Manikaran Singh
3. Priti Patil
4. Sabari Nair
Editor's Notes
Offshore development company India – http://www.ifour-consultancy.com
user: a human
subject: a process executing on behalf of a user
object: a piece of data or a resource.
Discretionary Access Control
Unlike Mandatory Access Control (MAC) where access to system resources is controlled by the operating system (under the control of a system administrator), Discretionary Access Control (DAC) allows each user to control access to their own data. DAC is typically the default access control mechanism for most desktop operating systems.
Instead of a security label in the case of MAC, each resource object on a DAC based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the user has permitted access together with the level of access for each user or group. For example, User A may provide read-only access on one of her files to User B, read and write access on the same file to User C and full control to any user belonging to Group 1.
It is important to note that under DAC a user can only set access permissions for resources which they already own. A hypothetical User A cannot, therefore, change the access control for a file that is owned by User B. User A can, however, set access permissions on a file that she owns. Under some operating systems it is also possible for the system or network administrator to dictate which permissions users are allowed to set in the ACLs of their resources.
Discretionary Access Control provides a much more flexible environment than Mandatory Access Control but also increases the risk that data will be made accessible to users that should not necessarily be given access.
A discretionary access control (DAC) policy is a means of assigning access rights based on rules specified by users. This class of policies includes the file permissions model implemented by nearly all operating systems. In Unix, for example, a directory listing might yield "... rwxr-xr-x ... file.txt", meaning that the owner of file.txt may read, write, or execute it, and that other users may read or execute the file but not write it. The set of access rights in this example is {read, write, execute}, and the operating system mediates all requests to perform any of these actions. Users may change the permissions on files they own, making this a discretionary policy.
A mechanism implementing a DAC policy must be able to answer the question: "Does subject S have right R for object O?" Abstractly, the information needed to answer this question can be represented as a mathematical relation D on subjects, objects, and rights: if (S,O,R) is in D, then S does have right R for object O; otherwise, S does not. More practically, the same information could also be represented as an access control matrix. Each row of the matrix corresponds to a subject and each column to an object. Each cell of the matrix contains a set of rights.
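The following is an added example, not code from the original notes or their sources: it parses Unix mode strings such as "rwxr-xr-x" into an access control matrix, answers the "(S, O, R) in D?" question, and shows the discretionary part (only the owner may change the mode). The directory listing, user names and group memberships are constructed sample data.

```python
# Added example (not from the original page): a DAC policy over Unix mode strings.
# The directory listing and users below are constructed sample data.
from dataclasses import dataclass

RIGHTS = ("read", "write", "execute")


@dataclass(frozen=True)
class FileEntry:
    name: str
    mode: str    # the 9 permission characters printed by `ls -l`, e.g. "rwxr-xr-x"
    owner: str
    group: str


def parse_mode(mode: str) -> dict:
    """Split "rwxr-xr-x" into {"owner": {...}, "group": {...}, "other": {...}}."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode!r}")
    classes = {}
    for cls, triple in zip(("owner", "group", "other"), (mode[0:3], mode[3:6], mode[6:9])):
        rights = set()
        if triple[0] == "r":
            rights.add("read")
        if triple[1] == "w":
            rights.add("write")
        # lowercase 's'/'t' (setuid, setgid, sticky) imply the execute bit; 'S'/'T' do not
        if triple[2] in ("x", "s", "t"):
            rights.add("execute")
        classes[cls] = rights
    return classes


def rights_for(entry: FileEntry, user: str, groups: set) -> set:
    """Effective rights of `user` on `entry`: Unix applies the first matching
    class (owner, then group, then other), not the union of all three."""
    classes = parse_mode(entry.mode)
    if user == entry.owner:
        return classes["owner"]
    if entry.group in groups:
        return classes["group"]
    return classes["other"]


def access_matrix(entries, users: dict) -> dict:
    """Access control matrix: rows are subjects, columns objects, cells sets of rights."""
    return {u: {e.name: rights_for(e, u, grps) for e in entries} for u, grps in users.items()}


def has_right(matrix: dict, subject: str, obj: str, right: str) -> bool:
    """The question a DAC mechanism must answer: is (S, O, R) in D?"""
    return right in matrix.get(subject, {}).get(obj, set())


def chmod(entries: list, actor: str, name: str, new_mode: str) -> list:
    """The discretionary part: only the owner may change an object's permissions."""
    parse_mode(new_mode)  # validate before touching anything
    out = []
    for e in entries:
        if e.name == name:
            if actor != e.owner:
                raise PermissionError(f"{actor} does not own {name}")
            e = FileEntry(e.name, new_mode, e.owner, e.group)
        out.append(e)
    return out


# Constructed sample listing and users (not a real system)
LISTING = [
    FileEntry("file.txt", "rwxr-xr-x", "alice", "staff"),
    FileEntry("secret.txt", "rw-------", "bob", "staff"),
    FileEntry("deploy.sh", "rwsr-x---", "bob", "ops"),
]
USERS = {"alice": {"staff"}, "bob": {"staff", "ops"}, "carol": {"guests"}, "dave": {"ops"}}


def demo() -> dict:
    matrix = access_matrix(LISTING, USERS)
    return {
        "alice_write_file": has_right(matrix, "alice", "file.txt", "write"),
        "bob_write_file": has_right(matrix, "bob", "file.txt", "write"),
        "carol_read_file": has_right(matrix, "carol", "file.txt", "read"),
        "carol_read_secret": has_right(matrix, "carol", "secret.txt", "read"),
        "dave_exec_deploy": has_right(matrix, "dave", "deploy.sh", "execute"),
        "carol_exec_deploy": has_right(matrix, "carol", "deploy.sh", "execute"),
    }


if __name__ == "__main__":
    print(demo())
    try:  # Bob tries to open Alice's file to the world: refused, it is her object
        chmod(LISTING, "bob", "file.txt", "rwxrwxrwx")
    except PermissionError as e:
        print("denied:", e)
```

The matrix is rebuilt from the listing on every query here; a real kernel consults the inode's mode bits at open time, which is the same relation evaluated lazily.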
Role Based Access Control
Role Based Access Control (RBAC), also known as Non discretionary Access Control, takes more of a real world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role.
Roles differ from groups in that permissions are attached to the role, not to the individual: there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less. Some deployments also restrict each user to a single role, although the general RBAC model allows a user to hold several.
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.
DAC: Discretionary Access Control
– Definition: An individual user can set an access control mechanism to allow or deny access to an object.
– Relies on the object owner to control access.
– DAC is widely implemented in most operating systems, and we are quite familiar with it.
– Strength of DAC: Flexibility: a key reason why it is widely known and implemented in mainstream operating systems.
Limitation of DAC:
– Global policy: DAC lets users decide the access control policies on their data, regardless of whether those policies are consistent with the global policy. Therefore, if there is a global policy, DAC has trouble ensuring consistency.
– Information flow: information can be copied from one object to another, so access to a copy is possible even if the owner of the original does not provide access to the original copy. This has been a major concern for military.
– Malicious software: DAC policies can be easily changed by owner, so a malicious program (e.g., a downloaded untrustworthy program) running by the owner can change DAC policies on behalf of the owner.
– Flawed software: Similarly to the previous item, flawed software can be “instructed” by attackers to change its DAC policies.
In national security and military environments, documents are labeled according to their sensitivity levels. In the US, these range from Unclassified (anyone can see this) to Confidential to Secret and finally (we believe) to Top Secret; other countries use similar classifications. These levels correspond to the risk associated with release of the information.
But it is not sufficient to use only sensitivity levels to classify objects if one wants to comply with the need to know principle: access to information should only be granted if it is necessary to perform one's duties. Compartments are used to handle this decomposition of information. Every object is associated with a set of compartments (e.g. crypto, nuclear, biological, reconnaissance, etc.). An object associated with {crypto, nuclear} may be accessed only by subjects who need to know about both cryptography and nuclear weapons.
A label is a pair of a sensitivity level and a set of compartments. A document might have the label (Top Secret, {crypto,nuclear}) if it contained extremely sensitive information regarding cryptography and nuclear weapons. In practice, each paragraph in a document is assigned a set of compartments and a sensitivity. The classification of the entire document would then be the most restrictive classification given to a paragraph in that document.
Users are also labelled according to their security clearance. A user's clearance, just like a document's label, is a pair of a sensitivity level and a set of compartments.
Given two labels L1 = (S1, C1) and L2 = (S2, C2), we write that L1 ≤ L2---meaning that L1 is no more restrictive than L2---when
S1 ≤ S2, where Unclassified ≤ Confidential ≤ Secret ≤ Top Secret, and
C1 ⊆ C2.
Notice that ≤ is a partial order: it is possible to have two labels that are incomparable (e.g. (secret, {crypto}) vs. (top secret, {nuclear})) according to ≤. The following diagram depicts some of the ≤ relationships as a lattice, where a line from a label L1 lower in the lattice to a label L2 higher in the lattice denotes that L1 ≤ L2.
Proposed by David Bell and Len LaPadula in 1973, in response to U.S. Air Force concerns over the security of time-sharing mainframe systems.
The *-property was Bell and LaPadula’s critical innovation. It was driven by the fear that a user with “Secret” clearance might be “tricked” by attackers (e.g., through Trojan horse programs or software vulnerabilities) to copy down the information to a ”Unclassified” area where the attackers can read.
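The following is an added example, not code from the original slides or notes: it implements the (level, compartments) label order above, the join used to classify a document from its paragraphs, and the two Bell-LaPadula properties from slide 10, then checks the Trojan-horse copy that motivated the *-property. Level names and compartment names are the ones used on this page; the sample labels are constructed.

```python
# Added example (not from the original page): MLS labels as (level, compartments)
# and the Bell-LaPadula properties checked against the lattice order.
from typing import FrozenSet, Iterable, Tuple

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
Label = Tuple[str, FrozenSet[str]]


def label(level: str, *compartments: str) -> Label:
    if level not in LEVELS:
        raise ValueError(f"unknown sensitivity level {level!r}")
    return (level, frozenset(compartments))


def leq(l1: Label, l2: Label) -> bool:
    """L1 <= L2: S1 <= S2 and C1 is a subset of C2 (L2 dominates L1)."""
    return LEVELS[l1[0]] <= LEVELS[l2[0]] and l1[1] <= l2[1]


def comparable(l1: Label, l2: Label) -> bool:
    """The order is partial: some label pairs are neither <= nor >=."""
    return leq(l1, l2) or leq(l2, l1)


def join(l1: Label, l2: Label) -> Label:
    """Least upper bound: the least restrictive label that dominates both."""
    top = max(l1[0], l2[0], key=LEVELS.__getitem__)
    return (top, l1[1] | l2[1])


def document_label(paragraphs: Iterable[Label]) -> Label:
    """A document is classified at the join of its paragraphs' labels."""
    result = label("Unclassified")
    for p in paragraphs:
        result = join(result, p)
    return result


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): class(O) <= class(A)."""
    return leq(obj, subject)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): class(A) <= class(O)."""
    return leq(subject, obj)


def copy_allowed(subject: Label, src: Label, dst: Label) -> bool:
    """A copy is a read of src followed by a write to dst; both must pass.
    This is the case the *-property exists for: a Trojan running with a
    Secret user's clearance cannot copy Secret data into an Unclassified file."""
    return can_read(subject, src) and can_write(subject, dst)


if __name__ == "__main__":
    user = label("Secret", "crypto")
    memo = label("Secret", "crypto")
    public = label("Unclassified")
    print("read memo:", can_read(user, memo))
    print("copy memo -> public:", copy_allowed(user, memo, public))
    print("comparable:", comparable(label("Secret", "crypto"), label("Top Secret", "nuclear")))
```

Note that `can_write` permits a "blind" write up (a Secret subject writing into a Top Secret object); that is what the *-property says, and systems that find it impractical tighten it separately.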
All corporate information is stored in a hierarchically arranged filing system such as that shown in figure 1. There are three levels of significance:
– at the lowest level, we consider individual items of information, each concerning a single corporation. In keeping with BLP, we will refer to the files in which such information is stored as objects;
– at the intermediate level, we group all objects which concern the same corporation together into what we will call a company dataset;
– at the highest level, we group together all company datasets whose corporations are in competition. We will refer to each such group as a conflict of interest class.
Access is only granted if the object requested:
is in the same company dataset as an object already accessed by that subject, i.e. within the Wall,
or belongs to an entirely different conflict of interest class.
T1) Once a subject has accessed an object the only other objects accessible by that subject lie within the same company dataset or within a different conflict of interest class.
T2) A subject can at most have access to one company dataset in each conflict of interest class.
*-Property
Suppose two subjects, User-A and User-B, have between them access to the three datasets, Oil Company-A, Oil Company-B and Bank-A, in particular User-A has access to Oil Company-A and Bank-A and User-B has access to Oil Company-B and Bank-A. If User-A reads information from Oil Company-A and writes it to Bank-A then User-B can read Oil Company-A information. This should not be permitted, however, because of the conflict of interest between Oil Company-A and Oil Company-B. Thus indirect violations of the Chinese Wall policy are possible.
We can prevent such violations by insisting that:
Write access is only permitted if
access is permitted by the simple security rule, and
no object can be read which is in a different company dataset to the one for which write access is requested and contains unsanitized information.
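The following is an added example, not code from the original slides or notes: a reference monitor for the Chinese Wall read rule (slide 17) and the write rule just stated, keeping each subject's access history. "No object can be read which ... contains unsanitized information" is interpreted here as "the subject has already read unsanitized information", which is how the rule is usually enforced. The scenario replays the User-A / User-B indirect leak above; company names and the sanitized flag are constructed.

```python
# Added example (not from the original page): a Chinese Wall enforcement monitor.
# Dataset names and the "sanitized" flag on reads are constructed for the demo.
from collections import defaultdict


class ChineseWall:
    def __init__(self, datasets: dict):
        # dataset name -> conflict of interest class, e.g. {"OilA": "oil", "BankA": "bank"}
        self.coi = dict(datasets)
        self.reads = defaultdict(set)        # subject -> datasets it has accessed
        self.unsanitized = defaultdict(set)  # subject -> datasets whose unsanitized objects it read

    def wall(self, subject: str, dataset: str) -> list:
        """Datasets already accessed by `subject` in the same CoI class as `dataset`."""
        return sorted(d for d in self.reads[subject] if self.coi[d] == self.coi[dataset])

    def can_read(self, subject: str, dataset: str) -> bool:
        """Simple security rule: already inside this dataset's wall, or no competitor touched."""
        if dataset in self.reads[subject]:
            return True
        return not self.wall(subject, dataset)

    def read(self, subject: str, dataset: str, sanitized: bool = False) -> None:
        if not self.can_read(subject, dataset):
            raise PermissionError(f"{subject}: {dataset} conflicts with {self.wall(subject, dataset)}")
        self.reads[subject].add(dataset)
        if not sanitized:
            self.unsanitized[subject].add(dataset)

    def can_write(self, subject: str, dataset: str) -> bool:
        """*-property: the read rule must allow the dataset, and the subject must not
        have read unsanitized information from any other dataset, otherwise it could
        launder a competitor's data across the wall through a shared dataset."""
        if not self.can_read(subject, dataset):
            return False
        return self.unsanitized[subject] <= {dataset}

    def write(self, subject: str, dataset: str) -> None:
        if not self.can_write(subject, dataset):
            raise PermissionError(f"{subject}: writing {dataset} could leak {sorted(self.unsanitized[subject])}")
        self.reads[subject].add(dataset)  # writing is an access too; it lands inside the wall


def demo() -> dict:
    cw = ChineseWall({"OilA": "oil", "OilB": "oil", "BankA": "bank"})
    cw.read("UserA", "OilA")              # User-A is now inside Oil Company-A's wall
    cw.read("UserB", "OilB")
    cw.read("UserB", "BankA")
    out = {
        "A_read_OilB": cw.can_read("UserA", "OilB"),      # competitor of OilA
        "A_read_BankA": cw.can_read("UserA", "BankA"),    # different CoI class
        "A_write_BankA": cw.can_write("UserA", "BankA"),  # would hand OilA data to User-B
        "A_write_OilA": cw.can_write("UserA", "OilA"),
        "B_read_OilA": cw.can_read("UserB", "OilA"),
    }
    cw.read("Analyst", "OilA", sanitized=True)            # public/sanitized data may cross
    out["analyst_write_BankA"] = cw.can_write("Analyst", "BankA")
    return out


if __name__ == "__main__":
    print(demo())
```

The consequence Brewer and Nash point out follows directly: a subject who has read unsanitized data from two datasets can no longer write anywhere, so in practice one user or process per dataset does the writing.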
1) Access control: each identifiable clinical record shall be marked with an access control list naming the people or groups of people who may read it and append data to it. The system shall prevent anyone not on the access control list from accessing the record in any way.
2) Record opening: a clinician may open a record with herself and the patient on the access control list. Where a patient has been referred, she may open a record with herself, the patient and the referring clinician(s) on the access control list.
3) Control: one of the clinicians on the access control list must be marked as being responsible. Only she may alter the access control list, and she may only add other health care professionals to it.
4) Consent and notification: the responsible clinician must notify the patient of the names on his record’s access control list when it is opened, of all subsequent additions, and whenever responsibility is transferred. His consent must also be obtained, except in emergency or in the case of statutory exemptions.
5) Persistence: no-one shall have the ability to delete clinical information until the appropriate time period has expired.
6) Attribution: all accesses to clinical records shall be marked on the record with the subject’s name, as well as the date and time. An audit trail must also be kept of all deletions.
7) Information flow: information derived from record A may be appended to record B if and only if B’s access control list is contained in A’s.
8) Aggregation control: there shall be effective measures to prevent the aggregation of personal health information. In particular, patients must receive special notification if any person whom it is proposed to add to their access control list already has access to personal health information on a large number of people.
9) Trusted Computing Base: computer systems that handle personal health information shall have a subsystem that enforces the above principles in an effective way. Its effectiveness shall be subject to evaluation by independent experts.
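The following is an added example, not code from the original slides or notes: a toy record store that turns principles 1 to 8 into checks on record operations (principle 9 is the evaluation of the subsystem itself, which code cannot demonstrate). The aggregation threshold, the retention period, the clinician and patient names and the clock are assumptions; the page gives none of them.

```python
# Added example (not from the original page): BMA principles 1-8 as enforced operations.
# AGGREGATION_THRESHOLD, RETENTION, T0 and all names are constructed for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

AGGREGATION_THRESHOLD = 3              # assumed reading of "a large number of people"
RETENTION = timedelta(days=365 * 8)    # assumed retention period; the page gives none
T0 = datetime(2024, 1, 1)              # constructed clock for the demo


def at(days: int) -> datetime:
    return T0 + timedelta(days=days)


@dataclass
class Record:
    patient: str
    responsible: str                              # principle 3: one responsible clinician
    acl: set                                      # principle 1: who may read and append
    entries: list = field(default_factory=list)   # (who, when, text), principle 6
    audit: list = field(default_factory=list)     # all accesses and deletions, principle 6
    notices: list = field(default_factory=list)   # what the patient was told, principle 4


class BMASystem:
    def __init__(self, clinicians):
        self.clinicians = set(clinicians)   # recognised health care professionals
        self.records = []

    def _check_acl(self, who, rec, now):
        if who not in rec.acl:                      # principle 1
            raise PermissionError(f"{who} is not on the access control list")
        rec.audit.append((who, now, "access"))      # principle 6

    def open_record(self, clinician, patient, now, referrers=()):
        """Principle 2: the ACL starts with the clinician, the patient and any referrers."""
        if clinician not in self.clinicians:
            raise PermissionError(f"{clinician} is not a clinician")
        rec = Record(patient, clinician, {clinician, patient, *referrers})
        rec.notices.append((now, f"opened, ACL={sorted(rec.acl)}"))
        self.records.append(rec)
        return rec

    def add_to_acl(self, actor, rec, person, now):
        """Principles 3, 4, 8: only the responsible clinician may add, only health care
        professionals may be added, the patient is notified, and a person who already
        reaches many records triggers a special notification."""
        if actor != rec.responsible:
            raise PermissionError("only the responsible clinician may alter the ACL")
        if person not in self.clinicians:
            raise PermissionError("only health care professionals may be added")
        reach = sum(1 for r in self.records if person in r.acl)
        if reach >= AGGREGATION_THRESHOLD:
            rec.notices.append((now, f"special notification: {person} already reaches {reach} records"))
        rec.acl.add(person)
        rec.notices.append((now, f"added {person}"))

    def read(self, actor, rec, now):
        self._check_acl(actor, rec, now)
        return list(rec.entries)

    def append(self, actor, rec, text, now):
        self._check_acl(actor, rec, now)
        rec.entries.append((actor, now, text))

    def copy_entry(self, actor, src, dst, index, now):
        """Principle 7: data from A may be appended to B only if B's ACL is contained
        in A's, so the information never reaches a wider audience than it had."""
        if not dst.acl <= src.acl:
            raise PermissionError("information flow would widen the audience")
        who, when, text = self.read(actor, src, now)[index]
        self.append(actor, dst, f"(from {src.patient}, {who}, {when:%Y-%m-%d}) {text}", now)

    def delete_entry(self, actor, rec, index, now):
        """Principle 5: nothing can be deleted before the retention period expires."""
        self._check_acl(actor, rec, now)
        who, when, _ = rec.entries[index]
        if now - when < RETENTION:
            raise PermissionError("retention period has not expired")
        del rec.entries[index]
        rec.audit.append((actor, now, f"deleted entry by {who} from {when:%Y-%m-%d}"))


def _denied(fn, *args) -> bool:
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


def demo() -> dict:
    s = BMASystem({"dr_a", "dr_b", "dr_c"})
    rec = s.open_record("dr_a", "patient1", at(0), referrers=("dr_b",))
    s.append("dr_a", rec, "BP 130/85", at(0))
    for p in ("patient2", "patient3", "patient4"):      # dr_c already reaches three records
        s.open_record("dr_c", p, at(1))
    out = {"outsider_read": not _denied(s.read, "dr_c", rec, at(1)),
           "patient_edits_acl": not _denied(s.add_to_acl, "patient1", rec, "dr_c", at(1))}
    s.add_to_acl("dr_a", rec, "dr_c", at(1))
    out["aggregation_notice"] = any("special" in text for _, text in rec.notices)
    out["after_add_read"] = len(s.read("dr_c", rec, at(2)))
    note = s.open_record("dr_b", "patient1", at(3))     # ACL {dr_b, patient1} lies within rec's
    s.copy_entry("dr_b", rec, note, 0, at(3))
    out["narrow_flow"] = len(note.entries)
    out["wide_flow"] = not _denied(s.copy_entry, "dr_b", note, rec, 0, at(3))
    out["early_delete"] = not _denied(s.delete_entry, "dr_a", rec, 0, at(10))
    s.delete_entry("dr_a", rec, 0, at(365 * 8 + 1))
    out["late_delete"] = len(rec.entries)
    return out
```

The flow check in `copy_entry` is the one rule here that is not an ACL comparison on a single record; it is the multilateral part of the model, the same "no leak between compartments" idea as the Chinese Wall, expressed on ACLs instead of conflict classes.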
Label on Subjects: When a user logs on, Windows Vista assigns an integrity SID to the user's access token. Included in the SID is an integrity label that determines the level of access the token (and thus the user) can achieve.
Label on Objects: Objects, such as files, pipes, processes, threads, registry keys, services, printers, etc., are also assigned an integrity SID, which is stored in the system access control list (SACL) of the object's security descriptor. The label in the SID specifies the integrity level of the object.
Access Control Policy: To write to or delete an object, the integrity level of subject must be equal to or greater than the object’s level.
Relationship to DAC: Vista checks MAC first, if passed, it then checks DAC (e.g. access control list). Therefore, MAC provides a layer of access control in addition to DAC; it does not overwrite DAC.
Default levels: Objects that lack an integrity label are treated as medium by the operating system. This prevents low integrity code from modifying unlabeled objects
Windows Vista defines four integrity levels: low, medium, high, and system. Standard users receive medium, elevated users receive high. Processes you start and objects you create receive your integrity level (medium or high) or low if the executable file’s level is low; system services receive system integrity. Objects that lack an integrity label are treated as medium by the operating system—this prevents low integrity code from modifying unlabeled objects.
For those keeping track… Yes, there’ve been some changes since I spoke about MIC at TechEd. First, the label numbers have changed from 100/200/300/400 to 4096/8192/12288/16384, which in hex are 1000/2000/3000/4000. So don’t use the numbers when referring to labels, because they might change again! Second, processes no longer receive the lower of your integrity or the file’s integrity—instead, process integrity behaves as I described above. Third, we no longer use MIC to enforce Windows resource protection (WRP). All operating system files are now unlabeled, meaning they default to medium integrity. The files are ACLed such that only the trusted installer has write access; everyone else, including administrators, has only read and execute access.
Consider a scenario. Say you receive an attachment in email. When you save it, it’s written with low integrity because it came from the Internet—an untrusted source. When you execute the attachment, its process runs at low integrity because the file object is labeled low; therefore, your data (labeled medium or high) is protected from malicious writes by the attachment. It will, however be able to read your data. MIC implements a form of the Biba model, which ensures integrity by controlling writes and deletions. Contrast this with the more well-known Bell-LaPadula model, which describes levels of confidentiality by controlling reads.
Usually, child processes inherit the integrity level of their parents, unless the executable program running in the child process has a lower integrity level.
For example, all the downloaded executables will run with Low integrity level because the labels of the executable programs are marked as Low when they are downloaded from the Internet.
The integrity level can also be customized on a per-process basis.
For example, Internet Explorer 8 runs at Low integrity level only. This means that IE has limited opportunities to alter files on the machine without triggering an elevation prompt that the user must agree to.
Objects created by processes inherit the IL of the process. So files downloaded by IE still have an IL of Low – this explains why downloaded executables will only run with Low integrity level.
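The following is an added example, not code from the original slides or notes and not the Windows API: a model of Mandatory Integrity Control built only from the rules stated in these notes (labels on subjects and objects, unlabeled objects treated as Medium, write/delete need subject level ≥ object level, MAC checked before DAC, child processes inheriting the lower of parent and executable level, created objects taking the process level, per-process lowering as IE8 does), placed beside strict Biba from slide 12 for contrast. The integers for the levels express order only (the notes say the real label numbers are not stable); user names, file names and DACLs are constructed, and the email-attachment scenario follows the one described above.

```python
# Added example (not from the original page, not the Windows API): a model of MIC
# from the rules in the notes, next to strict Biba. Names, DACLs and levels are
# constructed; the integers only order the levels.
from dataclasses import dataclass, field
from typing import Optional

LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4
NAMES = {LOW: "Low", MEDIUM: "Medium", HIGH: "High", SYSTEM: "System"}


@dataclass
class Obj:
    name: str
    integrity: Optional[int] = None             # None = unlabeled, treated as Medium
    dacl: dict = field(default_factory=dict)    # sid -> set of rights granted by the ACL


@dataclass
class Process:
    sid: str            # the user the process runs as
    integrity: int      # integrity label carried in the access token


def effective_il(obj: Obj) -> int:
    """Default level: unlabeled objects are treated as Medium."""
    return MEDIUM if obj.integrity is None else obj.integrity


def mic_allows(proc: Process, obj: Obj, right: str) -> bool:
    """MIC is Biba's no-write-up half only: write/delete need subject IL >= object IL.
    Reads are not restricted, so a Low process can still read Medium data."""
    if right in ("write", "delete"):
        return proc.integrity >= effective_il(obj)
    return True


def dac_allows(proc: Process, obj: Obj, right: str) -> bool:
    return right in obj.dacl.get(proc.sid, set())


def access_check(proc: Process, obj: Obj, right: str) -> bool:
    """MAC first, then DAC: MIC is a layer on top of the ACL and never grants what
    the ACL denies."""
    return mic_allows(proc, obj, right) and dac_allows(proc, obj, right)


def create_process(parent: Process, exe: Obj, integrity: Optional[int] = None) -> Process:
    """Child inherits the parent's IL unless the executable is labeled lower;
    `integrity` models a per-process choice such as a browser running at Low."""
    il = min(parent.integrity, effective_il(exe))
    if integrity is not None:
        il = min(il, integrity)          # a per-process override may only lower the level here
    return Process(parent.sid, il)


def create_object(proc: Process, name: str, dacl: Optional[dict] = None) -> Obj:
    """Objects created by a process carry the process's IL (why downloads are Low)."""
    grants = dacl if dacl is not None else {proc.sid: {"read", "write", "delete"}}
    return Obj(name, proc.integrity, grants)


def biba_strict_allows(subject_il: int, object_il: int, right: str) -> bool:
    """Strict Biba for contrast: no read down AND no write up."""
    if right == "read":
        return object_il >= subject_il
    return subject_il >= object_il


def demo() -> dict:
    alice = Process("alice", MEDIUM)                     # standard user, Medium token
    full = {"alice": {"read", "write", "delete"}}
    notes = Obj("notes.docx", MEDIUM, full)              # Alice's own data
    legacy = Obj("legacy.ini", None, full)               # unlabeled, so treated as Medium
    browser = create_process(alice, Obj("browser.exe"), integrity=LOW)
    setup = create_object(browser, "setup.exe")          # saved attachment: labeled Low
    installer = create_process(alice, setup)             # launched from a Medium shell: still Low
    os_file = Obj("kernel32.dll", None, {"TrustedInstaller": {"read", "write"}, "alice": {"read"}})
    admin = Process("alice", HIGH)                       # elevated token
    return {
        "installer_il": NAMES[installer.integrity],
        "installer_reads_notes": access_check(installer, notes, "read"),
        "installer_writes_notes": access_check(installer, notes, "write"),
        "installer_writes_unlabeled": access_check(installer, legacy, "write"),
        "alice_writes_notes": access_check(alice, notes, "write"),
        "admin_writes_os_file": access_check(admin, os_file, "write"),   # MIC passes, DACL denies
        "strict_biba_low_reads_medium": biba_strict_allows(LOW, MEDIUM, "read"),
        "strict_biba_medium_reads_low": biba_strict_allows(MEDIUM, LOW, "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two `strict_biba_*` results make the difference concrete: strict Biba would stop a Medium process from reading the Low download at all, while MIC lets the Low installer read Alice's Medium data and only blocks the write, which is exactly the "it will, however, be able to read your data" caveat in the notes.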