Everything about Mandatory Access Control totally explained
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object will be tested against the set of authorization rules (aka policy) to determine if the operation is allowed.
With mandatory access control, this security policy is centrally controlled by a security policy administrator; users don't have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional Unix system of users, groups, and rwx permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Unlike with DAC, users can't override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that's guaranteed (in principle) to be enforced for all users.
Historically and traditionally, MAC has been closely associated with multi-level secure (MLS) systems. The Trusted Computer System Evaluation Criteria, the seminal work on the subject which is often referred to as the "Orange Book", defines MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (for example, clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as HPUX BLS, Harris CS/SX, and SGI Trusted IRIX were all focused on MLS.
More recently, with the advent of implementations such as SELinux (incorporated into Linux kernels after 2.6), MAC has started to become more mainstream and is evolving out of the MLS niche. These more recent MAC implementations have recognized that the narrow Orange Book definition, focused as it was on MLS, isn't sufficient for general use. These implementations provide more depth and flexibility than earlier MLS-focused implementations, allowing (for example) administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS systems.
Special Information Assurance Implications of the term 'Mandatory'
(Figure: Executive Order 12958 for US classified information.)
For MAC, the access control decision is contingent on verifying the compatibility of the security properties of the data and the clearance properties of the individual (or the process proxying for the individual). The decision depends on the integrity of the metadata (for example label) that defines the security properties of the data, as well as the security clearance of the individual or process requesting access. For example, if a security label can be changed by a user, a surprisingly common vulnerability in some self-proclaimed 'MAC capable' systems, then that user can corrupt the access controls. Security mechanisms that protect such metadata and the access control decision logic from corruption are MAC-critical objects and require appropriate robustness.
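A small reference monitor of the kind the Orange Book definition above describes, as an added example that is not part of the original article: each label carries a sensitivity level and a set of compartments, the kernel-side monitor decides every access from the subject's clearance and the object's label, and only the policy administrator can relabel anything, which is the label-integrity point made above (an owner or creator of an object cannot change its label, unlike under DAC). The read-down/write-up rules are the standard Bell-LaPadula MLS rules, which this page does not spell out; the level ordering, the "secadmin" role and the sample subjects and objects are constructed.

```python
from dataclasses import dataclass

# Linear sensitivity scale, lowest to highest (constructed ordering, as in CSC-STD-004-85 environments).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a level plus zero or more need-to-know compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # 'self' is at least as sensitive as 'other' on the level scale
        # and covers every compartment 'other' carries.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


class ReferenceMonitor:
    """Kernel-side authorization logic. It owns the metadata (labels and clearances),
    so the decision cannot be corrupted by a subject editing its own label."""

    def __init__(self, admin):
        self.admin = admin          # the one role allowed to change policy metadata
        self.clearances = {}        # subject -> clearance Label
        self.labels = {}            # object  -> sensitivity Label

    def set_clearance(self, actor, subject, label):
        if actor != self.admin:
            raise PermissionError("only the policy administrator sets clearances")
        self.clearances[subject] = label

    def set_label(self, actor, obj, label):
        # Mandatory: ownership of the object confers no right to relabel it.
        if actor != self.admin:
            raise PermissionError("only the policy administrator relabels objects")
        self.labels[obj] = label

    def check(self, subject, obj, op):
        """Decide one access. Every operation passes through here (no bypass path)."""
        clearance, label = self.clearances[subject], self.labels[obj]
        if op == "read":                        # read down: clearance must dominate the data
            return clearance.dominates(label)
        if op == "write":                       # write up only: data may never flow to a lower label
            return label.dominates(clearance)
        return False                            # unknown operations are denied by default
```

Because the labels live inside the monitor and `set_label` refuses every actor but the administrator, a subject that can read an object still cannot downgrade it and then hand it to a less-cleared user.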
The term mandatory in MAC has acquired a special meaning derived from its use with military systems. MAC means access controls that are mandated by order of a government, and so enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms; only mechanisms that can provide absolute, or near-absolute, enforcement of the mandate are acceptable for MAC. This is a tall order, sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.
Vendors claiming to enforce MAC are sometimes making claims beyond their capability, and sometimes making claims beyond their understanding. The claim that MAC is enforced implies a claim of very high robustness. Vendors claiming MAC capability do usually have functions that enable the definition of MAC privileges and rules, but their implementations can be woefully unable to enforce them under even the mildest of attack. Ordinary 'best practices' do not produce software that has this kind of assurance level; in fact, no successful software-only approach has ever been documented. The only approach that has succeeded at protecting MAC controls from subversion has been to design the kernel to maintain a domain for its own execution using highly specialized hardware designed into the microprocessor architecture. Besides its cost, this is often unpopular because it affects portability of the operating system.
Degrees of MAC System Strength
In some systems users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This isn't necessarily true of a MAC system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified Top Secret information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.
Rating Evaluation of MAC System Strength
The Common Criteria is based on this science and intended to preserve the Assurance Level as EAL levels and the functionality specifications as Protection Profiles. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, Orange Book level C2 (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile (CAPP).
Multilevel security (MLS) Protection Profiles (such as MLSOSPP, similar to B2) are more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product's technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the technical details of the Protection Profile are critical to determining the suitability of a product.
Such an architecture prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices in a different level. This provides a containment mechanism for users and processes, both known and unknown: an unknown program, for example, might be an untrusted application whose accesses to devices and files the system should monitor and/or control.
Implementations
A few MAC implementations, such as Unisys' BLACKER project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC to that level of robust implementation. However, some less robust products exist.
- An NSA research project called SELinux (Security-Enhanced Linux) added a Mandatory Access Control architecture to the Linux Kernel, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement least privilege, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP/RBACPP/CAPP/EAL4+ certifications in June 2007.
- SUSE Linux (now supported by Novell) and Ubuntu 7.10 have added a MAC implementation called AppArmor. AppArmor utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). LSM provides a kernel API that allows modules of kernel code to govern access control. AppArmor isn't capable of restricting all programs and isn't yet included in the kernel.org kernel source tree. In most Linux distributions MAC isn't installed.
- Beginning with version 5.0, the work of the TrustedBSD project has been incorporated into releases of the FreeBSD operating system. Development is a work in progress, and the implementation models as well as the capabilities are constantly improving. MAC on FreeBSD comes with pre-built structures for implementing MAC models such as Biba and Multi-Level Security.
- Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. However, note that the capability to manage labels doesn't imply the kernel strength to operate in Multi-Level Security mode. Access to the labels and control mechanisms is not robustly protected from corruption in a protected domain maintained by the kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices is only weakly controlled.
- Apple's Mac OS X MAC framework is an implementation of the TrustedBSD MAC framework. A limited high-level sandboxing interface is provided by the command-line function sandbox_init. See the sandbox_init manual page for documentation.