Most systems allow processes to interact with each other directly, through signals or a more complex inter-process communication (IPC) mechanism, and this interaction must be controlled as well. In type enforcement, control is achieved by creating a table similar to the DDT, called the domain interaction table (DIT), shown in Exhibit 2. In this example, the WWW is completely isolated, while the mail system and the word processor can communicate. Type enforcement involves defining the DDT and DIT such that the applications meet the least privilege requirement. Complete isolation is often not desirable, because applications must share data. Type enforcement allows the appropriate balance to be struck between least privilege and information sharing.
Exhibit 3. Type Enforcement Structure.
An important property of type enforcement is that the DDT and DIT cannot be modified while the system is running. This restriction stops attacks that modify the data used for making security decisions. The static nature of type enforcement does not affect the usability of the system, because the type-enforcement tables describe only how the applications interact with data and with each other. Thus, the type-enforcement tables change only if the way in which the applications interact changes. Type enforcement partitions a system into a number of strong buckets. Each bucket has a domain and a list of all the types that domain can access. The bucket also includes the IPC channels to processes in other buckets, as shown in Exhibit 3. Type enforcement provides a structure that separates applications and controls user access to applications. A file or application must be in a user's domain for the user to access it. Users are allowed into a domain, or bucket, depending on their duties or roles on the system.
Now that a mechanism exists that closely matches the basic bucket principle, a variety of protection measures are possible. First and foremost, applications can be separated completely into different buckets, which ensures that two different applications cannot interfere with each other. Type enforcement provides the degree of separation that physically separate computers would, while maintaining a single linked system.
One security configuration that has been proposed to maintain Internet security is to use a different machine for each Internet service. The rationale behind this configuration is that many attacks over the network involve wedging open one service just enough to get a toehold on the system. From the toehold, the attacker expands his or her control by attacking the other Internet services in a sort of domino game. For example, a recently discovered Telnet vulnerability cannot be exploited unless the attacker has write access to the system. If the site also runs an anonymous FTP service through which the attacker can upload the key file, the system can be compromised. It is the combination of the two services that creates the vulnerability.
Exhibit 4. Type Enforcement Assured Pipeline.
However, buying one machine for each Internet service is expensive. Type enforcement allows separate Internet services to be combined on one system, with each Internet service placed in its own bucket. Thus, type enforcement prevents attacks that chain one Internet service against another.
When information must move from one application to another, separating the applications is not enough to ensure security. The path by which the information flows through the system must also be controlled. Type enforcement is used to create a kind of pipeline that organizes the data flow between programs, called an assured pipeline. Type enforcement places tight control on how each program interacts with the next program in the pipeline.
This process is different from trusting the applications to interface with each other correctly. Many applications that need to be part of a system are large software components with less than reliable track records for obeying the interface definition. Using type enforcement is like having a net in the operating system that can catch the applications when they fail to follow the rules for the interface.
Type enforcement creates the pipeline by controlling access between programs. Each program has permission only to read from the stage in front of it and to write to the next stage of the pipeline. No stage of the pipeline can be bypassed. Exhibit 4 is a representation of how type enforcement controls data flow between applications through assured pipelines.
Assured pipelines provide a divide and conquer approach to building secure applications. Splitting a large piece of software into smaller pieces facilitates the process of analyzing and ensuring that the pieces are operating correctly. For example, consider the DoD requirement that any document printed is labeled correctly with its security label. It is not difficult to modify the printer driver to label the document, but it is difficult to prove that the printer driver labels the document accurately. The printer driver is a large program, and any modification to a large program has the potential to introduce other flaws. On the other hand, if the labeling is done by a small program that only labels the data, the entire labeling program could be checked, and the printer driver left unmodified. Exhibit 5 shows how assured pipelines allow for the creation of smaller programs that can be analyzed for greater reliability than modifications to large software systems. In this example, type enforcement ensures that data cannot reach the printer driver unless it has gone through the labeler process.
Exhibit 5. Print Driver with Type Enforcement Compared to Conventional Print Driver.
Three key elements are needed to prove that the requirement of proper labeling is satisfied:
The labeler is a trusted program that ensures that only data that has been properly labeled moves from the user bucket to the printer bucket.
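The following is an added example, not code from the original chapter or from any type-enforcement product. It models a DDT and a DIT as tables frozen at boot, mediates every file operation and IPC attempt against them, and uses that mediation to build the user-to-labeler-to-printer assured pipeline described above. The domain, type and permission names (user, labeler, printer, www, mail, wordproc, unlabeled_doc, labeled_doc, and so on) are hypothetical and chosen to mirror Exhibits 2 and 5; the sample document text is constructed.

```python
"""Toy type-enforcement reference monitor.

A Domain Definition Table (DDT) maps (domain, type) to permitted operations
and a Domain Interaction Table (DIT) lists which domains may use IPC with
each other. Both are frozen before any 'process' runs. Domain and type names
are hypothetical, modelled on the exhibits in the text.
"""
from types import MappingProxyType

READ, WRITE = "r", "w"

# DDT: absent entry means no access at all. Only the labeler can write
# labeled_doc and the printer can read nothing else, so every byte that
# reaches the print driver has passed through the labeler stage.
DDT = MappingProxyType({
    ("user",     "unlabeled_doc"): frozenset({READ, WRITE}),
    ("labeler",  "unlabeled_doc"): frozenset({READ}),
    ("labeler",  "labeled_doc"):   frozenset({WRITE}),
    ("printer",  "labeled_doc"):   frozenset({READ}),
    ("www",      "web_content"):   frozenset({READ}),
    ("mail",     "mailbox"):       frozenset({READ, WRITE}),
    ("wordproc", "mailbox"):       frozenset({READ, WRITE}),
})

# DIT: unordered domain pairs allowed to signal each other. www is isolated;
# mail and the word processor may talk, as in Exhibit 2.
DIT = frozenset({
    frozenset({"mail", "wordproc"}),
    frozenset({"user", "labeler"}),
    frozenset({"labeler", "printer"}),
})


class Denied(PermissionError):
    """Raised whenever the DDT or DIT does not grant the requested access."""


def check_access(domain, type_, op):
    """Mediate one file operation against the DDT."""
    if op not in DDT.get((domain, type_), frozenset()):
        raise Denied(f"{domain} may not {op} type {type_}")


def check_ipc(src, dst):
    """Mediate one signal/IPC attempt against the DIT."""
    if frozenset({src, dst}) not in DIT:
        raise Denied(f"{src} may not signal {dst}")


class TypedStore:
    """Files carry a fixed type; every read/write is checked before it happens."""

    def __init__(self):
        self.files = {}

    def write(self, domain, type_, data):
        check_access(domain, type_, WRITE)
        self.files[type_] = data

    def read(self, domain, type_):
        check_access(domain, type_, READ)
        return self.files[type_]


def labeler(store, label):
    """Small trusted stage: stamps the label and wakes the next stage."""
    text = store.read("labeler", "unlabeled_doc")
    store.write("labeler", "labeled_doc", f"[{label}] {text}")
    check_ipc("labeler", "printer")


def printer(store):
    """Unmodified print driver: can only ever see labeled_doc."""
    return store.read("printer", "labeled_doc")


def print_via_pipeline(text, label="UNCLASSIFIED"):
    """Run one constructed document through user -> labeler -> printer."""
    store = TypedStore()
    store.write("user", "unlabeled_doc", text)
    check_ipc("user", "labeler")
    labeler(store, label)
    return printer(store)


def attempt(fn, *args):
    """Return True if the reference monitor denied the operation."""
    try:
        fn(*args)
    except Denied:
        return True
    return False


def tables_are_immutable():
    """The DDT cannot be altered at run time (models the static-table property)."""
    try:
        DDT[("user", "labeled_doc")] = frozenset({WRITE})
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(print_via_pipeline("quarterly report"))
    s = TypedStore()
    print("user bypasses labeler:", attempt(s.write, "user", "labeled_doc", "[TOP SECRET] forged"))
    print("printer reads raw data:", attempt(s.read, "printer", "unlabeled_doc"))
    print("www signals mail:", attempt(check_ipc, "www", "mail"))
    print("tables frozen at run time:", tables_are_immutable())
```

Note that the printer stage never checks labels itself; it is the table, not the driver, that guarantees nothing unlabeled can reach it. That is the point of the divide-and-conquer argument: only the few lines of the labeler need to be verified, and the two checks on the store are the whole trusted interface between stages.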