For those leaks that are necessary, special programs can monitor data transfers between buckets to ensure that only the proper data leaves a bucket. These programs are trusted, in the sense that the security of the system depends on their guaranteeing that only the proper data is transferred. Writing a program that actually provides such a guarantee is difficult. The best approach with current technology is to keep the program as small as possible, so that it can be analyzed for potential errors by a network administrator.
The goal of a secure system is to strike the proper balance between guarding and sharing data. A rough measure of how secure a system is can be obtained by considering these three factors:
The more overlap that exists between buckets, the more information can flow through the system, and the more analysis is required to ensure that the system is secure.
Another consideration for the security of a system is any exception to the bucket policy. For example, many systems allow an administrator to access any bucket on the system. The problem is not that administrators cannot be trusted, but that such an exception gives attackers a shortcut to complete access: instead of searching for a leaky bucket, an attacker need only trick the system into believing he or she is the administrator.
Type enforcement was first proposed as part of the LOCK system to fulfill DoD requirements for secure systems. Most DoD secure systems in the late 1980s focused on the traditional DoD classification levels, such as unclassified, confidential, secret, and top secret. These systems implemented very strict buckets, with one-way information flow between buckets. However, data and application interactions rarely fit such a constrained security policy. In the course of an application transaction, data may flow in a complete circle through many different buckets with different security requirements.
The goal of type enforcement is to give each program only the permissions it requires to do its job, a principle called least privilege. Type enforcement assigns each type of critical program its own bucket, and all the files that the program needs to access are placed in that bucket as well. Many programs need the same files because they perform the same kinds of tasks, so type enforcement categorizes individual programs and files into general groups that describe the abstract behavior of the components: programs are grouped into domains, and files are grouped into types. For example, two mail reader programs such as Elm and Pine require the same permissions and are therefore placed together in the mail reader domain.
Exhibit 1. Domain definition table (DDT): process domains (rows) against file types (columns)

| Process Domains | Web pages | Mailbox file | Mail Aliases | Public files |
|---|---|---|---|---|
| WWW Server | r | | | |
| Mail System | | rw | r | |
| ftp | | | | rw |

r = read; w = write; blank cells indicate no access is allowed
Access between process domains: process domains (rows) acting on process domains (columns)

| Process Domains | World Wide Web | Mail System | Word Processor |
|---|---|---|---|
| World Wide Web | so | | |
| Mail System | so | so | |
| Word Processor | so | so | |

s = signal; o = observe; blank cells indicate no access is allowed
Type enforcement works by grouping processes into domains and files into types according to least privilege. Grouping by type organizes files much as abstract data types organize data: the type indicates how the data in the file was created and how it may be used. A table called the domain definition table (DDT) then specifies which types each domain may access, and with which operations. Exhibit 1 shows an example of a type enforcement DDT. In the sample DDT, the World Wide Web (WWW) server can read only web files, and the mail system can access only mail files, such as the mailbox and mail alias files; a blank cell means the domain has no access to that type at all, and no domain in the table has access to everything.
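To make the mediation concrete, here is an added example (not code from the original page, nor from the LOCK or any other type-enforcement system it describes): a toy reference monitor that labels each process with a domain and each file with a type, then consults a DDT built from Exhibit 1 and a domain-to-domain table built from the second exhibit as printed. The process-to-domain and path-to-type mappings, the domain and type names (`www_server`, `web_pages`, and so on), and the sample requests are assumptions made for illustration. The point it shows beyond the tables themselves is the default-deny behaviour a practitioner wants: a blank cell, an unlabelled process or file, and a would-be administrator domain all get nothing.

```python
"""Toy type-enforcement reference monitor (added example, not code from
the original page or from the systems it describes). The DDT mirrors
Exhibit 1 and the domain-to-domain table mirrors the second exhibit as
printed; the process-to-domain and path-to-type labellings and the
sample requests are assumptions for illustration."""

# Domain definition table (DDT): domain -> file type -> permitted operations.
# A missing entry is a blank cell in the exhibit and means no access at all.
# Note there is no "administrator" domain with access to every type.
DDT = {
    "www_server":  {"web_pages": "r"},
    "mail_system": {"mailbox": "rw", "mail_aliases": "r"},
    "ftp":         {"public_files": "rw"},
}

# Domain-to-domain table: which domain may signal ("s") or observe ("o")
# which other domain. Cell placement follows the exhibit as printed.
DOMAIN_TABLE = {
    "www_server":     {"www_server": "so"},
    "mail_system":    {"www_server": "so", "mail_system": "so"},
    "word_processor": {"www_server": "so", "mail_system": "so"},
}

# Assumed labelling of files with types. In a real type-enforcement kernel
# the type is a security attribute stored with the file, not parsed from
# its path; a dictionary stands in for that attribute here.
TYPE_OF_PATH = {
    "/var/www/index.html": "web_pages",
    "/var/mail/alice": "mailbox",
    "/etc/aliases": "mail_aliases",
    "/srv/ftp/pub/readme.txt": "public_files",
    "/etc/shadow": "system_secrets",   # a type no row of the DDT grants
}

# Assumed labelling of processes with domains.
DOMAIN_OF_PROCESS = {
    "httpd": "www_server",
    "sendmail": "mail_system",
    "ftpd": "ftp",
    "root_shell": "system_admin",      # not in the DDT: no implicit access
}


def file_access_allowed(domain, file_type, op):
    """Consult the DDT. op is 'r' or 'w'; denied unless explicitly granted."""
    if op not in ("r", "w"):
        raise ValueError(f"unknown file operation {op!r}")
    return op in DDT.get(domain, {}).get(file_type, "")


def domain_interaction_allowed(src_domain, dst_domain, op):
    """Consult the domain-to-domain table. op is 's' (signal) or 'o' (observe)."""
    if op not in ("s", "o"):
        raise ValueError(f"unknown domain operation {op!r}")
    return op in DOMAIN_TABLE.get(src_domain, {}).get(dst_domain, "")


def mediate(process, path, op):
    """Label subject and object, then decide. Unlabelled subjects or
    objects fail closed: the monitor never guesses a domain or a type."""
    domain = DOMAIN_OF_PROCESS.get(process)
    file_type = TYPE_OF_PATH.get(path)
    if domain is None or file_type is None:
        return False
    return file_access_allowed(domain, file_type, op)


def reachable_types(domain):
    """Types a domain can touch at all; a least-privilege review starts here."""
    return set(DDT.get(domain, {}))


# Constructed sample requests: (process, path, operation).
SAMPLE_REQUESTS = [
    ("httpd", "/var/www/index.html", "r"),     # allowed: WWW server reads web pages
    ("httpd", "/var/www/index.html", "w"),     # denied: DDT grants only 'r'
    ("httpd", "/var/mail/alice", "r"),         # denied: web domain, mail type
    ("sendmail", "/var/mail/alice", "w"),      # allowed: mailbox is rw
    ("sendmail", "/etc/aliases", "w"),         # denied: aliases are read-only
    ("ftpd", "/srv/ftp/pub/readme.txt", "w"),  # allowed: public files are rw
    ("root_shell", "/etc/shadow", "r"),        # denied: no administrator exception
    ("unknown_proc", "/etc/aliases", "r"),     # denied: unlabelled subject
]


def audit(requests=SAMPLE_REQUESTS):
    """Return [(process, path, op, decision)] for a batch of requests."""
    return [(p, path, op, mediate(p, path, op)) for p, path, op in requests]


if __name__ == "__main__":
    for process, path, op, ok in audit():
        print(f"{'ALLOW' if ok else 'DENY ':5} {process:12} {op} {path}")
```

Running the block prints one decision per sample request. The design choice worth noting is that every lookup bottoms out in an empty string or empty dictionary rather than an error or a default grant, so the only way to obtain access is an explicit cell in the table; `reachable_types` is the query a reviewer would run per domain to confirm each one sees no more types than its job needs.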