

For those leaks that are necessary, special programs can monitor data transfers between buckets to ensure that only the proper data is leaving the bucket. These programs are “trusted,” in that they guarantee that only the proper data is transferred. Writing a program that performs a guarantee is difficult. The best approach with current technology is to write the program as small as possible, so that it can be analyzed for potential error by a network administrator.

The goal of a secure system is to strike the proper balance between guarding and sharing data. A rough measure of how secure a system is can be obtained by considering these three factors:

  The number of buckets.
  The amount of overlap between buckets.
  The level of trust for the programs protecting data channels (if information is allowed to move between buckets).

The more overlap that exists between buckets, the more information can flow through the system, and the more analysis is required to ensure that the system is secure.

Another consideration for the security of a system is any exception to the bucket policy. For example, many systems allow an administrator to access any bucket on the system. The problem is not that administrators cannot be trusted, but rather that this situation gives attackers an opportunity to gain complete access. Instead of trying to find a leaky bucket, an attacker can try to trick the system into thinking he or she is the administrator.

TYPE ENFORCEMENT

Type enforcement was first proposed as part of the LOCK system to fulfill DoD requirements for secure systems. Most DoD secure systems in the late 1980s focused on the traditional classification levels of the DoD, such as unclassified, confidential, secret, and top secret. These systems implemented very strict buckets, with a one-way information flow between buckets. However, data and application interactions rarely fall into such a constrained security policy. In the course of an application transaction, data may flow in a complete circle through many different buckets with different security requirements.

The goal of type enforcement is to give each program only the permissions that the program requires to do its job. This concept is called “least privilege.” Type enforcement assigns each type of critical program its own bucket. All the files that the program needs to access are placed in the bucket as well. Many programs need the same files, because they are doing the same kinds of tasks. Type enforcement categorizes individual programs and files into general groups that describe the abstract behavior of the components. Programs are grouped into domains, and files are grouped into types. For example, two mail reader programs like Elm and Pine require the same permissions; thus, they are grouped together in the mail reader domain.

Exhibit 1. Type Enforcement Domain Definition Table (DDT)

                                    File Types
Process Domains   Web pages   Mailbox file   Mail Aliases   Public files
WWW Server        r
Mail System                   rw             r
ftp                                                         rw

r = read; w = write; blank squares indicate no access is allowed

Exhibit 2. Type Enforcement Domain Interaction Table (DIT)

                                Process Domains
Process Domains   World Wide Web   Mail System   Word Processor
World Wide Web    so
Mail System       so   so
Word Processor    so   so

s = signal; o = observer; blank squares indicate no access is allowed

Type enforcement works by grouping processes into domains and files into types according to least privilege. Grouping files by type organizes them much like abstract data types: the type indicates how the data in the file was created and how it can be used. A table called the domain definition table (DDT) then specifies how each domain may access each type. Exhibit 1 shows an example of a type enforcement DDT. In this sample DDT, the World Wide Web (WWW) server can only access web files, and the mail system can only access mail files, such as the mailbox and mail alias files.
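The following is an added illustration, not code from the book or from the LOCK system: a small default-deny checker built from the DDT in Exhibit 1. The domain and type identifiers (www_server, mailbox_file, and so on) are assumed names, the placement of the ftp domain's "rw" in the Public files column is an assumption drawn from the table's remaining cells, the DIT entries are a constructed sample rather than a transcription of Exhibit 2, and the request log is constructed. It shows two things the prose only states: a request with no matching DDT cell is refused regardless of which domain makes it, and the amount of "overlap" between buckets can be read off the table mechanically by listing every type that more than one domain may touch.

```python
"""Toy type-enforcement checker: process domains x file types (DDT),
plus domain-to-domain interactions (DIT). Added example, not the book's code."""
from typing import Dict, List, Set, Tuple

# Domain Definition Table transcribed from Exhibit 1. Assumption: the
# 'rw' shown for the ftp domain belongs in the Public files column.
DDT: Dict[Tuple[str, str], str] = {
    ("www_server", "web_pages"): "r",
    ("mail_system", "mailbox_file"): "rw",
    ("mail_system", "mail_aliases"): "r",
    ("ftp", "public_files"): "rw",
}

# Domain Interaction Table: a constructed sample (not Exhibit 2's exact
# cell layout). 's' = may send a signal to, 'o' = may observe.
DIT: Dict[Tuple[str, str], str] = {
    ("mail_system", "www_server"): "so",
    ("word_processor", "mail_system"): "o",
}


def check_file_access(domain: str, file_type: str, mode: str) -> bool:
    """Grant only if every requested mode letter is present in the DDT cell.
    A missing cell (blank square) or unknown domain/type means deny."""
    if not mode:
        return False
    granted = DDT.get((domain, file_type), "")
    return all(m in granted for m in mode)


def check_domain_interaction(src: str, dst: str, kind: str) -> bool:
    """Grant a signal ('s') or observe ('o') only when the DIT lists it."""
    return kind in ("s", "o") and kind in DIT.get((src, dst), "")


def shared_types(ddt: Dict[Tuple[str, str], str]) -> Dict[str, Set[str]]:
    """Report the 'overlap' between buckets: every file type that more
    than one domain may access, with the domains that share it."""
    by_type: Dict[str, Set[str]] = {}
    for (domain, ftype) in ddt:
        by_type.setdefault(ftype, set()).add(domain)
    return {t: d for t, d in by_type.items() if len(d) > 1}


def denied_requests(requests: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Replay a list of (domain, type, mode) requests and return those the
    DDT refuses; handy for reviewing an access log against the policy."""
    return [r for r in requests if not check_file_access(*r)]


# Constructed sample request log (domain, file type, requested mode).
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("www_server", "web_pages", "r"),
    ("www_server", "mailbox_file", "r"),    # web server peeking at mail: denied
    ("mail_system", "mailbox_file", "rw"),
    ("mail_system", "web_pages", "w"),      # mail system altering web pages: denied
    ("ftp", "public_files", "w"),
    ("ftp", "mail_aliases", "r"),           # ftp reading mail aliases: denied
]

if __name__ == "__main__":
    for req in denied_requests(SAMPLE_REQUESTS):
        print("DENIED", req)
    print("shared types:", shared_types(DDT))
```

Because the table in Exhibit 1 gives every type to exactly one domain, shared_types returns nothing for it; adding a cell that lets a second domain read public_files makes that type show up as overlap, which is precisely the extra analysis burden the text describes.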



Copyright © CRC Press LLC