Mandatory Access Control

Tags: security

An access control system which [see page 9, associates] subjects and objects with special security attributes (classes) which are used as the basis for subject-access-object decisions.

Note: changing these attributes/classes is tightly controlled and rarely done.

Bell La Padula

Each object (file) in a MAC system is assigned a class indicating their sensitivity. Subjects (users/processes) are assigned a see page 17, clearance.

[see page 19, No Read Up]

A subject may only read objects at or below its clearance.

Restricting read access isn't sufficient to provide protection. A subject with a high clearance could copy a highly protected object to another object with a lower class and thus compromise itself.

[see page 21, No Write Down]

A object may only write to objects at or above its clearance.

Effective Policy

We define the [see page 22, current clearance] as the maximum clearance user is assigned to at a point in time. Users can both read and write objects at this clearance, with the above rules about higher and lower classes still in affect.

Users can choose their current clearance willingly, so they may restrict their permissions appropriately.

Confidentiality Over Integrity

The model described above focuses on confidentiality over integrity. The big goal is preventing information being leaked, but this comes at the cost of being able to verify the integrity of files. A user with a lower clearance can write up to and invalidate a higher clearance file at discretion (assuming they know the file exists without being able to read it).

An [see page 45, alternative model] that focuses on integrity over confidentiality could adopt a no write up and no read down policy instead.