HOME

TheInfoList



OR:

In
computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...
, mandatory access control (MAC) refers to a type of access control by which the
operating system An operating system (OS) is system software that manages computer hardware, software resources, and provides common services for computer programs. Time-sharing operating systems schedule tasks for efficient use of the system and may also in ...
or database constrains the ability of a ''subject'' or ''initiator'' to access or generally perform some sort of operation on an ''object'' or ''target''. In the case of operating systems, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/ UDP ports, shared memory segments, IO devices, etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the
operating system kernel The kernel is a computer program at the core of a computer's operating system and generally has complete control over everything in the system. It is the portion of the operating system code that is always resident in memory and facilitates in ...
examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka ''policy'') to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc. With mandatory access control, this security policy is centrally controlled by a security policy administrator; users do not have the ability to override the policy and, for example, grant access to files that would otherwise be restricted. By contrast,
discretionary access control In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to ...
(DAC), which also governs the ability of subjects to access objects, allows users the ability to make policy decisions and/or assign security attributes. (The traditional
Unix Unix (; trademarked as UNIX) is a family of multitasking, multiuser computer operating systems that derive from the original AT&T Unix, whose development started in 1969 at the Bell Labs research center by Ken Thompson, Dennis Ritchie, and ot ...
system of users, groups, and read-write-execute permissions is an example of DAC.) MAC-enabled systems allow policy administrators to implement organization-wide security policies. Under MAC (and unlike DAC), users cannot override or modify this policy, either accidentally or intentionally. This allows security administrators to define a central policy that is guaranteed (in principle) to be enforced for all users. Historically and traditionally, MAC has been closely associated with
multilevel security Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearan ...
(MLS) and specialized military systems. In this context, MAC implies a high degree of rigor to satisfy the constraints of MLS systems. More recently, however, MAC has deviated out of the MLS niche and has started to become more mainstream. The more recent MAC implementations, such as
SELinux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space ...
and
AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the ...
for Linux and
Mandatory Integrity Control Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This ...
for Windows, allow administrators to focus on issues such as network attacks and malware without the rigor or constraints of MLS.


Historical background and implications for multilevel security

Historically, MAC was strongly associated with
multilevel security Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearan ...
(MLS) as a means of protecting US classified information. The
Trusted Computer System Evaluation Criteria Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The ...
(TCSEC), the seminal work on the subject, provided the original definition of MAC as "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity". Early implementations of MAC such as Honeywell's SCOMP, USAF SACDIN, NSA Blacker, and Boeing's MLS LAN focused on MLS to protect military-oriented security classification levels with robust enforcement. The term mandatory in MAC has acquired a special meaning derived from its use with military systems. In this context, MAC implies an extremely high degree of robustness that assures that the control mechanisms can resist any type of subversion, thereby enabling them to enforce access controls that are mandated by order of a government such as the Executive Order 12958 for US classified information. Enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms; only mechanisms that can provide absolute or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.


Strength


Degrees

In some systems, users have the authority to decide whether to grant access to any other user. To allow that, all users have clearances for all data. This is not necessarily true of an MLS system. If individuals or processes exist that may be denied access to any of the data in the system environment, then the system must be trusted to enforce MAC. Since there can be various levels of data classification and user clearances, this implies a quantified scale for robustness. For example, more robustness is indicated for system environments containing classified
Top Secret Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to kn ...
information and uncleared users than for one with Secret information and users cleared to at least Confidential. To promote consistency and eliminate subjectivity in degrees of robustness, an extensive scientific analysis and risk assessment of the topic produced a landmark benchmark standardization quantifying security robustness capabilities of systems and mapping them to the degrees of trust warranted for various security environments. The result was documented in CSC-STD-004-85. Two relatively independent components of robustness were defined: Assurance Level and Functionality. Both were specified with a degree of precision that warranted significant confidence in certifications based on these criteria.


Evaluation

The Common Criteria is based on this science and it intended to preserve the Assurance Level as EAL levels and the functionality specifications as
Protection Profile A Protection Profile (PP) is a document used as part of the certification process according to ISO/IEC 15408 and the Common Criteria (CC). As the generic form of a Security Target (ST), it is typically created by a user or user community and provid ...
s. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case,
TCSEC Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCS ...
level C2 (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the
Controlled Access Protection Profile The Controlled Access Protection Profile, also known as CAPP, is a Common Criteria security profile that specifies a set of functional and assurance requirements for information technology products. Software and systems that conform to CAPP standard ...
(CAPP).
Multilevel security Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearan ...
(MLS) Protection Profiles (such as MLSOSPP similar to B2) is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product. Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).


Implementations

A few MAC implementations, such as
Unisys Unisys Corporation is an American multinational information technology (IT) services and consulting company headquartered in Blue Bell, Pennsylvania. It provides digital workplace solutions, cloud, applications, and infrastructure solutions, ...
' Blacker project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by
TCSEC Trusted Computer System Evaluation Criteria (TCSEC) is a United States Government Department of Defense (DoD) standard that sets basic requirements for assessing the effectiveness of computer security controls built into a computer system. The TCS ...
to that level of robust implementation. However, some less robust products exist. * Amon Ott's
RSBAC Rule-set-based access control (RSBAC) is an open source access control framework for current Linux kernels, which has been in stable production use since January 2000 (version 1.0.9a). Features * Free open source GNU General Public License ( GPL) ...
(Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the
project owner In project management, an executive or project executive is a person who has ultimate responsibility for a project, and is a role defined in the recognized project management framework PRINCE2. It is appointed by the customer during the start of t ...
. * TOMOYO Linux is a lightweight MAC implementation for
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
and
Embedded Linux Operating systems based on the Linux kernel are used in embedded systems such as consumer electronics (eg. set-top box A set-top box (STB), also colloquially known as a cable box and historically television decoder, is an information applianc ...
, developed by
NTT Data Corporation is a Japanese multinational information technology (IT) service and consulting company headquartered in Tokyo, Japan. It is a partially-owned subsidiary of Nippon Telegraph and Telephone (NTT). Japan Telegraph and Telephone Public Corporation ...
. It has been merged in Linux Kernel mainline version 2.6.30 in June 2009. Differently from the ''label-based'' approach used by
SELinux Security-Enhanced Linux (SELinux) is a Linux kernel security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). SELinux is a set of kernel modifications and user-space ...
, TOMOYO Linux performs a ''pathname-based''
Mandatory Access Control In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system or database constrains the ability of a ''subject'' or ''initiator'' to access or generally perform some sort of operation on a ...
, separating security domains according to process invocation history, which describes the system behavior. Policy are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented by a string. There are 4 modes: disabled, ''learning'', permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses occurred in the kernel are automatically analyzed and stored to generate MAC policy: this mode could then be the first step of policy writing, making it easy to customize later. * SUSE Linux and
Ubuntu Ubuntu ( ) is a Linux distribution based on Debian and composed mostly of free and open-source software. Ubuntu is officially released in three editions: '' Desktop'', ''Server'', and ''Core'' for Internet of things devices and robots. All ...
7.10 have added a MAC implementation called
AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the ...
. AppArmor utilizes a Linux 2.6 kernel feature called
LSM In molecular biology, LSm proteins are a family of RNA-binding proteins found in virtually every cellular organism. LSm is a contraction of 'like Sm', because the first identified members of the LSm protein family were the Sm proteins. LSm pr ...
(Linux Security Modules interface). LSM provides a kernel
API An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how ...
that allows modules of kernel code to govern ACL (DAC ACL, access-control lists). AppArmor is not capable of restricting all programs and is optionally in the Linux kernel as of version 2.6.36. *
Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...
and many other Unix distributions have MAC for CPU (multi-ring), disk, and memory; while OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives. Linux distributors disable MAC to being at best DAC for some devices – although this is true for any consumer electronics available today. * Android since its 5.0 release has used SELinux to enforce a MAC security model on top of its original UID-based DAC approach. * grsecurity is a patch for the Linux kernel providing a MAC implementation (precisely, it is an
RBAC In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ( ...
implementation). grsecurity is not implemented via the
LSM In molecular biology, LSm proteins are a family of RNA-binding proteins found in virtually every cellular organism. LSm is a contraction of 'like Sm', because the first identified members of the LSm protein family were the Sm proteins. LSm pr ...
API. *
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washing ...
Starting with
Windows Vista Windows Vista is a major release of the Windows NT operating system developed by Microsoft. It was the direct successor to Windows XP, which was released five years before, at the time being the longest time span between successive releases of ...
and
Server 2008 Windows Server 2008 is the fourth release of the Windows Server operating system produced by Microsoft as part of the Windows NT family of the operating systems. It was released to manufacturing on February 4, 2008, and generally to retail on Fe ...
Windows incorporates
Mandatory Integrity Control Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This ...
, which adds ''Integrity Levels'' (IL) to processes running in a login session. MIC restricts the access permissions of applications that are running under the same user account and which may be less trustworthy. Five integrity levels are defined: Low, Medium, High, System, and Trusted Installer. Processes started by a regular user gain a Medium IL;
elevated An elevated railway or elevated train (also known as an el train for short) is a rapid transit railway with the tracks above street level on a viaduct or other elevated structure (usually constructed from steel, cast iron, concrete, or bricks ...
processes have High IL. While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis: e.g. IE7 and downloaded executables run with Low IL. Windows controls access to
objects Object may refer to: General meanings * Object (philosophy), a thing, being, or concept ** Object (abstract), an object which does not exist at any particular time or place ** Physical object, an identifiable collection of matter * Goal, an ...
based on ILs, as well as for defining the boundary for window messages via
User Interface Privilege Isolation User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (I ...
. Named
objects Object may refer to: General meanings * Object (philosophy), a thing, being, or concept ** Object (abstract), an object which does not exist at any particular time or place ** Physical object, an identifiable collection of matter * Goal, an ...
, including files,
registry Registry may refer to: Computing * Container registry, an operating-system-level virtualization registry * Domain name registry, a database of top-level internet domain names * Local Internet registry * Metadata registry, information system for re ...
keys or other processes and threads, have an entry in the ACL governing access to them that defines the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object’s IL. Furthermore, to prevent access to sensitive data in memory, processes can’t open processes with a higher IL for read access. *
FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...
supports ''Mandatory Access Control'', implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as
Biba Biba was a London fashion store of the 1960s and 1970s. Biba was started and primarily run by the Polish-born Barbara Hulanicki with help of her husband Stephen Fitz-Simon. Early years Biba's early years were rather humble, with many of the ou ...
and
multilevel security Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearan ...
. * Sun's Trusted Solaris uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. However note that the capability to manage labels does not imply the kernel strength to operate in
multilevel security Multilevel security or multiple levels of security (MLS) is the application of a computer system to process information with incompatible classifications (i.e., at different security levels), permit access by users with different security clearan ...
mode. Access to the labels and control mechanisms are not robustly protected from corruption in protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices are only weakly controlled. * Apple's Mac OS X MAC framework is an implementation of the
TrustedBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ope ...
MAC framework. A limited high-level sandboxing interface is provided by the command-line function sandbox_init. See the sandbox_init manual page for documentation. * Oracle Label Security is an implementation of mandatory access control in the Oracle DBMS. * SE-PostgreSQL is a work in progress as of 2008-01-27, providing integration into SE-Linux. It aims for integration into version 8.4, together with row-level restrictions. * Trusted RUBIX is a mandatory access control enforcing DBMS that fully integrates with SE-Linux to restrict access to all database objects. *
Astra Linux Astra Linux is a Russian Linux-based computer operating system (OS) that is being widely deployed in the Russian Federation in order to replace Microsoft Windows. https://www.cnews.ru/news/top/2020-11-12_gosorgany_rossii_massovo https://rg.ru/20 ...
OS developed for
Russian Army The Russian Ground Forces (russian: Сухопутные войска ВSukhoputnyye voyska V}), also known as the Russian Army (, ), are the land forces of the Russian Armed Forces. The primary responsibilities of the Russian Ground Force ...
has its own mandatory access control.Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации
* Smack (''Simplified Mandatory Access Control Kernel'') is a
Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ope ...
security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal. It has been officially merged since the Linux 2.6.25 release. * ZeroMAC written by Peter Gabor Gyulay is a Linux LSM kernel patch.


See also

*
Bell–LaPadula model The Bell–LaPadula Model (BLP) is a state machine model used for enforcing access control in government and military applications. It was developed by David Elliott Bell and Leonard J. LaPadula, subsequent to strong guidance from Roger R. S ...
*
Access-control list In computer security, an access-control list (ACL) is a list of permissions associated with a system resource (object). An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on give ...
*
Attribute-based access control Attribute-based access control (ABAC), also known as policy-based access control for IAM, defines an access control paradigm whereby a subject's authorization to perform a set of operations is determined by evaluating attributes associated with the ...
(ABAC) *
Context-based access control Context-based access control (CBAC) is a feature of firewall software, which intelligently filters TCP and UDP packets based on application layer protocol session information. It can be used for intranets, extranets and internets. CBAC can ...
(CBAC) *
Discretionary access control In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as a means of restricting access to objects based on the identity of subjects and/or groups to ...
(DAC) *
Lattice-based access control In computer security, lattice-based access control (LBAC) is a complex access control model based on the interaction between any combination of objects (such as resources, computers, and applications) and subjects (such as individuals, groups or org ...
(LBAC) *
Organisation-based access control In computer security, organization-based access control (OrBAC) is an access control model first presented in 2003. The current approaches of the access control rest on the three entities (''subject'', ''action'', ''object'') to control the acces ...
(OrBAC) *
Role-based access control In computer systems security, role-based access control (RBAC) or role-based security is an approach to restricting system access to authorized users. It is an approach to implement mandatory access control (MAC) or discretionary access control ...
(RBAC) * Rule-set-based access control (RSBAC) *
Capability-based security Capability-based security is a concept in the design of secure computing systems, one of the existing security models. A capability (known in some systems as a key) is a communicable, unforgeable token of authority. It refers to a value that refer ...
*
Location-based authentication Location-based authentication is a special procedure to prove an individual's identity on appearance simply by detecting its presence at a distinct location. To enable location-based authentication, a special combination of objects is required. ...
*
Risk-based authentication In Authentication, risk-based authentication is a non-static authentication system which takes into account the profile (IP address, User-Agent HTTP header, time of access, and so on) of the agent requesting access to the system to determine the ri ...
*
Clark–Wilson model The Clark–Wilson integrity model provides a foundation for specifying and analyzing an integrity policy for a computing system. The model is primarily concerned with formalizing the notion of information integrity. Information integrity is ...
*
Classified information Classified information is material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and need to know, ...
*
Graham–Denning model The Graham–Denning model is a computer security model that shows how subjects and objects should be securely created and deleted. It also addresses how to assign specific access rights. It is mainly used in access control mechanisms for distribu ...
*
Mandatory Integrity Control Mandatory Integrity Control (MIC) is a core security feature of Windows Vista and later that adds mandatory access control to running processes based on their Integrity Level (IL). The IL represents the level of trustworthiness of an object. This ...
* Multiple single-level *
Security modes Generally, security modes refer to information systems security modes of operations used in mandatory access control (MAC) systems. Often, these systems contain information at various levels of security classification. The mode of operation is de ...
*
Smack (software) Smack (full name: Simplified Mandatory Access Control Kernel) is a Linux kernel security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control (MAC) rules, with simplicity as ...
* Systrace *
Take-grant protection model The take-grant protection model is a formal model used in the field of computer security to establish or disprove the safety of a given computer system that follows specific rules. It shows that even though the question of safety is in general unde ...
*
Type enforcement The concept of type enforcement (TE), in the field of information technology, is an access control mechanism for regulating access in computer systems. Implementing TE gives priority to mandatory access control (MAC) over discretionary access cont ...


Footnotes


References

* P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell.
The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments
'. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998. * P. A. Loscocco, S. D. Smalley,
Meeting Critical Security Objectives with Security-Enhanced Linux
' Proceedings of the 2001 Ottawa Linux Symposium. * ISO/IEC DIS 10181-3, Information Technology, OSI Security Model, Security FrameWorks, Part 3: Access Control, 1993 * Robert N. M. Watson.
A decade of OS access-control extensibility
. Commun. ACM 56, 2 (February 2013), 52–63.


External links


Weblog post
on the how virtualization can be used to implement Mandatory Access Control.
Weblog post
from a Microsoft employee detailing Mandatory Integrity Control and how it differs from MAC implementations.
GWV Formal Security Policy Model
A Separation Kernel Formal Security Policy, David Greve, Matthew Wilding, and W. Mark Vanfleet. {{DEFAULTSORT:Mandatory Access Control Computer security models Computer access control Operating system security Access control