Security

Mandatory access control

The Orange Book defines mandatory access control as:
"A means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity."

The most important aspect of this is that sensitivity must be inherited. With Unix-like permissions, for example, a member of a group can copy a file that is readable only by that group and make the copy world-readable; under mandatory access control this must not be possible.

This will usually be enforced by labelling processes with the highest sensitivity of the objects that have been their input so far. Output of the process will then be labelled accordingly.

Moon will support multiple independent sets of security labels. For example, besides sensitivity, a reliability label could be defined. While combining objects with different sensitivity creates an object with the upper bound of the sensitivity labels, combining objects with different reliability labels results in an object with the lower bound of those labels.

Communication channels might be configured to pass only objects below a certain sensitivity limit, and additionally to cap the reliability of whatever passes at a certain limit.
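As an added illustration of the label rules described above (this is example code written for this page, not part of Moon), the following Python model propagates labels the way the text describes: a process accumulates the upper bound of the sensitivity and the lower bound of the reliability of everything it reads, its output inherits that label, and a channel refuses objects above its sensitivity limit and caps reliability. The label names and the inclusive channel limits are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Two independent, totally ordered label sets. The names are constructed for
# this example; the page only names the sets "sensitivity" and "reliability".
SENSITIVITY = ["public", "internal", "confidential", "secret"]   # low -> high
RELIABILITY = ["unverified", "reviewed", "trusted"]              # low -> high


@dataclass(frozen=True)
class Label:
    sensitivity: str
    reliability: str


def combine(a: Label, b: Label) -> Label:
    """Label of an object derived from both a and b: sensitivity takes the
    upper bound of the inputs, reliability the lower bound."""
    s = max(a.sensitivity, b.sensitivity, key=SENSITIVITY.index)
    r = min(a.reliability, b.reliability, key=RELIABILITY.index)
    return Label(s, r)


class Process:
    """A process carries the combined label of everything it has read so far;
    whatever it writes inherits that label, so a copy can never be downgraded."""

    def __init__(self) -> None:
        # Neutral starting label: lowest sensitivity, highest reliability.
        self.label = Label(SENSITIVITY[0], RELIABILITY[-1])

    def read(self, obj: Label) -> None:
        self.label = combine(self.label, obj)

    def write(self) -> Label:
        return self.label


class Channel:
    """A channel passes only objects up to a sensitivity limit and caps the
    reliability of what it passes (both limits assumed inclusive)."""

    def __init__(self, max_sensitivity: str, max_reliability: str) -> None:
        self.max_sensitivity = max_sensitivity
        self.max_reliability = max_reliability

    def send(self, obj: Label) -> Optional[Label]:
        if SENSITIVITY.index(obj.sensitivity) > SENSITIVITY.index(self.max_sensitivity):
            return None  # too sensitive for this channel: refused
        r = min(obj.reliability, self.max_reliability, key=RELIABILITY.index)
        return Label(obj.sensitivity, r)
```

A process that reads a confidential file and then writes a copy produces a confidential object, and a channel limited to internal data refuses it.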


Page created: Jul 25, 1997 - last update: Nov 26, 2002 - version 2.1
Jörg Czeranski (Impressum)