Over time, computer security has taken on many different forms. The security model presently used by most operating systems is called “Discretionary Access Control” (DAC). DAC enforces security based on ownership: if a particular user owns a file, that user has full control of it and can set its read, write, and execute permissions. DAC therefore allows users to control their data at their own discretion. The problem with the DAC model is that if a system is compromised, an attacker can take control of the system and its data simply by acting as the user. Alternatively, a user can be tricked into executing code from a hostile source, and that code then runs with the full capabilities of the user. The DAC model is therefore limited in its ability to protect a user or the system state when the user runs software of differing trustworthiness.
An example of the limitation of the DAC model is the potential risk to the system by any code executed by system administrators. Untrustworthy or malicious software run by an administrator can modify critical operating system configuration or image files by executing with administrator privilege.
A different security model from DAC, called “Mandatory Access Control” (MAC), enforces a security policy that is defined by the system and that the user is not at liberty to change. MAC makes enforcement of security policies mandatory rather than discretionary, as with DAC. MAC allows security policies to be established by the system and requires object owners and users to be subject to those policies. Once the security policies are in place, users cannot override them.
Mandatory Integrity Control (MIC) applies a mandatory security policy with regard to the trustworthiness of a user or application file. A MIC security policy is narrower in scope than a MAC security policy: instead of providing security based on the sensitivity or classification of the subject and the object, as with MAC, MIC enforces access based on the integrity of the subject and the object. MIC is designed to protect the computer system and user data from unauthorized modification by untrustworthy users, or by untrustworthy code run by privileged users. MIC does not address the confidentiality of data. A typical Mandatory Integrity Control implementation enforces a policy under which processes of lower trustworthiness cannot modify files or system objects of higher trustworthiness, and under which subjects of higher trustworthiness are not compromised by accepting input of lower trustworthiness.
Traditional mandatory integrity models, while providing adequate security, have also had a number of limiting practical effects on the operation of a computer system. For example, the Biba hierarchical integrity model, created in the 1970s, is a strict integrity model that permits a subject to modify an object only when the subject's integrity level dominates the object's integrity level. The Biba model also prevents a subject from reading data from a lower integrity object (“no read down”) and from writing to a higher integrity object (“no write up”).
Other integrity models developed in the 1970s and 1980s relaxed these rules in various ways. For example, certain integrity models allowed higher integrity subjects to read or execute lower integrity objects. Other integrity models permitted modification only by “certified” programs. Nevertheless, because of the challenges in designing and implementing integrity models in commercial operating systems, their use has been limited.
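The following is an added example, not code from the page or from any operating system it describes. It models the two rule sets discussed above as a small policy checker: the strict Biba rules (no write up, no read down) and a relaxed policy that keeps only the “no write up” rule so that higher integrity subjects may read lower integrity objects. The level names, the object labels, and the scenario (an administrator's shell launching downloaded code that the policy labels at the lowest level) are constructed for illustration and are not taken from the page.

```python
"""Toy integrity-policy checker (added example, not from the original text).

Contrasts strict Biba with a "no write up"-only policy on a constructed
scenario. Level names, object labels and subjects are assumptions.
"""

from enum import IntEnum


class Integrity(IntEnum):
    """Ordered integrity levels; a higher value means more trustworthy.
    The three names are assumed for this example."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def biba_allows(subject: Integrity, obj: Integrity, op: str) -> bool:
    """Strict Biba rules.
    write: allowed only if the subject's level dominates (>=) the object's.
    read:  allowed only if the object's level dominates (>=) the subject's.
    """
    if op == "write":
        return subject >= obj
    if op == "read":
        return obj >= subject
    raise ValueError(f"unknown operation: {op}")


def no_write_up_allows(subject: Integrity, obj: Integrity, op: str) -> bool:
    """Relaxed policy of the kind the text mentions: a subject may read (or
    execute) any object, but may only modify objects whose integrity level
    does not exceed its own."""
    if op == "write":
        return subject >= obj
    if op == "read":
        return True
    raise ValueError(f"unknown operation: {op}")


# Constructed object labels: an OS configuration file is highly trusted, a
# user's document is ordinary, and a tool fetched from the Internet is not.
OBJECTS = {
    "os_config": Integrity.HIGH,
    "user_document": Integrity.MEDIUM,
    "downloaded_tool": Integrity.LOW,
}


def decide(policy, subject: Integrity, obj_name: str, op: str) -> bool:
    """Apply one policy function to a named object."""
    return policy(subject, OBJECTS[obj_name], op)


def scenario():
    """Return decisions under both policies keyed by
    (policy_name, subject_level, object_name, operation)."""
    untrusted_child = Integrity.LOW    # downloaded code launched by the admin
    admin_shell = Integrity.HIGH       # the administrator's own shell
    checks = [
        (untrusted_child, "os_config", "write"),       # malware vs. OS config
        (untrusted_child, "user_document", "write"),   # malware vs. user data
        (untrusted_child, "os_config", "read"),        # read up is fine in both
        (admin_shell, "downloaded_tool", "read"),      # read down: the difference
        (admin_shell, "os_config", "write"),           # legitimate admin work
    ]
    results = {}
    for name, policy in (("biba", biba_allows), ("no_write_up", no_write_up_allows)):
        for subject, obj_name, op in checks:
            results[(name, subject.name, obj_name, op)] = decide(policy, subject, obj_name, op)
    return results


if __name__ == "__main__":
    for (policy, subject, obj, op), allowed in scenario().items():
        print(f"{policy:12} {subject:6} {op:5} {obj:16} -> {'allow' if allowed else 'DENY'}")
```

Under both policies the low-integrity child that the administrator launched is denied writes to the OS configuration file and to the user's document even though it runs in the administrator's session, which is the protection the text asks for. The two policies differ only on the administrator's read of the low-integrity tool: strict Biba denies it, the relaxed policy permits it, which is why the relaxed variant is easier to fit into an existing operating system.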
Therefore, there is a need to implement an integrity model in a way that does not interfere with or significantly change the existing behavior of a commercial operating system. Users and programs need an operating system that enforces an integrity model while remaining highly compatible with the behavior of previous versions of the operating system that did not implement one. Changes in the computer security environment brought about by widespread Internet access create a need for a security mechanism that prevents unknown, untrustworthy and potentially malicious code from modifying or deleting operating system or user data files.