The present invention relates generally to digital computer systems, and more specifically to a system and method for controlling user access to data within a computer system.
In the short history of computers, data security was originally relatively unimportant and synonymous with physical security of the computer. But the importance of data security has grown steadily as the quantity, value and sensitivity of the data stored in, and operated upon by, computers has increased. The rate of growth of the quantity, value and sensitivity of computerized data is increasing rapidly. In addition, the importance and pervasiveness of data communications has rendered physical security alone insufficient to protect a computer system and its sensitive data from unauthorized access.
Current security measures for computer systems usually utilize an access control list (ACL) or equivalent mechanism. An ACL is associated with an object within the computer system, such object generally being a program, file, or directory. The ACL is a list which describes who may access that object, and in what manner it may be accessed. Typical types of access are read, write, execute, and delete. A summary overview of typical computer security systems can be found in "Operating System Concepts", J. Peterson and A. Silberschatz, chapter 11, Addison-Wesley Publishing Co., 1985.
As described in "Secure Computing: The Secure Ada Target Approach", Scientific Honeyweller, vol. 6, no. 2, July 1985, the use of ACLs does not protect a computer system from all kinds of intrusion. In particular, programs known as "trojan horses" and "viruses" can bypass the protection provided by ACLs. ACLs do not provide the level of security necessary to protect sensitive, classified defense documents.
In the Defense Department of the United States, all information has one of four classification levels: unclassified, confidential, secret, or top secret. Within the secret and top secret classifications, information is further subdivided into categories called "compartments". For example, within the top secret classification, information may be divided into compartments related to troop dispositions, star wars defense system, nuclear weapons construction, and nuclear weapons disposition. Simply having a top secret clearance does not allow a person or computer process access to all this information; they must also be cleared for access to each particular compartment. Thus, for a user to have access to information and programs on a computer system, he must have clearance for access to both the proper classification and compartment.
In 1975, Bell & Padula, as described in "Secure Computer System: Unified Exposition and Multics Interpretation", MITRE Technical Report MTR 2997, July 1975, developed a security policy model which was sufficient to provide security adequate to meet Defense Department standards. The description of their system still provides the basic definition of a secure computer system used by the Defense Department.
In the Bell & Padula system, access is granted to information on a per process basis. Every file or program has a classification, including one or more compartments, and only users and processes which are cleared for access to that type of information and program may utilize them.
The general approach taken by such prior art systems is to group information into "containers". A container holds a collection of related data, such as a file, or a logical executable block of code, such as a program or subprogram. All data in a container is classified at the same level, simply because it is in the container. It is very common for some data in a container to be overclassified because of its location. There is no attempt to classify data items individually. This is analogous to classifying an entire printed document at a high level because it contains two sensitive paragraphs, even though the remainder of the document would not otherwise be classified.
For example, if any data in a file is sensitive enough to require a high classification, the entire file must be so classified. There is no straightforward, reliable mechanism for separating these sensitive and non-sensitive data within a particular file. Thus, whenever an item of sensitive information is placed in the file, most of the file may be overclassified because of its association with the sensitive data. Over time, this situation can lead to a large number of files and programs being highly classified, when such high classification is not necessary for most of the data. Information which is unclassified or classified at a low level, and which must become classified at a higher level because of its association with one or more highly classified items, can be said to be "tainted".
It would be desirable for a computer system to be able to classify data only at the level which is needed. Data which must be highly classified should be assured of such classification, while data with a lower classification would avoid becoming tainted and would retain such lower classification.
It is therefore an object of the present invention to provide a security technique for a computer system in which all data retains its classification, and in which no data is overclassified.
Thus, according to the present invention, in a computer system every word in the memory has a corresponding label. This label indicates the security classification, and compartments if any, of that word of data. Each time a word is accessed by any instruction, its classification is checked to see if access is allowed.
The classification labels are contained in a security memory which is separate from the user-accessible data memory. Consideration of the label of each word is made in a security unit which is likewise inaccessible to the user. Any attempt to improperly access any word within the computer system's memory generates a security violation and prohibits further execution of the currently running process.
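The following C program is an added illustration, not part of the patent text, of the per-word labeling scheme summarized above together with the classification-and-compartment rule from the Defense Department discussion. It simulates a data memory and a separate security memory holding one label (level plus compartment set) per word, a process with a clearance label, and a read path that checks dominance on every access and halts the process on the first violation. The level names, the compartment bit names, the memory size and the sample values are all constructed for the example; the patent specifies none of these encodings.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Classification levels, ordered from least to most sensitive (constructed encoding). */
enum level { UNCLASSIFIED = 0, CONFIDENTIAL = 1, SECRET = 2, TOP_SECRET = 3 };

/* Compartment bits; names follow the examples given in the text, encoding is assumed. */
#define COMP_TROOPS     (1u << 0)
#define COMP_SDI        (1u << 1)
#define COMP_NUKE_BUILD (1u << 2)
#define COMP_NUKE_DISP  (1u << 3)

/* One label per memory word: classification level plus the set of compartments. */
struct label { enum level lvl; uint32_t comps; };

#define MEM_WORDS 8

/* User-accessible data memory and the separate security memory holding a label per word. */
static uint32_t     data_mem[MEM_WORDS];
static struct label sec_mem[MEM_WORDS];

/* A process: its clearance label and whether a violation has halted it. */
struct process { struct label clearance; bool halted; };

/* Dominance: the subject must be cleared at or above the word's level and for every
 * compartment the word carries. */
static bool dominates(const struct label *subj, const struct label *obj) {
    return subj->lvl >= obj->lvl && (obj->comps & ~subj->comps) == 0;
}

/* Store a word together with its label (used only to set up the example memory). */
static void store_labeled(unsigned addr, uint32_t value, enum level lvl, uint32_t comps) {
    data_mem[addr] = value;
    sec_mem[addr].lvl = lvl;
    sec_mem[addr].comps = comps;
}

/* Read one word on behalf of a process. Every access is checked against the word's
 * label; a failed check halts the process and returns no data. */
static bool read_word(struct process *p, unsigned addr, uint32_t *out) {
    if (p->halted || addr >= MEM_WORDS) return false;
    if (!dominates(&p->clearance, &sec_mem[addr])) {
        p->halted = true;            /* security violation: no further execution */
        return false;
    }
    *out = data_mem[addr];
    return true;
}

/* Sum the words in [from, to); returns how many were read before a violation halted the process. */
static int sum_range(struct process *p, unsigned from, unsigned to, uint32_t *sum) {
    int n = 0;
    *sum = 0;
    for (unsigned a = from; a < to; a++) {
        uint32_t v;
        if (!read_word(p, a, &v)) break;
        *sum += v;
        n++;
    }
    return n;
}

/* Constructed sample memory: four words of one "file" with individually chosen labels,
 * so the unclassified word is not tainted by its top secret neighbour. */
static void setup_example_memory(void) {
    memset(data_mem, 0, sizeof data_mem);
    memset(sec_mem, 0, sizeof sec_mem);
    store_labeled(0, 10, UNCLASSIFIED, 0);
    store_labeled(1, 20, CONFIDENTIAL, 0);
    store_labeled(2, 30, SECRET, COMP_TROOPS);
    store_labeled(3, 40, TOP_SECRET, COMP_TROOPS | COMP_SDI);
}

int main(void) {
    setup_example_memory();
    struct process p = { { SECRET, COMP_TROOPS }, false };
    uint32_t sum;
    int n = sum_range(&p, 0, 4, &sum);
    printf("read %d words (sum %u) before halt=%d\n", n, sum, p.halted);
    return 0;
}
```

Run stand-alone, the program reads the first three words and halts on the fourth, which demonstrates the point of per-word labels: the secret-cleared process still reaches the unclassified and confidential words of the same file instead of being refused the whole container.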
The novel features which characterize the present invention are defined by the appended claims. The foregoing and other objects and advantages of the present invention will hereafter appear, and for purposes of illustration, but not of limitation, a preferred embodiment is shown in the accompanying drawings.