The subject invention relates to a security policy for controlling access to data, and specifically to the control of access to files on a storage device such as a smart card.
A formal model of security is essential when reasoning about the security of a system. Security models can be broken down into three major categories: (1) models that protect against unauthorized disclosure of information, (2) models that protect against unauthorized tampering or sabotage, and (3) models that protect against denial of service. Protection against disclosure of information has been understood the longest and has the simplest models. Protection against tampering or sabotage has been less well understood and appropriate models are only now under development. Protection against denial of service is not well understood today.
A first requirement of many security systems is preventing unauthorized disclosure of information. Classes of mechanisms include discretionary access controls and mandatory access controls. Discretionary access controls are the commonly available security controls based on the fully general Lampson access matrix (Lampson, B. W., Protection. Operating Systems Review, January 1974. 8(1): p. 18-24; originally published in Proceedings of the Fifth Princeton Conference on Information Sciences and Systems, March 1971). They are called discretionary because the access rights to an object may be determined at the discretion of the owner or controller of the object. Both access control list and capability systems are examples of discretionary access controls. The presence of Trojan horses in the system can cause great difficulties with discretionary controls. The Trojan horse could surreptitiously change the access rights on an object, or could make a copy of protected information and give that copy to some unauthorized user. All forms of discretionary controls are vulnerable to this type of Trojan horse attack. A Trojan horse in a capability system could make a copy of a capability for a protected object and then store that capability in some other object to which a penetrator would have read access. In both cases, the information is disclosed to an unauthorized recipient.
Lampson (Lampson, B. W., A note on the confinement problem. Communications of the ACM, October 1973. 16(10): p. 613-615.) has defined the confinement problem as determining whether there exists a series of operations in a security system that will ultimately leak some information to some unauthorized individual. Harrison, Ruzzo, and Ullman (Harrison, M. A., W. L. Ruzzo, and J. D. Ullman, Protection in Operating Systems. Communications of the ACM, August 1976. 19(8): p. 461-471.) have shown that there is no general solution to the confinement problem for fully general discretionary access controls, such as either a general access control list or capability system. Their argument is based on modeling the state transitions of the access matrix as the state transitions of a Turing machine. They show that a decision procedure for the confinement problem would also decide the Turing machine halting problem, so no such procedure can exist.
The paths over which a Trojan horse leaks information are called covert channels. Covert channels can be divided into two major categories: storage channels and timing channels. Information can be leaked through a storage channel by changing the values of any of the state variables of the system. Thus, contents of files, names of files, and amount of disk space used are all examples of potential storage channels. A Trojan horse can leak information through a storage channel in a purely asynchronous fashion. There are no timing dependencies.
By contrast, information can be leaked through a timing channel by modifying the length of time that system functions take to complete. For example, a Trojan horse could encode information into deliberate modifications of the system page fault rate. Timing channels all use synchronous communication and require some form of external clocking.
Mandatory access controls have been developed to deal with the Trojan horse problems of discretionary access controls. The distinguishing feature of mandatory access controls is that the system manager or security officer may constrain the owner of an object in determining who may have access rights to that object. All mandatory controls, to date, have been based on lattice security models.
Various models describing security properties of computing systems and users exist in the art. Because access is at the heart of the security requirements of computing systems, access control is the basis of many of these models. Of particular interest are lattice security models. A lattice security model consists of a set of access classes that form a partial ordering. Access classes that are not ordered are called disjoint. Any two access classes may be less than, greater than, equal to, or not ordered with respect to one another. Furthermore, there exists a lowest access class, called system low, such that system low is less than or equal to all other access classes. There also exists a highest access class, called system high, such that all other access classes are less than or equal to system high.
A very simple lattice might consist of two access classes: LOW and HIGH. LOW is less than HIGH. LOW is system low, and HIGH is system high. A slightly more complex example might be a list of secrecy levels, such as UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. In this case, UNCLASSIFIED is system low, and TOP SECRET is system high. Each level in the list represents data of increasing secrecy.
There is no requirement for strict hierarchical relationships between access classes. The U.S. military services use a set of access classes that have two parts: a secrecy level and a set of categories. Categories represent compartments of information for which an individual must be specially cleared. To gain access to information in a category, an individual must be cleared, not only for the secrecy level of the information, but also for the specific category. For example, if there were a category NUCLEAR, and some information classified SECRET-NUCLEAR, then an individual with a TOP SECRET clearance would not be allowed to see that information, unless the individual were specifically authorized for the NUCLEAR category.
Information can belong to more than one category, and category comparison is done using subsets. Thus, in the military lattice model, for access class A to be less than or equal to access class B, the secrecy level of A must be less than or equal to the secrecy level of B, and the category set of A must be a subset (not necessarily a proper subset) of the category set of B. Since two category sets may be disjoint, the complete set of access classes has only a partial ordering. There is a lowest access class, {UNCLASSIFIED-no categories}, and a highest access class, {TOP SECRET-all categories}. The access classes made up of levels and category sets form a lattice.
Lattice models were first developed at the MITRE Corporation by Bell and LaPadula (Bell, D. E. and L. J. LaPadula, Secure Computer Systems: A Mathematical Model, ESD-TR-73-278, Vol. II, November 1973, The MITRE Corporation, Bedford, Mass.: HQ Electronic Systems Division, Hanscom AFB, Mass.) and at Case Western Reserve University by Walter (Walter, K. G., W. F. Ogden, W. C. Rounds, F. T. Bradshaw, S. R. Ames, and D. G. Shumway, Primitive Models for Computer Security, ESD-TR-74-117, Jan. 23, 1974, Case Western Reserve University, Cleveland, Ohio: HQ Electronic Systems Division, Hanscom AFB, Mass.) to formalize the military security model and to develop techniques for dealing with Trojan horses that attempt to leak information. At the time, dealing with Trojan horses was difficult, yet it was found that two quite simple properties could prevent a Trojan horse from compromising sensitive information.
First, the simple security property says that if a subject wishes to gain read access to an object, the access class of the object must be less than or equal to the access class of the subject. This is just a formalization of military security clearance procedures that one may not read a document unless one is properly cleared. Second, the confinement property (also known as the *-property) requires that if a subject wishes to gain write access to an object, the access class of the subject must be less than or equal to the access class of the object. The net effect of enforcing the confinement property is that any Trojan horse that attempts to steal information from a particular access class cannot store that information anywhere except in objects that are classified at an access class at least as high as the source of the information. Thus, the Trojan horse could tamper with the information, but it could not disclose the information to any unauthorized individual.
Biba (Biba, K. J., Integrity Considerations for Secure Computer Systems, ESD-TR-76-732, April 1977, The MITRE Corporation, Bedford, Mass.: HQ Electronic Systems Division, Hanscom AFB, Mass.) later developed a model of mandatory integrity that is a mathematical dual of the Bell and LaPadula mandatory security model. Biba defines a set of integrity access classes that are analogous to security access classes and defines simple integrity and integrity confinement properties that are analogous to the simple security and confinement properties. The difference between integrity and security is that the direction of every less-than comparison is reversed, so that a program of high integrity is prevented from reading or executing low integrity objects that could be the source of tampering or sabotage. The principal difficulty with the Biba integrity model is that it does not model any practical system. Unlike the security models, which developed from existing military security systems, the Biba integrity model developed from a mathematical analysis of the security model.
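The lattice comparison defined above (a level plus a category set), the two Bell and LaPadula properties, and Biba's reversed dual, together with the combined secrecy-plus-integrity access class that the summary at the end of this section describes, as an added Python example. This is not code from the patent or from any of the cited papers: the level names, the categories and the sample Trojan horse scenario are constructed for the illustration, and the patent's own execute and chaining rules are not modelled.

```python
"""Lattice access classes with Bell-LaPadula (secrecy) and Biba (integrity) checks.

Added illustration, not code from the patent or the cited papers. The level
names and categories below are constructed for the example; the patent's own
execute and chaining rules are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Constructed orderings: the index in the tuple gives the rank.
SECRECY_LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")
INTEGRITY_LEVELS = ("UNTRUSTED", "USER", "SYSTEM")


@dataclass(frozen=True)
class AccessClass:
    """A military-style access class: a level rank plus a set of categories."""
    level: int
    categories: FrozenSet[str] = frozenset()

    def __le__(self, other: "AccessClass") -> bool:
        # A <= B iff level(A) <= level(B) and categories(A) is a subset of
        # categories(B) (a subset, not necessarily a proper one).
        return self.level <= other.level and self.categories <= other.categories

    def comparable(self, other: "AccessClass") -> bool:
        """False for disjoint classes, e.g. SECRET-NUCLEAR versus plain TOP SECRET."""
        return self <= other or other <= self

    def join(self, other: "AccessClass") -> "AccessClass":
        """Least upper bound: the lowest class that dominates both operands."""
        return AccessClass(max(self.level, other.level),
                           self.categories | other.categories)


def secrecy(level: str, *cats: str) -> AccessClass:
    return AccessClass(SECRECY_LEVELS.index(level), frozenset(cats))


def integrity(level: str, *cats: str) -> AccessClass:
    return AccessClass(INTEGRITY_LEVELS.index(level), frozenset(cats))


# Bell-LaPadula: read requires object <= subject, write requires subject <= object.
def blp_read_ok(subject: AccessClass, obj: AccessClass) -> bool:
    return obj <= subject            # simple security property ("no read up")


def blp_write_ok(subject: AccessClass, obj: AccessClass) -> bool:
    return subject <= obj            # confinement (*-) property ("no write down")


# Biba is the dual: every comparison is reversed.
def biba_read_ok(subject: AccessClass, obj: AccessClass) -> bool:
    return subject <= obj            # simple integrity ("no read down")


def biba_write_ok(subject: AccessClass, obj: AccessClass) -> bool:
    return obj <= subject            # integrity confinement ("no write up")


@dataclass(frozen=True)
class Label:
    """Combined access class carried by each file and program: secrecy plus integrity."""
    secrecy: AccessClass
    integrity: AccessClass


def may_read(subject: Label, obj: Label) -> bool:
    return (blp_read_ok(subject.secrecy, obj.secrecy)
            and biba_read_ok(subject.integrity, obj.integrity))


def may_write(subject: Label, obj: Label) -> bool:
    return (blp_write_ok(subject.secrecy, obj.secrecy)
            and biba_write_ok(subject.integrity, obj.integrity))


def trojan_leak_blocked() -> bool:
    """Constructed scenario: a Trojan horse running SECRET-NUCLEAR can read
    SECRET-NUCLEAR data but cannot copy it into an UNCLASSIFIED file, because
    the confinement property refuses the write even though the read is allowed."""
    trojan = Label(secrecy("SECRET", "NUCLEAR"), integrity("USER"))
    source = Label(secrecy("SECRET", "NUCLEAR"), integrity("USER"))
    public = Label(secrecy("UNCLASSIFIED"), integrity("USER"))
    return may_read(trojan, source) and not may_write(trojan, public)


if __name__ == "__main__":
    ts = secrecy("TOP SECRET")
    sn = secrecy("SECRET", "NUCLEAR")
    print("TOP SECRET may read SECRET-NUCLEAR:", blp_read_ok(ts, sn))  # False
    print("classes comparable:", ts.comparable(sn))                    # False
    print("Trojan horse leak blocked:", trojan_leak_blocked())         # True
```

The `join` method is what a system needs when a process has read from two disjoint classes: the process's secrecy class must be raised to the least upper bound of everything it has read before the confinement property can be applied to its later writes. Note that `comparable` returning False is the normal case for categories, not an error; it simply means neither read nor write is permitted in either direction between the two classes.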
Lipner developed a commercial integrity model (Lipner, S. B. Non-Discretionary Controls for Commercial Applications. in Proceedings of the 1982 Symposium on Security and Privacy, Apr. 26-28, 1982. Oakland, Calif.: IEEE Computer Society, pp. 2-10) that uses both the mandatory security and mandatory integrity models to represent a software development environment in a bank. It tied the integrity modeling much closer to reality than the Biba model did, but it was still quite complex. The inventors are not aware of any effort to actually implement the Lipner commercial integrity model.
A more recent development in preventing tampering and sabotage is the Clark and Wilson commercial integrity model (Clark, D. D. and D. R. Wilson. A Comparison of Commercial and Military Computer Security Policies. in 1987 IEEE Symposium on Security and Privacy. Apr. 27-29, 1987. Oakland, Calif.: IEEE Computer Society, pp. 184-194.). They have proposed a model of data integrity that they assert more accurately describes the needs of a commercial application than the Bell and LaPadula lattice security model (Bell, D. E. and L. J. LaPadula, Computer Security Model: Unified Exposition and Multics Interpretation, ESD-TR-75-306, Jun. 1975, The MITRE Corporation, Bedford, Mass.: HQ Electronic Systems Division, Hanscom AFB, Mass.). Clark and Wilson's model focuses on two notions: well formed transactions and separation of duties. Separation of duties is commonly used in commercial organizations to protect against fraud. Clark and Wilson contrasted their work with Lipner's commercial security interpretation of the lattice security and integrity models and concluded that Lipner's commercial model does not adequately deal with limiting data manipulation to specific programs to implement the well formed transactions.
Karger (Karger, P. A. Implementing Commercial Data Integrity with Secure Capabilities, in Proceedings of the 1988 IEEE Symposium on Security and Privacy. Apr. 18-21, 1988. Oakland, Calif. IEEE Computer Society, pp. 130-139) proposed an implementation of Clark and Wilson's commercial security model and showed how a restricted capability model combined with the lattice security model can aid in that implementation. The paper also discusses why Clark and Wilson's security model may present much more difficult problems than the relatively simple lattice security models. In the implementation, audit trails take a much more active role in security enforcement than in previous systems. In particular, access control decisions are based on historical information retrieved from the audit trail, as well as on descriptive rules of who may have access to what. The need for historical audit trails, however, may make such a model impossible to implement on a smart card, due to the extreme lack of memory available to hold the audit data.
A difficult problem in the field of security enforcement is preventing denial of service attacks. This is because there is no good definition of what denial of service actually means. Furthermore, it can be argued informally that detecting and preventing a malicious denial of service attack may be equivalent to solving the Turing machine halting problem. Various systems have been devised for allocating quotas and limiting resource expenditures in computer systems, but none of these have dealt with malicious denial of service attacks that might be implemented in the form of Trojan horses or trap doors. While the integrity models could provide some assistance, denial of service remains a major unsolved problem in computer security.
A method and apparatus control access to files by accessing programs, where files comprise other files, programs and data. The method comprises the steps of assigning an initial access class to each file and to each accessing program. An access class comprises an integrity access class and a secrecy access class. An integrity access class comprises rules governing modification of data contained in files, and a secrecy access class comprises rules governing disclosure of data contained in files. An integrity access class comprises a set of rules for allowing the performance of a read function, and another set of rules for allowing the performance of a write/execute function. An execute function comprises transferring and chaining, where chaining comprises starting another process running at potentially different secrecy and integrity access classes. A secrecy access class comprises a set of rules for allowing the performance of a write function, and another set of rules for allowing the performance of a read/execute function. The respective access classes of the target file, target program, and accessing program are compared. If the comparison results meet the security requirements of the particular function, then the function is performed.