1. Field of the Invention
The present invention relates to the field of inter-networked devices. Specifically, an embodiment of the present invention relates to a method and system of labeling data to transfer data attributes along with the data.
2. Background Art
Estimates of the worldwide damage caused by malware (e.g., viruses, trojan horses, etc.) exceed $1 trillion per year in wasted effort to repair problems, reconstruct damaged data, etc. Trusted operating systems take a proactive approach to the problem by providing strong security features and assurances in accordance with formally stated requirements. They provide a trusted computing base built from the ground up for the purpose of enforcing a security policy (e.g., the set of rules that determine who accesses what and how). The trustworthiness comes from the guarantee, to a certain level of assurance, that all accesses to objects by subjects from software running on the trusted computing base are controlled and cannot compromise the protection mechanisms of the trusted computing base.
Multilevel security is being increasingly considered outside the traditional governmental and military circles, as it has the potential to meet emerging information technology security needs, when combined with other technologies. In order to guarantee that information is protected to a certain level of assurance, multilevel secure operating systems enforce a set of mandatory access control (MAC) rules that can be evaluated according to predefined criteria.
In order to enforce those access controls across a network, routing needs to be controlled so as to select specific network links in accordance with the security policy. Also, hosts need to retrieve the security attributes of data coming from the network and to communicate those of their own processes to remote hosts.
Information in a Multilevel-Secure Operating System, such as Trusted Solaris™, is assigned a label. The label contains attributes used to enforce the access controls required by a security policy. However, the label may be used for purposes other than security. The label of a process (e.g., program) may represent the credentials (e.g., owner, clearance, and privileges) or other attributes of that process. The label of an object (e.g., file, device, etc.) may represent the sensitivity (e.g., confidential, secret, public, engineering use only, etc.), the integrity, or other attributes of the data.
Implicit labeling is one way of labeling information. A conventional implicit labeling scheme dedicates an IPsec (Internet Protocol Security) security association to each sensitivity level, so that the label of a packet is inferred from the security association that carried it rather than from anything in the packet itself. However, implicit labeling has numerous shortcomings. First, scalability is limited when using implicit labeling. Implicitly binding security attributes to a security association may be sufficient when the set of values (e.g., sensitivity levels) is small. However, a label may combine several attributes (e.g., sensitivity level, compartments, integrity), each with many possible values, and a separate security association is then needed for each combination that is actually used, so the number of security associations grows with the product of the attribute value counts.
Another shortcoming of implicit labeling is the cost of establishing the security association. For example, an IPsec security association may be able to scale down to selectively protect a single socket (one connection). However, due to the cost of establishing the security association (including the key exchange), it is more efficient to aggregate the flows by broader selectors, such as host or subnet addresses or transport level port numbers, which is at odds with dedicating a security association to each label.
A further shortcoming of implicit labeling is the inherent difficulty of using the implicit information to route data packets. For example, a router will not necessarily be a member of the security association. Unless the router is a member, it will not know the security attributes of the packets and hence is unable to route based on the attributes.
Explicit labeling is another way of labeling information. One conventional method using explicit labeling is an Internet Protocol Version 4 (IPv4) Security Option. However, this method was designed for only a small, fixed number of possible labels, which are generally not well suited for commercial applications. Furthermore, emerging standards are making IPv4 antiquated.
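As an added illustration, not part of the original application, the following Python encodes and decodes the IPv4 Basic Security Option as laid out in RFC 1108 (option type 130, a one-octet classification level, and one or more protection authority flag octets chained by a continuation bit). The classification table and flag bit positions are taken from that RFC; the exact bit numbering and the treatment of a zero-length flag field are my reading of it. The point it makes concrete is the fixed label space: a label such as "engineering use only" from the discussion above simply has no encoding in this option.

```python
"""Encode/decode the IPv4 Basic Security Option (RFC 1108) to show its fixed label space."""

IPSO_TYPE = 130  # option type of the Basic Security Option

# Classification level octets defined in RFC 1108. Only four usable levels exist;
# the remaining code points are reserved, so no commercial label can be added.
CLASSIFICATION = {
    0x3D: "Top Secret",
    0x5A: "Secret",
    0x96: "Confidential",
    0xAB: "Unclassified",
}
LEVEL_CODE = {name: code for code, name in CLASSIFICATION.items()}

# Protection authority flags in the first flag octet (RFC bit 0 is the MSB here;
# the positions are my reading of the RFC diagram).
AUTHORITY_BITS = {
    0x80: "GENSER",
    0x40: "SIOP-ESI",
    0x20: "SCI",
    0x10: "NSA",
    0x08: "DOE",
}
FTI = 0x01  # field termination indicator: 1 means another flag octet follows


def encode_option(level, authorities=()):
    """Return the option bytes for a level name and a list of authority names."""
    if level not in LEVEL_CODE:
        raise ValueError(f"{level!r} cannot be expressed in the Basic Security Option")
    flags = 0
    for name in authorities:
        bit = next((b for b, n in AUTHORITY_BITS.items() if n == name), None)
        if bit is None:
            raise ValueError(f"unknown protection authority {name!r}")
        flags |= bit
    body = bytes([LEVEL_CODE[level], flags])  # one flag octet, FTI clear = last
    return bytes([IPSO_TYPE, len(body) + 2]) + body


def decode_option(data):
    """Parse an option from the start of `data`; other options may follow it."""
    if len(data) < 3 or data[0] != IPSO_TYPE:
        raise ValueError("not a Basic Security Option")
    length = data[1]
    if length < 3 or length > len(data):
        raise ValueError("bad option length")
    level = data[2]
    if level not in CLASSIFICATION:
        raise ValueError(f"unknown or reserved classification octet 0x{level:02x}")
    flags = data[3:length]
    authorities = []
    for idx, octet in enumerate(flags):
        if idx == 0:  # only the first flag octet carries assigned authority bits
            authorities.extend(n for b, n in AUTHORITY_BITS.items() if octet & b)
        if not octet & FTI:  # terminated: nothing may follow within the option
            if idx != len(flags) - 1:
                raise ValueError("data after terminated protection authority flags")
            break
    else:
        if flags:
            raise ValueError("protection authority flags not terminated")
    return {"level": CLASSIFICATION[level], "authorities": authorities, "length": length}


if __name__ == "__main__":
    # Constructed sample: a Secret packet under GENSER, followed by an End-of-Options octet.
    opt = encode_option("Secret", ["GENSER"]) + b"\x00"
    print(opt.hex(), decode_option(opt))
    try:
        encode_option("engineering use only")  # a commercial label has no code point
    except ValueError as exc:
        print("rejected:", exc)
```

Run as a script it prints the encoded option and then the rejection of the commercial label; `decode_option` returns the consumed length so a caller walking the IPv4 options field can continue past it.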
Therefore, a problem with conventional methods of labeling information is scalability. Another problem with conventional methods is efficiency. Still another problem with conventional methods is not being able to use the labeling information to route data. A further problem is that some methods lack commercial applicability and are becoming antiquated.