The present invention relates to techniques for preventing illegal access to files stored in an information processing system and for ensuring high security.
In an information processing system using a computer, hardware resources are generally utilized efficiently by means of an operating system (OS), which provides the fundamental architecture for executing many application programs.
In the information processing system, files are protected by using a file access control function, which is one of the functions of the OS. Widely used OSes today control file access through discretionary access control (DAC) in many cases. A user or file owner (generally the file creator) arbitrarily sets which users are permitted to access the file and the access type (read only, read and alter, and the like), thereby controlling access to the file.
In such an OS, a user having a special privilege, called the system administrator, is generally permitted to change all settings of the information processing system.
Some dedicated OSes intended for use in high-security environments are provided with a file access control function of mandatory access control (MAC), which is a stricter access control method. For example, to be rated class B1 or higher among the classes defined by the Trusted Computer System Evaluation Criteria (TCSEC) of the U.S.A., one of the evaluation criteria for secure systems, an OS is required to have a mandatory access control function.
TCSEC and mandatory access control are detailed in the document “Department of Defense Trusted Computer System Evaluation Criteria (DOD 5200.28-STD)”, December 1985.
In an information processing system having mandatory access control, all files are assigned security levels (e.g., “top secret”, “secret”, “confidential” and “unclassified”, in descending order of level) and all users are assigned reliability ratings, i.e., permission levels (called clearances) that represent the security levels of the files they may access (e.g., “top secret”, “secret”, “confidential” and “unclassified”, in descending order of level). Based on this information, the system enforces access control mandatorily.
Security functions such as file security levels and user clearance levels of the above-described dedicated OS are often managed by a user called a security administrator, who is distinct from the system administrator. In this case, the information processing system can be managed more securely because neither the file creator nor the system administrator can lower the system security.
In an information processing system whose architecture for preventing illegal access to files relies upon an OS having only the discretionary access control function, the user who owns a file can set the accessible range of that file, so that the user may intentionally or inadvertently leak important information.
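An added example, not taken from the patent text, of the two checks described above applied to one access request: DAC through the owner's permission list, and MAC through file security levels and user clearances. The user names, file names and the write rule (the Bell-LaPadula *-property) are assumptions for illustration.

```python
# Added example (not from the patent text): an access decision combining
# discretionary control (owner-set ACL) with mandatory control (labels, clearances).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}  # ascending


class FileSystem:
    def __init__(self):
        self.files = {}      # name -> {"owner", "level", "acl": {user: set(modes)}}
        self.clearance = {}  # user -> label; assumed set only by the security administrator

    def set_clearance(self, user, level):
        self.clearance[user] = level

    def create_file(self, name, owner, level):
        self.files[name] = {"owner": owner, "level": level, "acl": {owner: {"read", "write"}}}

    # DAC: the owner may grant access to anyone. Under DAC alone this is how an
    # owner leaks a file; the MAC check below blocks it regardless of the ACL.
    def grant(self, name, granter, user, mode):
        if granter != self.files[name]["owner"]:
            raise PermissionError("only the owner may change DAC permissions")
        self.files[name]["acl"].setdefault(user, set()).add(mode)

    def dac_allows(self, name, user, mode):
        return mode in self.files[name]["acl"].get(user, set())

    # MAC: reading needs clearance >= file level ("no read up"). The write rule
    # (clearance <= file level, "no write down") is the Bell-LaPadula *-property,
    # an assumption here; it stops a cleared user copying secrets into a low file.
    def mac_allows(self, name, user, mode):
        c = LEVELS[self.clearance.get(user, "unclassified")]
        lvl = LEVELS[self.files[name]["level"]]
        return c >= lvl if mode == "read" else c <= lvl

    def access(self, name, user, mode):
        return self.dac_allows(name, user, mode) and self.mac_allows(name, user, mode)


def demo():
    """Owner alice (secret) grants bob (confidential) read on a secret file."""
    fs = FileSystem()
    fs.set_clearance("alice", "secret")
    fs.set_clearance("bob", "confidential")
    fs.create_file("plan.txt", "alice", "secret")
    fs.grant("plan.txt", "alice", "bob", "read")
    return {"dac": fs.dac_allows("plan.txt", "bob", "read"),
            "mac": fs.mac_allows("plan.txt", "bob", "read"),
            "final": fs.access("plan.txt", "bob", "read")}
```

In the demo the owner's discretionary grant succeeds, yet the request is denied because the mandatory check does not depend on anything the owner controls.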
In an information processing system having an OS with the mandatory access control function, since such an OS is unfamiliar to users, user application programs must be developed anew, which incurs cost and sacrifices user convenience.
Under these circumstances, techniques capable of improving system safety at low cost have long been desired.