1. Field of the Invention
This invention relates to automated data processing information security, especially in preventing the exposure of restricted data to individuals not authorized to view it, and controlling the flow of labeled data.
2. Description of Prior Art
The field of Automated Data Processing Security is growing rapidly in response to the vast use of ADP equipment within government and industry. Some government systems handle data that bears various levels of classification and handling restrictions. Many private data base systems contain information that relates to individuals to which general access should be restricted. New security tools and practices that provide multiple levels of access privileges to special categories of data are of growing interest in ADP activities.
Often information about employees or individuals is stored on the same automated data processing equipment that is used to store corporate business data. General users of the information processing equipment should not have access to personnel data, which has come to be known as privacy data. Other kinds of data also exist on government and private computers that should have access-limiting controls on them.
Vendors of data base management software sometimes offer protection for data by requiring users attempting to access it to provide additional passwords. But there is evidence that password protection does not protect data if a skilled technician accesses the files through other software or by direct access to the files using utility software. Software vendors that sell operating systems are now attempting to develop software that can be submitted to the Department of Defense Computer Security Division for testing and certification of its secure features. But even certified operating systems fail to provide protection if the computer hardware should malfunction, inadvertently read an area of data storage that was not intended to be addressed, and consequently deliver unexpected data to the user.
Some methods of protection are in use that encrypt or scramble the protected data, and "keys" are required to decrypt or unscramble the data when it is accessed. The additional computer activity to accomplish this results in a very high burden for the computer and slows responses to user requests considerably, which makes this technique very expensive in terms of computer resources.
A large unit of data may be referred to as a record. Many computer protection schemes attempt to protect data at the record level. Record level protection usually means that before an entire record or large body of data is released for access, a security label for the document or record is tested. This label is tested against the known user's access rights. But often there is data within records that should be given different levels of protection. When provided, this is called field level protection; it is provided in some data bases, but is only effective when the data base management system is being used to access the data. A skilled computer user may access the data directly.
For documents in text data bases only the document is labeled, with no field protection available. This is also true for electronic mail. The invention described herein will provide protection for record level and field level data even if other security measures have failed, and even if the computer should malfunction and attempt to send data to an output device to which it should not be delivered.
Within the field of ADP security the language refers to protected objects and authorized processes. A computer program is regarded as a process and all processes must have the correct permissions to access any of the objects within the ADP environment. Records, files, peripherals and even other programs can be labeled objects.
The labeling method herein described can also be an effective security tool for software developers working within a computing environment where several levels of labeled data are handled. Engineers developing software for these multi-level systems are required to design tests within their software that will adequately test the data as it is processed, and verify that the data matches all access rights in effect at that point in time. This can be a difficult problem for a programmer, since the data cannot usually be analyzed by its content to resolve how it should be protected. The program data, when retrieved, are provided with a label for the entire contents of the package, which the program must accept as accurate. It is during the attempt to retrieve data that most access restriction schemes are applied. After the delivery process starts, there is no way for a process to verify that the following blocks of data being delivered are in fact in agreement with the original label. If some retrieval failure occurs, the program cannot evaluate the data to determine whether the label/object integrity is still intact. With no way of determining the security level of the data itself, a non-valid label can cause security failures within a trusted process. If the given label for an object is stored in a file header, or some other location outside the real data, the options available to a programmer to verify that the label is correct for a given object are limited. The ratio of the amount of data protected per label is indicative of the level of risk of a label compare failure. Vastly increasing the labeling within a system would multiply the opportunity to apply security procedures and reduce the level of loss for a single label/object compare failure. The invention described herein vastly increases the labeling within a system and provides a means of limiting losses due to a label/object failure to 79 characters or less.
The system described herein may be an adjunct to existing security methods with little or no re-engineering of the system.
In the prior art most of the security concerns are related to controlling access to a computer and authenticating users. But one idea that is in the prior art (U.S. Pat. No. 4,128,874, Pertl et al., Dec. 5, 1978) was related to addressing some of the problems of data being inadvertently directed out of the computer. The idea was to assign a key field within each word in the computer when stored in memory. After data was retrieved to be output from the computer, the key field which traveled with the data was checked against a lock known to be valid for the output session. If an equipment failure occurred, the output data bearing an inappropriate key field would be tested and detected at the lock, and the data would be stopped. To implement this idea the mainframe computer architecture was re-designed to provide the key field testing in the I/O subassemblies, and system software modification would be required to implement the design. The major architecture changes in the mainframe computer could not be applied retroactively to machines deployed and in service. A very high overhead would be incurred providing space for key fields within every data word. The definition of the data word is interpreted to mean the computer word that the computer used for its bus operations. This key/labeling of every word would mean that every bus operation handling the data would be capable of handling at least one less character per transfer. On a 16 bit processor using 8 bit characters, the key field would occupy some portion of one of the 8 bit fields within the 16 bit word and would preclude the use of that field for transfer of a character. The eight bits so occupied would create a 50% overhead for character data operations on a 16 bit machine, which would seriously degrade throughput. Even a 25% overhead on a 32 bit machine, which is the primary word size in use today, would be a high price in computer resources.
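The following is an added illustration, not code from the patent, of the two ideas in the preceding paragraphs: a per-word key field tested against a lock at the output point (the Pertl et al. scheme above), and the finer-grained in-band labeling the invention proposes, where a label compare failure can lose at most one small unit (79 characters or less). The label format (a short label prefix followed by a colon), the three-level ordering, the sample stream and the simulated misdirected block are all constructed assumptions for this example; the overhead helper only reproduces the 16 bit and 32 bit figures the text gives.

```python
"""Output gate for in-band labeled data units (added example, not the patent's code).

Each unit of data carries its own label inline; the gate checks every unit's
label against the session 'lock' before releasing it, so a malfunction or a
mislabeled header can expose at most one unit (here bounded to 79 characters).
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumed linear ordering of labels, lowest to highest (constructed for this example).
LEVELS = {"U": 0, "C": 1, "S": 2}

# Per-unit bound cited in the text: a label/object failure loses at most this much.
MAX_DATA_CHARS = 79


@dataclass
class Unit:
    label: str
    text: str


def parse_unit(line: str) -> Unit:
    """Parse one in-band labeled unit of the assumed form '<label>:<text>'.

    Anything that does not carry a recognizable label is treated as a failure,
    because the gate cannot judge unlabeled data by its content.
    """
    if ":" not in line:
        raise ValueError("missing in-band label")
    label, text = line.split(":", 1)
    if label not in LEVELS:
        raise ValueError(f"unknown label {label!r}")
    if len(text) > MAX_DATA_CHARS:
        raise ValueError("unit exceeds maximum size")
    return Unit(label, text)


def label_permitted(label: str, lock: str) -> bool:
    """The lock is the highest label the output session is allowed to receive."""
    return LEVELS[label] <= LEVELS[lock]


def output_gate(lines: Iterable[str], lock: str) -> Tuple[List[str], Optional[str]]:
    """Release units one at a time, stopping at the first unit that fails the lock
    or cannot be parsed. Returns (released_text, reason_for_stopping or None)."""
    released: List[str] = []
    for line in lines:
        try:
            unit = parse_unit(line)
        except ValueError as exc:
            return released, f"stopped: {exc}"
        if not label_permitted(unit.label, lock):
            return released, f"stopped: label {unit.label} exceeds lock {lock}"
        released.append(unit.text)
    return released, None


def key_field_overhead(word_bits: int, char_bits: int = 8) -> float:
    """Fraction of character capacity lost when a key field displaces one
    character per bus word, as the text computes for 16 and 32 bit words."""
    return char_bits / word_bits


# Constructed sample stream: a block labeled S appears in a stream meant for a
# session whose lock is C, simulating the misdirected data the text describes.
SAMPLE_STREAM = [
    "U:public notice",
    "C:internal memo",
    "S:restricted detail",  # simulated misdirected unit
    "C:another memo",
]

if __name__ == "__main__":
    released, reason = output_gate(SAMPLE_STREAM, lock="C")
    print("released:", released)
    print("reason:", reason)
    for bits in (16, 32):
        print(f"{bits}-bit word, 8-bit key field: {key_field_overhead(bits):.0%} overhead")
```

Because every unit carries its own label, the gate needs no knowledge of how the stream was retrieved or what its file header claimed; the delivery stops at the first unit whose label does not match the lock, and the remaining units after it are never released.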
The overhead may be acceptable for some very heavy security facilities, but is not likely to be acceptable for a private enterprise that may wish to provide some protection for privacy data.
It is generally accepted that additional controls are needed to secure data on most machines. If a user should circumvent a data protection scheme, all the data thus protected becomes available to him. A method of limiting losses from a given security failure will enhance a system's general security by increasing the amount of time an intruder would spend attempting to steal a given quantity of information. This increase in effort limits the total quantity of data that can be stolen over a given amount of time, the "bandwidth of a covert channel" as it is called, and exposes the channel to audit trails and other forms of detection if the intruder persists in his attempts for extended periods.