1. Technical Field
The present invention relates to system security for computer-related devices, and more particularly to models based on fuzzy logic for multiple security levels.
2. Description of the Related Art
The traditional multi-level secure (MLS) mandatory access control is based on the Bell-LaPadula model (See, David E. Bell and Leonard J. LaPadula; “Computer Security model: Unified Exposition and Multics Interpretation”; Technical Report ESD-TR-75-306, The MITRE Corporation, Bedford, Mass., HQ Electronic Systems Division, Hanscom AFB, Mass., June 1975), where each subject or object is tagged with a <sensitivity level (SL), categories set (CS)> tuple. All such tuples in a system form a partial-order relation set where <SL1,CS1> ≧ <SL2,CS2> if and only if SL1 ≧ SL2 and CS1 ⊃ CS2. Information can flow from a source to a destination only if tag_destination ≧ tag_source; the source or destination can be either a subject or object. So a subject can read an object only if tag_subject ≧ tag_object. A subject is usually a person or an application running on behalf of a person; its sensitivity level reflects the degree of trust placed on the subject; its categories set specifies the categories of objects the subject has a need to know or to access. A subject's sensitivity level is also called the subject's clearance.
An object is usually a data storage element such as a file or data transportation apparatus such as a network connection; its sensitivity level indicates how sensitive the data are or the magnitude of the damage incurred by an unauthorized disclosure of the data; its categories set specifies the categories to which the data belong.
This kind of traditional MLS model is time-honored and has been in practice since before computers came into wide existence. The model is easy to understand, and access control decisions based on it are easy to make by simply comparing two tags. If the tags associated with a subject and an object correctly reflect the subject's trustworthiness, need-to-know and the object's sensitivity and categories, then the access control decision is likely to avoid leakage of the information in the object and therefore the risk associated with such leakage. In short, the model is geared toward risk avoidance.
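The tag comparison described above, written out as an added example that is not part of the original text. The level names, category names and sample tags are constructed, and the containment of categories sets is read as non-strict (superset or equal) so that every tag dominates itself.

```python
from dataclasses import dataclass

# Constructed sensitivity levels (assumption: a totally ordered scale).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Tag:
    """A <sensitivity level, categories set> tuple."""
    sl: str
    cs: frozenset

    def dominates(self, other: "Tag") -> bool:
        # <SL1,CS1> >= <SL2,CS2> iff SL1 >= SL2 and CS1 contains CS2.
        # Assumption: containment is non-strict (superset or equal),
        # so that a tag dominates itself.
        return LEVELS[self.sl] >= LEVELS[other.sl] and self.cs >= other.cs


def tag(sl, *cats):
    return Tag(sl, frozenset(cats))


def can_flow(source: Tag, destination: Tag) -> bool:
    """Information may flow only if tag_destination >= tag_source."""
    return destination.dominates(source)


def can_read(subject: Tag, obj: Tag) -> bool:
    # A read moves information from the object to the subject.
    return can_flow(source=obj, destination=subject)


def can_write(subject: Tag, obj: Tag) -> bool:
    # By the same flow rule, a write moves information from subject to object.
    return can_flow(source=subject, destination=obj)


def comparable(a: Tag, b: Tag) -> bool:
    # The order is partial: some pairs of tags dominate in neither direction.
    return a.dominates(b) or b.dominates(a)


# Constructed sample tags.
analyst = tag("SECRET", "CRYPTO", "NUCLEAR")
report = tag("CONFIDENTIAL", "CRYPTO")
plan = tag("SECRET", "LOGISTICS")
memo = tag("TOP_SECRET", "CRYPTO", "NUCLEAR")
```

The `plan` tag has the same sensitivity level as `analyst` but a disjoint categories set, so the two tags are incomparable and information may flow in neither direction.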
The traditional MLS model does have some drawbacks, however. Especially in today's environment where the need for information is ever greater, a subject may not be associated with a proper tag that would grant access to those objects which are needed to complete a job. Since a subject's tag reflects the degree of trust placed on the subject, it would be a bad practice to dynamically adjust the tag to a particular job. In other words, the policy model may not be flexible enough to permit a system or an organization to fulfill its goals and responsibilities.