1. Field of the Invention
The present invention relates to a method, program, and computer system for switching a folder to be accessed based on a confidential mode, and more particularly to a file access control scheme according to security levels.
2. Description of the Related Art
A scheme for strengthening access control over files and similar resources in a computer is known in conventional file access control methods. In this scheme, security levels such as "confidential" and "normal" are assigned in advance both to each access target (object), such as a file, and to each access subject (subject), such as a user process. Whether a subject may access an object is determined by comparing the security levels of the subject and the object. This scheme is generally called "multi-level security (MLS)".
The concept of MLS has been put into practice as mandatory access control (MAC) in various "trusted OSs", that is, operating systems that have attracted attention for their strengthened security functions. Under this mandatory access control, a user process cannot write to a file whose security level is lower than that of the process (the "NWD principle: No Write-Down Principle") and, conversely, cannot read a file whose security level is higher than that of the process (the "NRU principle: No Read-Up Principle"). In this manner, information at a high security level is strictly prevented from being transferred to a user who holds only a low security level. In place of the NWD principle, a stricter rule under which a user process may write only at its own security level is also often used; this prevents a file from being raised to an unintended security level, at the cost of flexibility.
With respect to a scheme of implementing the file access control according to security levels as described above, there have been two known implementation schemes as follows.
(First Conventional Technique)
In one of the known schemes, each file carries attribute information recording its security level. At the time of file I/O (input/output), this attribute information is compared with the security level of the currently running process, and if the access would violate the NWD principle or the NRU principle, the access to the file is blocked. This is carried out by a specially created, dedicated file system. If a process accesses a file whose security level is lower than the process's own, the security level of the file is raised to that of the process.
(Second Conventional Technique)
Another of the schemes is implemented in Trusted Solaris (commercial name) manufactured by SUN MICROSYSTEMS, INC. In this scheme, two kinds of special directories, a multi-level directory (MLD) and a single-level directory (SLD), are provided to correspond to the confidential modes. The MLD is a special directory that allows plural SLDs to be located directly below it. The SLD is a special directory that corresponds one-to-one to a particular security level. By combining these special directories, the directories visible to a user can be matched to the security level of the user.
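The MLD/SLD arrangement just described, modelled as an added example (not code from the patent and not Trusted Solaris's real implementation): a multi-level directory holds one single-level directory per security level, and every path a process uses beneath the MLD is redirected to the SLD matching that process's level. The MLD path `/home/alice`, the two level names and the `.SLD.<level>` naming of the hidden subdirectories are assumptions made for the example.

```python
"""Second conventional technique modelled: a multi-level directory (MLD)
containing one single-level directory (SLD) per security level, so that each
process sees only the SLD that corresponds to its own level.

Constructed example; the MLD path, the level names and the '.SLD.<level>'
naming are assumptions, not the real Trusted Solaris layout."""
from pathlib import PurePosixPath

LEVELS = ("normal", "confidential")   # assumed set of security levels


class MultiLevelDirectory:
    def __init__(self, mld_path):
        self.mld = PurePosixPath(mld_path)
        # one SLD per level, located directly below the MLD
        self.slds = {lvl: self.mld / f".SLD.{lvl}" for lvl in LEVELS}
        # physical path -> content; an in-memory stand-in for real storage
        self.disk = {}

    def resolve(self, path, level):
        """Map a path as seen by a process running at `level` to its physical
        location.  Paths beneath the MLD are redirected into that level's SLD;
        paths outside the MLD are ordinary single-level paths and pass through."""
        p = PurePosixPath(path)
        if p == self.mld or self.mld in p.parents:
            return self.slds[level] / p.relative_to(self.mld)
        return p

    def write(self, path, level, data):
        phys = self.resolve(path, level)
        self.disk[phys] = data
        return str(phys)

    def read(self, path, level):
        return self.disk.get(self.resolve(path, level))

    def listdir(self, path, level):
        """Directory listing as observed by a process at `level`: only the
        entries of the matching SLD are visible."""
        base = self.resolve(path, level)
        return sorted(str(p.relative_to(base)) for p in self.disk if base in p.parents)


def config_file_scenario():
    """Both modes write 'app.conf' under the same visible path, but the writes
    land in different SLDs, so each mode keeps its own configuration file."""
    home = MultiLevelDirectory("/home/alice")
    home.write("/home/alice/app.conf", "normal", "theme=light")
    home.write("/home/alice/app.conf", "confidential", "theme=dark")
    return (
        home.read("/home/alice/app.conf", "normal"),
        home.read("/home/alice/app.conf", "confidential"),
        home.listdir("/home/alice", "normal"),
    )


if __name__ == "__main__":
    print(config_file_scenario())
```

The scenario function reproduces the configuration-file split the description later lists as a drawback of this technique: the same visible path yields a different file for each mode, so a setting changed in confidential mode is not seen in normal mode.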
Conventional-art documents relating to the above schemes include the following: JP-A-2002-288030, JP-A-2004-126634, JP-A-1996-249238, and JP-A-1998-312335.
As described above, a technique (the first conventional technique) that manages files by giving each file an attribute recording its security level, and another technique (the second conventional technique) that arranges directories divided by security level, are known as conventional art practising MLS. Each of these techniques enhances an existing file system, and the following problems have arisen as a result.
A first problem is that the user has difficulty working with processes of one application (AP) running simultaneously in the normal mode and the confidential mode. This is because, in the first conventional technique, if both APs output the same temporary file, their security levels conflict with each other, and the applications therefore cannot coexist. This restricts the operation of the AP.
A second problem is that different configuration files inevitably have to be used in the normal mode and the confidential mode, so the user is confused by differences in the settings of the operating environment between the modes. In the first conventional technique this happens because, if a configuration file is updated in the confidential mode, the security level of the file is raised and it can no longer be read by a process at the normal level. In the second conventional technique, on the other hand, the directories in which the configuration files are located are different single-level directories.
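The first conventional technique, modelled as an added example that is not the patent's own code: each file carries a security-level attribute, every read and write is checked against the calling process under the NRU and NWD principles (with the stricter "write only at the same level" rule selectable), and accessing a lower-level file raises the file to the process's level. The level names, the in-memory file table and the `app.conf` scenario are assumptions; the scenario reproduces the configuration-file problem described above, where a file updated in confidential mode becomes unreadable from a normal-mode process.

```python
"""First conventional technique modelled: a per-file security-level attribute,
checked at I/O time against the calling process (NRU / NWD), with the file's
level raised to the process level whenever a lower-level file is accessed.

Constructed example; the two levels, the in-memory file table and the
scenario below are assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NORMAL = 0
    CONFIDENTIAL = 1


class AccessDenied(Exception):
    """Raised when a request would violate the NRU or NWD principle."""


@dataclass
class File:
    name: str
    level: Level        # per-file security-level attribute
    content: str = ""


@dataclass
class Process:
    pid: int
    level: Level        # security level of the access subject


class LevelledFileSystem:
    def __init__(self, raise_on_access=True, write_same_level_only=False):
        self.files = {}
        self.raise_on_access = raise_on_access            # first technique's level raise
        self.write_same_level_only = write_same_level_only  # stricter NWD variant

    def _lookup(self, proc, name, create):
        f = self.files.get(name)
        if f is None:
            if not create:
                raise FileNotFoundError(name)
            # a newly created file takes the level of the creating process
            f = self.files[name] = File(name, proc.level)
        # first conventional technique: accessing a lower-level file raises it
        if self.raise_on_access and f.level < proc.level:
            f.level = proc.level
        return f

    def read(self, proc, name):
        f = self._lookup(proc, name, create=False)
        if f.level > proc.level:          # NRU: no read-up
            raise AccessDenied(f"pid {proc.pid}@{proc.level.name} cannot read {name}@{f.level.name}")
        return f.content

    def write(self, proc, name, data):
        f = self._lookup(proc, name, create=True)
        if self.write_same_level_only:
            allowed = f.level == proc.level   # write only at the process's own level
        else:
            allowed = f.level >= proc.level   # NWD: no write-down
        if not allowed:
            raise AccessDenied(f"pid {proc.pid}@{proc.level.name} cannot write {name}@{f.level.name}")
        f.content = data
        return f.level


def is_denied(fn, *args):
    """True if calling fn(*args) is blocked by the access check."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def config_file_scenario():
    """A config file created in normal mode is updated in confidential mode,
    which raises its level; the normal-mode process can then no longer read it."""
    fs = LevelledFileSystem()
    normal = Process(1, Level.NORMAL)
    confidential = Process(2, Level.CONFIDENTIAL)
    fs.write(normal, "app.conf", "theme=light")        # created at NORMAL
    fs.write(confidential, "app.conf", "theme=dark")   # raised to CONFIDENTIAL
    return fs.files["app.conf"].level, is_denied(fs.read, normal, "app.conf")


if __name__ == "__main__":
    print(config_file_scenario())   # (<Level.CONFIDENTIAL: 1>, True)
```

With `raise_on_access=False` the same file system behaves as plain MAC: the confidential process's write to the normal-level file is refused outright under NWD, and `write_same_level_only=True` additionally refuses the normal process's write-up into a confidential file.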
A third problem is that there is no compatibility with existing file systems. It is therefore difficult to port an application that was written on the assumption that access rights are managed by an existing file system. This is because the file system is enhanced either by giving each file extended attribute information or by providing a unique directory attribute.