Historically, access control models are classified in two broad categories: discretionary and mandatory. Traditional operating systems rely on discretionary access control (DAC) mechanisms for system security. However, these mechanisms are vulnerable to tampering and bypass. Discretionary access control mechanisms are based purely on user identity and file ownership and are relatively easy to compromise. This is due to the existence of a superuser that has unlimited access. Once superuser status is granted to a process, it can access all critical data and execute any program, including malicious code, whether intentionally or unwittingly. Mandatory access control (MAC) mechanisms, on the other hand, can be defined to enforce security policies over all the objects and subjects in the system, including the superuser. Minimum privileges can be configured for each user, object or subject. Even processes initiated by the superuser may not access an object unless permitted by the current security policy and the security properties of the process and the object being accessed.
Access control mechanisms can be classified according to an access matrix model that identifies subjects (typically processes) and objects (such as files) and that assigns privilege sets. The access matrix model organizes the security of a system into a two-dimensional matrix of authorizations, in which each subject-object pair corresponds to a set of allowed access modes. Access matrix models can be further classified into two groups: those that allow no privilege revision (NPR) and those that do allow privilege revision (PR). In systems based on NPR models, the privileges of subjects never change, while systems based on PR models permit the privileges of certain subjects to change. How privileges are changed depends on the fundamental operations that trigger the revision. Privilege revision (PR) models may be further divided into privilege revision on invocation (PRI) models, privilege revision on observe (PRO) models and privilege revision on modify (PRM) models.
Existing mandatory access control mechanisms have largely focused on processes. Thus processes are carefully evaluated to check whether a requested operation should be granted, while objects are normally passive. Mandatory access control mechanisms employ security models or security policies to dictate whether a requested operation should be granted. Some such policies concentrate on confidentiality (the Bell-LaPadula model, for example) while others concentrate on integrity (the Biba and Clark-Wilson models, for example). A popular integrity protection model in use today is the Low Water-Mark mandatory access control mechanism. The Low Water-Mark mechanism was first proposed by Biba as a PR model. The Low Water-Mark model defines two functional parts: access mediation and access monitoring. In the Low Water-Mark model all subjects (processes) and objects (files, etc.) are assigned an integrity level. Subjects are typically assigned the integrity level of the file containing the program being executed by the subject. One example of an implementation of the Low Water-Mark mandatory access control mechanism is LOMAC for the Linux kernel.
According to the Low Water-Mark model, when a subject accesses an object, the integrity level of the subject is compared with the integrity level of the object. If the subject's integrity level is greater than or equal to the integrity level of the object, the access is allowed to proceed (subject to the normal Linux DAC mechanism, for example). Otherwise access is denied. This comprises the access mediation or control part of the two-part model. If the access is allowed (by both LOMAC and the normal Linux DAC, for example) and the access is a read operation (that is, an observe operation), then the integrity level of the subject is set to the integrity level of the object (a possible reduction). This comprises the access monitoring part of the two-part model.
There are several mechanisms to modify and/or bypass this behavior in certain policy-defined cases. Biba's Low Water-Mark mandatory access control utilizes “no write-up” rules to protect the integrity of the system. Each subject and object in the system carries a security level indicating its integrity level. If a higher integrity subject reads from a lower integrity object, its integrity level is demoted to the level of the object it read from. After the demotion, the subject cannot write to the higher integrity objects. This protects against scenarios, such as a Trojan riding on superuser status, in which a process would overwrite higher integrity data after accessing lower integrity malicious code. Overall, the Low Water-Mark mandatory access control mechanism is simple and mostly effective in fending off integrity attacks. However, it does not protect higher integrity data from leaking.
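As an added example (not from the original text or from LOMAC itself), the following Python simulates the two-part model exactly as described above: mediation allows an access only when the subject's integrity level is at least the object's, and an allowed observe operation then sets the subject's level to the object's. It replays the Trojan-on-superuser scenario; the level values, subject names and file paths are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed integrity levels: a larger number means more trusted.
HIGH, LOW = 2, 1


@dataclass
class Subject:
    name: str
    level: int
    # Audit trail of decisions so a defender can see what was denied and why.
    log: List[str] = field(default_factory=list)


@dataclass
class Obj:
    name: str
    level: int
    data: str = ""


def mediate(subject: Subject, obj: Obj) -> bool:
    """Access mediation: proceed only if the subject's level >= the object's."""
    return subject.level >= obj.level


def read(subject: Subject, obj: Obj) -> Optional[str]:
    """Observe operation: mediation first, then low water-mark monitoring."""
    if not mediate(subject, obj):
        subject.log.append(f"DENY read {obj.name}")
        return None
    # Access monitoring: the subject takes the object's level. Because
    # mediation already guaranteed subject.level >= obj.level, this can
    # only lower the subject (the "low water-mark"), never raise it.
    subject.level = obj.level
    subject.log.append(f"ALLOW read {obj.name}; level now {subject.level}")
    return obj.data


def write(subject: Subject, obj: Obj, data: str) -> bool:
    """Modify operation: the 'no write-up' rule is enforced by mediation."""
    if not mediate(subject, obj):
        subject.log.append(f"DENY write {obj.name} (no write-up)")
        return False
    obj.data = data
    subject.log.append(f"ALLOW write {obj.name}")
    return True


def trojan_scenario() -> Tuple[bool, str, int, List[str]]:
    """A superuser process reads untrusted code, then tries to overwrite trusted data."""
    root_shell = Subject("root-shell", HIGH)
    passwd = Obj("/etc/passwd", HIGH, "root:x:0:0")          # constructed
    dropper = Obj("/tmp/dropper.sh", LOW, "echo untrusted")  # constructed
    read(root_shell, dropper)                      # allowed, but demotes the shell to LOW
    ok = write(root_shell, passwd, "evil:x:0:0")   # denied: LOW < HIGH
    return ok, passwd.data, root_shell.level, root_shell.log
```

The same simulation also shows the model's weakness noted above: nothing stops a LOW-level subject from reading LOW data that a demoted HIGH subject has just written, so confidentiality is not addressed.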
Traditionally, the security labels on objects only determine whether a subject can read from or write to them. The traditional role-based security in operating systems such as Linux lets each object carry a permission that specifies whether a given type of user can access the object. For example, some files can be read, written or executed by users within the same group. However, the object does not specify whether its contents may only be written into objects of certain integrity levels.