1. Field of the Invention
The present invention relates to implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme.
2. Description of the Related Art
Access control systems in data processing environments are generally classified as either Mandatory Access Control (MAC) or Discretionary Access Control (DAC). DAC is defined as a means of restricting access to objects based on the identity of subjects (users and/or the groups to which they belong) and their need-to-know. Controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (directly or indirectly) to any other subject. DAC systems permit owners to entirely determine the access granted to their resources. Consequently, in DAC systems owners may accidentally or maliciously grant access to unauthorized users (“unauthorized” as defined by the organization's security officers).
Mandatory access control (MAC) is a kind of access control that restricts access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of users to access information of such sensitivity. Authorization is contingent on a formalized process that documents the prerequisite trust in the individual gaining access. An important feature of MAC is that users are denied full control over access to the resources they create: the system security policy (as set by the administrator) determines the access rights granted, and a user may not grant less restrictive access to their resources than the administrator specifies.
In a MAC system, permissions are set by an administrative authority and cannot be overridden by users; even file owners are not permitted to grant less restrictive access than that set by the administrator. While the MAC model may be found in some specialized operating systems such as those used by military organizations, common operating systems such as various versions of MICROSOFT WINDOWS® or Unix variants natively implement the DAC model (later releases have added MAC-style extensions, for example SELinux on Linux and mandatory integrity control on Windows Vista and later, but the native file-permission model remains discretionary).
The two security models are not mutually exclusive. In a MAC system the permissions allowed for an object are determined by the system policy set by the administrator. These permissions are an upper bound: users may still grant more restrictive access to objects they own, but never less. If the upper bound for an object permits access by any user, the MAC model behaves exactly as DAC, since only the owner's discretionary settings then constrain access.
Enforcing the DAC model requires only verification of access rights for each individual user operation and needs no state information. In the MAC model, a sequence of independently allowed operations may lead to an unauthorized result. For example, a user cleared to read a classified document may read it and then write the same contents to a file labelled for unrestricted access; judged in isolation against the user's clearance and each object's label, both operations appear permissible, yet together they leak classified information. Thus a MAC system is required to track system state (for example, the most sensitive label a subject has read so far) and prohibit transitions that would breach the security policy.
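The following is an added example, not part of the original document, showing the distinction drawn above in working code: a stateless DAC check (owner plus ACL), a MAC check that treats the administrator's labels as the upper bound, and a per-subject high-water mark that rises on every read so that the read-then-write-down sequence is refused even though each step would be allowed on its own. The level names, users, objects and ACLs are constructed for this example; the stricter rule that writes must also fall within the subject's clearance is a design choice here, not something the text specifies.

```python
"""Reference-monitor sketch: stateless DAC plus stateful MAC (example code,
constructed for illustration; labels, users and objects are made up)."""
from dataclasses import dataclass, field

# Hypothetical ordered sensitivity levels, least sensitive first.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class Obj:
    name: str
    owner: str
    label: str                                   # MAC label set by the admin
    acl: dict = field(default_factory=dict)      # DAC: user -> {"r", "w"}


@dataclass
class Subject:
    user: str
    clearance: str                               # MAC clearance set by the admin
    # State: the most sensitive label this subject has read in this session.
    # Starts at the lowest level so a fresh subject may still write anywhere
    # its clearance allows.
    high_water: str = LEVELS[0]


def dac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Stateless DAC: the owner has full control; others need an ACL entry."""
    if subj.user == obj.owner:
        return True
    return mode in obj.acl.get(subj.user, set())


def mac_allows(subj: Subject, obj: Obj, mode: str) -> bool:
    """Stateful MAC (Bell-LaPadula style with a rising high-water mark).

    read : no read up    -> object label <= clearance
    write: no write down -> object label >= high-water mark,
           and (design choice here) object label <= clearance
    """
    if mode == "r":
        return RANK[obj.label] <= RANK[subj.clearance]
    if mode == "w":
        return (RANK[subj.high_water] <= RANK[obj.label]
                <= RANK[subj.clearance])
    raise ValueError(f"unknown mode {mode!r}")


def access(subj: Subject, obj: Obj, mode: str) -> bool:
    """MAC is the upper bound; DAC may only restrict further.

    A granted read raises the subject's high-water mark, so a later write
    to a lower-labelled object is refused even if DAC would permit it.
    """
    if not mac_allows(subj, obj, mode):
        return False
    if not dac_allows(subj, obj, mode):
        return False
    if mode == "r" and RANK[obj.label] > RANK[subj.high_water]:
        subj.high_water = obj.label
    return True


def run_scenario() -> dict:
    """Constructed scenario exercising the three cases from the text."""
    secret_doc = Obj("secret_doc", owner="root", label="SECRET",
                     acl={"alice": {"r"}, "carol": {"r"}})
    scratch = Obj("scratch", owner="alice", label="PUBLIC")
    alice = Subject("alice", clearance="SECRET")
    bob = Subject("bob", clearance="SECRET")
    carol = Subject("carol", clearance="PUBLIC")

    results = {}
    # Each step allowed on its own ...
    results["alice_write_scratch_before"] = access(alice, scratch, "w")
    results["alice_read_secret"] = access(alice, secret_doc, "r")
    # ... but the sequence read-classified-then-write-down is refused.
    results["alice_write_scratch_after"] = access(alice, scratch, "w")
    # DAC restricts within the MAC bound: bob is cleared but not on the ACL.
    results["bob_read_secret"] = access(bob, secret_doc, "r")
    # DAC cannot exceed the MAC bound: carol is on the ACL but not cleared.
    results["carol_read_secret"] = access(carol, secret_doc, "r")
    return results


if __name__ == "__main__":
    for case, allowed in run_scenario().items():
        print(f"{case:32s} {'ALLOW' if allowed else 'DENY'}")
```

Note that `scratch` is owned by alice, so DAC alone would let her write it at any time; only the high-water state carried in `Subject` turns the second write into a denial. Real MAC implementations differ in where that state lives (a floating process label, a fixed session level, or labels attached to file descriptors), but all of them need something beyond the per-operation check that DAC requires.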
The DAC security model provided by common operating systems may not be adequate for the needs of an organization. An add-on product may offer an alternative security model by modifying the rules used to determine the access that users are granted to resources.
A need arises for a technique by which a mandatory access control (MAC) model may be implemented in an operating system that natively uses a discretionary access control scheme.