Operating systems are typically computer programs, or sets of computer programs, that are loaded into a computer's memory and executed in order to control the subsequent operation of the computer. However, an operating system can also be embedded in firmware or hardware, for example in portable devices such as mobile telephones and PDAs.
Most traditional computer operating systems offer some kind of logical protection of data in the form of access controls, under which access can be granted to or denied from specific people or groups of people. Generally, in a system that offers discretionary access control (DAC), a user (as opposed to an administrator) is able to assign permissions to their own data, which permit or deny others (or groups of others) access to that data. This is adequate for individuals. However, some organisations, military and government organisations in particular, require the ability to control access to information more closely. For example, top secret information should not be visible to most people in an organisation; restricted information, as the label suggests, should not be generally available; whereas unrestricted information may be available for access by anyone in the organisation.
Accordingly, secure operating systems are known, which provide greater access control over an organisation's information. Typically, secure operating systems associate additional classifications or labels with files and apply so-called mandatory access control (MAC), which provides a means of restricting access to the files based on their sensitivity (for example, as represented by a sensitivity label). In contrast to DAC, under MAC a user does not have the right to determine who sees their data: only users having a compatible clearance are permitted to see the data. For example, a user with top secret clearance would not have the ability to permit others with a lesser clearance to see their data.
MAC can be expressed in terms of “compartments”. In practice, a compartment is typically a logical construct having an identifier such as a name, to which is applied a set of administrator-configured access control rules that define the compartment. Compartment rules are used to permit access only to those resources (such as files, processes and inter-process communication methods) necessary for an application to execute. These rules apply both to users and to processes that have permission to operate in the compartment, and, accordingly, unless otherwise stated or unless the context dictates otherwise, such users and processes will be referred to herein generally as “entities”.
Thus, entities operating within a compartment can by default only access files, other processes and resources that are defined to be accessible in the same compartment, unless specific MAC rules are provided to the contrary.
Compartments can provide an isolated runtime environment for an application, wherein the compartment rules allow access to only those resources that are necessary for the application to execute. This increases the likelihood that, even when an application is compromised, the damage is limited only to the compartment(s) where the application is running.
In addition to controlling access to file systems and the like, it is known for MAC to be used to control access to resources that are outside of a compartment, such as network end-points and, more particularly, network services, by defining MAC rules which grant or deny access to particular communications interfaces of a computing platform. As used herein, the term “network (or networked) service” refers to a computer program which runs on a remote computer, or server, in a distributed computing environment of networked computers. Network services can be accessed, invoked, or “called” from a client (for example a host running a secure operating system) which is remote from the server running the service. Examples of network services are RPC services (such as ypserv, mountd, etc.), Web sites, X-terminals and FTP sites, to name just a few of the well-known services.
The ability to control access to network services increases security by providing mechanisms for preventing an entity from accessing network services that may have been, or may in future be, compromised. One of the most common attacks against a network service is a denial-of-service attack, which floods the service (or the server running the service) with dummy requests in an attempt to render the service unavailable to legitimate users; such an attack affects availability, whereas a service whose code or host has been taken over by an attacker may in addition be used against the clients that call it.
One known way of defining MAC for resource access is based on so-called labelled security protection profiles (LSPP), where the resource (for example, a network end-point) is arranged to carry a label that specifies the access control policy on the resource. However, implementing MAC in this way requires a significant amount of effort and adaptation of traditional applications and operating systems. A known simpler way of defining MAC for resource access is based on using access control rules which are specified for each individual compartment. Such rules typically use TCP (or UDP) port numbers to identify network end-points, for example network services. Many network services use well-known, pre-assigned port numbers; for example, HTTP uses TCP port 80, POP3 uses port 110 and IRC has the assigned port 194 (although port 6667 is more common in practice). In such cases, it is possible to grant or deny access to the services by granting or denying access to the respective ports using MAC rules. However, some network services, such as RPC services and X-terminal services, do not use pre-assigned port numbers: the port numbers are allocated dynamically at run time (an RPC service, for instance, binds whatever port it is given at start-up and registers it with the portmapper, which clients query to find the service), and it is, therefore, not possible to grant or deny access to the service by specifying its port number in compartment rules. In the absence of such access control, if any such network service is compromised, then it may not be easy to contain or control the damage that can be done to an otherwise secure system.
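The following Python sketch is an added illustration of the compartment-rule model described above and of the dynamic-port problem; it is not code from the specification or from any real secure operating system. The class and function names (CompartmentPolicy, Rule, Portmapper, the two scenario functions), the “web” and “nfsclient” compartments, the rule sets and the port numbers are all constructed for the example. The evaluator is default-deny, lets a deny rule override an allow rule, and matches network resources by exact port or port range, which is exactly what a static port-number rule can and cannot express:

```python
"""Toy compartment-based MAC evaluator (illustrative only; constructed example)."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    """One administrator-configured compartment rule (hypothetical format).

    kind   : "file" (target is a path or path prefix) or
             "net"  (target is "tcp:<port>" or a range "tcp:<lo>-<hi>")
    allow  : True grants access, False denies it; deny rules win over allow rules.
    """
    compartment: str
    kind: str
    target: str
    allow: bool = True


class CompartmentPolicy:
    """Default-deny evaluator: an entity in a compartment may touch a resource
    only if an allow rule for that compartment matches and no deny rule does."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def _matches(self, rule: Rule, kind: str, target: str) -> bool:
        if rule.kind != kind:
            return False
        if kind == "file":
            prefix = rule.target.rstrip("/") + "/"
            return target == rule.target or target.startswith(prefix)
        # Network rule: compare protocol, then exact port or inclusive range.
        proto, _, port_spec = rule.target.partition(":")
        tproto, _, tport = target.partition(":")
        if proto != tproto:
            return False
        if "-" in port_spec:
            lo, hi = (int(x) for x in port_spec.split("-"))
            return lo <= int(tport) <= hi
        return int(port_spec) == int(tport)

    def decide(self, compartment: str, kind: str, target: str) -> bool:
        matched = [r for r in self.rules
                   if r.compartment == compartment and self._matches(r, kind, target)]
        if any(not r.allow for r in matched):
            return False          # an explicit deny always wins
        return any(r.allow for r in matched)   # otherwise: allowed iff some allow rule matched

    def check_file(self, compartment: str, path: str) -> bool:
        return self.decide(compartment, "file", path)

    def check_net(self, compartment: str, proto: str, port: int) -> bool:
        return self.decide(compartment, "net", f"{proto}:{port}")


class Portmapper:
    """Stand-in for an RPC portmapper: each RPC program is handed a port when it
    starts and registers it here; clients look the port up by program name."""

    def __init__(self, seed: int = 1):
        self._rng = random.Random(seed)
        self._table: Dict[str, int] = {}

    def register(self, program: str) -> int:
        port = self._rng.randint(32768, 60999)   # constructed ephemeral range
        self._table[program] = port
        return port

    def lookup(self, program: str) -> int:
        return self._table[program]


# Constructed rule set for a "web" compartment: only its document root and the
# well-known HTTP/HTTPS ports are reachable; /etc/shadow is explicitly denied.
WEB_RULES = [
    Rule("web", "file", "/var/www"),
    Rule("web", "file", "/etc/shadow", allow=False),
    Rule("web", "net", "tcp:80"),
    Rule("web", "net", "tcp:443"),
]


def static_port_scenario() -> Dict[str, bool]:
    """Services with pre-assigned ports can be granted or denied by port number."""
    policy = CompartmentPolicy(WEB_RULES)
    return {
        "www_file": policy.check_file("web", "/var/www/index.html"),     # True
        "shadow_file": policy.check_file("web", "/etc/shadow"),          # False
        "http": policy.check_net("web", "tcp", 80),                      # True
        "ssh": policy.check_net("web", "tcp", 22),                       # False
    }


def dynamic_port_scenario(seed: int = 1) -> Dict[str, bool]:
    """An "nfsclient" compartment needs mountd, whose port is known only after the
    server starts. Neither way of writing a port rule gives the intended result."""
    pm = Portmapper(seed)
    mountd_port = pm.register("mountd")
    rogue_port = pm.register("rogue")        # some other dynamically bound service
    # Attempt 1: guess a fixed port before start-up (20048 is a constructed guess).
    strict = CompartmentPolicy([Rule("nfsclient", "net", "tcp:111"),
                                Rule("nfsclient", "net", "tcp:20048")])
    # Attempt 2: open the whole range mountd might land in.
    coarse = CompartmentPolicy([Rule("nfsclient", "net", "tcp:111"),
                                Rule("nfsclient", "net", "tcp:32768-60999")])
    return {
        "strict_reaches_mountd": strict.check_net("nfsclient", "tcp", mountd_port),  # False
        "coarse_reaches_mountd": coarse.check_net("nfsclient", "tcp", mountd_port),  # True
        "coarse_reaches_rogue": coarse.check_net("nfsclient", "tcp", rogue_port),    # True
    }
```

The two scenario functions make the trade-off concrete: the exact-port rule that works for HTTP denies the RPC client the service it legitimately needs, while the range rule that does reach mountd equally reaches any other service that happened to bind in that range, so a compromised service in the range is no longer contained by the compartment.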
It is an object of embodiments of the invention to at least mitigate one or more of the problems of the prior art.