1. Field of the Invention
This invention relates generally to provisioning of secure systems that implement mandatory controls. More particularly, an embodiment of the present invention relates to remote provisioning of such systems.
2. Description of Related Art
Modern computer systems and networks (collectively, systems) need to reliably and securely manage information. These systems secure information by using access controls that are typically implemented by operating systems, virtual machine monitors, or other system software.
An operating system or virtual machine manager (VMM) used to implement mandatory access controls (MAC) supports information compartmentalization by denying access to information based upon a site-mandated security policy. The operating system in a MAC system ensures that a user cannot delegate his right to access an information object on that system to another user if the site-mandated policy dictates that such access be denied. Typically, a site-mandated MAC policy specifies that access be either granted or denied based upon the specific role the user assumes or the clearance level the user has. MAC-based operating systems are typically implemented in one or more of the following ways: via multi-level secure (MLS) labels, via support for roles, or via domain type enforcement (DTE) techniques. The SELinux operating system, for example, supports MLS, role-based and DTE-based techniques for mandatory access controls.
In contrast, conventional operating systems implement discretionary access controls (DAC) that allow a user to delegate his access rights to other users. In such systems, information cannot be compartmentalized in accordance with a site-mandated security policy because a user with rights to an information object can delegate those rights to other users at their own discretion. Traditional varieties of Windows and UNIX, for example, are operating systems that support DAC.
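To make the distinction above concrete, the following is an added example (not part of the patent text) that models an MLS label lattice and shows why a discretionary grant by an object's owner succeeds under DAC but cannot override the site-mandated label check under MAC. All user names, levels, compartments and objects are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed example: a simple ordering of MLS sensitivity levels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice ordering: the subject's level must be at least the object's
        level and the subject must hold every compartment the object carries."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Obj:
    owner: str
    label: Label
    acl: set = field(default_factory=set)   # DAC state: users granted read access


def dac_grant(obj: Obj, granter: str, grantee: str) -> bool:
    """DAC: the owner may delegate read access at his own discretion."""
    if granter != obj.owner:
        return False
    obj.acl.add(grantee)
    return True


def dac_read(obj: Obj, user: str) -> bool:
    return user == obj.owner or user in obj.acl


def mac_read(obj: Obj, user: str, clearances: dict) -> bool:
    """MAC: the discretionary grant is necessary but not sufficient; the
    site-mandated label check applies regardless of what the owner delegated."""
    return dac_read(obj, user) and clearances[user].dominates(obj.label)


def demo() -> dict:
    # Constructed clearances and a SECRET//CRYPTO object owned by alice.
    clearances = {"alice": Label("SECRET", frozenset({"CRYPTO"})),
                  "bob": Label("CONFIDENTIAL")}
    report = Obj(owner="alice", label=Label("SECRET", frozenset({"CRYPTO"})))
    dac_grant(report, "alice", "bob")   # alice delegates her right to bob
    return {"dac_bob": dac_read(report, "bob"),              # True: DAC honours the grant
            "mac_bob": mac_read(report, "bob", clearances),  # False: bob lacks clearance
            "mac_alice": mac_read(report, "alice", clearances)}
```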
FIG. 1 is a block diagram illustrating a prior art provisioning and security system. Although mandatory access control (MAC)-based operating systems, such as the MAC-based operating system 104, cannot be modified or patched at run-time without sufficient clearance, computer systems 102 having MAC-based operating systems 104 have traditionally relied upon physical security 116 for their operation. Furthermore, the information in the storage 106, including the security labels associated with information objects (e.g., labeled objects 112), the boot image of the operating system (e.g., operating system image 108), and the security policy files 110, must be physically secured.
Security assurance refers to grounds for or level of confidence that a computer system meets its security objectives according to the accepted security policy. The security assurance of computer system 102 is highly dependent upon the MAC-based operating system 104 being provisioned correctly with a high integrity operating system image 108 and policy files 110 in a physically secure facility 100 (e.g., a locked room) by a trusted site administrator 114. Furthermore, without the physical security 100, an attacker could use low-level disk tools to subvert the MAC security policy, resulting in a loss of the security assurance of the computer system 102.
Conventional physical security 100 is necessary every time a MAC-based operating system 104 is installed and booted on a computer system, such as the computer system 102. Without such physical security 100, legitimate users of the computer system 102 and other networked systems or machines (not shown) interacting with the computer system 102 often incorrectly assume that the MAC-based operating system 104 on the computer system 102 is correctly enforcing the necessary confidentiality and security policy. Furthermore, conventional methods of provisioning the MAC-based operating system 104 do not scale, as they depend on physical security 100. In particular, the need for physical security 100 makes it impossible to remotely provision such computer systems, such as the computer system 102, within a potentially hostile physical environment.
Examples of various access-based security and control systems include Access360 by International Business Machines (IBM®), a mainframe access control system, and Windows Active Directory® by Microsoft® Corporation, an access control or management system known to coordinate Windows® access control lists. Other examples include DAC account permissions, MAC systems, role-based access control (RBAC), which is no more than a pre-packaged form of MAC, and lattice-based access control (LBAC), which is a combination of RBAC and DAC.