Page 83 - DCAP516_COMPUTER_SECURITY

Unit 7: Designing Trusted Operating System




The first property is practically a definition of the meaning of a security clearance.

Simple Security Property: A subject S may have read access to an object O only if C(S) ≥ C(O).

In our example, this implies that a user may show the SECRET parts of his report only to those who are cleared for SECRET-level or higher information. Specifically, the user cannot show that information to someone cleared only for access to Confidential information.

*-Property: A subject S who has read access to an object O (thus C(S) ≥ C(O)) may have write access to an object P only if C(O) ≤ C(P).

This property seems a bit strange until one thinks about it. Notice first what this does not say: it does not say that the subject has read access to the object P. In our example, this states that if you are cleared for access to Top Secret information and are writing a report classified Top Secret, then I (having only a SECRET clearance) may submit a Unit classified SECRET for inclusion in your report. You accept the Unit and include it. I never get to see the entire report, as my clearance level is not sufficient.

The strict interpretation of the *-Property places a severe constraint on information flow from one program to a program of less sensitivity. In actual practice, such flows are common, with a person taking responsibility for removing sensitive data. The problem here is that it is quite difficult for a computer program to scan a document and detect the sensitivity of its data. For example, suppose I have a document classified SECRET. A computer program scanning this document can easily pick out the classification marks, but cannot make any judgment about what it is that causes the document to be so classified. Thus, the strict rule is that if you are not cleared for the entire document, you cannot see any part of it.
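The two properties above, as an added example that is not part of these notes: a small Python reference monitor over a constructed three-level lattice, run through the page's scenario of a SECRET-cleared author contributing a SECRET chapter to a Top Secret report. The object names, the `ReferenceMonitor` class and the `demo` walk-through are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed linear lattice of classification levels, as used on this page.
LEVELS = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def dominates(a: str, b: str) -> bool:
    """True when C(a) >= C(b) in the ordering above."""
    return LEVELS[a] >= LEVELS[b]

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str

class ReferenceMonitor:
    """Mediates every read and write against the two Bell-LaPadula properties."""
    def __init__(self, objects: dict):
        self.objects = dict(objects)  # object name -> classification
        self.reads = {}               # subject name -> objects it has read access to

    def read(self, s: Subject, obj: str) -> bool:
        # Simple Security Property: S may read O only if C(S) >= C(O).
        allowed = dominates(s.clearance, self.objects[obj])
        if allowed:
            self.reads.setdefault(s.name, set()).add(obj)
        return allowed

    def write(self, s: Subject, target: str) -> bool:
        # *-Property: for every O that S has read, S may write P only if C(O) <= C(P).
        # C(S) >= C(P) is NOT required: a SECRET-cleared subject may write up into
        # a TOP SECRET object it can never read back.
        c_p = self.objects[target]
        return all(dominates(c_p, self.objects[o]) for o in self.reads.get(s.name, ()))

# Constructed objects for the page's scenario: your Top Secret report, my SECRET
# chapter submitted for inclusion in it, and a CONFIDENTIAL memo.
OBJECTS = {"report": "TOP SECRET", "chapter": "SECRET", "memo": "CONFIDENTIAL"}

def demo() -> dict:
    """Runs the page's scenario through the monitor and returns each decision."""
    rm = ReferenceMonitor(OBJECTS)
    me, you = Subject("me", "SECRET"), Subject("you", "TOP SECRET")
    return {
        "me_read_report": rm.read(me, "report"),        # denied: SECRET < TOP SECRET
        "me_read_chapter": rm.read(me, "chapter"),      # allowed: equal levels
        "me_write_report": rm.write(me, "report"),      # allowed: SECRET <= TOP SECRET
        "me_write_memo": rm.write(me, "memo"),          # denied: would push SECRET down
        "you_read_report": rm.read(you, "report"),      # allowed
        "you_write_chapter": rm.write(you, "chapter"),  # denied: would push TOP SECRET down
    }
```

The last decision is the strict *-Property constraint discussed above: once you have read the Top Secret report, the monitor denies you any write to an object classified lower, even though your clearance alone would permit it.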

The author of these notes will share a true story dating from his days working for Air Force intelligence. As would be expected, much of the information handled by the intelligence organization was classified Top Secret, with most of that associated with sensitive intelligence projects. People were hired based on a SECRET security clearance and were assigned low-level projects until their Top Secret clearance was obtained.

Information is the lifeblood of an intelligence organization. The basic model is that the people who collect the intelligence pass it to the analysts, who then determine its significance. Most of what arrives at such an organization is quickly destroyed, but this is the preferable mode as it does not require those who collect the information to assess it.

There were many sensitive projects that worked with both SECRET and Top Secret data. As the volume of documents to be destroyed was quite large, it was the practice for the data that was classified only SECRET to be packaged up, sent out of the restricted area, and given to the secretaries waiting on their Top Secret clearance to handle for destruction. Thus we had a data flow from an area handling Top Secret to an area authorized to handle data classified no higher than SECRET. This author was present when the expected leak happened.

This author walked by the desk of a secretary engaged in the destruction of a large pile of SECRET documents. At the time, both she and I had SECRET security clearances and would soon be granted Top Secret clearances (each of us got the clearance in a few months). In among the pile of documents properly delivered was a document clearly marked Top Secret with a code word indicating that it was associated with some very sensitive project. The secretary asked this author what to do with the obviously misplaced document. This author could not think of anything better than to report it to his supervisor, whom he knew to have the appropriate clearance. Result – MAJOR FREAKOUT, and a change in policy.

The problem at this point was a large flow of data from a more sensitive area to a less sensitive area. Here is the question: this was only one document out of tens of thousands. How important is it to avoid such a freak accident?




LOVELY PROFESSIONAL UNIVERSITY 77