Page 285 - DCAP103_Principle of operating system
Principles of Operating Systems
another company. Several COIs may coexist. For example, COI1 may pertain to banks, while
COI2 may pertain to energy companies. The Chinese Wall policy aims to prevent a consultant
from reading information for more than one company in any given COI.
There are several observations that we can make regarding this policy with respect to read
operations. First, as long as a consultant has not read information belonging to any institution,
the consultant is not yet bound by the policy and is free to read any sensitive information of
any institution. Note that although a consultant may be free to read sensitive information under
the Chinese Wall policy, he or she may be restricted from reading sensitive information with
respect to another policy, such as a MAC policy. Second, once a consultant has read sensitive
information of bank A, the consultant is prohibited from reading sensitive information belonging
to any other bank included in the COI of which bank A is a member. Third, all consultants are
free to read all the public information of all institutions.
In history-based access control policies, previous access events are one of the factors in
deciding whether to authorize the next access; such policies therefore require the system to
track and maintain a record of past accesses as part of its state. The Chinese Wall policy is an
example: it is simple to describe, but implementing and deploying it is less straightforward
because of this bookkeeping.
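The read side of the policy described above, as an added Python example that is not part of the original text; the `Document` type, the `other_policies` hook standing in for a separate MAC check, and the company and COI names are constructed for illustration:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    company: str          # owning institution, e.g. "BankA" (constructed sample type)
    coi: str              # conflict-of-interest class, e.g. "COI1"
    public: bool = False  # public information is exempt from the wall

class ChineseWall:
    """History-based read check: the decision depends on what the subject read before."""

    def __init__(self, other_policies=()):
        self.history = {}  # subject -> set of (coi, company) whose sensitive data was read
        self.other_policies = list(other_policies)  # extra checks, e.g. a MAC policy

    def can_read(self, subject, doc):
        # Any other policy in force (such as MAC) must also permit the read.
        if not all(policy(subject, doc) for policy in self.other_policies):
            return False
        # Third observation: public information is readable by everyone.
        if doc.public:
            return True
        # First observation: an empty history means the subject is not yet bound.
        seen = self.history.get(subject, set())
        # Second observation: deny if a different company in the same COI was read.
        return not any(coi == doc.coi and company != doc.company
                       for coi, company in seen)

    def read(self, subject, doc):
        """Perform the read and record it so later decisions see it."""
        if not self.can_read(subject, doc):
            return False
        if not doc.public:  # public reads do not bind the subject
            self.history.setdefault(subject, set()).add((doc.coi, doc.company))
        return True

def demo():
    """Constructed scenario: COI1 holds the banks, COI2 the energy companies."""
    wall = ChineseWall()
    bank_a = Document("BankA", "COI1")
    bank_b = Document("BankB", "COI1")
    oil_co = Document("OilCo", "COI2")
    bank_b_public = Document("BankB", "COI1", public=True)
    return [
        wall.read("consultant", bank_a),         # True: no history yet
        wall.read("consultant", bank_b),         # False: BankA already read in COI1
        wall.read("consultant", oil_co),         # True: different COI
        wall.read("consultant", bank_b_public),  # True: public information
        wall.read("consultant", bank_a),         # True: same company again
    ]
```

Because the decision depends on per-subject history, the `history` map is exactly the extra state the paragraph above says a history-based policy must maintain.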
8.4 Revocation of Access Rights
Revocation of access rights can vary along several dimensions:
• Immediate or delayed
• For all users or for a selected group
• All rights or only some rights
• Temporary or permanent
Revoking an access right means removing a right to an object that was given to a user or domain.
With a global table or an access list this is easy: search the list for the object and remove the
entry. Capabilities, however, are distributed throughout the system, so every copy must be found
and destroyed, which is difficult. Several schemes address this:
• Expiry time: capabilities expire after a period of time and a new one must be requested; the
request is refused if the rights have been revoked.
• Back pointers: each object maintains pointers to all capabilities issued for it, so they can be
located and destroyed. This is costly to implement, particularly if capabilities are passed around
as parameters.
• Indirect capabilities: a capability points to a table entry, which in turn points to the object.
Invalidating the entry revokes the capability, but selective revocation is not possible.
• Keys: the capability contains an encrypted key that the object checks on each access. Changing
the key held by the object revokes every capability; again, selective revocation is not possible.
8.5 Capability Based System
Capability based systems were first described in the literature in the mid-1960s. Their informal
descriptions are typically based upon the notion that a capability is equivalent to a "ticket", in
the sense that possession of the ticket allows the possessing process access to the object described
in the capability, provided that the access mode is compatible with the "access rights" stored
within the capability. Whether a computer system based upon capabilities can provably enforce
the DoD security policy has been a matter of discussion for some time. Boebert has argued that
an "unmodified" capability machine must be incapable of enforcing the property defined by
278 LOVELY PROFESSIONAL UNIVERSITY