Page 286 - DCAP103_Principle of operating system

Unit 8: System Protection



Bell and LaPadula. Since the *-property is an essential ingredient of the most widely used model of DoD security policy, this result implied that an "unmodified" capability machine cannot meet the DoD requirements. Boebert's discussion introduces the undefined term "unmodified capability machine." In this paper we describe several classes of capability machine designs for managing access control information and show that some classes cannot meet the DoD requirements but others can. We thereby circumvent a debate about the meaning of the term "unmodified capability machine."

This paper begins with brief definitions of the basic notions concerning capabilities and capability machines. We next consider the sequence of events a capability may undergo between the creation of a segment and an access to that segment, and we discuss strategies for controlling access rights in this context. A design taxonomy is developed to describe these options. Finally, we show some classes in the design taxonomy that are not compatible with the DoD security policy.

            8.5.1 Basic Notions

The basic notions center on the properties of data and processes, the descriptions of these entities, the mechanisms that control access, and the policies that define "correct" access limitations. We start with data, processes, and capabilities.

Definition: A segment is a group of data possessing identical security attributes. Additionally, the segment may contain a set of capabilities possessing identical security attributes; these security attributes need not necessarily be the same as the attributes of the data contained within the segment. A segment that can hold only capabilities is called a capability list or c-list.

Definition: A capability is an object describing a segment, and possibly containing access rights or other access control information, as described below. Note that if the capability contains access rights, it must be distinguished from data to prevent unauthorized changes to the access rights, which, if permitted, would defeat all attempts to limit access based upon the access rights present in accessible capabilities. Capabilities can be distinguished from data either by tagging or by limiting their locations to distinguished segments or portions of segments that may only contain capabilities.

Definition: A segment possesses certain data security attributes, including, but not limited to, a security level and an access control list. In addition, the segment may possess a separate set of capability security attributes describing any capabilities stored within the segment. All data within the segment possess the data security attributes associated with the segment. All capabilities within the segment possess the capability security attributes associated with the segment.

Definition: A process is the execution of a program on behalf of a user logged in at a certain security level.

Definition: The security attributes of a process include a security level and the identity of the user on whose behalf the program is executed. A process may have other attributes, such as its domain of execution, in certain designs.

Definition: A reference monitor is a mechanism for checking each attempted access by a process to an item within a segment for conformance with the access modes permitted for the process to that segment. A process can attempt access to a segment only via a capability that has been prepared for access (e.g. by placing it in a capability register). Capabilities prepared for access are not shared among processes.

Definition: A security policy is a set of rules for determining the maximum permissible access rights for a particular process to a particular segment, given the attributes of both the process and the segment.
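The definitions above fit together into a small executable model, given here as an added example (it is not from the original text and is not code from any real capability machine). It models segments with a security level, capabilities as a distinct type (the tagging approach), a process that can reach a segment only through a capability prepared in one of its registers, and a reference monitor that applies two separate checks to every access: the capability must carry the requested mode, and the security policy must permit it. The policy encoded is my assumption of the Bell-LaPadula mandatory rules (read if the process level dominates the segment level, write if the segment level dominates the process level); the level names, the "NUC" category, the segment names and the user "alice" are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Right(Flag):
    """Access rights a capability may carry (constructed set for this example)."""
    NONE = 0
    READ = auto()
    WRITE = auto()


@dataclass(frozen=True)
class Level:
    """A security level as a lattice element: classification rank plus category set."""
    rank: int
    categories: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # A dominates B when A's rank is at least B's and A holds every category of B.
        return self.rank >= other.rank and self.categories >= other.categories


@dataclass(eq=False)
class Segment:
    """Data carrying one set of data security attributes (here just a level)."""
    name: str
    level: Level
    data: bytearray = field(default_factory=bytearray)


@dataclass(frozen=True)
class Capability:
    """Describes a segment and carries access rights. Being a distinct, immutable type,
    it cannot be confused with (or edited as) data: the tagging approach."""
    segment: Segment
    rights: Right


@dataclass(eq=False)
class Process:
    """Executes on behalf of a user at one level; prepared capabilities live in registers."""
    user: str
    level: Level
    registers: list = field(default_factory=list)

    def prepare(self, cap: Capability) -> int:
        """Place a capability in a register so it may be used for access; return its index."""
        self.registers.append(cap)
        return len(self.registers) - 1


class AccessDenied(Exception):
    pass


def mandatory_policy(proc: Process, seg: Segment) -> Right:
    """Maximum rights the mandatory policy allows from the level comparison alone
    (assumed Bell-LaPadula rules: no read up, no write down)."""
    allowed = Right.NONE
    if proc.level.dominates(seg.level):
        allowed |= Right.READ
    if seg.level.dominates(proc.level):
        allowed |= Right.WRITE
    return allowed


class ReferenceMonitor:
    """Mediates every access: register must hold a prepared capability, the capability
    must carry the mode, and the policy must permit the mode for this process/segment."""

    def check(self, proc: Process, reg: int, mode: Right) -> Capability:
        if not 0 <= reg < len(proc.registers):
            raise AccessDenied("no capability prepared in that register")
        cap = proc.registers[reg]
        if mode not in cap.rights:
            raise AccessDenied(f"capability for {cap.segment.name} lacks {mode.name}")
        if mode not in mandatory_policy(proc, cap.segment):
            raise AccessDenied(f"mandatory policy forbids {mode.name} on {cap.segment.name}")
        return cap

    def read(self, proc: Process, reg: int) -> bytes:
        return bytes(self.check(proc, reg, Right.READ).segment.data)

    def write(self, proc: Process, reg: int, payload: bytes) -> None:
        self.check(proc, reg, Right.WRITE).segment.data.extend(payload)


def demo() -> dict:
    """Constructed scenario: a SECRET process touching an unclassified segment and a
    SECRET segment that carries an extra category. Returns the outcome of each attempt."""
    unclass, secret, secret_nuc = Level(0), Level(2), Level(2, frozenset({"NUC"}))
    public = Segment("public", unclass, bytearray(b"hello"))
    nuclear = Segment("nuclear", secret_nuc)
    alice = Process("alice", secret)
    rm = ReferenceMonitor()
    r_pub = alice.prepare(Capability(public, Right.READ | Right.WRITE))
    r_nuc = alice.prepare(Capability(nuclear, Right.READ | Right.WRITE))
    r_ro = alice.prepare(Capability(public, Right.READ))  # deliberately lacks WRITE

    out = {"read public": rm.read(alice, r_pub)}  # read down: allowed

    def attempt(label, fn):
        try:
            fn()
            out[label] = "allowed"
        except AccessDenied as e:
            out[label] = f"denied: {e}"

    attempt("write public", lambda: rm.write(alice, r_pub, b"!"))        # write down: denied
    attempt("write nuclear", lambda: rm.write(alice, r_nuc, b"core"))    # write up: allowed
    attempt("read nuclear", lambda: rm.read(alice, r_nuc))               # read up (category): denied
    attempt("write via read-only cap", lambda: rm.write(alice, r_ro, b"!"))  # rights check fires first
    attempt("use unprepared register", lambda: rm.read(alice, 99))
    out["nuclear contents"] = bytes(nuclear.data)
    return out
```

Note that the policy check and the capability-rights check are independent: "write via read-only cap" is refused even though the mandatory policy would permit a write to `public`, while "write public" is refused by the policy even though the capability carries WRITE. This is the point of the reference monitor definition above: possession of a prepared capability is necessary but not sufficient for access.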

Definition: The DoD mandatory security policy limits the access rights to a segment based upon a comparison between the security level of the segment and the security level of the accessing process. Write is allowed if the level of the segment dominates the level of the process, read if




LOVELY PROFESSIONAL UNIVERSITY 279