Implications of The Term mandatory
In the context of MLS, the term mandatory used with access controls has historically implied a very high degree of robustness that assures that the control mechanisms resist subversion, thereby enabling them to enforce an access control policy that is mandated by some regulation that must be absolutely enforced, such as the Executive Order 12958 for US classified information.
For MAC, the access control decision is contingent on verifying the compatibility of the security properties of the data and the clearance properties of the individual (or the process proxying for the individual). The decision depends on the integrity of the metadata (e.g. label) that defines the security properties of the data, as well as the security clearance of the individual or process requesting access. For example, if a security label can be changed by a user, a surprisingly common vulnerability in some self-proclaimed 'MAC capable' systems, then that user can corrupt the access controls. Security mechanisms that protect such metadata and the access control decision logic from corruption are MAC-critical objects and require appropriate robustness.
The term mandatory in MAC has acquired a special meaning derived from its use with military systems. MAC means access controls that are mandated by order of a government and so enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms, only mechanisms that can provide absolute, or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are.
Vendors claiming to enforce MAC are sometimes making claims beyond their capability, and sometimes making claims beyond their understanding. The claim that MAC is enforced implies a claim of very high robustness. Vendors claiming MAC capability do usually have functions that enable defining of MAC privileges and rules but their implementations can be woefully unable to enforce them under even the mildest of attack. Ordinary 'best practices' does not produce software that has this kind of assurance level; in fact, no successful software-only approach has ever been documented. The only approach that has succeeded at protecting MAC controls from subversion has been to design the kernel to maintain a domain for its own execution using highly specialized hardware designed into the microprocessor architecture. Besides its cost, this is often unpopular because it affects portability of the operating system.
Read more about this topic: Mandatory Access Control
Famous quotes containing the words implications of, implications and/or term:
“The power to guess the unseen from the seen, to trace the implications of things, to judge the whole piece by the pattern, the condition of feeling life in general so completely that you are well on your way to knowing any particular corner of it—this cluster of gifts may almost be said to constitute experience.”
—Henry James (1843–1916)
“The power to guess the unseen from the seen, to trace the implications of things, to judge the whole piece by the pattern, the condition of feeling life in general so completely that you are well on your way to knowing any particular corner of it—this cluster of gifts may almost be said to constitute experience.”
—Henry James (1843–1916)
“The term preschooler signals another change in our expectations of children. While toddler refers to physical development, preschooler refers to a social and intellectual activity: going to school. That shift in emphasis is tremendously important, for it is at this age that we think of children as social creatures who can begin to solve problems.”
—Lawrence Kutner (20th century)