Mandatory access policies and models
The policy of mandatory access is an example of applying techniques developed outside the computing field, in particular the principles of classified records management and document handling used in government structures in most countries.
The main provision of the mandatory access policy is that every participant in the processing of protected information, and every document that contains it, is assigned a special label, for example secret, top secret, etc., called the security level. All security levels are ordered by an established dominance relation; for example, the top secret level is considered higher than the secret level. Access control is carried out according to the security levels of the interacting parties, based on two rules:
1. No read up (NRU): the subject has the right to read only those documents whose security level does not exceed his own security level.
2. No write down (NWD): the subject has the right to enter information only in those documents whose security level is not lower than his own security level.
The first rule protects information processed by more trusted (high-level) persons from access by less trusted (low-level) ones.
The second rule prevents information leakage (conscious or unconscious) from high-level participants in the information processing process to low-level ones.
Formalizing the access control mechanisms of classified records management in terms of the subject-object model has shown the need to solve the following tasks:
1. the development of procedures for formalizing the NRU rule, and in particular the NWD rule;
2. the construction of a formal mathematical object and procedures that adequately reflect the system of security levels (a system of clearances and classification markings).
When employees working with classified documents are represented as subjects of access, and the documents as objects of access, literal adherence to the NWD rule brings a subjective factor into the security mechanisms in the person of the user subject, who, when entering information, must judge whether it corresponds to the security level of the document. This subjective factor can be eliminated in various ways, the simplest of which is a complete ban on subjects modifying objects whose security level is lower than their own. This, however, significantly reduces the functionality of the system.
Thus, whereas discretionary models control access by authorizing users to perform certain operations on certain objects, mandatory models control access implicitly, by assigning to all entities of the system security levels that define all permissible interactions between them. Mandatory access control therefore does not distinguish between entities that are assigned the same security level, and places no restrictions on their interactions. Any object of a certain security level is accessible to any subject of the appropriate security level (subject to the NRU and NWD rules). A mandatory approach to access control based only on the concept of a security level, without taking into account other characteristics of subjects and objects, in most cases leaves specific subjects with redundant access rights within the relevant security classes. To eliminate this shortcoming, the mandatory principle of access control is complemented by a discretionary one within the relevant security classes.
In theoretical models, an access matrix is introduced for this purpose, delimiting access to objects of the same security level allowed by the mandatory principle.
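The two rules and the access matrix described above can be combined in a small reference monitor. The following is an added example, not part of the original text: the level names, users, documents and the `ReferenceMonitor` class are constructed for illustration, and the sketch assumes the matrix is consulted for every request that passes the level check.

```python
from enum import IntEnum

class Level(IntEnum):
    # Constructed labels; integer order stands in for the dominance relation.
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

def mandatory_allows(subject_level, object_level, op):
    """Level-only check: NRU for reads, NWD for writes, deny anything else."""
    if op == "read":   # object level must not exceed the subject's level
        return object_level <= subject_level
    if op == "write":  # object level must not be lower than the subject's level
        return object_level >= subject_level
    return False

class ReferenceMonitor:
    def __init__(self, subjects, objects, matrix):
        self.subjects = subjects  # subject name -> Level
        self.objects = objects    # object name -> Level
        self.matrix = matrix      # (subject, object) -> set of permitted operations

    def check(self, subject, obj, op):
        """Return (allowed, reason); the mandatory rule is evaluated before the matrix."""
        if subject not in self.subjects or obj not in self.objects:
            return False, "unlabelled"
        if op not in ("read", "write"):
            return False, "unknown-op"
        if not mandatory_allows(self.subjects[subject], self.objects[obj], op):
            return False, "NRU" if op == "read" else "NWD"
        if op not in self.matrix.get((subject, obj), set()):
            return False, "matrix"
        return True, "ok"

# Constructed sample data (hypothetical users and documents).
MONITOR = ReferenceMonitor(
    subjects={"alice": Level.TOP_SECRET, "bob": Level.SECRET, "carol": Level.SECRET},
    objects={"plan": Level.TOP_SECRET, "report": Level.SECRET},
    matrix={
        ("alice", "plan"): {"read", "write"},
        ("alice", "report"): {"read", "write"},  # the write is still blocked by NWD
        ("bob", "report"): {"read", "write"},
        ("bob", "plan"): {"read"},               # the read is still blocked by NRU
    },
)

if __name__ == "__main__":
    for request in [("bob", "plan", "read"), ("alice", "report", "write"),
                    ("bob", "report", "read"), ("carol", "report", "read")]:
        print(request, MONITOR.check(*request))
```

Here bob and carol hold the same security level, yet only bob can read the report: the level check alone would admit both, and the matrix is what separates them.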