Mandatory model of OS MSVS 3.0
Mandatory access control system brings a lot of problems to novice developers under MSVS. A typical problem is the inability to work with files access to which is closed by credentials. This problem is usually explained by the glitch of MSVS. Although it is not at all in the MSWS. It's all about the misuse of credentials. And the misuse of labels is due to a lack of understanding of the basic principles of mandatory access control. In this article, I will outline the basic principles of the credential model - the basics of secure file access on this operating system. I specifically did not begin to describe the practical side of the issue in order to focus on the very foundations of the model.
It's no secret that MSVS is actually the good old RedHat (more old than good). These two operating systems are not much different. In addition to the modified desktop pictures, and the flag of the Russian Federation on the user login dialog, there are several differences associated with restrictions imposed by tolerances for classified information. One of these differences is the presence in MSWS, in addition to discretionary, and also mandatory access control. In addition to an increased level of security, this also causes problems when developing programs.
In addition to the problems described above, there are more interesting cases. There is a database stored on the server. It is impossible to work with this database from a computer on which a non-zero access level is installed. But the fact is that MSWS in all sent packets adds information about the current level of secrecy, which makes these packets unsuitable for reading.
When mindlessly assigning credentials to common to all file users, they become inaccessible to some users. As a result, logging in is not possible.
There are many more problems. All these problems are not so complicated if you know what they are caused by and how to solve them. But in practice, it is not always clear what caused the failure. And how to solve the problem is all the more unclear. In addition, Qt 4.2 library (as far as I know, 4.2 is the current version of libraries certified for MSWS) for obvious reasons there are no classes for working with credentials. All this makes life difficult for the developer.
Mandatory access control in the MSWS OS is based on the Bell-LaPadula Mandatory Security Model. This model is based on the secret workflow rules applicable in many countries.
Unlike discretionary control, in which users are directly assigned the rights to read, write and execute, in the credential model, access control occurs implicitly. All users (subjects) and files (objects) are assigned access levels. For example, “secret”, “top secret”.
An example of a hierarchy of access levels: Access
levels are ordered by the dominance of one level over another. Then access to protected files is carried out according to two simple rules:
1. The user has the right to read only those documents whose security level does not exceed his own security level.
This rule protects information processed by higher-level users from access by low-level users.
2. The user has the right to enter information only in those documents whose security level is not lower than his own security level.
This rule prevents violation of the access mode by high-level participants in the process of processing information to low-level users.
We illustrate both rules with the following figure:
The figure shows the relationship of the user with the level of "secret" with the subjects in a three-level credential model.
Moreover, “top secret”> “top secret”> “not top secret”
Thus, having assigned access levels to all objects and subjects, we will determine all permissible interactions within the system. From the above described rules it is seen that mandatory access control does not restrict the interaction of objects and entities located at the same access level. Therefore, for effective access control, the credential model is used in conjunction with the discretionary one, which describes the interaction of objects and subjects located at the same level.
In the Bella LaPadula model, there are only two types of access: reading and writing. If other types of access are necessary: for example, execution, then they will still come down to reading and writing. This is due to the fact that the model records not user actions on files, but information flows. Which can be of two types: from user to file (write), and from file to user (read).
Further development of the Bell-LaPadula model led to the emergence of many credential models. However, the Bella LaPadula model is a classic model of mandatory access control.
Understanding these basic principles of the model will help to avoid many problems associated with mandatory access to files, and perhaps even help to properly configure access to the system.
It's no secret that MSVS is actually the good old RedHat (more old than good). These two operating systems are not much different. In addition to the modified desktop pictures, and the flag of the Russian Federation on the user login dialog, there are several differences associated with restrictions imposed by tolerances for classified information. One of these differences is the presence in MSWS, in addition to discretionary, and also mandatory access control. In addition to an increased level of security, this also causes problems when developing programs.
In addition to the problems described above, there are more interesting cases. There is a database stored on the server. It is impossible to work with this database from a computer on which a non-zero access level is installed. But the fact is that MSWS in all sent packets adds information about the current level of secrecy, which makes these packets unsuitable for reading.
When mindlessly assigning credentials to common to all file users, they become inaccessible to some users. As a result, logging in is not possible.
There are many more problems. All these problems are not so complicated if you know what they are caused by and how to solve them. But in practice, it is not always clear what caused the failure. And how to solve the problem is all the more unclear. In addition, Qt 4.2 library (as far as I know, 4.2 is the current version of libraries certified for MSWS) for obvious reasons there are no classes for working with credentials. All this makes life difficult for the developer.
Mandatory access control in the MSWS OS is based on the Bell-LaPadula Mandatory Security Model. This model is based on the secret workflow rules applicable in many countries.
Unlike discretionary control, in which users are directly assigned the rights to read, write and execute, in the credential model, access control occurs implicitly. All users (subjects) and files (objects) are assigned access levels. For example, “secret”, “top secret”.
An example of a hierarchy of access levels: Access
levels are ordered by the dominance of one level over another. Then access to protected files is carried out according to two simple rules:
1. The user has the right to read only those documents whose security level does not exceed his own security level.
This rule protects information processed by higher-level users from access by low-level users.
2. The user has the right to enter information only in those documents whose security level is not lower than his own security level.
This rule prevents violation of the access mode by high-level participants in the process of processing information to low-level users.
We illustrate both rules with the following figure:
The figure shows the relationship of the user with the level of "secret" with the subjects in a three-level credential model.
Moreover, “top secret”> “top secret”> “not top secret”
Thus, having assigned access levels to all objects and subjects, we will determine all permissible interactions within the system. From the above described rules it is seen that mandatory access control does not restrict the interaction of objects and entities located at the same access level. Therefore, for effective access control, the credential model is used in conjunction with the discretionary one, which describes the interaction of objects and subjects located at the same level.
In the Bella LaPadula model, there are only two types of access: reading and writing. If other types of access are necessary: for example, execution, then they will still come down to reading and writing. This is due to the fact that the model records not user actions on files, but information flows. Which can be of two types: from user to file (write), and from file to user (read).
Further development of the Bell-LaPadula model led to the emergence of many credential models. However, the Bella LaPadula model is a classic model of mandatory access control.
Understanding these basic principles of the model will help to avoid many problems associated with mandatory access to files, and perhaps even help to properly configure access to the system.