MAC is good for integrity

Timothy Fraser tfraser at tislabs.com
Mon Apr 10 20:20:40 GMT 2000


Hi!

Typing away merrily, Robert Watson produced the immortal words:
> o Mandatory access control for privacy and integrity, allowing FreeBSD to
>   be used in environments hosting mutually suspicious parties and
>   multi-level security models.
 
On Mon, 10 Apr 2000, Phil Pennock wrote:
> Where you merely have mutually suspicious parties, discretionary access
> control are, AIUI, sufficient.  Excepting for DoS attacks.

	Mandatory access control can provide useful integrity protection
against viruses and Trojan horses.  Many UNIX admins refrain from
including "." at the beginning of their PATH shell environment variables,
for fear that they may move to a directory containing a Trojan horse.  The
Trojan might be named "ls", for example, so root would accidentally
execute it rather than "/bin/ls".  Once executed with root privileges, the
Trojan could do all sorts of harm, like modifying root-owned binaries.

	Access-matrix-based MAC integrity schemes deal with this problem
by labelling files according to their level of integrity.  For example,
all files off the installation CD might be labelled "high", and all files
created by users "low".  In a MAC scheme based on Biba's Strict Integrity
Model, the root user might be prohibited from reading (and thereby
executing) programs in "low" files.  This scheme would protect the overall
system's integrity by preventing root from executing the Trojan ls.  In a
Low Water-Mark scheme, the root user would effectively lose his root
privileges upon reading the Trojan ls.  This would allow the execution,
but only at a harmless reduced privilege level.

	Both the Strict Integrity and Low Water-Mark models are described
in Biba, K. J., "Integrity Considerations for Secure Computer Systems,"
Tech Report ESD-TR-76-372, USAF Electronic Systems Division, Hanscom Air
Force Base, Bedford, MA, USA, April 1977.

			- Tim Fraser
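The two Biba policies described in the message above, as an added toy model that is not part of the original post or of any TrustedBSD code; the "high"/"low" labels, the subject and file names, and the policy functions are constructed for illustration.

```python
# Added example (not from the original mailing-list post): a toy model of
# the two Biba integrity policies Tim Fraser describes, applied to the
# Trojan "ls" scenario.  Labels, file names and the policy code are
# constructed for illustration; they are not TrustedBSD's implementation.

LEVELS = {"low": 0, "high": 1}


class Subject:
    """A process with an integrity label (e.g. a root shell)."""

    def __init__(self, name, level):
        self.name = name
        self.level = level


def strict_read(subject, obj_level):
    """Biba Strict Integrity: no read down.  Reading (and hence
    executing) a lower-integrity file is denied; subject unchanged."""
    return LEVELS[obj_level] >= LEVELS[subject.level]


def strict_write(subject, obj_level):
    """Biba Strict Integrity: no write up."""
    return LEVELS[obj_level] <= LEVELS[subject.level]


def lwm_read(subject, obj_level):
    """Low Water-Mark: reading is always allowed, but the subject's
    label floats down to the object's label."""
    if LEVELS[obj_level] < LEVELS[subject.level]:
        subject.level = obj_level
    return True


def trojan_ls_scenario(policy):
    """Root (high) executes ./ls labelled low, then tries to modify /bin/ls (high).
    Returns (exec_allowed, final_subject_level, write_allowed)."""
    root = Subject("root", "high")
    if policy == "strict":
        executed = strict_read(root, "low")
        # A denied execution never runs, so nothing attempts the write.
        written = strict_write(root, "high") if executed else False
    elif policy == "lwm":
        executed = lwm_read(root, "low")
        written = strict_write(root, "high")  # write rule is the same in LWM
    else:
        raise ValueError(policy)
    return executed, root.level, written
```

Under Strict Integrity the Trojan never runs; under Low Water-Mark it runs, but the shell drops to "low" and the write to the "high" /bin/ls is refused.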
