A flexible mandatory access control policy for XML databases

A flexible mandatory access control policy (MAC) for XML databases is presented in this paper. The label type and label access policy can be defined according to the requirements of applications. In order to preserve the integrity of data in XML databases, a constraint between a read access rule and a write access rule in label access policy is introduced. Rules for label assignment and propagation are proposed to alleviate the workload of label assignment. Also, a solution for resolving conflicts of label assignments is proposed. At last, operations for implementation of the MAC policy in a XML database are illustrated

A Design of MAC Model Based on the Separation of Duties and Data Coloring: DSDC-MAC

Among the access control methods for database security, there is Mandatory Access Control (MAC) model in which the security level is set to both the subject and the object to enhance the security control. Legacy MAC models have focused only on one thing, either confidentiality or integrity. Thus, it can cause collisions between security policies in supporting confidentiality and integrity simultaneously. In addition, they do not provide a granular security class policy of subjects and objects in terms of subjects\u27 roles or tasks. In this paper, we present the security policy of Bell_LaPadula Model (BLP) model and Biba model as one complemented policy. In addition, Duties Separation and Data Coloring (DSDC)-MAC model applying new data coloring security method is proposed to enable granular access control from the viewpoint of Segregation of Duty (SoD). The case study demonstrated that the proposed modeling work maintains the practicality through the design of Human Resources management System. The proposed model in this study is suitable for organizations like military forces or intelligence agencies where confidential information should be carefully handled. Furthermore, this model is expected to protect systems against malicious insiders and improve the confidentiality and integrity of data

A practical mandatory access control model for XML databases

A practical mandatory access control (MAC) model for XML databases is presented in this paper. The label type and label access policy can be defined according to the requirements of different applications. In order to preserve the integrity of data in XML databases, a constraint between a read-access rule and a write-access rule in label access policy is introduced. Rules for label assignment and propagation are presented to alleviate the workload of label assignments. Furthermore, a solution for resolving conflicts in label assignments is proposed. Rules for update-related operations, rules for exceptional privileges of ordinary users and the administrator are also proposed to preserve the security of operations in XML databases. The MAC model, we proposed in this study, has been implemented in an XML database. Test results demonstrated that our approach provides rational and scalable performance

Mandatory access control policies of operating system

Práce se věnuje ochraně dat pomocí řízeného přístupu. Srovnává rozdíl řízeného přístupu pomocí režimů DAC a MAC. Popisuje vývoj režimu MAC na základě aktuálních požadavků uživatelů. Řeší problematiku SELinuxu, který nabízí systému větší bezpečnost a je založen na povinném řízeném přístupu MAC. Je zde uvedena problematika tvoření politiky SELinuxu. Vlastní tvoření politiky je věnováno SELinux editoru, který je založen na zjednodušených pravidlech a přibližuje tím SELinux i běžnému uživateli.The subject of this paper is data protection by means access control. It compares the difference between DAC and MAC access control and describes the progress of MAC due to user requierements. Next part is dedicated to SELinux, what offers more system safeness. SELinux is based on mandatory access control. Making own policy is dedicated to SELinux editor, which is composed of Simplified Policy and is easy to use for ordinary user.

An Historical Analysis of the SEAndroid Policy Evolution

Android adopted SELinux's mandatory access control (MAC) mechanisms in 2013. Since then, billions of Android devices have benefited from mandatory access control security policies. These policies are expressed in a variety of rules, maintained by Google and extended by Android OEMs. Over the years, the rules have grown to be quite complex, making it challenging to properly understand or configure these policies. In this paper, we perform a measurement study on the SEAndroid repository to understand the evolution of these policies. We propose a new metric to measure the complexity of the policy by expanding policy rules, with their abstraction features such as macros and groups, into primitive "boxes", which we then use to show that the complexity of the SEAndroid policies has been growing exponentially over time. By analyzing the Git commits, snapshot by snapshot, we are also able to analyze the "age" of policy rules, the trend of changes, and the contributor composition. We also look at hallmark events in Android's history, such as the "Stagefright" vulnerability in Android's media facilities, pointing out how these events led to changes in the MAC policies. The growing complexity of Android's mandatory policies suggests that we will eventually hit the limits of our ability to understand these policies, requiring new tools and techniques.Comment: 16 pages, 11 figures, published in ACSAC '1

Independent Partially Upgradable Mandatory Access Control System

Mandatory access control (MAC) is a mechanism by which an operating system provides a secure computing environment by restricting the ability of processes or threads to perform operations on objects. Objects are provided with type labels and a policy that governs how interactions between labeled objects may occur. MAC systems enforce a centralized policy that governs access to the entire system and is incompatible with operating systems where components are separately owned and upgraded. This disclosure provides techniques to write security policies for objects that are accessed by both platform and non-platform components. Per techniques disclosed, secure access to objects within separately owned components is provided by converting labels assigned to OS objects to versioned attributes that are inherited by future labels of those objects. A mapping is created and maintained between different versions of a label. The mapping is used to ensure that security policy works across versions of objects. The techniques enable new policies to be implemented, or old policies to be changed, without affecting non-platform components, and permit non-platform components to upgrade and eventually lose deprecated rules

An Optimistic Mandatory Access Control Model for Distributed Collaborative Editors

Distributed Collaborative Editors (DCE) provide computer support for modifying simultaneously shared documents, such as articles, wiki pages and programming source code, by dispersed users. Controlling access in such systems is still a challenging problem, as they need dynamic access changes and low latency access to shared documents. In this paper, we propose a Mandatory Access Control (MAC) based on replicating the shared document and its authorization policy at the local memory of each user. To deal with latency and dynamic access changes, we use an optimistic access control technique where enforcement of authorizations is retroactive. We show that naive coordination between updates of both copies can create security hole on the shared document by permitting illegal modification, or rejecting legal modification. Finally, we present a novel framework for managing authorizations in collaborative editing work which may be deployed easily on P2P networks

Untersuchung von MAC-Implementationen

Benutzerbestimmte Zugriffskontrolle ist an vielen Stellen schwer zu beschränken und zu administrieren. Der Ansatz der systembestimmten Zugriffskontrolle - Mandatory Access Control - gibt die Verantwortung an das System ab und gibt Benutzern deutlich weniger Rechte. Diese Arbeit vergleicht zwei Vertreter, welche Mandatory Access Control umsetzen, einerseits das Linux Security Module Framework und andererseits das FreeBSD MAC Framework, zudem werden die wichtigsten Policy Vertreter angegeben. Auf beiden Seiten finden sich ähnliche Ansätze wie die Umsetzung als Kernelmodul und vor allem generische Fähigkeiten, allerdings sind die implementierten Funktionalitäten unter FreeBSD im Detail oft besser durchdacht oder auch ausgereifter

Hierarchical Group and Attribute-Based Access Control: Incorporating Hierarchical Groups and Delegation into Attribute-Based Access Control

Attribute-Based Access Control (ABAC) is a promising alternative to traditional models of access control (i.e. Discretionary Access Control (DAC), Mandatory Access Control (MAC) and Role-Based Access control (RBAC)) that has drawn attention in both recent academic literature and industry application. However, formalization of a foundational model of ABAC and large-scale adoption is still in its infancy. The relatively recent popularity of ABAC still leaves a number of problems unexplored. Issues like delegation, administration, auditability, scalability, hierarchical representations, etc. have been largely ignored or left to future work. This thesis seeks to aid in the adoption of ABAC by filling in several of these gaps. The core contribution of this work is the Hierarchical Group and Attribute-Based Access Control (HGABAC) model, a novel formal model of ABAC which introduces the concept of hierarchical user and object attribute groups to ABAC. It is shown that HGABAC is capable of representing the traditional models of access control (MAC, DAC and RBAC) using this group hierarchy and that in many cases it’s use simplifies both attribute and policy administration. HGABAC serves as the basis upon which extensions are built to incorporate delegation into ABAC. Several potential strategies for introducing delegation into ABAC are proposed, categorized into families and the trade-offs of each are examined. One such strategy is formalized into a new User-to-User Attribute Delegation model, built as an extension to the HGABAC model. Attribute Delegation enables users to delegate a subset of their attributes to other users in an off-line manner (not requiring connecting to a third party). Finally, a supporting architecture for HGABAC is detailed including descriptions of services, high-level communication protocols and a new low-level attribute certificate format for exchanging user and connection attributes between independent services. Particular emphasis is placed on ensuring support for federated and distributed systems. Critical components of the architecture are implemented and evaluated with promising preliminary results. It is hoped that the contributions in this research will further the acceptance of ABAC in both academia and industry by solving the problem of delegation as well as simplifying administration and policy authoring through the introduction of hierarchical user groups

iFlask: Isolate flask security system from dangerous execution environment by using ARM TrustZone

Security is essential in mobile computing. And, therefore, various access control modules have been introduced. However, the complicated mobile runtime environment may directly impact on the integrity of these security modules, or even compels them to make wrong access control decisions. Therefore, for a trusted Flask based security system, it needs to be isolated from the dangerous mobile execution environment at runtime. In this paper, we propose an isolated Flask security architecture called iFlask to solve this problem for the Flask-based mandatory access control (MAC) system. iFlask puts its security server subsystem into the enclave provided by the ARM TrustZone so as to avert the negative impacts of the malicious environment. In the meanwhile, iFlask’s object manager subsystems which run in the mobile system kernel use a built-in supplicant proxy to effectively lookup policy decisions made by the back-end security server residing in the enclave, and to enforce these rules on the system with trustworthy behaviors. Moreover, to protect iFlask’s components which are not protected by the enclave, we not only provide an exception trap mechanism that enables TrustZone to enlarge its protection scope to protect selected memory regions from the malicious system, but also establish a secure communication channel to the enclave as well. The prototype is implemented on SELinux, which is the widely used Flask-based MAC system, and the base of SEAndroid. The experimental results show that SELinux receives reliable protection, because it resists all known vulnerabilities (e.g., CVE-2015-1815) and remains unaffected by the attacks in the test set. The propose architecture have very slight impact on the performance, it shows a performance degradation ranges between 0.53% to 6.49% compared to the naked system