[Figure 4: two lattices, (a) and (b), whose nodes are access classes pairing a level (S, C, U or I) with a subset of the categories {Admin, Medical}]
Fig. 4. An example of security (a) and integrity (b) lattices
rizations (Medical, Document1, +r) and (Nurse, Document1, −r). Carol cannot read Document1, since the Nurse group is more specific than the Medical group.
- Most specific along a path takes precedence. An authorization associated with an element n overrides a contradicting authorization associated with an ancestor of n for all the descendants of n, but only for the paths passing through n. The overriding has no effect on other paths. For instance, with respect to the previous example, Carol gains a positive authorization from the path Medical, Doctor, Carol, and a negative one from the path Nurse, Carol.
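The two conflict-resolution policies above, applied to the Carol example. This is an added example, not code from the original text. The group hierarchy (Medical contains Doctor and Nurse, and Carol belongs to both) is an assumption consistent with the paths the text names, and the function names are illustrative.

```python
# Constructed hierarchy (assumption): each group maps to its direct members.
MEMBERS = {"Medical": ["Doctor", "Nurse"], "Doctor": ["Carol"], "Nurse": ["Carol"]}
# Authorizations from the text's example: (subject, object, action) -> sign.
AUTHS = {("Medical", "Document1", "r"): "+", ("Nurse", "Document1", "r"): "-"}


def paths_to(user, members=MEMBERS):
    """Every membership path from a top-level group down to `user`."""
    nested = {m for ms in members.values() for m in ms}
    found = []

    def walk(node, path):
        path = path + [node]
        if node == user:
            found.append(tuple(path))
        for child in members.get(node, []):
            walk(child, path)

    for root in (g for g in members if g not in nested):
        walk(root, [])
    return found


def most_specific(user, obj, action, auths=AUTHS):
    """An authorization is dropped if a contradicting one sits lower on ANY path."""
    paths = paths_to(user)
    holders = {n for p in paths for n in p if (n, obj, action) in auths}

    def overridden(n):
        return any(m in p[p.index(n) + 1:]
                   for p in paths if n in p
                   for m in holders
                   if auths[(m, obj, action)] != auths[(n, obj, action)])

    return {n: auths[(n, obj, action)] for n in holders if not overridden(n)}


def most_specific_along_path(user, obj, action, auths=AUTHS):
    """Overriding is per path: on each path the authorization nearest the user wins."""
    surviving = {}
    for path in paths_to(user):
        for node in reversed(path):
            sign = auths.get((node, obj, action))
            if sign:
                surviving.setdefault(sign, []).append((node, path))
                break
    return surviving


if __name__ == "__main__":
    print(most_specific("Carol", "Document1", "r"))
    print(most_specific_along_path("Carol", "Document1", "r"))
```

Under the first policy only the negative authorization on Nurse survives for Carol; under the second, one authorization of each sign survives, one per path.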
While convenient for their expressiveness and flexibility, discretionary access control policies are of limited use in high-security settings because of their vulnerability to Trojan horses. The reason for this vulnerability is that discretionary access control does not distinguish between users (i.e., the human entities whose identity is used to select the privileges for making the access control decision) and subjects (i.e., the processes generated by a user that make requests to the system). A discretionary access control system evaluates the requests made by a subject against the authorizations of the user who generated the corresponding process. It is therefore vulnerable to processes executing malicious programs that exploit the authorizations of the user invoking them. Protection against these processes requires controlling the flows of information within process execution and possibly restricting them. Mandatory policies provide a way to enforce information flow control through the use of labels.
2.2 Mandatory Access Control
Mandatory security policies enforce access control on the basis of regulations mandated by a central authority. The most common form of mandatory policy is the multilevel security policy, based on the classifications of subjects and objects in the system. Each subject and object in the system is associated with an access class, usually composed of a security level and a set of categories. Security levels in the system are characterized by a total order relation, while
 