categories form an unordered set. As a consequence, the set of access classes is characterized by a partial order relation called dominance. Given two access classes c1 and c2, c1 dominates c2 iff the security level of c1 is greater than or equal to the security level of c2 and the set of categories of c1 includes the set of categories of c2. Access classes together with their partial order dominance relationship form a lattice [9].
Mandatory policies can be classified as secrecy-based and integrity-based,
operating in a dual manner.
Secrecy-Based Mandatory Policy [10, 11, 12, 13]. The main goal of secrecy-based mandatory policies is to protect data confidentiality. As a consequence,
the security level of the access class associated with an object reflects the
sensitivity of its content, while the security level of the access class associated
with a subject, called clearance , reflects the degree of trust placed in the
subject not to reveal sensitive information. The set of categories associated
with both subjects and objects defines the area of competence of users and
data. A user can connect to the system using her clearance or any access class
dominated by her clearance. A process generated by a user connected with a
specific access class has the same access class as the user.
The access requests submitted by a subject are evaluated by applying the
following two principles.
No-Read-Up. A subject s can read an object o if and only if the access class
of the subject dominates the access class of the object.
No-Write-Down. A subject s can write an object o if and only if the access
class of the object dominates the access class of the subject.
Consider, as an example, the security lattice in Fig. 4(a), where there are two security levels, Secret (S) and Unclassified (U), with S > U, and the set of categories {Admin, Medical}. Suppose that user Ann has clearance ⟨S, {Admin}⟩ and she connects to the system as the ⟨S, {}⟩ subject. She is allowed to read objects ⟨S, {}⟩ and ⟨U, {}⟩. She can write objects with access class ⟨S, {}⟩, ⟨S, {Admin}⟩, ⟨S, {Medical}⟩, and ⟨S, {Admin, Medical}⟩.
Note that a user is allowed to connect to the system at different access classes in order to access information at different levels (provided that she is cleared for it). Otherwise, these accesses would be blocked by the no-write-down principle.
The principles of the secrecy-based mandatory policy prevent information flows from high-level subjects/objects to subjects/objects at lower (or incomparable) levels, thus preserving information confidentiality. However, these two principles may turn out to be too restrictive. For instance, in a real scenario data may need to be downgraded (e.g., this may happen at the end of an embargo). To accommodate these situations, secrecy-based mandatory models can allow exceptions for processes that are trusted and ensure that the information produced is sanitized.
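The dominance relation, the no-read-up and no-write-down checks, and the connect rule from the text, applied to the lattice of Fig. 4(a). This is an added illustration, not code from the original; the lattice (levels S > U, categories Admin and Medical) and user Ann are the page's own example, and the helper names are assumed.

```python
from dataclasses import dataclass
from itertools import chain, combinations

# Constructed lattice of Fig. 4(a): two levels with S > U and two categories.
LEVELS = {"U": 0, "S": 1}
CATEGORIES = ("Admin", "Medical")


@dataclass(frozen=True)
class AccessClass:
    level: str
    categories: frozenset

    def dominates(self, other):
        """c1 dominates c2 iff level(c1) >= level(c2) and cats(c1) is a superset of cats(c2)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def join(self, other):
        """Least upper bound in the lattice: the higher level with the union of categories."""
        top = max(self.level, other.level, key=LEVELS.__getitem__)
        return AccessClass(top, self.categories | other.categories)


def ac(level, *cats):
    return AccessClass(level, frozenset(cats))


def can_connect(clearance, requested):
    # A user may connect at her clearance or at any class dominated by it.
    return clearance.dominates(requested)


def can_read(subject, obj):
    # No-read-up: the subject's class must dominate the object's class.
    return subject.dominates(obj)


def can_write(subject, obj):
    # No-write-down: the object's class must dominate the subject's class.
    return obj.dominates(subject)


def all_classes():
    # Every (level, category subset) pair in the lattice: 2 levels x 4 subsets = 8 classes.
    subsets = list(chain.from_iterable(combinations(CATEGORIES, n) for n in range(3)))
    return [ac(lvl, *cats) for lvl in LEVELS for cats in subsets]


def readable(subject):
    return {o for o in all_classes() if can_read(subject, o)}


def writable(subject):
    return {o for o in all_classes() if can_write(subject, o)}
```

Running `readable(ac("S"))` and `writable(ac("S"))` reproduces the sets listed for Ann above; `ac("S", "Admin").join(ac("U", "Medical"))` shows how two incomparable classes meet at ⟨S, {Admin, Medical}⟩.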