Integrity-Based Mandatory Policy [14]. The main goal of integrity-based mandatory policies is to prevent subjects from indirectly modifying information they cannot write (for instance, by having a more trusted subject read, and act on, data that a less trusted subject has altered). The integrity level associated with a user then reflects the degree of trust placed in the subject to insert and modify sensitive information. The integrity level associated with an object indicates the degree of trust placed in the information stored in the object and the potential damage that could result from unauthorized modifications of that information. Again, the set of categories associated with both subjects and objects defines the area of competence of users and data.
The access requests submitted by a subject are evaluated by applying the
following two principles.
No-Read-Down. A subject s can read an object o if and only if the integrity
class of the object dominates the integrity class of the subject.
No-Write-Up. A subject s can write an object o if and only if the integrity
class of the subject dominates the integrity class of the object.
Consider, as an example, the integrity lattice in Fig. 4(b), where there are two integrity levels Crucial (C) and Important (I), with C > I, and the set of categories {Admin, Medical}. Suppose that user Ann connects to the system as the ⟨C, {Admin}⟩ subject. She can read objects having integrity class ⟨C, {Admin}⟩ and ⟨C, {Admin, Medical}⟩, and she can write objects with integrity class ⟨C, {Admin}⟩, ⟨C, {}⟩, ⟨I, {Admin}⟩, and ⟨I, {}⟩.

These two principles are the dual of the principles adopted by secrecy-based policies. As a consequence, the integrity model prevents flows of information from low-integrity objects to higher-integrity objects. A major limitation of this model is that it captures only integrity breaches due to improper information flows. However, integrity is a much broader concept and additional aspects should be taken into account [15].

Note that secrecy-based and integrity-based models are not mutually exclusive, since it may be useful to protect both the confidentiality and the integrity properties. In this case, objects and subjects are associated with both a security class and an integrity class, and an access request is granted only if it satisfies the principles of both policies.

A major drawback of mandatory policies is that they control only flows of information happening through overt channels, that is, channels operating in a legitimate way. As a consequence, mandatory policies are vulnerable to covert channels [16], which are channels not intended for normal communication but that can still be exploited to infer information. For instance, if a low level subject requests the use of a resource currently used by a high level subject, it will receive a negative response, thus inferring that another (higher level) subject is using the same resource.
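As an added example (not code from the chapter), the following Python models the lattice of Fig. 4(b) together with the no-read-down and no-write-up principles, reproduces the classes Ann can read and write, and then simulates the resource-contention covert channel described above. The `Resource` class and the bit-encoding scheme are hypothetical, constructed to make the argument concrete. In the simulation the sender holds the lower integrity class and the receiver the higher one: in an integrity lattice that is the direction of flow both principles forbid (the low-level prober of the text's example would, under the integrity rules, be allowed to read the high-level object anyway), so the bits that get through are exactly the kind of flow the policy cannot see.

```python
"""Biba-style integrity lattice checks and a resource-contention covert channel.

Added example, not code from the chapter.  The lattice follows the text:
levels Crucial (C) > Important (I), categories {Admin, Medical}.  The
Resource class and the bit-encoding scheme are hypothetical, constructed
here to make the covert-channel argument concrete.
"""
from dataclasses import dataclass
from itertools import combinations

LEVELS = {"I": 1, "C": 2}            # Important < Crucial
CATEGORIES = ("Admin", "Medical")


@dataclass(frozen=True)
class IntegrityClass:
    level: str
    categories: frozenset

    def dominates(self, other):
        """Lattice order: level at least as high and a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def __str__(self):
        return f"<{self.level}, {{{', '.join(sorted(self.categories))}}}>"


def ic(level, *cats):
    """Shorthand constructor: ic('C', 'Admin') is <C, {Admin}>."""
    return IntegrityClass(level, frozenset(cats))


def can_read(subject, obj):
    """No-read-down: allowed iff the object's class dominates the subject's."""
    return obj.dominates(subject)


def can_write(subject, obj):
    """No-write-up: allowed iff the subject's class dominates the object's."""
    return subject.dominates(obj)


def all_classes():
    """Every (level, category set) pair in the lattice: 2 levels x 4 subsets."""
    return [ic(lvl, *combo)
            for lvl in LEVELS
            for n in range(len(CATEGORIES) + 1)
            for combo in combinations(CATEGORIES, n)]


def readable(subject):
    return {o for o in all_classes() if can_read(subject, o)}


def writable(subject):
    return {o for o in all_classes() if can_write(subject, o)}


class Resource:
    """Exclusively held resource; a busy resource refuses a second holder.
    Hypothetical: stands in for any shared device, lock or table."""
    def __init__(self):
        self.holder = None

    def acquire(self, who):
        if self.holder is None:
            self.holder = who
            return True
        return False                 # the refusal is the covert signal

    def release(self, who):
        if self.holder == who:
            self.holder = None


def leak_via_contention(bits, sender, receiver):
    """Per time step the sender holds the resource iff the bit is 1; the
    receiver probes with an ordinary request and decodes a denial as 1.
    Neither subject reads or writes an object, so no policy check fires."""
    res = Resource()
    received = []
    for bit in bits:
        if bit:
            res.acquire(sender)
        granted = res.acquire(receiver)
        received.append(0 if granted else 1)
        res.release(receiver)
        res.release(sender)
    return received


if __name__ == "__main__":
    ann = ic("C", "Admin")
    print("Ann reads :", sorted(map(str, readable(ann))))
    print("Ann writes:", sorted(map(str, writable(ann))))
    low, high = ic("I"), ic("C", "Admin")
    # The overt flow from low to high is blocked by both principles ...
    assert not can_read(high, low) and not can_write(low, high)
    # ... but the contention channel carries the bits anyway.
    print("leaked:", leak_via_contention([1, 0, 1, 1, 0], low, high))
```

Running the script lists the two readable and four writable classes given in the text for Ann, and then shows the five-bit message arriving intact at the high-integrity receiver even though `can_read` and `can_write` both refuse the corresponding overt access. Closing such a channel is not a matter of tightening the lattice; it needs the resource scheduler itself to stop exposing whether another subject holds the resource (or to limit the rate at which it does so).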
2.3 Role-Based Access Control
A third approach for access control is represented by Role-Based Access Con-
trol (RBAC) models [17, 18]. A role is defined as a set of privileges that any