Mandatory access control

   

Mandatory Access Control (MAC) is a technique to protect and contain computer processes, data, and system devices from mis-use. This extends the discretionary access controls of file system permissions and the concepts of users and groups. Traditional systems provide two basic user groups -- trusted administrators and untrusted users.

The goal is to define an architecture that requires the evaluation of all security-related labels and making decisions based upon the operations context and the same data labels. The Flask architecture coupled with MAC is an enabling technology of MLS-style systems.

Such a framework prevents an authenticated user or process at a specific classification or trust level to access information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program would be an untrusted application where device and file accesses should be monitored and/or controlled).

Clearly a framework that works to separate data and operations within a computer needs to be non-bypassable. It also needs to be evaluatable to determine the usefulness and effectiveness of a rule, always-invoked as to not bypass the system, and tamper-proof.

Historical MAC architectures

This is implemented in several security-focused operating systems, and is key in FLASK operating systems.

See Also

  • Security-related data labeling
  • Security-related type enforcement

Retrieved from "http://www.mywiseowl.com/articles/Mandatory_access_control"

This page has been accessed 223 times. This page was last modified 17:59, 5 Aug 2004. All text is available under the terms of the GNU Free Documentation License (see Copyrights for details).