Type enforcement
The concept of type enforcement (TE) in the field of information technology is related to access control. Implementing TE gives priority to “mandatory access control” (MAC) over “discretionary access control” (DAC). Access clearance is first given to a subject (e.g. a process) accessing objects (e.g. files, records, messages) based on rules defined in an attached security context. A security context in a domain is defined by a domain security policy. In the Linux security module (LSM) in SELinux, the security context is an extended attribute. Type enforcement implementation is a prerequisite for MAC, and a first step before “multi-level security” (MLS) or its replacement “multi categories security” (MCS). It is a complement of “role based access control” (RBAC).
Control
Type enforcement implies fine-grained control over the operating system: not only control over process execution, but also over “domain transition” or the authorization scheme. This is why it is best implemented as a kernel module, as is the case with SELinux. Using type enforcement is a way to implement the FLASK architecture.
Access
Using type enforcement, users may (as in Microsoft Active Directory) or may not (as in SELinux) be associated with a domain, although the original type enforcement model implies so. It is always necessary to define a TE access matrix containing rules about the clearance granted to a given security context, or a subject's rights over objects according to an authorization scheme.
Security
Practically, type enforcement evaluates a set of rules from the source security context of the subject against a set of rules from the target security context of the object. A clearance decision is made according to the TE access description (matrix, …). Only then do DAC or other access control mechanisms (MLS / MCS, …) apply.
History
Type enforcement was introduced in the Secure Ada Target architecture in the late 1980s. A full implementation was developed in the LOCK system. The Sidewinder Internet Firewall was implemented on a custom version of Unix that incorporated type enforcement. A variant called domain type enforcement was developed in the Trusted MACH system.
The original type enforcement model stated that labels should be attached to subject and object: a “domain label” for a subject and a “type label” for an object. This implementation mechanism was improved by the FLASK architecture, which replaced complex structures and implicit relationships. Also, the original TE access matrix was extended to other structures: lattice-based, history-based, environment-based, policy logic… This is a matter of how TE is implemented by the various operating systems. In SELinux, the TE implementation does not internally distinguish TE domains from TE types. It should be considered a weakness of the original TE model that it specifies detailed implementation aspects such as labels and the matrix, especially using the terms “domain” and “type”, which have other, more generic, widely accepted meanings.
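As an added example (not code from the original article or from SELinux), the following Python models the evaluation order described under Security and the domain/type labels of the original model: a default-deny TE access matrix is consulted first, and a simplified DAC check runs only after TE allows; it also shows the domain transition mentioned under Control. The SELinux-style labels (httpd_t and so on), uids and modes are constructed for illustration and are not rules from any real policy.

```python
"""Toy type-enforcement evaluator: an added illustration, not code from the page.
Subjects carry a domain label, objects a type label; an access matrix maps
(domain, type, class) to permissions. Access is denied unless a rule allows it
(MAC), and only then is a simplified DAC check applied. All values constructed."""
from dataclasses import dataclass, field

DAC_BITS = {"read": 4, "write": 2, "execute": 1}

@dataclass(frozen=True)
class Context:
    label: str  # domain label for a subject, type label for an object
    uid: int    # owner uid consulted by the DAC stage

@dataclass
class TEPolicy:
    # access matrix: (source domain, target type, object class) -> permissions
    matrix: dict = field(default_factory=dict)
    # domain transitions: (current domain, entrypoint type) -> new domain
    transitions: dict = field(default_factory=dict)

    def allow(self, src, tgt, cls, perms):
        key = (src, tgt, cls)
        self.matrix[key] = self.matrix.get(key, frozenset()) | frozenset(perms)

    def te_check(self, src, tgt, cls, perm):
        # Default deny: no matching rule in the matrix means no access.
        return perm in self.matrix.get((src, tgt, cls), frozenset())

def dac_check(subject, obj, perm, mode):
    # Simplified DAC: owner bits if uids match, otherwise the "other" bits.
    # Permissions without a DAC bit (e.g. getattr) are left to TE alone.
    bits = (mode >> 6) if subject.uid == obj.uid else (mode & 0o7)
    return bool(bits & DAC_BITS[perm]) if perm in DAC_BITS else True

def access(policy, subject, obj, cls, perm, mode):
    # TE (mandatory) decides first; DAC is consulted only after TE allows.
    if not policy.te_check(subject.label, obj.label, cls, perm):
        return "denied by TE"
    return "allowed" if dac_check(subject, obj, perm, mode) else "denied by DAC"

def transition(policy, subject, entrypoint):
    # Executing an entrypoint type may move the subject into a new domain.
    new = policy.transitions.get((subject.label, entrypoint.label), subject.label)
    return Context(new, subject.uid)

def sample_policy():
    # Constructed SELinux-style labels; the rules are not from any real policy.
    p = TEPolicy()
    p.allow("httpd_t", "httpd_sys_content_t", "file", ["read", "getattr"])
    p.allow("init_t", "httpd_exec_t", "file", ["execute"])
    p.transitions[("init_t", "httpd_exec_t")] = "httpd_t"
    return p
```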