Handbook of Information Security Management:Communications Security

THE INFORMATION BUCKET

Every security mechanism has the concept of limiting who can have access to data. This concept is called the “information bucket.” All related information is placed in the same bucket, and then access to that bucket is controlled. The information bucket is very similar to the access class or the security level in Department of Defense (DoD) systems. For example, most computer systems have the concept of users. Each user gets his or her own bucket in which to work. All user files reside in the appropriate bucket, and the users control who can access their files. In its simplest form, a bucket has a set of programs and a set of files that the programs can access.

A secure system must control at least four factors:

  Who can access a bucket.
  Which programs can run in that bucket.
  What those programs can access.
  Which programs can communicate with other programs.

Communication between programs must be controlled, because a program can send information to another program, which then writes that information into a different bucket.

A system is very secure if no overlap exists between buckets, because in this configuration no user is able to read or modify data, or consume system resources, from another bucket. However, this situation is equivalent to giving each user a separate computer and not allowing individual users to talk to each other. People in many computing environments need to share information. If the users are responsible for the information resources in their buckets and are careful about sharing their information with others, the system can remain secure.

Security problems arise when the boundaries between buckets are not well defined. For example, if two different buckets can read and write the same file, information can flow between the two buckets. This type of “leaky” bucket is a potential security problem. When leaky or overlapping buckets are combined with a complex system in which a large number of buckets exist, it becomes difficult to know how secure the system is.

For those leaks that are necessary, special programs can monitor data transfers between buckets to ensure that only the proper data leave the bucket. These programs are “trusted,” in that they guarantee that only the proper data are transferred. Writing a program that provides such a guarantee is difficult. The best approach with current technology is to write the program as small as possible, so that it can be analyzed for potential errors by a network administrator.

The goal of a secure system is to strike the proper balance between guarding and sharing data. A rough measure of how secure a system is can be obtained by considering these three factors:

  The number of buckets.
  The amount of overlap between buckets.
  The level of trust for the programs protecting data channels (if information is allowed to move between buckets).

The more overlap that exists between buckets, the more information can flow through the system, and thus more analysis is required to ensure that the system is secure.

Another consideration for the security of a system is any exception to the bucket policy. For example, many systems allow an administrator to access any bucket on the system. The problem is not that administrators cannot be trusted, but rather that this situation gives attackers an opportunity to gain complete access. Instead of trying to find a leaky bucket, an attacker can try to trick the system into thinking he or she is the administrator.

TYPE ENFORCEMENT

Type enforcement was first proposed as part of the LOCK system to fulfill DoD requirements for secure systems. Most DoD secure systems in the late 1980s focused on the traditional classification levels of the DoD, such as unclassified, confidential, secret, and top secret. These systems implemented very strict buckets, with a one-way information flow between buckets. However, data and application interactions rarely fall into such a constrained security policy. In the course of an application transaction, data may flow in a complete circle through many different buckets with different security requirements.

The goal of type enforcement is to give each program only the permissions that the program requires to do its job. This concept is called “least privilege.” Type enforcement assigns each type of critical program its own bucket. All the files that the program needs to access are also placed in the bucket. Many programs need the same files because they are doing the same kinds of tasks. Type enforcement categorizes individual programs and files into general groups that describe the abstract behavior of the components. Programs are grouped into domains, and files are grouped into types. For example, two mail reader programs like Elm and Pine require the same permissions; thus, they are grouped together in the mail-reader domain.
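The following Python is an added illustration, not code from the handbook or from the LOCK system: it models the domain/type grouping just described (programs in domains, files in types, a table of what each domain may do to each type), and it also computes the "leaky bucket" overlap discussed earlier, where one bucket writes a type that another bucket reads. All domain, type, program and path names are constructed for the example.

```python
# Added example (not from the handbook): a toy type-enforcement policy.
# Programs are grouped into domains and files into types; a domain-definition
# table (DDT) says which types each domain may read or write. All names below
# are constructed for illustration.
from collections import defaultdict

# Domain-definition table: (domain, type) -> allowed operations.
DDT = {
    ("mail_reader", "mailbox"): {"read", "write"},
    ("mail_reader", "user_config"): {"read"},
    ("mail_transfer", "mailbox"): {"write"},
    ("mail_transfer", "spool"): {"read", "write"},
    ("editor", "user_config"): {"read", "write"},
    ("editor", "document"): {"read", "write"},
}

# Domain-interaction table: which domains may send messages to which.
DIT = {("mail_transfer", "mail_reader")}

# Concrete programs and files are assigned to domains and types.
PROGRAM_DOMAIN = {"elm": "mail_reader", "pine": "mail_reader",
                  "sendmail": "mail_transfer", "vi": "editor"}
FILE_TYPE = {"/var/mail/alice": "mailbox", "/home/alice/.elmrc": "user_config",
             "/var/spool/mqueue/q1": "spool", "/home/alice/notes.txt": "document"}

def allowed(program, path, op):
    """Least privilege: a program gets only what its domain's DDT row grants."""
    domain, ftype = PROGRAM_DOMAIN.get(program), FILE_TYPE.get(path)
    if domain is None or ftype is None:
        return False  # unknown program or unlabelled file: deny by default
    return op in DDT.get((domain, ftype), set())

def may_communicate(sender, receiver):
    """Program-to-program communication is a flow too, so it needs a DIT entry."""
    return (PROGRAM_DOMAIN.get(sender), PROGRAM_DOMAIN.get(receiver)) in DIT

def information_flows():
    """List the 'leaks' between buckets: a type that one domain may write and a
    different domain may read carries information from the first to the second."""
    writers, readers = defaultdict(set), defaultdict(set)
    for (domain, ftype), ops in DDT.items():
        if "write" in ops:
            writers[ftype].add(domain)
        if "read" in ops:
            readers[ftype].add(domain)
    return sorted((src, ftype, dst) for ftype in writers
                  for src in writers[ftype] for dst in readers[ftype] if src != dst)
```

Each tuple returned by `information_flows()` is one channel that would need a trusted monitor program or a policy change; the fewer such tuples, the less analysis the system needs.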
