2 Multilevel Security

Cynthia E. Irvine

Naval Postgraduate School, Monterey, California

2.1 Introduction

Multilevel security (MLS) refers to policies and techniques where the sensitivity of the information is immutably bound to an equivalence class. (One can think of equivalence classes as subsets of a set where there is no overlap or intersection among the subsets. For example, pens could be subdivided into red pens, blue pens, black pens, green pens, and so on. Information might be subdivided into CRITICAL and NONCRITICAL information or PUBLIC or PROPRIETARY information.) The active entities that access the information are also statically associated with equivalence classes. On the basis of the relationships between the equivalence classes, rules determine whether and with what rights an active entity can access the information. The mandatory policies associated with MLS can apply to integrity as well as confidentiality. Specific models and mechanisms have been developed to support MLS in computer systems. Requirements for multilevel secure systems span the private sector, the government, and the military.

2.2 Background

Most organizations maintain information that is either protected or openly available. In government, information often is categorized as either classified or unclassified. Within the context of classified information, various levels of information sensitivity may be established based upon the damage caused should that information become accessible to adversaries. The more grievous the damage resulting from unauthorized access, the more sensitive the information. For example, the recipe for Uncle Joe's secret sauce may be considered critical to the continued well being of a producer of barbeque sauce: it must neither be revealed to competitors, nor should be corrupted by changing the proportions of the ingredients. Physical documents containing sensitive information are protected through a variety of physical and procedural controls. Computer systems introduce new challenges.

Throughout the 1960s, as multiprocessing computer systems evolved, it became evident that the separation provided by the resource management mechanisms of typical operating systems was insufficient to prevent highly sensitive information from becoming accessible to unauthorized individuals. These controls were so inadequate that instead of utilizing the power of multiprocessing, classified information processing was conducted separately. At times, this meant that those with classified tasks had to wait until after hours, when the system could be dedicated to processing the sensitive information. Following the completion of the classified tasks, the system was purged of all sensitive information and restored to unclassified activity. This is what is called periods processing. If the amount of classified processing merited the additional expense, a dedicated system might be allocated to sensitive tasks.

Both these approaches were insufficient to meet the requirements of organizations that depended upon rapid access to information for military command and control. Periods processing could result in unacceptable delays and dedicated systems incurred both the expense of additional equipment and a high cost of ownership in terms of system maintenance and support personnel. If simultaneous processing at several classification levels, such as CONFIDENTIAL, SECRET, and TOP SECRET, was required, then the resources for either periods processing or dedicated systems could be inadequate. In addition, these approaches could be wasteful if the computing resources allocated to particular classification levels were underutilized.

In organizations where access to a broad spectrum of information is required for making informed decisions, the temporal and spatial separation of information with various sensitivities afforded by periods processing and dedicated systems was more than inconvenient: it could mean the difference between victory and defeat, life or death. Those at the management level wanted computer systems that would mimic the kind of access to information possible when using physical documents: timely simultaneous access to both classified and unclassified information, by properly authorized individuals.

MLS addresses these requirements. To understand MLS, it is necessary to understand the nature of the policies to be enforced, the challenges associated with enforcement of those policies in automated systems, how multilevel systems and networks are implemented, current approaches to MLS systems, and emerging technologies for MLS systems.

2.3 Multilevel Security Policies

Security policies are embodied in the laws, procedures, and rules used to manage and protect information. In general, policies reflect an organization's requirements for information confidentiality, integrity, and availability. MLS is applicable to both confidentiality and integrity policies. An organization may use labels to associate a particular sensitivity level with particular piece of information, and people are vetted for access to sensitive information through checks that result in some form of authorization. For example, extensive and costly background checks are required to vet individuals as sufficiently trustworthy to merit access to TOP-SECRET information. Individuals lacking appropriate authorization will be unable to access any sensitive information, whereas those with many or high authorizations have access not only to nonsensitive information but also to highly sensitive information. MAC policies are policies that are both global in scope and persistent in time; users cannot override the policy during normal use. Sometimes mandatory policies are called nondiscretionary policies; the two terms are equivalent. In contrast, discretionary access control policies permit modification of the rules pertaining to access to information: a run-time interface is provided through which properly authorized users may modify policy. Consequently, it is up to the discretion of the individual to determine who will have access to information. A test for determining whether a policy is mandatory or discretionary is to examine the punishment associated with its violation (1). Disclosure of state secrets can result in prison or firing squads, whereas violation of discretionary policy may only result in a reprimand.

Sensitivity levels are identifiers for equivalence classes of information and are based upon the secrecy and integrity attributes of the information. The choice of equivalence classes is up to the organization. For a private enterprise, the sensitivity levels might be PROPRIETARY and PUBLIC, whereas a military organization might choose SECRET, CONFIDENTIAL, and UNCLASSIFIED. Consider a few examples.

In a large company, only personnel in the PRODUCT-RESEARCH group may have access to PRODUCT-RESEARCH information, whereas only personnel in CORPORATE-STRATEGY group may access the CORPORATE-STRATEGY for next year. Information on the company web pages is PUBLIC and is readable by anyone, although the company is likely to restrict write access to its webmasters and system administrators. Management determines the membership of the respective groups. Lipner provided a discussion of the applicability of MAC policies in the commercial sector (2) and concluded that a very large number of labels would be required when many enterprises were involved. Military organizations may organize classified information into TOP SECRET, SECRET, and CONFIDENTIAL levels, and all nonsensitive information is UNCLASSIFIED. Individuals are given background checks and are assigned clearances such as TOP SECRET and SECRET.

There may be a hierarchical relationship between the major equivalence classes. For example, a user cleared for TOP SECRET is able to access TOP SECRET, SECRET, and UNCLASSIFIED information. In the corporate example, everyone in PRODUCT-RESEARCH may be allowed to access both SHIPPING and PUBLIC. Often an organization may impose further granularity on its access controls by imposing a mandatory need-to-know policy. Additional metadata is associated with both subjects and objects to reflect mandatory need-to-know policies. For example, an individual cleared for TOP SECRET may be vetted for access to information that is in special compartments such as Imagery Intelligence (IMINT), Signals Intelligence (SIGINT), and Human Intelligence (HUMINT). Such labels are commonly used by the intelligence community where the work of analysts is compartmented so that individuals have access only to the information required to do their job. These mandatory policies reflect a requirement to enforce the notion of least privilege (3). Figure 2.1 shows both a hierarchical ordering of access classes and classes created from combinations of noncomparable attributes. For a mandatory confidentiality policy, information is allowed to flow from lower classification levels or combinations to higher ones. In the latter, any classes may receive information from classes with attributes that are a subset of its own.

A common misconception is that MLS applies only to the enforcement of mandatory confidentiality policies. MLS may also be used to enforce mandatory integrity policies. The semantics of integrity...