Mandatory Access Control (MAC) and Discretionary Access Control (DAC)

Read section 3 on Discretionary Access Control (DAC) and section 4 on Mandatory Access Control (MAC). Why is DAC called discretionary and MAC non-discretionary? What is the main drawback or vulnerability presented when using DAC, and why is MAC not vulnerable as well? What do no read-up and no write-down mean?

Mandatory Access Control (MAC)

MAC security policies govern access on the basis of the classifications of subjects and objects in the system [6]. Objects are the passive entities that store information, for example relations, tuples in a relation, etc. Subjects are the active entities that access the objects, usually processes operating on behalf of users.

An access class consists of two components: a security level and a set of categories.

The security level is an element of a hierarchically ordered set. The levels often considered are Top Secret (TS), Secret (S), Confidential (C) and Unclassified (U), where TS > S > C > U.

The set of categories is an unordered set, for example, NATO, Nuclear, Army etc.

The security level of the access class associated with an object reflects the sensitivity of the information contained in the object, that is, the potential damage that could result from unauthorized disclosure of that information [7]. The security level of the access class associated with a user is called the user's clearance; it reflects the user's trustworthiness not to disclose sensitive information to users who are not cleared for it.

Access control in mandatory protection systems is based on the following two principles:

  • No read-up (read down): A subject can read only those objects whose access class is dominated by the access class of the subject.

  • No write-down (write up): A subject can write only those objects whose access class dominates the access class of the subject.

Satisfaction of these two principles prevents more sensitive information from flowing to objects at lower levels, and hence preserves the confidentiality of sensitive information. The effect of these rules can be diagrammatically represented as shown in fig. 5.

Fig 4: Example of Trojan horse (figure not reproduced)

Fig 5: Controlling information flow for secrecy (figure not reproduced)


MAC can also be applied to the protection of information integrity [7]. For example, the integrity levels could be Crucial (C), Important (I) and Unknown (U). The integrity level associated with an object reflects the degree of trust that can be placed in the information stored in the object, and the potential damage that could result from unauthorized modification of that information. The integrity level associated with a user reflects the user's trustworthiness for inserting, modifying, or deleting data or programs at that level. The principles that are required to hold are as follows.

  • Read up - A subject's integrity level must be dominated by the integrity level of the object being read.

  • Write down - A subject's integrity level must dominate the integrity level of the object being written.


The effect of these rules can be diagrammatically represented as shown in fig. 6.

MAC models are not vulnerable to Trojan horse attacks. Consider fig. 4: if Tom is not allowed read access to table Market, then under MAC control table Market has an access class that is either higher than or incomparable to the access class given to Tom. But then any subject able to read Market would not be able to write table Stolen, and hence the Trojan horse could not complete its function.
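The following Python is an added worked example, not part of the original text, that models the access classes described above (a hierarchical level plus an unordered category set), the dominance relation between them, the two secrecy rules (no read-up / no write-down), the two integrity rules (read up / write down), and the Trojan horse argument just made about Tom, Market and Stolen. The names Tom, Market and Stolen come from the text; the concrete access classes assigned to them, and the ordering Crucial > Important > Unknown for integrity levels, are assumptions made for the example. The `any_subject_can_leak` check goes slightly beyond the text by enumerating every possible subject class to show that no process at all, not just Tom's, can copy Market into Stolen.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Iterator

# Hierarchical secrecy levels from the text: TS > S > C > U (higher number = higher level).
SECRECY_LEVELS: Dict[str, int] = {"U": 0, "C": 1, "S": 2, "TS": 3}
# Integrity levels from the text; the ordering Crucial > Important > Unknown is assumed.
INTEGRITY_LEVELS: Dict[str, int] = {"U": 0, "I": 1, "C": 2}


@dataclass(frozen=True)
class AccessClass:
    """An access class: a level from a hierarchy plus an unordered set of categories."""
    level: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "AccessClass", order: Dict[str, int]) -> bool:
        # Dominance is a partial order: level >= AND categories are a superset.
        # Two classes where neither dominates the other are "incomparable".
        return (order[self.level] >= order[other.level]
                and self.categories >= other.categories)


# --- Secrecy rules ---
def can_read_secrecy(subject: AccessClass, obj: AccessClass) -> bool:
    """No read-up: the object's class must be dominated by the subject's."""
    return subject.dominates(obj, SECRECY_LEVELS)


def can_write_secrecy(subject: AccessClass, obj: AccessClass) -> bool:
    """No write-down: the object's class must dominate the subject's."""
    return obj.dominates(subject, SECRECY_LEVELS)


# --- Integrity rules (the duals of the secrecy rules) ---
def can_read_integrity(subject: AccessClass, obj: AccessClass) -> bool:
    """Read up: the subject's integrity level must be dominated by the object's."""
    return obj.dominates(subject, INTEGRITY_LEVELS)


def can_write_integrity(subject: AccessClass, obj: AccessClass) -> bool:
    """Write down: the subject's integrity level must dominate the object's."""
    return subject.dominates(obj, INTEGRITY_LEVELS)


def all_access_classes(order: Dict[str, int], categories: Iterable[str]) -> Iterator[AccessClass]:
    """Enumerate every access class over the given levels and category set."""
    cats = sorted(categories)
    for level in order:
        for r in range(len(cats) + 1):
            for combo in combinations(cats, r):
                yield AccessClass(level, frozenset(combo))


def any_subject_can_leak(source: AccessClass, sink: AccessClass, categories: Iterable[str]) -> bool:
    """Is there ANY subject class allowed to both read `source` and write `sink`?

    That is exactly what a Trojan horse needs in order to copy Market into Stolen.
    Under the two secrecy rules it requires source <= subject <= sink, so it is
    possible only when the sink dominates the source."""
    return any(can_read_secrecy(s, source) and can_write_secrecy(s, sink)
               for s in all_access_classes(SECRECY_LEVELS, categories))


# Constructed scenario following fig. 4 of the text; the classes are assumed values.
CATEGORIES = {"Nuclear", "Army"}
TOM = AccessClass("C")                              # Tom's clearance (assumed)
MARKET = AccessClass("S", frozenset({"Nuclear"}))   # the table Tom may not read
STOLEN = AccessClass("C")                           # a table created at Tom's own class


def trojan_horse_outcome() -> dict:
    """Summarise the Trojan horse attempt from the text under MAC control."""
    return {
        "tom_can_read_market": can_read_secrecy(TOM, MARKET),
        "some_subject_can_copy_market_to_stolen": any_subject_can_leak(MARKET, STOLEN, CATEGORIES),
        # If Stolen were instead created high enough for the copy to be permitted,
        # it would dominate Tom's clearance, so Tom could not read it either.
        "tom_can_read_high_stolen": can_read_secrecy(TOM, AccessClass("TS", frozenset({"Nuclear"}))),
    }


if __name__ == "__main__":
    for name, allowed in trojan_horse_outcome().items():
        print(f"{name}: {allowed}")
```

Every entry of `trojan_horse_outcome()` comes out `False`: Tom cannot read Market directly, no subject class can both read Market and write the low-level table Stolen, and a table placed high enough to receive the copy is unreadable to Tom. The same `dominates` check drives both the secrecy and the integrity functions; only the direction of the comparison is swapped, which is what makes the integrity rules the dual of the secrecy rules.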