Multi-level Security
This is often interpreted in different ways.
TRUSTED OPERATING SYSTEMS

MLS implementation requires a highly trustworthy information processing system. If MLS is being deployed on a single computer, then that computer must use a trusted operating system (OS). Because all information in an MLS environment is physically accessible by the OS, strong logical controls must exist to ensure that access to information is strictly controlled. Typically this involves Mandatory Access Control that uses security labels, like the Bell-LaPadula Model noted earlier. Freely available implementations of MLS operating systems include Security-Enhanced Linux and TrustedBSD. Sun Microsystems offers "Trusted Solaris," a commercial version of the Solaris Operating Environment that supports MLS. Early versions were evaluated at the TCSEC B1 level (the lowest allowed for MLS) and more recent versions were evaluated under the Common Criteria. The current implementation is based on Solaris 8; however, Trusted Solaris extensions are expected for Solaris 10 in 2006, extending the life of the product.

MLS PROBLEM AREAS

Sanitization is a problem area for MLS systems. Systems that implement MLS restrictions, like those defined by Bell-LaPadula, only allow sharing when it does not obviously violate security restrictions. Users with lower clearances can easily share their work with users holding higher clearances, but not vice versa. There is no efficient, reliable mechanism by which a Top Secret user can edit a Top Secret file, remove all Top Secret information, and then deliver it to users with Secret or lower clearances. In practice, MLS systems circumvent this problem via privileged functions that allow a trustworthy user to bypass the MLS mechanism and change a file's security classification. However, the technique is not reliable.

Covert channels pose another problem for MLS systems. For an MLS system to keep secrets perfectly, there must be no possible way for a Top Secret process to transmit signals of any kind to a Secret or lower process. This includes side effects such as changes in available memory or disk space, or changes in process timing. When a process exploits such a side effect to transmit data, it is exploiting a covert channel. It is extremely difficult to close all covert channels in a practical computing system, and it may be impossible in practice. The process of identifying all covert channels is a challenging one by itself. Most commercially available MLS systems do not attempt to close all covert channels, even though this makes it impractical to use them in high security applications.

MILS ARCHITECTURE

The defense community categorizes MLS as one subset of an architecture referred to as MILS (multiple independent levels of security). MILS architecture is designed to address the ways in which models such as the Biba Model (for integrity) and the Bell-LaPadula Model (for confidentiality) can be applied to systems processing classified information. As has been discussed, MLS is designed to provide a framework in which information classified at different levels may coexist without risk of compromise. Another variation of MILS, termed MSL (which is interchangeably defined as "multiple single level" or "multiple security level"), takes a different approach by isolating each level of information within its own single-level environment (System High).

MSL SYSTEMS

There is another way of solving such problems, known as Multiple Single-Level. This involves having multiple workstations or virtual machines running under a system such as VMware (as used in NetTop), each of which runs at a separate level. This is often used to support applications or OSs which have no possibility of supporting MLS, such as MS Windows.
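As an added illustration, not part of the original article, of the Bell-LaPadula rules behind the sanitization problem described above: a minimal Python label lattice enforcing the simple security property (no read up) and the *-property (no write down), plus a privileged regrade function standing in for the trusted downgrade operation that MLS systems fall back on. The level names, compartments and function names are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed linear sensitivity hierarchy, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a sensitivity level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property ('no read up'): subject must dominate object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property ('no write down'): object must dominate subject.
    This is why a Top Secret user cannot hand an edited file to Secret readers."""
    return obj.dominates(subject)


@dataclass
class Document:
    label: Label
    text: str


def regrade(doc: Document, new_label: Label, has_downgrade_priv: bool) -> Document:
    """Trusted-path regrade (hypothetical helper): the only route by which content
    moves to a lower label. The mandatory rules cannot check that the text was
    actually sanitized; they can only check that a privileged user requested it."""
    if not has_downgrade_priv:
        raise PermissionError("regrade requires the downgrade privilege")
    return Document(new_label, doc.text)
```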