|
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a ''subject'' or ''initiator'' to access or generally perform some sort of operation on an ''object'' or ''target''. In practice, a subject is usually a process or thread; objects are constructs such as files, directories, TCP/UDP ports, shared memory segments, IO devices etc. Subjects and objects each have a set of security attributes. Whenever a subject attempts to access an object, an authorization rule enforced by the operating system kernel examines these security attributes and decides whether the access can take place. Any operation by any subject on any object is tested against the set of authorization rules (aka ''policy'') to determine if the operation is allowed. A database management system, in its access control mechanism, can also apply mandatory access control; in this case, the objects are tables, views, procedures, etc. == Implications of the term ''mandatory'' == In the context of Multilevel security (MLS), the term ''mandatory'' used with access controls has historically implied a very high degree of robustness that assures that the control mechanisms resist subversion, thereby enabling them to enforce an access control policy that is mandated by some regulation that must be absolutely enforced, such as the Executive Order 12958 for US classified information. For MAC, the access control decision is contingent on verifying the compatibility of the security properties of the data and the clearance properties of the individual (or the process proxying for the individual). The decision depends on the integrity of the metadata (e.g. label) that defines the security properties of the data, as well as the security clearance of the individual or process requesting access. For example, if a security label can be changed by a user, a surprisingly common vulnerability in some self-proclaimed 'MAC capable' systems, then that user can corrupt the access controls. Security mechanisms that protect such metadata and the access control decision logic from corruption are MAC-critical objects and require appropriate robustness. The term mandatory in MAC has acquired a special meaning derived from its use with military systems. MAC means access controls that are mandated by order of a government and so enforcement is supposed to be more imperative than for commercial applications. This precludes enforcement by best-effort mechanisms, only mechanisms that can provide absolute, or near-absolute enforcement of the mandate are acceptable for MAC. This is a tall order and sometimes assumed unrealistic by those unfamiliar with high assurance strategies, and very difficult for those who are. Vendors claiming to enforce MAC are sometimes making claims beyond their capability, and sometimes making claims beyond their understanding. The claim that MAC is enforced implies a claim of very high robustness. Vendors claiming MAC capability do usually have functions that enable defining of MAC privileges and rules but their implementations can be woefully unable to enforce them under even the mildest of attack. Ordinary 'best practices' does not produce software that has this kind of assurance level; in fact, no successful software-only approach has ever been documented. The only approach that has succeeded at protecting MAC controls from subversion has been to design the kernel to maintain a domain for its own execution using highly specialized hardware designed into the microprocessor architecture. Besides its cost, this is often unpopular because it affects portability of the operating system. 抄文引用元・出典: フリー百科事典『 ウィキペディア(Wikipedia)』 ■ウィキペディアで「Mandatory access control」の詳細全文を読む スポンサード リンク
|