Security Levels and Categories
- A security level is
defined as a hierarchical attribute that can be associated with entities
on a computer system to help denote their degree of sensitivity.
- A security category is
defined as a nonhierarchical grouping of computer system entities to help
denote their need to know
Need to Know
- A useful security concept
frequently represented as a security categories
- Information not only has
security levels, but need to know categories
- A security level may have
more than one need to know category
Security Labels
- A security label is
defined as an attribute that is associated with computer system entities
to denote their security level and need to know attributes
- Labels for a system is
the set of all ordered pairs (a,b) where a is an element of levels
and b is a subset (possibly empty) of categories
Subjects and Objects
- A subject can be
defined as an active computer system entity that can initiate requests for
resources and utilize these resources to complete a computing task.
- An object can be
defined as a passive computer system repository that is used to store
information
Clearance and Classification
- Clearance is defined
as a security label that denotes the security sensitivity of a subject
- Classification is
defined as a security label that denotes the security sensitivity of an object
- Clearance and Classification
can be defined as functions that assign labels to subjects and objects
Dominates Relationship
- Dominates is a binary
relationship on the set labels
- If (a, b) is a pair of
security labels a and b, then a dominates b
when the security level of a is greater than that of b and
the set of security categories of a are a superset of the
security categories of b
UNIX System V/MLS Security Labels
- Security labeling on the
security-enhanced UNIX System V/MLS operating system follows the above
definitions closely
- System administration names
and maintains security levels and categories in various V/MLS system files
- The implementations avoids
complex changes to the UNIX system kernel