Mandatory Access Control
July 29th, 2010 By alishinwari

Mandatory Access Control

Mandatory access control (1) aims to improve the security of computer systems by overcoming the weaknesses found in the discretionary access control systems. One of the major weaknesses of DAC is that it treats all of the processes of a user equally and does not differentiate between them i.e. all of the processes of a user have exactly the same permissions as the user himself. This creates several problems in the real world where malicious programs may exploit the permissions and privileges of a user on whose behalf they are being executed within the system, Trojan horses can easily exploit this weakness, -Whereby an unsuspecting user executes the malicious application as a result of which the security of the system is compromised.

A mandatory security policy is considered to be any security policy where the definition of the policy logic and the assignment of security attributes are tightly controlled by a system security policy administrator. MAC enforces access control on the basis of the labels assigned to subjects and objects. A mandatory access control policy specifies how subjects may access objects under the control of the operating system.
In any system which supports mandatory security, some applications require special privileges in the mandatory policy in order to perform some security-relevant function. Such applications are frequently called trusted applications because they are trusted to correctly perform some security-related function and because they are trusted to not misuse privileges required in order to perform that function. If the mandatory security mechanisms of a secure operating system only support coarse grained privileges, then the security of the overall system may devolve to the security of the trusted applications on the system. The mandatory security mechanisms of most of the operating system use the principle of least privilege to reduce the dependency on trusted applications. Type enforcement is an example of a mandatory security mechanism which is used to limit trusted applications to the minimal set of privileges required for their function and also to confine the damage caused by any misuse of these privileges.
MAC is often used to provide domain isolation, a mechanism used to rigorously confine an application to a unique security domain that is strongly separated from other domains in the system. As a result any damage arising from the misuse or exploitation of an application is restricted to a single security domain without disrupting the functionality applications running in different domains. This confinement property is critical to controlling data flows in support of a system security policy. In the case of personal computing systems, where the user may be the system security policy administrator, mandatory security mechanisms are helpful in protecting against flawed or malicious software.

Multi Level Security

Multilevel security (MLS) is used to process information with different sensitivities and to prevent unauthorized access to information. MLS allows the information to flow freely between recipients in a computing system who have appropriate security clearances while preventing the leakage of information to unauthorized users. MLS is most commonly used in military and government applications.
The notion of MLS seems very simple but unfortunately it is not easy to implement modern in computer systems effectively, where the sheer complexity of information flows within the system makes it impossible to prevent the leakage of data from high classification levels to lower ones. Furthermore more often than not MLS is not reliable and suitable enough for truly large scale systems.
Various security mechanisms are based on MLS each serves a different purpose e.g. confidentiality or integrity of information etc. Lattice based access control systems, Bell-La Padula, Biba and clark Wilson models may be viewed as variations of the multi-level security model.

Lattice based access control

Lattice based systems [2][3] are concerned with preserving the confidentiality and integrity of information flows with in a system and were formally defined by Denning. Lattice-based access control (LBAC) is a complex access control mechanism based on the interaction between any combination of objects and subjects. A lattice is used to define the levels of security that an object may have and that a subject may have access to. The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.

Bell-La Padula

The Bell-La Padula model [4] focuses on the confidentiality of data and access to classified information and aims to protect information from unauthorized subjects. Bell-La Padula is inspired from the hierarchy and information flow rules of military organizations and is the predominant form of access control in governmental and military applications. Access decision is taken on the basis of the security labels that are assigned to subjects and objects of a system. The security label of the subjects is known as “Security clearance” while the security label of an object is termed as its “Security classification”. The label of an object shows the sensitivity of the information contained within, while the label of a subject denotes the extent of sensitive information that can be accessed e.g. Top Secret, Secret, Classified, Unclassified, Public etc.
The model defines two mandatory access control (MAC) rules and one discretionary access control (DAC) rule with three security properties:
• The Simple Security Property: a subject at a given security level may not read an object at a higher security level (no read-up).
• The *-property: a subject at a given security level must not write to any object at a lower security level (no write-down). The *-property is also known as the Confinement property.
• The strong *-property: an alternative to the *-Property in which subjects are only allowed to write objects at their own security level. Thus, the write-up operation permitted in the usual *-Property is not present.
The transfer of information from a document of higher security level to a document in the lower security levels may happen in the Bell-La Padula model via the concept of trusted subjects. Trusted Subjects are not restricted by the *-property while un-trusted subjects are. Trusted Subjects must be shown to be trustworthy with regard to the security policy.
With Bell-La Padula, users can create content only at or above their own security level e.g. users having the security clearance of “secret” can create documents with security classification of “secret” or “top-secret”, but they are not allowed to create public files. While at the same time users can view content only at or below their own security level.


The Biba Model or Biba Integrity Model describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity. In contrast to the Bell-La Padula model, subjects are not allowed to read information from the lower security level so users can only view content at or above their own integrity level. While at the same time writing to higher levels is prohibited.
In general the model was developed to circumvent a weakness in the Bell-La Padula Model which only addresses data confidentiality. The rules defined by the Biba model are the reverse of the Bell-La Padula rules:
• The Simple Integrity Axiom states that a subject at a given level of integrity must not read an object at a lower integrity level (no read down).
• The * (star) Integrity Axiom states that a subject at a given level of integrity must not write to any object at a higher level of integrity (no write up).

Low Water-Mark Model

Low Water-Mark also serves to protect the integrity of objects and information in a system and its rules are similar to the Biba model with one major difference [5]. The LOMAC model allows a subject to decrease its integrity level in order to read information from objects of lower integrity in which case the subject having decrease its integrity will not be able to write to the higher integrity objects so as to preserve their and to prevent the low integrity information from flowing into the higher integrity objects.

Clark Wilson

The Clark-Wilson integrity [6] model provides a foundation for specifying and analyzing an integrity policy for a commercial application system. The rules of Clark Wilson’s model are based on commercial data processing practices and are primarily concerned with formalizing the notion of information integrity.
Information integrity is maintained by preventing corruption of data items in a system due to either error or malicious intent. An integrity policy describes how the data items in the system should be kept valid from one state of the system to the next and specifies the capabilities of various principals in the system. The model defines enforcement rules and certification rules.
In contrast to the Bell-La Padula model, Clark-Wilson is more clearly applicable to business and industry processes in which the integrity of the information content is paramount at any level of classification.
The model uses two categories of mechanisms to realize integrity: well-formed transactions and separation of duty. The core of the model is based on the notion of a transaction.
• A well-formed transaction consists of a series of operations that transition a system from one consistent state to another consistent state and is defined as a transaction where the user is unable to manipulate data arbitrarily, but only in a constrained manner that preserves or ensures the integrity of the data. Well-formed transactions ensure that only legitimate actions can be executed so that the data is accurate and consistent to what it represents in the real world.
• The principle of separation of duty states no single person should perform a task from beginning to end, but should be divided among two or more people to prevent fraud by one person acting alone. According to this principle the certifier of a transaction and the implementer be different entities.
• In this model the integrity policy addresses the integrity of the transactions.
The model contains a number of basic constructs that represent both data items and processes that operate on those data items. Clark-Wilson model partitions all data in a system into two categories -constrained data items (CDI) and unconstrained items (UDI), data items for which integrity must be ensured. The (CDI) are objects that the integrity model is applied to and (UDI) are objects that are not covered by the integrity policy. Two procedures are then applied to these data items for protection. The first procedure integrity verification procedure (IVP), verifies that the data items are in a valid state. The second procedure is the transformation procedure (TP) or well-formed transaction, which changes the data items from one valid state to another. If only a transformation procedure is able to change data items, the integrity of the data is maintained.
Two types of rules have been defined in the Clark-Wilson model to ensure that integrity is preserved and achieved. These two types of rules are called integrity-monitoring (certification rules) and integrity-preserving rules (enforcement rules). The integrity-monitoring rules are enforced by the administrator and the integrity-preserving rules are enforcement rules guaranteed by the system.

Chinese wall policy

The Chinese wall policy caters to the information flow requirements of commercial sector organizations in general and financial sector in particular. The rules of Chinese wall can be easily understood by taking the example of an analyst working for a financial sector organization which provides services to various corporations. In such a scenario the financial organization has to adhere to rigorous rules and follow certain guidelines that have been devised to protect the confidential data of its clients, which in most cases are competitors of each other, to prevent the business secrets of one from falling into the hands of another. This means that the organization must not allow the analyst to advise a corporate client if he happens to have knowledge of or access to data and information of its competitors. Therefore the analyst is only allowed to advise and guide those organizations who are competitors of each other.
The Chinese wall policy works by dividing datasets into groups or categories, the group is called a “Conflict of interest class”, the conflict of interest class in general represents a business sector. A subject can access at most on dataset from any such conflict of interest class, therefore in the Chinese wall policy the access history of a subject determines what kind of objects or datasets he is allowed to access. If a subject has accessed a dataset from one conflict of interest class then any subsequent attempts to access other datasets from the said conflict of interest class are denied. Initially the users has the choice to access any dataset, once the initial choice has been made and a dataset is accessed then the user cannot access other datasets that belong to the same conflict of interest class, hence a wall is created around the dataset that has been accessed and the datasets that belong the same conflict of interest class are viewed as being on the wrong side of the wall, furthermore datasets belonging to other conflict of interest classes can be accessed by the user. As the user accesses datasets from other conflict of interest classes the wall changes its shape to include the newly selected dataset and the remaining items of its conflict of interest class also become inaccessible as they are now also on the wrong side of the wall. Therefore access to an object is allowed if it belongs to the datasets that have already been accessed and are therefore inside the wall, or if the object belongs to a dataset whose conflict of interest class has not been accessed before by the user.
In United Kingdom the Chinese Wall requirements of the UK Stock Exchange must be implemented either manually or via automated means and are mandatory as per law [7].


  1. Trusted computer system evaluation criteria. Qiu, L. and Zhang, Y. and Wang, F. and Kyung, M. and Mahajan, H.R. s.l. Citeseer, 1985, National Computer Security Center.
  2. A lattice model of secure information flow. Denning, D.E. s.l. : ACM New York, NY, USA, 1976.
  3. Lattice-based access control models. Sandhu, R.S. 11, s.l. : IEEE computer, 1993, Vol. 26.
  4. Computer security model: Unified exposition and multics interpretation. Bell, D.E. and LaPadula, L.J. s.l. : MITRE Corp., Bedford, MA, Tech. Rep. ESD-TR-75-306, June, 1975.
  5. Biba., K. J. Integrity Considerations for Secure Computer Systems. . Bedford, Massachusetts : USAF Electronic Systems Division, Hanscom Air Force Base, April 1977. Technical Report ESD-TR-76-372
  6. A comparison of commercial and military computer security policies. Clark, D.D. and Wilson, D.R. s.l. : NATIONAL INSTIUTE OF STANDARDS & TECHNOLOGY, 1989, Vol. NIST SPECIAL PUBLICATION SP.
  7. The Chinese wall security policy. Brewer, D.F.C. and Nash, M.J. s.l. : Proceedings of the 1989 IEEE Symposium on Security and Privacy, 1989.

Leave a Reply