SPARTA ISSO

Finished Projects

Secure Execution Environments

Access Control For Distributed Systems

DTE Prototype
Under HPCC funding, Trusted Information Systems (TIS) has constructed a prototype that demonstrates how innovative access control software can provide significant, practical improvements in the security of DoD and civil-sector computer systems, particularly those based on the widely-used UNIX (UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.) operating system. The prototype provides strong, flexible administrative control over existing programs and data on both autonomous and networked systems. We've demonstrated this prototype to personnel from DISA, NSA, NRL, ARPA, and other organizations and have received uniformly positive reactions.

The access control technology we've developed is called Domain and Type Enforcement (DTE). DTE is an enhanced version of a technique proposed previously. (See W.E. Boebert and R.Y. Kain, "A Practical Alternative to Hierarchical Integrity Policies," Proceedings of the 8th National Computer Security Conference, Gaithersburg, MD, p. 18, 1985.) One of its key enhancements is a high-level human-friendly security description language that simplifies the task of describing, enforcing, and administering role-based security policies like those shown below.

A Simple Role-Based Policy

Domain                 | Types
                       | General   Specs     Budget    Rates
-----------------------+----------------------------------------
General Purpose        | Modify    -         -         -
Engineer               | Read      Modify    -         -
Project Leader         | Read      Read      Modify    Read
Accounting Supervisor  | Read      -         Read      Modify

Types, Roles and Domains in the DTE System
In a DTE system, all files are categorized according to their sensitivity; files may be sensitive with respect to information disclosure or modification. These categories are called types. In the simple example shown above, every file is assigned a type that indicates whether it contains general purpose information, manufacturing specifications, a project budget, or labor cost rates. Similarly, user log-on sessions are categorized according to the kind of work the user intends and is authorized to do during that session. These kinds of work are called roles and are represented by sets of permissions called domains. In the example above, when users log in, they must choose from the following domains: general purpose user, engineer, project leader, or accounting supervisor. All programs run during a session are automatically restricted by DTE so that they can read or modify only files of types that are appropriate to that domain. Domain definitions are programmed by a system administrator using the security description language. As a result, information of all other types is protected from unauthorized access, even if the programs run by the user contain malicious code, viruses, or programming bugs. Automated processes not associated with a particular user session are also restricted so that the potential damage caused by programming errors in them, or by attacks on them, is similarly limited.
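The following is an added example, not code from the TIS prototype and not its security description language (DTEL); it illustrates the domain/type mediation described above using the four-domain, four-type matrix from the table. The policy text format (the "types ..." and "domain ..." lines) is an assumption invented for this example. A session runs in one domain, every access a program attempts is checked against that domain's rules, and anything not explicitly granted is denied, which is what limits a buggy or malicious program to the types its domain may touch.

```python
"""Toy Domain and Type Enforcement (DTE) policy checker.

Added example: not the TIS prototype and not DTEL. The policy text
format below is a hypothetical format made up for this illustration;
the permissions encode the four-by-four matrix shown on the page.
"""
from dataclasses import dataclass

# Constructed policy (hypothetical format, not DTEL):
#   types <name> ...
#   domain <name> <type>=<perm> ...   where perm is modify, read or -
POLICY_TEXT = """
types general specs budget rates
domain general_purpose       general=modify specs=-      budget=-      rates=-
domain engineer              general=read   specs=modify budget=-      rates=-
domain project_leader        general=read   specs=read   budget=modify rates=read
domain accounting_supervisor general=read   specs=-      budget=read   rates=modify
"""

# "modify" grants both read and write; "read" grants read only; "-" grants nothing.
PERM_OPS = {"modify": {"read", "write"}, "read": {"read"}, "-": set()}


@dataclass
class Policy:
    types: set          # all declared file types
    domains: dict       # domain name -> {file type -> set of permitted ops}


def parse_policy(text):
    """Parse the toy policy text; reject unknown types, unknown permissions
    and domains that leave any type unspecified (no implicit access)."""
    types = set()
    domains = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # allow trailing comments
        if not line:
            continue
        words = line.split()
        if words[0] == "types":
            types.update(words[1:])
        elif words[0] == "domain":
            name = words[1]
            table = {}
            for assignment in words[2:]:
                file_type, _, perm = assignment.partition("=")
                if file_type not in types:
                    raise ValueError(f"domain {name}: unknown type {file_type!r}")
                if perm not in PERM_OPS:
                    raise ValueError(f"domain {name}: unknown permission {perm!r}")
                table[file_type] = set(PERM_OPS[perm])
            missing = types - set(table)
            if missing:
                raise ValueError(f"domain {name}: no rule for types {sorted(missing)}")
            domains[name] = table
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return Policy(types, domains)


def allowed(policy, domain, file_type, op):
    """Mediate one access. Default deny: unknown domain, unknown type or
    unknown operation all fail closed."""
    if op not in ("read", "write"):
        return False
    rules = policy.domains.get(domain)
    if rules is None or file_type not in rules:
        return False
    return op in rules[file_type]


def session(policy, domain, accesses):
    """Simulate a log-on session in one domain: every (file_type, op) that
    any program in the session attempts is mediated against the policy."""
    return [(ft, op, allowed(policy, domain, ft, op)) for ft, op in accesses]


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    # A program run in the engineer domain (which might contain a bug or a
    # virus) can modify specs but cannot even read the budget or rates.
    attempts = [("specs", "write"), ("general", "write"),
                ("budget", "read"), ("rates", "write")]
    for ft, op, ok in session(pol, "engineer", attempts):
        print(f"engineer {op:5} {ft:8}: {'allowed' if ok else 'DENIED'}")
```

The parser refuses a domain that says nothing about some type, so the administrator has to state every cell of the matrix explicitly rather than inheriting access by omission; that mirrors the point in the text that information of all other types stays protected regardless of what the session's programs try to do.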

Published Papers
This project has produced several published papers that describe various aspects of DTE, and other related projects, in greater detail:

Presentations
This project has presented at several conferences and proceedings. Here are briefing slides and notes from some of these presentations: