Mandatory access control (MAC) systems are often criticised for their lack of flexibility, but they protect a system's confidentiality against a wide range of untrustworthy Trojan horse programs. Discretionary access control (DAC) systems, on the other hand, place no restriction on flexibility, but at present they are generally regarded as inherently defenceless against untrustworthy programs of every kind. We believe that this trade-off is not unavoidable. We show that the vulnerability of DAC is rooted in its design: it stems from the failure to distinguish between the trustworthiness of a user and that of the programs the user runs, so that any program a user executes, a Trojan horse included, exercises all of that user's rights. On these grounds we present a modified DAC. Its central idea is to separate the management of rights from all other activities of a user. The resulting system offers the flexibility of DAC and the protection of MAC.
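The argument above, as an added toy reference monitor in Python. This is a constructed illustration written for this page, not the paper's own design: the users, file names, the "editor" Trojan horse and the rule that ACL changes are accepted only from a process with no program loaded (modelling a separate rights-management activity) are all assumptions. It models only the channel the abstract names, a Trojan horse that grants away its user's rights, and contrasts classic DAC with the separated variant.

```python
# Toy reference monitor contrasting classic DAC with a DAC in which rights
# management is a separate activity.  Constructed example; every policy
# detail below is an assumption made for illustration.


class AccessDenied(Exception):
    pass


class Process:
    """A running program acting on behalf of a user.

    program is None when the user is acting directly through the (assumed)
    trusted rights-management interface; any other value means an ordinary,
    possibly Trojan, program is executing with the user's identity.
    """

    def __init__(self, user, program=None):
        self.user = user
        self.program = program


class Monitor:
    def __init__(self, separate_rights_management):
        self.separate = separate_rights_management
        self.owner = {}    # object name -> owning user
        self.acl = {}      # object name -> {user: set of rights}
        self.content = {}  # object name -> data

    def create(self, proc, name, data=""):
        self.owner[name] = proc.user
        self.acl[name] = {proc.user: {"read", "write"}}
        self.content[name] = data

    def read(self, proc, name):
        # Ordinary access: a process holds exactly its user's rights.
        if "read" not in self.acl.get(name, {}).get(proc.user, set()):
            raise AccessDenied(f"{proc.user} may not read {name}")
        return self.content[name]

    def grant(self, proc, name, grantee, right):
        # Classic DAC: ownership alone authorises an ACL change, whatever
        # code happens to be running on the owner's behalf.
        if self.owner.get(name) != proc.user:
            raise AccessDenied(f"{proc.user} does not own {name}")
        # Modified DAC: rights management is a separate activity, so a
        # request issued from inside a program (Trojan or not) is refused.
        if self.separate and proc.program is not None:
            raise AccessDenied(f"program {proc.program!r} may not manage rights")
        self.acl[name].setdefault(grantee, set()).add(right)


def trojan_editor(monitor, proc, name):
    """A 'text editor' the user runs.  Besides its advertised function it
    secretly tries to hand mallory read access to the file being edited."""
    text = monitor.read(proc, name)
    try:
        monitor.grant(proc, name, "mallory", "read")
        leaked = True
    except AccessDenied:
        leaked = False
    return text.upper(), leaked


def _can_read(monitor, proc, name):
    try:
        monitor.read(proc, name)
        return True
    except AccessDenied:
        return False


def run_scenario(separate_rights_management):
    """Returns (trojan grant succeeded, mallory can read, legitimate grant works)."""
    m = Monitor(separate_rights_management)
    alice_direct = Process("alice")                  # rights-management activity
    m.create(alice_direct, "secret.txt", "payroll data")

    # Alice edits the file with a program she trusts but should not.
    alice_in_editor = Process("alice", program="editor")
    _, leaked = trojan_editor(m, alice_in_editor, "secret.txt")
    mallory_reads = _can_read(m, Process("mallory", program="cat"), "secret.txt")

    # Flexibility is retained: Alice, acting directly, can still share.
    m.grant(alice_direct, "secret.txt", "bob", "read")
    bob_reads = _can_read(m, Process("bob", program="cat"), "secret.txt")
    return leaked, mallory_reads, bob_reads


if __name__ == "__main__":
    print("classic DAC: ", run_scenario(False))   # (True, True, True)
    print("modified DAC:", run_scenario(True))    # (False, False, True)
```

In the classic run the Trojan's `grant` succeeds because the monitor cannot tell Alice's deliberate sharing from an action her editor takes in her name; in the separated run the same call is refused while Alice's own grant to Bob still goes through, which is the flexibility-with-protection combination the abstract claims.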