
Mandatory access control - Definition and Overview


Mandatory Access Control (MAC) is a technique to protect and contain computer processes, data, and system devices from misuse. It extends the discretionary access controls of file system permissions and the concepts of users and groups. Traditional systems provide two basic user groups -- trusted administrators and untrusted users.

The goal is to define an architecture that requires all security-related labels to be evaluated, with each decision based on the context of the operation and on those data labels. The Flask architecture coupled with MAC is an enabling technology of Multi-Level Security style systems.

Such a framework prevents an authenticated user or process at a specific classification or trust level from accessing information, processes, or devices at a different level. This provides a containment mechanism for users and processes, both known and unknown (an unknown program would be an untrusted application whose device and file accesses should be monitored and/or controlled).

Clearly, a framework that works to separate data and operations within a computer needs to be non-bypassable. It also needs to be evaluatable, so that the usefulness and effectiveness of a rule can be determined; always invoked, so that no access bypasses the system; and tamper-proof.
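The following sketch is an added example, not part of the original article: it layers a label-based mandatory check on top of an owner-controlled discretionary check, so that an owner who opens a file to everyone still cannot move it across levels. The names (`POLICY`, `Subject`, `Obj`, `access`), the labels, and the policy table are constructed for illustration; the rule that only equal levels may interact follows the article's description.

```python
from dataclasses import dataclass
from types import MappingProxyType

# Constructed policy: (subject label, object label) -> permitted operations.
# Anything not listed is denied. MappingProxyType is a read-only view,
# standing in for a policy that ordinary users cannot modify.
POLICY = MappingProxyType({
    ("secret", "secret"): frozenset({"read", "write"}),
    ("unclassified", "unclassified"): frozenset({"read", "write"}),
})

@dataclass(frozen=True)
class Subject:
    user: str
    label: str        # assigned by the system, not chosen by the user

@dataclass
class Obj:
    name: str
    owner: str
    label: str        # security label, set by the system
    world_ops: set    # DAC: operations the owner grants to everyone

def dac_allows(subj, obj, op):
    """Discretionary check: the owner may do anything and decides for others."""
    return subj.user == obj.owner or op in obj.world_ops

def mac_allows(subj, obj, op):
    """Mandatory check: both labels and the operation looked up in the policy."""
    return op in POLICY.get((subj.label, obj.label), frozenset())

def access(subj, obj, op):
    """Single entry point: both checks run on every request."""
    return dac_allows(subj, obj, op) and mac_allows(subj, obj, op)

def demo():
    alice = Subject("alice", "secret")
    bob = Subject("bob", "unclassified")
    report = Obj("report.txt", owner="alice", label="secret", world_ops=set())
    before = access(bob, report, "read")        # denied by DAC and by MAC
    report.world_ops.update({"read", "write"})  # alice opens it to everyone
    after = access(bob, report, "read")         # DAC allows, MAC still denies
    notes = Obj("notes.txt", owner="bob", label="unclassified", world_ops={"read"})
    cross = access(alice, notes, "read")        # different level: denied
    own = access(alice, report, "write")        # same level, owner: allowed
    return before, after, cross, own

if __name__ == "__main__":
    print(demo())
```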

Historical MAC architectures

MAC is implemented in several security-focused operating systems, and is key in Flask operating systems.

See Also

  • Security-related data labeling
  • Security-related type enforcement
Copyright 2009 WordIQ.com
This article is licensed under the GNU Free Documentation License. It uses material from the corresponding Wikipedia article.