Mandatory Access Controls - secuguru/security-terms GitHub Wiki

Mandatory Access Control (MAC) is a security model that enforces strict access control policies determined by a central authority. Unlike discretionary access control (DAC), where users or resource owners determine access permissions, MAC is managed system-wide and based on predefined rules.

1. What is MAC?

  • Definition: MAC is a method of regulating access to resources based on labels (e.g., sensitivity levels) and rules enforced by the system administrator or security policy.
  • Key Principles:
    • Central Authority: Access is controlled by a central policy, not by the discretion of individual users.
    • Sensitivity Labels: Resources and users are assigned labels (e.g., “Confidential” or “Top Secret”) that determine access.
    • Strict Enforcement: Policies cannot be overridden by users, ensuring consistent and robust security.

2. Access Control Lists (ACLs)

  • Definition: An ACL is a list associated with a resource that specifies which users or groups are granted or denied access and what actions they are allowed to perform.
  • Relationship with MAC:
    • ACLs can be used in conjunction with MAC to enforce access rules at a granular level.
    • While MAC enforces overall policy (e.g., no “Confidential” user can access “Top Secret” files), ACLs can further refine access (e.g., user-specific read or write permissions).
  • Example:
    • A file labeled “Confidential” might have an ACL that grants “read” access to one user but denies “write” access to another.

3. Operating Systems with Mandatory Access Controls

Several operating systems implement MAC to enforce strict access policies. Some examples include:

a. SELinux (Security-Enhanced Linux)

  • Definition: SELinux is a Linux kernel security module that provides MAC by assigning labels to files, processes, and users.
  • How It Works:
    • SELinux uses policies to define rules about which processes can access specific resources.
    • Each resource and process has a security context that determines access based on the policy.
  • Example Policy:
    • A process running as httpd_t (Apache server) can only access files labeled httpd_sys_content_t.
  • Advantages:
    • Provides fine-grained access control.
    • Protects against privilege escalation by confining processes.
  • Use Case: Often used in servers and systems requiring strict security, such as Red Hat Enterprise Linux.

b. AppArmor (Application Armor)

  • Definition: AppArmor is a MAC implementation for Linux that uses profiles to restrict program capabilities.
  • How It Works:
    • Profiles define the resources (files, network, etc.) that a specific application can access.
  • Advantages:
    • Simpler and easier to configure compared to SELinux.
  • Use Case: Common in Ubuntu and Debian-based systems.

c. Trusted Solaris

  • Definition: A version of Solaris with built-in MAC capabilities.
  • How It Works:
    • Implements sensitivity labels for resources and users.
  • Use Case: Used in government and military applications requiring high-security environments.

d. Windows Mandatory Integrity Control (MIC)

  • Definition: A MAC system in modern Windows operating systems (Vista and later) that assigns integrity levels to processes and objects.
  • How It Works:
    • Processes can only interact with objects of the same or lower integrity level unless explicitly permitted.
  • Use Case: Helps prevent low-integrity processes (e.g., malware) from modifying high-integrity objects like system files.

4. Benefits of MAC

  • Enhanced Security: Centralized control prevents unauthorized access, reducing the risk of data breaches.
  • Protection Against Insider Threats: Users cannot modify or bypass policies, even if they have legitimate access to some resources.
  • Granular Control: Labels and policies allow for precise access control based on sensitivity levels.

5. Challenges of MAC

  • Complexity: Defining and managing policies can be challenging, especially in large, dynamic environments.
  • Usability: Strict enforcement can hinder usability if legitimate processes or users are inadvertently blocked.
  • Performance Overhead: Label checks and policy enforcement may introduce performance costs in resource-intensive environments.

6. Comparison: MAC vs. DAC

Aspect Mandatory Access Control (MAC) Discretionary Access Control (DAC)
Control Centralized, system-wide policies Decentralized, resource owners decide
Flexibility Less flexible, highly secure More flexible, less secure
Typical Use Case High-security environments (e.g., military, government) General-purpose computing environments
Example Systems SELinux, AppArmor, Trusted Solaris Traditional Unix/Linux file permissions

7. Real-World Example of MAC in Action

  • SELinux in Web Servers:
    • Scenario: A compromised Apache web server might be exploited to read sensitive files outside its directory.
    • MAC Enforcement:
      • SELinux confines the httpd process to only access files labeled for web content (httpd_sys_content_t).
      • Even if the server is compromised, the attacker cannot access sensitive files (e.g., /etc/passwd), as the SELinux policy prevents it.

8. Summary

Aspect Details
Definition Centralized, label-based access control managed by system-wide policies.
Tools SELinux, AppArmor, Trusted Solaris, Windows MIC.
Benefits Enhanced security, protection against insider threats, and granular control.
Challenges Complexity, usability trade-offs, and potential performance overhead.
Example Use Cases High-security systems, web servers, and government/military applications.

Conclusion

Mandatory Access Control (MAC) provides robust and enforceable security policies that are essential for environments requiring high levels of protection. Operating systems like SELinux, AppArmor, and Trusted Solaris are prime examples of MAC implementations, ensuring that sensitive resources remain secure even in the face of sophisticated attacks. While MAC introduces complexity, its security benefits make it indispensable for critical systems.