This is a concept which arose in the early 1960s when
the military started considering the use of computers to hold information
having different levels of classification. In a military (or government)
environment information is graded according to its sensitivity; the
grade, or classification, ranges from unclassified, through secret,
to top secret, etc. The purpose of the classification is to restrict
access to people having the same or higher clearance. A clearance
is an ability, or trustworthiness, to see information graded at that
or a lower level. Additionally, information is compartmentalized into
groups, such as nuclear, NATO, or naval.
A person wishing to have access to a piece of information would also
have to be cleared to see information in all of the compartments to
which the information has been assigned. For instance, if we had some
information classified as [secret; naval, nuclear] and
a person cleared to [top secret; NATO, nuclear], he would
not be allowed to see the information: even though his clearance is higher
than the classification of the information, he does not have access to the
naval compartment.
A multi-level system is one in which information of different security
levels is stored. The problem of multi-level security is twofold:
-
To provide adequate access control to meet the classification and
compartment labels. Such access control schemes are called label
based schemes.
-
To prevent the leakage of information from a high classification
to a lower classification.
The first problem is entirely one of access control and is discussed
above. The second problem is one of information flow. The problem
is described in the following scenario. Suppose an object with top
secret clearance accesses another object with a classification of
top secret; this is allowed by the access control rules. The client
object may then access another object which is unclassified; this
is also allowed by the rules. The client object may then read information
from the top secret object and write it to the unclassified object.
The top secret information has then been written down to
an unclassified level. To prevent this the system must monitor which
objects a client has accessed and prevent such a sequence from occurring.
In an object oriented system this would mean that an object that has
accessed another object at some classification level would not be
allowed to access another object at a lower classification for writing,
but could read from it. Thus the access control system must have a
memory of the lowest classification that an object may still write to.
Note that this scheme is oriented towards preventing disclosure; a similar
problem also exists for corruption. To maintain the integrity of information,
integrity levels can be applied to objects. A high integrity object
will be allowed to access a low integrity object, but a low integrity
object will not be allowed to access a high integrity object. The
write down problem of disclosure is reversed for corruption, to prevent
low integrity information contaminating high integrity information.
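The label check from the compartment example, the write-down scenario above, and the reversed rule for integrity, as an added illustration in Python (not part of the original text). The level ordering and the "high water mark" that a client carries are assumptions chosen to model what the text describes.

```python
from dataclasses import dataclass

# Ordering of classifications as listed in the text (assumed ranks).
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}


@dataclass(frozen=True)
class Label:
    """A security label: classification plus the compartments it belongs to."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Read access requires a level at least as high AND every compartment
        # of the information; [top secret; NATO, nuclear] fails against
        # [secret; naval, nuclear] because "naval" is missing.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


class Client:
    """A client object whose effective label floats up to the most
    sensitive information it has read (constructed 'memory' from the text)."""

    def __init__(self, clearance: Label) -> None:
        self.clearance = clearance
        self.high_water = label("unclassified")  # nothing read yet

    def read(self, obj: Label) -> bool:
        if not self.clearance.dominates(obj):
            return False
        # Remember the highest level and the union of compartments seen.
        lvl = max(self.high_water.level, obj.level, key=LEVELS.get)
        self.high_water = Label(lvl, self.high_water.compartments | obj.compartments)
        return True

    def write(self, obj: Label) -> bool:
        # Writing is only allowed to objects that dominate everything already
        # read, so top secret data can never be written down to unclassified.
        return obj.dominates(self.high_water)


def integrity_write_allowed(subject_integrity: int, object_integrity: int) -> bool:
    """Mirror image for corruption: only equal or higher integrity may write."""
    return subject_integrity >= object_integrity
```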
Multi-level security, especially concerning protection against disclosure,
is a fairly well understood problem. There
are a number of books on the subject. This understanding
is the result of considerable research funded by the needs of military
security. Commercial security has the same concerns as military security,
but the emphasis is different.