Multi-Level Security

This is a concept which arose in the early 1960s, when the military started considering the use of computers to hold information having different levels of classification. In a military (or government) environment information is graded according to its sensitivity; the grade, or classification, ranges from unclassified, through secret, top secret, etc. The purpose of the classification is to restrict access to people having the same or higher clearance. A clearance is an ability, or trustworthiness, to see information graded at that or a lower level. Additionally, information is compartmentalized into groups, such as nuclear, NATO, or naval. A person wishing to have access to a piece of information would also have to be cleared to see information in all of the compartments to which the information has been assigned. For instance, if we had some information classified as [secret; naval, nuclear] and a person cleared to [top secret; NATO, nuclear], he would not be allowed to see the information: even though his clearance is higher than the classification of the information, he does not have access to the naval compartment. A multi-level system is one in which information of different security levels is stored. The problem of multi-level security is twofold:
  1. To provide adequate access control to meet the classification and compartment labels. Such access control schemes are called label-based schemes.
  2. To prevent the leakage of information from a high classification to a lower classification.
The first problem is entirely one of access control and is discussed above. The second problem is one of information flow, and is described in the following scenario. Suppose an object with top secret clearance accesses another object with a classification of top secret; this is allowed by the access control rules. The client object may then access another object which is unclassified; this is also allowed by the rules. The client object may then read information from the top secret object and write it to the unclassified object. The top secret information has then been "written down" to an unclassified level. To prevent this the system must monitor which objects a client has accessed and prevent such a sequence from occurring. In an object oriented system this would mean that an object that has accessed another object at some classification level would not be allowed to access another object at a lower classification for writing, but could still read from it. Thus the access control system must have a memory, for each object, of the lowest classification that object may still write to.

Note that this scheme is oriented at preventing disclosure; a similar problem also exists for corruption. To maintain the integrity of information, integrity levels can be applied to objects. A high integrity object will be allowed to access a low integrity object, but a low integrity object will not be allowed to access a high integrity object. The write-down problem of disclosure is reversed for corruption, to prevent low integrity information contaminating high integrity information.

Multi-level security, especially concerning protection against disclosure, is a fairly well understood problem, and there are a number of books on the subject. This understanding is the result of considerable research funded by the needs of military security. Commercial security has the same concerns as military security, but the emphasis is different.
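The following is an added illustration, not code from the original notes: a small Python model of both halves of the problem described above. It implements the label-based check (a clearance must have the same or higher classification and every compartment of the information, reproducing the [secret; naval, nuclear] versus [top secret; NATO, nuclear] case), then gives a client object the "memory" the text calls for, so that once it has read a top secret object it can no longer write to an unclassified one but can still read from it, and finally shows the reversed rule for integrity levels. The classification ordering, the compartment names and all class and function names are assumptions made for this example.

```python
# Added example (not part of the original notes): a toy multi-level security
# model with label-based access control, a client "memory" (high-water mark)
# that blocks write-down, and the reversed rule for integrity levels.
# Grade names, compartment names and helper names are assumptions.
from dataclasses import dataclass

# Classifications ordered from lowest to highest (assumed ordering).
LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A security label: one classification plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when a holder of this label may see `other`: same or higher
        classification AND cleared for every compartment of `other`."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)

    def join(self, other):
        """Least label dominating both: higher grade, union of compartments."""
        level = self.level if RANK[self.level] >= RANK[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


BOTTOM = Label("unclassified")  # lowest label; a client starts here


class Client:
    """A client object whose effective level floats up to the join of every
    label it has read, so it can never write what it has seen to a lower label."""

    def __init__(self, clearance):
        self.clearance = clearance
        self.high_water = BOTTOM  # the system's memory of what this client has read

    def read(self, obj):
        # Label-based access control: the clearance must dominate the object.
        if not self.clearance.dominates(obj):
            return False
        self.high_water = self.high_water.join(obj)  # remember what was seen
        return True

    def write(self, obj):
        # Access control as for reads, plus no write-down: the target must
        # dominate everything this client has read so far.
        return self.clearance.dominates(obj) and obj.dominates(self.high_water)


def integrity_flow_allowed(source_level, target_level):
    """Integrity levels reverse the rule (the Biba direction): information may
    flow from a high integrity object to a lower one, but a low integrity
    source may not write into, and so contaminate, a higher integrity object."""
    return source_level >= target_level


def naval_nuclear_example():
    """The notes' worked case: [secret; naval, nuclear] is not visible to a
    [top secret; NATO, nuclear] clearance because 'naval' is missing."""
    info = Label("secret", frozenset({"naval", "nuclear"}))
    person = Label("top secret", frozenset({"NATO", "nuclear"}))
    return person.dominates(info)


def write_down_scenario():
    """A top secret client reads a top secret object and then tries to write
    to an unclassified one; the high-water mark blocks the write-down."""
    client = Client(Label("top secret"))
    top_secret_obj = Label("top secret")
    unclassified_obj = Label("unclassified")
    return {
        "write_before_read": client.write(unclassified_obj),   # nothing read yet
        "read_top_secret": client.read(top_secret_obj),        # allowed by labels
        "read_unclassified_after": client.read(unclassified_obj),  # reading down is fine
        "write_down_blocked": not client.write(unclassified_obj),  # the leak is stopped
        "write_top_secret": client.write(top_secret_obj),      # writing at level is fine
    }


if __name__ == "__main__":
    print("person may see naval/nuclear info:", naval_nuclear_example())
    for step, outcome in write_down_scenario().items():
        print(f"{step}: {outcome}")
    print("high -> low integrity flow allowed:", integrity_flow_allowed(3, 1))
    print("low -> high integrity flow allowed:", integrity_flow_allowed(1, 3))
```

Note that the high-water mark only ever rises: after the client has read the top secret object, reading the unclassified object leaves the mark at top secret, which is exactly the "memory" the text describes. A real label-based system would also carry discretionary permissions and audit records alongside this mandatory check; the example keeps only the mandatory part.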