強制訪問控制

強制訪問控制（英語：mandatory access control，縮寫MAC）在電腦安全領域指一種由作業系統約束的存取控制，目標是限制主體或發起者訪問或對對象或目標執行某種操作的能力。在實踐中，主體通常是一個行程或線程，對象可能是檔案、目錄、TCP/UDP埠、共用記憶體段、I/O裝置等。主體和對象各自具有一組安全屬性。每當主體嘗試訪問對象時，都會由作業系統內核強制施行授權規則——檢查安全屬性並決定是否可進行訪問。任何主體對任何物件的任何操作都將根據一組授權規則（也稱策略）進行測試，決定操作是否允許。在資料庫管理系統中也存在訪問控制機制，因而也可以應用強制訪問控制；在此環境下，對象為表、視圖、過程等。

通過強制訪問控制，安全策略由安全策略管理員集中控制；用戶無權覆蓋策略，例如不能給被否決而受到限制的檔案授予訪問權限。相比而言，自主訪問控制（DAC）也控制主體訪問對象的能力，但允許用戶進行策略決策和/或分配安全屬性。（傳統Unix系統的用戶、組和讀-寫-執行就是一種DAC。）啟用MAC的系統允許策略管理員實現組織範圍的安全策略。在MAC（不同於DAC）下，用戶不能覆蓋或修改策略，無論為意外或故意。這使安全管理員定義的中央策略得以在原則上保證向所有用戶強制實施。

在歷史上和傳統上，MAC與多層安全（英語：Multi-level security）（MLS）和專業的軍用系統密切相關。在此環境中，MAC意味着高度嚴格以滿足MLS系統的約束。但在最近，MAC已從MLS本身中發展出來，並變得更加主流。最近的MAC實現有諸如面向Linux的SELinux和AppArmor，以及面向Windows的強制完整性控制，它們使管理員得以關注沒有嚴格或MLS約束時遇到的如網絡攻擊或惡意軟件等問題。

歷史背景和對多層安全的影響

歷史上，MAC與作為保護美國機密資訊的多層安全（英語：Multi-Level Security）（MLS）手段密切相關。可信電腦系統評估標準（英語：Trusted Computer System Evaluation Criteria）（TCSEC）就是就這一主題的開創性工作，其中將MAC定義為「基於對象中包含資訊的敏感性（由標籤表示）來顯示對對象的訪問途徑以及對象訪問這種敏感資訊的授權」。MAC的早期實現有Honeywell的SCOMP、USAF SACDIN、NSA Blacker，以及的波音MLS LAN。

術語MAC中的「強制性」已經因其在軍事系統中的使用而獲得了特殊含義。在這方面，MAC意味着非常高的抵抗性，確保控制機制能夠抵抗任何類型的破壞，從而使他們能夠執行由政府命令授權的訪問控制，諸如面向美國等級資訊的第12958號行政命令 。強制施行的保證性要求要高於商業應用，因此這不允許採用「盡力而為」的機制。MAC只接受能夠絕對或者幾乎絕對地保證任務執行的機制。這點對於不熟悉高保證策略的人來說可能很困難或者被假定為不切實際。

系統強度

強度等級

在某些系統中，用戶有權決定是否向其他任何用戶授予訪問權限。為允許這點，所有用戶都必須有所有數據的審查許可。這不是MLS系統所需必要條件。如果個人或行程可能被拒絕訪問系統環境中的任何數據，則系統必須可信以強制執行MAC。由於可能存在各種級別的數據等級和用戶許可，這也顯示了健壯性的量化指標。例如，一個包含等級為最高機密的資訊和等級為未批准的用戶的系統相較於一個包含等級為絕密的資訊和等級為秘密的用戶的系統具有更高的健壯性。為了維持健壯性量化指標的一致性以及儘可能地消除主觀人為因素，一項針對該問題的大規模科學分析和風險評估提出了標誌性的測試標準，用以量化系統的安全健壯性，並根據其能夠保證的安全等級為其分級。該結果記錄於CSC-STD-004-85。^[1]健壯性的兩個相對獨立的組成部分可以被定義為保障等級和功能性，兩者都可以被闡述為一個系統在特定標準下能夠保證的其審查的精確性。

強度評估

已隱藏部分未翻譯內容，歡迎參與翻譯。

The Common Criteria^[2] is based on this science and it intended to preserve the Assurance Level as EAL levels（英語：Evaluation Assurance Level） and the functionality specifications as Protection Profile（英語：Protection Profile）s. Of these two essential components of objective robustness benchmarks, only EAL levels were faithfully preserved. In one case, TCSEC（英語：TCSEC） level C2^[3] (not a MAC capable category) was fairly faithfully preserved in the Common Criteria, as the Controlled Access Protection Profile（英語：Controlled Access Protection Profile） (CAPP).^[4] Multilevel security（英語：Multilevel security） (MLS) Protection Profiles (such as MLSOSPP similar to B2)^[5] is more general than B2. They are pursuant to MLS, but lack the detailed implementation requirements of their Orange Book（英語：Trusted Computer System Evaluation Criteria） predecessors, focusing more on objectives. This gives certifiers more subjective flexibility in deciding whether the evaluated product’s technical features adequately achieve the objective, potentially eroding consistency of evaluated products and making it easier to attain certification for less trustworthy products. For these reasons, the importance of the technical details of the Protection Profile is critical to determining the suitability of a product.

Such an architecture prevents an authenticated user or process at a specific classification or trust-level from accessing information, processes, or devices in a different level. This provides a containment mechanism of users and processes, both known and unknown (an unknown program (for example) might comprise an untrusted application where the system should monitor and/or control accesses to devices and files).

實現

已隱藏部分未翻譯內容，歡迎參與翻譯。

A few MAC implementations, such as 優利系統' Blacker（英語：Blacker (security)） project, were certified robust enough to separate Top Secret from Unclassified late in the last millennium. Their underlying technology became obsolete and they were not refreshed. Today there are no current implementations certified by TCSEC（英語：TCSEC） to that level of robust implementation. However, some less robust products exist.

• Amon Ott's RSBAC (Rule Set Based Access Control) provides a framework for Linux kernels that allows several different security policy / decision modules. One of the models implemented is Mandatory Access Control model. A general goal of RSBAC design was to try to reach (obsolete) Orange Book (TCSEC) B1 level. The model of mandatory access control used in RSBAC is mostly the same as in Unix System V/MLS, Version 1.2.1 (developed in 1989 by the National Computer Security Center of the USA with classification B1/TCSEC). RSBAC requires a set of patches to the stock kernel, which are maintained quite well by the project owner.
• An 美國國家安全域 research project called SELinux added a Mandatory Access Control architecture to the Linux內核, which was merged into the mainline version of Linux in August 2003. It utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). Red Hat Enterprise Linux version 4 (and later versions) come with an SELinux-enabled kernel. Although SELinux is capable of restricting all processes in the system, the default targeted policy in RHEL confines the most vulnerable programs from the unconfined domain in which all other programs run. RHEL 5 ships 2 other binary policy types: strict, which attempts to implement 最小權限原則, and MLS, which is based on strict and adds MLS labels. RHEL 5 contains additional MLS enhancements and received 2 LSPP（英語：Labeled Security Protection Profile）/RBACPP/CAPP/EAL4+ certifications in June 2007.^[6]
• TOMOYO Linux（英語：TOMOYO Linux） is a lightweight MAC implementation for Linux and 嵌入式Linux, developed by NTT Data Corporation（英語：NTT Data Corporation）. It has been merged in Linux Kernel mainline version 2.6.30 in June 2009.^[7] Differently from the label-based approach used by 安全增強式Linux, TOMOYO Linux performs a pathname-based Mandatory Access Control, separating security domains according to process invocation history, which describes the system behavior. Policy are described in terms of pathnames. A security domain is simply defined by a process call chain, and represented as a string. There are 4 modes: disabled, learning, permissive, enforcing. Administrators can assign different modes for different domains. TOMOYO Linux introduced the "learning" mode, in which the accesses occurred in the kernel are automatically analyzed and stored to generate MAC policy: this mode can be used as first step of policy writing, making it easy to customize later.
• SUSE (now^[update] supported by Novell) and Ubuntu 7.10 have added a MAC implementation called AppArmor. AppArmor utilizes a Linux 2.6 kernel feature called LSM (Linux Security Modules interface). LSM provides a kernel API that allows modules of kernel code to govern ACL (DAC ACL, access control lists). AppArmor is not capable of restricting all programs and is optionally in the Linux kernel as of version 2.6.36.^[8]
• Linux and many other Unix distributions have MAC for CPU (multi-ring), disk, and memory; while OS software may not manage privileges well, Linux became famous during the 1990s as being more secure and far more stable than non-Unix alternatives. Linux distributors disable MAC to being at best DAC for some devices - although this is true for any consumer electronics available today.
• grsecurity（英語：grsecurity） is a patch for the Linux kernel providing a MAC implementation (precisely, it is a RBAC implementation). Hardened Gentoo（英語：Hardened Gentoo） offers a pre-patched kernel with grsecurity. grsecurity is not implemented via the LSM API.^[9]
• 微軟 Starting with Windows Vista and Server 2008 Windows incorporates 強制完整性控制, which adds Integrity Levels (IL) to processes running in a login session. MIC restricts the access permissions of applications that are running under the same user account and which may be less trustworthy. Five integrity levels are defined: Low, Medium, High, System, and Trusted Installer.^[10] Processes started by a regular user gain a Medium IL; elevated processes have High IL.^[11] While processes inherit the integrity level of the process that spawned it, the integrity level can be customized on a per-process basis: e.g. IE7 and downloaded executables run with Low IL. Windows controls access to objects based on ILs, as well as for defining the boundary for window messages via 用戶介面特權隔離. Named objects, including files, registry keys or other processes and threads, have an entry in the ACL governing access to them that defines the minimum IL of the process that can use the object. MIC enforces that a process can write to or delete an object only when its IL is equal to or higher than the object’s IL. Furthermore, to prevent access to sensitive data in memory, processes can’t open processes with a higher IL for read access.^[12]
• FreeBSD supports Mandatory Access Control, implemented as part of the TrustedBSD project. It was introduced in FreeBSD 5.0. Since FreeBSD 7.2, MAC support is enabled by default. The framework is extensible; various MAC modules implement policies such as Biba（英語：Biba Integrity Model） and Multi-Level Security（英語：Multi-Level Security）.
• Sun's Trusted Solaris（英語：Trusted Solaris） uses a mandatory and system-enforced access control mechanism (MAC), where clearances and labels are used to enforce a security policy. However note that the capability to manage labels does not imply the kernel strength to operate in Multi-Level Security（英語：Multi-Level Security） mode^{[來源請求]}. Access to the labels and control mechanisms are not^{[來源請求]} robustly protected from corruption in protected domain maintained by a kernel. The applications a user runs are combined with the security label at which the user works in the session. Access to information, programs and devices are only weakly controlled^{[來源請求]}.
• Apple's Mac OS X MAC framework is an implementation of the FreeBSD MAC framework.^[13] A limited high-level sandboxing interface is provided by the command-line function sandbox_init. See the sandbox_init manual page for documentation.^[14]
• Oracle Label Security（英語：Oracle Label Security） is an implementation of mandatory access control in the Oracle資料庫.
• SE-PostgreSQL（英語：SE-PostgreSQL） is a work in progress as of 2008-01-27,^[15][16] providing integration into SE-Linux. It aims for integration into version 8.4, together with row-level restrictions.
• Trusted RUBIX（英語：Trusted RUBIX） is a mandatory access control enforcing DBMS that fully integrates with SE-Linux to restrict access to all database objects.^[17]
• Astra Linux OS developed for 俄羅斯陸軍 has its own mandatory access control.^[18]
• Smack（英語：Smack (software)） (Simplified Mandatory Access Control Kernel) is a Linux內核 security module that protects data and process interaction from malicious manipulation using a set of custom mandatory access control rules, with simplicity as its main design goal.^[19] It has been officially merged since the Linux 2.6.25 release.^[20]

參見

• Bell–LaPadula model（英語：Bell–LaPadula model）
• 存取控制串列
• 基於屬性的訪問控制（英語：Attribute-Based Access Control）（ABAC）
• 基於上下文的訪問控制（英語：Context-based access control）（CBAC）
• 自主訪問控制（DAC）
• 基于格的訪問控制（英語：Lattice-based access control）（LBAC）
• 基於組織的訪問控制（英語：Organisation-based access control）（OrBAC）
• 以角色為基礎的存取控制（RBAC）
• 以規則集為基礎的存取控制（RSBAC）
• 基於能力的安全性（英語：Capability-based security）
• 基於位置的身份驗證（英語：Location-based authentication）
• 基於風險的身份驗證（英語：Risk-based authentication）
• Clark–Wilson model（英語：Clark–Wilson model）
• 國家機密
• Graham–Denning model（英語：Graham-Denning model）
• 強制完整性控制
• Multiple single-level（英語：Multiple single-level）
• 安全模型（英語：Security modes）
• Smack (software)（英語：Smack (software)）
• Systrace（英語：Systrace）
• 授權保護模型（英語：Take-grant protection model）
• 類型強制（英語：Type enforcement）

註腳

1. Technical Rational Behind CSC-STD-003-85: Computer Security Requirements. 1985-06-25 [2008-03-15]. （原始內容存檔於July 15, 2007）. 
2. The Common Criteria Portal. [2008-03-15]. （原始內容存檔於2006-07-18）. 
3. US Department of Defense. DoD 5200.28-STD: Trusted Computer System Evaluation Criteria. December 1985 [2008-03-15]. （原始內容存檔於2008-03-17）. 
4. Controlled Access Protection Profile, Version 1.d. National Security Agency. 1999-10-08 [2008-03-15]. （原始內容存檔於2012-02-07）. 
5. Protection Profile for Multi-Level Operating Systems in Environments Requiring Medium Robustness, Version 1.22. National Security Agency. 2001-05-23 [2008-03-15]. （原始內容存檔於2009-03-30）. 
6. National Information Assurance Partnership. The Common Criteria Evaluation and Validation Scheme Validated Products List. [2008-03-15]. （原始內容存檔於2008-03-14）. 
7. TOMOYO Linux, an alternative Mandatory Access Control. Linux 2 6 30. Linux Kernel Newbies. [2017-02-12]. （原始內容存檔於2012-04-05）. 
8. Linux 2.6.36 released 20 October 2010. Linux 2.6.36. Linux Kernel Newbies. [2017-02-12]. （原始內容存檔於2018-06-10）. 
9. Why doesn't grsecurity use LSM?. [2017-02-12]. （原始內容存檔於2016-07-22）. 
10. Matthew Conover. Analysis of the Windows Vista Security Model. 賽門鐵克. [2007-10-08]. （原始內容存檔於2008-03-25）. 
11. Steve Riley. Mandatory Integrity Control in Windows Vista. [2007-10-08]. （原始內容存檔於2007-09-29）. 
12. Mark Russinovich（英語：Mark Russinovich）. PsExec, User Account Control and Security Boundaries. [2007-10-08]. （原始內容存檔於2010-04-15）. 
13. TrustedBSD Project. TrustedBSD Mandatory Access Control (MAC) Framework. [2008-03-15]. （原始內容存檔於2010-01-23）. 
14. sandbox_init(3) man page. 2007-07-07 [2008-03-15]. （原始內容存檔於2008-07-25）. 
15. SEPostgreSQL-patch. [2017-02-12]. （原始內容存檔於2017-02-13）. 
16. Security Enhanced PostgreSQL. [2017-02-12]. （原始內容存檔於2009-02-07）. 
17. Trusted RUBIX. （原始內容存檔於2008年11月21日）. 
18. （俄文） Ключевые особенности Astra Linux Special Edition по реализации требований безопасности информации （頁面存檔備份，存於互聯網檔案館）
19. Official SMACK documentation from the Linux source tree. （原始內容存檔於2012-09-21）. 
20. Jonathan Corbet. More stuff for 2.6.25. （原始內容存檔於2012-09-21）. 

參考資料

• P. A. Loscocco, S. D. Smalley, P. A. Muckelbauer, R. C. Taylor, S. J. Turner, and J. F. Farrell. The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments. In Proceedings of the 21st National Information Systems Security Conference, pages 303–314, Oct. 1998.
• P. A. Loscocco, S. D. Smalley, Meeting Critical Security Objectives with Security-Enhanced Linux （頁面存檔備份，存於互聯網檔案館） Proceedings of the 2001 Ottawa Linux Symposium.
• ISO/IEC DIS 10181-3, Information Technology, OSI Security Model, Security FrameWorks, Part 3: Access Control, 1993
• Robert N. M. Watson. "A decade of OS access-control extensibility （頁面存檔備份，存於互聯網檔案館）". Commun. ACM 56, 2 (February 2013), 52-63.

外部連結

• 網絡網誌（英文）：有關如何使用虛擬化實現強制訪問控制。
• 網絡網誌（英文）：微軟員工詳細描述強制完整性控制以及它如何與其他MAC實現的差異。
• GWV Formal Security Policy Model （頁面存檔備份，存於互聯網檔案館） A Separation Kernel Formal Security Policy, David Greve, Matthew Wilding, and W. Mark Vanfleet.