DOJ EX. 1020

IEEE Communications Magazine
September 1994, Vol. 32 No. 9

In This Issue
This issue provides a sampling of security functions and technologies designed to protect the information superhighway.
Cover illustration by Marsha Saldanha.

Securing the Information Superhighway

33 Kerberos: An Authentication Service for Computer Networks
When using authentication based on cryptography, an attacker listening to the network gains no information that would enable it to falsely claim another’s identity. Kerberos is the most commonly used example of this type of authentication technology.
B. Clifford Neuman and Theodore Ts'o

Access Control: Principles and Practice
Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to breach of security.
Ravi S. Sandhu and Pierangela Samarati

Network Firewalls
Computer security is a hard problem. Security on networked computers is much harder. Firewalls (barriers between two networks), when used properly, can provide a significant increase in computer security.
Steven M. Bellovin and William R. Cheswick

Key Escrowing Today
The objective of the U.S. Government’s Escrowed Encryption Standard and associated Key Escrow System is to provide strong security for communications while simultaneously allowing authorized government access to particular communications for law enforcement and national security purposes.
Dorothy E. Denning and Miles Smid

Toward a National Public Key Infrastructure
Reliance on electronic communications makes information more vulnerable. Public key cryptography will play an important role in providing confidentiality, message integrity, sender authentication, and sender non-repudiation.
Santosh Chokhani

IEEE Communications Magazine - September 1994
76 Digital Signatures: Are They Legal for Electronic Commerce?
Digital signature technology promises assurance at least equal to written signatures. From a legal standpoint, this assurance remains to be tested in the evidentiary process.
Patrick W. Brown

Securing a Global Village and Its Resources
In an international economy and social infrastructure that is growing more dependent every day on its communications networks, more attention must be placed on the security and integrity of the components and interfaces of those critical structures.
Henry M. Kluepfel

Topics in Lightwave
The Hidden Benefits Of Optical Transparency
The optical fiber amplifier will bring about network transparency and reductions in manning levels, interface problems, software and operating costs, while improving reliability and performance.
Peter Cochrane, Roger Heckingbottom, and David Heatley

All-Optical Signal Processing in Ultrahigh-Speed Optical Transmission
The coming broadband era will require very high-speed technologies that can handle more than 100 Gb/s for both transmission lines and transmission nodes. Novel all-optical signal processing technologies that offer unsurpassed performance are urgently required.
Masatoshi Saruwatari
Message from the President and the Director of Publications

Communications Society’s Publications

Responsiveness of products and services to member needs, globalization, and evolution toward on-line electronic information delivery — these are main strategic goals of the IEEE Communications Society. Its publishing program, a fundamental Society activity and contribution to the world industry, is clearly critical to the advancement of these goals. Our Publications Department focuses considerable attention on accelerated realization of these strategic directions.

Responsiveness to Member Needs
The IEEE Communications Society enjoys a leading role in the publication of timely, high-quality magazines, journals, and books, spanning the full breadth and depth of communications topics from around the world. Detailed and professionally objective peer review from subject matter experts, who abound in the Society, and flexibility to respond quickly and appropriately to hot topics and compelling technical imperatives are among the reasons for this leading position. The reader is, of course, familiar with the long-standing and respected magazines and journals published by the Society, but perhaps not with recent and very recent additions to the portfolio of publications. We currently publish three magazines: IEEE Communications Magazine, IEEE Network, and the new IEEE Personal Communications — The Magazine of Nomadic Communications and Computing (developed in technical cosponsorship with the IEEE Computer and Vehicular Technology Societies). The IEEE Communications Society is also a technical co-sponsor of the IEEE Computer Society’s new Multimedia Magazine. Our three journals are: the IEEE Transactions on Communications, the IEEE Journal on Selected Areas in Communications (JSAC), and the IEEE Transactions on Networking (developed in a joint editorial and financial agreement with the IEEE Computer Society and the Special Interest Group on Data Communications of the Association for Computing Machinery (ACM)). Our Society also interacts with six other Societies on the IEEE Journal on Lightwave Technology, to identify collaborative topics and bring them to fruition. Finally, IEEE Press books have long been another publication activity supported by the IEEE Communications Society, and are now being supported even more strongly.

Globalization
Participation and contributions from outside North America have been important contemporary aspects of our publications. With ever-increasing global membership (the fastest growth area in the Society), publications must also reflect the Society’s expanding international interests and requirements. Increased international share in leadership and volunteer editorial positions, as well as contributions, is an ongoing and accelerating goal within the Publications Department. Participation on volunteer Editorial Boards now ranges from 25 to 60 percent or more from outside North America, depending on the particular publication. Contributions reflect, and often exceed, the increasing globalization, openness, and diversity of our volunteer staffs. Progress is also being made in internationalization of leadership roles. Andrzej Jajszczyk of the Franco-Polish School of New Information and Communication Technologies in Poznań, Poland, was recently appointed Editor of the Communications Society’s new Global Communications Newsletter. Served by regional correspondents from around the world, the Newsletter’s staff will be predominantly from outside North America. The newsletter will be published bimonthly, beginning in October 1994, bound-in to IEEE Communications Magazine. The IEEE Global Communications Newsletter will serve all our members, but especially the international members, with timely, important events and topics from around the world.

Electronic Processes
The IEEE Communications Society is one of the leading contributors to worldwide development and implementation of information technology systems and services. The time has come to enter the same Information Age its members champion in their daily professional activity. In response to this strategic goal, an Electronic Processes Study Group was formed to examine the processes and requirements of the Society and to map these into electronic publishing and information dissemination capabilities. Currently chaired by the Director of Publications, the Study Group hopes to identify several high-potential trials/experiments which will provide a learning base for more general deployment of electronic services to the membership.
An IEEE-sponsored electronic library experiment with the University of California and the development and dissemination of the May 1995 IEEE JSAC issue entitled “Global Internet,” using the Internet itself with a World Wide Web server, are being pursued. Further information will be provided as this work and other initiatives progress.
All the above described activities are volunteer-driven with strong support from Executive Director Carol Lof, and her staff in New York City who provide high-quality desktop publishing of our magazines. Our journals are published by IEEE Publications in Piscataway, New Jersey. We would like to hear from you if you are interested in volunteering your time and talent to any of these initiatives.

Maurizio Decina
Thomas J. Plevyak
Access Control: Principles and Practice
Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to breach of security.

Ravi S. Sandhu and Pierangela Samarati

The purpose of access control is to limit the actions or operations that a legitimate user of a computer system can perform. Access control constrains what a user can do directly, as well as what programs executing on behalf of the users are allowed to do. In this way access control seeks to prevent activity that could lead to a breach of security. This article explains access control and its relationship to other security services such as authentication, auditing, and administration. It then reviews the access matrix model and describes different approaches to implementing the access matrix in practical systems, and follows with a discussion of access control policies commonly found in current systems, and a brief consideration of access control administration.

Access Control and Other Security Services
Access control relies on and coexists with other security services in a computer system (Fig. 1). Access control is concerned with limiting the activity of legitimate users. It is enforced by a reference monitor which mediates every attempted access by a user (or program executing on behalf of that user) to objects in the system. The reference monitor consults an authorization database in order to determine if the user attempting to do an operation is actually authorized to perform that operation. Authorizations in this database are administered and maintained by a security administrator. The administrator sets these authorizations on the basis of the security policy of the organization. Users may also be able to modify some portion of the authorization database, for instance, to set permissions for their personal files. Auditing monitors and keeps a record of relevant activity in the system.

Figure 1. Access control and other security services.

Figure 1 is a logical picture of security services and their interactions. It should not be interpreted literally. For instance, as we will see later, the authorization database is often stored with the objects being protected by the reference monitor rather than in a physically separate area. The picture is also somewhat idealized in that the separation between authentication, access control, auditing, and administration services may not always be as clear as this picture indicates. This separation is considered highly desirable, but is not always faithfully implemented in every system.
It is important to make a clear distinction between authentication and access control. Correctly establishing the identity of the user is the responsibility of the authentication service. Access control assumes that authentication of the user has been successfully verified prior to enforcement of access control via a reference monitor. The effectiveness of the access control rests on a proper user identification and on the correctness of the authorizations governing the reference monitor.
Readers are surely familiar with the process of signing on to a computer system by providing an identifier and a password. In a networked environment authentication becomes more difficult for several reasons. If intruders can observe network traffic they can replay authentication protocols in order to masquerade as legitimate users. Also, computers on the network need to mutually authenticate each other. In this article we assume that authentication has been correctly achieved, and focus on what happens after that. For discussion of authentication issues in distributed systems readers are referred to [1, 2].
It is also important to understand that access control is not a complete solution for securing a system. It must be coupled with auditing. Audit controls concern a posteriori analysis of all the requests and activities of users in the system. Auditing requires the registration (logging) of all user requests and activities for their later analysis. Audit controls are useful both as a deterrent (users may be discouraged from attempting violations if they know all their requests are being tracked) as well as a means to analyze the users’ behavior in using the system to find out about possible attempted or actual violations. Moreover, auditing can be useful for determining possible flaws in the security system. Finally, auditing is essential to ensure that authorized users do not misuse their privileges. In other words, to hold users accountable for their actions. Note that effective auditing requires that good authentication be in place.
In access control systems a distinction is generally made between policies and mechanisms. Policies are high-level guidelines that determine how accesses are controlled and access decisions determined. Mechanisms are low-level software and hardware functions that can be configured to implement a policy. Security researchers have sought to develop access control mechanisms that are largely independent of the policy for which they could be used. This is a desirable goal in order to allow reuse of mechanisms that serve a variety of security purposes. Often, the same mechanisms can be used in support of secrecy, integrity, or availability objectives. On the other hand, sometimes the policy alternatives are so many and diverse that system implementors feel compelled to choose one in preference to the others.
In general, there do not exist policies that are “better” than others; rather, there exist policies that ensure more protection than others. However, not all systems have the same protection requirements. Policies suitable for a given system may not be suitable for another. For instance, very strict access control policies, which are crucial to some systems, may be inappropriate for environments where users require greater flexibility. The choice of access control policy depends on the particular characteristics of the environment to be protected.

RAVI SANDHU is associate chair of the Information and Software Systems Engineering Department at George Mason University.
PIERANGELA SAMARATI is an assistant professor of Computer Science at the University of Milan.

0163-6804/94/$03.00 © 1994 IEEE

The Access Matrix
Security practitioners have developed a number of abstractions over the years in dealing with access control. Perhaps the most fundamental of these is the realization that all resources controlled by a computer system can be represented by data stored in objects (e.g., files). Therefore protection of objects is the crucial requirement, which in turn facilitates protection of other resources controlled via the computer system. (Of course, these resources must also be physically protected so that they cannot be manipulated directly bypassing the access controls of the computer system.)
Activity in the system is initiated by entities known as subjects. Subjects are typically users or programs executing on behalf of users. A user may sign on to the system as different subjects on different occasions, depending on which privileges the user wishes to exercise in a given session. For example, a user working on two different projects may sign on for purpose of working on one project or the other. We then have two subjects corresponding to this user, depending on the project the user is currently working on.
A subtle point that is often overlooked is that subjects can themselves be objects. A subject can create additional subjects in order to accomplish its task. The children subjects may be executing on various computers in a network. The parent subject will usually be able to suspend or terminate its children as appropriate. The fact that subjects can be objects corresponds to the observation that the initiator of one operation can be the target of another. (In network parlance subjects are sometimes called initiators, and objects are sometimes called targets.)
The subject-object distinction is basic to access control. Subjects initiate actions or operations on objects. These actions are permitted or denied in accord with the authorizations established in the system. Authorization is expressed in terms of access rights or access modes. The meaning of rights depends upon the object in question. For files the typical access rights are read, write, execute, and own. The meaning of the first three of these is self evident. Ownership is concerned with controlling who can change the access permissions for the file. An object such as a bank account may have access rights inquiry, credit, and debit, corresponding to the basic operations that can be performed on an account. These operations would be implemented by application programs, whereas for a file the operations would typically be provided by the operating system.
The access matrix is a conceptual model that specifies the rights that each subject possesses for each object. There is a row in this matrix for each subject, and a column for each object. Each cell of the matrix specifies the access authorized for the subject in the row to the object in the column. The task of access control is to ensure that only those operations authorized by the access matrix actually get executed. This is achieved by means of a reference monitor, which is responsible for mediating all attempted operations by subjects on objects. Note that the access matrix model clearly separates the problem of authentication from that of authorization.
An example of an access matrix is shown in Fig. 2, where the rights R and W denote read and write, respectively, and the other rights are as discussed above. The subjects shown here are John, Alice, and Bob. There are four files and two accounts. This matrix specifies that, for example, John is the owner of File 3 and can read and write that file, but John has no access to File 2 or File 4. The precise meaning of ownership varies from one system to another. Usually the owner of a file is authorized to grant other users access to the file, as well as revoke access. Since John owns File 1, he can give Alice the R right and Bob the R and W rights as shown in Fig. 2. John can later revoke one or more of these rights at his discretion.
The access rights for the accounts illustrate how access can be controlled in terms of abstract operations implemented by application programs. The inquiry operation is similar to read in that it retrieves information but does not change it. Both the credit and debit operations will involve reading the previous account balance, adjusting it as appropriate and writing it back. The programs which implement these operations require read and write access to the account data. Users, however, are not allowed to read and write the account object directly, but only indirectly via application programs which implement the debit and credit operations.
Also note that there is no own right for accounts. Objects such as bank accounts do not really have an owner who can determine the access of other subjects to the account. Clearly the user who establishes the account at the bank should not be the one to decide who can access the account. Within the bank different officials can access the account on the basis of their job functions in the organization.

Implementation Approaches
In a large system the access matrix will be enormous in size, and most of its cells are likely to be empty. Accordingly the access matrix is very rarely implemented as a matrix. We now discuss some common approaches to implementing the access matrix in practical systems.

Access Control Lists
A popular approach to implementing the access matrix is by means of access control lists (ACLs). Each object is associated with an ACL, indicating for each subject in the system the accesses the subject is authorized to execute on the object. This approach corresponds to storing the matrix by columns. ACLs corresponding to the files in the access matrix of Fig. 2 are shown in Fig. 3. Essentially the access matrix column for File 1 is stored in association with File 1, and so on.

Figure 3. Access control lists for files in Fig. 2.

By looking at an object’s ACL it is easy to determine which modes of access subjects are currently authorized for that object. In other words, ACLs provide for convenient access review with respect to an object. It is also easy to revoke all accesses to an object by replacing the existing ACL with an empty one. On the other hand determining all the accesses that a subject has is difficult in an ACL-based system. It is necessary to examine the ACL of every object in the system to do access review with respect to a subject. Similarly if all accesses of a subject need to be revoked all ACLs must be visited one by one. (In practice revocation of all accesses of a subject is often done by deleting the user account corresponding to that subject. This is acceptable if a user is leaving an organization. However, if a user is reassigned within the organization it would be more convenient to retain the account and change its privileges to reflect the changed assignment of the user.)
Many systems allow group names to occur in ACLs. For example, an entry such as (ISSE, R) can authorize all members of the ISSE group to read a file. Several popular operating systems, such as UNIX and VMS, implement an abbreviated form of ACLs in which a small number, often only one or two, group names can occur in the ACL. Individual subject names are not allowed. With this approach the ACL has a small fixed size so it can be stored using a few bits associated with the file. At the other extreme there are a number of access control packages that allow complicated rules in ACLs to limit when and how the access can be invoked. These rules can be applied to individual users or to all users who match a pattern defined in terms of user names or other user attributes.

Capabilities
Capabilities are a dual approach to ACLs. Each subject is associated with a list (called the capability list) that indicates, for each object in the system, which accesses the subject is authorized to execute on the object. This approach corresponds to storing the access matrix by rows. Figure 4 shows capability lists for the files in Fig. 2. In a capability list approach it is easy to review all accesses that a subject is authorized to perform, by simply examining the subject’s capability list. However, determination of all subjects who can access a particular object requires examination of each and every subject’s capability list. A number of capability-based computer systems were developed in the 1970s, but did not prove to be commercially successful. Modern operating systems typically take the ACL-based approach.
It is possible to combine ACLs and capabilities. Possession of a capability is sufficient for a subject to obtain access authorized by that capability. In a distributed system this approach has the advantage that repeated authentication of the subject is not required. This allows a subject to be authenticated once, obtain its capabilities, and then present these capabilities to obtain services from various servers in the system. Each server may further use ACLs to provide finer-grained access control.

Authorization Relations
We have seen that ACL- and capability-based approaches have dual advantages and disadvantages with respect to access review. There are representations of the access matrix that do not favor one aspect of access review over the other. For example, the access matrix can be represented by an authorization relation (or table) as shown in Table 1. Each row, or tuple, of this table specifies one access right of a subject to an object. Thus, John’s accesses to File 1 require three rows. If this table is sorted by subject, we get the effect of capability lists. If it is sorted by object we get the effect of ACLs. Relational database management systems typically use such a representation.

Figure 4. Capability lists for files in Fig. 2.

Table 1. Authorization relation for files in Fig. 2.

Subject   Access mode   Object
John      Own           File 1
John      R             File 1
John      W             File 1
John      Own           File 3
John      R             File 3
John      W             File 3
Alice     R             File 1
Alice     Own           File 2
Alice     R             File 2
Alice     W             File 3
Alice     R             File 4
Bob       R             File 1
Bob       W             File 1
Bob       R             File 2
Bob       Own           File 4
Bob       R             File 4
Bob       W             File 4
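The file rows of Table 1 stored as an authorization relation, with the ACL view (by object) and the capability-list view (by subject) derived from the same tuples, and a reference monitor that mediates requests, lets only an owner grant or revoke, and records every decision for auditing. This is an added illustration, not code from the article; the account rights (inquiry, credit, debit) are left out, and the `ReferenceMonitor` class and its method names are this example's own.

```python
"""Added example (not from the article): the access matrix of Fig. 2 held as
the authorization relation of Table 1, with ACL and capability-list views
derived from it and a reference monitor that mediates requests against it.
Only the file rows of Table 1 are used; account rights are omitted."""
from collections import defaultdict

# Authorization relation: one (subject, right, object) tuple per access
# right, as listed in Table 1 of the article.
AUTHORIZATION_RELATION = {
    ("John", "Own", "File 1"), ("John", "R", "File 1"), ("John", "W", "File 1"),
    ("John", "Own", "File 3"), ("John", "R", "File 3"), ("John", "W", "File 3"),
    ("Alice", "R", "File 1"), ("Alice", "Own", "File 2"), ("Alice", "R", "File 2"),
    ("Alice", "W", "File 3"), ("Alice", "R", "File 4"),
    ("Bob", "R", "File 1"), ("Bob", "W", "File 1"), ("Bob", "R", "File 2"),
    ("Bob", "Own", "File 4"), ("Bob", "R", "File 4"), ("Bob", "W", "File 4"),
}


def acls(relation):
    """Matrix stored by columns: object -> {subject -> set of rights} (Fig. 3)."""
    view = defaultdict(lambda: defaultdict(set))
    for subject, right, obj in relation:
        view[obj][subject].add(right)
    return {obj: dict(entries) for obj, entries in view.items()}


def capability_lists(relation):
    """Matrix stored by rows: subject -> {object -> set of rights} (Fig. 4)."""
    view = defaultdict(lambda: defaultdict(set))
    for subject, right, obj in relation:
        view[subject][obj].add(right)
    return {subject: dict(entries) for subject, entries in view.items()}


class ReferenceMonitor:
    """Mediates every (subject, right, object) request against the relation.
    Closed policy: anything not explicitly authorized is denied.  Every
    decision is appended to an audit log, since access control on its own is
    not a complete solution and must be coupled with auditing."""

    def __init__(self, relation):
        self.relation = set(relation)   # private copy; grants/revokes mutate it
        self.audit_log = []

    def check(self, subject, right, obj):
        allowed = (subject, right, obj) in self.relation
        self.audit_log.append((subject, right, obj, allowed))
        return allowed

    def grant(self, granter, subject, right, obj):
        """Only an owner of the object may give other subjects access to it."""
        if not self.check(granter, "Own", obj):
            return False
        self.relation.add((subject, right, obj))
        return True

    def revoke(self, revoker, subject, right, obj):
        """Only an owner of the object may take a right away again."""
        if not self.check(revoker, "Own", obj):
            return False
        self.relation.discard((subject, right, obj))
        return True

    def revoke_all_on_object(self, obj):
        """Cheap in the ACL view: replace the object's ACL with an empty one."""
        self.relation = {t for t in self.relation if t[2] != obj}

    def revoke_all_of_subject(self, subject):
        """Needs a pass over every object's ACL; cheap in the capability view."""
        self.relation = {t for t in self.relation if t[0] != subject}
```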
[Figure 5. Multiple access control policies. Overlapping circles; labels recovered: Discretionary, Role-based.]

Access Control Policies
We will now discuss three different policies that commonly occur in computer systems as follows:
Classical discretionary policies.
Classical mandatory policies.
The emerging role-based policies.
The qualifier “classical,” added to the first two policies, reflects the fact that they have been recognized by security researchers and practitioners for a long time. However, in recent years there is increasing consensus that there are legitimate policies with aspects of both, leading to the emergence of role-based policies.
It should be noted that access control policies are not necessarily exclusive. Different policies can be combined to provide a more suitable protection system, as indicated in Fig. 5. Each of the three inner circles represents a policy that allows a subset of all possible accesses. When the policies are combined, only the intersection of their accesses is allowed. Such a combination of policies is relatively straightforward as long as there are no conflicts where one policy asserts that a particular access must be allowed while another one prohibits it. Such conflicts between policies need to be reconciled by negotiations at an appropriate level of management.

Classical Discretionary Policies
Discretionary protection policies govern the access of users to the information on the basis of the user’s identity and authorizations (or rules) that specify, for each user (or group of users) and each object in the system, the access modes (e.g., read, write, or execute) the user is allowed on the object. Each request of a user to access an object is checked against the specified authorizations. If there exists an authorization stating that the user can access the object in the specific mode, the access is granted, otherwise it is denied.
The flexibility of discretionary policies makes them suitable for a variety of systems and applications. For these reasons, they have been widely used in a variety of implementations, especially in the commercial and industrial environments. However, discretionary access control policies have the drawback that they do not provide real assurance on the flow of information in a system. It is easy to bypass the access restrictions stated through the authorizations. For example, a user who is able to read data can pass it to other users not authorized to read it without the cognizance of the owner. The reason is that discretionary policies do not impose any restriction on the usage of information by a user once the user has received it, i.e., dissemination of information is not controlled. In contrast, dissemination of information is controlled in mandatory systems by preventing information stored in high-level objects to flow into low-level objects.
Discretionary access control policies based on explicitly specified authorizations are said to be closed, in that the default decision of the reference monitor is denial. Similar policies, called open policies, could also be applied by specifying denials instead of permissions. In this case, for each user and each object of the system, the access modes the user is forbidden on the object are specified. Each access request by a user is checked against the specified (negative) authorizations and granted only if no authorizations denying the access exist. The use of positive and negative authorizations can be combined, allowing the specification of both the accesses to be authorized as well as the accesses to be denied to the users. The interaction of positive and negative authorizations can become extremely complicated [3].
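The closed and open discretionary policies just described, a combined policy in which a negative authorization overrides a positive one, and the Fig. 5 intersection of several policies with the conflicting policies reported rather than silently resolved. This is an added illustration, not the article's code; the subjects, objects, the ISSE group membership and the authorizations are constructed, and the `GROUPS` expansion of a subject into its groups is this example's own convention for the (ISSE, R)-style group entries discussed earlier.

```python
"""Added example (not from the article): closed and open discretionary
policies, a combined policy with positive and negative authorizations, and
the intersection of several policies from Fig. 5 with conflict reporting.
Subjects, objects, groups and authorizations are constructed."""

# Constructed authorizations.  A group name may stand in for a subject, in
# the manner of the (ISSE, R) ACL entry discussed in the article.
GROUPS = {"ISSE": {"alice", "bob"}}
POSITIVE = {("alice", "read", "payroll"), ("alice", "write", "payroll"),
            ("bob", "read", "payroll"), ("ISSE", "read", "memo")}
NEGATIVE = {("bob", "write", "payroll"), ("alice", "write", "payroll")}


def principals(subject, groups):
    """The subject itself plus every group it is a member of."""
    return {subject} | {g for g, members in groups.items() if subject in members}


def closed_policy(positive, groups=GROUPS):
    """Closed policy: the reference monitor's default decision is denial, so
    an access passes only when an explicit positive authorization exists
    for the subject or one of its groups."""
    def decide(subject, mode, obj):
        return any((p, mode, obj) in positive for p in principals(subject, groups))
    return decide


def open_policy(negative, groups=GROUPS):
    """Open policy: the default is permission, so an access fails only when a
    negative authorization denies it to the subject or one of its groups."""
    def decide(subject, mode, obj):
        return not any((p, mode, obj) in negative for p in principals(subject, groups))
    return decide


def combined_policy(positive, negative, groups=GROUPS):
    """Positive and negative authorizations used together.  The article notes
    that their interaction can become complicated; the rule chosen here is
    the simplest one: a denial always wins over a grant."""
    allow = closed_policy(positive, groups)
    not_denied = open_policy(negative, groups)
    return lambda subject, mode, obj: (allow(subject, mode, obj)
                                       and not_denied(subject, mode, obj))


def intersect_policies(policies, request):
    """Fig. 5: combining policies allows only the intersection of their
    accesses.  Returns (decision, conflicts); conflicts names the policies
    that would have allowed a request another policy prohibits, so that the
    disagreement can be reconciled by management rather than by the monitor."""
    verdicts = {name: policy(*request) for name, policy in policies.items()}
    decision = all(verdicts.values())
    conflicts = [] if decision else sorted(n for n, v in verdicts.items() if v)
    return decision, conflicts
```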
Classical Mandatory Policies
Mandatory policies govern access on the basis of classification of subjects and objects in the system. Each user and each object in the system is assigned a security level. The security level associated with an object reflects the sensitivity of the information contained in the object, i.e., the potential damage that could result from unauthorized disclosure of the information. The security level associated with a user, also called clearance, reflects the user’s trustworthiness not to disclose sensitive information to users not cleared to see it. In the simplest case, the security level is an element of a hierarchical ordered set. In the military and civilian government arenas, the hierarchical set generally consists of Top Secret (TS), Secret (S), Confidential (C), and Unclassified (U), where TS > S > C > U. Each security level is said to dominate itself and all others below it in this hierarchy.
Access to an object by a subject is granted only if some relationship (depending on the type of access) is satisfied between the security levels associated with the two. In particular, the following two principles are required to hold.
Read down - A subject’s clearance must dominate the security level of the object being read.
Write up - A subject’s clearance must be dominated by the security level of the object being written.
Satisfaction of these principles prevents information in high-level objects (i.e., more sensitive) to flow to objects at lower levels. The effect of these rules is illustrated in Fig. 6. In such a system information can only flow upwards or within the same security class.
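The read-down and write-up rules over the TS > S > C > U hierarchy, together with the stricter variant (writes confined to the subject's own level) that the article says many systems adopt for integrity reasons, and a check that under either variant information can only flow upwards or within a class. This is an added illustration, not the article's code; the object names and their levels are constructed, and `MandatoryMonitor` and `information_flows_upward` are this example's own names.

```python
"""Added example (not from the article): the mandatory policy just described.
Security levels TS > S > C > U form a totally ordered set; a subject may read
an object only if its clearance dominates the object's level (read down) and
may write it only if the object's level dominates its clearance (write up).
The variant that confines writes to the subject's own level is included.
Object names and their levels are constructed."""

LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}

# Constructed objects with their security levels.
OBJECTS = {"ts_plan": "TS", "s_report": "S", "c_notice": "C", "u_bulletin": "U"}


def dominates(a, b):
    """Level a dominates level b when a equals b or lies above it."""
    return LEVELS[a] >= LEVELS[b]


class MandatoryMonitor:
    """Reference monitor enforcing read down and write up over labelled objects."""

    def __init__(self, object_levels, allow_write_up=True):
        self.object_levels = dict(object_levels)
        self.allow_write_up = allow_write_up

    def can_read(self, clearance, obj):
        # Read down: the subject's clearance must dominate the object's level.
        return dominates(clearance, self.object_levels[obj])

    def can_write(self, clearance, obj):
        # Write up: the object's level must dominate the subject's clearance.
        # The strict variant requires the object to sit at exactly that level.
        level = self.object_levels[obj]
        if self.allow_write_up:
            return dominates(level, clearance)
        return level == clearance

    def reachable(self, clearance):
        """Objects a subject at this clearance may read and may write."""
        readable = {o for o in self.object_levels if self.can_read(clearance, o)}
        writable = {o for o in self.object_levels if self.can_write(clearance, o)}
        return readable, writable


def information_flows_upward(monitor):
    """The property the two rules guarantee: whatever a subject can read may
    only be written to objects at the same or a dominating level, so no single
    subject can carry information from a higher level down to a lower one."""
    for clearance in LEVELS:
        readable, writable = monitor.reachable(clearance)
        for src in readable:
            for dst in writable:
                if not dominates(monitor.object_levels[dst], monitor.object_levels[src]):
                    return False
    return True
```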

Figure 6. Controlling information flow for secrecy.

It is important to understand the relationship between users and subjects in this context. Let us say that the human user Jane is cleared to S, and assume she always signs on to the system as an S subject (i.e., a subject with clearance S). Jane’s subjects are prevented from reading TS objects by the read-down rule. The write-up rule, however, has two aspects that seem at first sight contrary to expectation. First, Jane’s S subjects can write a TS object (even though they cannot read it). In particular, they can overwrite existing TS data and therefore destroy it. Due to this integrity concern, many systems for mandatory access control do not allow write up; but limit writing to the same level as the subject. At the same time, write up does allow Jane’s S subjects to send e-mail to TS subjects, and can have its