The enforcement mechanisms within the Flask security architecture are a generalization of type enforcement [3] or domain and type enforcement [1]. A type enforcing system uses a particular form of labeling (domains and types) and a particular form of access decision computation (a lookup within a static access matrix). All relationships among domains and types must be explicitly defined in the access matrix. In contrast, Flask provides flexibility in both labeling and access decision computations by cleanly encapsulating these functions within a separate security subsystem and by carefully defining the interfaces between this subsystem and the rest of the system.
Not only can Flask support simple labels like domains and types, it can also support labels with complex structures and/or implicit relationships. Although a type enforcing system can explicitly represent some implicit relationships among labels through the access matrix definition, such a representation is inefficient and difficult to manage. Flask can also support a combination of multiple types of labels, such as a combination of a role attribute, a domain attribute, an integrity level attribute and a sensitivity level attribute. In the Fluke and Linux implementations of the Flask architecture, labels consist of a role attribute, a domain or type attribute, a range of MLS levels and a user identity.
Access decision computations in Flask may likewise take a variety of forms, such as static access matrix lookups, lattice-based models, history-based or environment-based decisions and dynamic policy logic. Flask can support combinations of access decision computation forms, such as a combination of role-based access control, type enforcement and MLS. In the Fluke and Linux implementations of the Flask architecture, this combination of policies is provided. A different form of labeling or access decision computation can be added to a Flask system simply by changing the security subsystem.
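The separation described above, as an added C example that is not code from Flask, Fluke or SELinux: the enforcement function `om_check` only asks the security subsystem for a decision, while `ss_compute_av` combines a role check, a static type-enforcement matrix and an MLS lattice rule over the four-attribute label. All identifiers, the sample types and roles, and the reduced no-read-up/no-write-down rule are assumptions made for illustration.

```c
#include <stdio.h>

/* Hypothetical, simplified model; not code from Flask, Fluke or SELinux. */
enum { PERM_READ = 1, PERM_WRITE = 2 };
enum { T_USER, T_HTTPD, T_WEBCONTENT, T_SHADOW, NTYPES };
enum { R_USER, R_SYSTEM, NROLES };

/* Label with the four attributes the page lists for the Fluke/Linux versions. */
struct label { int user, role, type, lo, hi; };   /* lo..hi = MLS level range */

/* Type enforcement: static access matrix, every relationship listed explicitly. */
static const unsigned te_matrix[NTYPES][NTYPES] = {
    [T_USER]  = { [T_WEBCONTENT] = PERM_READ | PERM_WRITE },
    [T_HTTPD] = { [T_WEBCONTENT] = PERM_READ },
};

/* RBAC: which domains each role may enter. */
static const int role_types[NROLES][NTYPES] = {
    [R_USER]   = { [T_USER] = 1 },
    [R_SYSTEM] = { [T_HTTPD] = 1 },
};

/* MLS: lattice rule computed from the levels, no per-pair table needed. */
static unsigned mls_av(const struct label *s, const struct label *t) {
    unsigned av = 0;
    if (s->hi >= t->hi) av |= PERM_READ;    /* no read up */
    if (s->lo <= t->lo) av |= PERM_WRITE;   /* no write down */
    return av;
}

/* Security-subsystem entry point: the only function the enforcement code calls. */
unsigned ss_compute_av(const struct label *s, const struct label *t) {
    if (!role_types[s->role][s->type]) return 0;   /* role may not use this domain */
    return te_matrix[s->type][t->type] & mls_av(s, t);
}

/* Enforcement side (object manager): asks for a decision, never interprets labels. */
int om_check(const struct label *s, const struct label *t, unsigned perm) {
    return (ss_compute_av(s, t) & perm) == perm;
}

int main(void) {
    struct label httpd = {0, R_SYSTEM, T_HTTPD, 0, 1};       /* constructed sample */
    struct label page  = {0, R_SYSTEM, T_WEBCONTENT, 0, 0};  /* constructed sample */
    printf("httpd read page: %d, write page: %d\n",
           om_check(&httpd, &page, PERM_READ), om_check(&httpd, &page, PERM_WRITE));
    return 0;
}
```

Changing the fields of `struct label` or the body of `ss_compute_av` changes the policy model without touching `om_check`, which is the property the last sentence of the preceding paragraph describes.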
In addition to having a more flexible architecture, the Flask design provides greater security and flexibility than type enforcing systems in the set of controls it provides. Greater security is provided through a comprehensive suite of controls for the system services, while greater flexibility is provided through individual permissions on most controlled operations. Strictly speaking, the gaps in controls and the coarse granularity of permissions provided by type enforcing systems are not intrinsic to type enforcement; however, these limitations are common to current type enforcing systems.
Last modified June 7 2000