Mandatory Access Control

from Wikipedia, the free encyclopedia

Mandatory Access Control ( MAC ), about to German: absolutely necessary access control , describes a system specific, rule-based access control strategy and is an umbrella term for approaches to monitoring and control of access rights , especially on IT systems. The decisions about access rights are made not only on the basis of the identity of the actor ( user , process ) and the object (resource to be accessed), but also on the basis of additional rules and properties (such as categorizations, labels and code words). In contrast to other security models such as the user-definable DAC model or the role-based RBAC model, special functions are incorporated into the IT system and application programs that only allow access, use and conversion of information under the conditions applicable in the respective concept.

Areas of application

Mandatory Access Control models are used to ensure the security of information against unauthorized access and to enforce it in terms of system technology. The protection of the information relates to confidentiality and integrity .

Preventing unauthorized people from accessing protected information. Information that is subject to confidentiality can be listed here as an example.
Preventing the manipulation of information by unauthorized persons. The chain of command of a military deployment system such as command-and-control systems can be cited here as an example.

One characteristic is the implementation of access control in IT systems. Furthermore, the security models can also be used in the same way in organizational forms , processes and in building technology.

Such access systems are particularly needed in the military sector , which is sensitive information relating to warfare, but also in the field of authorities , which is information relating to technology , politics , foreign trade and communications technology . See also classified information . Another area of ​​application is patient data in the health sector , for example with patient cards .

There are two types of MAC concepts:

  • In the simplest (and also partly historical) case, the multi-level safety systems, such systems represent the model of the protection levels . For more information see section Multi-Level Security Systems .
  • In the more complex case, the multilateral security models , such systems not only form a vertical structure in levels of protection from, but an association (engl. Lattice) consisting of several levels of protection and code words (engl. "Labels"). For more information, see section Multilateral Security Models .

Multi-level security systems

The multi-level security systems (MLS) (English: multilevel security or multiple levels of security ) correspond to the original form of mandatory access control , which was described in the 1970s . Most of the time, implementations on mainframes were used in the military or security sector. This type of mandatory access control is the most widespread to date . With the MLS systems, access is always mapped using the model of the protection levels . Each object ( resource to be accessed) is assigned a protection level. The individual protection classes divide the objects into "layers" (vertical structure). The term "vertical" refers to the flow of information and means that information can only flow within layers without further ado. Secret information must not be made public. Each subject (actor, user) is now also assigned a protection level (trust). A subject may only access an object in another layer if the protection level of the subject (the clearance of a person) is at least as high as the protection level of the object (for example the confidentiality level of a document). The access security refers to the top-down and bottom-up flow of information.

Protection levels in MLS security

Bell LaPadula

The Bell-LaPadula model deals with the confidentiality of data. It should not be possible to read information from a higher protection level or to transfer information from a higher protection level to a lower protection level. Systems based on the Bell-LaPadula principle were primarily used when data was subject to a certain degree of confidentiality. The classic Bell LaPadula systems have been replaced by lattice or compartment-based systems.


The Biba model is a reversal of the Bell-LaPadula model: Here, information is not protected from being read, but from manipulation by unauthorized persons. The Biba model places an emphasis on the integrity of the data. It is used on the one hand in information technology, e.g. B. as a countermeasure in the event of attacks on security-relevant systems such as firewalls , on the other hand also in military systems, where it is fundamentally important that a command in the command chain cannot be modified and thus an incorrect instruction is passed on.


Low-Watermark Mandatory Access Control is a variation of the Biba model that allows subjects of high integrity to read objects of lower integrity. The integrity of the reading subject is reduced so that it can no longer write to objects with high integrity. LoMAC systems are mainly implemented in chroot applications such as honeypot .

Multilateral security models

Protection levels in the multilateral security models

The term multilateral security models is used for security systems that not only take top-down or bottom-up considerations, such as the Bell-LaPadula or Biba model , but also assign access rights on the basis of segments. Such systems form a bandage (engl. Lattice) consisting of several levels of protection and code words (engl. "Labels") from. Technically, both protection levels and code words are mapped as labels. This results in a horizontal access system (the code words) which has additional vertical properties (the protection levels). Access to protected information is not only possible with a secret classification , but all protection levels and code words must be fulfilled. If User A read access to the classification in strict confidence has, he can read information on this classification. However, the same user has no access to data classified as strictly confidential (CodeWord: crypto). To illustrate the more complex issue, these systems are also referred to as policy-based security models or rule-based security systems.

Compartment or Lattice model

Also referred to as a lattice model or compartment (in German: association or category ). The compartment model is based on the Bell-LaPadula model, expands the access to code words and thus forms a lattice. It describes "permissible and impermissible information channels between subjects". The Lattice model was described in 1993 by Ravi S. Shandu and in 1976 by Dorothy E. Denning . If User A has read access to the Top Confidential Classification and Classification Confidential , he can read information from that Classification. However, the same user has no access to data that is classified as strictly confidential (crypto) . Only if the user has access to the classifications strictly confidential and crypto can he access the data.

In principle, the model represents a combination of protection levels with the need to know principle : Objects are divided both vertically (according to protection level) and horizontally (according to subject area). Subjects are assigned a protection level per subject area . Access can only take place if the requirements of both control systems are met. The main focus is on controlling the flow of information . It should not be possible for confidential information to be passed on to untrustworthy people.

Chinese Wall - Brewer-Nash

The term Chinese Wall has its origins in the financial industry and describes certain rules that are intended to prevent a conflict of interest from being created (see also Chinese Wall (financial world) ). The IT system is intended to prevent “inadmissible use of insider knowledge when processing bank or stock exchange transactions” or the disclosure of company-specific insider information to competing companies by a consultant .

Other security models

Clark Wilson

The Clark-Wilson model describes the integrity of commercial, non-military systems and is a variation of the classic MAC approach. Practically every mainframe computer processes data based on the Clark-Wilson model.

  1. The system is in a valid (consistent) initial state.
  2. Access to the system only by means of explicitly permitted transactions .
  3. Only those transactions are permitted that bring the system into a (new) valid state under all circumstances .

BMA model (British Medical Association)

The BMA model was described by Ross Anderson in 1996 . The model combines features of the Clark-Wilson model with the Bell-LaPadula security model. The BMA model is an access model that was developed to protect medical data. The BMA model is generally applicable to all data that is subject to data protection. In 1996 the model was adopted by the UEMO European Medical Organization. The BMA model is not central, but decentralized. The policy is determined by the patient.

Principle of necessary knowledge

The principle of the necessary knowledge (ger .: need-to-know principle ) offers an alternative to protection class model: Here the objects are divided "horizontally" in subject areas; each subject is assigned the areas for which he or she should be responsible. Depending on the characteristics, a subject who wants to access an object must either belong to all or at least one subject area that is assigned to the object. In this way, the range of dissemination of information is significantly restricted, and control of the flow of information is made easier.

The advantage of this security concept is that the individual actors are only granted the rights that they need for their task. This minimizes the risk of application misuse by exploiting security gaps.

This means, for example, that an application that does not require authorization for network access does not receive any rights for this. As a result, an attacker who wants to exploit a security hole cannot use the program to establish network connections.

The disadvantage of this concept is the complexity of the configuration, since it has to be determined for each application which access rights it requires.


Manufacturer / implementation type system Accredited
NSA / Red Hat - SELinux Variant of Bell-LaPadula Fedora , RHEL , CentOS , Gentoo Linux , Debian , Darwin -
TrustedBSD Biba , LoMAC TrustedBSD , Mac OS X , Darwin -
Novell AppArmor - Ubuntu , openSUSE , SLES -
Rule Set Based Access Control (RSBAC) Variant of Bell-LaPadula Gentoo Linux , Debian , Fedora -
Sun Microsystems Variant of Bell-LaPadula Sun Trusted Solaris -
Microsoft Biba Windows Vista -
Unisys Biba , Bell-LaPadula , Lattice (compartment), Clark-Wilson OS2200 TCSEC B1
Argus Systems Group PitBull LX Lattice (compartment) AIX , Sun Solaris , Linux ITSEC F-B1, E3


  • Ross J. Anderson : Security Engineering. A Guide to Building Dependable Distributed Systems. Wiley, New York, NY et al. a. 2001, ISBN 0-471-38922-6 ( Wiley Computer Publishing ).

Individual evidence

  1. ^ Claudia Eckert: IT security. Concepts - Procedures - Protocols. 6th, revised and expanded edition. Oldenbourg, 2009, ISBN 978-3-486-58999-3 , p. 242
  2. ^ Claudia Eckert: IT security. Concepts - Procedures - Protocols. 6th, revised and expanded edition. Oldenbourg, 2009, ISBN 978-3-486-58999-3 , p. 242 f.
  3. ^ Claudia Eckert: IT security. Concepts - Procedures - Protocols. 6th, revised and expanded edition. Oldenbourg, 2009, ISBN 978-3-486-58999-3 , p. 272
  4. ^ Ravi S. Sandhu: Lattice-Based Access Control Models . In: Computer , v.26 n.11, November 1993, pp. 9-19
  5. ^ Dorothy E. Denning: A lattice model of secure information flow . In: Commun. ACM , v.19 n.5, 1976
  6. ^ Claudia Eckert: IT security. Concepts - Procedures - Protocols. 6th, revised and expanded edition. Oldenbourg, 2009, ISBN 978-3-486-58999-3 , p. 260
  7. ^ Ross J. Anderson: A Security Policy Model for Clinical Information Systems. (PDF; 536 kB) University of Cambridge Computer Laboratory, 1996, accessed on March 13, 2008 (English).