solid base to build on. Type enforcement is a straightforward security mechanism that provides the flexibility to balance security and functionality.
The Dawn of Computer Security
In 1985, the federal government published the first set of computer security criteria that computer professionals could understand and build into systems. Officially called the Trusted Computer Security Evaluation Criteria, it is more popularly known as the Orange Book. It offers a range of ratings for secure systems. The ratings start with D, for systems with no security, and go to A1, which requires formal methods to verify security.
One of the key elements of the Orange Book was mandatory access control, where all the resources in the computer (i.e., users, files, services, and programs) are labeled with a security level, or sensitivity. The label identifies the degree of sensitivity of e
ach resource, such as Unclassified, Confidential, Secret, and Top Secret. Labels effectively assign the data on the system to separate "buckets." The goal, or security policy, is to keep sensitive data from getting into the least-sensitive bucket.
Many initial Orange Book implementations were too restrictive. The federal government funded seven years of R&D; to create a flexible implementation. At the heart of this solution is the type-enforcement security model.
Type enforcement is a security mechanism that gives every program on the system permission to do only those things it requires to do its job. This is called least privilege and applies to applications, files, and OSes.
Type enforcement works by grouping all the processes of the system into classes based on least privilege. Each process group is called a domain. In a similar manner, the files on the system are grouped into classes called types. The Domain Definition Table on page 156 describes ea
ch domain's access rights for each type. The table cannot be changed while the system is running.
The DBMS can interact only with database files, and the text editor can interact only with user files. The World Wide Web server can read user files but not modify them and is the only domain with access to the network. A similar table is constructed for controlling how domains can interact with each other.
One of the most important file types is the executable file. Tight controls are placed on which programs can be executed in a domain and who can modify them. Destructive software, such as viruses and Trojan horses, can be stopped cold because they cannot modify the executable files.
Providing separation of applications is not enough to ensure security; you must also control how the information flows through the system. Type enforcement creates a kind of pipeline to organize data flow between programs (see the figure "Assured Pipeline").
cations are part of larger systems. To assure that information moves securely, type enforcement controls the data each program can read and write. Each program can only read from the stage in front of it and write to the next stage of the pipeline. No stage of the pipeline can be skipped, and how the data flows through the system is tightly controlled.
A divide-and-conquer approach to building secure applications is another advantage of assured pipelines. By splitting a large program into smaller pieces, it is easier to analyze and be sure the pieces are operating correctly.
For example, suppose you wanted all the outgoing mail messages to be digitally signed before leaving your network, to prove who sent the message. You could modify the word processor to include the digital signature, but it would be difficult to make sure you modified it in all the correct places. If instead you created a program whose job was to check for the digital signature, you could feel confident the program was working
correctly. By using an assured pipeline, you can make sure no data reaches the network software unless it has passed through the new data filter.
Type Enforcement in a Firewall
Today, type enforcement has been incorporated in a firewall to provide flexible isolation between networks. Isolation between the Internet and an organization's internal network is extremely important to protect against malicious attack. Type enforcement offers an ideal mechanism to isolate internal corporate and organizational networks from the Internet.
If a firewall is to secure internetwork access, placing it on an insecure platform makes little sense. Incorporating type enforcement allows for a flexible policy to be enforced. Equally important is to make the policy mandatory -- do not let key security information be changed while the system is connected to the hostile network. This eliminates the possibility of "helpful reconfigurations" by Internet hackers.
Separate the two networks on the
inside of the machine. An Internet firewall's prime goal is to keep the information separate until a security check has been performed to verify that the information is permitted to cross the policy-driven barrier. The solution is network stack separation, using two distinct network cards.
A type-enforcement firewall with two network cards can also always tell where information originated, no matter how clever the intruder. The two network feeds are connected to two domain-separated network drivers, thus preventing network protocol spoofing (i.e., an advanced hacking technique where attackers handcraft network packets to mask their true origin). The two stacks maintain control over the information coming from either side. Only software defined and controlled by type enforcement can determine which information may move between networks (see the figure "Using Type Enforcement in a Firewall" below).
Always be on the lookout for malicious acts. If any software on the system tries to access information
outside its bucket, either the software is flawed or a potentially harmful entity is controlling it. Take control of the situation. Watch the software more closely through auditing, or shut the software down immediately.
Finally, apply the concept of least privilege. By limiting the privilege a system has, the amount of damage that can be caused if that system is compromised can be limited. Consider, for example, the sendmail program. It is the network server that receives and forwards mail on most Internet hosts. Unfortunately, sendmail has been littered with vulnerabilities that have let attackers take control of an entire system. The latest vulnerability revolved around the syslog system call letting attackers overwrite sendmail's stack and take control of sendmail. Once in control, the attackers started an interactive shell program and launched their attack on the rest of the system.
Using type enforcement and least privilege prevents the syslog vulnerability from being exploited without chan
ging the sendmail code. Sendmail is placed in a separate domain that can only read data from the external network and write data into the queues to be forwarded to the internal network. Sendmail cannot cause other programs to be created or executed.
Even if the attacker got control of sendmail, all he or she could do is interrupt the mail service, which could have been done anyway using a network flooding attack. Because type enforcement controls execution, the hacker could not even execute an interactive shell and would have no hope of penetrating other domains.
Not Just for Firewalls
Many other applications can be secured cost-effectively using type enforcement. Nowhere is security as critical as it is in cryptographic systems. Key management controls, encryption algorithms, key distribution, public-key repositories, and other critical subsystems can all be tightly controlled in their own protected domains.
Applying type enforcement and its data separation is a natura
l extension to databases containing sensitive information. And in environments where strict controls are placed on communications resources, type enforcement can control access to the communications resources and make sure that the software allocating the resources cannot be tampered with or bypassed.
By their nature, secure systems are more expensive to build. As a result, secure products often lag behind in current functionality. If you are going to get the features into secure systems in a timely and cost-effective manner, good tools are needed. Nowhere is that more important than in putting the right building blocks in the OS.
The type-enforcement security mechanism gives the OS a solid foundation for securing applications. Type enforcement can be used to protect applications from malicious modification by outsiders, other errant applications, and the application itself.
Domain Definition Table
A file's type specifies what domain, or application, can access the
Application Database User file Network
DBMS Read, write No access No access
Text editor No access Read, write No access
World Wide Web server No access Read Read, write
illustration_link (43 Kbytes)
Using Type Enforcement in a Firewall
illustration_link (29 Kbytes)
A type-enforcement firewall secures data by separating information from the Internet and the internal network.
Dan Thomsen is a senior research scientist at Secure Computing Corp. He is working on the Sidewinder Internet firewall. Winn Schwartau is a security consultant and author of Information Warfare: Chaos on the Electronic Superhighway. They can be reached on the Internet at
or on BIX c/o "editors."