Re: Is it possible to determine if a file is being copied ...

So what you are saying is that I should concentrate on the process level
instead of the file level. That would change my design but it seems it
would be more thorough. So basically if a process has read in data from a
“high area” then I would need a driver that would block any writes to a
“low area”. I would allow that process to write data to a high area.

How does this scenario play out using processes?
I open Explorer
I do a copy by right clicking a document that is classified somehow
(so at this point I should not allow Explorer to do any writes to low areas)
I then right click on a non classified document and do a "send to A:".

Now at that point, I don’t want to stop the non classified data because
that is not a problem, but if I set a flag saying explorer can’t do any
writes to low areas this would be a problem even though it is not a
violation.

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of Benson Margulies
Sent: Friday, April 14, 2000 11:08 AM
To: File Systems Developers
Subject: [ntfsd] Re: Is it possible to determine if a file is being copied …

Mr. Mack,

The problem you are trying to solve is addressed in the computer security
business by a concept called Mandatory Access Control, or MAC. In a MAC
system, each piece of data (typically a file) and each process has a label
which determines its security classification. The system imposes rules that
prevent data from flowing across security boundaries. In a MAC system, there
are both levels and categories. Information can’t travel to a less secure
level, and information can’t travel across category boundaries.

Without a MAC security model, what you are trying to do simply cannot be
done. In the explorer, for example, copy/paste of files are two very
distinct operations, and no code in the kernel has any clue about the
relationship between the reading side and the writing.

I cannot remember if the Win32 security model has provisions for MAC. The
presence of security descriptors on all the objects is certainly part of the
required picture, but I don’t know if the descriptors have a place for the
right information.

Since processes (like the explorer) read data into memory, the granularity
of many MAC decisions is at the process. If a process has permission to read
any ‘high security’ data then it can’t have permission to write any ‘low
security’ data, except via special system calls that ensure that the source
data is low security.

Essentially, it boils down to this.

Step 1: prevent all writes outside ‘your system’.

Step 2: provide a special driver that allows writes outside your system only
of carefully identified materials.


Benson Margulies
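The process-level model Benson describes (a process that has read ‘high’ data can no longer write ‘low’ data, except through a special channel that verifies the source is low) and the Explorer "send to A:" worry in the reply above can be played through in a small simulation. The following Python reference monitor is an added example written for this thread; it is not code from either poster and has nothing to do with a real Windows filter driver. The file names, the two-level LOW/HIGH lattice (no categories) and the process high-water-mark rule are constructed assumptions for illustration.

```python
"""Toy reference monitor for a process-level MAC model (added example).

Labels are two levels, LOW < HIGH (the categories mentioned in the thread are
omitted).  Every file carries a level.  Every process carries a level that
floats up to the highest level it has read (a "high-water mark").  An
ordinary write is allowed only if the target area's level is at least the
process level ("no write down").  A separate trusted copy channel decides on
the *source file's* label instead of the process's mark; that is the
"special driver" of Step 2, which lets low data out of a process that has
also touched high data.
"""
from dataclasses import dataclass, field

LOW, HIGH = 0, 1
NAME = {LOW: "low", HIGH: "high"}


class MacViolation(Exception):
    """Raised when an operation would move data down a level."""


@dataclass
class File:
    name: str
    level: int
    data: bytes = b""


@dataclass
class Process:
    name: str
    level: int = LOW                             # high-water mark
    memory: dict = field(default_factory=dict)   # file name -> bytes read
    audit: list = field(default_factory=list)    # human-readable decision log


class ReferenceMonitor:
    """Mediates every read, write and copy between processes and files."""

    def __init__(self):
        self.files = {}

    def create(self, name, level, data=b""):
        self.files[name] = File(name, level, data)

    def read(self, proc, name):
        # Every process is assumed cleared to read both levels; the read is
        # recorded by raising the process's high-water mark.
        f = self.files[name]
        proc.memory[name] = f.data
        if f.level > proc.level:
            proc.level = f.level
            proc.audit.append(f"read {name}: {proc.name} floats to {NAME[f.level]}")
        return f.data

    def write(self, proc, name, level, data):
        # Ordinary write path: compare the target area with the process mark.
        target = self.files.get(name) or File(name, level)
        if target.level < proc.level:
            proc.audit.append(f"DENY write {name}: {NAME[proc.level]} process "
                              f"into {NAME[target.level]} area")
            raise MacViolation(f"{proc.name} may not write to {name}")
        target.data = data
        self.files[name] = target
        proc.audit.append(f"write {name}: ok")

    def trusted_copy(self, proc, src, dst, dst_level):
        # Step 2 channel: file-to-file copy that never passes through the
        # process's memory, so the source file's own label is what counts.
        s = self.files[src]
        if dst_level < s.level:
            proc.audit.append(f"DENY trusted copy {src} -> {dst}: source is {NAME[s.level]}")
            raise MacViolation(f"{src} is {NAME[s.level]}, cannot go to {NAME[dst_level]}")
        self.files[dst] = File(dst, dst_level, s.data)
        proc.audit.append(f"trusted copy {src} -> {dst}: ok")


def explorer_scenario():
    """Replays the Explorer sequence from the reply and returns the outcomes."""
    rm = ReferenceMonitor()
    rm.create("c:/secret/plan.doc", HIGH, b"classified plan")   # constructed
    rm.create("c:/public/memo.txt", LOW, b"lunch menu")          # constructed
    explorer = Process("explorer")
    result = {}

    # A fresh Explorer may write to the floppy: nothing high has been read yet.
    rm.write(explorer, "a:/note.txt", LOW, b"hello")
    result["fresh_write_low"] = "allowed"

    # Copying a classified document reads it, which marks the whole process high.
    rm.read(explorer, "c:/secret/plan.doc")
    result["explorer_level"] = NAME[explorer.level]

    # "Send to A:" of an unclassified memo via the ordinary path is now refused
    # even though the memo itself is low: the false positive raised in the reply.
    rm.read(explorer, "c:/public/memo.txt")
    try:
        rm.write(explorer, "a:/memo.txt", LOW, explorer.memory["c:/public/memo.txt"])
        result["plain_write_after_high_read"] = "allowed"
    except MacViolation:
        result["plain_write_after_high_read"] = "denied"

    # The trusted channel judges the source file, so the memo gets through...
    rm.trusted_copy(explorer, "c:/public/memo.txt", "a:/memo.txt", LOW)
    result["trusted_copy_low"] = "allowed"
    # ...while the classified document still does not.
    try:
        rm.trusted_copy(explorer, "c:/secret/plan.doc", "a:/plan.doc", LOW)
        result["trusted_copy_high"] = "allowed"
    except MacViolation:
        result["trusted_copy_high"] = "denied"

    result["floppy_files"] = sorted(n for n in rm.files if n.startswith("a:/"))
    return result, explorer.audit


if __name__ == "__main__":
    outcome, log = explorer_scenario()
    for line in log:
        print(line)
    print(outcome)
```

The point the simulation makes is the one both posters circle around: once the label lives on the process, the ordinary write path has no way to know which bytes in Explorer's memory came from where, so it must refuse the whole write; only a channel that re-reads the source under the monitor's control (the "special system calls" and "special driver" of the original message) can let the unclassified memo out without also letting the classified plan out.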

