-rw-r--r-- | share/man/man9/mac_biba.9 | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/share/man/man9/mac_biba.9 b/share/man/man9/mac_biba.9 new file mode 100644 index 0000000..b301bdf --- /dev/null +++ b/share/man/man9/mac_biba.9 
@@ -0,0 +1,182 @@ +.\" Copyright (c) 2002 Networks Associates Technology, Inc. +.\" All rights reserved. +.\" +.\" This software was developed for the FreeBSD Project by Chris +.\" Costello at Safeport Network Services and NAI Labs, the Security +.\" Research Division of Network Associates, Inc. under DARPA/SPAWAR +.\" contract N66001-01-C-8035 ("CBOSS"), as part of the DARPA CHATS +.\" research program. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHORS AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $FreeBSD$ +.Dd NOVEMBER 18, 2002 +.Os +.Dt MAC_BIBA 9 +.Sh NAME +.Nm mac_biba +.Nd Biba data integrity policy +.Sh SYNOPSIS +.Cd "options MAC" +.Li "kldload mac_biba" +.Sh DESCRIPTION +The +.Nm +policy module implements the Biba integrity model, +which protects the integrity of system objects and subjects by means of +a strict information flow policy. +In Biba, all system subjects and objects are assigned integrity labels, made +up of hierarchal grades, and non-hierarchal components. +Together, these label elements permit all labels to be placed in a partial +order, with information flow protections based on a dominance operator +describing the order. +The hierarchal grade field is expressed as a value between 0 and 65535, +with higher values reflecting higher integrity. +The non-hierarchal compartment field is expressed as a set of up to 256 +components, numbered from 0 to 255. +A complete label consists of both hierarchal and non-hierarchal elements. +.Pp +Three special label values exist: +.Bl -column -offset indent ".Sy Label" ".Sy Comparison" +.It Sy Label Ta Ta Sy Comparison +.It Li biba/low Ta Ta Ta lower than all other labels +.It Li biba/equal Ta equal to all other labels +.It Li biba/high Ta higher than all other labels +.El +.Pp +The +.Dq biba/high +label is assigned to system objects which affect the ingrity of the system +as a whole. +.Dq biba/equal +may be used to indicate that a particular subject or object is exempt from +the Biba protections. +These special label values are not specified as containing any compartments, +although in a label comparison, +.Dq biba/high +appears to contain all compartments, +.Dq biba/equal +the same compartments as the other label to which it is being compared, +and +.Dq biba/low +none. +.Pp +Almost all system objects are tagged with a single, active label element, +reflecting the integrity of the object, or integrity of the data contained +in the object. 
+In general, objects labels are represented in the following form: +.Pp +.Dl biba/grade:compartments +.Pp +For example: +.Pp +.Bd -literal -offset indent +biba/10:2,3,6 +biba/low +.Ed +.Pp +Subject labels consist of three label elements: a single (active) label, +as well as a range of available labels. +This range is represented using two ordered Biba label elements, and when set +on a process, permits the process to change its active label to any label of +greater or equal integrity to the low end of the range, and lesser or equal +integrity to the high end of the range. +In general, subject labels are represented in the following form: +.Pp +.Dl biba/singlegrade:singlecompartments(lograde:locompartments- +.Dl higrade:hicompartments) +.Pp +For example: +.Bd -literal -offset indent +biba/10:2,3,6(5-20:2,3,4,5,6) +biba/high(low-high) +.Ed +.Pp +Valid ranged labels must meet the following requirement regarding their +elements: +.Pp +.Dl rangehigh >= single >= rangelow +.Pp +One class of objects with ranges currently exists, the network interface. +In the case of the network interface, the single label element references the +default label for packets received over the interface, and the range +represents the range of acceptable labels of packets to be transmitted over +the interface. +.Pp +In general, Biba access control takes the following model: +.Bl -bullet +.It +A subject at the same integrity level as an object may both read from +and write to the object as though Biba protections were not in place. +.It +A subject at a higher integrity level than an object may write to the object, +but not read the object. +.It +A subject at a lower integrity level than an object may read the object, +but not write to the object. +.It +If the subject and object labels may not be compared in the partial order, +all access is restricted. 
+.El +.Pp +These rules prevent subjects of lower integrity from influencing the +behavior of higher integrity subjects by preventing the flow of information, +and hence control, from allowing low integrity subjects to modify either +a high integrity object or high integrity subjects acting on those objects. +Biba integrity policies may be appropriate in a number of environments, +both from the perspective of preventing corruption of the operating system, +and corruption of user data if marked as higher integrity than the attacker. +In traditional trusted operating systems, the Biba integrity model is used +to protect the Trusted Code Base (TCB). +.Pp +The Biba integrity model is similar to +.Xr LOMAC 9 , +with the exception that LOMAC permits access by a higher integrity subject +to a lower integrity object, but downgrades the integrity level of the subject +to prevent integrity rules from being violated. +Biba is a fixed label policy in that all subject and object label changes are +explicit, whereas LOMAC is a floating label policy. +.Pp +The Biba integrity model is also similar to +.Xr mac_mls 9 , +with the exception that the dominance operator and access rules are reversed, +preventing the downward flow of information rather than the upward flow of +information. +Multi-Level Security (MLS) protects the confentiality, rather than the +integrity, of subjects and objects. +.Sh SEE ALSO +.Xr LOMAC 9 , +.Xr mac 9 , +.Xr mac_mls 9 +.Sh HISTORY +The +.Nm +policy module first appeared in +.Fx 5.0 +and was developed by the TrustedBSD Project. +.Sh AUTHORS +This software was contributed to the +.Fx +Project by Network Associates Labs, +the Security Research Division of Network Associates +Inc. under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), +as part of the DARPA CHATS research program. |
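Review bot: The special-label table in DESCRIPTION declares two columns (".Sy Label" and ".Sy Comparison") but its rows use different numbers of Ta separators: the header row has two, the biba/low row has three, and the biba/equal and biba/high rows have one, so the comparison text will not line up under its heading. Use a single Ta in every row. There are also several spelling slips in the same section to fix before this goes in: "ingrity" in the biba/high paragraph, "objects labels" in the sentence introducing the object label form, and "confentiality" in the mac_mls comparison. The text switches between "compartments" and "components" for the non-hierarchical field ("compartment field is expressed as a set of up to 256 components"); pick one term, since the label syntax below calls them compartments. TCB is expanded as "Trusted Code Base"; the usual expansion is Trusted Computing Base. Finally, the sentence beginning "These rules prevent subjects of lower integrity" does not parse around "by preventing the flow of information, and hence control, from allowing low integrity subjects to modify"; it is the paragraph that states the security guarantee, so it is worth rewording so that it says plainly which flows are blocked.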