Self-revocation Free Downgrading (SRFD)
Introduction

Traditional information flow systems like Biba do not revise the privileges of subjects: once a subject is assigned a certain integrity level, the level does not change (even when it would be safe to lower it). This strict integrity model limits the usability of the system because 1) it requires deciding ahead of time what the proper integrity level is, and 2) some operations that are safe cannot be performed. Low-water-mark policies relaxed the strict integrity policies by allowing subjects to be downgraded to a lower integrity level, solving both problems. They are strictly more usable, as they allow all safe operations to be completed without security violations. However, letting subjects be downgraded can result in self-revocation: a subject's privileges are revoked as a result of downgrading, leading to unexpected failures that applications are not written to handle.
Self-revocation Free Downgrading (SRFD) is, like LOMAC, an integrity policy that follows the low-water-mark approach; it preserves system integrity while preventing self-revocation. Unlike LOMAC, which relies on process groups, SRFD tackles self-revocation based on the actual information flow in the system. Hence, SRFD is more general and can also handle sockets. SRFD maintains constraints about subjects and objects to identify potential self-revocation scenarios. It promotes early failure by constraining subjects from downgrading: instead of denying write operations after a subject has been downgraded, SRFD denies the open operation when a subject tries to open a lower-integrity file. This lets processes handle failures more gracefully, at the point where they expect an error.
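The difference between plain low-water-mark downgrading and SRFD's early failure, as an added toy model (not the SRFD project's code). It assumes integer integrity levels (higher is more trusted) and tracks a subject's held writable handles as the "constraint" that SRFD checks before allowing a downgrade; the file names and levels are constructed.

```python
"""Toy model: low-water-mark downgrading vs. SRFD early failure (constructed example)."""
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when the policy refuses an operation."""


@dataclass
class Subject:
    level: int                                          # current integrity level
    open_for_write: dict = field(default_factory=dict)  # object name -> object level


def open_write(subj: Subject, name: str, obj_level: int) -> None:
    # No write-up: the subject must be at least as trusted as the object.
    if subj.level < obj_level:
        raise Denied(f"write-up to {name}")
    subj.open_for_write[name] = obj_level


def write(subj: Subject, name: str) -> bool:
    # Low-water-mark re-checks at write time; the level may have dropped since open.
    if subj.level < subj.open_for_write[name]:
        raise Denied(f"self-revoked write to {name}")
    return True


def read_lwm(subj: Subject, name: str, obj_level: int) -> None:
    """Plain low-water-mark: always allow the read and downgrade the subject."""
    subj.level = min(subj.level, obj_level)


def read_srfd(subj: Subject, name: str, obj_level: int) -> None:
    """SRFD-style: refuse the open if the downgrade would revoke a held write."""
    new_level = min(subj.level, obj_level)
    revoked = [n for n, lvl in subj.open_for_write.items() if lvl > new_level]
    if revoked:
        raise Denied(f"opening {name} would self-revoke writes to {revoked}")
    subj.level = new_level


def scenario(read_fn, hold_write: bool = True) -> str:
    """Return where the failure surfaces: 'open', 'write', or 'none'."""
    s = Subject(level=2)
    if hold_write:
        open_write(s, "high.log", 2)     # writable handle on a level-2 object
    try:
        read_fn(s, "untrusted.cfg", 1)   # lower-integrity input triggers downgrade
    except Denied:
        return "open"
    if not hold_write:
        return "none"
    try:
        write(s, "high.log")
    except Denied:
        return "write"
    return "none"
```

With a held writable handle, plain low-water-mark fails late at the write, while SRFD fails early at the open; without any conflicting handle both policies allow the downgrade.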
- system integrity assurance
- reasonable performance
- LSM module