I-0451: When To Use IFF/IFC And ACC/ACF




  This transaction consists of a proposal for a NIAP Interpretation of a
  Common Criteria document. It is being posted in accordance with the
  procedures of the IWG.

  Comments on this proposal are welcomed and should be posted to this
  transaction chain.  If any party wishes to post a comment anonymously,
  the comment should be mailed to cc-cmt@nist.gov in a form suitable for
  posting.  All comments should be posted no later than Monday, January
  27, 2003.


                      CCITSE/CEM  GUIDANCE (PROPOSED)


     _________________________________________________________________

                    I-0451: When To Use IFF/IFC And ACC/ACF
     _________________________________________________________________

TYPE:                 Guidance
NUMBER:               I-0451
STATUS:               Ready for External Review

TITLE:                When To Use IFF/IFC And ACC/ACF
COMMENTS DUE BY:      Monday, January 27, 2003 to cc-cmt@nist.gov

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 6.1 FDP_ACC
                      CC v2.1 Part 2 Subclause 6.2 FDP_ACF
                      CC v2.1 Part 2 Subclause 6.5 FDP_IFC
                      CC v2.1 Part 2 Subclause 6.6 FDP_IFF
RELATED TO:           <None>

ISSUE:

   When is it appropriate to use IFF/IFC or ACC/ACF? In particular, for
   an environment where there is an externally defined policy and no
   attributes on objects, should IFF/IFC be used?

STATEMENT:

   ACC/ACF should be used when access control is to the level of the
   container of the data (e.g., Discretionary Access Control). IFF/IFC
   should be used when access control is to be on the information,
   independent of the container (e.g., Mandatory Access Control).

SUPPORT:

   When the Common Criteria was first written, the goal on the functional
   side was to capture the policies that were present in the previous
   criteria that served as inspiration. In the case of the Trusted
   Computer System Evaluation Criteria, this was Discretionary Access
   Control (DAC) and Mandatory Access Control (MAC). However, at this
   time, there was an effort not to use terms that brought with them
   specific connotations--hence, many TCSEC terms were not used in the
   CC.

   The original intent was that "Access Control" (ACC/ACF) was to be able
   to capture DAC policies, and "Information Flow" was to be able to
   capture MAC policies. The terms chosen were based on the unique
   characteristics of each type of policy:


     * Discretionary Access Control policies typically serve to control
       access to a container. Once access to the container has been
       granted, the information may be copied out of the container and
       written to a different container with potentially broader access.

     * Mandatory Access Control policies typically control access to
       information. Even if the information is copied from the container
       once access is granted, when this information is subsequently
       rewritten, it is beyond the control of the subject to write it
       with broader access rights (in terms of information flow). To use
       a concrete example: If a SECRET process reads an UNCLASSIFIED
       file, any subsequent writing of that information will be
       classified SECRET, which is more restrictive.

   Both policies use attributes to make their policy decisions. IFF/IFC
   refers to attributes of the information, whereas ACC/ACF refers to
   attributes of the object. How do these differ?

   For the most part, they don't. But consider a file object that is
   implemented internally as a collection of segments. If I am only
   labeling the container (attributes of the object), I can put the
   relevant attributes in the file description table. The underlying
   segments need not have attributes independent of this file description
   table. On the other hand, if I must attach the attributes to the
   information, then each segment must have information flow attributes
   attached, independent of any attributes in a file description table.

   Nowadays, the use of ACC/ACF and IFC/IFF has broadened beyond the
   original DAC and MAC usages. They are being used for all forms of
   creative policies. The key determinant is what is labeled: the
   container or the information.

   Policies are flexible. Consider a Role Based Access Control policy.
   This is actually a combination of an Access Control (ACC/ACF) policy
   and Management Roles. The access control policy makes access decisions
   based on the role of the subject (not its identity or label) and on
   the roles that are permitted access to the container or program. The
   management roles then serve to define which roles exist and who may
   hold them.
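   As an added illustration (not part of I-0451), the model below splits
   RBAC exactly along that line: an ACC/ACF-style decision that compares
   the subject's roles with the roles the object permits for an operation,
   and a separate management layer in which only a holder of a manager
   role may change role bindings. The class and role names, the subjects
   "root" and "carol", and the sample object are hypothetical and
   constructed inline.

```python
"""RBAC as an access control policy on roles plus management roles.

Added illustration for I-0451; not code from the interpretation or from
any evaluated TOE.  All names and sample data are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Object:
    """A container or program.  Its only policy attribute is which roles
    may perform which operation on it (an attribute of the object)."""
    name: str
    permitted_roles: dict  # operation -> set of role names


class Rbac:
    def __init__(self, manager_role="security_admin"):
        self.manager_role = manager_role
        self.roles = {}  # subject -> set of roles currently held

    # --- management roles: who may define and hand out roles ----------
    def assign_role(self, actor, subject, role):
        if self.manager_role not in self.roles.get(actor, set()):
            raise PermissionError(f"{actor} does not hold {self.manager_role}")
        self.roles.setdefault(subject, set()).add(role)

    # --- access control: decision on roles, not identity or label -----
    def check(self, subject, operation, obj):
        held = self.roles.get(subject, set())
        allowed = obj.permitted_roles.get(operation, set())
        return bool(held & allowed)


def scenario():
    """Returns the outcome of three requests against a payroll object."""
    tsf = Rbac()
    tsf.roles["root"] = {"security_admin"}  # bootstrap the first manager
    payroll = Object("payroll.db",
                     {"read": {"hr_clerk", "auditor"}, "write": {"hr_clerk"}})
    tsf.assign_role("root", "carol", "auditor")
    results = {
        "carol reads": tsf.check("carol", "read", payroll),
        "carol writes": tsf.check("carol", "write", payroll),
    }
    try:
        # carol is not a manager, so she cannot promote herself to hr_clerk
        tsf.assign_role("carol", "carol", "hr_clerk")
        results["self-grant"] = "allowed"
    except PermissionError:
        results["self-grant"] = "denied"
    return results


if __name__ == "__main__":
    for request, outcome in scenario().items():
        print(f"{request}: {outcome}")
```

   Note that the access decision never looks at who carol is, only at
   which roles she holds, while the question of who may give her a role
   is answered by a different rule altogether.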




