RE: I-0451: When To Use IFF/IFC And ACC/ACF



I would prefer if the wording of this interpretation shed more light on
whether an "in-between" policy should be defined as IFC or ACC. For
example, if I have a policy where objects have a "domain" and subjects
have a list of accessible domains, a subject could read
container/information from one object and then write the information to
an object with a different domain. This looks like ACC in that the
attribute of the information does not necessarily stay with the
information, but it looks like IFC in that the subject is very
restricted in which domains it can write the information.

> -----Original Message-----
> From: NIAP Interpretations Board [mailto:ccevs-nib@nist.gov] 
> Sent: Friday, November 15, 2002 3:49 PM
> To: Multiple recipients of list
> Subject: I-0451: When To Use IFF/IFC And ACC/ACF
> 
> 
> 
> 
>   This transaction consists of a proposal for a NIAP Interpretation of a
>   Common Criteria document. It is being posted in accordance with the
>   procedures of the IWG.
> 
>   Comments on this proposal are welcomed and should be posted to this
>   transaction chain.  If any party wishes to post a comment anonymously,
>   the comment should be mailed to cc-cmt@nist.gov in a form suitable for
>   posting.  All comments should be posted no later than Monday, January
>   27, 2003.
> 
> 
>                       CCITSE/CEM  GUIDANCE (PROPOSED)
> 
> 
>      _________________________________________________________________
> 
>                     I-0451: When To Use IFF/IFC And ACC/ACF
>      _________________________________________________________________
> 
> TYPE:                 Guidance
> NUMBER:               I-0451
> STATUS:               Ready for External Review
> 
> TITLE:                When To Use IFF/IFC And ACC/ACF
> COMMENTS DUE BY:      Monday, January 27, 2003 to cc-cmt@nist.gov
> 
> SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 6.1 FDP_ACC
>                       CC v2.1 Part 2 Subclause 6.2 FDP_ACF
>                       CC v2.1 Part 2 Subclause 6.5 FDP_IFC
>                       CC v2.1 Part 2 Subclause 6.6 FDP_IFF
> RELATED TO:           <None>
> 
> ISSUE:
> 
>    When is it appropriate to use IFF/IFC or ACC/ACF? In particular, for
>    an environment where there is an externally defined policy and no
>    attributes on objects, should IFF/IFC be used?
> 
> STATEMENT:
> 
>    ACC/ACF should be used when access control is to the level of the
>    container of the data (e.g., Discretionary Access Control). IFF/IFC
>    should be used when access control is to be on the information,
>    independent of the container (e.g., Mandatory Access Control).
> 
> SUPPORT:
> 
>    When the Common Criteria was first written, the goal on the functional
>    side was to capture the policies that were present in the previous
>    criteria that served as inspiration. In the case of the Trusted
>    Computer System Evaluation Criteria, this was Discretionary Access
>    Control (DAC) and Mandatory Access Control (MAC). However, at this
>    time, there was an effort not to use terms that brought with them
>    specific connotations--hence, many TCSEC terms were not used in the
>    CC.
> 
>    The original intent was that "Access Control" (ACC/ACF) was to be able
>    to capture DAC policies, and "Information Flow" was to be able to
>    capture MAC policies. The terms chosen were based on the unique
>    characteristics of each type of policy:
> 
> 
>      * Discretionary Access Control policies typically serve to control
>        access to a container. Once access to the container has been
>        granted, the information may be copied out of the container and
>        written to a different container with potentially broader access.
> 
>      * Mandatory Access Control policies typically control access to
>        information. Even if the information is copied from the container
>        once access is granted, when this information is subsequently
>        rewritten, it is beyond the control of the subject to write it
>        with broader access rights (in terms of information flow). To use
>        a concrete example: If a SECRET process reads an UNCLASSIFIED
>        file, any subsequent writing of that information will be
>        classified SECRET, which is more restrictive.
> 
>    Both policies use attributes to make their policy decisions. IFF/IFC
>    refers to attributes of the information, whereas ACC/ACF refers to
>    attributes of the object. How do these differ?
> 
>    For the most part, they don't. But consider a file object that is
>    implemented internally as a collection of segments. If I am only
>    labeling the container (attributes of the object), I can put the
>    relevant attributes in the file description table. The underlying
>    segments need not have attributes independent of this file description
>    table. On the other hand, if I must attach the attributes to the
>    information, then each segment must have information flow attributes
>    attached, independent of any attributes in a file description table.
> 
>    Nowadays, the use of ACC/ACF and IFC/IFF has broadened beyond the
>    original DAC and MAC usages. They are being used for all forms of
>    creative policies. The key determinant is what is labeled: the
>    container or the information.
> 
>    Policies are flexible. Consider a Role Based Access Control policy.
>    This is actually a combination of an Access Control (ACC/ACF) policy
>    and Management Roles. The access control policy makes access decisions
>    based on the role of the subject (not identity or label) and the role
>    controlling access to the container or program. The management roles
>    then serve to define the permitted roles.
> 
> 
> 
> 
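The container-versus-information distinction in the quoted SUPPORT section (DAC copies data out of a container and its ACL stays behind; under MAC a SECRET process's copy of an UNCLASSIFIED file is itself SECRET), together with the cross-domain copy described in the reply, as an added toy model in Python. This is a constructed example, not code from the proposal, the reply, or any evaluated product. The two-level lattice, the file, subject and domain names, and the rule that written information takes the writing subject's level are assumptions for illustration; the domain case only reproduces the behaviour the reply describes and does not decide whether that policy is ACC or IFC.

```python
# Toy model of the I-0451 distinction (constructed example, not from the
# proposal or the reply).  Three policies are simulated:
#   acc_*    attributes (an ACL) live on the container only      -> ACC/ACF style
#   ifc_*    a label travels with every segment of information   -> IFC/IFF style
#   domain_* the reply's "domain" policy: objects have a domain,
#            subjects have a set of accessible domains
from dataclasses import dataclass, field

LEVEL = {"UNCLASSIFIED": 0, "SECRET": 1}   # assumed two-level lattice


class Denied(Exception):
    """Raised when a policy refuses an operation."""


def denied(op, *args):
    """True when the policy refuses the operation (helper for checks)."""
    try:
        op(*args)
    except Denied:
        return True
    return False


# --- ACC/ACF: the attribute is an ACL on the container --------------------
@dataclass
class Container:
    name: str
    readers: frozenset
    writers: frozenset
    content: list = field(default_factory=list)   # raw data, no label


def acc_read(subject, obj):
    if subject not in obj.readers:
        raise Denied(f"{subject} may not read {obj.name}")
    return list(obj.content)                       # the data leaves its ACL behind


def acc_write(subject, obj, data):
    if subject not in obj.writers:
        raise Denied(f"{subject} may not write {obj.name}")
    obj.content.extend(data)


def acc_scenario():
    """alice copies a restricted container into a broader one; bob reads it."""
    payroll = Container("payroll.txt", frozenset({"alice"}), frozenset({"alice"}), ["salaries"])
    public = Container("public.txt", frozenset({"alice", "bob"}), frozenset({"alice", "bob"}))
    acc_write("alice", public, acc_read("alice", payroll))   # both ACL checks pass
    return acc_read("bob", public)                           # bob was never on payroll's ACL


# --- IFC/IFF: the label is attached to each segment of information --------
@dataclass
class Segment:
    label: str
    data: str


@dataclass
class LabeledFile:
    name: str
    segments: list = field(default_factory=list)   # labels live here, not in a file table


def ifc_read(subject_level, f):
    """Return the data of every segment at or below the subject's level."""
    return [s.data for s in f.segments if LEVEL[s.label] <= LEVEL[subject_level]]


def ifc_write(subject_level, f, data_items):
    """Whatever the subject writes is labeled at the subject's own level (assumed rule)."""
    f.segments.extend(Segment(subject_level, d) for d in data_items)


def ifc_scenario():
    """A SECRET process copies an UNCLASSIFIED file; the copy carries SECRET."""
    weather = LabeledFile("weather.txt", [Segment("UNCLASSIFIED", "sunny")])
    public = LabeledFile("public.txt")
    ifc_write("SECRET", public, ifc_read("SECRET", weather))
    return {
        "labels_in_public": [s.label for s in public.segments],
        "seen_by_UNCLASSIFIED": ifc_read("UNCLASSIFIED", public),
        "seen_by_SECRET": ifc_read("SECRET", public),
    }


# --- The reply's "domain" policy -------------------------------------------
@dataclass
class DomainObject:
    name: str
    domain: str
    content: list = field(default_factory=list)   # raw data, no label


def domain_check(subject_domains, obj):
    if obj.domain not in subject_domains:
        raise Denied(f"domain {obj.domain} not accessible")


def domain_read(subject_domains, obj):
    domain_check(subject_domains, obj)
    return list(obj.content)


def domain_write(subject_domains, obj, data):
    domain_check(subject_domains, obj)
    obj.content.extend(data)


def domain_scenario():
    """A subject with two domains moves data from one domain's object to another's."""
    ledger = DomainObject("ledger", "finance", ["q3-figures"])
    brief = DomainObject("brief", "marketing")
    both = {"finance", "marketing"}
    domain_write(both, brief, domain_read(both, ledger))
    return domain_read({"marketing"}, brief)   # a marketing-only subject now sees finance data


if __name__ == "__main__":
    print("ACC:   bob reads", acc_scenario())
    print("IFC:  ", ifc_scenario())
    print("domain: marketing-only subject reads", domain_scenario())
```

Run it as a script: in the ACC case bob, who is not on payroll.txt's ACL, reads "salaries" from public.txt, because the check only ever guarded the container. In the IFC case the same copy operation leaves public.txt holding a segment labeled SECRET, so an UNCLASSIFIED reader sees nothing and only a SECRET reader sees "sunny". The domain case behaves like the ACC case: the data reaches a subject that can never read the finance object, which is the observation the reply makes.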



