B1 security in System V (was Re: Implications...)
Steven M. Bellovin
smb at ulysses.homer.nj.att.com
Tue Nov 15 05:15:21 AEST 1988
In article <10192 at swan.ulowell.edu>, arosen at hawk.ulowell.edu (MFHorn) writes:
>
> What does this product do to get this rating?
I know about AT&T's System V/MLS; let me describe it a bit. For those
who want more details, see the May/June 1988 issue of the AT&T
Technical Journal. I'll start by quoting from the introduction:
``System V/MLS adds several security enhancements to the
standard UNIX system, including mandatory access controls based
on labels consistent with the DoD classification scheme,
improved protection of passwords, extensive auditing, boot-time
assurance measures to detect the introduction of malicious
code, and restriction of certain capabilities that historically
have been responsible for security failures.
The most interesting change is the way mandatory labels are
implemented. What's done is to reinterpret the GID. Rather than being
used for a simple equality check, the System V/MLS GID is used as a
pointer to a label table; this table gives the security level,
compartment information, etc.
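The label-table idea described above, modelled as an added example (not code from the post or from AT&T's System V/MLS): a group ID is treated as an index into a label table rather than as an identity compared for equality, and the labels it yields are compared by lattice dominance. The level ordering, the compartment handling, and the "no read up" / "no write down" rules are assumptions drawn from the Bell-LaPadula model, not details given in the post; the table contents are constructed.

```python
# Added example, not from the post or System V/MLS: reinterpreting a GID as
# a pointer into a label table and checking mandatory access on the labels.
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Assumed total order on classification levels (Bell-LaPadula style).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # Lattice dominance: higher-or-equal level AND a superset of compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


# Constructed label table keyed by GID. In the scheme the post describes, the
# GID stored on a process or file selects an entry here; it is not compared
# for equality with another GID.
LABEL_TABLE: Dict[int, Label] = {
    100: Label("UNCLASSIFIED", frozenset()),
    101: Label("SECRET", frozenset({"CRYPTO"})),
    102: Label("SECRET", frozenset({"CRYPTO", "NUCLEAR"})),
    103: Label("TOP_SECRET", frozenset({"CRYPTO"})),
}


def label_of(gid: int) -> Label:
    """Resolve a GID to its label; a GID with no entry is treated as unlabelled."""
    if gid not in LABEL_TABLE:
        raise KeyError(f"GID {gid} has no label table entry")
    return LABEL_TABLE[gid]


def may_read(subject_gid: int, object_gid: int) -> bool:
    # Simple security property ("no read up"): subject label dominates object label.
    return label_of(subject_gid).dominates(label_of(object_gid))


def may_write(subject_gid: int, object_gid: int) -> bool:
    # *-property ("no write down"): object label dominates subject label.
    return label_of(object_gid).dominates(label_of(subject_gid))


def check_access(subject_gid: int, object_gid: int, mode: str) -> bool:
    """Mandatory check for mode 'r' or 'w'; any unlabelled GID is denied."""
    try:
        if mode == "r":
            return may_read(subject_gid, object_gid)
        if mode == "w":
            return may_write(subject_gid, object_gid)
        return False
    except KeyError:
        return False


if __name__ == "__main__":
    # SECRET{CRYPTO,NUCLEAR} reading SECRET{CRYPTO}: allowed (dominates).
    print(check_access(102, 101, "r"))
    # TOP_SECRET{CRYPTO} reading SECRET{CRYPTO,NUCLEAR}: denied (missing compartment).
    print(check_access(103, 102, "r"))
```

The compartment check is what makes this a lattice rather than a plain ladder of levels: a higher classification alone does not grant read access to a compartment the subject does not hold, and the unlabelled-GID case falls through to deny rather than to the old equality semantics.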