MAC-Enabled Open Standards IT Systems


Mandatory Access Control
Principles
  • With MAC, an operating system limits the ability of an initiator to access, or perform actions on, objects such as files, directories, network ports and memory blocks.

  • Every access or action is checked against a set of rules (policy) to decide whether it's allowed. Violations of the rules are logged and can generate notifications.
The State of MAC
  • Linux gained MAC in 2000. MS Windows still doesn't have MAC.

  • Around 2008 Windows moved a little closer to MAC, but the design (MIC, Mandatory Integrity Control) is fundamentally wrong, since it uses levels of access rather than types.

  • If MS Windows had MAC it would not need ever more numerous, complex and fragile defence mechanisms to compensate for its absence, mechanisms which can often be bypassed.

  • You can read another expert's comments here.
Web Server MAC example
  • If a way is found to upload malware to a MAC-protected web server, the MAC rules for the web server prevent the malware from being executed; in fact those rules prevent the web server from executing any file at all.
DNS Server MAC example
  • In July 2020 a serious MS Windows vulnerability was reported, whereby sending certain data to a Windows DNS (Domain Name System) server made it possible to gain Domain Administrator privileges.

  • An equivalent vulnerability on a MAC-enabled system does not enable a privilege increase, because the MAC rules for the DNS server prevent it from executing any privilege-increasing software.
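As an added illustration (constructed for this page, not code from IOPEN or from SELinux itself), the following Python model of type enforcement walks through the web server and DNS server cases above: rules are keyed on types rather than levels, so a web server may read uploaded content but never execute it, and a DNS daemon cannot run any privilege-raising program. The type names are modelled on SELinux reference policy names; the file paths and the policy table are assumptions made for the example.

```python
# Constructed toy model of type enforcement (the type-based MAC style used by
# SELinux), written for this page; it is not SELinux or kernel code.
# Every process and object carries a type label, and an access is allowed only
# if an explicit "allow source target:class perms" rule exists for those types.
# MAC is checked in addition to the ordinary permission bits (DAC): it can only
# take access away, never grant what DAC already refuses.

# Policy table, constructed for this example with type names modelled on the
# SELinux reference policy: (source_type, target_type, class) -> permissions.
POLICY = {
    ("httpd_t", "httpd_sys_content_t", "file"): {"read", "getattr", "open"},
    ("httpd_t", "httpd_sys_rw_content_t", "file"): {"read", "write", "create", "open"},
    ("named_t", "named_zone_t", "file"): {"read", "getattr", "open"},
    ("named_t", "named_cache_t", "file"): {"read", "write", "create"},
    ("named_t", "dns_port_t", "udp_socket"): {"name_bind"},
    # Deliberately no rule grants "execute" to httpd_t or named_t on any file.
}

DENIAL_LOG = []  # stands in for the audit log where MAC violations are recorded

def check_access(src, tgt, cls, perm, path="?", dac_permits=True):
    """Return True if both DAC and the MAC policy allow the access; log MAC denials."""
    mac_allows = perm in POLICY.get((src, tgt, cls), set())
    if not mac_allows:
        DENIAL_LOG.append(
            f"avc: denied {{ {perm} }} for path={path} "
            f"scontext={src} tcontext={tgt} tclass={cls}"
        )
    return dac_permits and mac_allows

def web_upload_scenario():
    """Malware uploaded into the web root (constructed path): it can be served
    as content, but the web server process cannot execute it, even with mode 0755."""
    path = "/var/www/html/uploads/evil.php"
    served = check_access("httpd_t", "httpd_sys_rw_content_t", "file", "read", path)
    run = check_access("httpd_t", "httpd_sys_rw_content_t", "file", "execute", path)
    return served, run

def dns_compromise_scenario():
    """A compromised DNS daemon tries to run a setuid binary (constructed path):
    no rule lets named_t execute anything, so no privilege can be gained."""
    return check_access("named_t", "bin_t", "file", "execute", "/usr/bin/sudo")

if __name__ == "__main__":
    print("web:", web_upload_scenario(), "dns:", dns_compromise_scenario())
    print("\n".join(DENIAL_LOG))
```

Each denied call appends an AVC-style line to DENIAL_LOG, which is the point the page makes about violations being logged and available for notifications.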
Further MAC use
  • We provide systems based on CentOS Linux. Its MAC subsystem is called SELinux; it is enabled by default and its policy is comprehensive.

  • Every service is protected in an appropriate way, so that if a vulnerability is found, any exploit attempts are either completely blocked or severely restricted.

  • Rules also exist for limited-access user accounts, for example a user account that does not have network access.

  • It's not hard to add extra rules for even-more-specialised uses.
Copyright 2019-2020 : IOPEN Technologies Ltd