You are hereMultilevel Security / MLS Information Flows

MLS Information Flows


The Multilevel Security policy is concerned with the flow of information from one subject to another. There is a general requirement that information not flow from a "higher" level subject to a "lower" level subject. Flows of information are referred to as channels. For instance, a channel may not exist from a Top Secret user to an Unclassified user as this would allow an Unclassified user access to Top Secret information.

 

Within the Trusted RUBIX DBMS, all SQL operations are controlled to prevent improper information flows. So, for instance, a Confidential user may not SELECT a Top Secret row. Also, a Top Secret user may not UPDATE a Confidential row. A Top Secret user would be permitted to SELECT a Confidential row.

 

In addition to explicit information flow channels, such as selecting a row, Trusted RUBIX also eliminates some covert information flow channels. These are situations where a low level subject can infer information about a "high" level object or subject. Two primary areas where Trusted RUBIX removes illegal covert channels are within the concurrency control algorithm and through the use of polyinstantiation.

 

The following diagram shows the permitted and non-permitted information flows between a representative set of MLS labels. In general, information is allowed to flow from a source to a destination if the destination MLS label dominates (is higher than or equal to) the source MLS label. Note that no information flows are allowed between incomparable MLS labels, such as Top Secret: AB and Top Secret: C. Also note that not all permitted information flows are shown in the diagram, such as from Unclassified: A to Top Secret: AB.

 

MLS Information Flows