Cross Domain Releasability Solutions
Solution: Cross Domain with Releasability Requirement
Requirements:
- Two domains: US and France
- Single table in US domain containing US government employees with three columns: name, pay_grade, organization
- Read-write access by US domain to all rows of table
- Read-only access by France to a subset of rows in the table where pay_grade is less than ten
- France must not see the actual value of organization (e.g., NSA, CIA, etc.) but shall see a "cover" of US Government Employee
- The rows France is allowed to see must be audited
- No access by France to remainder of rows in the table where pay_grade is greater than or equal to 10
Environment of Solution:
- US domain connects to Trusted RUBIX server platform on network interface fixed with session label Confidential:US
- France domain connects to Trusted RUBIX server platform on network interface fixed with session label Confidential:FR
- Table named xtab created with columns name (string), pay_grade (integer), and organization (string)
- Table xtab populated by US domain
Security Policy of Solution:
- DAC permission given to France on table xtab to allow select
- DAC permission given to US on table xtab to allow all operations
- SPM security policy called US-Access created with target of Confidential:US session label which always evaluates to Permit
- SPM security policy called FR-Access created with target of Confidential:FR session label. Rules are evaluated in order and the policy evaluates to Permit immediately if a rule evaluates to Permit; otherwise, it evaluates to Deny
- The FR-Access policy contains the following rules:
  - Rule1: If the current operation is select and column pay_grade < 10 then Permit
  - Rule2: If the current operation is of type open then Permit
  - Rule3: Deny
- The FR-Access policy contains the following obligations:
  - Obligation 1: On Permit audit with optional audit data set to the value of the name column
  - Obligation 2: On Permit set the field organization to US Government Employee
- SPM security policy set is configured to override the MLS-MAC policy and assigned to table xtab containing policies US-Access and FR-Access. Policies are evaluated in order and the policy set evaluates to Permit immediately if a policy evaluates to Permit; otherwise, it evaluates to Deny
Behavior of Solution:
Any operation on table xtab submitted by US will succeed. Any operation submitted on table xtab by France other than open and select will fail. A select operation on table xtab by France will have all rows where pay_grade >= 10 filtered out of the result set. If the column organization is selected by France its value will always be US Government Employee. All rows selected by France will be audited and the value of the name column will be included in the audit record.
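The evaluation order described above can be checked with a small model. This is an added example, not Trusted RUBIX policy syntax or product code; it models only the SPM policy set, not the DAC permissions. Assumptions: the function names and sample rows are constructed here, a session label that matches neither policy's target falls through to Deny, and an open (which has no row) is audited with empty audit data.

```python
# Simplified model of the policy set above; not Trusted RUBIX syntax or API.
COVER = "US Government Employee"

def us_access(label, op, row):
    """US-Access: targets Confidential:US and always evaluates to Permit."""
    if label != "Confidential:US":
        return None, []                      # target does not match
    return "Permit", []

def fr_access(label, op, row):
    """FR-Access: ordered rules, first Permit wins, otherwise Deny."""
    if label != "Confidential:FR":
        return None, []
    rule1 = op == "select" and row is not None and row["pay_grade"] < 10
    rule2 = op == "open"
    if rule1 or rule2:
        return "Permit", ["audit", "cover"]  # Obligations 1 and 2, on Permit
    return "Deny", []                        # Rule3

def enforce(label, op, row, audit_log):
    """Policy set: first policy to Permit wins, otherwise Deny."""
    for policy in (us_access, fr_access):
        decision, obligations = policy(label, op, row)
        if decision != "Permit":
            continue
        out = dict(row) if row else None     # never mutate the stored row
        if "audit" in obligations:
            audit_log.append((label, op, row["name"] if row else None))
        if "cover" in obligations and out is not None:
            out["organization"] = COVER
        return "Permit", out
    return "Deny", None

def select_all(label, table, audit_log):
    """Open the table, then return only rows the policy set permits."""
    if enforce(label, "open", None, audit_log)[0] != "Permit":
        return None
    rows = (enforce(label, "select", r, audit_log) for r in table)
    return [out for decision, out in rows if decision == "Permit"]

# Constructed sample rows (not real data).
XTAB = [
    {"name": "alice", "pay_grade": 7, "organization": "NSA"},
    {"name": "bob", "pay_grade": 10, "organization": "CIA"},
    {"name": "carol", "pay_grade": 9, "organization": "CIA"},
]
```

Running `select_all` with the Confidential:FR label returns only the rows with pay_grade below 10, each with the cover organization, while the stored rows keep their real values.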
