High assurance discretionary access control for object bases

Abstract

Discretionary access control, based on checking access requests against users' authorizations, does not provide any way of restricting the usage of information once it has been 'legally' accessed. This makes discretionary systems vulnerable to Trojan Horses maliciously leaking information. Therefore the need arises for providing additional controls limiting the indiscriminate flow of information in the system. This paper proposes a message filter complementing discretionary authorization control in object-oriented systems to limit the vulnerability of authorization systems to Trojan Horses. The encapsulation property of the object-oriented data model, which requires that access to objects be possible only through defined methods, makes information flow in such systems have a very concrete and natural embodiment in the form of messages and their replies. As a result, information information flow can be controlled by mediating the transmission of messages exchanged between objects. The message filter intercepts every message exchanged between objects to ensure that information is not leaked to objects accessible by users not allowed for it.