### How can the TCB support MAC?

[[TCB - Trusted Computing Base|TCB]] must maintain additional information with subjects and objects, which can be stored as meta-data or labels. Unlike [[Authorization#Discretionary access control|DAC]], [[Authorization#Mandatory access control|MAC]] requires labels. These labels can be a combination of a sensitivity level and a compartment. The compartment specifies what topics the data is related to.

Meta-data or labels that can help enforce MAC policies

for an *object*:
1. How sensitive is the data in the object?
2. What integrity level can be assigned to it?
3. What kind of data is contained in the object?

for a *subject*:
1. What kind of data is the subject allowed to access (need-to-know)?
2. Can the user access sensitive data? How sensitive?

Labels help us decide when an access can be allowed.

>[!note]- Does a subject's label $L_1$ show that she should access an object with label $L_2$?
>We need to check/compare labels to answer this question.
>Example:
>Label $L_1 = ( l_1,c_1 )$ where $l_1$ is the level (e.g., how sensitive) and $c_1$ is the compartment that describes the kind of data in the object (e.g., Cyber, offensive)

**Level** typically means how sensitive the data is (e.g., confidential, secret, top secret)

**Compartment** is typically a set (e.g., Cyber arsenal, Conventional Arms, Asia, Europe, America etc.)

### Comparing labels

Properties of label comparison:
1. Comparing labels yields a partial order (not a total order). This means that when we compare two labels, the relationship we get is anti-symmetric, or, $(L_1 \space r \space L_2)$ and $(L_2 \space r \space L_1)$ can't both be true.
   $\text{if } (L_1 \text{ related to } L_2) = \text{True}: \space (L_2 \text{ related to } L_1) = \text{False}$
2. It is transitive.
   $\text{if } (L_1 \text{ related to } L_2) \wedge (L_2 \text{ related to } L_3): \space (L_1 \text{ related to } L_3)$

Important relationships:
- $L_1$ dominates $L_2$ or $L_1 \gt L_2$, if:
  $(L_1.level \ge L_2.level) \wedge (L_1.compartment \supset L_2.compartment)$
  or, in words, $L_1$'s level is at least $L_2$'s level and $L_1$'s compartment contains $L_2$'s compartment
- $L_1$ is dominated by $L_2$ or $L_1 \lt L_2$, if:
  $(L_1.level \le L_2.level) \wedge (L_1.compartment \subset L_2.compartment)$
- $L_1 = L_2$, if:
  $(L_1.level = L_2.level) \wedge (L_1.compartment = L_2.compartment)$
- If none of the above conditions hold, then $L_1$ and $L_2$ are not related, and the pair is not ordered:
  $\exists \space x,y \space \text{s.t.} \space x \in L_1.compartment \wedge x \notin L_2.compartment \wedge y \notin L_1.compartment \wedge y \in L_2.compartment$

### Lattice Structure

Partially ordered things like the MAC labels make a lattice structure.
- Poset → partially ordered set
- Least upper bound (LUB) → Least label that can dominate both $L_1$ and $L_2$
    - $LUB(L_1, L_2) \ge L_1 \wedge LUB(L_1, L_2) \ge L_2$ and if $\exists$ label $L$ s.t. $L \ge L_1 \wedge L \ge L_2$, then
        - $L \ge LUB(L_1, L_2)$
- Greatest lower bound (GLB) → Greatest label that can be dominated by both $L_1$ and $L_2$
    - $GLB(L_1, L_2) \le L_1 \wedge GLB(L_1, L_2) \le L_2$ and if $\exists$ label $L$ s.t. $L \le L_1 \wedge L \le L_2$, then
        - $L \le GLB(L_1, L_2)$

Lattice example → Subsets of a set

![[attachments/Screenshot 2023-06-10 at 6.51.47 PM.png]]

In this example,
- $n = 3$, i.e., there are three elements
- The empty set has none of the elements
- Circles are compartments or sets
- Arrows are relationships. If A → B, then B dominates A
- The order being partial (not total) shows in pairs such as C & H, C & (H, N), etc. These pairs are not related, because each has an element that the other one doesn't have.
- GLB → $\emptyset$ and LUB → (C,H,N)

---
#comfort-hard
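
One way to implement the label comparison and the LUB/GLB described above, as an added example that is not part of the original note. It assumes $\supset$ is read as "contains or equals", uses the note's example levels as an ordered list, and the names `Label`, `label`, `dominates`, `compare`, `lub` and `glb` are hypothetical. It also covers one case beyond the note's "not related" condition: a higher level paired with a smaller compartment.

```python
from dataclasses import dataclass

# Level names from the note, ordered from least to most sensitive (assumed ordering).
LEVELS = ("confidential", "secret", "top secret")

@dataclass(frozen=True)
class Label:
    level: str
    compartment: frozenset

    @property
    def rank(self):
        return LEVELS.index(self.level)

def label(level, *compartment):
    return Label(level, frozenset(compartment))

def dominates(a, b):
    """a dominates b: level at least as high AND compartment contains b's (equality allowed)."""
    return a.rank >= b.rank and a.compartment >= b.compartment

def compare(a, b):
    """Return 'equal', 'dominates', 'dominated' or 'unrelated' for the pair (a, b)."""
    ab, ba = dominates(a, b), dominates(b, a)
    if ab and ba:
        return "equal"
    if ab:
        return "dominates"
    if ba:
        return "dominated"
    return "unrelated"  # partial order: neither label dominates the other

def lub(a, b):
    """Least label dominating both: the higher level, union of compartments."""
    return Label(LEVELS[max(a.rank, b.rank)], a.compartment | b.compartment)

def glb(a, b):
    """Greatest label dominated by both: the lower level, intersection of compartments."""
    return Label(LEVELS[min(a.rank, b.rank)], a.compartment & b.compartment)

# Constructed sample labels using the C, H, N elements from the lattice figure.
subject = label("secret", "C", "H")
obj_a = label("confidential", "C")   # lower level, subset compartment
obj_b = label("top secret", "C")     # higher level but smaller compartment
obj_c = label("secret", "H", "N")    # same level, each side has an extra element

if __name__ == "__main__":
    for o in (obj_a, obj_b, obj_c):
        print(o.level, sorted(o.compartment), "->", compare(subject, o))
    print(lub(subject, obj_c), glb(subject, obj_c))
```
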