[Public Interpretations Database]

I-0025: Definition Of ``Named Objects''

 
NUMBER:               I-0025
STATUS:               Ready to Prepare for Management/CCIMB

TITLE:                Definition Of ``Named Objects''

FIRST POST:            [criteria 2345]

REQUIREMENT:          Definition
CRITERIA CLASSES:     C1, C2, B1, B2, B3, A1
DOCUMENT(S):          Security Features Users Guide
RELATED TO:
     I-0137           Definition Of ``Storage Objects'' For The Purposes Of MAC
     I-0232           In Most Cases, There Must Be Discretion In DAC

STATEMENT:

The following adds a TCSEC GLOSSARY definition for the term ``Named Object''. It also interprets the word "named objects" in the Discretionary Access Control requirement that ``the TCB shall define and control access between named users and named objects (e.g., files and programs) in the ADP system''.

A "Named Object" is an object in an ADP system that exhibits all of the following characteristics:

  1. The object may be used to transfer information between subjects of differing user identities within the TCB.

  2. Subjects in the TCB must be able to request a specific instance of the object.

  3. The name used to refer to a specific instance of the object must exist in a context that potentially allows subjects with different user identities to request the same instance of the object.

  4. The intended use of the object is for sharing of information across user identities.

PROJECTED IMPACT:

Clarifies previous guidance on meaning of ``named object'' and simplifies evaluation for most products.

SUPPORT:

The intent of this interpretation is to permit application of the DAC requirement in a way that is consistent with the Control Objective for Discretionary Security. DAC mechanisms are incapable (except in very limited cases) of controlling information flow. Instead, they serve to control access to a specific instance of the information, accessed through a named container (such as a file). Once access to the container is granted, the information can easily be copied to a different container with different controls.

DAC is distinctly different from Mandatory Access Control (MAC), where the concern is information flow under the control of (possibly malicious) programs. Under MAC, even if the information is copied to a different container, the TCB ensures that the new container has at least equivalent information flow controls to that of the old container.

Additionally, under DAC, the focus is resources visible to and manipulated by users--specifically ``large-grain'' data containers, where it is sensible, in terms of the product's interface and intended use, to specify particular users who do and do not have access to the container.

The notion that named objects are concerned with sharing between identities, as opposed to subjects, is also reflected in the TCSEC DAC requirement, as it explicitly refers to "between named users" and not the simpler "between subjects".

The definition also emphasizes the ability to request a specific instance of the resource. Many resources are intended for information sharing between user identities, but only when a handle for the communication pathway is explicitly propagated between the identities. The general case of controlled sharing doesn't apply then; it applies when an arbitrary untrusted subject could attempt to participate in the sharing of the resource. This latter case requires the TCB to make the determination of whether access was permitted (there is no TCB involvement in the access decision when access is explicitly propagated).

There is a preponderance of examples in existing products that offer considerable guidance as to the types of resource that are intended for sharing information (e.g., files, directories) and that are not. These examples, and the general principle of intended use, should guide vendors and evaluators in defining the named objects in a product. Common examples of named objects are files, UNIX System V IPC objects, and other containers sharable between identities. Examples of resources that are not named objects include UNIX unnamed pipes (specific instances cannot be requested), processes (typically under an owner-only policy), and process memory (typically not sharable with other subjects).