Safety's Security Policy

The following is offered by way of explaining some of the philosophy of what Safety does in system security.

The security parts of Safety are designed to address the observation that while military security policy has dealt with clearing PEOPLE for access to information, what is needed is clearing ACTIONS (or, if you prefer the word, ACTIVITIES). In the human and paper world, actions tend to be hard to define, and a degree of trust must be present that people given access to some secret information will use it responsibly for the reasons access was given.

Computers lack such "common sense", but the actions that computers take can also often be characterized more precisely than human ones.

Safety was devised because I have observed that one often wants or needs certain actions to be performed, but other actions need not be. Where data vital to a company is stored on and used on computers, and must be accessed by more than one person, it is useful to be able to control the actions on that data more finely than simply a go/no-go based on a person's identity.

The view of user actions from an operating system perspective is in some ways coarse grained, but there are some things that can be known; Safety takes advantage of some of these and allows you to distinguish an action you want to authorize on your sensitive data from one you do not.

There are of course problems of aggregation, which are similar to those of covert channels in the Multilevel Security world. In the MLS world, one bandwidth-limits covert channels. To a degree you bandwidth-limit aggregation here. I am not however proposing that Safety is a perfect or ultimate system. Rather, it is a system that addresses authorizing actions to a point, instead of ignoring the problem.

A few example illustrations may help here.

Let's say you have a customer list file. It is normally maintained by some accounting applications you have, and any of several clerks ought to be able to access it in the course of their taking orders, shipping items, and so on, and likewise some sales folks should be able to look for prospects.

Still, you don't want this to get to a competitor.

In a vanilla OS, you'd have to allow the clerks, sales folks, etc., R/W access to this file, which would mean anyone might copy or possibly trash it. If all access is via ONE program, you might use a subsystem facility to limit access, but where multiple programs are used, this gets harder, and you have to ensure somehow that only a set collection of users can access the file...and you may also want to prevent someone who tries the access at 3AM from succeeding regardless.

That's the point of having a number of checks on access. Safety will let you limit access by time of day and location, by person, AND by what programs are in use, and can even, if you like, deliver a fake file to someone who tries to make an illicit copy of the data, instead of giving a possibly-revealing error message. This means that someone might try to bribe a clerk, but the clerk can only look at records one at a time using his program...and cannot use COPY to copy the whole thing. A salesman about to leave for another company is similarly inhibited. And you can inhibit someone who might have gained system privileges from access to the file at all when those privileges are available to him.

Actions are represented for the computer by a program accessing a given file or files, on behalf of some defined user, with at most some defined privilege set, at some place and/or time. (There is also provision for ensuring the programs or scripts being used have not been tampered with.)

This is the model used to control what can be done with key corporate information. You allow actions to be taken, and do not have to permit access wholesale to people.

This has other benefits. Consider what happens when someone uses downloaded code (as happens with some web browsers) which has a security hole. The person running the browser is treated as the person on whose behalf this downloaded code is run...so the security hole might be used to read or possibly write anywhere that individual is permitted.

Where critical data cannot be accessed because this action is not authorized, it is protected from such abuse regardless of the browser or unknown code.

Beyond this, Safety has a "paranoid mode" which can be enabled where it is suspected downloaded code will be used. The supplied scripts will simply notify the user of any files accessed while in this mode, but they can also be edited to permit veto of opens based on any criteria a user wants....thus restricting access to places a user considers safe. With such a system in place, security holes in browsers and similar downloaded code are less of a problem, since their effect is limited to only a few parts of a user's normal access domain.

Glenn C. Everhart
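The action model and the paranoid mode described above, as an added example that is not part of Glenn Everhart's text and not Safety's own (VMS-specific) code: a small Python model in which each request is judged by user, program, file, privilege set, location and time of day, with a decoy file handed to an illicit copy attempt, a hash check that refuses a tampered program image, and a paranoid-mode hook that records every open and lets a user-supplied test veto it. The file, program and privilege names, the decoy path and the sample decisions are all constructed for illustration.

```python
# Added example (not Safety's own code, which is written for VMS): a toy model of
# the policy above, authorizing ACTIONS rather than people. An action is a
# program opening a file on behalf of a user, with some enabled privileges, from
# some location, at some time of day. All file, program and privilege names and
# the decoy/"paranoid mode" hooks below are constructed for illustration.
from dataclasses import dataclass
from datetime import time as dtime
import hashlib

ALLOW, DENY, FAKE = "allow", "deny", "fake"

@dataclass(frozen=True)
class Action:
    """One attempted action: who, with which program, on what, how, where, when."""
    user: str
    program: str          # name of the image the user is running
    path: str             # file that program is trying to open
    mode: str             # "r" or "w"
    privs: frozenset      # privileges currently enabled for the process
    location: str         # where the request comes from (constructed label)
    when: dtime           # local time of day

@dataclass(frozen=True)
class Rule:
    """Who may do what to one sensitive file; anything not listed is refused."""
    path: str
    users: frozenset
    programs: frozenset
    modes: frozenset
    max_privs: frozenset  # enabled privileges must be a subset of these
    locations: frozenset
    window: tuple         # (start, end) time-of-day window, inclusive
    image_hashes: dict    # program -> expected SHA-256 of its image (tamper check)

def image_hash(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()

def authorize(action, rules, images, decoy_path):
    """Decide one action; returns (decision, path the program actually gets).
    No rule: left to ordinary OS checks (ALLOW). Legitimate user but unlisted
    program (COPY, say): handed the decoy, not a revealing error (FAKE).
    Any other failed check, including surplus privileges such as SYSPRV: DENY."""
    rule = next((r for r in rules if r.path == action.path), None)
    if rule is None:
        return ALLOW, action.path
    if action.user not in rule.users or action.location not in rule.locations:
        return DENY, None
    start, end = rule.window
    if not start <= action.when <= end:
        return DENY, None
    if not action.privs <= rule.max_privs:
        return DENY, None
    if action.program not in rule.programs or action.mode not in rule.modes:
        return FAKE, decoy_path
    # The approved program must be the image we expect, not a tampered copy.
    expected = rule.image_hashes.get(action.program)
    if expected is None or image_hash(images[action.program]) != expected:
        return DENY, None
    return ALLOW, action.path

def paranoid_open(action, log, veto=None):
    """Paranoid mode: every open is recorded; an optional predicate may veto it."""
    log.append(f"{action.user} {action.program} {action.mode} {action.path}")
    if veto is not None and veto(action):
        return DENY
    return ALLOW

def demo():
    """Run the customer-list scenario from the text and return the decisions."""
    images = {"ORDERS": b"orders-v1", "COPY": b"copy-v1"}   # constructed images
    rules = [Rule(path="CUSTOMERS.DAT", users=frozenset({"clerk1", "sales1"}),
                  programs=frozenset({"ORDERS"}), modes=frozenset({"r", "w"}),
                  max_privs=frozenset({"TMPMBX", "NETMBX"}),
                  locations=frozenset({"office"}), window=(dtime(7, 0), dtime(19, 0)),
                  image_hashes={"ORDERS": image_hash(images["ORDERS"])})]
    base = dict(user="clerk1", program="ORDERS", path="CUSTOMERS.DAT", mode="r",
                privs=frozenset({"TMPMBX"}), location="office", when=dtime(10, 0))

    def decide(images=images, **changes):
        return authorize(Action(**dict(base, **changes)), rules, images, "DECOY.DAT")

    results = {
        "clerk via ORDERS": decide(),
        "clerk via COPY": decide(program="COPY"),
        "clerk at 3AM": decide(when=dtime(3, 0)),
        "clerk with SYSPRV": decide(privs=frozenset({"TMPMBX", "SYSPRV"})),
        "outsider": decide(user="mallory"),
        "unrelated file": decide(path="README.TXT"),
        "tampered ORDERS": decide(images={**images, "ORDERS": b"orders-v1+backdoor"}),
    }
    # Paranoid mode for a browser: every open is logged, and a user-written veto
    # confines it to the places the user considers safe (constructed prefixes).
    log, safe = [], ("WWW_CACHE:", "SYS$SCRATCH:")
    veto = lambda a: not a.path.startswith(safe)
    browser = dict(base, program="BROWSER", privs=frozenset())
    results["browser cache"] = paranoid_open(Action(**dict(browser, path="WWW_CACHE:PAGE.HTM")), log, veto)
    results["browser keys"] = paranoid_open(Action(**dict(browser, path="SYS$LOGIN:KEYS.TXT")), log, veto)
    results["paranoid log"] = tuple(log)
    return results
```

Running demo() shows the clerk's ORDERS session allowed, the same clerk's COPY attempt silently given DECOY.DAT, the 3AM request, the extra-privilege request and the tampered image all refused, and the browser's opens outside the safe prefixes vetoed while still appearing in the log. The privilege check runs before the program check so that a process holding surplus privileges is refused outright rather than handed a decoy.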