All modern mainstream operating systems rely to some extent on user co-operation to maintain security. Sophisticated access control and strict privilege levels all help to improve the security of a computer, but if users deliberately make their private files world-readable, there is nothing the OS can do to protect the data. Of course, no sane user would do this with their sensitive data, at least not intentionally, but what about military and government systems, where malicious users could easily change a file's permissions and hence compromise the entire network? Clearly in such a security-centric environment, some other measure must be enforced to prevent accidental or malicious exposure of information.

The reason conventional operating systems are insecure in this regard is that they use a discretionary access control mechanism, so a user can expose his or her data as they please. What is required is an enforced security policy that is outside the control of users and dictates which subjects (processes, users, etc.) can access which objects (files, devices, etc.). This is a mandatory access control mechanism.

There are a number of different implementations of mandatory access control.
The simplest must surely be to have entirely separate machines to deal with sensitive and non-sensitive data (see air-gap security). Typically, the sensitive machine will have no modem, network card or floppy drive, which reduces the likelihood of data flowing out of the machine (see covert channels). In this way, it becomes very hard for users to inadvertently copy data from a secure to a non-secure environment, and a lot harder for external threats to gain access to the sensitive data.

Another famous example is the Bell-LaPadula security model, which requires a specialised operating system (see SELinux). In this system, subjects and objects are given security ratings of top secret, secret or unclassified. A subject can only access objects with the same rating or lower, and if a lower-rated object is written to, it is raised to the subject's rating. For example, if a user with top secret rating wrote into a file with unclassified rating, that file would be bumped up to top secret. This raises an obvious problem: all the objects are gradually going to rise to higher and higher ratings, eventually leaving the system unusable except to top secret subjects. The solution is to have a privileged de-classification process that can reduce security ratings (provided, of course, the content is found to be non-sensitive).
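As an added illustration (not code from the original write-up or from any real SELinux policy), here is a small Python model of the rating rules exactly as the text states them: access only to objects at the subject's rating or lower, an object floating up to the writer's rating on a write, and a privileged declassifier that is the only way a rating goes back down. The names, files and ratings in the scenario are constructed for the example.

```python
from dataclasses import dataclass

# Linear ordering of the three ratings named in the text.
LEVELS = {"unclassified": 0, "secret": 1, "top secret": 2}

@dataclass
class Obj:
    name: str
    level: str
    content: str = ""
@dataclass
class Subject:
    name: str
    level: str
    can_declassify: bool = False  # the privileged de-classification role
def check_access(subject, obj):
    # Rule from the text: a subject may touch objects at its own rating or lower.
    if LEVELS[obj.level] > LEVELS[subject.level]:
        raise PermissionError(f"{subject.name} ({subject.level}) -> {obj.name} ({obj.level})")
def read(subject, obj):
    check_access(subject, obj)
    return obj.content
def write(subject, obj, text):
    # After a write a lower-rated object floats up to the writer's rating.
    check_access(subject, obj)
    obj.content += text
    obj.level = max(obj.level, subject.level, key=LEVELS.get)
    return obj.level
def declassify(subject, obj, new_level):
    # Only the privileged process may lower a rating, and only downward.
    if not subject.can_declassify:
        raise PermissionError(f"{subject.name} is not a declassifier")
    if LEVELS[new_level] > LEVELS[obj.level]:
        raise ValueError("declassification can only lower a rating")
    obj.level = new_level
    return obj.level
def demo():
    # Constructed scenario: a top secret user appends to an unclassified file.
    notes = Obj("notes.txt", "unclassified", "public text")
    alice, bob = Subject("alice", "top secret"), Subject("bob", "unclassified")
    reviewer = Subject("reviewer", "top secret", can_declassify=True)
    after_write = write(alice, notes, " + TS remark")  # floats up to top secret
    try:
        read(bob, notes)
        leaked = True
    except PermissionError:
        leaked = False
    declassify(reviewer, notes, "unclassified")  # reviewer judges it non-sensitive
    return after_write, leaked, notes.level, read(bob, notes)
```

Running `demo()` shows the creep the text warns about (one top secret write makes the file unreadable to bob) and the declassifier undoing it.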

In environments where data privacy is very important, it is useful to have some guarantee of the level of security. Mandatory access control mechanisms make it a lot easier to reason about security, and offer some guarantees. In contrast, discretionary mechanisms rely on the infallibility of users, which, if the stakes are high, is too big an assumption to make.

Rainbow Series:
University of Cambridge Computer Lab