Type enforcement is a method for computer security that is based on assigning labels to different “types” of assets and then allowing access based on those labels. While this may seem complicated, it is basically a method by which different permissions are assigned for access to various systems. A process that occurs on a network, for example, has a certain level of permission based on its source, and this authorization is assigned by the system administrator. When the process attempts to access resources on that network, the permission is checked and, if it is appropriate, the process is given access to the target.
The term “type enforcement” refers to the “types” of items that are part of a system and how each is categorized for security purposes. There are two simple types: the source type, which is the domain running a process on the system; and the target type, which is the object being accessed. A user on a network attempting to access a file on another computer is the source, while the computer with the file is the target. Type enforcement assigns each of these types an identification that is then used to ensure proper security is upheld through the use of permissions.
Each source type is clearly identified in a system that uses type enforcement, which may require thousands of different identifiers for all of the possible sources. Similarly, each target type is also provided with an identifier, so that the system is able to track every possible asset that is making a request or is the target of a request. A system using type enforcement then establishes a number of permissions, which are basically rules. These rules are created by a system administrator and indicate the types of sources that are allowed to access various targets.
Using the previous example, the file on the target computer is an object that may be accessible to the source, depending on the permissions established. Additional information in a rule can even indicate the exact way in which objects can be used and interacted with, such as simply being able to read the file or being able to delete it. All of this information is contained in a single rule that provides the source type, the target type, and the permissions for the objects that are accessible. Creating each of these rules is essential for system security, as type enforcement is a “mandatory” security system. This means that every interaction must be clearly allowed or else it is not possible.
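The rule lookup described above can be modeled in a few lines. This is an added example, not part of the original article; the process names, file paths, type labels and permission names are all constructed for illustration.

```python
"""Minimal type-enforcement decision model (all labels are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source_type: str        # label of the domain running the process
    target_type: str        # label of the object being accessed
    permissions: frozenset  # exactly how the object may be used


class Policy:
    def __init__(self, rules):
        # Index by (source, target); several rules for one pair are merged.
        self._allowed = {}
        for r in rules:
            key = (r.source_type, r.target_type)
            self._allowed[key] = self._allowed.get(key, frozenset()) | r.permissions

    def check(self, source_type, target_type, permission):
        # Mandatory model: no matching rule means the access is denied.
        return permission in self._allowed.get((source_type, target_type), frozenset())


# Constructed labels: which type each process and each file carries.
PROCESS_LABELS = {"backup-agent": "backup_t", "web-server": "web_t"}
FILE_LABELS = {"/srv/www/index.html": "web_content_t", "/etc/payroll.db": "payroll_t"}

POLICY = Policy([
    Rule("web_t", "web_content_t", frozenset({"read"})),
    Rule("backup_t", "web_content_t", frozenset({"read"})),
    Rule("backup_t", "payroll_t", frozenset({"read"})),
])


def access(process, path, permission):
    """Resolve both labels, then ask the policy; unlabeled assets are denied."""
    src = PROCESS_LABELS.get(process)
    tgt = FILE_LABELS.get(path)
    if src is None or tgt is None:
        return False
    return POLICY.check(src, tgt, permission)


if __name__ == "__main__":
    for req in [("web-server", "/srv/www/index.html", "read"),
                ("web-server", "/srv/www/index.html", "delete"),
                ("web-server", "/etc/payroll.db", "read"),
                ("backup-agent", "/etc/payroll.db", "read")]:
        print(req, "->", "allow" if access(*req) else "deny")
```

The web server can read its own content but cannot delete it or touch the payroll file, because no rule grants those interactions.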