While the domain, shared resource, and access concepts make it possible to focus on where security properties are enforced in a CDS, these concepts alone are not sufficient to construct complex architectures. Domain decomposition allows a domain to be refined into sub-domains, shared resources, and accesses between them. These entities are called children of the domain.
All processes in a domain have essentially unlimited access to objects in that domain. With decomposition, access is refined within a domain by dividing the parent domain into sub-domains and shared resources in order to explicitly define the accesses that are allowed within the domain. Sub-domains obey the same rules as domains and may only interact via shared resources.
For example, consider a CDS security architecture with three domains: the low information domain, the guard application domain, and the high information domain. Using decomposition, the guard domain can be populated with several sub-domains representing individual guard stages or applications, each of which has a subset of the security permissions of the parent guard domain. This process allows for stepwise introduction of sub-domains, while keeping the focus on the security goals and least privilege, thereby increasing the assurance of the CDS security architecture.
Decomposed domains result in some overall security architecture constraints:
Decomposition may be applied successively to sub-domains to provide the level of granularity needed in the security architecture. With decomposition, the CDS Framework allows a developer to produce a detailed and precise security policy, while maintaining the security goals of the architecture and preserving the high-level simplicity of the original design.
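As an added illustration (not part of the Tresys document or of the CDS Framework's own tooling), the following Python model encodes the decomposition rules stated above: sub-domains interact only through shared resources, and a sub-domain's permissions on a resource outside its parent must be a subset of the parent's. The three-domain guard architecture, the stage and resource names, and the permission strings are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Domain:
    """A domain or sub-domain: `accesses` maps a shared-resource name to the permission set held on it."""
    name: str
    accesses: dict = field(default_factory=dict)
    resources: set = field(default_factory=set)    # shared resources that are children of this domain
    subdomains: list = field(default_factory=list)  # child domains produced by decomposition

def all_domain_names(domains):
    names = set()
    for d in domains:
        names |= {d.name} | all_domain_names(d.subdomains)
    return names

def check_decomposition(parent, names):
    """Violations of the decomposition rules in the subtree below `parent`."""
    found = []
    for sub in parent.subdomains:
        for target, perms in sub.accesses.items():
            if target in names:               # sub-domains interact only through shared resources
                found.append(f"{sub.name}: direct access to domain {target}")
            elif target in parent.resources:  # resource internal to the parent: access stays inside it
                continue
            elif target not in parent.accesses:
                found.append(f"{sub.name}: {target} is not reachable from {parent.name}")
            elif not perms <= parent.accesses[target]:
                found.append(f"{sub.name}: {sorted(perms - parent.accesses[target])} on {target} exceeds {parent.name}")
        found += check_decomposition(sub, names)  # decomposition may be applied again to a sub-domain
    return found

def check_architecture(domains):
    names = all_domain_names(domains)
    return [v for d in domains for v in check_decomposition(d, names)]

def guard_architecture(least_privilege=True):
    """Constructed example: low -> guard -> high, with the guard refined into two stages."""
    low = Domain("low", {"low_to_guard": {"write"}})
    high = Domain("high", {"guard_to_high": {"read"}})
    guard = Domain("guard", {"low_to_guard": {"read"}, "guard_to_high": {"write"}}, resources={"filtered"})
    filt = Domain("filter", {"low_to_guard": {"read"}, "filtered": {"write"}})
    release = Domain("release", {"filtered": {"read"}, "guard_to_high": {"write"}})
    if not least_privilege:
        release.accesses["low_to_guard"] = {"write"}  # exceeds the parent guard, which may only read it
        filt.accesses["release"] = {"read"}           # a stage reaching another stage directly
    guard.subdomains = [filt, release]
    return [low, guard, high]
```

`check_architecture(guard_architecture())` returns no violations, while the `least_privilege=False` variant reports both the excess permission and the direct stage-to-stage access.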
©2005 - 2008 Tresys Technology, LLC
Patent Pending