[cap-talk] Capabilities vs. Classifications

David Wagner daw at cs.berkeley.edu
Wed Dec 21 15:51:35 EST 2005


In article <43A9880F.2010806 at cornell.edu> you write:
>I have long been a fan of capabilities, but recently I have been 
>thinking about security classifications (aka ACLs) and am struggling to 
>decide which is better.

Mandatory Access Control (Bell-LaPadula) is not the same as
ACLs.  You may be conflating concepts that are not the same.

Bell-LaPadula and similar MAC schemes are focused solely on
confidentiality properties.  They totally ignore integrity,
and often sacrifice integrity to better protect confidentiality.

Capabilities can be used for integrity properties (what side
effects can Alice cause?) and for secrecy properties (what secrets
can Alice learn?), but aren't very well suited to Bell-LaPadula style
information flow properties (what secrets can Alice leak?).

Bell-LaPadula style MAC has been a failure, in my view.  It was
designed to prevent malicious code from leaking secrets, but it has
utterly failed at that -- covert channels are a fact of life, and no
one has any clue how to eliminate them without significantly curtailing
the usefulness of the system.

Moreover, in the commercial world integrity is often more important
than confidentiality.

There is also the MAC vs DAC argument and its relationship to
capabilities.  I won't go into that whole business, since others have
discussed it here on cap-talk before.
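To make the distinction in the message concrete (capabilities answer "what can Alice learn or affect?", while Bell-LaPadula answers "what can Alice leak?" and ignores integrity), here is an added toy reference monitor that is not part of the cap-talk post. It models both checks side by side on a constructed three-level lattice; the subjects, objects, capability strings and level names are all assumptions for illustration.

```python
"""Toy reference monitors contrasting a capability check with a
Bell-LaPadula (BLP) multilevel check.  Added illustration, not code
from the cap-talk thread; all levels, subjects and objects are constructed."""
from dataclasses import dataclass, field

# Constructed linear lattice of classification levels (higher = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP_SECRET": 2}


@dataclass
class Obj:
    name: str
    level: str          # classification label used only by the BLP check
    content: str = ""


@dataclass
class Subject:
    name: str
    clearance: str      # clearance label used only by the BLP check
    caps: set = field(default_factory=set)   # e.g. "read:plan", "write:bulletin"


# --- Capability model: authority is exactly the set of tokens the subject holds.
def cap_read(subj: Subject, obj: Obj) -> bool:
    return f"read:{obj.name}" in subj.caps


def cap_write(subj: Subject, obj: Obj) -> bool:
    return f"write:{obj.name}" in subj.caps


# --- BLP model: simple security property (no read up) and *-property (no write down).
def blp_read(subj: Subject, obj: Obj) -> bool:
    return LEVELS[subj.clearance] >= LEVELS[obj.level]


def blp_write(subj: Subject, obj: Obj) -> bool:
    return LEVELS[subj.clearance] <= LEVELS[obj.level]


def try_copy(subj: Subject, src: Obj, dst: Obj, read_ok, write_ok) -> bool:
    """Copy src.content into dst if the policy permits both halves.
    Returns True when a flow src -> dst actually occurred."""
    if read_ok(subj, src) and write_ok(subj, dst):
        dst.content = src.content
        return True
    return False


def leak_demo() -> dict:
    """Alice legitimately holds read on a SECRET file and write on a public one.
    The capability check is satisfied (she may learn the secret and may affect
    the bulletin), so the copy, i.e. the leak, goes through.  BLP's *-property
    refuses the write-down, which is the information-flow property capabilities
    do not express."""
    secret = Obj("plan", "SECRET", "launch at dawn")
    bulletin_cap = Obj("bulletin", "UNCLASSIFIED")
    bulletin_blp = Obj("bulletin", "UNCLASSIFIED")
    alice = Subject("alice", "SECRET", {"read:plan", "write:bulletin"})
    return {
        "cap_leaks": try_copy(alice, secret, bulletin_cap, cap_read, cap_write),  # True
        "blp_leaks": try_copy(alice, secret, bulletin_blp, blp_read, blp_write),  # False
    }


def integrity_demo() -> dict:
    """Mallory is UNCLASSIFIED and holds no capability at all on a TOP_SECRET file.
    BLP still lets her write up (and so corrupt it), because it guards only
    confidentiality; the capability check denies the write outright."""
    orders = Obj("orders", "TOP_SECRET", "hold position")
    mallory = Subject("mallory", "UNCLASSIFIED", set())
    return {
        "cap_write_up": cap_write(mallory, orders),  # False
        "blp_write_up": blp_write(mallory, orders),  # True
    }


if __name__ == "__main__":
    print("leak:", leak_demo())
    print("integrity:", integrity_demo())
```

The two demos are the message's two claims in executable form: the capability monitor has no notion of "where did this data come from", so nothing stops a subject with two legitimate authorities from composing them into a leak, while the BLP monitor blocks that flow but happily lets an uncleared subject scribble over the most sensitive object it has.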