[cap-talk] "mandatory" access control - distinct from MLS diodes? (was: Re: Another "core" principle)
Jed Donnelley
capability at webstart.com
Sun Dec 31 03:18:17 CST 2006
At 11:32 PM 12/30/2006, Bill Frantz wrote:
>markm at cs.jhu.edu (Mark S. Miller) on Saturday, December 30, 2006 wrote:
>
> >Can you offer coherent definitions of "mandatory" and
> >"discretionary"?
I agree with MarkM when he says:
>At 04:58 PM 12/30/2006, Mark S. Miller wrote:
>Jonathan S. Shapiro wrote:
> > I believe that you are confusing discretionary and mandatory security.
>
>I believe that any security discussion involving these terms is
>likely confused.
While I'm well aware of the history and the intuitive meaning, it
seems to me that all efforts at distinguishing a class of "mandatory"
access control eventually devolve into simple data diode
mechanisms. I believe this is because when one considers this core issue:
>...
>If a process A can give process B access to resource R, then its
>policy is discretionary. If A has access to R, but can not give it
>to B, then a mandatory policy is being enforced on A and B.
in the light of cooperating conspirators, then if A and B can
communicate bidirectionally then A can proxy access to R for B. I
argue then that any subjects on opposite sides of a "mandatory" level
boundary (funny how "mandatory" and MLS always seem to go hand in
hand) can only communicate through a diode, along the lines of:
>...Another is limits on the communication path(s) between A and B.
but a bit more specific. Regarding:
>[1] <http://en.wikipedia.org/wiki/Bell-LaPadula_model>
I puked when I first read it along with all its formalism in the
1970s. My reaction today is not much different intellectually,
though from long familiarity my gut reaction is no longer as violent.
--Jed http://www.webstart.com/jed-signature.html
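
An added illustration of the proxy argument in the message above (not code from the post or from any list member): a toy reference monitor, constructed here, in which A holds R and can never grant it, yet B obtains R's contents through A when the two can talk in both directions. The names Monitor, proxy_step and attempt, the sample contents of R, and the diode direction (B to A only) are assumptions of the example.

```python
class Denied(Exception):
    """Raised when the toy monitor refuses an operation."""

class Monitor:
    """Toy reference monitor, constructed for this example."""
    def __init__(self, access, channels):
        self.resources = {"R": "contents of R"}  # constructed sample data
        self.access = set(access)        # (subject, resource) pairs
        self.channels = set(channels)    # directed (sender, receiver) pairs
        self.inbox = {}                  # receiver -> queued (sender, msg)

    def read(self, subject, resource):
        if (subject, resource) not in self.access:
            raise Denied(f"{subject} may not read {resource}")
        return self.resources[resource]

    def grant(self, giver, receiver, resource):
        # The "mandatory" rule of the quoted definition: A has R but can
        # not give it to B, so the access set is never extended.
        raise Denied(f"{giver} may not give {resource} to {receiver}")

    def send(self, sender, receiver, msg):
        if (sender, receiver) not in self.channels:
            raise Denied(f"no channel {sender} -> {receiver}")
        self.inbox.setdefault(receiver, []).append((sender, msg))

    def receive(self, subject):
        queue = self.inbox.get(subject, [])
        return queue.pop(0) if queue else None

def proxy_step(m, me):
    """Cooperating holder: answer one pending read request on the sender's behalf."""
    requester, resource = m.receive(me)
    m.send(me, requester, m.read(me, resource))

def attempt(channels):
    """B tries to learn R through A; returns what B ends up with."""
    m = Monitor({("A", "R")}, channels)
    try:
        m.send("B", "A", "R")      # B asks A for R
        proxy_step(m, "A")         # A reads R and tries to reply
        return m.receive("B")[1]
    except Denied as e:
        return f"denied: {e}"

if __name__ == "__main__":
    print(attempt({("A", "B"), ("B", "A")}))  # bidirectional channel
    print(attempt({("B", "A")}))              # diode: B -> A only
```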