[cap-talk] process 'tainting': *-property or not *-property

David Wagner daw at cs.berkeley.edu
Tue Jan 3 16:57:08 EST 2006


"Rob J Meijer" <rmeijer at xs4all.nl> writes:
>Should I understand this response to mean that resource allocation
>possibilities provided by some operating systems that allow to create
>dedicated per-zone resource pools can for theoretic reasons not
>now and not ever be considered 'proper' resource allocation?

I'm afraid I don't understand the question.  You've introduced so
many layers of abstraction that I can't follow where you're going.

The issue is actually very simple: covert channels are very hard
to avoid, in a multi-user system.  Introducing fancy notions like
"per-zone resource pools" doesn't change that fact.

>To me one of the most appealing properties of MLS
>is that MLS design lends itself well to two way interaction with
>static risk assessment. Normally assets that can be coupled to high risk
>move up the classification scale and assets coupled with low risk move
>down the classification scale after a risk assessment iteration.
>Given this, in many MLS systems, the lower range of levels will have
>relatively low risks involved with them, while investments to do
>full confinement in both human resources and iron may not weigh
>against the diverted risk.

It sounds like you are attracted to the principle that some data needs
more protection than others, and so we might apply different kinds of
protection according to how sensitive the data is.  Well, I like that
principle, too.  It's definitely a good principle.

But MLS is a whole lot more than just this principle.  MLS brings in a
bunch of extra baggage of its own.  My objection is to all the baggage.
You can have systems that respect this principle, but without all the
extra MLS cruft (the cruft that doesn't work).  It's a mistake to conflate
MLS with "the principle of differential security"; MLS is a very specific
system, while the principle is a broad guideline.  Most of my criticisms
are criticisms of the specifics of Bell-LaPadula-style MLS systems,
not criticisms of the broad principle.
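The covert-channel point above, as an added worked example that is not part of the original post or of any system discussed on cap-talk: a toy Bell-LaPadula reference monitor enforces the simple security property (no read up) and the *-property (no write down), yet a level-blind resource pool leaks bits from HIGH to LOW through nothing more than "allocation succeeded/failed". Giving each level its own dedicated pool ("per-zone") closes that one storage channel, but a simulated shared CPU still carries a timing channel. Everything in the block is an assumption made for the demo: two levels, a pool of four units, the contention model, and all names.

```python
"""Toy BLP monitor: the *-property blocks direct flows, a shared
resource pool still leaks.  Added example, not from the cap-talk thread.
Levels, pool size, and the CPU-contention model are assumptions."""
from dataclasses import dataclass

LOW, HIGH = 0, 1                       # assumed two-level lattice
BITS = [1, 0, 1, 1, 0, 0, 1, 0]         # constructed secret to leak


class AccessDenied(Exception):
    pass


@dataclass
class Subject:
    name: str
    level: int


@dataclass
class Obj:
    level: int
    data: str = ""


class Monitor:
    """Reference monitor: BLP checks on objects, plus a resource pool that is
    either shared across levels or dedicated per level ("per-zone")."""

    def __init__(self, pool_size: int, per_zone: bool):
        self.objects: dict[str, Obj] = {}
        self.per_zone = per_zone
        # shared pool: one counter under key None; per-zone: one per level
        self.free = ({LOW: pool_size, HIGH: pool_size} if per_zone
                     else {None: pool_size})
        self.held: dict[str, int] = {}      # units held, per subject name
        self.busy = {LOW: False, HIGH: False}  # simulated CPU use per level

    def _pool(self, subj: Subject):
        return subj.level if self.per_zone else None

    def read(self, subj: Subject, name: str) -> str:
        obj = self.objects[name]
        if obj.level > subj.level:          # simple security property: no read up
            raise AccessDenied(f"{subj.name} may not read {name}")
        return obj.data

    def write(self, subj: Subject, name: str, data: str) -> None:
        obj = self.objects[name]
        if obj.level < subj.level:          # *-property: no write down
            raise AccessDenied(f"{subj.name} may not write {name}")
        obj.data = data

    def allocate(self, subj: Subject, n: int = 1) -> bool:
        # Allocation is level-blind: the caller learns only success or failure.
        key = self._pool(subj)
        if self.free[key] < n:
            return False
        self.free[key] -= n
        self.held[subj.name] = self.held.get(subj.name, 0) + n
        return True

    def release_all(self, subj: Subject) -> None:
        self.free[self._pool(subj)] += self.held.pop(subj.name, 0)

    def set_busy(self, subj: Subject, busy: bool) -> None:
        self.busy[subj.level] = busy

    def run(self, subj: Subject) -> int:
        # Simulated shared CPU: each other level that is busy adds one tick
        # of contention to this subject's unit of work (assumed model).
        return 1 + sum(b for lvl, b in self.busy.items() if lvl != subj.level)


def leak_via_pool(mon: Monitor, high: Subject, low: Subject,
                  bits: list[int], pool_size: int) -> list[int]:
    """Storage channel: HIGH exhausts the pool to signal 1, leaves it to signal 0."""
    received = []
    for bit in bits:
        if bit:
            mon.allocate(high, pool_size)   # grab everything HIGH can see
        got = mon.allocate(low)             # LOW only sees success/failure
        received.append(0 if got else 1)
        mon.release_all(low)
        mon.release_all(high)
    return received


def leak_via_timing(mon: Monitor, high: Subject, low: Subject,
                    bits: list[int]) -> list[int]:
    """Timing channel: HIGH burns CPU to signal 1; LOW times its own work."""
    received = []
    for bit in bits:
        mon.set_busy(high, bool(bit))
        received.append(1 if mon.run(low) > 1 else 0)
    mon.set_busy(high, False)
    return received


def demo(per_zone: bool) -> dict:
    mon = Monitor(pool_size=4, per_zone=per_zone)
    high, low = Subject("high", HIGH), Subject("low", LOW)
    mon.objects["secret"] = Obj(HIGH, "constructed secret")
    mon.objects["public"] = Obj(LOW, "")
    result = {}
    try:                                    # direct write-down is refused
        mon.write(high, "public", mon.read(high, "secret"))
        result["write_down_denied"] = False
    except AccessDenied:
        result["write_down_denied"] = True
    try:                                    # direct read-up is refused
        mon.read(low, "secret")
        result["read_up_denied"] = False
    except AccessDenied:
        result["read_up_denied"] = True
    result["pool_channel"] = leak_via_pool(mon, high, low, BITS, 4)
    result["timing_channel"] = leak_via_timing(mon, high, low, BITS)
    return result


if __name__ == "__main__":
    for pz in (False, True):
        print("per-zone pools:" if pz else "shared pool:  ", demo(pz))
```

With the shared pool both channels reproduce BITS exactly; with per-zone pools the storage channel reads as all zeros while the timing channel is untouched, which is the sense in which dedicated pools remove one channel without changing the underlying problem.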


More information about the cap-talk mailing list