[cap-talk] Capabilities vs. Classifications - MLS systems?
Karp, Alan H
alan.karp at hp.com
Thu Jan 5 11:50:47 EST 2006
> Attempts to make the enforcement of such principles "mandatory" (by that I mean
> not allowing a subject with a permission to grant effective access to that
> permission to another process with which it can communicate) in a system with
> inter process communication I believe is impossible, but misguided efforts in
> that direction make real systems effectively unusable.
I agree, but there's another aspect to the problem, voluntary oblivious
compliance (VOC). Say that Alice asks Bob for a file that he can read.
If Bob doesn't care about the rules, or he wants to break them, he'll
get the contents of the file to Alice by some means. No mandatory
access control, except one that prevents him from sending a message to
Alice, can prevent it.
On the other hand, Bob may want to obey the rules, but he may not know
them. Real security systems are far more complex than just a single set
of levels. Even matrix security, with levels and compartments, doesn't
capture all the policies people would like to enforce. Further, the
rules are constantly changing. A system that supports VOC allows Bob to
send Alice a handle to the file that Alice can only use if the policy
allows her access. We implemented such a mechanism in Client Utility
(e-speak Beta), and MarkM has figured out how to do something similar in
E. I call this control "mandatory" if Alice's use of the handle is
prevented by something other than the file server. That's different
from Jed's definition, but I believe mine has value.
Virus Safe Computing Initiative
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
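An added illustration of the policy-checked handle idea in the message above; this is example code written for this page, not the Client Utility (e-speak) or E implementation. It assumes a constructed level/compartment lattice, the names "bob" and "alice", and a policy object that the handle consults on every use, so the check lives outside the file server and tracks rule changes.

```python
from dataclasses import dataclass

# Constructed lattice: ordered levels plus a set of compartments (assumption).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Read-down rule: higher-or-equal level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


class FileServer:
    """Stores contents only; it knows nothing about the policy."""
    def __init__(self):
        self._files = {}

    def put(self, name, data):
        self._files[name] = data

    def read(self, name):
        return self._files[name]


class Policy:
    """Mutable rule set; edited in place as the rules change."""
    def __init__(self, file_labels, clearances):
        self.file_labels = dict(file_labels)
        self.clearances = dict(clearances)

    def permits(self, subject, name):
        return self.clearances[subject].dominates(self.file_labels[name])


class PolicyCheckedHandle:
    """Forwarder bound to one holder; the policy is consulted at each use."""
    def __init__(self, server, policy, name, holder):
        self._server, self._policy, self._name, self._holder = server, policy, name, holder

    def for_recipient(self, recipient):
        # Bob can hand Alice a handle freely; it is bound to her, not to his clearance.
        return PolicyCheckedHandle(self._server, self._policy, self._name, recipient)

    def read(self):
        if not self._policy.permits(self._holder, self._name):
            raise PermissionError(f"{self._holder} may not read {self._name}")
        return self._server.read(self._name)


def demo():
    server = FileServer()
    server.put("plan.txt", b"constructed sample contents")
    policy = Policy({"plan.txt": Label("SECRET", frozenset({"CRYPTO"}))},
                    {"bob": Label("SECRET", frozenset({"CRYPTO"})),
                     "alice": Label("SECRET")})
    bob_handle = PolicyCheckedHandle(server, policy, "plan.txt", "bob")
    alice_handle = bob_handle.for_recipient("alice")   # Bob "sends Alice a handle"
    results = {"bob": bob_handle.read()}
    try:
        alice_handle.read()
        results["alice_before"] = "allowed"
    except PermissionError:
        results["alice_before"] = "denied"         # compartment mismatch
    policy.clearances["alice"] = Label("SECRET", frozenset({"CRYPTO"}))  # rules change
    results["alice_after"] = alice_handle.read()   # same handle, new outcome
    return results
```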