[cap-talk] Throwing down the gauntlet

David Wagner daw at cs.berkeley.edu
Mon Jan 9 14:45:58 EST 2006

Alan Karp:
>David Wagner wrote:
>> I don't understand why anyone thinks that limiting the bandwidth of
>> covert channels is a very useful solution.  If you set the limit at no
>> more than a few hundred bits/second (as the Orange Book did), then you
>> can leak a crypto key in seconds (or less).
>Since the people in an MLS system are trusted, but some of the programs
>they run are not, there's no reason for the untrusted app to have access
>to the crypto key.

Absolutely.  That's what I advocate, too: solve this with simple access
control stuff to ensure that untrusted code never learns any secrets,
instead of fancy MLS stuff to try to prevent untrusted code from leaking
the secrets it is given.  If you do what I advocate, then you don't need
Bell-LaPadula-style MLS, you don't need the *-property, you don't need
complicated information flow tracking mechanisms...  So I don't see the
point of BL-style MLS.

