[cap-talk] gauntlet - one way IPC considered useless, practical MLS?

John McCabe-Dansted gmatht at gmail.com
Mon Jan 9 23:51:25 EST 2006

>  One thing I would like to ask those arguing for such one-way communication
> mechanisms:  Is this argument at this point an academic exercise or are
> there real and useful systems that are currently depending on such a
> mechanism?  If this is a practical issue, perhaps they could describe the
> existing real and useful systems and how they make use of the one-way
> communication channels.  Then perhaps we could use those examples as input
> to the broader issues.

One common one-way communication mechanism is the POSIX pipe. E.g.
          foo A | bar B
>From both a POLA and "Principle of Less Surprise" point of view we may
wish to limit "bar" so it cannot send backwards through the pipe to
"foo". Since we have not passed in a clock to foo, foo has no other
way of receiving data from B. Hence if B is in some way more secret
than A, then foo and bar cannot collaborate to leak B's secrets into

(Actually, one covert channel remains, bar can choose to close the
pipe after receiving N blocks, thus transmitting a one-off O(ln(N))
bit message back to foo)

John C. McCabe-Dansted
Master's Student

More information about the cap-talk mailing list