[cap-talk] gauntlet - one way IPC considered useless, practical MLS?

Jed at Webstart donnelley1 at webstart.com
Thu Jan 12 14:52:41 EST 2006 

At 08:51 PM 1/9/2006, John McCabe-Dansted wrote:
> >  One thing I would like to ask those arguing for such one-way communication
> > mechanisms:  Is this argument at this point an academic exercise or are
> > there real and useful systems that are currently depending on such a
> > mechanism?  If this is a practical issue, perhaps they could describe the
> > existing real and useful systems and how they make use of the one-way
> > communication channels.  Then perhaps we could use those examples as input
> > to the broader issues.
>
>One common one-way communication mechanism is the POSIX pipe. E.g.
>           foo A | bar B
> >From both a POLA and "Principle of Less Surprise" point of view we may
>wish to limit "bar" so it cannot send backwards through the pipe to
>"foo". Since we have not passed in a clock to foo, foo has no other
>way of receiving data from B. Hence if B is in some way more secret
>than A, then foo and bar cannot collaborate to leak B's secrets into
>A.

While I agree the pipe mechanism is common, the only uses I know
of it as one-way communication are one-way for convenience, not one-way
out of any security or integrity necessity.

Regarding:

>(Actually, one covert channel remains, bar can choose to close the
>pipe after receiving N blocks, thus transmitting a one-off O(ln(N))
>bit message back to foo)

The above is not really so "covert" in that it doesn't depend on any
shared resource banging or anything like that.  In principle such
a back channel can even be used across network connections
with flow control.

As far as "one-off" goes, naturally the above can be repeated as
often as necessary.  To transmit N bytes back channel (with
cooperation), simple transmit N blocks of from 0-255 bytes (blocks?)
through the channel and block after the value of the byte that
needs to be transmitted.  This can be done quite rapidly - partly
because there was never any intent (that I know of) to make such
a pipe truly "one-way".

--Jed http://www.webstart.com/jed/

More information about the cap-talk mailing list