[cap-talk] gauntlet - one way IPC considered useless, practical MLS?
daw at cs.berkeley.edu
Fri Jan 13 20:53:00 EST 2006
>The simple security property was enforced and programs/people had to be
>explicit about declassifications (the * property).
By writing "programs/people", I'm afraid you have failed to grasp
the purpose and motivation underlying all the work on MLS systems.
The basis of MLS is that you trust people, but don't trust programs.
Thus while it might be ok to allow explicit declassifications requested
by people, people to explicitly declassify, it definitely would not be ok
(according to the problem statement that MLS systems was trying to solve)
to let programs perform declassifications on their own, whether explicit
If you're going to trust programs to declassify data, then you don't
have a MLS system, and the Bell-Lapadula stuff is irrelevant.
More information about the cap-talk