[cap-talk] gauntlet - one way IPC considered useless, practical MLS?
David Wagner
daw at cs.berkeley.edu
Fri Jan 13 21:00:05 EST 2006
Jed writes:
>When they say, "users can access two networks from the one desk top
>and cut and copy information from a more secure network to a less secure
>network without the risk of any information flowing in the opposite direction."
>
>(on the above page), did they get the sense of that correct? Don't they
>mean from the less secure to the more secure?
It's not clear to me what they are trying to say.
Perhaps they are referring to a Biba model, where the goal is to
protect integrity rather than confidentiality. If the goal is integrity,
then there is a dual of the ss- and *-properties, which permits
high-integrity processes to write to low-integrity processes, but not
vice versa (and low-integrity processes to read from high-integrity
processes, but not vice versa). That would be consistent with what
they write.
Of course, you can only have one. If you want to protect integrity
(with a Biba model), you get no protection of confidentiality. If you
want to protect confidentiality (with a Bell-LaPadula model), you get
no protection of integrity. You have to choose one or the other.
>I have some considerable (though now ancient) experience with such
>devices. The typical problem is that of getting control information from
>the high side to the low side without allowing general data flow. I'd be
>quite interested to understand how they deal with that issue with this
>family of devices/software.
There is a publication on the subject that discussed some of what they
did. I think it was at ACSAC. Basically, they don't really solve the
problem; they fake it.
>Is this product family where the "data pump" terminology is coming from?
>That's something else that I haven't heard before.
I think the "data pump" terminology comes from an early paper from
NRL (Navy Research Lab) that introduced the notion and used the term
"data pump". I think it was published at Oakland (IEEE S&P) or CSFW
or some place like that. Googling should turn it up, but let me know
if you can't find it.
>In general I'll find it interesting to see how VMMs come to be used (or not)
>to help with security/integrity protections.
VMMs are a computational simulation of physical isolation. Anything
you can do by buying two separate computers and isolating them, you can
do (albeit with considerably less assurance) by running two guest OSs
inside a VMM with appropriately restricted permissions. So really what
you are asking is, what can we do with multiple physically isolated
machines? That's more or less a distributed systems question.
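As an added illustration of the Biba/Bell-LaPadula duality discussed above (example code, not from the original post): a toy model that assumes a single total order of levels (real systems use lattices with categories) and computes which end-to-end information flows each rule set permits, which is exactly the question behind the "copy from more secure to less secure" wording.

```python
# Added example: Bell-LaPadula (confidentiality) rules beside their Biba
# (integrity) duals, and the set of subject-mediated flows each permits.
from enum import Enum


class Op(Enum):
    READ = "read"
    WRITE = "write"


# Assumption: levels are integers in one total order.
# Higher = more secret (BLP) or more trusted (Biba).
LEVELS = (0, 1, 2)  # constructed sample: 0 = low, 2 = high


def blp_allows(subject: int, obj: int, op: Op) -> bool:
    """Bell-LaPadula: ss-property (no read up), *-property (no write down)."""
    if op is Op.READ:
        return subject >= obj  # read only at or below own clearance
    return subject <= obj      # write only at or above own clearance


def biba_allows(subject: int, obj: int, op: Op) -> bool:
    """Biba: the dual rules (no read down, no write up)."""
    if op is Op.READ:
        return subject <= obj  # read only from at-or-above integrity
    return subject >= obj      # write only to at-or-below integrity


def permitted_flows(allows, levels=LEVELS):
    """Flows src->dst that some subject can realise by reading an object
    at src and then writing an object at dst under the given rules."""
    return {
        (src, dst)
        for s in levels
        for src in levels
        for dst in levels
        if allows(s, src, Op.READ) and allows(s, dst, Op.WRITE)
    }


def compare_models(levels=LEVELS):
    """Show that BLP only lets data flow up, Biba only lets it flow down,
    and the only flows both permit are between equal levels."""
    blp = permitted_flows(blp_allows, levels)
    biba = permitted_flows(biba_allows, levels)
    return {
        "blp_only_upward": all(src <= dst for src, dst in blp),
        "biba_only_downward": all(src >= dst for src, dst in biba),
        "common": blp & biba,
    }
```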