[cap-talk] gauntlet - one way IPC considered useless, practical MLS?

Jed Donnelley jed at nersc.gov
Thu Jan 19 13:15:25 EST 2006

At 05:53 PM 1/13/2006, David Wagner wrote:
>Jed writes:
> >The simple security property was enforced and programs/people had to be
> >explicit about declassifications (the * property).
>By writing "programs/people", I'm afraid you have failed to grasp
>the purpose and motivation underlying all the work on MLS systems.
>The basis of MLS is that you trust people, but don't trust programs.
>Thus while it might be ok to allow explicit declassifications requested
>by people, it definitely would not be ok
>(according to the problem statement that MLS systems were trying to solve)
>to let programs perform declassifications on their own, whether explicit
>or otherwise.
>If you're going to trust programs to declassify data, then you don't
>have a MLS system, and the Bell-LaPadula stuff is irrelevant.

I understand the Bell-LaPadula model and its intent.  What I described
is what we implemented because it's what we could implement.  I'm
fully aware that it doesn't meet the criteria of the Bell-LaPadula model
(which I consider unimplementable in an IPC system as I've described)
and that it doesn't meet the needs of people who want a "don't worry"
model where one doesn't have to trust the programs that run at high
classification levels to not declassify data (* property) - though it does
in some sense enforce the simple security property.

When you say that our system wasn't a multiple level security system
I think I would respectfully disagree.  It wasn't in the Bell-LaPadula sense
of course.  However, it did have classifications for data and clearances
for processes and people.  To my thinking that would make it qualify,
though I accept that this is a matter of semantics.  If you don't call it
an "MLS" system (because that means only Bell-LaPadula MLS
presumably) then I wonder what one would call it? 
