[cap-talk] gauntlet - one way IPC considered useless, practical MLS?

Jed at Webstart donnelley1 at webstart.com
Fri Jan 27 14:59:50 EST 2006


At 07:26 PM 1/26/2006, John Carlson wrote:

>>With such a facility there is really no need for two way communication
>>between the levels.  While one might be concerned that even the URLs
>>fetched by people with access to classified data might themselves
>>contain classified data - I think that is a risk you just have to take.
>>Beyond that there is no communication from red to black.
>
>Yes, I can see covert channels and weird query strings would appear
>in the access log, etc with the URLs.  The URLs could be sanitized and
>the access to unclassified side controlled by providing a proxy server
>of some kind, but I can still see people requesting 2 alternating valid
>documents (or various documents from 2 collections, years, what have
>you) to send a digital signal.  However, I think there are bigger things
>to worry about, like which classified documents people are reading.

From your comment above I'm not sure if I was clear about what I
was suggesting.  Be clear that this is a purely blue sky suggestion
for a means to allow people working on a classified network access
to content available through Web URLs on an unclassified network.
Here's how the proposal works:

1.  A person who wants some unclassified Web content on the
classified network goes to a browser on the unclassified network
and browses a special sort of proxy server.  Everything that is
fetched through this proxy server is queued for transfer to the
classified side.

2.  The URL and content from the unclassified side that was fetched as
above is queued for the (a) one-way channel between the unclassified
site and the classified side.

3.  Once it's transferred to the classified side it's stored in a
Web server by the URL that it was fetched with on the unclassified
side.

4.  At that point the person can now fetch the content on the classified
network.

Oh sure, I'm aware of many of the problems with such a scheme such
as not working for content that requires input (though that might be
improved), not dynamic, etc.  However, I'd be interested to hear any
other criticisms.

Given the above, I'm not sure how your comments apply John.
When you suggest a worry about "which classified documents people
are reading" for example.  In the mechanism that I suggested above
there are only unclassified documents being read.  That's the idea.
Get unclassified documents to the classified side.  The main concern
in such cases generally I think is separating out the "control" flow
so that it doesn't have to flow in any sense from the classified side to
the unclassified side and potentially provide a covert (or not so
covert) channel for red to black information flow in violation of the
*/ss properties.  With the above scheme all the control flow is handled
by people surfing on the unclassified network - which presumably they
can do in any case.

Remember, my main point was to illustrate how I see such one-way
communications as quite special cases and used in small numbers
and emphatically not for general inter-process communication (IPC -
hence the subject of this thread).

If others (e.g. Rob) have experience using one-way communication
for more general IPC, I'd be quite interested to hear how it works.

--Jed http://www.webstart.com/jed/ 
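As an added illustration of the four-step scheme in Jed's message (this is not code from the original post or from any cap-talk project), the Python simulation below models the one-way channel as a pair of endpoints: the unclassified-side proxy holds only the send end, the classified-side store holds only the receive end, and content is stored and served on the classified side keyed by the URL it was fetched with. The URLs, page bodies and class names are constructed for the example; a miss on the classified side stays a miss, since there is no path by which a request could flow back to the unclassified side.

```python
"""Simulation of a low-to-high (unclassified-to-classified) Web content transfer.

Added example; not the original post's code.  All URLs and bodies are constructed.
"""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional

# Constructed stand-in for the unclassified network's Web: URL -> body.
UNCLASSIFIED_WEB: Dict[str, bytes] = {
    "http://example.org/report.html": b"<html>public report</html>",
    "http://example.org/data.csv": b"a,b\n1,2\n",
}


@dataclass(frozen=True)
class Transfer:
    """The only thing that crosses the channel: the fetched URL and its body."""
    url: str
    body: bytes


class SendEnd:
    """Capability to put items on the channel; held by the unclassified side only."""
    def __init__(self, queue: Deque[Transfer]) -> None:
        self._queue = queue

    def send(self, item: Transfer) -> None:
        self._queue.append(item)


class ReceiveEnd:
    """Capability to take items off the channel; held by the classified side only.
    There is deliberately no send() here, so the high side cannot signal back."""
    def __init__(self, queue: Deque[Transfer]) -> None:
        self._queue = queue

    def receive(self) -> Optional[Transfer]:
        return self._queue.popleft() if self._queue else None


def make_one_way_channel():
    """Hand out the two ends of one queue as separate capabilities."""
    queue: Deque[Transfer] = deque()
    return SendEnd(queue), ReceiveEnd(queue)


class LowSideProxy:
    """Steps 1 and 2: fetch on behalf of a user browsing the unclassified network
    and queue every fetched document for transfer."""
    def __init__(self, outbound: SendEnd) -> None:
        self.outbound = outbound
        self.access_log: List[str] = []  # populated only by low-side users' own requests

    def fetch(self, url: str) -> Optional[bytes]:
        body = UNCLASSIFIED_WEB.get(url)  # stands in for a real HTTP fetch
        self.access_log.append(url)
        if body is not None:
            self.outbound.send(Transfer(url, body))
        return body


class HighSideStore:
    """Steps 3 and 4: a Web server on the classified side keyed by the original URL."""
    def __init__(self, inbound: ReceiveEnd) -> None:
        self.inbound = inbound
        self._store: Dict[str, bytes] = {}

    def sync(self) -> int:
        """Drain the channel into the store; returns the number of documents received."""
        count = 0
        while (item := self.inbound.receive()) is not None:
            self._store[item.url] = item.body
            count += 1
        return count

    def get(self, url: str) -> Optional[bytes]:
        # A miss is simply a miss: no request is (or can be) sent to the low side.
        return self._store.get(url)


def run_scenario() -> dict:
    send_end, receive_end = make_one_way_channel()
    proxy = LowSideProxy(send_end)
    store = HighSideStore(receive_end)
    proxy.fetch("http://example.org/report.html")
    proxy.fetch("http://example.org/missing.html")  # not found on the low side; nothing queued
    transferred = store.sync()
    return {
        "transferred": transferred,
        "high_has_report": store.get("http://example.org/report.html"),
        "high_has_missing": store.get("http://example.org/missing.html"),
        "high_has_unrequested": store.get("http://example.org/data.csv"),
        "high_side_can_send": hasattr(store.inbound, "send"),
        "low_side_log": list(proxy.access_log),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value!r}")
```

The point of splitting the channel into two endpoint objects is that the classified side's lack of a return path is a property of what it was handed, not of a rule it is trusted to follow; `data.csv` exists on the unclassified Web but never reaches the store because nobody on the unclassified side asked for it, which is exactly where the scheme keeps all control flow.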