[cap-talk] Confinement Confusion (was: Communicating conspirators)

David Wagner daw at cs.berkeley.edu
Tue Jul 18 02:32:55 EDT 2006


Mark Miller writes:
>David Wagner wrote:
>> Confinement is the goal.  The *-property is one approach to try to meet
>> that goal.  To put it another way, the *-property is a means to an end;
>> that end is confinement.
>
>I don't think this is right. Earlier I wrote
>
>> Confinement is necessary but not sufficient for the *-properties. For
>> example, a hypothetical caps-as-data system without covert channels, in
>> which full isolation could be provided, would be able to do confinement
>> but still not the *-properties.
>
>Even if it's not practically achievable to prevent covert channels,
>it is not logically inconsistent to imagine a system in which they have
>been prevented.  In such a system, I believe the above would hold. This
>shows that the *-properties go beyond confinement -- they are a tougher
>challenge.

Ok, you're right.  I over-simplified.  Let me try again, and you
can tell me whether you're convinced by my second attempt.

Bit-confinement is a goal.
Multi-level security is another goal.
MLS generally is understood to require certain kinds of bit-confinement,
thus MLS is a stronger goal than bit-confinement (because it
requires bit-confinement + more).

The *-property is an approach for building MLS systems.
The *-property is a means to an end; the end is MLS.
As such, the *-property could also be viewed as an approach to
achieving bit-confinement, but the *-property tries to achieve more
than just bit-confinement (it also tries to achieve MLS, which goes
beyond simple bit-confinement).
