[cap-talk] Confinement Confusion

David Hopwood david.nospam.hopwood at blueyonder.co.uk
Tue Jul 18 09:14:47 EDT 2006


David Wagner wrote:
> Toby Murray writes:
> 
>>Thus, it looks to me that *-property and confinement are inherently 
>>tangled in the minds of many in the community. If anyone out there could 
>>give some history on this I'd certainly be interested to hear it.
> 
> Confinement is the goal.  The *-property is one approach to try to
> meet that goal.  To put it another way, the *-property is a means to
> an end; that end is confinement.

My impression was that confinement, the simple security property, and
the *-property were all independent goals.

You can certainly have each of these properties, in several variants,
without the other two. (You can have confinement without any labelling,
which is necessary to express the simple security property or the
*-property.)

But I never really understood why the simple security property or the
*-property would be desirable anyway, given the restrictions they place
on frequently needed patterns of cooperation. It is very odd that
these properties have been considered important challenge problems for
access control systems, when they are almost irrelevant to real-world
security problems, and rigorous enforcement of them would often
*preclude* secure cooperation.

>>Of course that most recent Halevi, Karger, et al. paper also models
>>confinement using "probabilistic non-interference". Given the huge
>>number of different variations on non-interference, I feel this only
>>further confuses things.
> 
> Hmm.  I'm not sure I understand this criticism.  Probabilistic
> non-interference seems to be a reasonable formalism for analyzing covert
> channels and bit-confinement.

Probabilistic non-interference seems to me to be useless at best, given
that we have no sound basis on which to estimate the probabilities.

-- 
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
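As an added illustration of the distinction drawn in this post (constructed example code, not anything from the cap-talk thread or its authors): the simple security property and the *-property are checks over labels, while confinement can be expressed purely as reachability over who holds references to whom, with no labels at all. The lattice of levels, the subject and object names, and the capability graphs below are all assumptions made for the example; the last function shows a system in which every access satisfies both Bell-LaPadula properties and the subject is still not confined with respect to a particular observer.

```python
"""Toy model: label-based Bell-LaPadula checks versus label-free confinement."""
from collections import deque

# Assumed total order of sensitivity levels (constructed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def dominates(a: str, b: str) -> bool:
    """a dominates b when a's level is at least b's."""
    return LEVELS[a] >= LEVELS[b]


def simple_security_ok(subject_level: str, object_level: str) -> bool:
    """Simple security property ("no read up"): a read is allowed only if the
    subject's clearance dominates the object's classification."""
    return dominates(subject_level, object_level)


def star_property_ok(subject_level: str, object_level: str) -> bool:
    """*-property ("no write down"): a write is allowed only if the object's
    classification dominates the subject's clearance."""
    return dominates(object_level, subject_level)


def blp_violations(accesses, levels):
    """Return the accesses that break either label property.

    accesses: iterable of (subject, op, obj) with op in {"read", "write"}.
    levels:   mapping of every subject and object name to a level name.
    """
    bad = []
    for subject, op, obj in accesses:
        s, o = levels[subject], levels[obj]
        ok = simple_security_ok(s, o) if op == "read" else star_property_ok(s, o)
        if not ok:
            bad.append((subject, op, obj))
    return bad


def confined(graph, subject, observers):
    """Label-free confinement check over a capability graph.

    graph maps each holder to the set of things it holds references to.
    `subject` is confined with respect to `observers` if no chain of
    references starting at `subject` reaches any observer. No levels are
    consulted; only reachability matters.
    """
    seen = {subject}
    queue = deque([subject])
    while queue:
        node = queue.popleft()
        for target in graph.get(node, set()):
            if target in observers:
                return False
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return True


def blp_satisfied_but_unconfined():
    """Constructed scenario: a confidential worker writes *up* into a
    top_secret file, which a top_secret analyst then reads. Both accesses
    satisfy the simple security property and the *-property, yet the
    worker's data reaches the analyst, so the worker is not confined with
    respect to that analyst. Returns (no_blp_violations, is_confined)."""
    levels = {"worker": "confidential", "report": "top_secret",
              "analyst": "top_secret"}
    accesses = [("worker", "write", "report"), ("analyst", "read", "report")]
    # Model the same system as a reference graph: writing to `report` and the
    # analyst reading it make `report` a path from the worker to the analyst.
    graph = {"worker": {"report"}, "report": {"analyst"}}
    return (blp_violations(accesses, levels) == [],
            confined(graph, "worker", {"analyst"}))


if __name__ == "__main__":
    # Confinement without any labelling: the worker only reaches a scratch
    # object that holds no references onward, so nothing leaks to the network.
    unlabelled = {"worker": {"scratch"}, "scratch": set(), "helper": {"worker"}}
    print("confined (no labels):", confined(unlabelled, "worker", {"network"}))
    print("BLP ok / confined:", blp_satisfied_but_unconfined())
```

Running the script prints `True` for the label-free graph and `(True, False)` for the second scenario, which is the sense in which the two kinds of property are independent: satisfying the label rules neither requires labels to express confinement nor guarantees it.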
