[cap-talk] Confinement Confusion
Karp, Alan H
alan.karp at hp.com
Tue Jul 18 11:47:54 EDT 2006
David Hopwood wrote:
>
> But I never really understood why the simple security property or the
> *-property would be desirable anyway, given the restrictions they place
> on frequently needed patterns of cooperation. It is very odd that
> these properties have been considered important challenge problems for
> access control systems, when they are almost irrelevant to real-world
> security problems, and rigorous enforcement of them would often
> *preclude* secure cooperation.
>
The Bell-LaPadula model also includes a means for explicitly lowering
the security level. Hence, a High object can create a High message
"Tell me when you see an enemy soldier.", have it declassified and
transmitted to Low objects. Each Low object makes its reports as
High. Hence, only Highs can aggregate the data, but Lows know what data
to send.
You can turn this example around. The Low writes to High a message
"Where should I go?" High uses the aggregated information on enemy
locations sent by the Lows, creates a response as High, has it
declassified and sent to Low. Awkward but useful.
I believe this approach is used in real life (death) situations that
don't involve computers at all. Indeed, as has been noted on this list,
the sense is "We trust the people; they've been cleared. It's the
computers we're not sure of." If only a person can declassify the data,
the inability of a High process to talk to Low makes sense while not
precluding the desired collaboration.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
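The two-level exchange Karp describes, as an added example that is not part of the original post or of any cap-talk code: a toy Bell-LaPadula reference monitor that enforces the simple security property (no read up) and the *-property (no write down), plus a separate declassify operation that only a trusted human subject may invoke. The subjects (hq-process, duty-officer, patrol-a, patrol-b), objects and report text are all constructed for the illustration.

```python
"""Toy Bell-LaPadula monitor with an explicit, trusted declassifier.

Constructed illustration for the cap-talk post above; two levels only.
Subject, object and message names are made up.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    LOW = 0
    HIGH = 1


class AccessDenied(Exception):
    pass


@dataclass
class Subject:
    name: str
    level: Level           # level the subject currently operates at
    trusted: bool = False  # True only for the human declassifier


@dataclass
class Obj:
    name: str
    level: Level
    contents: list = field(default_factory=list)


class Monitor:
    def __init__(self):
        self.audit = []  # (who, object, from, to) for every downgrade

    def read(self, s: Subject, o: Obj) -> list:
        # Simple security property: read only at or below your own level.
        if s.level < o.level:
            raise AccessDenied(f"{s.name} may not read {o.name} (no read up)")
        return list(o.contents)

    def write(self, s: Subject, o: Obj, msg: str) -> None:
        # *-property: write only at or above your own level.
        if s.level > o.level:
            raise AccessDenied(f"{s.name} may not write {o.name} (no write down)")
        o.contents.append(msg)

    def declassify(self, s: Subject, o: Obj, new: Level) -> None:
        # The explicit downgrade sits outside the two properties: only a
        # trusted (human) declassifier may lower a label, and it is audited.
        if not s.trusted:
            raise AccessDenied(f"{s.name} is not a declassifier")
        if new > o.level:
            raise ValueError("declassify only lowers labels")
        self.audit.append((s.name, o.name, o.level.name, new.name))
        o.level = new


def denied(fn, *args) -> str:
    """Run one monitor call and report whether it was allowed or denied."""
    try:
        fn(*args)
        return "allowed"
    except AccessDenied:
        return "denied"


def run_scenario() -> dict:
    mon = Monitor()
    hq = Subject("hq-process", Level.HIGH)
    officer = Subject("duty-officer", Level.HIGH, trusted=True)
    patrol_a = Subject("patrol-a", Level.LOW)
    patrol_b = Subject("patrol-b", Level.LOW)
    result = {}

    # 1. hq composes the tasking at HIGH. Writing it straight into a LOW
    #    object is blocked, and the hq process cannot downgrade it itself.
    tasking = Obj("tasking", Level.HIGH, ["Tell me when you see an enemy soldier."])
    low_board = Obj("low-board", Level.LOW)
    result["direct_write_down"] = denied(mon.write, hq, low_board, tasking.contents[0])
    result["process_declassify"] = denied(mon.declassify, hq, tasking, Level.LOW)

    # 2. The human officer declassifies the tasking; patrols can now read it.
    mon.declassify(officer, tasking, Level.LOW)
    result["patrol_reads_tasking"] = mon.read(patrol_a, tasking)

    # 3. Patrols report up into a HIGH object but cannot read it back,
    #    so only HIGH subjects can aggregate.
    reports = Obj("reports", Level.HIGH)
    mon.write(patrol_a, reports, "patrol-a: 3 soldiers at grid 41")
    mon.write(patrol_b, reports, "patrol-b: none seen")
    result["patrol_reads_reports"] = denied(mon.read, patrol_a, reports)
    result["hq_aggregate"] = len(mon.read(hq, reports))

    # 4. Reverse direction: a patrol asks up, hq answers at HIGH, the officer
    #    declassifies the answer, and the patrol reads it.
    question = Obj("question", Level.HIGH)
    mon.write(patrol_b, question, "patrol-b: where should I go?")
    answer = Obj("answer", Level.HIGH, [f"avoid grid 41 ({result['hq_aggregate']} reports)"])
    mon.declassify(officer, answer, Level.LOW)
    result["patrol_reads_answer"] = mon.read(patrol_b, answer)
    result["audit_entries"] = len(mon.audit)
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The monitor itself never lets a High process talk to Low; the only path down is the audited declassify call, which is refused to the hq process and granted to the officer. That is the "trust the people, not the computers" split from the post, with the collaboration still going through in both directions.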