[cap-talk] Rob Meijer: Communicating conspirators...
Jed at Webstart
donnelley1 at webstart.com
Tue Jul 18 13:50:09 EDT 2006
At 02:19 AM 7/18/2006, Rob wrote:
> >>All data and capabilities sent to Bob are
> >>by its 'labels' used to 'taint' Bob. The proxy can then use this tainting
> >>of Bob to disallow the further usage of outgoing communication to
> >>communication channels with mismatching labels. Further the Proxy
> >
> > I'm a bit unclear on what "the Proxy" is in the scheme you are
> > describing. The only proxy that makes sense to me is Bob or some
> > active entity acting on Bob's (or perhaps Alice's) behalf.
> >
> >>can hold
> >>on to (i.e. blocking) communication for Bob on incoming communication
> >>channels where the labels mismatch the current tainting of Bob.
> >
> > I'm not sure how any labels might play a role in this scheme.
>
>With classic MLS a process/object has something called a (static) clearance
>level. With capabilities however, it is not the process or object that has
>clearance but the capability.
What makes you think so? I don't believe such an interpretation makes
any sense. In "classic" MLS systems both the subject (analogous to a
person), generally referred to as the subject's "clearance", and the object
(holding information - think file), generally referred to as the object's
"classification", have levels chosen from the same well ordered set of
labels. The traditional problem is to assure that information can't be
read up (simple security property) or written down (so-called * property,
a thoroughly meaningless name as far as I'm concerned. Why don't
they just call it "read up" and "write down"?), e.g. as described in:
http://www.erights.org/elib/capability/duals/boebert.html
>By using an MLS style clearance like label
>for each capability, making the label an intrinsic part of the capability,
>a proxy can be created around each object in order to help the object
>to become able to handle capabilities with different values for this label.
It sounds like you are associating the label with the object (through the
capability), though I'm not sure if you intend to allow multiple capabilities
with multiple levels to point to (reference) the same object. To my
understanding doing so wouldn't make sense as it's the data in the object
that's traditionally associated with the label - the "classification" of the
information. Let's just think file for now. Suppose I have a secret file.
That is I consider the information in the file to be "secret" (labeled
secret). I really think it meaningless to consider MLS without also having
such labels ("clearances") for the active entities (e.g. processes). The
simple security property says that a secret process should not be able to
read a top secret file or write to an unclassified file.
If we have the same view on that much of the model, then perhaps
we can further this discussion. If we don't agree on that much then
perhaps you can explain where you feel we differ.
>When you define this proxy to be both bag and membrane, the proxy can
>keep track of the 'tainting' of the object.
I'm still not sure what you are referring to when you refer to "this proxy".
Do you mean Alice or Bob (or Mallet) or some construction serviced by
one of them (e.g. Alice?).
>If the object
Which object (process - as you seem to be referring to an active object)?
>fetches a
>capability from the proxy (bag) or receives one in a method call, the
>object will get "tainted" to the highest value of a capability it holds.
>If after receiving a high labeled capability the object tries to use a low
>labeled capability, the proxy would interpret this as an apparent flaw in
>the object, and the object could be killed and be restored in its state
>to a previous level. It's a bit more complicated than this, but this
>is about the rough picture.
>
>This means the MLS properties get effectively diminished to:
>
>'An object may not combine capabilities with different labels'
>
>The proxy pattern for this is a bit complicated, but the resulting
>property is quite useful for solving the described problem.
I would like to understand the mechanism you are getting at.
However, I'm afraid I do need some additional details. Can you help?
I really don't understand how you can talk about MLS if your active
entities (processes, active objects) don't themselves have labels.
Isn't that the essence of what MLS is trying to achieve (can't read
up, can't write down)? While I can understand associating a classification
with a capability to an object (as we did in our NLTSS system), any
such association seems in some sense to be a simple convenience or
expedience as the real label must be on the information stored in the
object - its "classification" level. Having distinct levels for two different
capabilities (references) to the same object makes no sense to me.
Does it to you? If so, can you explain?
Perhaps this is a topic that could best be communicated interactively
(e.g. by telephone?)? Feel free to give me a call. You can find my
telephone number in:
http://www.lbl.gov/cgi-bin/ds/ds.cgi?include=n&peopleName=donnelley&deptName=
We are on US Pacific time. You can also call and perhaps reach me in
the evenings or leave a message where I can reach you at the "Webstart"
number on:
http://www.webstart.com/jed/
I hope we can clear this up.
--Jed http://www.webstart.com/jed/
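The two label schemes the message argues about, written out as a small model. This is an added example, not code from the cap-talk thread or from either participant: the first part encodes the classic MLS rules Jed describes (clearance on the subject, classification on the object, no read up, no write down); the second part encodes the rule Rob sketches (label on the capability, a proxy tracking the holder's "taint" as the highest label received, and a lower-labeled use treated as a flaw that resets the object). The level names, the choice to start the taint at the lowest level, and the "reset to an untainted state" behaviour are assumptions made here for illustration.

```python
"""Toy model of the two label schemes discussed in the thread.

Added example, not code from the cap-talk thread. It contrasts classic
Bell-LaPadula checks (labels on subjects and objects) with the scheme Rob
sketches (labels on capabilities, a proxy tracking the holder's taint).
Level names and the reset-on-violation behaviour are assumptions.
"""
from enum import IntEnum


class Level(IntEnum):
    """A totally ordered set of labels, as in classic MLS (assumed names)."""
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2


# --- Classic MLS: clearance on the subject, classification on the object ---

def can_read(clearance: Level, classification: Level) -> bool:
    """Simple security property: a subject may not read up."""
    return clearance >= classification


def can_write(clearance: Level, classification: Level) -> bool:
    """*-property: a subject may not write down."""
    return clearance <= classification


# --- Rob's sketch: label on the capability, taint tracked by a proxy ---

class Capability:
    """A reference carrying its own label as an intrinsic part."""
    def __init__(self, name: str, label: Level):
        self.name = name
        self.label = label


class TaintViolation(Exception):
    """Raised when an object uses a capability below its current taint."""


class TaintingProxy:
    """Bag plus membrane around one object, tracking that object's taint.

    The taint is the highest label of any capability the object has
    received. Using a capability labeled below the current taint is
    treated as an apparent flaw: the proxy discards the object's state
    (modelled here as emptying the bag and resetting the taint) and
    reports the violation. So the only property enforced is Rob's
    "an object may not combine capabilities with different labels".
    """
    def __init__(self):
        self.taint = Level.UNCLASSIFIED   # assumption: lowest level = untainted
        self.bag = []                      # capabilities the object holds
        self.log = []                      # human-readable audit trail

    def receive(self, cap: Capability) -> Level:
        """Fetch from the bag or receive in a call: taint rises to the max."""
        self.bag.append(cap)
        self.taint = max(self.taint, cap.label)
        self.log.append(f"received {cap.name}@{cap.label.name}; taint={self.taint.name}")
        return self.taint

    def use(self, cap: Capability) -> Level:
        """Invoke a held capability; a below-taint use kills/resets the object."""
        if cap not in self.bag:
            raise KeyError(f"{cap.name} not held")
        if cap.label < self.taint:
            self.log.append(f"violation: {cap.name}@{cap.label.name} used at taint {self.taint.name}")
            self.reset()
            raise TaintViolation(cap.name)
        self.log.append(f"used {cap.name}@{cap.label.name}")
        return self.taint

    def reset(self) -> None:
        """Restore the object to an untainted state (assumed semantics)."""
        self.bag = []
        self.taint = Level.UNCLASSIFIED


def run_scenario() -> list:
    """Constructed walk-through: low use, high use, then a forbidden low use."""
    proxy = TaintingProxy()
    printer = Capability("printer", Level.UNCLASSIFIED)
    secret_file = Capability("secret_file", Level.SECRET)
    proxy.receive(printer)
    proxy.use(printer)          # fine: taint is still UNCLASSIFIED
    proxy.receive(secret_file)  # taint rises to SECRET
    proxy.use(secret_file)      # fine: matches the taint
    try:
        proxy.use(printer)      # flaw: SECRET-tainted object touches a low cap
    except TaintViolation:
        pass
    return proxy.log


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

Note what the model makes visible: the classic checks need a label on the process (its clearance) to decide anything at all, whereas the proxy never assigns the object a clearance in advance; the taint is derived entirely from what the object has touched, which is the point Jed is asking Rob to justify.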