[cap-talk] Confinement Confusion
Jed at Webstart
donnelley1 at webstart.com
Tue Jul 18 14:35:12 EDT 2006
At 06:14 AM 7/18/2006, David Hopwood wrote:
>David Wagner wrote:
> > Toby Murray writes:
> >
> >>Thus, it looks to me that *-property and confinement are inherently
> >>tangled in the minds of many in the community. If anyone out there could
> >>give some history on this I'd certainly be interested to hear it.
> >
> > Confinement is the goal. The *-property is one approach to try to
> > meet that goal. To put it another way, the *-property is a means to
> > an end; that end is confinement.
>
>My impression was that confinement, the simple security property, and
>the *-property were all independent goals.
>
>You can certainly have each of these properties, in several variants,
>without the other two. (You can have confinement without any labelling,
>which is necessary to express the simple security property or the
>*-property.)

Right. To consider the simple security property (disallow read up,
i.e. reading of information at a level higher than clearance) or the
* property (disallow write down, i.e. writing of information into an
object at a classification level below clearance) then you need to
have clearance labels on all active entities and classification levels
on sources/sinks of information (think files).

>But I never really understood why the simple security property or the
>*-property would be desirable anyway, given the restrictions they place
>on frequently needed patterns of cooperation. It is very odd that
>these properties have been considered important challenge problems for
>access control systems, when they are almost irrelevant to real-world
>security problems, and rigorous enforcement of them would often
>*preclude* secure cooperation.

See the discussion I give in the following message.
--Jed http://www.webstart.com/jed/
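
The two label checks described in this message, and the request/reply cooperation pattern they interfere with, as an added example that is not part of the original post. The level names, subject names, file names and function names are assumptions made for illustration.

```python
from enum import IntEnum

class Level(IntEnum):
    # Hypothetical linear ordering of labels; real systems often use a lattice.
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2

def may_read(clearance, classification):
    """Simple security property: no read up."""
    return clearance >= classification

def may_write(clearance, classification):
    """*-property: no write down."""
    return classification >= clearance

def permitted(subjects, objects, subject, op, obj):
    """Reference-monitor decision for one access, from the labels alone."""
    check = may_read if op == "read" else may_write
    return check(subjects[subject], objects[obj])

def blocked_steps(subjects, objects, client, server, request, reply):
    """Steps of a request/reply exchange that the two properties refuse."""
    steps = [
        (client, "write", request),  # client files a request
        (server, "read", request),   # server picks it up
        (server, "write", reply),    # server answers
        (client, "read", reply),     # client reads the answer
    ]
    return [s for s in steps if not permitted(subjects, objects, *s)]

# Constructed sample: a CONFIDENTIAL clerk asking a SECRET analyst a question.
SUBJECTS = {"clerk": Level.CONFIDENTIAL, "analyst": Level.SECRET}

def reply_labelled(level):
    """Blocked steps when the reply file carries the given classification."""
    objects = {"request.txt": Level.CONFIDENTIAL, "reply.txt": level}
    return blocked_steps(SUBJECTS, objects, "clerk", "analyst",
                         "request.txt", "reply.txt")

if __name__ == "__main__":
    for level in Level:
        print(level.name, "->", reply_labelled(level))
```

Whatever classification the reply file is given, one step of the exchange is refused: a low-labelled reply trips the *-property on the analyst's write, and a high-labelled reply trips the simple security property on the clerk's read.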