[cap-talk] Confinement Confusion
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Tue Jul 18 13:27:04 EDT 2006
Karp, Alan H wrote:
> David Hopwood wrote:
>
>>But I never really understood why the simple security property or the
>>*-property would be desirable anyway, given the restrictions they place
>>on frequently needed patterns of cooperation. It is very odd that
>>these properties have been considered important challenge problems for
>>access control systems, when they are almost irrelevant to real-world
>>security problems, and rigorous enforcement of them would often
>>*preclude* secure cooperation.
>
> The Bell-LaPadula model also includes a means for explicitly lowering
> the security level. Hence, a High object can create a High message
> "Tell me when you see an enemy soldier.", have it declassified and
> transmitted to Low objects. Each Low object makes its reports as
> High. Hence, only Highs can aggregate the data, but Lows know what data
> to send.
>
> You can turn this example around. The Low writes to High a message
> "Where should I go?" High uses the aggregated information on enemy
> locations sent by the Lows, creates a response as High, has it
> declassified and sent to Low. Awkward but useful.
>
> I believe this approach is used in real life (death) situations that
> don't involve computers at all. Indeed, as has been noted on this list,
> the sense is "We trust the people; they've been cleared. It's the
> computers we're not sure of."
If that is how the simple security property and *-property are supposed
to be used, then most papers that discuss them have done a lousy job at
explaining it. A typical example:
"On the Inability of an Unmodified Capability Machine to Enforce the *-Property"
<http://www.erights.org/elib/capability/duals/boebert.html>
# The attribute associated with a subject is its "clearance," a value
# which expresses the trustworthiness of the user on whose behalf the
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# program is executing.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
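The two exchanges Alan Karp describes above (High tasks Low via declassification, Lows report up, and the reversed "Where should I go?" case) can be made concrete with a toy reference monitor. The following is an added example written for this page, not code from the original thread or from any of the systems it mentions; it assumes a two-level lattice (LOW below HIGH), a single trusted declassification path, and constructed names such as "HQ" and "patrol-1".

```python
"""Toy Bell-LaPadula reference monitor with explicit declassification.

Simple security property: no read up.  *-property: no write down.
Declassification is a separate, trusted operation outside the *-property,
which is what lets the High tasking reach the Low objects.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Two-level lattice; a larger value dominates a smaller one (assumed)."""
    LOW = 0
    HIGH = 1


class AccessDenied(Exception):
    """Raised when a request violates the simple security or *-property."""


@dataclass
class Subject:
    name: str
    clearance: Level


@dataclass
class Obj:
    name: str
    level: Level
    contents: list = field(default_factory=list)


class ReferenceMonitor:
    """Mediates every read and write; declassification has its own check."""

    def read(self, subj: Subject, obj: Obj) -> list:
        # Simple security property: the subject's clearance must dominate
        # the object's level (no read up).
        if subj.clearance < obj.level:
            raise AccessDenied(f"{subj.name} may not read {obj.name}")
        return list(obj.contents)

    def write(self, subj: Subject, obj: Obj, msg: str) -> None:
        # *-property: the object's level must dominate the subject's
        # clearance (no write down); writing up is permitted.
        if obj.level < subj.clearance:
            raise AccessDenied(f"{subj.name} may not write down to {obj.name}")
        obj.contents.append(msg)

    def declassify(self, trusted: Subject, src: Obj, msg: str, dst: Obj) -> None:
        # Explicit lowering of level.  The trusted subject must be able to
        # read src, and only a message actually present in src is released,
        # so nothing is invented on the way down.
        if trusted.clearance < src.level or msg not in src.contents:
            raise AccessDenied(f"{trusted.name} may not declassify from {src.name}")
        dst.contents.append(msg)


def run_scenario() -> dict:
    """Play both exchanges from the post and return what each side sees."""
    rm = ReferenceMonitor()
    hq = Subject("HQ", Level.HIGH)                       # constructed names
    patrols = [Subject("patrol-1", Level.LOW), Subject("patrol-2", Level.LOW)]
    high_log = Obj("high-log", Level.HIGH)               # only HIGH can read
    low_board = Obj("low-board", Level.LOW)              # everyone can read
    denied = []

    # Exchange 1: High tasks the Lows via declassification, Lows report up.
    tasking = "Tell me when you see an enemy soldier."
    rm.write(hq, high_log, tasking)                      # High-to-High write
    rm.declassify(hq, high_log, tasking, low_board)      # explicit lowering
    try:
        rm.write(hq, low_board, "direct order")          # blocked: write down
    except AccessDenied:
        denied.append("HQ-write-down")
    for p in patrols:
        assert rm.read(p, low_board) == [tasking]        # Low reads tasking
        rm.write(p, high_log, f"{p.name}: enemy sighted")  # write up is fine
        try:
            rm.read(p, high_log)                         # blocked: read up
        except AccessDenied:
            denied.append(f"{p.name}-read-up")

    # Exchange 2 (turned around): Low asks High, High answers via declassification.
    rm.write(patrols[0], high_log, "patrol-1: Where should I go?")
    answer = "HQ: patrol-1, hold position"
    rm.write(hq, high_log, answer)
    rm.declassify(hq, high_log, answer, low_board)

    return {
        "low_sees": rm.read(patrols[0], low_board),
        "high_aggregate": rm.read(hq, high_log),
        "denied": denied,
    }
```

Only the HIGH-cleared subject ever sees the aggregated reports, every Low sees exactly the tasking and the answer that were deliberately released, and the two direct shortcuts (High writing straight to the Low board, Low reading the High log) are the ones the properties refuse. The awkwardness Karp mentions is visible in the code: every High-to-Low message needs a separate declassify call rather than an ordinary write.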