[cap-talk] Confinement Confusion
Karp, Alan H
alan.karp at hp.com
Tue Jul 18 18:13:23 EDT 2006
David Hopwood wrote:
>
> If that is how the simple security property and *-property are supposed
> to be used, then most papers that discuss them have done a lousy job at
> explaining it.
>
I agree. One correction to what I wrote, though. The explicit
declassification may not be in the Bell-LaPadula model, but it is in the
Orange Book.
>
> "On the Inability of an Unmodified Capability Machine to
> Enforce the *-Property"
> <http://www.erights.org/elib/capability/duals/boebert.html>
>
> # The attribute associated with a subject is its "clearance," a value
> # which expresses the trustworthiness of the user on whose behalf the
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> # program is executing.
>
I don't believe that this statement is incompatible with what I said.
If the person is classified High, the program should be able to run
High. Nevertheless, the person, but not the program, should be allowed
to downgrade the classification of what the program produces.
________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp
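
A toy reference monitor for the arrangement discussed in the message above, added here as an illustration; it is not code from the thread or from any system the thread mentions. The two-level lattice, every name in it (`Level`, `User`, `Program`, `read`, `write`, `downgrade`, `attempt`) and the rule that a person must be cleared for an object before downgrading it are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):          # assumed two-level lattice
    LOW = 0
    HIGH = 1

class Denied(Exception):
    pass

@dataclass(frozen=True)
class User:                    # the person; holds the clearance
    name: str
    clearance: Level

@dataclass(frozen=True)
class Program:                 # runs at the clearance of the user it acts for
    name: str
    user: User
    @property
    def level(self):
        return self.user.clearance

@dataclass
class Obj:
    name: str
    level: Level

def read(prog, obj):
    if obj.level > prog.level:             # simple security property: no read up
        raise Denied(f"{prog.name} may not read {obj.name}")
    return True

def write(prog, obj):
    if obj.level < prog.level:             # *-property: no write down
        raise Denied(f"{prog.name} may not write {obj.name}")
    return True

def downgrade(principal, obj, new_level):
    if not isinstance(principal, User):    # programs never declassify
        raise Denied("only a person may downgrade")
    if principal.clearance < obj.level:    # assumption: must be cleared for the object
        raise Denied(f"{principal.name} is not cleared for {obj.name}")
    if new_level >= obj.level:
        raise ValueError("not a downgrade")
    obj.level = new_level
    return obj

def attempt(action, *args):                # helper: report the monitor's decision
    try:
        action(*args)
        return "allowed"
    except Denied:
        return "denied"
```

A program acting for a High user can write a High object but cannot write or relabel it Low; the same user, acting as a person, can relabel it.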