[cap-talk] Confinement Confusion, MLS and POLA

Jed at Webstart donnelley1 at webstart.com
Tue Jul 18 20:34:10 EDT 2006


At 03:05 PM 7/18/2006, Karp, Alan H wrote:
>Jed wrote:
>
>A lot of stuff I agree with.  Nevertheless, I'd like to give one real
>example.  The Navy typically has a sailor sitting in front of two
>computer displays, one display connected to a computer running at High,
>the other at Low.  Sometimes, the sailor will read something on the High
>machine and manually type it into the Low machine.  This setup allows
>the Navy to run Microsoft Word on the High machine and get information
>to Low without needing to do a full security audit of Word to make sure
>that Word doesn't decide what gets copied to Low.  The sailor is cleared
>High, but the *-property is not applied to the person (We trust the
>people), only to the computer (It's the computer we worry about).  Of
>course, all is lost if the sailor is a spy.

That sailor is playing the role of an authorized declassifier.  He or she
should be trained in that role (e.g. know what to look for coming through
and not blindly copy it to Low).  That role is fine and is discussed in
the Bell and LaPadula model as I recall.  That role exists even now
at places like LLNL.  Even though they have no multi-level networked
systems any more, they do still have the need to transfer information
from a higher level network to a lower level one.

>My understanding is that this approach has largely been abandoned for
>anything but low volume data because nobody has been able to automate
>the classification downgrading process.

Certainly.

This is where an issue arises with regard to IPC systems with
MLS (with or without capabilities) - see my most recent message
in the Meijer thread if you're interested.

--Jed http://www.webstart.com/jed/ 



