[cap-talk] Confinement Confusion
Jed at LBL
JEDonnelley at lbl.gov
Tue Jul 18 21:05:05 EDT 2006
At 03:13 PM 7/18/2006, Karp, Alan H wrote:
>David Hopwood wrote:
> >
> > If that is how the simple security property and *-property
> > are supposed
> > to be used, then most papers that discuss them have done a
> > lousy job at
> > explaining it.
> >
>I agree. One correction to what I wrote, though. The explicit
>declassification may not be in the Bell-LaPadula model, but it is in the
>Orange Book.
Thanks for that clarification. I wondered about that.
> > "On the Inability of an Unmodified Capability Machine to
> > Enforce the *-Property"
> > <http://www.erights.org/elib/capability/duals/boebert.html>
> >
> > # The attribute associated with a subject is its "clearance," a value
> > # which expresses the trustworthiness of the user on whose behalf the
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > # program is executing.
>
>I don't believe that this statement is incompatible with what I said.
>If the person is classified High, the program should be able to run
>High. Nevertheless, the person, but not the program, should be allowed
>to downgrade the classification of what the program produces.
In the situations I'm familiar with only authorized classifiers (not
any person) can declassify information (documents).
However, as I noted in the Meijer thread, we found it necessary for
at least some processes (most servers) to be able to declassify
information - specifically to deal with the situation where they
received requests from processes at lower clearances. Without
that ability we would have required separate sets of servers at
every classification level.
--Jed http://www.webstart.com/jed/
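
The point about servers, as an added sketch that is not part of the original message: a small Bell-LaPadula-style access check showing why a server held to the *-property can only answer clients at its own level, while one trusted to declassify can answer lower clients too. The level names, the `may_declassify` flag and the request/reply objects are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):  # constructed three-level lattice
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level
    may_declassify: bool = False  # assumption: models a server allowed to write down

@dataclass(frozen=True)
class Obj:
    name: str
    label: Level

def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up."""
    return s.clearance >= o.label

def can_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down, unless the subject is trusted to declassify."""
    return o.label >= s.clearance or s.may_declassify

def can_serve(server: Subject, client: Subject) -> bool:
    """True if a request/reply round trip passes all four access checks."""
    request = Obj("request", client.clearance)  # client writes at its own level
    reply = Obj("reply", client.clearance)      # reply must be readable by the client
    return (can_write(client, request) and can_read(server, request)
            and can_write(server, reply) and can_read(client, reply))

def levels_served(server: Subject) -> list:
    """Client clearances this one server instance can answer."""
    return [lvl for lvl in Level if can_serve(server, Subject("client", lvl))]

if __name__ == "__main__":
    strict = Subject("strict-server", Level.TOP_SECRET)
    trusted = Subject("trusted-server", Level.TOP_SECRET, may_declassify=True)
    print("strict :", [l.name for l in levels_served(strict)])
    print("trusted:", [l.name for l in levels_served(trusted)])
```
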