[cap-talk] Boebert's quote, Boebert attack on DVH, conspiring communicators
Jed at Webstart
donnelley1 at webstart.com
Thu Jul 20 15:41:21 EDT 2006
At 05:35 PM 7/19/2006, Toby Murray wrote:
>...
>The problem is that Boebert's quote is ambiguous. Depending on how
>one interprets its meaning, we can draw different conclusions about
>its correctness and applicability.
Why does it matter how we interpret Boebert's quote? Isn't what
matters whether or not the attack applies?
At 09:55 AM 7/20/2006, Karp, Alan H wrote:
>...
>In DVH a process only holds an index into a
>c-list. What exactly can a Low process write to High that will give a
>High process a capability? That's what's required for Boebert's
>analysis to hold. In fact, Boebert's attack succeeds only if a process
>can write a capability as data.
I don't agree. Here's Boebert's attack (from
http://www.erights.org/elib/capability/duals/boebert.html
Kudos to Ka-Ping Yee, many thanks - in spite of the minor typos...):
__________________________________________
A malicious program executing on behalf
of a user with low clearance requests a capability which grants Read and
Write access to a storage object of equally low classification. We will
call this object low_object and the capability RW_low_object. Such a
request is naturally granted by the oracle. The program places RW_low_object
in low_object. At some later time, a user with a high clearance unwittingly
invokes a Trojan Horse program. The Trojan Horse program requests a capability
granting read access to a storage object of high classification. We will call
the object high_object and the capability R_high_object. This request will
also naturally be granted. Finally, the Trojan Horse program requests a
capability granting Read access to low_object. This request will be granted
by the oracle, in accordance with the Simple Security Property. We will
call this last capability R_low_object.
The Trojan Horse program then uses R_low_object to fetch RW_low_object
from low_object. A malicious program now simultaneously possesses R_high_object
and RW_low_object, and is therefore able to transfer information in
violation of the *_Property.
_________________________________________
In terms of DVH, consider:
"low_object" is a c-list (later called a directory I believe, but no matter.
It's an object that can store capabilities. It has insert or write and fetch
operations). A RW_low_object capability allows both insert/write and fetch
operations to the c-list. In Dennis and VanHorn, as in any capabilities-as-descriptors
system (e.g. KeyKos, EROS, RATS, E, etc.), one can store capabilities
in some such c-list or directory object.
One thing we have to do (and Boebert did) is to imagine how a classification
scheme would apply to capability objects as well as to data. It seems to me
his interpretation that capabilities can have classification levels just like
with data is a natural one. I don't believe that's an issue, is it?
All we have to have for the attack to succeed is the RW_low_object capability
stored in the low object (c-list) and the High clearance Trojan Horse with
R_low_object and R_high_object capabilities. The Trojan horse then simply
fetches RW_low_object from R_low_object, and then reads from R_high_object
and writes to RW_low_object.
Perhaps it might simplify things in terms of thinking about Dennis and VanHorn
to distinguish some types and to name the capabilities and objects by their types.
Let's consider the case where we have:
low_c-list,
low_file, and
high_file
In our initial conditions we have:
1. A capability RW_low_file stored in low_c-list, and
2. Our Trojan Horse with capabilities to R_low_c-list and R_high_file.
(allowed by the MLS "oracle" - presumably any MLS policy)
The Trojan Horse then simply:
A. Fetches RW_low_file from its R_low_c-list,
B. Reads data from R_high_file, and
C. Writes data to RW_low_file
thereby violating the so-called star property (write down).
Of course once the High Trojan Horse is able to get hold of
the RW_low_file capability (fetching it as it does from the
R_low_c-list) the deed is done.
There is nothing relating to capabilities as data in the above.
As far as I understand this attack succeeds or fails exactly the
same in capabilities as data and capabilities as descriptor systems.
Perhaps it's worthwhile to consider the Boebert defense in the
Capability Myths demolished paper in this regard? Let me
describe how I read that defense. They say
(from http://srl.cs.jhu.edu/pubs/SRL2003-02.pdf )
________________________________________________________
Boebert concludes correctly that the particular use of
capabilities he described does not enforce the
*-Property. However, the argument assumes that
subjects can transmit capabilities anywhere they can
transmit data, which is not the case in most capability
systems.
________________________________________________________
As I argue above it does not. It merely assumes that
the rules for reading and writing capabilities follows
along the lines of the rules for reading and writing data.
Namely that capabilities also have classifications and that
they are similarly constrained by the policies of no write
down and no read up.
Then the Capability Myths authors go on to create the
very attractive diagram on page 9 where, as they say,
_________________________
Suppose now that each of the two classification levels
has separate read capabilities for capabilities and data,
and separate write capabilities for capabilities and data.
The oracle now hands out capabilities of both kinds,
much as before, with the exception that it does not hand
out capabilities that permit reading or writing
capabilities between different levels.
_________________________
I believe one must ask, with such a proposal, whether there
is any communication at all (not just capabilities
permitting reading and writing between the levels) between
the levels. If such communication is allowed at all
then I argue that essentially the Boebert attack is
possible. It may require a proxy, but it is certainly
possible. In Figure 10 on page 9 of the Capability Myths
paper, if we allow bidirectional communication between
Bob and Alice, Bob can send Alice high data that Alice can
write into her low data object. I argue that any such
bidirectional communication can support the same attack.
This is why I believe the idea of the Boebert attack
ends up getting tied into conspiring communicators.
That is really what it comes down to in violating
the MLS rules - whether one uses capabilities (as
descriptors or as data) or not.
If communication isn't allowed between the levels then
one has a partitioned system, as Boebert says,
"The attack can be stopped only if both reading and
writing are restricted to cases where clearance equals
classification, which is of course the trivial case of
no flow whatsoever."
Incidentally, does anybody know if Boebert is still active
in the IT area? From:
http://portal.acm.org/results.cfm?query=author%3AP501214&querydisp=author%3AW%2E%20E%2E%20Boebert&coll=GUIDE&dl=GUIDE&CFID=15151515&CFTOKEN=6184618
I see:
An Approach to the Specification of Distributed Software
William R. Franta, W. E. Boebert, Helmut K. Berg
June 1979
The Use of Formal Specification of Software
Publisher: Springer-Verlag
Applications: The extended access matrix model of computer security
W. E. Boebert, R. Y. Kain
August 1985
ACM SIGSOFT Software Engineering Notes, Volume 10 Issue 4
Publisher: ACM Press
which doesn't include the reference we fret over so much.
1984 and 1985 seem about it. Anybody know what happened to
him after that? It might be interesting to hear his thoughts
on this topic if that's possible.
--Jed http://www.webstart.com/jed/
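The attack as spelled out above (initial conditions 1 and 2, steps A to C), together with the Capability Myths split-rights defense, run as an added example. This is not code from the original post, from Dennis and Van Horn's design, or from the Capability Myths paper: the Oracle, Process, File and CList classes and their names are my own, the secret string is constructed sample data, and the policy checks are my reading of "no read up" and "no write down" applied to data and capability rights alike.

```python
# Added example, not from the post, from Dennis & Van Horn or from the Capability
# Myths paper. Toy capabilities-as-descriptors model: a process addresses its
# capabilities only by index into its own c-list, capabilities never exist as data,
# and an MLS "oracle" grants them per Simple Security (no read up) and the
# *-Property (no write down). All class and function names here are my own.
from dataclasses import dataclass, field

LOW, HIGH = 0, 1

class PolicyViolation(Exception):
    pass  # the oracle refused a capability request

@dataclass
class File:  # a data object
    name: str
    level: int
    data: list = field(default_factory=list)

@dataclass
class CList:  # Boebert's low_object: holds capabilities, supports insert and fetch
    name: str
    level: int
    slots: list = field(default_factory=list)

@dataclass(frozen=True)
class Cap:
    obj: object
    rights: frozenset  # subset of {"read", "write", "fetch", "insert"}

DATA_READ, DATA_WRITE, CAP_FETCH, CAP_INSERT = {"read"}, {"write"}, {"fetch"}, {"insert"}

class Oracle:
    """split_cap_rights=True models the Capability Myths defense: capability
    fetch/insert is granted only where clearance equals classification."""
    def __init__(self, split_cap_rights=False):
        self.split = split_cap_rights

    def grant(self, clearance, obj, rights):
        rights = frozenset(rights)
        if rights & {"read", "fetch"} and obj.level > clearance:
            raise PolicyViolation("no read up")
        if rights & {"write", "insert"} and obj.level < clearance:
            raise PolicyViolation("no write down")
        if self.split and rights & {"fetch", "insert"} and obj.level != clearance:
            raise PolicyViolation("no capability traffic across levels")
        return Cap(obj, rights)

class Process:
    def __init__(self, name, clearance, oracle):
        self.name, self.clearance, self.oracle = name, clearance, oracle
        self.clist = []  # rights are checked at grant time, not at use time

    def request(self, obj, rights):
        self.clist.append(self.oracle.grant(self.clearance, obj, rights))
        return len(self.clist) - 1  # the process gets an index, never the cap

    def _cap(self, idx, right):
        cap = self.clist[idx]
        if right not in cap.rights:
            raise PermissionError(f"{self.name}: cap {idx} lacks {right}")
        return cap

    def read(self, idx):
        return list(self._cap(idx, "read").obj.data)

    def write(self, idx, item):
        self._cap(idx, "write").obj.data.append(item)

    def insert(self, idx, cidx):
        self._cap(idx, "insert").obj.slots.append(self.clist[cidx])

    def fetch(self, idx, slot):  # the fetched cap lands in our own c-list
        self.clist.append(self._cap(idx, "fetch").obj.slots[slot])
        return len(self.clist) - 1

def boebert_attack(split_cap_rights=False):
    """Steps 1, 2 and A-C from the post; True if high data reaches low_file."""
    oracle = Oracle(split_cap_rights)
    low_clist, low_file = CList("low_c-list", LOW), File("low_file", LOW)
    high_file = File("high_file", HIGH, data=["SECRET"])  # constructed sample data
    low = Process("low_user", LOW, oracle)
    rw_low_file = low.request(low_file, DATA_READ | DATA_WRITE)
    low.insert(low.request(low_clist, CAP_INSERT), rw_low_file)  # 1. store RW_low_file
    trojan = Process("trojan", HIGH, oracle)
    r_high_file = trojan.request(high_file, DATA_READ)            # 2. R_high_file
    try:
        r_low_clist = trojan.request(low_clist, CAP_FETCH)        # 2. R_low_c-list
    except PolicyViolation:
        return False  # the split-rights oracle stops the attack right here
    rw_low = trojan.fetch(r_low_clist, 0)                         # A. fetch RW_low_file
    for item in trojan.read(r_high_file):                         # B. read high data
        trojan.write(rw_low, item)                                # C. write it down
    return "SECRET" in low_file.data
```

With the oracle's default policy the Trojan Horse is granted R_low_c-list (a read down, which Simple Security allows), fetches RW_low_file by index, and writes the high data down; no capability is ever handled as data bytes. With split_cap_rights=True the request for a fetch capability on an object of a different level is refused and the attack stops before step A. Note where the checks sit: the oracle decides at grant time, and a capability already in a c-list is honoured at use time without any further level comparison, which is exactly why step C succeeds in the first run.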