[cap-talk] Communicating conspirators, MLS, and the Boebert attack

Karp, Alan H alan.karp at hp.com
Thu Jul 20 20:12:55 EDT 2006


Jed wrote:
> 
> But then how does communication happen between the levels?
> Can you point to a system where that works?

NetTop with the sailor manually declassifying data by copying it from
the High machine to the Low one.
> 
> Then in that third party is where I put my Trojan, confused 
> deputy, etc.
> 
Trojan the declassifier, and all bets are off.  However, there need be
only one declassifier in the system for any number of applications.
Make that declassifier as secure as you possibly can.  The point is that
you only need to certify one piece of code, not every application you
might want to run.
> 
> I argue certainly yes, a c-list.  One can obtain a capability to
> a c-list (a directory) at least in any DVH-like system (e.g. RATS)
> that I am familiar with.  Such a system would be pretty useless
> if there wasn't a means to store capabilities somewhere.
> 
There is a way to insert a capability into a c-list, but it isn't
"Insert these bits as a capability."
> 
> I'm not sure I understand what you mean when you say the
> c-list refers to a different "capability" in each process.  Certainly
> every process has a c-list.  However, there's no reason why two
> processes can't share capabilities to the c-list of a third, e.g.
> to store and retrieve capabilities.  I think the question you have
> to ask for Boebert is how the MLS rules work for storing and
> retrieving capabilities.  It seems reasonable to me (and I think
> to Boebert) to assume that capabilities are treated like data
> in that regard.  That is, no write down and no read up.
> 
Index 7 in Alice's c-list is the Read_foo capability.  Index 7 in Bob's
c-list is the Write_bar capability.  There's no connection between them.


While there are systems that let processes have explicit capabilities to
the c-list (CU was one of them, but that's where our other mechanism
came in), I don't believe that's necessary.  Simply send the capability
in a message to the process.  Processes never explicitly refer to
c-lists.

If DVH did have such capabilities, then Boebert's analysis is correct.
Low writes a capability to a c-list that High can read.  I didn't think
that was the case.  If it is, then I misunderstood DVH, Boebert's
analysis does apply, and this whole discussion has been a waste of time.
My Bad.

_________________________
Alan Karp
Principal Scientist
Virus Safe Computing Initiative
Hewlett-Packard Laboratories 
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-7029
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
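To make the two points above concrete, here is a small Python model added to this archive page (it is not code from the post, from DVH, or from any real system): c-list indices are local to each process, and even when a Write_bar capability is passed up from Low to High in a message, the kernel still checks the labels at the moment the capability is used, so High gets no write-down path through it. The invoke-time label check is my assumption about one way to close the hole, not a claim about how DVH handles it.

```python
from collections import namedtuple
from dataclasses import dataclass

LOW, HIGH = 0, 1  # two MLS levels; High dominates Low
Cap = namedtuple("Cap", "obj rights")  # kernel-held; a process sees only a c-list index, never the bits
Process = namedtuple("Process", "name level clist")  # clist is this process's own c-list of Caps

@dataclass
class Obj:  # a labelled segment (constructed stand-in for foo/bar from the post)
    name: str
    level: int
    data: str = ""

class Kernel:
    def grant(self, p, obj, *rights):
        p.clist.append(Cap(obj, frozenset(rights)))
        return len(p.clist) - 1  # index is meaningful only inside p's own c-list
    def send(self, src, idx, dst):  # pass a capability in a message; messages may not flow down
        if dst.level < src.level:
            raise PermissionError(f"{src.name}: no write down")
        dst.clist.append(src.clist[idx])
        return len(dst.clist) - 1
    def invoke(self, p, idx, op, payload=None):
        cap = p.clist[idx]
        if op not in cap.rights:
            raise PermissionError(f"{p.name}: capability lacks {op}")
        if op == "read" and cap.obj.level > p.level:
            raise PermissionError(f"{p.name}: no read up")
        if op == "write" and cap.obj.level < p.level:
            raise PermissionError(f"{p.name}: no write down")  # labels checked at use, not only at transfer
        if op == "write":
            cap.obj.data = payload
        return cap.obj.data

def same_index_different_caps():
    k, alice, bob = Kernel(), Process("Alice", LOW, []), Process("Bob", LOW, [])
    i, j = k.grant(alice, Obj("foo", LOW), "read"), k.grant(bob, Obj("bar", LOW), "write")
    return i == j, alice.clist[i].obj.name, bob.clist[j].obj.name  # (True, 'foo', 'bar')

def boebert_attempt():  # Low hands Write_bar up to High; High then tries to write High data into bar
    k, bar = Kernel(), Obj("bar", LOW)
    low, high = Process("Low", LOW, []), Process("High", HIGH, [])
    idx_high = k.send(low, k.grant(low, bar, "read", "write"), high)  # write up: allowed
    try:
        k.invoke(high, idx_high, "write", "SECRET")
    except PermissionError as e:
        return str(e), bar.data  # ('High: no write down', '')
    return "leaked", bar.data
```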