[cap-talk] Confinement Confusion, MLS and POLA
David Wagner
daw at cs.berkeley.edu
Fri Jul 21 00:03:12 EDT 2006
Jed wrote:
>At 08:47 AM 7/18/2006, Karp, Alan H wrote:
>>The Bell-LaPadula model also includes a means for explicitly lowering
>>the security level. Hence, a High object can create a High message
>>"Tell me when you see an enemy soldier.", have it declassified and
>>transmitted to Low objects.
>
>Right. The above sort of mechanism (which I agree is needed for almost
>any practical purpose) seems to me to make clear the nonsense
>of this whole effort. The MLS mechanism is supposed to be "mandatory".
>That is, the subjects involved have no control. However, if you allow the
>above then it seems to me a clear violation of the * property (disallow
>write down).

To be fair, this can be justified as follows:

The Bell-LaPadula model is just a model. Any time you have a model,
some parts of the system will have to be outside the model. (For instance,
frequently the OS will be outside the model, or will be in the TCB, and
is given the power to deviate from the formal model.) In this case, the
declassifier lives outside the model and receives special dispensation
to violate the rules.

Nonetheless, much of the code (for instance, most of the applications)
still has to live within the model and abide by the Bell-LaPadula rules.
And the way to think about it is that the Bell-LaPadula mechanisms
protect you against failures in the applications that are constrained
to live within the Bell-LaPadula model. Of course, the Bell-LaPadula
model does not protect you against the declassifier or against anything
else that is outside the model and that receives special dispensation
to violate the rules. The declassifier must be verified to be correct
by some other means.

But -- and here is the key point -- if you've gotten the declassifier
and the implementation of the Bell-LaPadula model right, then you're not vulnerable
to failures or perhaps even malicious code in all the rest of the applications
running on your system. That's the goal, anyway.

And that's a substantial reduction in the size of the TCB, i.e., a
substantial reduction in the amount of code that you're vulnerable to,
i.e., a substantial reduction in the amount of code that absolutely has
to be correct (and thus has to be proven correct using high-assurance
methods, like formal methods or detailed source code reviews).

So don't think of the Bell-LaPadula model as an all-or-nothing deal.
Models like this can still have benefits even if there are applications
that receive special dispensation to violate the normal rules.
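As an added illustration of the argument above (this is not code from the thread or from any of its participants), a toy Bell-LaPadula reference monitor in Python: ordinary subjects are held to the simple security property (no read up) and the *-property (no write down), while one declassifier subject, named `guard` here as an assumption, holds the special dispensation to lower an object's level and is therefore the part that must be verified by other means. The High message from Alan Karp's example is used as the constructed sample object.

```python
# Linear lattice of levels, constructed for this example.
LEVELS = {"Low": 0, "High": 1}

class Obj:
    def __init__(self, name, level, contents=None):
        self.name, self.level = name, level
        self.contents = list(contents or [])

class ReferenceMonitor:
    """Enforces Bell-LaPadula for ordinary subjects. Only the declassifier,
    a trusted subject outside the model (hence in the TCB), may lower a level."""
    def __init__(self, declassifier):
        self.declassifier = declassifier  # assumed name of the trusted subject
        self.audit = []                   # every decision is recorded

    def read(self, subj_level, obj):
        # Simple security property: no read up.
        ok = LEVELS[subj_level] >= LEVELS[obj.level]
        self.audit.append(("read", subj_level, obj.name, ok))
        return list(obj.contents) if ok else None

    def write(self, subj_level, obj, data):
        # *-property: no write down; writing up (Low -> High) is allowed.
        ok = LEVELS[subj_level] <= LEVELS[obj.level]
        self.audit.append(("write", subj_level, obj.name, ok))
        if ok:
            obj.contents.append(data)
        return ok

    def declassify(self, subject, obj, new_level):
        # Special dispensation: bypasses the *-property, so the declassifier's
        # own correctness has to be established outside the model.
        ok = subject == self.declassifier
        self.audit.append(("declassify", subject, obj.name, ok))
        if ok:
            obj.level = new_level
        return ok

def scenario():
    """Karp's example: a High message is declassified, then read at Low."""
    rm = ReferenceMonitor(declassifier="guard")
    msg = Obj("order", "High", ["Tell me when you see an enemy soldier."])
    low_inbox = Obj("low-inbox", "Low")
    blocked = rm.write("High", low_inbox, msg.contents[0])   # *-property denies
    spoofed = rm.declassify("app", msg, "Low")               # not the declassifier
    released = rm.declassify("guard", msg, "Low")            # the trusted path
    seen_by_low = rm.read("Low", msg)                        # now readable at Low
    return blocked, spoofed, released, seen_by_low
```

The audit list shows why the TCB shrinks to the monitor plus `guard`: an ordinary application's only way to move data down is a request that the monitor refuses.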