[cap-talk] The Cascade Problem viewed as a Permission vs. Authority Distinction
Toby Murray
toby.murray at dsto.defence.gov.au
Wed May 24 20:03:22 EDT 2006
Karp, Alan H wrote:
>Toby Murray wrote:
>
>
>>The paper puts it like this:
>>There is a cascading path from "ibm" on entity A to "hp" on entity B via
>>shared channel "shell". The assurance rules require an assurance level
>>of at least "overseer" in order to be able to simultaneously access both
>>"hp" and "ibm" information. However, with a configuration that allows A
>>and B to share "shell" information, entities with an assurance rating of
>>just "consultant" can obtain this access.
>>
>>
>>
>We used a similar example to illustrate the features of Client Utility
>(CU). As you point out, you need to consider authority and not just
>permission.
>
>The key here is who will do what. If Alice (A) extracts part of the
>data from HP and inserts it into Shell, then Bob (B) can copy that data
>from Shell to IBM. There are numerous projects that tag data to prevent
>just this sort of copying, but I don't know how successful they are if
>Alice and Bob want to violate the rules. However, they may give honest
>employees the tools needed to follow the rules. That's the point of
>Voluntary Oblivious Compliance (VOC).
>
>In CU, we had no control over data once it was removed from a file, so
>we focused on what we could do to control access to individual files.
>In this example, Alice could copy a file from the HP folder to the Shell
>folder without worrying that Bob could read it, much less copy it to the
>IBM folder. In fact, Bob couldn't even find out that the file existed,
>no matter what folder it was in. Hence, Alice could be oblivious to the
>rules and still follow them. It was voluntary because Alice could read
>the data and insert it into a new file in the Shell folder.
>
>
>
Alan, is there a paper on VOC? It's come up here a few times and I know
there's some E code in MarcS' Walnut that demonstrates it but I've not
yet been able to get my head around this code. Is there something that
indicates the basic idea of VOC and how it might be implemented in the
general object-cap model?
thanks,
Toby
--
Toby Murray
Advanced Computer Capabilities Group
Information Networks Division
DSTO, Australia