[cap-talk] Capabilities in C# (revised)

David Wagner daw at cs.berkeley.edu
Thu Nov 2 19:34:28 CST 2006


"Stiegler, Marc D" <marc.d.stiegler at hp.com> writes:
>Multi-compartmented workstations can match the security
>guarantees, they are just too hard to use.

No kidding about the "too hard to use".

This is a tangent, but:

I'll go even farther than MarcS.  I don't think that prior work on
compartmented-mode workstations even tries to solve DarpaBrowser-style
problems, and I don't think any of the compartmented-mode
workstations I've ever seen could match the security guarantees.  The
problem is that prior work into compartmented workstations consistently
focused on confidentiality, covert channels, and MLS.  As a result, their
foundations were usually based on enforcing a Bell-LaPadula-style policy.
However, Bell-LaPadula does nothing for integrity, and explicitly
allows a malicious renderer to scribble over compartments rated LOW.
Thus, Bell-LaPadula (and its dual, Biba) provides only unidirectional
integrity guarantees: if you want the model to protect the integrity
of component X from being subverted by component Y, the model cannot
protect Y from being subverted by X.  That limitation is fundamental to
the Bell-LaPadula and Biba models.  However, the DarpaBrowser problem
requires solving the mutual suspicion problem.

In other words, to my knowledge prior work on compartmented workstations
doesn't help to solve the mutual suspicion problem, and thus doesn't
help to solve the DarpaBrowser problem.

One thing I like about the term "secure cooperation" is that it
highlights that it's not enough to solve the one-direction integrity
problem (where X distrusts Y but Y trusts X); in many cases, you have
to solve the mutual distrust problem, too.
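The unidirectional-integrity limitation described in the message, worked through as an added example (not code from the post or from any project it mentions). It assumes a two-level lattice (LOW, HIGH) and models "Y can subvert X" as "the policy lets Y write X's objects"; it then enumerates every level assignment to show that both Bell-LaPadula and Biba can protect X from Y or Y from X, but never both at once.

```python
"""Toy lattice-policy checker: why BLP and Biba give only one-way integrity."""
from itertools import product

# Assumed two-level lattice; the enumeration below works for any tuple of levels.
LOW, HIGH = 0, 1
LEVELS = (LOW, HIGH)


def blp_can_write(subject_level, object_level):
    """Bell-LaPadula *-property: write only at or above your own level (no write down).
    Confidentiality is preserved, but a LOW subject may write anything above it."""
    return subject_level <= object_level


def biba_can_write(subject_level, object_level):
    """Biba *-integrity property: write only at or below your own level (no write up).
    The exact dual of the BLP rule above."""
    return subject_level >= object_level


def protects_integrity(can_write, protected_level, attacker_level):
    """True iff the policy stops a subject at attacker_level from writing
    objects owned by a component at protected_level (i.e. cannot subvert it)."""
    return not can_write(attacker_level, protected_level)


def one_way_assignments(can_write, levels=LEVELS):
    """Level pairs (x, y) under which X is protected from Y: the one-direction
    integrity case (X distrusts Y, Y trusts X) that these models do handle."""
    return [(x, y) for x, y in product(levels, repeat=2)
            if protects_integrity(can_write, x, y)]


def mutually_suspicious_assignments(can_write, levels=LEVELS):
    """Level pairs under which X is protected from Y AND Y from X.
    Empty for both BLP and Biba: mutual suspicion cannot be expressed."""
    return [(x, y) for x, y in product(levels, repeat=2)
            if protects_integrity(can_write, x, y)
            and protects_integrity(can_write, y, x)]


if __name__ == "__main__":
    for name, rule in (("Bell-LaPadula", blp_can_write), ("Biba", biba_can_write)):
        print(f"{name}: one-way protection possible for {one_way_assignments(rule)}; "
              f"mutual protection possible for {mutually_suspicious_assignments(rule)}")
```

Running the block prints an empty mutual-protection list for both models; adding more levels to LEVELS does not change that, since any pair of levels is ordered in one direction or the other.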

