[cap-talk] Capabilities and the NCSC Trusted Computer Security Evaluation Criteria (TCSEC)

Bill Tulloh btulloh at gmail.com
Sun Nov 5 07:01:17 CST 2006

On 11/4/06, David Wagner <daw at cs.berkeley.edu> wrote:

> A personal opinion:
> The TCSEC requirements are most irrelevant to modern computer security in
> the commercial world.  They're a waste of time.  Every second you spend
> trying to comply with TCSEC is one second forever lost from your lifespan.
> They're not worth the brain cells; don't bother.

Interestingly, this also seems to be the opinion of Virgil Gligor the
lead author of the "Traditional Capability Systems" report. He
recently led a panel at the 2006 Usenix Security conference on "Major
Security Blunders of the Past 30 Years." Multi-level secure systems
were his number 2 example.

You can find the MP3 of the panel online. The relevant section starts
at about 23:00.


He claimed the main problem was that there was no market for MLS
systems (operating systems, databases, applications) -- "absolutely
none, not even in the military." This was because they were too hard
to use and they broke off-the-shelf applications. He gives a
conservative estimate of the cost of this blunder of between $4-9
billion from 1980-1996.

He also asks why should we care? His answer: it largely drained
security funding for about 15 years, and led to a massive R&D
distraction. Since there was no market, there was no market
discipline, and the wrong R&D bets went unpunished.

It seems to me that part of what it did was distract R&D away from
capability-based systems.


More information about the cap-talk mailing list