[cap-talk] Mandatory Policy - practical problems, overhead, sensitivity focus

Jed Donnelley jed at nersc.gov
Thu Aug 2 13:28:39 EDT 2007


Jonathan S. Shapiro wrote:
> [Note suggested subject change -- I should have changed it when I gave
> my definition.]
>
> On Thu, 2007-08-02 at 08:14 -0400, Jonathan S. Shapiro wrote:
>   
>>   Mandatory policy is policy whose controlling party is not a
>>   participant in the communication, except as a degenerate case. That
>>   is: the controlling agent's communications may be subject to the
>>   policy as a consequence of implementation or policy design, but this
>>   is not the purpose or focus of the policy.
>>     
>
> Using this definition as a "stake in the ground", I want to try to
> articulate a part of why all of us dislike the mandatory policy concept,
> and see if I can set a foundation for why mandatory policy is necessary
> or unnecessary.
>
> The mandatory policy notion implicitly establishes an us/them dichotomy.
> There is the (system) policy administrator, and there is the user, and
> one strictly dominates the other.
>
> Socially, of course, phrasing it this way is offensive to many people
> here, and I think that this is part of the visceral negative reaction
> that people have to the term.
>
>   
I find this an interesting thread that unfortunately I don't have
much time to be involved in at this point.  However, the above
drew me in enough that I'll make a couple of comments:

Mandatory access controls aren't socially offensive to me.  This
may just be a matter of taste and as we know taste can't be
disputed.

However, in the way I've seen mandatory access controls implemented
there are serious practical problems to "mandatory" access controls.

1.  Overhead - Consider the typical multi level security access controls
that seem a common and commonly agreed upon instance of "mandatory"
controls.   The most obvious practical problem that I see with them
is the notion of an "authorized declassifier".   This mechanism creates
a huge administrative overhead.  The basic difficulty is that any such
independent authorized declassifiers don't have local knowledge of
what is in the data.

Just as an example of a MAC overhead problem - I've been working for
many years now (indirectly since 1997) to get just the source code for
NLTSS declassified.  One might ask why it was classified to begin
with, but I can see legitimate reasons for that.  However, now that
NLTSS is no longer in use there is no legitimate reason to keep that
source classified.  How do we get it out?  The last time it was presented
to some authorized declassifiers, they simply refused to declassify
it, not because there was any sensitivity about the data, but because
there was simply too much data for them to deal with.  More recently
we've started to try a soda straw approach where we present one
source module at a time...  You see the problem.  I know, and others
at LLNL know exactly what this source code is and why it no longer
has any legitimate reason to be classified, but unfortunately the
last authorized declassifier with knowledge of this system retired
some years ago...  None of the current authorized declassifiers
know what that source code is, so they do the natural thing - they
protect their ... interests by simply refusing to declassify that
code.  At that point an "access control" decision becomes a
political decision - e.g. how many friends do we have in high
enough places... You see the problem.

To me this sort of "secondary human presence" is really the essence
of what I generally think of as "mandatory access controls".  Namely,
they try to introduce an additional, perhaps "qualified", human into
the path of making an access control decision.  For those of us
normally used to having decisions made at computer speeds, such
human intervention is naturally frustrating.

2.  Sensitivity focus - I believe the requirement for such secondary
human actions also creates what might be referred to as a natural
"John Walker" effect, referring to the famous spy:

http://en.wikipedia.org/wiki/John_Anthony_Walker
http://www.fas.org/irp/eprint/heath.pdf  (Laura J. Heath master's thesis)
http://www.crimelibrary.com/terrorists_spies/spies/walker/1.html
(not to be confused with John Walker Lindh)

KGB officer Vitaly Yurchenko: "Walker was the greatest case in
KGB history. We deciphered millions of your messages. If there
had been a war, we would have won it."

Namely they create a focus of human attention to the most
sensitive information involving significant overhead where
somebody with a vested interest in sensitive data (e.g. a spy)
can step in with a 'solution' to the problem (take all the admin.
burden) - but in doing so of course creates a more serious
problem than there was to begin with - e.g. all the problems
John Walker's ring caused (see the Laura Heath master's thesis
above).  Distributed mechanisms are more resistant to such
problems.

I generally feel that such mandatory access control mechanisms
are to be avoided if possible.

--Jed  http://www.webstart.com/jed/
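As an added illustration of the mechanism discussed in point 1 (this is not code from the thread, from NLTSS, or from any real MLS system; the subjects, the object, the level lattice and the "declassification desk" are all constructed for the example), the following toy models a Bell-LaPadula style read/write check together with a relabeling step that can only be decided by a party holding a separate declassifier role who is neither the requester nor the data's owner. That separation is exactly what Shapiro's definition of mandatory policy requires, and it is also where the "secondary human presence" and the backlog Jed describes come from: the owner, who knows what the data is, cannot relabel it, and the person who can relabel it may refuse simply because they do not know the data.

```python
"""Toy MLS model with a separate declassification authority (constructed example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed linear lattice of sensitivity levels (higher number dominates).
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str
    roles: frozenset = frozenset()  # e.g. frozenset({"declassifier"})


@dataclass
class Obj:
    name: str
    level: str
    owner: str


def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property: no read up."""
    return LEVELS[s.clearance] >= LEVELS[o.level]


def can_write(s: Subject, o: Obj) -> bool:
    """*-property: no write down (a SECRET subject may not write an UNCLASSIFIED object)."""
    return LEVELS[s.clearance] <= LEVELS[o.level]


@dataclass
class Request:
    requester: str
    obj: str
    new_level: str
    status: str = "pending"  # pending | approved | refused
    decider: Optional[str] = None


class DeclassificationDesk:
    """The 'authorized declassifier' sitting in the path of a relabeling decision."""

    def __init__(self, objects: Dict[str, Obj]) -> None:
        self.objects = objects
        self.queue: List[Request] = []

    def request(self, requester: Subject, obj_name: str, new_level: str) -> Request:
        obj = self.objects[obj_name]
        if LEVELS[new_level] >= LEVELS[obj.level]:
            raise ValueError("only lowering a label needs declassification")
        if not can_read(requester, obj):
            raise PermissionError(f"{requester.name} is not cleared to read {obj.name}")
        req = Request(requester.name, obj_name, new_level)
        self.queue.append(req)
        return req

    def decide(self, decider: Subject, req: Request, approve: bool) -> Request:
        obj = self.objects[req.obj]
        if req.status != "pending":
            raise ValueError("request already decided")
        # Mandatory policy: the controlling party must be outside the communication.
        if "declassifier" not in decider.roles:
            raise PermissionError(f"{decider.name} is not an authorized declassifier")
        if decider.name in (req.requester, obj.owner):
            raise PermissionError("requester or owner may not decide their own request")
        if not can_read(decider, obj):
            raise PermissionError("declassifier is not cleared to inspect the object")
        req.decider = decider.name
        if approve:
            obj.level = req.new_level
            req.status = "approved"
        else:
            req.status = "refused"
        return req

    def backlog(self) -> int:
        return sum(1 for r in self.queue if r.status == "pending")


def demo() -> Dict[str, object]:
    """Walk one relabeling through the desk; returns the observable outcomes."""
    src = Obj("old_os_source", "SECRET", owner="owner")  # constructed object
    desk = DeclassificationDesk({src.name: src})
    owner = Subject("owner", "SECRET")
    desk_a = Subject("desk_a", "TOP_SECRET", frozenset({"declassifier"}))
    desk_b = Subject("desk_b", "TOP_SECRET", frozenset({"declassifier"}))
    public = Subject("public", "UNCLASSIFIED")

    out: Dict[str, object] = {"public_read_before": can_read(public, src)}
    req1 = desk.request(owner, src.name, "UNCLASSIFIED")
    try:  # the owner knows the data but holds no declassifier role
        desk.decide(owner, req1, approve=True)
        out["owner_may_decide"] = True
    except PermissionError:
        out["owner_may_decide"] = False
    out["backlog_while_waiting"] = desk.backlog()
    # A declassifier with no local knowledge of the data plays safe and refuses.
    out["first_outcome"] = desk.decide(desk_a, req1, approve=False).status
    req2 = desk.request(owner, src.name, "UNCLASSIFIED")  # try again with another desk
    out["second_outcome"] = desk.decide(desk_b, req2, approve=True).status
    out["public_read_after"] = can_read(public, src)
    out["owner_write_after"] = can_write(owner, src)  # SECRET subject, now UNCLASSIFIED object
    out["backlog_end"] = desk.backlog()
    return out


if __name__ == "__main__":
    print(demo())
```

Note that once the object is relabeled UNCLASSIFIED, the owner (still cleared SECRET) can read it but is barred from writing it by the *-property; that asymmetry is the point of the lattice, and the desk is the only way a label ever moves down.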