[cap-talk] Non-safety vs. permission propagation -- HRU and IBAC ACLs
Jonathan S. Shapiro
shap at eros-os.com
Mon Aug 6 13:45:55 EDT 2007
On Mon, 2007-08-06 at 18:18 +0100, David Hopwood wrote:
> Jonathan S. Shapiro wrote:
> > Back up. This is a model in which all processes that are not part of the
> > TCB are assumed to be perfectly hostile.
>
> I disagree. The HRU model does not say anything about which processes
> outside the TCB are assumed to be hostile. It clearly allows the possibility
> of processes outside the TCB that are trusted for a particular right (to
> the extent that it talks about processes at all).
I have not re-read the paper in some time, but I believe that this is
incorrect. Specifically, I believe the basic analysis is that any
process in the subject graph can and will perform any command that it is
capable of performing, subject only to the permission requirements of
the commands. In this sense, it is a conservative analysis.
This is precisely why trusted subjects must be removed from the graph in
order for the analysis to make sense.
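The reading of the HRU analysis given in the reply above, as an added example (not code from the thread, from the Harrison-Ruzzo-Ullman paper, or from EROS): a toy protection system consisting of an access matrix and enter-only commands, an exhaustive search that applies every enabled command in every reachable configuration (so every subject is credited with doing anything it is permitted to do), and the effect of removing a trusted subject from the graph before the search runs. The subjects alice, bob and carol, the object f, and the rights own, read and delegate are constructed for illustration. The general HRU safety problem is undecidable; this toy has no create or destroy operations, so rights only accumulate and the search terminates.

```python
"""Toy HRU-style safety analysis (added example, not code from the thread or
the HRU paper).  A protection system is an access matrix plus commands of the
form   command c(X1..Xk): if r1 in [Xa,Xb] and ... then enter r into [Xc,Xd]
A configuration is unsafe for right r if some sequence of commands enters r
into a cell that did not already hold it.  The search applies EVERY enabled
command in EVERY reachable configuration: no subject is assumed to refrain
from anything it is permitted to do.  Names, rights and commands are made up."""

from collections import deque
from itertools import product
from typing import Dict, FrozenSet, Iterable, List, NamedTuple, Set, Tuple

Cell = Tuple[str, str]                    # (subject, object)
Matrix = Dict[Cell, FrozenSet[str]]       # missing cell == no rights


class Command(NamedTuple):
    name: str
    kinds: Tuple[str, ...]                   # 's' or 'o' per formal parameter
    conditions: List[Tuple[str, int, int]]   # (right, subj_param, obj_param)
    enters: List[Tuple[str, int, int]]       # (right, subj_param, obj_param)


def rights(m: Matrix, cell: Cell) -> FrozenSet[str]:
    return m.get(cell, frozenset())


def enabled(cmd: Command, m: Matrix, args: Tuple[str, ...]) -> bool:
    return all(r in rights(m, (args[s], args[o])) for r, s, o in cmd.conditions)


def run(cmd: Command, m: Matrix, args: Tuple[str, ...]) -> Tuple[Matrix, Set[Tuple[str, Cell]]]:
    """Apply an enabled command; also report the (right, cell) pairs it newly entered."""
    new = dict(m)
    entered: Set[Tuple[str, Cell]] = set()
    for r, s, o in cmd.enters:
        cell = (args[s], args[o])
        if r not in rights(new, cell):
            entered.add((r, cell))
            new[cell] = rights(new, cell) | {r}
    return new, entered


def freeze(m: Matrix) -> FrozenSet[Tuple[Cell, FrozenSet[str]]]:
    return frozenset((c, r) for c, r in m.items() if r)


def unsafe_cells(m: Matrix, cmds: Iterable[Command], right: str,
                 subjects: List[str], objects: List[str]) -> Set[Cell]:
    """Cells into which `right` can be leaked from configuration m.
    An empty result means m is safe for `right`."""
    cmds = list(cmds)
    seen = {freeze(m)}
    queue = deque([m])
    leaked: Set[Cell] = set()
    while queue:
        cur = queue.popleft()
        for cmd in cmds:
            domains = [subjects if k == "s" else objects for k in cmd.kinds]
            for args in product(*domains):
                if not enabled(cmd, cur, args):
                    continue
                nxt, entered = run(cmd, cur, args)
                leaked |= {cell for r, cell in entered if r == right}
                key = freeze(nxt)
                if key not in seen:
                    seen.add(key)
                    queue.append(nxt)
    return leaked


def remove_subject(m: Matrix, subj: str) -> Matrix:
    """'Remove a trusted subject from the graph': drop its row and its column,
    so the analysis no longer credits it with exercising anything."""
    return {c: r for c, r in m.items() if subj not in c}


# --- constructed example system --------------------------------------------
SUBJECTS = ["alice", "bob", "carol"]
OBJECTS = ["f"]

COMMANDS = [
    # the owner of o may give read on o to any subject
    Command("grant_read", ("s", "s", "o"), [("own", 0, 2)], [("read", 1, 2)]),
    # anyone holding read+delegate on o may pass both on
    Command("delegate_read", ("s", "s", "o"),
            [("read", 0, 2), ("delegate", 0, 2)],
            [("read", 1, 2), ("delegate", 1, 2)]),
]

INITIAL: Matrix = {
    ("alice", "f"): frozenset({"own", "read"}),
    ("carol", "f"): frozenset({"read", "delegate"}),
}


def analyse(right: str = "read", trusted: Tuple[str, ...] = ()) -> Set[Cell]:
    """Safety of INITIAL for `right` after removing the `trusted` subjects."""
    m = INITIAL
    for s in trusted:
        m = remove_subject(m, s)
    subjects = [s for s in SUBJECTS if s not in trusted]
    return unsafe_cells(m, COMMANDS, right, subjects, OBJECTS)


if __name__ == "__main__":
    print("no trust assumed:    ", analyse())                            # bob gets read
    print("alice trusted:       ", analyse(trusted=("alice",)))          # still leaks via carol
    print("alice+carol trusted: ", analyse(trusted=("alice", "carol")))  # safe
```

With nobody trusted, read reaches bob (alice can grant it, carol can delegate it), and the analysis reports that regardless of whether alice or carol would ever actually do so. Removing alice alone does not help, because carol's delegate right still suffices; only after every subject that is trusted not to pass read on has been taken out of the graph does the configuration come out safe, which is the sense in which the analysis is conservative and why trusted subjects have to be removed rather than annotated.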