[cap-talk] What's "Discretionary Security" (was: Another "core"principle, capability communication)
Jonathan S. Shapiro
shap at eros-os.com
Tue Jan 2 00:05:55 CST 2007
On Mon, 2007-01-01 at 23:30 -0600, Karp, Alan H wrote:
> Shap wrote:
> > Alan wouldn't have given that answer if he had caught up with
> > the policy
> > vs. point of view discussion.
> I would have, and I am caught up. I don't believe "point of view" is
> the proper perspective when you only consider two parties. I believe
> that there must be three parties for there to be non-discretionary
> access. The third party enforces the policy.
What you are saying is that mandatory controls are imposed by A on
interactions between two parties B and C. This seems like a workable
I find this view confusing for two reasons:
It is confusing to explain mandatory access controls on memory objects
this way, because memory objects are not processes and do not quite
participate in communications (whereas in your approach we need to
somehow make the memory object look like party (C).
It seems to me that in your model discretionary controls only involve
two parties, and this makes it hard to compare discretionary vs.
So I tend to think of this as (A is the policy enforcer):
B invokes ProxyToCProxiedByA(withArguments)
A executes some boolean predicate using B, C, Arguments, and other
reference monitor state as inputs.
A decides whether to allow (forward) or disallow (generate an
exception) the operation.
I think of this as A performing mandatory enforcement on B, because if
the operation is denied C never knows that anything happened. If C is a
(passive) memory object, it's difficult to think of it as a subject.
Offhand, I suspect that either approach works as long as it is used
More information about the cap-talk