[cap-talk] What's "Discretionary Security" (was: Another "core" principle, capability communication)
Jonathan Smith
jms at cis.upenn.edu
Tue Jan 2 07:10:31 CST 2007
Advice:
Write this up.
-JMS
On Dec 31, 2006, at 2:48 PM, Jonathan S. Shapiro wrote:
> On Sun, 2006-12-31 at 10:56 -0800, Mark S. Miller wrote:
>> David Wagner wrote:
>
>>> I think the literature has gotten sloppy, or confused, about this distinction. A huge number of papers have been written on the subject of security policies that are enforced by the operating system upon applications and users. Those policies are mandatory for applications and users and discretionary (in some boring sense) for the operating system. Because the mandatory/discretionary distinction frequently came up in this context, I suspect authors ended up just writing "mandatory" instead of "mandatory for applications & users", and that shorthand got perpetuated and enshrined in the literature so thoroughly that it became easy to forget the distinction.
>>
>> But this does not. In what sense is the operating system making choices?
>
> In the sense that the operating system "elects" to apply the policy, and is not itself subject to it.
>
> It's a terrible idiom. The OS itself is generally considered to stand outside the model. It is not a subject, and therefore there is (in effect) a type error in even framing the description in the way that David describes (which is consistent with what I've experienced in talking to people). Further, the OS "elects" to enforce a policy in the same sense that it "elects" to obey its instruction stream.
>
> As David said, it's a very sloppy usage.
>
>> Let's rephrase in terms of a conventional board game. At each turn, one player has the choice to make one of a set of moves. Having made a choice, the next player's choices are now constrained by the choice made by the previous player. Does it help to speak of the first player's choices as being discretionary, and the resulting constraints on the second player's choices as being mandatory?
>
> Only if we really want to get mired in game theory as well as protection theory. :-)
>
> I would say "no". Yes, each player is constrained by the state of the system at the time of their move, but all well-formed moves (in the sense that they are operationally valid according to the rules of the game) are permitted at every step. At no time is the set of well-formed moves being further constrained by a policy that is expressed endogenously within the game.
>
> This is true in the same sense that an invoker in a capability system can, at any time, invoke any operation (method) that is bound in the environment that is named by some arbitrarily chosen capability that the invoker holds (i.e. any method of that capability). The capabilities held by the invoker in the current state define the well-formed moves at that step. [I ignore here for simplicity the possibility that a capability may be indirectly invokable, as by specifying an address of a capability to be invoked relative to some address space held by the invoker.]
>
> The difference is that the games of classical game theory usually do not entail anything corresponding to a transfer of authority. The question of policies only enters when someone is making a decision about what authority to transfer.
>
> If we consider a game like Monopoly, where "money" may change hands as a consequence of a move, and "loans" are permissible (at least in the advanced rules), then perhaps we can construct an analogy, but we probably would need multiple currencies governing different classes of operations (corresponding to capability types).
>
> And to make the game model useful, we need a game in which there is a useful distinction between permission and authority (i.e. having a permission has non-immediate transitive implications) if the game theory approach is really going to help us, because the classical mandatory policies are all about authority, not permission. The stepwise rules of MLS exist for the purpose of implementing a restriction on authority, not for the sake of restricting permission per se.
>
> On the whole, I suspect that going for the game-based understanding will prove to be a long and unenlightening diversion here.
>
> To state all of that another way: your question entails a level of abstraction violation. Yes, the specification of the well-formed moves constitutes a mandatory policy on all the players, but it is not a mandatory policy that exists *within* the system.
>
>> To understand your second paragraph above, should one talk about the game rules themselves as making policy choices that are imposed on the players?
>
> In my opinion, no.
> --
> Jonathan S. Shapiro, Ph.D.
> Managing Director
> The EROS Group, LLC
> +1 443 927 1719 x5100
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
Jonathan M. Smith, Pompa Professor of EAS,
Professor of CIS, University of Pennsylvania,
T: 215.898.9509, E: jms at cis.upenn.edu
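The following is an added toy model, not code from the thread or from any of the participants' systems, that makes two of Shapiro's points above concrete: the well-formed "moves" open to an invoker at a given step are exactly the methods of the capabilities it holds, and permission (what a subject holds) is distinct from authority (what holding it transitively lets the subject reach). Object names (alice, service, doc, secret) are constructed, and the model assumes, for illustration only, that any held object may act as a proxy for or hand over the capabilities it holds, so authority is approximated as the transitive closure of the capability graph.

```python
# Added example: a toy capability graph. Every name here is constructed;
# nothing models a real system from the thread.


class Obj:
    """A protected object: exports some methods and may itself hold capabilities."""

    def __init__(self, name, methods=()):
        self.name = name
        self.methods = frozenset(methods)
        self.caps = {}  # slot name -> Obj: the capabilities this object holds

    def __repr__(self):
        return f"Obj({self.name})"


def well_formed_moves(invoker):
    """All (slot, method) pairs the invoker may invoke right now.

    Nothing outside this set is reachable in one step, and nothing inside it is
    refused by a further policy: the held capabilities are the whole policy.
    """
    return {(slot, method)
            for slot, target in invoker.caps.items()
            for method in target.methods}


def permissions(invoker):
    """Objects the invoker can invoke directly, i.e. capabilities it holds."""
    return {target.name for target in invoker.caps.values()}


def authority(invoker):
    """Objects the invoker could come to invoke.

    Assumption of this toy model: any held object may proxy for, or hand over,
    the capabilities it holds, so authority is the transitive closure of the
    capability graph starting from the invoker.
    """
    reachable, frontier = set(), list(invoker.caps.values())
    while frontier:
        obj = frontier.pop()
        if obj.name in reachable:
            continue
        reachable.add(obj.name)
        frontier.extend(obj.caps.values())
    return reachable


def grant(granter, slot, recipient, new_slot):
    """A move that transfers authority: copy one of granter's capabilities to
    recipient. It is well-formed only if granter actually holds that capability."""
    if slot not in granter.caps:
        raise PermissionError(f"{granter.name} holds no capability in slot {slot!r}")
    recipient.caps[new_slot] = granter.caps[slot]


def build_scenario():
    """Constructed graph: alice holds a document and a service; the service
    (not alice) holds a capability to a secret."""
    secret = Obj("secret", ["read"])
    doc = Obj("doc", ["read", "write"])
    service = Obj("service", ["lookup", "delegate"])
    service.caps["secret"] = secret
    alice = Obj("alice")
    alice.caps["doc"] = doc
    alice.caps["service"] = service
    return alice, service, secret


def demo():
    """Returns (permissions, authority) for alice before and after the service
    hands her its capability to the secret. Only permissions change: the
    authority was already implied by holding the service capability."""
    alice, service, _secret = build_scenario()
    before = (permissions(alice), authority(alice))
    grant(service, "secret", alice, "secret")
    after = (permissions(alice), authority(alice))
    return before, after


if __name__ == "__main__":
    (p0, a0), (p1, a1) = demo()
    print("before: permissions", sorted(p0), "authority", sorted(a0))
    print("after:  permissions", sorted(p1), "authority", sorted(a1))
```

Running the module shows the secret appearing in alice's permissions only after the grant while her authority set is unchanged, which is the "non-immediate transitive implication" of holding a permission that the reply distinguishes from permission itself; an MLS-style rule that wanted to keep the secret away from alice would therefore have to constrain the graph (what the service may hold or hand over), not merely the direct invocations.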