[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jed Donnelley capability at webstart.com
Wed Jan 3 17:09:04 CST 2007


At 12:41 PM 1/3/2007, Jonathan S. Shapiro wrote:
>On Wed, 2007-01-03 at 10:02 -0800, Jed Donnelley wrote:
>
> > Let me just feed a bit off what's now on the "discretionary access
> > control" page:
> >
> > http://en.wikipedia.org/wiki/Discretionary_access_control
> >
> > Namely where it says, "A system is said to provide discretionary
> > access control if the owner of an object has the ability to control
> > how others can access it.
>
>This definition is flatly wrong. Discretionary control isn't about what
>the owner of an object can do. It's about what a process can do. The
>definition above would lead to the conclusion that capability systems
>cannot be discretionary because they have no notion of owner. This
>conclusion is clearly inconsistent with the literature.

I wonder if this isn't still a matter of terminology.  Might it be that
what is meant by "owner" in the above definition is a subject with
"ownership" access (whatever that means), and the subject could
be a process or a person?

At 10:22 AM 1/3/2007, Karp, Alan H wrote:
>Jed wrote:
> > Is MAC
> > really just another name for MLS?  If no, perhaps somebody could
> > suggest a MAC scheme that isn't MLS?
> >
>Compartments.

Good example.  I think "compartments" again suggests the dividing
by communication (more generally rather than with a lattice).

> > I believe the tension described in the above paragraph is at the
> > heart of why the MAC "community" (for lack of a better term, TCSEC,
> > etc., etc.) is antagonistic to object-capability systems, and vice
> > versa.  The MAC community feels that the basic object-capability
> > model is too laissez faire when it comes to access control (if "I" as
> > a subject have access to an object and I can communicate to "you"
> > then I can share access with you), while the object-capability
> > community feels that they're providing all the control that's
> > possible in any model.
>
>Personally, I think the MAC people are considering only permission,
>while the capability people, perhaps implicitly, realize the importance
>of authority.

Maybe if I hear the above often enough I'll understand it better.  Are we
saying the same thing with different words?  Is proxying a means for
expanding authority through a limited set of permissions?  That is, if Low
could communicate (bidirectionally) to High and High has access to an
object, then High can proxy that access to Low, thereby expanding
Low's authority without changing Low's permissions (never mind that
Low communicating bidirectionally with High breaks MLS to begin with).

If that's what you mean by the MAC people only considering permission
vs. the capability people considering authority then I think we're on the same
page.  I feel that the communicating conspirators "problem" (one could
consider it an opportunity) is still somehow at the heart of what one
might consider a value conflict between the MAC community and the
object-capability community.

I read ahead a bit in the discussion (quite busy today), and I do feel that
we're getting close to the heart of the darkness.  I sure hope we can
get this cleared up.

--Jed http://www.webstart.com/jed/
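The proxying scenario Jed describes (High holds access, Low and High can talk, High forwards reads to Low, so Low's authority grows while the permission table never changes) as an added, constructed illustration; this is not code from the post or the cap-talk list, and the names `Document`, `Proxy`, `PERMISSIONS` and `run_scenario` are assumptions:

```python
"""Permission vs. authority under proxying (constructed example).

The static permission table says only High may read the document.  If Low
and High share a channel over which references can travel, High can hand Low
a Proxy.  Low's permission entry is still absent, yet Low can now read the
document: its authority exceeds its permission.  Cutting the channel (the
confinement a MAC design would insist on) is what keeps the two aligned.
"""


class Document:
    """The protected object; holding a reference to it IS the read capability."""

    def __init__(self, text: str) -> None:
        self._text = text

    def read(self) -> str:
        return self._text


class Proxy:
    """Forwarder created by High: holds High's reference and relays reads."""

    def __init__(self, target: Document) -> None:
        self._target = target

    def read(self) -> str:
        return self._target.read()


# The "permission" view: a static access matrix.  Low has no entry on purpose.
PERMISSIONS = {("High", "doc"): {"read"}}


def permitted(subject: str, obj: str, op: str) -> bool:
    """What the permission table alone says a subject may do."""
    return op in PERMISSIONS.get((subject, obj), set())


def run_scenario(channel_low_high_open: bool) -> tuple[bool, bool]:
    """Return (Low's permission to read doc, Low's effective authority to read doc)."""
    doc = Document("constructed sample contents")
    high_refs = {"doc": doc}          # High's capability list
    low_refs: dict[str, Proxy] = {}   # Low starts with nothing
    if channel_low_high_open:
        # High conspires (or is tricked) and passes a forwarder over the channel.
        low_refs["doc"] = Proxy(high_refs["doc"])
    low_permission = permitted("Low", "doc", "read")
    low_authority = "doc" in low_refs and low_refs["doc"].read() == doc.read()
    return low_permission, low_authority
```

With the channel open the result is `(False, True)`: the permission table still denies Low, but Low reads anyway; with the channel closed it is `(False, False)`.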
