[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jed Donnelley capability at webstart.com
Wed Jan 3 17:21:01 CST 2007


At 07:24 PM 1/2/2007, John McCabe-Dansted wrote:
>On 1/3/07, Jed Donnelley <capability at webstart.com> wrote:
> > Mandatory: Required or commanded by authority; obligatory.
> >
> > Discretionary: Left to or regulated by one's own discretion or judgment.
> >
> > I still regard these terms as nonsense when applied to access control
> > where, as I say, the controller of the access has discretion and the
> > controlled views the access control as mandatory - in whatever
> > scheme of labels, ACLs, capabilities, etc.
>
>I think that they are referring to discretionary with respect to the
>users who "own" or have access to certain documents. In a
>discretionary access system I can send any data I possess to any other
>user of the system.

Hmmm.  That would suggest then that object-capability systems that
support confinement are NOT discretionary control systems.  Namely
because in such an object-capability system that supports confinement
"you" (any subject) may not be able to communicate to whichever
user you wish to send data to.  Again it seems that it is the communication
more than the object access that's at the core of MAC systems.

>In a MAC system this might fail if the recipient
>has a lower clearance than I do. I imagine that in a cap system this
>would mean that some powerboxes cannot communicate bidirectionally
>with other powerboxes on the same system,

or indeed with any process at a different level (if we're talking about
bidirectional communication).

>or that the powerboxes are
>in some way trusted to limit delegation of confidential data.

This (above) would seem to make any such "powerboxes" part of
the TCB as in that case they would be exercising "discretion".

--Jed http://www.webstart.com/jed/ 
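The contrast the thread is drawing (a label-based MAC rule that blocks a send to a lower-cleared recipient, versus an object-capability system where confinement limits whom a subject can reach at all) is easy to make concrete. The following toy model is an added illustration, not code from the cap-talk thread or from any system it mentions; the clearance levels, subject names and the `confine` helper are constructed for the example.

```python
"""Toy comparison of a MAC clearance check with object-capability confinement.
Added illustration for the cap-talk discussion; all names and levels are constructed."""

from dataclasses import dataclass, field

# Constructed clearance lattice: a higher rank means more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class MacSubject:
    """A subject (user or process) in the label-based MAC model."""
    name: str
    clearance: str


def mac_send_allowed(sender: MacSubject, recipient: MacSubject) -> bool:
    """The rule from the thread: a send fails if the recipient is cleared
    lower than the sender (the Bell-LaPadula style 'no write-down')."""
    return LEVELS[recipient.clearance] >= LEVELS[sender.clearance]


def mac_bidirectional_allowed(a: MacSubject, b: MacSubject) -> bool:
    """Two-way communication needs both directions to pass; under no-write-down
    that collapses to 'same level', which is why processes at different levels
    cannot talk bidirectionally."""
    return mac_send_allowed(a, b) and mac_send_allowed(b, a)


@dataclass
class CapSubject:
    """A subject in the object-capability model. It can only reach recipients
    it holds a capability for; here a capability is simply the recipient's name."""
    name: str
    caps: set = field(default_factory=set)


def cap_send_allowed(sender: CapSubject, recipient: CapSubject) -> bool:
    """No label check at all: possession of a capability is the whole test."""
    return recipient.name in sender.caps


def confine(parent: CapSubject, child: CapSubject, allowed: set) -> CapSubject:
    """Confinement (constructed helper): the creator endows the child only with
    capabilities the creator itself holds and chooses to pass on. The child
    starts with nothing else, so it cannot reach any other subject."""
    child.caps = {name for name in allowed if name in parent.caps}
    return child


def demo() -> dict:
    """Run both models on a constructed scenario and return the outcomes."""
    alice = MacSubject("alice", "SECRET")
    bob = MacSubject("bob", "CONFIDENTIAL")
    carol = MacSubject("carol", "SECRET")

    parent = CapSubject("parent", caps={"logger", "network"})
    logger = CapSubject("logger")
    network = CapSubject("network")
    # The parent creates a confined child that may talk to the logger only.
    # "printer" is requested but the parent holds no such capability, so it
    # cannot be granted: confinement never amplifies authority.
    child = confine(parent, CapSubject("child"), allowed={"logger", "printer"})

    return {
        "mac_alice_to_bob": mac_send_allowed(alice, bob),                  # write-down blocked
        "mac_bob_to_alice": mac_send_allowed(bob, alice),                  # write-up allowed
        "mac_alice_carol_bidir": mac_bidirectional_allowed(alice, carol),  # same level
        "mac_alice_bob_bidir": mac_bidirectional_allowed(alice, bob),      # different levels
        "cap_child_to_logger": cap_send_allowed(child, logger),
        "cap_child_to_network": cap_send_allowed(child, network),
        "cap_child_caps": child.caps,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two models reach similar restrictions by different routes: the MAC check consults labels at send time regardless of what the sender holds, while the capability model never looks at a label, so the only way to restrict the confined child's reach is for its creator to hand it a smaller set of capabilities up front. A "powerbox" that applied its own judgement about what to forward would be doing the MAC-style check on the capability system's behalf, which is the sense in which it becomes part of the TCB.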