[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jed Donnelley capability at webstart.com
Thu Jan 4 01:55:10 CST 2007


At 09:40 PM 1/3/2007, David Wagner wrote:
>Jed writes:
> >It's certainly true that
> >communication can happen also through shared object access, so a MAC
> >system must include both notions, but there seems to be something
> >about MAC access control that inevitably leads to communication
> >restrictions.  It has been quite difficult for me to avoid dropping
> >into MLS terminology and talking about communication diodes in this
> >paragraph.  Perhaps with my wording others can sense why?
>
>Historically, most of the research on MAC has been an attempt to
>study MLS, and in particular, to study ways to protect confidentiality.
>Communication diodes follow naturally from MLS and confidentiality.
>But it's worth pointing out that MAC is broader than just confidentiality
>or just MLS.  For instance, you can have MAC policies that are focused
>on integrity instead of confidentiality (e.g., LOMAC).  Often, those
>integrity-focused policies might not need communications diodes.

Perhaps not, but when I did some searching for LOMAC I ended up at
the Biba Model:

http://en.wikipedia.org/wiki/Biba_Model

which (amusingly to me) seems to be the dual of the MLS model, namely:
__________
This security model is directed toward data integrity (rather than 
confidentiality) and is characterized by the phrase: "no write up, no 
read down". This is in contrast to the Bell-LaPadula model which is 
characterized by the phrase "no write down, no read up".
__________

Of course this suggests that if one wants confidentiality and 
integrity then one has "no write down, no read up" and "no write up, 
no read down".  That seems like a pretty clear description of an air gap.

--Jed  http://www.webstart.com/jed-signature.html 
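The "no read up, no write down" / "no read down, no write up" pairing above can be checked mechanically. The following is an added example, not code from the cap-talk thread or from either author; it encodes the Bell-LaPadula and Biba rules as reference-monitor checks over one constructed three-level lattice, derives the set of information flows each policy permits (a read moves data object to subject, a write moves it subject to object), and classifies the result. It assumes, for simplicity, that both models rank subjects and objects on the same single lattice; with independent confidentiality and integrity labels the conjunction gives a partial order rather than the same-level-only outcome shown here.

```python
"""Reference-monitor style checks for Bell-LaPadula (confidentiality),
Biba (integrity), and their conjunction, over a single linear lattice.
Constructed example: the levels and names below are illustrative."""
from enum import IntEnum
from itertools import product
from typing import Callable, Dict, Set, Tuple


class Level(IntEnum):
    # One ordered lattice serves both models here (an assumption):
    # read as clearance/classification for BLP, as integrity level for Biba.
    LOW = 0
    MEDIUM = 1
    HIGH = 2


Rule = Callable[[Level, Level], bool]  # (subject level, object level) -> allowed?


# Bell-LaPadula: "no read up, no write down"
def blp_read(subject: Level, obj: Level) -> bool:
    return subject >= obj  # simple security property


def blp_write(subject: Level, obj: Level) -> bool:
    return subject <= obj  # *-property


# Biba: "no read down, no write up" (the dual of BLP)
def biba_read(subject: Level, obj: Level) -> bool:
    return subject <= obj


def biba_write(subject: Level, obj: Level) -> bool:
    return subject >= obj


# Enforcing both models at once: an access must satisfy each of them.
def both_read(subject: Level, obj: Level) -> bool:
    return blp_read(subject, obj) and biba_read(subject, obj)


def both_write(subject: Level, obj: Level) -> bool:
    return blp_write(subject, obj) and biba_write(subject, obj)


POLICIES: Dict[str, Tuple[Rule, Rule]] = {
    "blp": (blp_read, blp_write),
    "biba": (biba_read, biba_write),
    "both": (both_read, both_write),
}


def allowed_flows(policy: str) -> Set[Tuple[Level, Level]]:
    """Set of (source_level, destination_level) pairs between which data can
    move under the policy. A permitted read moves data object -> subject;
    a permitted write moves data subject -> object."""
    read, write = POLICIES[policy]
    flows: Set[Tuple[Level, Level]] = set()
    for subject, obj in product(Level, Level):
        if read(subject, obj):
            flows.add((obj, subject))
        if write(subject, obj):
            flows.add((subject, obj))
    return flows


def flow_direction(policy: str) -> str:
    """Classify a policy's permitted flows: 'upward' (a diode toward higher
    levels), 'downward', 'same-level-only' (no flow between levels), or 'mixed'."""
    flows = allowed_flows(policy)
    if all(src == dst for src, dst in flows):
        return "same-level-only"
    if all(src <= dst for src, dst in flows):
        return "upward"
    if all(src >= dst for src, dst in flows):
        return "downward"
    return "mixed"


if __name__ == "__main__":
    for name in POLICIES:
        pairs = ", ".join(f"{s.name}->{d.name}" for s, d in sorted(allowed_flows(name)))
        print(f"{name:5s} {flow_direction(name):16s} {pairs}")
```

Running it shows BLP permitting only upward flows and Biba only downward ones (each is a one-way diode in the sense of the thread), while enforcing both leaves no flow at all between distinct levels, which is the observation made in the message above.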