[cap-talk] Mandatory Access Control

Jed Donnelley capability at webstart.com
Thu Jan 4 02:22:03 CST 2007


At 04:06 PM 1/3/2007, Ka-Ping Yee wrote:
><snip>
>Then the wording of the definition i wrote is insufficient.  It seems
>to me that intermediate positions between "discretionary" and "mandatory"
>are possible because there is no clear agreement on a bright-line
>threshold that has to be crossed for a system to be called one or the
>other.  For example, properties like:
>
>     - "non-super" users can edit ACLs
>     - the user that owns an object can convey access to any other user
>     - a subject that controls an object can convey access to some broad
>         class of other subjects
>     - generally, users have more influence over access control decisions
>
>contribute to the "discretionary-ness" of an access control system;
>properties like:
>
>     - system-wide rules enforce prohibitions on certain kinds of
>         changes to ACLs
>     - access control changes are dependent on external procedures like
>         personnel security clearances
>     - generally, users have less influence over access control decisions
>
>contribute to "mandatory-ness".  Is that any better?

For me descriptions like the above feed into the intuitive notion
of what mandatory access control 'should' be.  However, I believe
those sorts of notions unfortunately further obfuscate what it
technically can be.

I still feel there is a fundamental issue with communicating
conspirators that isn't (pick a word: acknowledged, accepted,
appreciated, understood, ...) in the MAC community.

For example, suppose there are properties like:

     - system-wide rules enforce prohibitions on certain kinds of
         changes to ACLs
     - access control changes are dependent on external procedures like
         personnel security clearances
     - generally, users have less influence over access control decisions

in a system.  What good are they if bidirectional communication is
possible between subjects that are denied some sorts of access due
to the above properties?  The access can be proxied through the
communication.  This is true regardless of what sorts of access
are being controlled.

On the other hand ...  Let's take the MLS case (for a specific example).
If in that case all subjects are labeled (including service processes
and shared objects like disk or memory) and communication "diode"
restrictions are enforced (no send to down or receive from up) then
all the appropriate MLS "access controls" are automatically enforced.

To me this suggests that even thinking about "mandatory access controls"
in terms of things like ACLs or even more generally in terms like
"access control changes" is missing the point (being misleading,
pointing in an ineffective technical direction).  Fundamentally
the issue MAC mechanisms face is that of blocking communication
to meet the MAC policies.

If that is realized and the communicating conspirators problem
acknowledged, then I think the object-capability model
appears in quite a different light.  In that light the object-capability
model can not only provide POLA access control,
but can support any sort of MAC policy as a subset (e.g. along
the lines of the KeyKOS KeySafe mechanism).  It really comes
down to deciding which modules (subjects, code) are to be
trusted with the enforcement of the policies (and consequently
trusted to communicate bidirectionally across the labeled
boundaries).

--Jed  http://www.webstart.com/jed-signature.html
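The MLS "diode" rule and the proxying problem discussed in the message above, modeled as an added example (not code from the thread or from KeyKOS): labels are a level plus a compartment set, a message may flow only if the receiver's label dominates the sender's, and a subject left out of the label table stands in for a trusted module allowed to talk both ways. The subject names and labels are constructed for the demonstration.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


class Label:
    """A classification level plus a set of compartments (a lattice point)."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        # Higher-or-equal level AND a superset of the compartments.
        return self.level >= other.level and self.compartments >= other.compartments


def may_send(sender, receiver, labels):
    """Diode rule: no send down, no receive from up, i.e. the receiver's
    label must dominate the sender's.  A subject absent from `labels` is an
    unlabeled (trusted) module: it may communicate in both directions."""
    if sender not in labels or receiver not in labels:
        return True
    return labels[receiver].dominates(labels[sender])


def can_leak(src, dst, subjects, labels):
    """Can information from `src` reach `dst` through ANY chain of permitted
    direct sends?  This is the communicating-conspirators (proxy) question."""
    seen, frontier = {src}, [src]
    while frontier:
        cur = frontier.pop()
        for nxt in subjects:
            if nxt not in seen and may_send(cur, nxt, labels):
                seen.add(nxt)
                frontier.append(nxt)
    return dst in seen


def demo():
    """Constructed scenario: a Secret subject, an Unclassified subject and a
    shared disk.  Returns (leak with disk labeled, leak with disk unlabeled)."""
    subjects = ["alice", "bob", "disk"]
    all_labeled = {"alice": Label("secret"), "bob": Label("unclassified"),
                   "disk": Label("secret")}
    disk_unlabeled = {"alice": Label("secret"), "bob": Label("unclassified")}
    return (can_leak("alice", "bob", subjects, all_labeled),
            can_leak("alice", "bob", subjects, disk_unlabeled))
```

With every subject labeled the lattice is transitive, so no chain of sends carries Secret data down to Unclassified; leaving the disk unlabeled turns it into the proxy the message warns about.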