[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")
Jed Donnelley
capability at webstart.com
Thu Jan 4 03:02:52 CST 2007
At 04:12 PM 1/3/2007, Ka-Ping Yee wrote:
>On Wed, 3 Jan 2007, Jonathan S. Shapiro wrote:
> > Mandatory control advocates almost universally state that capabilities
> > are purely discretionary controls. This is absolutely correct.
>
>It may be almost universally stated, but it is also inconsistent.
>The definition in the glossary of the Orange Book is
>
> Discretionary Access Control - A means of restricting
> access to objects based on the identity of subjects
> and/or groups to which they belong. The controls are
> discretionary in the sense that a subject with a certain
> access permission is capable of passing that permission
> (perhaps indirectly) on to any other subject (unless
> restrained by mandatory access control).

The second sentence above is really a lovely statement that
seems to me to come as close as any to what I've been
referring to as the "heart of darkness". It's exactly that
presumed ability to pass a permission on to "any" other
subject (unless restrained by MAC) that the MAC folks feel
makes capability systems DAC. Ping rightly notes that:

>Capability systems do not permit subjects to pass on permission
>to just "any other subject", so they do not meet the TCSEC
>definition of DAC.

However, capability systems do permit subjects to pass on
permission to any other subject that they can communicate
to (even unidirectionally). The fundamental object-capability
paradigm is that if I (anthropomorphically a process/active
object) have a capability and I have another capability
that allows communication, then I can pass the first
capability to an invocation of the second - granting the
permission that the capability authorizes to whatever subject
receives the invocation. This is simple parameter passing.

OK, we can quibble about whether there might be a permission
required in the communication capability that allows
capability transmission. I argue that this is more a
property of the "type" of capability than a fundamental
feature of the object-capability model. Even if a capability
prohibits capability communication but it does allow
bidirectional data communication, then we know that access
can be proxied - which is why I consider such a "feature"
a quibble. There's still a fine case (unidirectional
communication, capability communication denied) that one
might consider a saving grace of the object-capability
model. If that's what it takes to be saved, then I'll
forego being saved.

I believe the fundamental value that the MAC people
are trying to achieve is blocking access communication
while still permitting data communication. This is
where my brain just goes sproing! It can't be done.
Once you realize it can't be done, then the appeal of
the object-capability model (with POLA, etc.) becomes
clear - even to achieve MAC (e.g. MLS), in so far as it's
possible.

--Jed http://www.webstart.com/jed-signature.html
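The proxying argument in the post above, as an added toy model that is not part of the original message: `FileCap`, `DataChannel` and the helper functions are hypothetical names, and the channel refuses to carry capability objects yet still lets the holder serve the peer's read requests over plain data, so the peer obtains the permission's effect; only the unidirectional channel denies it a way to ask.

```python
from collections import deque
class Capability:
    """Marker base class; DataChannel refuses to carry instances of it."""

class FileCap(Capability):
    """Read capability over constructed sample contents."""
    def __init__(self, contents):
        self._contents = contents
    def read(self, start, length):
        return self._contents[start:start + length]

class DataChannel:
    """Carries plain data only; if not bidirectional, only the holder may send."""
    def __init__(self, bidirectional=True):
        self.bidirectional = bidirectional
        self.to_holder, self.to_peer = deque(), deque()
    @staticmethod
    def _data_only(msg):
        if isinstance(msg, Capability):
            raise TypeError("channel refuses to carry capabilities")
        return msg
    def peer_to_holder(self, msg):
        if not self.bidirectional:
            raise PermissionError("unidirectional channel: peer cannot send")
        self.to_holder.append(self._data_only(msg))
    def holder_to_peer(self, msg):
        self.to_peer.append(self._data_only(msg))

def can_pass_capability(cap, chan):
    """Direct delegation of the capability object itself: the channel blocks it."""
    try:
        chan.holder_to_peer(cap)
        return True
    except TypeError:
        return False

def holder_serve(cap, chan):
    """Holder answers each pending (start, length) request using its capability."""
    while chan.to_holder:
        start, length = chan.to_holder.popleft()
        chan.holder_to_peer(cap.read(start, length))

def proxied_read(cap, chan, start, length):
    """Peer asks, holder serves, peer receives; None when the peer cannot ask."""
    try:
        chan.peer_to_holder((start, length))
    except PermissionError:
        return None
    holder_serve(cap, chan)
    return chan.to_peer.popleft()
```

Blocking the capability type on the channel is the "quibble" the post describes: it stops delegation of the object but not of the access, while a one-way channel is the narrower case where proxying on demand is not possible.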