[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")

Jonathan S. Shapiro shap at eros-os.com
Thu Jan 4 06:44:14 CST 2007


On Thu, 2007-01-04 at 00:13 +0000, David Hopwood wrote:

>  - that MLS/"the mandatory policy" is incompatible with POLA (primarily
>    for the reason I've explained in the context of the *-property in
>    <http://www.eros-os.org/pipermail/cap-talk/2006-July/005501.html>,
>    and Jed has also argued for IPC mechanisms),

I have only just read that note, and I think your dichotomy concerning
POLA vs. MLS is false. You wrote:

> - The *-property (no write down) is fundamentally in opposition to
>   POLA. If a High subject P wants to delegate a service to another
>   subject S, then POLA says that P *should* use an S that has the
>   least possible access to objects other than those needed to perform
>   the service. The *-property, OTOH, effectively says that S *must*
>   have an equally high clearance level to P (and therefore, if the
>   ss-property is the only other rule in effect, it is able to read
>   anything that P can read).

I think this is mistaken, and I suspect that the confusion lies in your
trailing parenthetical remark.

The level and compartment constraints of MLS are necessary, but are not
sufficient. MLS says that you must be in the "top-secret {nuclear,
submarine}" level{compartment-set} in order to examine the reactor plans
for the submarine. It does NOT say that being in this
level{compartment-set} is sufficient to give you the right to obtain
those plans. In the military context, "need to know" is still assumed to
apply. The implementation of "need to know" generally takes the form of
someone handing you a document or giving you an access key (very much
like a capability transfer).

That is: MLS does not preclude the possibility of a set of discretionary
controls that are operating in parallel with the mandatory controls. In
fact, MLS does not preclude the simultaneous parallel operation of other
mandatory policies. The most notable example is the (largely failed)
interest in reconciling the MLS security policy with the Biba integrity
policy.

To clear up your example, we need to be more clear about subjects vs
programs. In your example, P cannot delegate to a lower subject S
because it is never permitted to obtain a capability to S. This is not a
POLA violation. P remains free to instantiate a new subject S' that
obeys the same program that S obeys. The new subject S' is in the same
compartment as P, and P is free to hand anything to S'. This does not
preclude P from constraining the capabilities available to S' through
selective delegation, confinement, and so forth.

This is not a POLA violation in the same sense that confinement is not a
POLA violation. A confined subject P cannot delegate to a subject S that
lies outside the confinement boundary. In both the confinement case and
the MLS case, the reason is that the subject P will not, in either case,
hold a capability to the subject S.

shap
-- 
Jonathan S. Shapiro, Ph.D.
Managing Director
The EROS Group, LLC
+1 443 927 1719 x5100
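The following is an added illustration, not code from the post or from EROS, of the two points argued above: that an MLS label (a level plus a compartment set) is necessary but not sufficient for access, with "need to know" modelled as a separately held capability, and that a High subject P which cannot reach a lower subject S can still instantiate an S' at its own label and pass it only the capabilities it chooses. The level names, compartment names, object names and the `instantiate` helper are all constructed for the example.

```python
"""Added example: a small Bell-LaPadula lattice with levels and compartments,
plus a discretionary capability check that runs in parallel with it.
All identifiers and sample labels below are constructed for illustration."""
from dataclasses import dataclass, field

# Linear ordering of clearance levels (constructed sample).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """An MLS label: a level together with a compartment set."""
    level: str
    compartments: frozenset

    def dominates(self, other: "Label") -> bool:
        # A dominates B iff A's level is at least B's and A's compartment
        # set contains B's. This is the lattice ordering used by both
        # the ss-property and the *-property.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


@dataclass
class Subject:
    name: str
    label: Label
    program: str = ""
    # Discretionary side: names of objects/subjects this subject holds a
    # capability to. This is the "need to know" that MLS does not grant.
    caps: set = field(default_factory=set)


@dataclass
class Obj:
    name: str
    label: Label


def can_read(s: Subject, o: Obj) -> bool:
    # ss-property (no read up): s's label must dominate o's label...
    # ...AND s must actually hold a capability to o. Dominance alone is
    # necessary but not sufficient.
    return s.label.dominates(o.label) and o.name in s.caps


def can_write(s: Subject, o: Obj) -> bool:
    # *-property (no write down): o's label must dominate s's label,
    # again combined with the discretionary capability check.
    return o.label.dominates(s.label) and o.name in s.caps


def can_delegate(p: Subject, s: Subject) -> bool:
    """P may hand a capability to S only if P holds a capability to S at all
    and the hand-off is not a write-down (S's label must dominate P's)."""
    return s.name in p.caps and s.label.dominates(p.label)


def instantiate(p: Subject, program: str, name: str, caps: set) -> Subject:
    """P creates a new subject S' running `program` at P's own label, holding
    only the capabilities P chose to pass on (selective delegation).
    Hypothetical helper standing in for a real kernel's constructor."""
    if not caps <= p.caps:
        raise PermissionError("cannot delegate a capability you do not hold")
    return Subject(name, p.label, program, set(caps))


if __name__ == "__main__":
    ts = Label("top-secret", frozenset({"nuclear", "submarine"}))
    low = Label("confidential", frozenset())
    plans = Obj("plans", ts)
    p = Subject("P", ts, caps={"plans", "orders"})
    s_low = Subject("S", low)
    print("P reads plans:", can_read(p, plans))            # True
    print("P may delegate to low S:", can_delegate(p, s_low))  # False
    s_prime = instantiate(p, "service", "S'", {"plans"})
    print("S' reads plans:", can_read(s_prime, plans))     # True
    print("S' reads orders:", can_read(s_prime, Obj("orders", ts)))  # False
```

The `and o.name in s.caps` conjunct is where the post's point lives: being in the right level and compartment set never by itself yields the plans. The `instantiate` path shows the non-violation of POLA that the post describes: P never gets a capability to the lower S, but S' at P's own label receives exactly the subset of P's capabilities that P selects and nothing else.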