[cap-talk] Mandatory Access Control (was: What's "Discretionary Security")
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Thu Jan 4 12:09:21 CST 2007
Jonathan S. Shapiro wrote:
> On Thu, 2007-01-04 at 00:13 +0000, David Hopwood wrote:
>
>> - that MLS/"the mandatory policy" is incompatible with POLA (primarily
>> for the reason I've explained in the context of the *-property in
>> <http://www.eros-os.org/pipermail/cap-talk/2006-July/005501.html>,
>> and Jed has also argued for IPC mechanisms),
>
> I have only just read that note, and I think your dichotomy concerning
> POLA vs. MLS is false. You wrote:
>
>>- The *-property (no write down) is fundamentally in opposition to
>> POLA. If a High subject P wants to delegate a service to another
>> subject S, then POLA says that P *should* use an S that has the
>> least possible access to objects other than those needed to perform
>> the service. The *-property, OTOH, effectively says that S *must*
>> have an equally high clearance level to P (and therefore, if the
>> ss-property is the only other rule in effect, it is able to read
>> anything that P can read).
>
> I think this is mistaken, and I suspect that the confusion lies in your
> trailing parenthetical remark.
>
> The level and compartment constraints of MLS are necessary, but are not
> sufficient. [...]
> That is: MLS does not preclude the possibility of a set of discretionary
> controls that are operating in parallel with the mandatory controls. In
> fact, MLS does not preclude the simultaneous parallel operation of other
> mandatory policies. The most notable example is the (largely failed)
> interest in reconciling the MLS security policy with the Biba integrity
> policy.
I discussed the Biba policy in the same note, and specifically how the
Biba ss-property has essentially the same problem as the BLP *-property.
OK, so we know that the BLP properties don't work on their own, and the
Biba properties don't work on their own, and BLP and Biba properties don't
work when used together. But, apparently, some unspecified combination of
these properties and some other unspecified properties might.
I think you are being entirely too charitable.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
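The delegation argument quoted above (P at High wants to hand a service to S; the *-property forces S's level up to P's, and the ss-property then lets S read everything P can) can be checked mechanically against the two rule sets. The following is an added example, not code from the thread or from any EROS/cap-talk project: it encodes the BLP and Biba rules over a constructed three-point linear lattice (no compartments) and a constructed set of objects, and finds the lowest level a delegate may have while still being able to exchange messages with P. The Biba half uses my framing of where its simple-integrity property bites (P reading S's reply); the message above only says the problem is "essentially the same".

```python
"""Toy Bell-LaPadula (BLP) and Biba policy checks: why the *-property (BLP)
and the simple-integrity property (Biba) pin a delegate's level to its
principal's. Added example; levels and object names are constructed."""

# Constructed linear ordering of levels, used for both sensitivity (BLP)
# and integrity (Biba). No categories/compartments, to keep the point clear.
LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Constructed objects with their labels.
OBJECTS = {"public_doc": "Low", "internal_memo": "Medium", "secret_plan": "High"}


def dominates(a: str, b: str) -> bool:
    """a dominates b when a's level is at least b's in the lattice."""
    return LEVELS[a] >= LEVELS[b]


# --- Bell-LaPadula (confidentiality) ---
def blp_can_read(subject: str, obj: str) -> bool:
    """ss-property (no read up): subject must dominate the object."""
    return dominates(subject, obj)


def blp_can_write(subject: str, obj: str) -> bool:
    """*-property (no write down): object must dominate the subject."""
    return dominates(obj, subject)


# --- Biba (integrity), the dual of BLP ---
def biba_can_read(subject: str, obj: str) -> bool:
    """simple-integrity (no read down): object must dominate the subject."""
    return dominates(obj, subject)


def biba_can_write(subject: str, obj: str) -> bool:
    """*-integrity (no write up): subject must dominate the object."""
    return dominates(subject, obj)


def least_delegate_level(p_level: str, channel_ok) -> str:
    """Lowest level S may carry such that the P<->S message channel is
    allowed. channel_ok(p_level, s_level) is the rule that governs the
    channel: under BLP, P must *write* its request to S (blp_can_write);
    under Biba, P must *read* S's reply (biba_can_read). The channel is
    modelled as an object labelled at S's level."""
    allowed = [lvl for lvl in LEVELS if channel_ok(p_level, lvl)]
    return min(allowed, key=LEVELS.__getitem__)


def reachable(level: str, access_ok, objects=OBJECTS) -> set:
    """Objects a subject at `level` may access under rule access_ok."""
    return {name for name, lbl in objects.items() if access_ok(level, lbl)}


def delegation_report(p_level: str, channel_ok, access_ok) -> dict:
    """What POLA would like (lowest level) versus what the policy forces."""
    forced = least_delegate_level(p_level, channel_ok)
    return {
        "forced_level": forced,
        "delegate_reach": reachable(forced, access_ok),
        "principal_reach": reachable(p_level, access_ok),
        "pola_reach_at_low": reachable("Low", access_ok),
    }


if __name__ == "__main__":
    # BLP: P must write its request down to S, so S is dragged up to High,
    # and the ss-property then lets S read everything P can read.
    print("BLP :", delegation_report("High", blp_can_write, blp_can_read))
    # Biba: P must read S's reply, which must not be below P, so S is dragged
    # up to High and may then write everything P can write.
    print("Biba:", delegation_report("High", biba_can_read, biba_can_write))
```

Running it shows the gap the message is pointing at: under either policy the delegate is forced to "High", and its reach equals the principal's rather than the single "Low" object that a least-authority delegate would need.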