[cap-talk] Mandatory Access Control: unidirectional state changes

Rob Meijer rmeijer at xs4all.nl
Fri Jan 5 05:30:23 CST 2007 

On Fri, January 5, 2007 11:00, Ka-Ping Yee wrote:
> On Fri, 5 Jan 2007, Rob Meijer wrote:
>> I think MAC vs DAC is not an issue of local vs global but rather an
>> issue
>> of unidirectional state changes vs bidirectional state changes.
> [...]
>> I feel that in MLS MAC only provides the mechanisms of unidirectional
>> state changes at a global level, rather than moving controll to a global
>> level. I feel that any access controll mechanism that provides
>> the posibility to do unidirectional state changes provides MAC, while
>> any
>> access controll mechanism that provides the ability to do bidirectional
>> state changes would thus provide DAC.
>
> This perspective is new to me.  Do you have any examples of systems or
> documentation where the terms "mandatory" and "discretionary" are used
> with these meanings?

No, unfortunately. It is my personal practical conclusion from trying to
see a true constant in systems designs claiming to provide MAC.
To me this apears to be the only generic claim about MAC that can not be
demolished through examples of MAC systems that did/do not conform to it.

Maybe mapping it to a reference example could show if this perspective
would stick:

1) Alice holds a reference to Carol that she through a caretaker
 (Carol*) delegates to Bob.
2) Bob holds a reference to a resource R that he now delegates through a
caretaker (R*) to Carol.
3) Bob revokes Carols access to R through R*.
4) Alice revokes Bobs acces to Carol through Carol*.
5) Bob wants Carol to again have access to R.

In my view, if R* does 'not' provide the posibility to un-revoke access to R
than R* can be seen as providing MAC, if it does provide the posibility to
un-revoke access to R than R* would IMO provide DAC.
That is, in my view, by providing unidirectional state changes R* would
provide MAC to Bob, while if it would provide unidirectional state
changes, it would provide DAC to Bob.

Is this making sense to anyone else but me? Or have I been over
extrapolating my observations of existing MAC/DAC designs?

Rob

More information about the cap-talk mailing list