[cap-talk] Comprehensive Security Policies on Capability Systems
Bill Frantz
frantz at pwpconsult.com
Wed Jan 17 17:18:10 CST 2007
nowhere.man at levallois.eu.org (Pierre THIERRY) on Wednesday, January 17, 2007 wrote:
>Bill Frantz wrote on 17/01/2007 at 14:50:
>> Yes. KeySafe [1] interposes a reference monitor between different
>> compartments which implements labeled subjects and labeled data.
>> However, KeySafe itself is implemented with normal object
>> capabilities.
>
>But where is there a check between subjects and label? I understood that
>in the reference monitor pattern, you merely have a distinction between
>inside and outside. You could prevent selected capabilities from leaking
>outside, but only based on the capability, not on the subject receiving
>it outside the reference monitor.
>
>Or did I miss something?
Well, it's a bit more complex than that. The KeySafe reference gives
the gory details, but in brief, when a compartment publishes a
capability, the reference monitor associates that capability with a
label. When a compartment tries to import a capability, the labels are
checked. The reference monitor mediates all communication between
compartments.
Cheers - Bill
-----------------------------------------------------------------------
Bill Frantz | I like the farmers' market | Periwinkle
(408)356-8506 | because I can get fruits and | 16345 Englewood Ave
www.pwpconsult.com | vegetables without stickers. | Los Gatos, CA 95032
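
The publish/import label check described in the message above, as an added sketch that is not part of the original post and is not KeySafe code. Assumptions: the comparison is a Bell-LaPadula style dominance rule, a published capability takes its publisher's label, and all class and method names are hypothetical; Python references only stand in for capabilities and are not an enforced boundary.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                          # constructed scale: higher is more sensitive
    categories: frozenset = frozenset()

    def dominates(self, other):
        return self.level >= other.level and self.categories >= other.categories

class Mailbox:
    """Ordinary object capability: whoever holds a reference can read and write."""
    def __init__(self):
        self.items = []
    def read(self):
        return list(self.items)
    def write(self, item):
        self.items.append(item)

class Mediated:
    """Forwarder handed to an importer in place of the real capability."""
    def __init__(self, target, can_read, can_write):
        self._target, self._can_read, self._can_write = target, can_read, can_write
    def read(self):
        if not self._can_read:
            raise PermissionError("read up denied")
        return self._target.read()
    def write(self, item):
        if not self._can_write:
            raise PermissionError("write down denied")
        self._target.write(item)

class ReferenceMonitor:
    def __init__(self):
        self._labels = {}      # compartment name -> Label (assumed set by an administrator)
        self._published = {}   # published name -> (capability, Label)

    def add_compartment(self, name, label):
        self._labels[name] = label

    def publish(self, compartment, name, capability):
        # Assumption: the capability is labeled with the publishing compartment's label.
        self._published[name] = (capability, self._labels[compartment])

    def import_cap(self, compartment, name):
        subject = self._labels[compartment]          # label of the receiving subject
        capability, label = self._published[name]
        can_read, can_write = subject.dominates(label), label.dominates(subject)
        if not (can_read or can_write):
            raise PermissionError(f"{compartment} may not import {name}")
        return Mediated(capability, can_read, can_write)
```

The decision in import_cap depends on the label of the importing compartment as well as the label attached to the capability, and the importer only ever holds the forwarder, never the original reference.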