[cap-talk] VOC <-> DAC distinction (was: RE: In defense of P-1935)
Jed Donnelley
capability at webstart.com
Sat Feb 2 20:39:10 EST 2008
At 03:30 PM 2/2/2008, Karp, Alan H wrote:
>Jed wrote:
> >
> > Maybe you have a definition of DAC that
> > excludes VOC? To me it has always seemed
> > that VOC is a value added subset of DAC.
>
>In DAC the transfer of rights is allowed unless "unless restrained
>by mandatory access control". VOC recognizes that we might be
>working with unconstrained subjects so there are no mandatory controls.
So far so good.
>Basically, VOC says "Use the approved mechanism, and you won't
>accidentally violate policy."
Yes, I believe I understand this perfectly.
>DAC with MAC restrictions says "There is only the approved mechanism."
Hmmm. I believe I understand the above also.
Take the most common situation where there is DAC
and MAC - something like ACLs (e.g. Unix) in a
system that also has MLS MAC. In that case
the DACs are arranged so that they never violate
the MACs. That is, either I can't put a user
only cleared to unclassified on the ACL to
read a secret file, or even if I do that user
will still be blocked from reading the file.
>DAC without MAC says "You need to know the policy to avoid violating it."
This is the part that puzzles me. While the above
is certainly true in DAC without MAC environments
like Unix or Windows, I can easily imagine what
I would consider to be a DAC without MAC
environment, such as an unconfined capability
environment with available policy-enforcing
Horton tunnels, in which the above "need to
know" isn't true. I believe from the definition
of DAC (which I repeat again for convenience):
________
In computer security, discretionary access control (DAC) is a kind of
access control defined by the Trusted Computer System Evaluation
Criteria[1] as "a means of restricting access to objects based on the
identity of subjects and/or groups to which they belong. The controls
are discretionary in the sense that a subject with a certain access
permission is capable of passing that permission (perhaps indirectly)
on to any other subject (unless restrained by mandatory access control)".
________
such a capability environment with available
Horton tunnels would be considered "discretionary"
access control (most security practitioners, I
believe, consider capabilities only for DAC;
they fail to consider environments in which
the only available communication is through
a policy-enforcing PDP). It is still, however,
an environment in which you don't need to know
the policy to avoid violating it. You can just
use your discretion to do any needed delegations
through the Horton PDP.
I believe the above is DAC without MAC because
I can delegate access either by sending a
capability through a Horton tunnel or through
some other path - my choice. However, if
I send it through the Horton tunnel the
PDP inside will "obliviously" block the
delegation if it violates policy.
Isn't this a DAC without MAC situation where
I don't need to know the policy to avoid
violating it? Isn't it in fact Voluntary
Oblivious Compliance? The above thinking is
why to me VOC is a subset of DAC - essentially
a nice property of a DAC.
--Jed http://www.webstart.com/jed-signature.html
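As an added illustration that is not part of Jed's post or of any Horton implementation: a toy Python model of the scenario he describes, with a plain DAC delegation path beside a Horton-style tunnel whose PDP "obliviously" refuses delegations that violate an assumed MLS-style clearance policy. The classes, subjects, labels and the policy are all constructed for the example.

```python
# Added illustration (not from the post). Capability, Subject, the PDP, the
# tunnel and the MLS-style clearance policy are all constructed assumptions.
from dataclasses import dataclass, field
LEVELS = {"unclassified": 0, "secret": 1}   # constructed clearance lattice

@dataclass(frozen=True)
class Capability:
    obj: str      # object the capability refers to
    label: str    # sensitivity label of that object

@dataclass
class Subject:
    name: str
    clearance: str
    caps: set = field(default_factory=set)

    def delegate_directly(self, cap, recipient):
        # Plain DAC path: any route the holder picks, nothing checks policy,
        # so the holder must know the policy to avoid violating it.
        recipient.caps.add(cap)
        return True

class PolicyDecisionPoint:
    def permits(self, cap, recipient):
        # MLS-style rule: the recipient's clearance must dominate the label.
        return LEVELS[recipient.clearance] >= LEVELS[cap.label]

class HortonTunnel:
    # The approved mechanism: the PDP inside drops non-compliant delegations.
    # The sender never consults the policy, which is the "oblivious" part of VOC.
    def __init__(self, pdp):
        self.pdp = pdp
        self.blocked = []   # audit trail of refused delegations

    def delegate(self, sender, cap, recipient):
        if not self.pdp.permits(cap, recipient):
            self.blocked.append((sender.name, cap.obj, recipient.name))
            return False
        recipient.caps.add(cap)
        return True

def demo():
    alice = Subject("alice", "secret", {Capability("plan.txt", "secret")})
    bob, carol = Subject("bob", "unclassified"), Subject("carol", "secret")
    tunnel, cap = HortonTunnel(PolicyDecisionPoint()), next(iter(alice.caps))
    tunnel_bob = tunnel.delegate(alice, cap, bob)       # refused by the PDP
    tunnel_carol = tunnel.delegate(alice, cap, carol)   # compliant, allowed
    direct_bob = alice.delegate_directly(cap, bob)      # DAC: no check at all
    return {"tunnel_bob": tunnel_bob, "tunnel_carol": tunnel_carol, "direct_bob": direct_bob,
            "bob_has_cap": cap in bob.caps, "blocked": len(tunnel.blocked)}
```

Running `demo()` shows the point of the thread: the tunnel path needs no policy knowledge from the sender, while the direct path still works and is exactly the discretionary transfer the DAC definition allows.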