[cap-talk] Capability MLS scheme using Horton (was: Re: Negative permissions)

Jonathan S. Shapiro shap at eros-os.com
Mon Feb 4 17:18:12 EST 2008


On Mon, 2008-02-04 at 13:14 -0800, Jed Donnelley wrote:
> On 2/4/2008 11:06 AM, Jonathan S. Shapiro wrote:
> > On Mon, 2008-02-04 at 09:55 -0800, Jed Donnelley wrote:
> >> At 08:46 AM 2/4/2008, Karp, Alan H wrote:
> >>> Jed wrote:
> >>>> At this point I feel I have such a clear view of how
> >>>> these mechanisms are working, it seems a shame that I
> >>>> don't have an opportunity to work on architecting a
> >>>> system with them - e.g. a capability based system
> >>>> with some identity based controls (e.g. MLS).
> > 
> > MLS does not entail identity-based controls. It entails domain-based
> > controls. There is nothing in the implementation of an MLS system that
> > benefits significantly (even if viewed purely from an efficiency
> > perspective) from identity-based controls in the core kernel.
> 
> Hmmm.  In most MLS systems that I'm aware of it is people
> who have clearances and objects (usually files) that
> have classifications.

Nope. In MLS systems, it is *subjects* that have clearances in their
capacity as agents of principals. If you disassemble an MLS system and
actually find an instance of "people" inside, your next action should be
to call in the homicide cops.

The classifications and compartments of subjects can be captured via a
domain discipline, which the KeyKOS MLS design clearly demonstrates.
There is no inherent reason to believe that the KeyKOS MLS design is
inherently any slower than other designs.


shap
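As an added illustration of the point Shapiro makes above (not code from the thread, KeyKOS, or any real MLS system): a minimal label lattice in which clearances are attached to subjects (domains acting on behalf of a principal) and the access checks never consult the principal's identity. All levels, compartments, domain names and objects here are constructed for the example.

```python
# Added example: clearances live on domains (subjects), not on people.
# Levels, compartments and sample names are constructed for illustration.
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order: level at least as high and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

@dataclass(frozen=True)
class Subject:
    # A domain (process) running for a principal; the clearance belongs to the
    # domain. The principal name is carried for audit only and is never checked.
    domain: str
    principal: str
    clearance: Label

@dataclass(frozen=True)
class Obj:
    name: str
    classification: Label

def can_read(s: Subject, o: Obj) -> bool:
    """Simple security property (no read up): clearance dominates classification."""
    return s.clearance.dominates(o.classification)

def can_write(s: Subject, o: Obj) -> bool:
    """*-property (no write down): classification dominates clearance."""
    return o.classification.dominates(s.clearance)

# Constructed sample: one principal, two domains with different clearances.
alice_secret = Subject("alice-secret-shell", "alice", Label("SECRET", frozenset({"CRYPTO"})))
alice_low = Subject("alice-web-browser", "alice", Label("UNCLASSIFIED"))
plan = Obj("plan.txt", Label("SECRET", frozenset({"CRYPTO"})))
notes = Obj("notes.txt", Label("CONFIDENTIAL"))

def demo() -> dict:
    """Same person, different domains: the domain's label decides, not the name."""
    return {
        "secret_domain_reads_plan": can_read(alice_secret, plan),
        "low_domain_reads_plan": can_read(alice_low, plan),
        "secret_domain_writes_notes": can_write(alice_secret, notes),
        "low_domain_writes_notes": can_write(alice_low, notes),
    }
```

The two subjects share the principal "alice", yet only the domain holding the SECRET/CRYPTO clearance may read the plan, and that same domain is refused a write-down into the CONFIDENTIAL object.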


