[cap-talk] Capability MLS scheme using Horton
Jed Donnelley
jed at nersc.gov
Mon Feb 4 19:10:59 EST 2008
On 2/4/2008 2:18 PM, Jonathan S. Shapiro wrote:
> On Mon, 2008-02-04 at 13:14 -0800, Jed Donnelley wrote:
>> On 2/4/2008 11:06 AM, Jonathan S. Shapiro wrote:
...Jonathan:
>>> MLS does not entail identity-based controls. It entails domain-based
>>> controls. There is nothing in the implementation of an MLS system that
>>> benefits significantly (even if viewed purely from an efficiency
>>> perspective) from identity-based controls in the core kernel.
Jed:
>> Hmmm. In most MLS systems that I'm aware of it is people
>> who have clearances and objects (usually files) that
>> have classifications.
>
> Nope. In MLS systems, it is *subjects* that have clearances in their
> capacity as agents of principals. If you disassemble an MLS system and
> actually find an instance of "people" inside, your next action should be
> to call in the homicide cops.
Hmmm. Perhaps you didn't read my next sentence?:
> It's true that executing programs inherit clearances from
> the people who run them, and you can consider these to
> be executing in domains that require control (lest the
> information they read or write inappropriately get
> back to the wrong person by violating the simple
> security or star properties), but it's still people and
> their clearances that I believe are the primary source
> of concern and need for control.
I assume you know that I worked at LLNL for 25 years where I
led the implementation of a production MLS MAC OS that ran
in MLS production for over 10 of those years. Of course
we were concerned about the subjects (processes) in those
systems to insure sensitive information didn't fall
into the hands of the wrong people.
Another way to consider my point is to note that if the
information never got out of the programs, people wouldn't
care about the domain protections as far as MLS goes.
Since the information does get out, appropriate care
must be taken. Still, a system that provides effective
protection of the information without associating
clearances with running programs (a property of both the
KeyKOS design and my Horton straw man I believe - though
this wasn't true of the NLTSS system that we ran at LLNL
where processes had clearance labels) can be perfectly
adequate I believe.
> The classifications and compartments of subjects can be captured via a
> domain discipline, which the KeyKOS MLS design clearly demonstrates.
> There is no inherent reason to believe that the KeyKOS MLS design is
> inherently any slower than other designs.
I wasn't criticizing the KeyKOS MLS design. I was just
proposing another built on Horton. It might be interesting
to contrast the properties of each. My note about performance
was to suggest that a design built on Horton could be optimized
to minimize the cost of having every access go through
a Horton tunnel - not to somehow denigrate a possible KeyKOS
implementation.
The "holy grail" that I'm seeking is an architecture that
has all the POLA aspects of capabilities (all access is via
invocations and capabilities can be communicated through
such accesses - only) with the values that people look for
from current market leading systems - e.g. as sought in
TCSEC (logging, auditing, and control of who has access
to what, including control over access that has been
delegated - no "loss of control"). I believe these
properties are important in systems beyond MLS such
as controlling proprietary or company sensitive
information. I believe these properties and the
"control" they imply will be important to sell most
capability implementations that are used to control
delegation, including between people - such as WebKeys.
--Jed http://www.webstart.com/jed/
More information about the cap-talk
mailing list