[cap-talk] the value of non-delegatable authority?

Jed Donnelley capability at webstart.com
Thu Jan 17 03:24:40 EST 2008


At 11:21 PM 1/16/2008, Toby Murray wrote:
>On Thu, 2008-01-17 at 06:08 +0000, David Hopwood wrote:
>...
> > By proxying, Alice can instantaneously give Bob the ability to read every
> > document that he wants to read (and the same ability to search 
> for documents
> > that she has). This has a similar effect to giving Bob the same clearance,
> > except that an audit trail will show Alice, not Bob, as having accessed
> > the documents.
>
>It is similar, but there are some major differences.
>
>Alice must collaborate on each document Bob fetches when Alice is
>proxying.
>
>Instead, were Alice able to delegate her clearance to Bob, then Bob
>would only require her participation during this single act of
>delegation, and never again.
>
>I'd argue that were Alice to give Bob *her* clearance, that Bob's
>accesses would show as having been authorised by Alice's clearance.

I believe Bob's accesses would show as having been authorized
by Alice's clearance even in the proxying case.

>Hence, the accesses may well show up as having been made by Alice,
>depending on the mechanics of the logging system of course.

Toby, did you see my message:

http://www.eros-os.org/pipermail/cap-talk/2008-January/009526.html

where I say: "I believe that's the best that
can be done, whether for defense/military MAC
or for company proprietary or any other protection
policy, voluntary or mandatory."  With the Horton
approach you can do MAC if the subject is confined
and VOC if the subject is not, with the same
policy modules used in both cases and as much
logging and whichever policies (access denials,
whether during delegation or retroactive) you wish.

I'm amazed that you can even consider military MLS
in a situation where, as you say in your paper, you
"distribute authority to an unconfined subject
already in existence, to whom arbitrary communications
channels might be available".

The authorized declassifiers whom I've known would
faint dead away in such a circumstance and then
tell you not to bother them with such a ridiculous
situation when they woke up.  Isn't the main idea
of MLS MAC?  If you have an unconfined communicator
with access to classified data, what is the point?

It seems to me you're splitting hairs with the
distinctions you make between MACs being violated
by proxy vs. by delegation.  In both cases the
Mandatory Access Controls are being violated.

Why not do it "right" with something like Horton and
make sure that your untrusted subjects are only given
capabilities through a PDP for communication - which
means their communications (including but not only
their delegations) can be subject to what Alan
terms a Policy Decision Point?  Then you'd get
some security you could count on, not some
theoretical non-delegatability after the horse
is already out of the barn.

Regardless of how you do MAC MLS, I believe that to
satisfy military folks you will have to make it
really mandatory.  I believe that means that you have
to end up with some sort of compartmentalization
along the lines of the KeyKOS mechanism.  You
won't find any unconfined subjects there.

--Jed  http://www.webstart.com/jed/
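A small Python model of the three regimes argued over in the message above (Alice proxying for Bob, raw delegation of her capability, and delegation routed through a Policy Decision Point that can deny and log it). This is an added illustration, not code from the thread and not the Horton protocol; the clearance scale, the subjects and the deny rule are constructed assumptions.

```python
"""Toy model of capability access under proxying, raw delegation and
PDP-mediated delegation.  All names, levels and the policy rule are
constructed for illustration (not Horton, not any real MLS system)."""
from dataclasses import dataclass, field

@dataclass
class Document:
    name: str
    level: int            # constructed scale: 1 = unclassified ... 3 = secret

@dataclass
class Subject:
    name: str
    clearance: int
    confined: bool        # True if the subject only talks through the PDP

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)
    def record(self, **event):
        self.entries.append(event)

class Capability:
    """Read capability bound to the clearance it was issued under."""
    def __init__(self, doc, issued_to, log):
        self.doc, self.issued_to, self.log = doc, issued_to, log
    def read(self, actor):
        # The audit trail sees the clearance the capability carries
        # ("by"), whoever actually invoked it ("actor").
        self.log.record(doc=self.doc.name, by=self.issued_to.name, actor=actor.name)
        return f"contents of {self.doc.name}"

def proxy_read(alice_cap, alice, bob):
    """Alice fetches on Bob's behalf: she must participate every time."""
    return alice_cap.read(alice)

def delegate_raw(cap, recipient):
    """Unmediated delegation: afterwards the recipient reads on their own,
    but every read is still logged against the delegator's clearance."""
    return cap

def delegate_via_pdp(cap, delegator, recipient, log):
    """PDP-mediated delegation: the policy module decides at delegation
    time and logs both parties, so later reads are attributable."""
    if not recipient.confined or recipient.clearance < cap.doc.level:
        log.record(event="delegation-denied", src=delegator.name,
                   dst=recipient.name, doc=cap.doc.name)
        return None
    log.record(event="delegation", src=delegator.name, dst=recipient.name, doc=cap.doc.name)
    return Capability(cap.doc, recipient, log)   # new cap bound to recipient
```

Under proxying and raw delegation the log attributes Bob's reads to Alice's clearance either way, which is the point the message makes; only the PDP variant produces a denial or a delegation record naming both parties.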