[cap-talk] mandatory vs. discretionary distinction - more clarification

Jed Donnelley capability at webstart.com
Sat Jan 19 13:09:35 EST 2008


At 05:54 PM 1/18/2008, Mark Miller wrote:
>On Jan 18, 2008 2:24 PM, Jed Donnelley <jed at nersc.gov> wrote:
> > However, let me mention that in today's market
> > leading systems (Unix, Windows), most (nearly
> > all?) management of access control is already
> > discretionary - already exercised by end users.
>...
>
>I should set up a bot to search for "discretionary" and "mandatory"
>and post in response:
>
>"What do you mean by 'discretionary'?".
>
>Even better, could you rephrase without using this term so I have some
>hope of understanding what you mean? Thanks.

One thing that I should have perhaps tried to make clearer
in my distinction between "discretionary" vs. "mandatory"
access controls:

The contrast is between information resources (files)
that in both cases I have access to.  The situation that
I'm familiar with from personal experience is the MLS
case.  Let's say I have access to a secret file and
my clearance level is secret.  I can read the file.
A program that I run at the secret level can read the
file.

I want (let's say need for work) to give you (a
program you run) read access to the file.  Unfortunately
your clearance is only unclassified and your program
can only run at unclassified.  The MLS system is set
up so that my running program can't send data
to yours (simple security or * property depending
on which direction you think of it in) and I can't
grant your program read access to the file (though
in principle I could grant you write access to the
file ("* property")).

Now it may be that this particular secret document
is old information and really doesn't need to stay
classified at the secret level.  I can go to a
knowledgeable administrator, an "authorized declassifier",
and ask, "Will you declassify this file for me?"
That person can say "yes", that person can say "no",
and in the most common case (from my experience)
that person can say "I'll take a look when I have
some time" - which is similar to the "no" response
except that it costs me a lot more time with repeated
queries.

I couldn't do that declassification myself.  Even though
I have access to the file and actually might be able
to communicate to the unclassified program (at the
unclassified level, not from a program running at
secret) I'm not able to get the information that
I have access to - the contents of the secret file -
to the running unclassified program in the system.
The access control is "mandatory" in that sense.

If I had an unclassified file that I wanted to
give you access to, I could do so myself.  That
control of "need to know" is discretionary.
By putting you on the ACL, you and your program
could get access to the unclassified file without
my needing to resort to involving an "authorized
declassifier".  That access control is
"discretionary" in that sense.

I think the confusion on this point often results
from the fact that of course all access controls
are "mandatory".  If they weren't they wouldn't
be 'controls'.  The special nature of the distinction
between "mandatory" and "discretionary" access controls
in the defense setting is that they block somebody
(some program) who has access from granting that
access to somebody else (some other program),
even though the first might be able to share
other access via end user controls.

Having experienced this situation (e.g. I'm
experiencing it to this day as I'm still trying
to get the NLTSS sources declassified), it seems
pretty clear to me.  Does it seem there's something
I'm missing, MarkM or others?

Incidentally, from my perspective the definition
in Wikipedia for MAC:

http://en.wikipedia.org/wiki/Mandatory_access_control

"...the term 'mandatory' used with access controls has
historically implied a very high degree of robustness
that assures that the control mechanisms resist subversion"

and

"MAC also implies that access rules or decisions cannot
be casually or informally determined."

seems to be nonsense.  I can easily see how anyone might
not understand that definition, so I might well be
missing something.  Think I ought to take a stab at
"correcting" the Wikipedia entry?

How about the other MLS folks on the list?  What does
the MAC vs. discretionary distinction mean for them?

--Jed  http://www.webstart.com/jed/
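The scenario in the post above, as an added example that is not part of the original thread: a mandatory label check (simple security / *-property) layered over a discretionary ACL, showing that the file's owner can edit the ACL at will but cannot get the secret contents to an unclassified subject until an authorized declassifier relabels the file. All users, levels and file names are constructed for illustration.

```python
from dataclasses import dataclass
LEVELS = {"unclassified": 0, "secret": 1}   # constructed two-level lattice

@dataclass
class File:
    label: str      # mandatory classification label, only a declassifier may lower it
    owner: str
    acl: dict       # discretionary: user -> set of rights, edited by the owner

@dataclass
class Subject:
    user: str
    level: str      # level the user's program is running at (bounded by clearance)

def mac_allows(subj, f, right):
    """Mandatory check: no read up (simple security), no write down (*-property)."""
    s, o = LEVELS[subj.level], LEVELS[f.label]
    return s >= o if right == "read" else s <= o

def dac_allows(subj, f, right):
    """Discretionary check: is the user on the file's ACL with that right?"""
    return right in f.acl.get(subj.user, set())

def access(subj, f, right):
    """Both layers must agree; an ACL edit by the owner cannot override the label."""
    return mac_allows(subj, f, right) and dac_allows(subj, f, right)

def grant(actor, f, user, rights):
    """Discretionary: the owner edits the ACL without involving any administrator."""
    if actor != f.owner:
        raise PermissionError("only the owner may edit the ACL")
    f.acl.setdefault(user, set()).update(rights)

def declassify(actor, f, new_label, authorized):
    """Mandatory: only an authorized declassifier may lower the label."""
    if actor not in authorized:
        raise PermissionError("relabeling needs an authorized declassifier")
    f.label = new_label

def demo():
    """Replays the post's scenario; 'jed', 'mark' and 'declassifier' are constructed."""
    doc = File(label="secret", owner="jed", acl={"jed": {"read", "write"}})
    jed, mark = Subject("jed", "secret"), Subject("mark", "unclassified")
    grant("jed", doc, "mark", {"read", "write"})   # Jed may put Mark on the ACL...
    out = {"jed_reads": access(jed, doc, "read"),
           "mark_reads_before": access(mark, doc, "read"),   # ...but MAC blocks read-up
           "mark_writes": access(mark, doc, "write")}        # write-up is permitted
    declassify("declassifier", doc, "unclassified", {"declassifier"})
    out["mark_reads_after"] = access(mark, doc, "read")      # now both layers agree
    return out
```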
