MLS Challenge Problem
Wed, 10 Nov 1999 15:43:29 -0800

I am new to the capability concept, so perhaps I can take advantage of
this problem and treat it as a learning opportunity.

> Design an efficient implementation by which these restrictions can be
> successfully imposed. In particular, address the question of how the
> trusted file implementation is able to determine the security attributes
> of its invoker, or by what means this determination is rendered
> unnecessary by the reference monitor.

The first thing that comes to mind is that the trusted file implementation
knows the security attributes of its invoker because invokers at different
security levels have different kinds of capabilities.  There are "top
secret" capabilities and "secret" capabilities.

Then when the file implementation gives out the capabilities that are
stored in a particular file, it looks at what kind of capabilities they
are and compares them with the capability being used to access the file.
If there is a mismatch it either fails or wraps them in a capability
which makes them legal (a read-only, top secret capability, for example).

There would be four kinds of capabilities to files: top-secret-read,
top-secret-read-write, secret-read, and secret-read-write.  In the example
given, when a top-secret-read capability to file A is used to fetch a
secret-read-write capability stored in file A which points at file B,
the trusted file implementation transforms it into a top-secret-read
capability to file B.