[E-Lang] Re: Old Security Myths Continue to Mislead
Bill Frantz
frantz@pwpconsult.com
Sun, 5 Aug 2001 14:06:27 -0700
At 12:59 PM -0700 8/5/01, Mark S. Miller wrote:
>* KeySAFE: Has anyone measured the overhead of imposing a membrane between
>Domains? Any idea how much this would cost in EROS? The purpose of
>KeySAFE, AFAIK, was to meet Orange book criteria of high security. These
>Orange book criteria, IMHO (yes, H in this case), are ill motivated. They
>come from hierarchical military organizations and from ACL security
>thinking. In particular, the Bell-LaPadula or star properties seem to me
>like the Ackermann's function of security: An interesting stunt, useful only
>in order to demonstrate you can do it. In both building and dreaming of
>distributed secure applications, I've never encountered a situation where I
>needed it.
First let me note that KeySAFE was never built. (Somehow the investors in
Key Logic were unwilling to invest $1,000,000 in a project that would only
result in Orange Book approval, and not working code or sales.)
KeySAFE, as designed, was an ACL system which controlled what objects could
be passed between compartments. The only objects which could be passed
were, in the KeyKOS jargon, "sensory". Sensory means that the kernel can
verify that no signals can pass from the holder of the capability to the
object (or any other object). A read only, no call memory segment is a
common example. As a result, there was no need to certify the security of
the objects, only the KeySAFE mechanisms used to check the ACLs and
objects, and perform the actual transfer.
Given this severe limitation on the objects that can be passed (although
files can easily be implemented as segments), there was no need to install
an intermediary in the use of the objects, only in the path by which they
were passed. The overhead for this kind of system should be fairly low.
These constraints probably move KeySAFE quite far from Dan's research
interests as I understand them.
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz           | The principal effect of | Periwinkle -- Consulting
(408)356-8506         | DMCA/SDMI is to prevent | 16345 Englewood Ave.
frantz@pwpconsult.com | fair use.               | Los Gatos, CA 95032, USA
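The transfer gate described in this message, modelled as an added example that is not KeyKOS or KeySAFE code (the object kinds, rights flags, compartment names and ACL shape are assumptions): because the sensory property is something the kernel can verify on the capability itself, the ACL check needs to sit only on the path by which a capability is passed, and the object behind it never needs certifying.

```python
from dataclasses import dataclass, field

# Constructed model of the KeySAFE design sketched above (not KeyKOS code):
# segments hold data, nodes hold capabilities, a cap names one object + rights.
@dataclass
class Obj:
    kind: str                                   # "segment" or "node"
    slots: list = field(default_factory=list)   # caps held when kind == "node"

@dataclass
class Cap:
    obj: Obj
    write: bool = False   # may store into the object
    call: bool = False    # may invoke the object

def is_sensory(cap, seen=None):
    """True if holding cap lets no signal flow from holder to any object: no
    write/call right, and every cap readable through a node is sensory too."""
    seen = set() if seen is None else seen
    if cap.write or cap.call:
        return False
    if id(cap.obj) in seen:            # already checked; also breaks cycles
        return True
    seen.add(id(cap.obj))
    if cap.obj.kind == "node":
        return all(is_sensory(c, seen) for c in cap.obj.slots)
    return True                        # read-only, no-call segment

class KeySafe:
    """ACL over (src, dst) compartment pairs, checked only on the transfer path."""
    def __init__(self, acl):
        self.acl = set(acl)

    def transfer(self, src, dst, cap):
        if (src, dst) not in self.acl:
            return False, "no ACL entry"
        if not is_sensory(cap):
            return False, "capability not sensory"
        return True, "sensory capability passed"

def demo():
    seg = Obj("segment")
    node = Obj("node", [Cap(seg), Cap(seg, call=True)])   # leaks a call right
    ks = KeySafe({("red", "blue")})
    return [ks.transfer(s, d, c)[0] for s, d, c in [
        ("red", "blue", Cap(seg)),               # True: read-only, no-call
        ("red", "blue", Cap(seg, write=True)),   # False: write right
        ("red", "blue", Cap(node)),              # False: call right inside
        ("blue", "red", Cap(seg))]]              # False: no ACL entry
```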