[E-Lang] draft statement of consensus

Bill Frantz frantz@pwpconsult.com
Tue, 6 Feb 2001 11:04:23 -0800


At 22:44 PM -0800 2/5/01, Mark Miller wrote:
>At 09:24 PM Monday 2/5/01, Jonathan S. Shapiro wrote:
>>MarcS:
>>
>>In my note, I suggested an example of an ACL-class system that may be useful
>>(MLS). It hasn't been rebutted, and even MarkM seems to have agreed with it.
>
>Actually, what I said was approximately that it looks like a promising and
>challenging line of inquiry, but that I hadn't yet grokked it in its
>fullness.  (Or, for those that haven't read Stranger in a Strange Land, I
>don't really understand it yet.) The rest of your message makes it clear to
>me just how thoroughly I don't yet understand it, as well as how much I'd
>like to.  In my current level of ignorance of MLSish things, I'm not really
>able to agree or disagree with much of your message.

Well, I didn't really understand MLS until we sketched out a way to
implement it in KeyKOS.  :-)

For "classic" MLS systems, the basic idea is that there are two separate
protection mechanisms.  One is a "classic" ACL system which provides
discretionary access controls.  (The Orange Book C level system)  The other
is a system of classification labels which are attached to every subject
and object.  The reference monitor checks the ACL and the labels for every
access.  If the access violates the policy established by either the ACL OR
the classification labels, then it is denied.  (In practical systems, the
reference monitor usually only runs at "open" time, leaving plenty of time
for long-running processes to cause mischief.

The KeyKOS implementation imagined a global directory, outside any
protection domain, and a series of confined "compartments" where
applications ran.  Each compartment had a classification label, and the
compartment object permitted you to fetch sense keys and read-only/no-call
segments from the global directory; if the object ACL and label permitted.

Note that RO/NC segments and sense keys allow general sharing of data and
code.  More complex objects could be added to the permitted object types,
but they would have to be trusted, since each one is a potential leakage
path.

>To help me (and I suspect, others) understand MLSish things better, could
>you paint a scenario outside of gov't secrecy where one might find these
>mechanisms useful?  Corporate secrecy would be fine, or whatever works.
>It's just that with the standard gov't example, it's hard to, shall we say,
>feel motivated to solve the problem.

I would love to set up a MLS system where code downloaded by my web browser
was restricted.  Some restrictions I would like include:

* No way can it read my address book.  (Ditto for email messages.)
* No way can it schedule system startup tasks.
* No way can the code be executed outside these restrictions.

Cheers - Bill


-------------------------------------------------------------------------
Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
(408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA