[E-Lang] draft statement of consensus

Karp, Alan alan_karp@hp.com
Tue, 6 Feb 2001 15:34:44 -0800


I don't really think of the browser example as MLS as described in the
Orange Book.  (Sorry to put you back to square one, MarkM.)  MLS normally
embodies the "read down, write up" rules.  As I understand the term,
restricted-MLS embodies the "read and write only at your level" rule.  The
whole covert channels discussion in the Orange Book is intended to limit the
bandwidth of ways around the enforcement of these rules.

Every company I have heard of has MLS.  A common set is Public
(advertising), Internal Use Only (internal phone directory), Confidential
(invention disclosures), Restricted (business plans), Private (unannounced
financial results).  These classifications are frequently, but not always,
associated with compartments.  In general, the only mechanism companies have
to enforce these rules is the employment contract; they can fire you if you
disclose or modify information inappropriately.

We were able to express MLS in e-speak Beta 2.2 because we could force a
process to submit certain capabilities, and because each capability was not
necessarily associated with a specific object.  For example, we could define
the "Secret" capability, put it on the process's mandatory key ring, and use
its presence to implement mandatory restricted-MLS or discretionary MLS.

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
 

> -----Original Message-----
> From: Mark S. Miller [mailto:markm@caplet.com]
> Sent: Tuesday, February 06, 2001 12:30 PM
> To: Marc Stiegler
> Cc: Jonathan S. Shapiro; E Language Discussions; Bill Frantz
> Subject: Re: [E-Lang] draft statement of consensus
> 
> 
> 
> >Bill wrote:
> >> I would love to set up a MLS system where code downloaded by my web
> >browser
> >> was restricted.  Some restrictions I would like include:
> >>
> >> * No way can it read my address book.  (Ditto for email messages.)
> >> * No way can it schedule system startup tasks.
> >> * No way can the code be executed outside these restrictions.
> 
> At 11:14 AM Tuesday 2/6/01, Marc Stiegler wrote:
> >My Capzilla browser, when launching caplets, already 
> achieves these goals,
> >and I don't even know what MLS is :-) So if this is a good 
> example, then I'd
> >guess you can do it with pure capabilities :-)
> 
> 
> This is an excellent example of the problem I've had 
> understanding what MLS 
> is *for*.  All the non governmental examples seem like stuff 
> you can do with 
> just capabilities, without ever thinking "MLS".
> 
> 
>         Cheers,
>         --MarkM
> 
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
>