[E-Lang] draft statement of consensus

Karp, Alan alan_karp@hp.com
Wed, 7 Feb 2001 08:46:03 -0800


> -----Original Message-----
> From: Bill Frantz [mailto:frantz@pwpconsult.com]
> Sent: Tuesday, February 06, 2001 10:35 PM
> To: Mark S. Miller; Marc Stiegler
> Cc: Jonathan S. Shapiro; E Language Discussions
> Subject: Re: [E-Lang] draft statement of consensus
> 
> 
> At 12:29 PM -0800 2/6/01, Mark S. Miller wrote:
> >>Bill wrote:
> >>> I would love to set up a MLS system where code downloaded by my web browser
> >>> was restricted.  Some restrictions I would like include:
> >>>
> >>> * No way can it read my address book.  (Ditto for email messages.)
> >>> * No way can it schedule system startup tasks.
> >>> * No way can the code be executed outside these restrictions.
> >
> >At 11:14 AM Tuesday 2/6/01, Marc Stiegler wrote:
> >>My Capzilla browser, when launching caplets, already achieves these goals,
> >>and I don't even know what MLS is :-) So if this is a good example, then I'd
> >>guess you can do it with pure capabilities :-)
> >
> >
> >This is an excellent example of the problem I've had understanding what MLS
> >is *for*.  All the non-governmental examples seem like stuff you can do with
> >just capabilities, without ever thinking "MLS".
> 
> At 12:14:00 -0700 2/6/01, Marc Stiegler wrote:
> >My Capzilla browser, when launching caplets, already achieves these goals,
> >and I don't even know what MLS is :-) So if this is a good example, then I'd
> >guess you can do it with pure capabilities :-)
> 
> Do note that Key Logic designed a MLS system using a pure capability system
> as a mechanism.  We were working on getting a B2, until we found out how
> much it would cost.
> 
> 
> I think when the MLS ideas were developed, the designers had the Unix
> system as their model.  They assumed that programs ran with the full
> authority of their users, so you needed some mandatory mechanism to keep
> the program from using its (full) authority to provide access in excess of
> the mandatory policy.  My web browser example attempted to describe the
> essence of this mindset.

Actually, my reading of the matter is quite different.  I believe the Orange
Book attempts to express in computer terms policies that were in effect long
before computers were used to hold confidential information.  This approach
is quite common, using a new technology to implement existing procedures.
You'll note, for example, that the policies are information, if not file,
specific.  They say little about invocation.  Instead, they center on
controlling information flow across security levels.  I don't see anything
about assuming programs have the full authority of their users, either.
In fact, it's the people who aren't trusted, not just the programs.  I do
agree, however, that most implementations of MLS are based on the Unix model
where programs get the full authority of the account under which they run.

> 
> Cheers - Bill
> 
> 
> -------------------------------------------------------------------------
> Bill Frantz       | Microsoft Outlook, the     | Periwinkle -- Consulting
> (408)356-8506     | hacker's path to your      | 16345 Englewood Ave.
> frantz@netcom.com | hard disk.                 | Los Gatos, CA 95032, USA
> 
> 
> _______________________________________________
> e-lang mailing list
> e-lang@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/e-lang
> 

_________________________
Alan Karp
Principal Scientist
Decision Technology Department
Hewlett-Packard Laboratories MS 1U-2
1501 Page Mill Road
Palo Alto, CA 94304
(650) 857-3967, fax (650) 857-6278
https://ecardfile.com/id/Alan_Karp
http://www.hpl.hp.com/personal/Alan_Karp/
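As an added illustration of the two models this exchange contrasts (a constructed example, not code from any list member or from E itself): an MLS-style design where every subject acts with its user's clearance and a mandatory label check on each read and write governs information flow across levels, beside a capability-style design where the downloaded caplet simply holds nothing but the references its launcher handed it. The file names, labels and `granted` dictionary are assumptions made up for the demonstration.

```python
# Constructed illustration of the thread's two models; not code from any list member or from E.

LEVELS = {"public": 0, "confidential": 1}

class LabeledStore:
    """Labeled files; each access is checked against the subject's clearance."""
    def __init__(self):
        self.files = {}  # name -> (label, contents)

    def create(self, name, label, contents):
        self.files[name] = (label, contents)

    def read(self, name, clearance):
        label, contents = self.files[name]
        if LEVELS[label] > LEVELS[clearance]:      # "no read up"
            raise PermissionError(f"read up: {name} is {label}")
        return contents

    def write(self, name, clearance, contents):
        label, _ = self.files[name]
        if LEVELS[label] < LEVELS[clearance]:      # "no write down"
            raise PermissionError(f"write down: {name} is {label}")
        self.files[name] = (label, contents)

def mls_caplet(store):
    """Downloaded code running with the user's full (confidential) clearance:
    it may read the address book, but the mandatory policy decides what it may write."""
    entries = store.read("address_book", "confidential")
    try:
        store.write("outbox", "confidential", entries)
        return "leaked"
    except PermissionError:
        return "blocked by mandatory policy"

def capability_caplet(granted):
    """Caplet in a capability system: `granted` is everything the launcher handed it."""
    book = granted.get("address_book")
    if book is None:
        return "no reference to address book: nothing to leak"
    granted["outbox"].extend(book)                 # leaks only if it was granted
    return "leaked"

def demo():
    store = LabeledStore()
    store.create("address_book", "confidential", ["alice", "bob"])
    store.create("outbox", "public", [])
    return (mls_caplet(store),
            capability_caplet({"outbox": []}),
            capability_caplet({"outbox": [], "address_book": ["alice"]}))
```

In the first model the program is trusted with everything and a policy check must catch the leak; in the second the leak is impossible unless the launcher chose to grant the reference, which is the point Marc Stiegler makes about Capzilla.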