At 06:31 AM 8/20/99, shapj@us.ibm.com wrote:
>For those of you who are interested in KeyKOS/EROS, and more broadly in
>security assessments, you might enjoy reading the assessment of KeyKOS that
>appears in the DTOS General System Security and Assurability Assessment
>Report, which can be found at the bottom of:
>
> http://www.securecomputing.com/randt/HTML/technical-docs.html
Here's the summary of KeyKOS from that report (p49 of the PDF):
>The developers of KeyKOS and KeySAFE were obviously committed to security
>as one of the fundamental goals of the system. Moreover, the interest in a
>range of policies is unique to the systems considered in this report, with
>the exception of DTOS. The proposed solutions are quite creative, and may
>have in fact pushed the limits of a capability system to satisfy MAC
>policies about as far as it can be pushed. KeySAFE has certainly pushed the
>limits farther than some had thought possible.
>
>Nonetheless, we still have strong reservations about security and
>assurance for KeySAFE, ultimately due to the lack of explicit labeling of
>objects. As already discussed, this lack severely complicates analysis of
>the Total Isolation Invariant. It also can be expected to complicate
>analysis of other properties as well. For instance, the factory mechanism
>is a particularly graphic example of the complexities that need to be added
>to solve a problem that can be quite easily solved if explicit labeling is
>provided.
>
>Finally, there is little defense-in-depth in KeySAFE. There are many
>examples in the system where a single implementation error can lead to
>dramatic failures in security, with no way to detect the error through
>auditing and often ways for one error to propagate and lead to an entire
>sequence of security failures. For instance, a single key propagation in
>violation of the security policy can lead to an entire sequence of such
>violations, with no possibility of an audit trail.
Comments?
Cheers,
--MarkM