
Re: photuris-06.txt



   Date: Sun, 5 Nov 95 16:08:42 GMT
   From: "William Allen Simpson" <bsimpson@morningstar.com>

   > What you call "plain-old multi-user operating systems", by which I would
   > assume mean systems like Windows NT and ITS, I would merely call them
   > "single-user operating systems", or "insecure multi-user operating
   > systems".

   Fine.  I will change the wording to "secure multi-user operating systems
   with mandatory access controls".

[You keep using terms like "inconceivable"... errr, "mandatory access
controls" and "multi-level systems"; I don't think it means what you
think it means.....]

You should remove "mandatory access controls" from the draft.
Photuris will work fine on a properly implemented, secure operating
system with non-discretionary access controls --- which means access
controls which are under the control of the owner of the object.  That
is, if I own a file, I can decide whether or not Bob or Alice is allowed
to look at it, and the operating system will respect my wishes, and not
allow an attacker to circumvent the access controls which I placed on
that object.

"Mandatory access controls" means that even if I own the file, I may not
be allowed to let Bob or Alice look at it.  I won't be able to mail it
to them, or print it on a printer which they might be able to get access
to.  If I'm running X11 windows, it means that the operating system has
to keep track of whether I'm allowed to cut from one window to another,
lest I be able to send a top-secret file to Bob or Alice, who have only
secret clearance.

There are those who claim that the only reason why mandatory access
controls are at all useful on modern computer systems is because
generals want to be able to play (non-classified) Tetris on the same
system where they have top-secret files stored.  Many years ago, it
might have been useful when it cost millions of dollars to purchase
and operate mainframe-style systems in a data center.  However, given
how cheap hardware is today, it's much simpler and cheaper to have one
computer that's only used for top-secret data, and another computer
that's only used for non-classified data, instead of going to amazing
lengths to try to segregate top-secret and non-classified data on one
machine.

Whether or not MLS systems are only useful for enriching Beltway
Bandits, and should be considered in the same category as $50,000 coffee
machines, I will leave to others to debate.  However, there is
absolutely no reason why Photuris needs to make any requirements on an
operating system to provide "mandatory access controls."

Bill, if you really believe that Photuris requires this level of
protection before it's useful, could you please explain your reasoning?
My guess is that you didn't really mean "mandatory access controls" in
the sense which I described it above.

						- Ted


