Re: [RFC][PATCH 2/3] SLIM

From: Stephen Smalley (sds@private)
Date: Mon Nov 28 2005 - 07:11:14 PST


On Fri, 2005-11-18 at 14:38 -0500, David Safford wrote:
> While LOMAC as an implementation is certainly OBE, low water-mark as a
> model is not. The trade-offs were in the security of LOMAC's
> implementation, not in the security of the underlying low water-mark
> model. In fact, Biba published a security proof for the low
> water-mark model, while I am not aware of any such proofs for Type
> Enforcement.

Actually, the LOMAC manual itself noted that the model suffers in its
quality of protection, not just the implementation of the model (Section
7 of the manual, if you want to go read it).  Also discussed in Fraser's
paper.  Same basic issues as Biba and BLP, i.e. lack of support for
enforcing least privilege, reliance on trusted subjects, lack of support
for assured pipelines.  

With regard to proofs about security properties, TE is simply the
Lampson access matrix organized into equivalence classes for efficiency,
as noted by Boebert.  Thus, any proofs about the provided security
properties have to be based on the actual state of the matrix (generated
from the configuration), and tools like apol and slat provide a way of
analyzing and checking the properties.  Note that unlike the
discretionary case, the TE access matrix isn't subject to arbitrary
rights propagation.

With regard to low water mark, to elaborate slightly on my prior
comments, non-tranquility in the task security labels raises the obvious
concerns about revocation of access, e.g. do you ensure that a high
integrity process that is demoted truly loses all access to high
integrity resources it already holds (hint:  you can't provide complete
revocation with LSM today, nor are you likely to ever do so in Linux -
complete revocation is rather difficult and made more so by the kernel
model and interface; see the Flask and Fluke papers).  Automatic changes
in the task security labels raise obvious concerns about applications
failing in interesting ways upon such demotion, e.g. high integrity
process starts a transaction, reads low integrity data and is demoted,
and is unable to complete the transaction, thereby leaving the store
corrupted.

-- 
Stephen Smalley
National Security Agency
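The revocation and transaction concerns raised in the message are easy to see in a toy monitor. The following Python is an added illustration, not code from the original post or from LOMAC; the labels, the `ledger`/`user_config` objects and the `run_transaction` scenario are constructed. It models the Biba low water-mark rule (a subject that reads lower-integrity data is demoted to that level) and lets you toggle whether held write handles are re-validated after a demotion.

```python
from dataclasses import dataclass, field

HIGH, LOW = 2, 1  # higher number = higher integrity (constructed two-level lattice)


@dataclass
class Obj:
    name: str
    level: int
    contents: list = field(default_factory=list)


@dataclass
class Subject:
    name: str
    level: int
    handles: dict = field(default_factory=dict)  # handle id -> Obj opened for write


class LowWaterMarkMonitor:
    """Toy reference monitor: mediates open/read/write and applies the
    low water-mark rule (reading lower-integrity data demotes the reader)."""

    def __init__(self, complete_revocation):
        self.complete_revocation = complete_revocation
        self.log = []

    def open_write(self, s, o):
        # Biba integrity *-property: no write up.
        if s.level < o.level:
            self.log.append(f"deny open_write {s.name} -> {o.name}")
            return None
        h = len(s.handles)
        s.handles[h] = o
        self.log.append(f"open_write {s.name} -> {o.name} as handle {h}")
        return h

    def read(self, s, o):
        # Low water-mark: the subject's label drops to the object's level.
        if o.level < s.level:
            self.log.append(f"demote {s.name}: level {s.level} -> {o.level}")
            s.level = o.level
            if self.complete_revocation:
                # Re-validate every handle already held against the new label.
                for h, held in list(s.handles.items()):
                    if s.level < held.level:
                        del s.handles[h]
                        self.log.append(f"revoke handle {h} ({held.name}) from {s.name}")
        return list(o.contents)

    def write(self, s, h, record):
        o = s.handles.get(h)
        if o is None:
            self.log.append(f"deny write {s.name} handle {h}: revoked")
            return False
        # Without complete revocation nothing re-checks here: a demoted subject
        # keeps writing through a handle it obtained while still high integrity.
        o.contents.append(record)
        self.log.append(f"write {s.name} -> {o.name}: {record}")
        return True


def run_transaction(complete_revocation):
    """The scenario from the message: a high-integrity process starts a
    transaction on a high-integrity store, reads low-integrity data (and is
    demoted), then tries to commit. Returns (store contents, monitor log)."""
    mon = LowWaterMarkMonitor(complete_revocation)
    ledger = Obj("ledger", HIGH)                               # high-integrity store
    config = Obj("user_config", LOW, ["untrusted setting"])  # low-integrity input
    proc = Subject("txproc", HIGH)
    h = mon.open_write(proc, ledger)
    mon.write(proc, h, "BEGIN")
    mon.read(proc, config)  # low water-mark: proc is demoted to LOW here
    mon.write(proc, h, "COMMIT")
    return ledger.contents, mon.log


if __name__ == "__main__":
    for flag in (False, True):
        contents, log = run_transaction(flag)
        print(f"complete_revocation={flag}: ledger={contents}")
        print("  " + "\n  ".join(log))
```

Both settings end badly, which is the point: without complete revocation the demoted process writes `COMMIT` into the high-integrity ledger through a handle it no longer should hold, and with complete revocation the write is refused and the ledger is left with a dangling `BEGIN`.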

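The remark that TE is the Lampson access matrix grouped into equivalence classes, and that properties have to be checked against the expanded matrix, can also be shown concretely. The following Python is an added illustration, not code from the original post, from SELinux, or from apol/slat; the type names, entities and allow rules are a constructed sample policy. It expands per-type allow rules into the per-entity matrix and runs a simple read/write information-flow search over the rules, the kind of check that the analysis tools mentioned in the message automate.

```python
from collections import deque

# Constructed sample policy; type and entity names are hypothetical.
ALLOW_RULES = [
    # (domain, object type, permissions)
    ("admin_t", "sysfile_t", {"read", "write"}),
    ("admin_t", "tmp_t", {"read"}),
    ("httpd_t", "webcontent_t", {"read"}),
    ("httpd_t", "tmp_t", {"read", "write"}),
]

SUBJECTS = {"pid 1 (init)": "init_t", "apache worker": "httpd_t", "root shell": "admin_t"}
OBJECTS = {"/etc/passwd": "sysfile_t", "/var/www/index.html": "webcontent_t", "/tmp/upload": "tmp_t"}


def expand_matrix(rules, subjects, objects):
    """Expand per-type allow rules into the per-entity Lampson access matrix:
    each (subject, object) cell is the permission set of its (domain, type) class."""
    by_type = {}
    for domain, obj_type, perms in rules:
        by_type.setdefault((domain, obj_type), set()).update(perms)
    matrix = {}
    for subj, domain in subjects.items():
        for obj, obj_type in objects.items():
            perms = by_type.get((domain, obj_type))
            if perms:
                matrix[(subj, obj)] = set(perms)
    return matrix


def write_flow_edges(rules):
    """Edges src_type -> (domain, dst_type): a domain that can read src and
    write dst can carry data, and therefore low integrity, from src to dst."""
    reads, writes = {}, {}
    for domain, obj_type, perms in rules:
        if "read" in perms:
            reads.setdefault(domain, set()).add(obj_type)
        if "write" in perms:
            writes.setdefault(domain, set()).add(obj_type)
    edges = {}
    for domain, srcs in reads.items():
        for src in srcs:
            for dst in writes.get(domain, ()):
                if src != dst:
                    edges.setdefault(src, []).append((domain, dst))
    return edges


def find_flow(rules, src, dst):
    """Breadth-first search for a flow from object type src to object type dst.
    Returns the path as a list alternating object types and the domains that
    carry the data, or None when the policy admits no such flow."""
    edges = write_flow_edges(rules)
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        for domain, nxt in edges.get(path[-1], []):
            if nxt == dst:
                return path + [domain, nxt]
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [domain, nxt])
    return None


# Hardened variant: drop the single rule that lets admin_t read tmp_t.
HARDENED_RULES = [r for r in ALLOW_RULES if r[:2] != ("admin_t", "tmp_t")]

if __name__ == "__main__":
    for cell, perms in sorted(expand_matrix(ALLOW_RULES, SUBJECTS, OBJECTS).items()):
        print(cell, sorted(perms))
    print("tmp_t -> sysfile_t:", find_flow(ALLOW_RULES, "tmp_t", "sysfile_t"))
    print("hardened:", find_flow(HARDENED_RULES, "tmp_t", "sysfile_t"))
```

The search reports that data written by `httpd_t` into `tmp_t` can reach `sysfile_t` through `admin_t`, a property that is only visible once the rules are analysed as a matrix; removing the one `admin_t`/`tmp_t` read rule closes the path. Since the rules are fixed by the configuration rather than granted at run time, the matrix the check runs against is the one actually enforced, which is the contrast with the discretionary case drawn in the message.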


This archive was generated by hypermail 2.1.3 : Mon Nov 28 2005 - 07:05:18 PST