Announcement: TrustedBSD Extensions Project

jont at jont at
Mon Apr 10 20:08:55 GMT 2000

[ administrative - to avoid spammers please make the list subscriber send
only ]

Someone, perhaps Phil Pennock <phil at>, wrote:

| Typing away merrily, Robert Watson produced the immortal words:
| > o Mandatory access control for privacy and integrity, allowing FreeBSD
| >   to be used in environments hosting mutually suspicious parties and
| >   multi-level security models.

| Hrm - my understanding of mandatory access controls[1] leads me to
| believe that they're of use where you don't trust everyone in your own
| party; whether that's their integrity or their competence is not the
| issue.

Mandatory access controls are controls which are mandatory from _your_
perspective! Sometimes this means mandatory with regard to your personal
perspective and sometimes it means mandatory with regard to the perspective
of general programs you run.
So for example there are mandatory controls over the password file,
which does not mean you can't change your password using "trusted" paths
(unfortunately these are frequently inappropriately trusted).

| Where you merely have mutually suspicious parties, discretionary access
| controls are, AIUI, sufficient.  Excepting for DoS attacks.

If you have mutually suspicious parties there is no way to do either of the
following using discretionary techniques:
 a) let them access your data with their code in their security context
     (you don't want them stealing your data)
 b) let them access your data with their code in your security context
       (they don't want you stealing their code/algorithms/embedded data)

Here even I am sweeping some things under the carpet, because I'm assuming
a user-based discretionary model, and even some things about the model ...

| In what situations not involving lack of trust in your own party do MACs
| protect against another party?  If you are worried about DoS attacks,
| then aren't resource quotas sufficient, as opposed to all-out MACs, with
| all that implies for abolishing covert timing channels?  *wince*

There is frequently confusion between mandatory access control and
(aka lattice) access control, because lattice based controls are always
mandatory though the inverse is not true.

- JonT

| [1] I've never played with a system which has them.

Just installing Trusted Solaris 2.5 was a chore; I never went beyond that.
[ Though that was in part a lack of paper documentation - reading the CD-ROM
documentation before you have the install running is a problem; the
documentation CD is not readable on Windows (file name conventions). ]

Jon Tidswell
Advanced OS Technology Group / Sawmill Linux Project
IBM TJ Watson Research Center 30 Saw Mill River Road, Hawthorne, N.Y. 10532

Email: jont at   Voice: +1 914 784 7550

To Unsubscribe: send mail to majordomo at
with "unsubscribe trustedbsd-discuss" in the body of the message
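
The point argued above, that owner-controlled (discretionary) permissions cannot stop a suspicious party's code from passing on data it was allowed to read while label-based mandatory rules can, shown as an added example that is not part of the original post or of TrustedBSD. It is a constructed Python model: the class names, the users alice, bob and carol, and the use of compartment sets ordered by subset as labels are all assumptions.

```python
# Constructed model for illustration; names and labels are assumptions, not TrustedBSD code.
from dataclasses import dataclass, field

@dataclass
class DacFile:
    owner: str
    data: str = ""
    readers: set = field(default_factory=set)   # ACL, edited at the owner's discretion
    def read(self, user):
        if user != self.owner and user not in self.readers:
            raise PermissionError(f"DAC: {user} may not read")
        return self.data
    def grant(self, actor, user):
        if actor != self.owner:
            raise PermissionError("DAC: only the owner changes the ACL")
        self.readers.add(user)

def dac_leak():
    secret = DacFile(owner="alice", data="alice-data")
    secret.grant("alice", "bob")                           # Alice shares with Bob
    copy = DacFile(owner="bob", data=secret.read("bob"))   # the copy is Bob's object
    copy.grant("bob", "carol")                             # Bob's discretion, not Alice's
    return copy.read("carol")

@dataclass
class MacObject:
    label: frozenset     # set of compartments; the lattice order is subset
    data: str = ""

def mac_read(subject_label, obj):
    if not obj.label <= subject_label:        # subject label must dominate the object
        raise PermissionError("MAC: read denied")
    return obj.data

def mac_write(subject_label, obj, data):
    if not subject_label <= obj.label:        # object label must dominate the subject
        raise PermissionError("MAC: write denied")
    obj.data = data

def mac_confined():
    proc = frozenset({"alice", "bob"})        # label of Bob's code running on Alice's data
    secret = MacObject(frozenset({"alice"}), "alice-data")
    result = MacObject(frozenset({"alice", "bob"}))
    mac_write(proc, result, mac_read(proc, secret).upper())
    try:
        mac_write(proc, MacObject(frozenset({"bob"})), mac_read(proc, secret))
        return "leaked"
    except PermissionError:
        return result.data
```

In this model the result object carries the label {alice, bob}, so a process labelled only {alice} or only {bob} cannot read it.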
