TrustedBSD Extensions Project

David Collier-Brown - Sun Canada davecb at scot.canada.sun.com
Wed Apr 12 18:39:14 GMT 2000


robert said:
| > however, the stated goal of the project is to include the B1 feature
| > set as part of the target feature set, not necessarily to have the
| > project be evaluated, nor to limit the scope of the project to B1
| > features.
| 
| I would word it differently:  "The design goals of TrustedBSD do not
| fit well into Orange Book outdated scheme."

	Er, outdated is a statement of opinion.  I find it old,
	grungy, difficult to read and ... useful.
	

| What if your disk controller goes bad and decides to write a block of
| TOP SECRET information onto CLASSIFIED hard drive once in every ten
| thousand requests?
| 
| You would need to have a trusted disk controller that has extensive
| self-checks.  Do you know of such disk controllers in the market for
| PCs?  I don't.

	Actually the write never gets to the driver, having been
	caught up in the permissions module that all the open
	operations have to pass through.
	
	Indeed, I wouldn't care to put two differently-labelled
	hard partitions on a given disk: It's much easier to
	make the disk either single-level or multilevel.
	
| 
| > > #           3.1.3.2.1 Security Testing
| > > I.e., any remote DoS means no B1.  
...
| After re-reading the section I see that it implies that any
| *localhost* DoS is incompatible with B1.  

	That's a denial-of-service attack on the TCB, not the
	whole OS.  In fact, the spec has a predictable hole in
	it here: a denial-of-service attack on the whole system
	is never discussed.  It's hard enough to prevent attacks
	on small bits of code: they must preserve fairness and non-
	starvation guarantees, which were hard to even state in
	the days of Bell/LaPadula.
	
	
| Who, other than U.S. government users, want Orange Book certification
| or feature set?  I don't think I need it.

	H-P sells their firewalls hosted on a B1 OS, and 
	various individual companies do the same on other
	trusted OSs.
	 
| Just think about it:  Colored windows, and you can only cut-and-paste
| between windows of the same color.  How shall this work under X?
| How shall you identify rogue applications that mess with colormaps?

	No, the colors merely serve to remind the user that they
	can't copy from SECRET to UNCLAS on Trusted Solaris...
	
--dave
--
David Collier-Brown in Boston
Phone: (781) 442-0734, Room BUR03-3632
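The two mechanisms Dave refers to above, the open-time permissions check that stops a TOP SECRET write from ever reaching the driver of a lower-labelled partition, and the rule that keeps a user from copying from SECRET to UNCLAS between windows, are both instances of the Bell-LaPadula lattice checks. The following is an added example written for this archive page, not code from the thread, from TrustedBSD or from Trusted Solaris. The level names, the `Label`/`ReferenceMonitor` classes and the simulated driver queue are assumptions made for illustration.

```python
"""Toy Bell-LaPadula reference monitor (illustrative, not a real kernel module).

Models the point made in the message: every open() is mediated by a
policy check, so a disallowed write is refused before any request is
queued to the disk driver.  Label names are assumptions for the example.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import FrozenSet, List, Tuple


class Level(IntEnum):
    # Hierarchical sensitivity levels, named as in the thread (assumed set).
    UNCLAS = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """A sensitivity label: a level plus a (possibly empty) compartment set."""
    level: Level
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level is >= AND compartments are a superset.
        return (self.level >= other.level
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object must dominate the subject)."""
    return obj.dominates(subject)


def can_transfer(src: Label, dst: Label) -> bool:
    """Cut-and-paste between windows: data may only flow up the lattice."""
    return dst.dominates(src)


class ReferenceMonitor:
    """Mediation point that every open() passes through before I/O is queued."""

    def __init__(self) -> None:
        # (operation, path, allowed) decisions, as an audit trail
        self.audit: List[Tuple[str, str, bool]] = []
        # Requests that actually reach the simulated disk driver
        self.driver_queue: List[Tuple[str, bytes]] = []

    def open_and_write(self, subject: Label, path: str,
                       obj: Label, data: bytes) -> bool:
        allowed = can_write(subject, obj)
        self.audit.append(("write", path, allowed))
        if not allowed:
            return False  # refused here; the driver never sees the request
        self.driver_queue.append((path, data))
        return True

    def open_and_read(self, subject: Label, path: str, obj: Label) -> bool:
        allowed = can_read(subject, obj)
        self.audit.append(("read", path, allowed))
        return allowed


if __name__ == "__main__":
    # Constructed scenario: a TOP SECRET process and a CONFIDENTIAL partition.
    monitor = ReferenceMonitor()
    ts = Label(Level.TOP_SECRET)
    conf = Label(Level.CONFIDENTIAL)
    monitor.open_and_write(ts, "/dev/conf_part", conf, b"block of TS data")
    monitor.open_and_read(ts, "/dev/conf_part", conf)
    for entry in monitor.audit:
        print(entry)
    print("requests that reached the driver:", monitor.driver_queue)
    print("SECRET -> UNCLAS paste allowed?",
          can_transfer(Label(Level.SECRET), Label(Level.UNCLAS)))
```

The write-down attempt is logged and refused inside `open_and_write`, so `driver_queue` stays empty; the disk controller's reliability is a separate (hardware) concern from the policy decision, which is the distinction the message draws. Compartments are included so the same `dominates` relation covers the non-hierarchical part of the lattice as well.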

To Unsubscribe: send mail to majordomo at trustedbsd.org
with "unsubscribe trustedbsd-discuss" in the body of the message