Bell LaPadula (was Re: MAC implementation with definable policy)

[Ilmar S. Habibulin]

On Wed, 6 Oct 1999, Peter J. Holzer wrote:

> > Order not often are confidetial. ;-)
> Yes, but according to the Bell-LaPadula model, everything somebody who
> has access to confidential information, utters, is confidential, so in
> the BLM, orders are confidential (which doesn't make sense, IMHO).
This is the BLM trouble. The model is verrrrrrry simple, but in order to
implement it you have to jump over your head.
So only part of interactions inside OS obeys the model. 

> Lets take a somewhat more computer-oriented example. 
But not DB one.

> Assume we have a database which contains data about individuals (e.g.,
> name, age, sex, income, etc.). The data about every single individual is
> considered confidential. However, statistical data on the whole database
> (e.g, percentage of male/female, distribution of age, income, etc.) is
> not considered confidential. As I understand the BLM, it is not possible
> to have a program which reads the confidential database, extracts
> statistics from it and writes the results to a non-confidential file. 
I have only opposite experience. ;-) Fields, containing confidential data,
became more confidential as a whole. Why do you think there is a rainbow
book concerning trusted databases?

> It is of course possible if you combine BL with capabilities, so you can
> grant "read up" or "write down" permissions to the program.
Yes. So do people do. But this must be a _trusted_programm_.


To Unsubscribe: send mail to majordomo at cyrus.watson.org
with "unsubscribe posix1e" in the body of the message