Date:      Tue, 14 Oct 1997 11:49:20 -0400 (EDT)
From:      "Christopher G. Petrilli" <petrilli@amber.org>
To:        Brian Beattie <beattie@stt3.com>
Cc:        Brian Mitchell <brian@firehouse.net>, Colman Reilly <careilly@monoid.cs.tcd.ie>, Douglas Carmichael <dcarmich@mcs.com>, freebsd-security@FreeBSD.ORG
Subject:   Re: C2 Trusted FreeBSD?
Message-ID:  <Pine.BSF.3.96.971014114159.2865D-100000@dworkin.amber.org>
In-Reply-To: <Pine.GSO.3.95.971014083012.1809E-100000@durin>

On Tue, 14 Oct 1997, Brian Beattie wrote:

> > This exclusion part is what makes it very difficult.  You must be capable
> > of giving access to everyone BUT a specific user.  While theoretically I
> > guess you could do it by managing billions of separate groups, I think
> > it would fail nonetheless because of practical enforcement concerns.
>
> This is an over-rigorous reading of this requirement.  The Gould (B1?)
> system made it clear that UNIX access control meets this requirement.
> This can be understood when you read the requirement to say that: it must
> be possible to exclude access to an object by one particular user.  This
> does not say that the system must provide a mechanism to exclude access
> to an object by every user on a user-by-user basis, a requirement every
> system would fail.

While you're right that the UNIX system might meet minimum requirements,
it would become unworkable in practice, and thereby I think we need to
investigate the idea of ACLs implemented into the FS.  This has other
distinct advantages that are not always obvious.

At a company I used to work at we had a system with 12,000 accounts
(database system, long story), and it used groups to enforce access.  On
this system we had over 1,500 groups, and I can testify that it was nearly
impossible to maintain them in any coherent strategy.

I'd like to see us move forward with perhaps a new paradigm in managing
access control to files, using strong inheritance principles (i.e. allow
files to be restricted while inheriting the restrictions of the directory,
without having to necessarily iterate them).  I think this would help in
pushing into a unified access control system for all access to the file
system.  Why not allow unification of web/non-web access into a single ACL
structure?

> When reading the Orange Book, remember that to meet the requirements it is
> in general sufficient to meet only the minimum requirements.  The authors
> were very careful in laying out the requirements without making
> assumptions on how they might be met.

You're absolutely right, but realistic interpretation says C2 is largely
useless.  I'd like to see FreeBSD pursue red-book interpretations of the
TCSEC rather than some standalone idea.  For note, Windows NT is certified
C2, but only when it doesn't have a network card or floppy in it.  Since
this is silly, we need to understand the world is now networked and pursue
the architecture from that perspective.

For example... implementation of policy-based and labelled VLANs thru
cryptographic enforcement and virtual-interfaces (B2 requires mandatory
labeling of all interfaces, and currently, almost all B2 certified systems
have a "single-level" interface).  This would allow you to have a trusted
management network layered on top of the main network.  This begins to
make the MLS system concepts usable in a more realistic manner.

Chris
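The two access-control models argued over above, "everyone but one user" done with groups versus done with a deny entry, and the idea of files inheriting a directory's restrictions, can be made concrete with a small toy evaluator. The following is an added example for this archived thread; it is not code from FreeBSD or from either correspondent. Every user, group, path and the ACL entry format are constructed for illustration, and the deny-overrides rule and "only deny entries are inherited" rule are design choices of the example, not a description of any shipping ACL implementation.

```python
"""Toy model of file ACLs with deny entries and directory inheritance.

Added example for the C2/ACL discussion; not FreeBSD code and not code
from anyone in the thread. Users, groups, paths and the entry format
are all constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

READ, WRITE, EXEC = "r", "w", "x"


@dataclass(frozen=True)
class AclEntry:
    kind: str              # "user" or "group"
    name: str
    allow: bool            # True grants the perms, False denies them
    perms: FrozenSet[str]  # subset of {"r", "w", "x"}


@dataclass
class Node:
    """A file or directory carrying its own ACL and a link to its parent."""
    name: str
    acl: List[AclEntry]
    parent: Optional["Node"] = None


def effective_entries(node: Node) -> List[AclEntry]:
    """The node's own entries plus restrictions inherited from every ancestor.

    Only deny entries are inherited (a constructed rule): a directory can
    narrow what a child grants but never widen it, which is the
    "restricted while inheriting the restrictions of the directory" idea."""
    entries = list(node.acl)
    cur = node.parent
    while cur is not None:
        entries.extend(e for e in cur.acl if not e.allow)
        cur = cur.parent
    return entries


def check(node: Node, user: str, groups: FrozenSet[str], perm: str) -> bool:
    """Deny-overrides evaluation: any matching deny refuses access;
    otherwise access needs at least one matching allow. Default is deny."""
    ents = effective_entries(node)

    def matches(e: AclEntry) -> bool:
        return (e.kind == "user" and e.name == user) or \
               (e.kind == "group" and e.name in groups)

    if any(matches(e) and not e.allow and perm in e.perms for e in ents):
        return False
    return any(matches(e) and e.allow and perm in e.perms for e in ents)


def unix_exclusion_groups(users: FrozenSet[str]) -> Dict[str, FrozenSet[str]]:
    """With only user/group/other modes, "everyone except X" needs one
    dedicated group per excludable user holding all the other users."""
    return {"all-but-" + u: users - {u} for u in users}


def groups_to_update_on_join(groups: Dict[str, FrozenSet[str]]) -> int:
    """Adding one account means editing every exclusion group (the newcomer
    belongs in each of them) plus creating the newcomer's own group."""
    return len(groups) + 1


def acl_exclusion(excluded: str) -> List[AclEntry]:
    """The same "everyone but X" policy as two ACL entries on the object."""
    return [
        AclEntry("group", "everyone", True, frozenset(READ)),
        AclEntry("user", excluded, False, frozenset(READ)),
    ]


def demo() -> Tuple[int, int, Dict[str, bool], bool, bool, bool]:
    users = frozenset({"alice", "bob", "carol", "dave"})

    # Group-only approach: N groups of N-1 members for N users.
    groups = unix_exclusion_groups(users)
    churn = groups_to_update_on_join(groups)

    # ACL approach: a single deny entry on the object does the exclusion.
    report = Node("report.txt", acl_exclusion("carol"))
    who = {u: check(report, u, frozenset({"everyone"}), READ) for u in users}

    # Inheritance: a directory-level deny narrows a permissive file ACL.
    projects = Node("projects",
                    [AclEntry("group", "contractors", False, frozenset(WRITE))])
    plan = Node("plan.txt",
                [AclEntry("group", "staff", True, frozenset({READ, WRITE}))],
                parent=projects)
    staff_w = check(plan, "bob", frozenset({"staff"}), WRITE)
    contractor_w = check(plan, "erin", frozenset({"staff", "contractors"}), WRITE)
    contractor_r = check(plan, "erin", frozenset({"staff", "contractors"}), READ)
    return len(groups), churn, who, staff_w, contractor_w, contractor_r


if __name__ == "__main__":
    print(demo())
```

The numbers are what matter for the maintenance argument: for four users the group-only model already needs four exclusion groups and five edits per new account, and the count grows linearly with the user population, whereas the ACL model adds exactly one deny entry per excluded user on the object itself. The inheritance part shows a contractor who is also in `staff` losing write access to `plan.txt` through the parent directory's deny while keeping read access, without the directory's restriction having to be copied onto each file.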

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.971014114159.2865D-100000>