[redhat-lspp] Write up restrictions

Frank Mayer mayerf at tresys.com
Wed Jun 29 14:17:57 UTC 2005


> However, there are
> still cases where this MLS restriction can be useful. One example
> could be files of the same type, like home directories, in which we can't
> use the TE to help enforce the integrity, but we can use the MLS
> restriction to limit the write up.

But you are making the false presumption that higher level files are of
higher integrity.

> Write ups are valuable and that is why it can be allowed with a
> simple attribute to process. MLS has shortcomings and that is why TE
> can greatly increase the overall security of the system. Is it not
> fair to try to increase the security of the MLS model when possible?
> A defense in depth approach would agree that a strong MLS and TE
> model lead to the strongest system.

Again your false presumption. That is the problem. MLS is not an integrity
policy. You are not increasing MLS security, you are perpetuating false
assurance and confusion over what MLS can do. We should not make application
engineering think that writing up is somehow an evil privilege on par with
writing down (some I've run into think writing down is less evil than
writing up).

> This mechanism isn't disallowing this. This is just adding a
> restriction making sure the clearance of the process is system high
> to have write access. 

Why? What value does it add? Does nothing to prevent the unintended
downgrading of information, the sole purpose of MLS.

> This is similar to the fact you would want to
> make sure the type of the process has access, why can't we also make
> sure the MLS label has access as well. 

What access are you restricting? The flow of information up? We can't even
do that, only one flavor of upward flow. It makes no sense unless you're
confusing the intent of MLS (confidentiality) with integrity.

> This would mean you would have
> to misconfigure TE and MLS to have undesired access instead of just
> one.      

Because the false presumption is misguided. Higher sensitivity does not
imply higher quality/integrity. Writing up no more upgrades information than
reading down does, but no one objects to reading down. And remember we don't
trust any of the application software, so you can't argue that somehow the
shell/application running at the higher level is of more integrity than the
same program running at the lower level.

On the other hand, for good MLS security engineering there are lots of
examples where I want all processes to write up, well past the user's
clearance level. Logging; MLS-aware, untrusted apps; even trusted apps where
you use this high level to restrict write downs but I still want to write up
above that high level.

I hate to use one of my own papers as a reference, but off hand it's the only
one I can think of that talks around the issue of using write ups and read
downs for untrusted MLS aware applications: Mayer, Padilla, "An Example
Complex Application for High Assurance Systems," 15th National Computer
Security Conference, October 1992 (sorry I don't have a hyperlink off hand,
but if you really want to see the paper I have a .ps file somewhere).
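Added illustration, not part of the thread and not code from either author: a toy sensitivity lattice (levels s0..s3 with categories c0,c1, an assumed shape) on which the Bell-LaPadula read-down/write-up rules, the Biba dual, and one reading of the quoted proposal ("a strict write-up is allowed only when the process clearance is system high") can be compared mechanically. The point it checks is the one the message makes: the extra restriction removes no downward flow at all, and every write it does remove is a write-up that an integrity (Biba) rule would refuse, so it is an integrity rule wearing a confidentiality label. The logging scenario at the end is constructed for the example.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Callable, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Label:
    """One MLS label: a sensitivity level plus a category set (cf. SELinux s0..s3 and c0,c1)."""
    level: int
    cats: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.cats >= other.cats

    def strictly_dominates(self, other: "Label") -> bool:
        return self.dominates(other) and self != other


# Assumed lattice top for this toy: level 3 with every category.
SYSTEM_HIGH = Label(3, frozenset({"c0", "c1"}))


@dataclass(frozen=True)
class Subject:
    """A process: the level it currently runs at and its clearance (top of its range)."""
    current: Label
    clearance: Label


WriteRule = Callable[[Subject, Label], bool]


def blp_read(s: Subject, o: Label) -> bool:
    """Bell-LaPadula simple security property: read down (or at the same level)."""
    return s.current.dominates(o)


def blp_write(s: Subject, o: Label) -> bool:
    """Bell-LaPadula *-property: write only to objects at or above the current level."""
    return o.dominates(s.current)


def biba_write(s: Subject, o: Label) -> bool:
    """Biba integrity *-property, the dual rule: write only at or below the current level."""
    return s.current.dominates(o)


def restricted_write(s: Subject, o: Label) -> bool:
    """The quoted proposal as modelled here (an assumption): a strict write-up
    additionally requires the process to hold a system-high clearance."""
    if not blp_write(s, o):
        return False
    return o == s.current or s.clearance == SYSTEM_HIGH


def all_labels() -> List[Label]:
    """Every level/category combination of the toy lattice (4 levels x 4 category subsets)."""
    cats = ("c0", "c1")
    return [Label(level, frozenset(subset))
            for level in range(4)
            for r in range(len(cats) + 1)
            for subset in combinations(cats, r)]


def all_subjects(labels: List[Label]) -> List[Subject]:
    """Each label as a current level, once with a minimal clearance and once with system-high clearance."""
    return [Subject(l, l) for l in labels] + [Subject(l, SYSTEM_HIGH) for l in labels]


Pair = Tuple[Subject, Label]


def downgrading_writes(rule: WriteRule, subjects, objects) -> Set[Pair]:
    """Writes the rule permits where the object is strictly below the writer: information
    flowing down, which is the only thing MLS confidentiality exists to prevent."""
    return {(s, o) for s in subjects for o in objects
            if rule(s, o) and s.current.strictly_dominates(o)}


def writes_blocked_beyond_blp(rule: WriteRule, subjects, objects) -> Set[Pair]:
    """Writes that plain Bell-LaPadula allows but the given rule refuses."""
    return {(s, o) for s in subjects for o in objects
            if blp_write(s, o) and not rule(s, o)}


if __name__ == "__main__":
    labels = all_labels()
    subjects = all_subjects(labels)
    # Constructed scenario from the message: an ordinary user process appending to a system-high log.
    user = Subject(Label(1, frozenset({"c0"})), Label(1, frozenset({"c0"})))
    print("BLP lets the user append to the log:", blp_write(user, SYSTEM_HIGH))
    print("restricted rule lets it:", restricted_write(user, SYSTEM_HIGH))
    print("downgrades under BLP:", len(downgrading_writes(blp_write, subjects, labels)))
    print("downgrades under restricted rule:", len(downgrading_writes(restricted_write, subjects, labels)))
    blocked = writes_blocked_beyond_blp(restricted_write, subjects, labels)
    print("writes the restriction removes:", len(blocked),
          "- all of them write-ups Biba would also refuse:",
          all(not biba_write(s, o) for s, o in blocked))
```

Running it shows zero downgrading writes under both rules, so the restriction buys nothing for the property MLS is meant to enforce, while the logging process in the constructed scenario loses its append to the system-high log unless it is given a system-high clearance.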
