Unix security additions

Barry Margolin barmar at think.com
Wed Mar 20 05:33:42 AEST 1991


In article <19114 at rpp386.cactus.org> jfh at rpp386.cactus.org (John F Haugh II) writes:
>At some point in time you ultimately have to trust the people who you
>have given access to this data to.  This is why it is permissible to
>type from a higher level window to a lower level window - simply because
>desk blotters and note pads lack MAC labels.  As for why you can't have
>cut and paste between windows, hell, seems like a completely arbitrary
>restriction to me - provided the invoker has the authority to downgrade
>information, that is.  "downgrader" isn't exactly an authority that
>should be tossed around, so maybe there is something to it ...

The problem is that while you may trust the *people*, you can't always
trust the software they run.  In many window systems, it is possible for
software to simulate user actions, and this is ripe breeding ground for
Trojan Horses.  If a user can manually cut and paste, then a TH can
simulate this and downgrade information without the user realizing it.

However, if cut-and-paste uses a "trusted path" that can't be emulated by
unverified software (which probably requires much of the window system to
be in the TCB, yuck) then it might be feasible to relax such restrictions
in some environments.  Such operations must be audited, but if you permit
downgrading at such a fine grain then tracing back the information in
the logs can be difficult (cut buffers don't generally remember the name of
the document from which the data came).
--
Barry Margolin, Thinking Machines Corp.

barmar at think.com
{uunet,harvard}!think!barmar
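The trusted-path and audit points in the reply above, as an added illustration that is not part of the original post or of any real TCB: a toy reference monitor for label-aware paste between windows that always allows moves to a dominating label, refuses any downgrade that did not arrive over the trusted path, requires the downgrader authority otherwise, and records the source document in every audit entry so that a downgrade can later be traced back. The level names, window and document names, and the `downgrader` authority string are constructed for the example.

```python
from dataclasses import dataclass

# Constructed, linearly ordered sensitivity levels (no compartments, for brevity).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}

@dataclass
class Window:
    name: str
    level: str
    document: str        # document shown in the window, kept so audit can name it

@dataclass
class Subject:
    user: str
    authorities: frozenset = frozenset()   # e.g. {"downgrader"} (constructed name)

@dataclass
class PasteRequest:
    src: Window
    dst: Window
    subject: Subject
    via_trusted_path: bool  # True only when the window system itself saw the user's input

def decide_paste(req, audit):
    """Reference-monitor check for moving data from req.src to req.dst.
    Appends an audit record naming the source document and returns the verdict."""
    if LEVELS[req.dst.level] >= LEVELS[req.src.level]:
        verdict, reason = True, "destination label dominates source label"
    elif not req.via_trusted_path:
        # Synthesized input (a Trojan horse replaying user actions) never downgrades.
        verdict, reason = False, "downgrade requested outside the trusted path"
    elif "downgrader" not in req.subject.authorities:
        verdict, reason = False, "subject lacks downgrader authority"
    else:
        verdict, reason = True, "downgrade by authorized subject via trusted path"
    audit.append({"user": req.subject.user, "from": req.src.document,
                  "to": req.dst.document, "src_level": req.src.level,
                  "dst_level": req.dst.level, "allowed": verdict, "reason": reason})
    return verdict

def sources_of(audit, document):
    """Documents whose data reached `document` through allowed pastes, transitively."""
    seen, frontier = {document}, {document}
    while frontier:
        doc = frontier.pop()
        for rec in audit:
            if rec["allowed"] and rec["to"] == doc and rec["from"] not in seen:
                seen.add(rec["from"])
                frontier.add(rec["from"])
    return seen - {document}
```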
