Unix security additions

John F Haugh II jfh at rpp386.cactus.org
Thu Mar 21 23:38:17 AEST 1991


In article <1991Mar19.145012.10940 at decuac.dec.com> mjr at hussar.dco.dec.com (Marcus J. Ranum) writes:
>	The idea of "downgrade" is that when you downgrade information,
>the fact gets logged someplace, and remembered. Thus, downgrading a
>document is entirely different from cutting a hunk of TS data from
>one window and pasting it into an unclassified window. I believe that
>my employer's CMW product actually allows cut & paste, but upgrades the
>sensitivity of the pasted-into document to that of the cut-from, if
>the cut-from is higher.

I've not seen any restriction against downgrading a part of the
document versus the entire document.  For example, why can't I
select some option which says "downgrade this paste buffer"?

My motivation for this is wanting to reduce the degree to which
MAC labels float up every time a file or window is touched.  You
point to this in your later comments - allowing cut and paste
with some mechanism for not floating up would avoid the "creeping
classification" problem.

>	As someone explained it to me, the goal is somewhat to limit the
>effective *bandwidth* at which you can steal stuff. If I could somehow
>do a software-to-software "theft" of sensitive information, my chances
>of being able to grab a LOT are higher than if I diligently copy to
>postit notes which I sneak out of the building secreted in my anus. (I
>have not ever tried this, mind you).

Agreed - but the hypothesis is that you already have been granted
the appropriate authority to "downgrade" some collection of data,
so bandwidth isn't an issue.  This is simply "usability", which is
something I feel the spook community is opposed to.

Obviously the cut/paste needs to be audited.  But, given that I can
type 30 or 40 wpm and given that desk blotters and computer printouts
don't enforce sensitivity labels (to say nothing of postit notes
secreted in your anus ;-), why is cut and paste between different MAC
level windows completely forbidden?  Covert channels are permitted
at the .1 bit/second level or so - I can type about 30 bits per
second, so 8,640 bits via a covert channel per day is "a lot", but
10 minutes of manual typing comes out to 14,000 bits or so - and the
latter is unauditable!?

>	The part I really love about all this (haven't experienced it
>directly) is that with MAC stuff in your system, there's a degree of
>"creeping classification" - which is to say that over time the system
>will become more and more "secret" as data is touched, and eventually
>it will tend towards being entirely at whatever the highest security
>level was.

Yes, and this is a very serious problem.  Overclassification of data
is a serious expense.  You either have to pay to downgrade or
declassify, or pay to dispose of the data.
-- 
John F. Haugh II        | Distribution to  | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 832-8832 | GEnie PROHIBITED :-) |  Domain: jfh at rpp386.cactus.org
"I've never written a device driver, but I have written a device driver manual"
                -- Robert Hartman, IDE Corp.
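The label behaviour argued over above (a pasted-into window floating up to the join of the two labels, versus an explicit, audited downgrade of just the paste buffer) is small enough to model directly. The following is an added example, not code from the poster or from any CMW product: the level hierarchy, compartment names, user names and window contents are all constructed, and the "may_downgrade" flag stands in for whatever downgrade authorisation a real system would check.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

# Hypothetical hierarchy; real label encodings are site-specific.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP_SECRET"]


@dataclass(frozen=True)
class Label:
    """A MAC sensitivity label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)

    def join(self, other: "Label") -> "Label":
        """Least upper bound: the label a window floats up to on an ordinary paste."""
        level = max(self.level, other.level, key=LEVELS.index)
        return Label(level, self.compartments | other.compartments)

    def __str__(self) -> str:
        comps = ",".join(sorted(self.compartments))
        return self.level + ("/" + comps if comps else "")


@dataclass
class Window:
    name: str
    label: Label
    text: str = ""


@dataclass
class Session:
    user: str
    clearance: Label
    may_downgrade: bool = False              # hypothetical downgrade authorisation
    audit: List[str] = field(default_factory=list)

    def paste(self, src: Window, dst: Window, fragment: str,
              downgrade: bool = False) -> Label:
        """Paste `fragment` cut from `src` into `dst`; returns dst's resulting label."""
        # Simple security property: the user must be cleared to read the source.
        if not self.clearance.dominates(src.label):
            raise PermissionError(f"{self.user} is not cleared for {src.label}")
        joined = dst.label.join(src.label)
        if joined != dst.label:
            # Source carries something the destination does not: float up, or downgrade.
            if downgrade:
                if not self.may_downgrade:
                    raise PermissionError(f"{self.user} holds no downgrade authority")
                # Destination keeps its label; the event is logged and remembered.
                self.audit.append(
                    f"DOWNGRADE user={self.user} from={src.name}({src.label}) "
                    f"to={dst.name}({dst.label}) bytes={len(fragment)}")
            else:
                self.audit.append(
                    f"FLOAT user={self.user} window={dst.name} {dst.label} -> {joined}")
                dst.label = joined
        dst.text += fragment
        return dst.label


def creeping_classification() -> List[str]:
    """Constructed scenario: two ordinary pastes drag every window up to TOP_SECRET/CRYPTO."""
    s = Session("alice", Label("TOP_SECRET", frozenset({"CRYPTO"})))
    ts = Window("ts", Label("TOP_SECRET", frozenset({"CRYPTO"})), "key schedule")
    memo = Window("memo", Label("SECRET"), "status: ")
    notes = Window("notes", Label("UNCLASSIFIED"), "todo: ")
    s.paste(ts, memo, "xx")            # memo floats to TS/CRYPTO
    s.paste(memo, notes, "status")     # notes floats too, though only "status" moved
    return [str(w.label) for w in (ts, memo, notes)]


def audited_downgrade() -> Tuple[str, List[str]]:
    """Constructed scenario: an authorised user downgrades only the paste buffer."""
    s = Session("bob", Label("TOP_SECRET", frozenset({"CRYPTO"})), may_downgrade=True)
    ts = Window("ts", Label("TOP_SECRET", frozenset({"CRYPTO"})), "summary")
    notes = Window("notes", Label("UNCLASSIFIED"), "")
    s.paste(ts, notes, "releasable summary", downgrade=True)
    return str(notes.label), s.audit


if __name__ == "__main__":
    print(creeping_classification())
    print(audited_downgrade())
```

Both paths leave an audit record, which is the point of the argument: the float-up path records a label change on the destination, while the downgrade path records who moved how many bytes from which label to which, and an unauthorised downgrade is refused rather than silently floated.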
