The Inevitability of Failure: The Flawed Assumption of Security in Modern Computing Environments

by: Peter A. Loscocco, Stephen D. Smalley, Patrick A. Muckelbauer, Ruth C. Taylor, S. Jeff Turner, John F. Farrell

(tos@epoch.ncsc.mil)

National Security Agency

summarized by Seung Yi (seungyi@cs.uiuc.edu)


Discussion Points
1. Introduction
  • "Fortress built on sand" argument
  • Is security really the primary concern of e-commerce businesses?

2. The Missing Link

  • What is the exact definition of 'mandatory security'? Traditionally, the term MAC (mandatory access control) has described the multi-level security systems typically found in military environments. In this paper, mandatory security is defined more broadly: any policy whose logic and security attributes are controlled by a system security policy administrator rather than by ordinary users, which also covers policies such as type enforcement and integrity controls.
  • Does mandatory security imply that there should not be a 'root' user holding all privileges?
  • Covert channels cannot be eliminated entirely in practice; the realistic goal is to identify them and bound their bandwidth.
  • Does any system actually provide the principle of least privilege?
  • Is there any 'trusted application' in typical Unix systems?
  • Why don't we see more secure/trusted OSs on the market right now? Making an OS secure takes so much time that the result tends to be out of date, with limited functionality. A secure OS can also be too inconvenient to use. Export controls could be another reason. Some security mechanisms, such as IPsec, cannot be reconfigured very easily.
  • Any news/updates on RBAC in Windows NT 5?
  • Do you need discretionary access control in addition to mandatory access control? Is it possible to provide both at the same time?
  • What is the difference between a 'trusted path' and a 'protected path'?
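The question of combining discretionary and mandatory control has a concrete answer: a reference monitor can consult both, granting access only when each policy permits it. The following is an added example written for these notes, not code from the paper or from any real system; the level names, subjects, objects and ACL entries are hypothetical. It implements a Bell-LaPadula style lattice check (no read up, no write down) as the mandatory layer and an owner-managed ACL as the discretionary layer, and it shows why the owner cannot override the mandatory decision by granting discretionary rights.

```python
"""Reference monitor combining a mandatory (lattice) check with a
discretionary (ACL) check. Added illustration; not from the paper.
All levels, users and objects below are hypothetical."""
from dataclasses import dataclass, field

# Hypothetical linear ordering of sensitivity levels, lowest first.
LEVELS = ["unclassified", "confidential", "secret", "top_secret"]


def dominates(a: str, b: str) -> bool:
    """True if level a is at least as high as level b."""
    return LEVELS.index(a) >= LEVELS.index(b)


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Object_:
    name: str
    classification: str
    owner: str
    acl: dict = field(default_factory=dict)  # user name -> set of modes


def mac_permits(subj: Subject, obj: Object_, mode: str) -> bool:
    """Bell-LaPadula: read needs clearance >= classification (no read up);
    write needs classification >= clearance (no write down)."""
    if mode == "read":
        return dominates(subj.clearance, obj.classification)
    if mode == "write":
        return dominates(obj.classification, subj.clearance)
    return False


def dac_permits(subj: Subject, obj: Object_, mode: str) -> bool:
    """Owner has full discretionary rights; others need an ACL entry."""
    if subj.name == obj.owner:
        return True
    return mode in obj.acl.get(subj.name, set())


def check_access(subj: Subject, obj: Object_, mode: str) -> tuple:
    """Both policies must agree. MAC is consulted first and an ACL grant
    by the owner cannot override a mandatory denial."""
    if not mac_permits(subj, obj, mode):
        return (False, "denied by MAC")
    if not dac_permits(subj, obj, mode):
        return (False, "denied by DAC")
    return (True, "granted")


def demo() -> dict:
    """Constructed scenario: alice (secret) owns a secret report and has
    granted bob (confidential) discretionary read access."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "confidential")
    report = Object_("report", "secret", owner="alice", acl={"bob": {"read"}})
    return {
        # owner, clearance dominates classification: both layers agree
        "alice_read": check_access(alice, report, "read"),
        # ACL says yes, but MAC forbids reading up: denied by MAC
        "bob_read": check_access(bob, report, "read"),
        # MAC allows writing up, but the ACL grants bob no write: denied by DAC
        "bob_write": check_access(bob, report, "write"),
        # owner writing at its own level: granted
        "alice_write": check_access(alice, report, "write"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The ordering of the two checks matters for the 'root' question raised above: because the mandatory layer is evaluated first and its attributes are set only by the policy administrator, no owner (and, in a system that honours this design, no all-powerful root user) can hand out access that the mandatory policy forbids.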

3. General Examples & 4. Concrete Example

  • Another way to attack the JVM is to replace the class loaders in order to bypass the security manager.
  • History-based access control can provide more flexible security than the Java sandbox.
  • Does SESAME have the same problem as Kerberos? Both architectures have a central point of failure, the KDC.
  • Giving the public an illusion of security can be more dangerous than using a plainly unsecured system.
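To make the history-based point concrete, here is an added example, written for these notes rather than taken from the paper or from any JVM implementation, that contrasts a static sandbox (each request judged on its own against a fixed allowlist) with a monitor whose decision depends on what the code has already been allowed to do. The request names and the policy itself are hypothetical: code may either touch local files or talk to the network, but once it has done one it may not do the other, so a read-then-exfiltrate sequence is blocked while a purely local write remains possible.

```python
"""History-based access control monitor contrasted with a static sandbox.
Added illustration; not from the paper. Request names and policy are
hypothetical."""

# Static sandbox: a fixed allowlist, every request judged in isolation.
STATIC_ALLOWLIST = {"net_connect", "file_read"}


def static_decide(request: str) -> bool:
    return request in STATIC_ALLOWLIST


class HistoryMonitor:
    """Decisions depend on the requests already granted to this code unit.

    Hypothetical policy: code may use local files or the network, but not
    both. Once it has read or written a file, network access is refused;
    once it has opened a network connection, file access is refused.
    Denied requests are not recorded, since they never happened."""

    FILE_OPS = ("file_read", "file_write")

    def __init__(self) -> None:
        self.history: list = []

    def decide(self, request: str) -> bool:
        touched_net = "net_connect" in self.history
        touched_files = any(h in self.FILE_OPS for h in self.history)
        if request == "net_connect":
            ok = not touched_files
        elif request in self.FILE_OPS:
            ok = not touched_net
        else:
            ok = False  # unknown operation: default deny
        if ok:
            self.history.append(request)
        return ok


def run(policy, requests: list) -> list:
    """Apply a decision function to a request trace, in order."""
    return [policy(r) for r in requests]


def compare(requests: list) -> dict:
    """Run the same trace through both policies with a fresh monitor."""
    monitor = HistoryMonitor()
    return {"static": run(static_decide, requests),
            "history": run(monitor.decide, requests)}


# Constructed trace: read a local file, try to open a socket, then write
# a local file. The static sandbox permits the exfiltration path (read
# then connect) but refuses the harmless write; the history-based monitor
# refuses the connect after the read and permits the local write.
TRACE_READ_THEN_EXFIL = ["file_read", "net_connect", "file_write"]

# Constructed trace in the other order: a network-first program that then
# tries to read local files.
TRACE_NET_THEN_READ = ["net_connect", "file_read"]

if __name__ == "__main__":
    print(compare(TRACE_READ_THEN_EXFIL))
    print(compare(TRACE_NET_THEN_READ))
```

The flexibility comes from the fact that the same request ("file_write", "net_connect") is neither always allowed nor always denied: the monitor answers according to the path the code has taken, which a fixed allowlist cannot express.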

5. System Security & 6. Summary

  • They claim that a secure OS is an essential part of building a secure system.
Partial Conclusions
  • General agreement that a secure OS is a necessary part of building a secure system, though not a sufficient condition.
  • Overall, a lukewarm reception of the paper.
Recommended Readings
  • Covert channels
  • Type theory: what is secure typing?