Dailydave mailing list archives

Re: In defense of Mandatory Access Control, was Re: No more Novell AppArmor?


From: spender () grsecurity net (Brad Spengler)
Date: Tue, 31 Mar 2009 21:03:50 -0400

> MLS basically adds in the Bell-LaPadula model, so that Secret programs
> produce Secret data, and can't read Top Secret data.

> 1) The complexity of policy is directly related to how fine-grained
> you want your access control to be.

> I'm a bit surprised about seeing so many people being snarky about
> such a powerful security technology.  I guess I'll just have to chalk
> it up to cynicism about any new protective technologies; it's cool to
> be dismissive and aloof.  If you can find major areas it doesn't
> cover, you can call it ineffective.

It is cool to be dismissive and aloof about "new" (9 year old) 
technologies.  Otherwise you're just the SELinux version of the "year of 
Linux on the desktop!" guy.  Regarding ineffectiveness (and specifically in
regards to "proofs" and words such as "can't" and complexity/usability 
trade-offs) I won't repeat myself, since everything that needed to be 
said or demonstrated was done 2 years ago:
http://lists.immunitysec.com/pipermail/dailydave/2007-March/004133.html

They say a picture is worth a thousand words.  A little bird gave me 
this:
http://grsecurity.net/~spender/mac_security_sesamestreet.jpg

-Brad
