From solworth@cs.uic.edu Mon Jul 5 17:47:45 2004
Subject: Re: Questions about your IEEE S&P'04 paper
From: "Jon A. Solworth"
Reply-To: solworth@cs.uic.edu
To: ninghui
Cc: Bob Sloan, tripunit@cerias.purdue.edu, Ziad El Bizri
In-Reply-To: <000401c45ac7$fa71a4c0$23f20a80@purdue6p6h5oor>
References: <000401c45ac7$fa71a4c0$23f20a80@purdue6p6h5oor>
Content-Type: text/plain
Organization: Computer Science Dept, UIC
Message-Id: <1089067665.4934.47.camel@tokyo>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.4.6
Date: Mon, 05 Jul 2004 17:47:45 -0500
X-Evolution-Transport: smtp://solworth;auth=PLAIN@localhost:3025
X-Evolution-Account: solworth@cs.uic.edu
X-Evolution-Fcc: file:///home0/director/solworth/evolution/local/Sent
X-Evolution-Format: text/plain
Content-Transfer-Encoding: 8bit

Dr. Li,

Sorry for the delay in replying to you. I hope these answers are
helpful. You certainly have done a careful reading and we will
certainly try to clarify these points in the journal version. When we
have a draft of the journal article we'll share an early copy with you
if you're interested. In any event, let me know if these answers are
inadequate or if you have further questions.

Jon

On Fri, 2004-06-25 at 10:20, ninghui wrote:
> Dear Dr. Solworth and Dr. Sloan,
>
> My students and I are reading your paper "A Layered Design of
> Discretionary Access Controls with Decidable Safety". We have the
> following questions and would really appreciate it if you could
> answer them.
>
> 1. It seems that there exists a sequence of relabelling rules for
> ordinary object tags that is outside any native group set. When a
> subject relabels an object, the system searches this sequence to find
> a match. When one relabels a group label, one searches for the
> sequence in the native group set that defines the group tags. Is this
> understanding correct?

Yes this is correct.

>
> 2. What exactly is the syntax for relabelling rules? More
> specifically, what can occur on the right hand side of a relabelling
> rule?
>
> In the paper, it is often said that the right hand side should be a
> group. However, in Figure 2, you used "admin" and "{*u}", neither of
> them is a group. What is "admin"? Is it a group tag? {*u} is not a
> group either, as which user it evaluates to depends on how the rule
> is matched.

"admin" is indeed a group, although its structure is not specified. It
is intended to be a group of administrators, for purposes similar to
"root" in unix.

The {*u} notation clearly could be better explained, something we will
endeavor to do for the journal version. For each user U in the system
there is a constant group called {U}. A relabel rule specifies a
pattern. When that pattern matches to a relabel operation it specifies
a relabel permission where the right hand side resolves to a single
group. (This is intended to clarify, so let me expound). The rule is
how it is specified, the permission is what is allowed, and the
operation is what the user tries to do and succeeds if there exists a
permission for it.

Hence the rule,

    rl(<*u,*g>,<*u,*h>) = {*u}

when matched to the operation

    relabel(obj,)

where obj has label can be performed only by members of the group {U},
that is by U.

>
> 3. In Figure 1, is the second rule necessary?

Yes. The first rule allows relabels between objects belonging to the
same user. The second rule prevents relabels which change the owner of
an object. While the relabels would be prohibited even in the absence
of the second rule, a relabel of the form:

    rl(<*u,*>,<*w,*>)={*u}

could *later* be defined, allowing relabel, in the absence of the
second rule. (You could consider the second rule superfluous if you
have read section 3.4 and you knew that no further rules were to be
defined. But 3.4 doesn't come until later. So by this you could
certainly argue that it is superfluous.)

>
> 4. In Figure 2, what is "u_relabel"? Is it a special user?
>

That's correct.

> 5. After a system goes live, can one create new native group sets?
> My understanding is no. Native group sets are defined at layer 3, and
> no new native groups can be defined after the system goes live. Is
> this correct?
>

Native group sets can be created, see section 3.4. Now that I look at
it, the wording says that new native groups can be introduced. That
should be new native group sets. In this paper we do not separate the
"type information", i.e. the form of the group sets, from the
"objects", i.e. the actual groups which get created. In later papers
we do separate type information from objects.

> 6. After a system goes live, can one change the patterns and relabel
> rules for existing native group sets? I assume that the answer is no,
> but would like to make sure that my understanding is correct.

Yes, your understanding is absolutely correct.

>
> Thank you,
>
> Ninghui Li
> REC 217C, 656 Oval Dr
> West Lafayette, IN 47907-2086
> (Phone) 765-496-6756
> (Fax) 765-496-3181

-- 
_______________________________________________________________________________
Jon A. Solworth
Computer Science Dept. (M/C 152)
url: http://parsys.cs.uic.edu/~solworth
University of Illinois at Chicago
telephone: (312) 996-0955
851 S. Morgan Rm 1120 SEO
FAX: (312) 413-0024
Chicago, IL 60607-7053
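
The rule / permission / operation distinction from answer 2 and the ordering argument from answer 3, worked through as an added example that is not part of the original e-mail or of the paper. It assumes labels are <user,tag> pairs, that a bare "*" is an anonymous wildcard, that rules are tried in order with the first match deciding, and that Figure 1's second rule resolves to an empty group; a group is modelled simply as its set of members.

```python
# Added illustration; not code from the paper or from either correspondent.
# Assumptions: labels are (user, tag) pairs, "*x" is a pattern variable,
# "*" is an anonymous wildcard, and the first matching rule decides.

def unify(pattern, label, env):
    """Match one <user,tag> pattern against a label, extending the bindings."""
    env = dict(env)
    for p, v in zip(pattern, label):
        if p == "*":
            continue                      # anonymous wildcard matches anything
        if p.startswith("*"):
            if env.setdefault(p, v) != v:
                return None               # same variable bound to two values
        elif p != v:
            return None                   # constant does not match
    return env

def permission(rules, old, new):
    """Rule -> permission: the group allowed to relabel old -> new, or None."""
    for src, dst, members in rules:
        env = unify(src, old, {})
        if env is not None:
            env = unify(dst, new, env)
        if env is not None:
            # "{*u}" resolves to the constant single-user group {U}
            return frozenset(env.get(m, m) for m in members)
    return None

def may_relabel(rules, subject, old, new):
    """Operation: succeeds only if a permission exists and names the subject."""
    group = permission(rules, old, new)
    return group is not None and subject in group

SAME_OWNER = (("*u", "*g"), ("*u", "*h"), ("*u",))  # rl(<*u,*g>,<*u,*h>) = {*u}
NO_CHOWN = (("*u", "*"), ("*w", "*"), ())           # assumed form: empty group
LATER_RULE = (("*u", "*"), ("*w", "*"), ("*u",))    # rl(<*u,*>,<*w,*>) = {*u}

if __name__ == "__main__":
    old, new = ("alice", "private"), ("bob", "private")   # constructed labels
    print(may_relabel([SAME_OWNER, NO_CHOWN, LATER_RULE], "alice", old, new))
    print(may_relabel([SAME_OWNER, LATER_RULE], "alice", old, new))
```

With the second rule in place the later rule is never reached, so the owner cannot be changed; without it the later rule grants exactly the relabel the second rule was there to block.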