On Fri, 2007-06-22 at 01:06 -0700, John Johansen wrote:
> The fact that you have to go back to the drawing board for them is that
> you didn't get the abstraction right in the first place.
I think we must have different understandings of the words "generalize"
and "analyzable". Look, if I want to be able to state properties about
data flow in the system for confidentiality or integrity goals (my
secret data can never leak to unauthorized entities, my critical data
can never be corrupted/tainted by unauthorized entities - directly or
indirectly), then I need to be able to have a common reference point for
my policy. When my policy is based on different abstractions
(pathnames, IP addresses, window ids, whatever) for different objects,
then I can no longer identify how data can flow throughout the system in
a system-wide way.
No, it isn't possible when using ambiguous and unstable identifiers for
the subjects and objects, nor when mediation is incomplete.
--
Stephen Smalley
National Security Agency
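The point made above about needing one common reference point for policy can be shown mechanically. The following is an added example, not code from this thread or from any SELinux or AppArmor tool: a small transitive information-flow analysis over a label-based policy, followed by the same analysis over a pathname-keyed policy in which one object is reachable under two names. The policy rules, the type names, the pathnames and the ALIASES table (standing in for a hard link) are all constructed for the example; the flow model (a read permission moves data from object to subject, a write permission from subject to object) is a deliberate simplification of what real policy analyzers do.

```python
"""Transitive information-flow analysis over a policy.

Constructed example: the policy rules, type names, paths and the alias
table below are invented for illustration and are not real policy.
"""
from collections import deque

# Label-based policy: (subject_type, object_type, permissions).
# Every rule refers to the same kind of identifier, so flows compose.
LABEL_POLICY = [
    ("secret_app_t", "secret_data_t", {"read", "write"}),
    ("secret_app_t", "tmp_t", {"write"}),
    ("web_t", "tmp_t", {"read"}),
    ("web_t", "public_t", {"write"}),
    ("web_t", "critical_config_t", {"read"}),
    ("admin_t", "critical_config_t", {"read", "write"}),
]

READ_PERMS = {"read", "getattr", "execute"}    # data flows object -> subject
WRITE_PERMS = {"write", "append", "create"}    # data flows subject -> object


def flow_graph(policy):
    """Turn allow rules into a directed graph of possible data movement."""
    graph = {}
    for subj, obj, perms in policy:
        graph.setdefault(subj, set())
        graph.setdefault(obj, set())
        if perms & READ_PERMS:
            graph[obj].add(subj)
        if perms & WRITE_PERMS:
            graph[subj].add(obj)
    return graph


def find_flow(graph, src, dst):
    """BFS from src; return the list of labels data traverses to dst, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def confidentiality_violations(policy, secret, unauthorized):
    """Which unauthorized labels can secret data reach, directly or indirectly."""
    graph = flow_graph(policy)
    found = {}
    for target in unauthorized:
        path = find_flow(graph, secret, target)
        if path:
            found[target] = path
    return found


def integrity_violations(policy, critical, untrusted):
    """Which untrusted labels can taint the critical label, directly or indirectly."""
    graph = flow_graph(policy)
    found = {}
    for source in untrusted:
        path = find_flow(graph, source, critical)
        if path:
            found[source] = path
    return found


# Pathname-keyed policy for the same scenario.  The constructed ALIASES table
# plays the role of a hard link: the object behind /srv/secret/db is also
# reachable as /var/www/cache/db.  A real analysis would have to discover this
# from the filesystem at analysis time, and it can change afterwards.
PATH_POLICY = [
    ("secret_app", "/srv/secret/db", {"read", "write"}),
    ("web", "/var/www/cache/db", {"read"}),
    ("web", "/var/www/html/out", {"write"}),
]
ALIASES = {"/var/www/cache/db": "/srv/secret/db"}


def by_identity(policy, aliases):
    """Rewrite object names to one canonical identity per underlying object."""
    return [(subj, aliases.get(obj, obj), perms) for subj, obj, perms in policy]


def path_analysis(policy, aliases=None):
    """Flow from the secret file to the web output, keyed by name or by identity."""
    rules = by_identity(policy, aliases) if aliases else policy
    return find_flow(flow_graph(rules), "/srv/secret/db", "/var/www/html/out")


if __name__ == "__main__":
    print(confidentiality_violations(LABEL_POLICY, "secret_data_t", ["public_t"]))
    print(integrity_violations(LABEL_POLICY, "critical_config_t", ["web_t"]))
    print("by name:    ", path_analysis(PATH_POLICY))
    print("by identity:", path_analysis(PATH_POLICY, ALIASES))
```

With labels, the analysis reports the indirect leak secret_data_t -> secret_app_t -> tmp_t -> web_t -> public_t and confirms that web_t cannot taint critical_config_t. Over raw pathnames the same question about the secret file comes back clean, because nothing in the rules says that two names denote one object; only after collapsing names to an object identity does the read by "web" appear as a flow.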