RE: I-0451: When To Use IFF/IFC And ACF/ACC
- Subject: RE: I-0451: When To Use IFF/IFC And ACF/ACC
- From: Nir Naaman <nir.naaman@metasec.com>
- Date: Wed, 10 Mar 2004 22:57:06 +0200
- In-reply-to: <404EDF74.7010204@itsef.tno.nl>
On Wednesday, March 10, 2004 Dr.Ir. D.J. Out wrote:
>
> How would I code with SFRs in a PP:
>
> The TOE will have a container containing data. This data may only be
> changed by user X.
>
> Nobody else is allowed to change, modify, cause to be changed,
> substitute, or alter this data in any way in such a way that all TOEs
> meeting this PP actually don't do this?
>
> DJ

I'm either a party pooper or just ignorant, but isn't this crying out for a
reference monitor:
FDP_ACC.2+FDP_ACF.1+FPT_SEP.2+FPT_RVM.1+ADV_INT.3?

This combination can EASILY express the requirement that the data IN the
container can't be changed, modified, altered, substituted, mangled, broken,
torn apart, whatever by anybody other than user X. Of course, user X can
create a COPY of the data that can be modified by others, but so what?

What doesn't this combination do? It doesn't guarantee that there are no bad
information flows THROUGH user X and into the container.

IFF is nifty, but outside the defense establishment, you can add:
A.WE_TRUST_USERS_NOT_TO_DO_STUPID_OR_ILLEGAL_THINGS_AND_WHEN_THEY_DO_THEN_THANK_GOD_WE_ARE_INSURED

And suddenly: ACF starts looking pretty attractive.

Or have I totally missed it?

Nir
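
Added example, not part of the message above: a toy reference monitor in Python showing the distinction the reply draws, where an access control rule stops anyone but user X from modifying the container but still lets data originating from another user flow in through X, while a flow rule does not. The `origin` label, the `enforce_flow` switch and the sample writes are assumptions constructed for illustration; they are not Common Criteria text.

```python
OWNER = "X"  # the one subject allowed to modify the container (from the thread)

class ReferenceMonitor:
    """Sole path to the container: every write is mediated and logged."""

    def __init__(self, enforce_flow=False):
        self._items = []              # the protected container
        self.enforce_flow = enforce_flow
        self.audit = []               # (subject, origin, decision) per attempt

    def write(self, subject, value, origin):
        # Access control rule: looks only at who is asking.
        allowed = subject == OWNER
        # Information flow rule (optional): also looks at where the data came from.
        # `origin` is a hypothetical label carried with the data.
        if allowed and self.enforce_flow and origin != OWNER:
            allowed = False
        self.audit.append((subject, origin, allowed))
        if allowed:
            self._items.append(value)
        return allowed

    def read(self):
        # Readers get a copy; changing it does not touch the container.
        return list(self._items)

def scenario(enforce_flow):
    """Constructed sequence: Y writes directly, X writes own data, X relays Y's data."""
    rm = ReferenceMonitor(enforce_flow)
    decisions = [
        rm.write("Y", "y-data", origin="Y"),
        rm.write("X", "x-data", origin="X"),
        rm.write("X", "y-data", origin="Y"),
    ]
    copy = rm.read()
    copy.append("tampered")           # modifying the copy leaves the container intact
    return decisions, rm.read()

if __name__ == "__main__":
    for flag in (False, True):
        print("flow rule on:" if flag else "flow rule off:", scenario(flag))
```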