Jail example from class


Deian Stefan

Jan 19, 2013, 5:19:41 PM
to stanford-...@googlegroups.com

Re-posting discussion with Raj:
 
I had a question, please see the attachment. This is the same situation that Prof.
Mazieres discussed in class. So there is a Jail where you confine the
processes within the system so that they don't leak information to other
processes within the same system (outside of the jail) or to the world. However,
they can communicate with the world through the Gatekeeper. So please let me know
if this is correct:
Lj and Lg are labels for Jail and Gatekeeper respectively. All the threads within
the jail will have the label Lj={jr,jw} and the Gatekeeper with label Lg={gr,gw}
Lj={jr,jw,gw}
Lg={gr,gw,jr}
The above two labels make sure that information can flow only between the jailed
process and the Gatekeeper, because every secrecy category in Lj is present in Lg and
every integrity category present in Lg is present in Lj. This will also ensure
that the jailed process will not leak information to other processes in the system or to
the outside world.
I have two questions:
1. Since every thread T has an ownership O assigned to it as well, I am kind
of confused about how the ownership comes into play in the above situation. I tried
looking on the web and couldn't find the solution.
2. Since the Gatekeeper can read and write information to the outside
world, what would the label for the Gatekeeper be?

Here is another stab at explaining the situation:

First, you need clearance to make sure that you cannot read/write
from/to the rest of the world.  So, the jailed thread has label Lj = {jr,
jw}, clearance Cj = {jr, jw} and no ownership, Oj = {}.

Since jw is in the clearance Cj, Lj cannot just drop jw: {jr} [/= {jr,
jw}.  Hence, since nobody* owns jw, there is no source with label L such
that L [= Lj; thus the jailed thread cannot read from anywhere.

Similarly, since nobody* owns jr, there is no sink with label L such that
Lj [= L; thus the jailed thread cannot write anywhere.

Of course, the gatekeeper is the one that actually created jr and jw,
hence Og = {jr, jw}. For simplicity, we can assume that the gatekeeper
has not been tainted. Nevertheless, it can read any data from the jail
since {jr, jw} - Og [= {} - Og. And, similarly it can write to it.

* - Except for the gatekeeper.
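The label checks in the message above, carried through in code as an added example (this is not code from the post, the course, or any DIFC system; it is a small model written to illustrate the reasoning). Assumptions made here: a category name ending in "r" is a secrecy category and one ending in "w" an integrity category, as in the post's naming; "can flow" is the rule Raj states (secrecy categories flow up, integrity categories flow down); a thread reads or writes modulo the categories it owns, as in "{jr, jw} - Og [= {} - Og"; and the relabeling rule (a thread may move to L' only if the move is a legal flow modulo ownership and L' [= its clearance) is my reading of "Lj cannot just drop jw", not a rule the post spells out. The label {} for the outside world and the gatekeeper's clearance are also assumptions.

```python
from dataclasses import dataclass


# Encoding assumption: "...r" names secrecy (read) categories, "...w" names
# integrity (write) categories, following the jr/jw/gr/gw naming in the post.
def secrecy(label):
    return {c for c in label if c.endswith("r")}


def integrity(label):
    return {c for c in label if c.endswith("w")}


def can_flow(l1, l2):
    """l1 [= l2: every secrecy category of l1 is in l2 and every
    integrity category of l2 is in l1 (the rule stated in the post)."""
    return secrecy(l1) <= secrecy(l2) and integrity(l2) <= integrity(l1)


@dataclass(frozen=True)
class Thread:
    label: frozenset       # current label L
    clearance: frozenset   # clearance C
    owns: frozenset = frozenset()  # ownership O


def can_read(t, source_label):
    """Read is allowed when source - O [= L - O."""
    return can_flow(source_label - t.owns, t.label - t.owns)


def can_write(t, sink_label):
    """Write is allowed when L - O [= sink - O."""
    return can_flow(t.label - t.owns, sink_label - t.owns)


def can_relabel(t, new_label):
    """Assumed rule: moving L -> L' needs L - O [= L' - O and L' [= C."""
    return (can_flow(t.label - t.owns, new_label - t.owns)
            and can_flow(new_label, t.clearance))


WORLD = frozenset()  # assumed label for the outside world
JAIL = frozenset({"jr", "jw"})


def jail_example():
    """Evaluate the situation in the post and return the checks by name."""
    jailed = Thread(label=JAIL, clearance=JAIL)
    # Gatekeeper created jr and jw, so it owns them; assumed untainted.
    gatekeeper = Thread(label=WORLD, clearance=JAIL,
                        owns=frozenset({"jr", "jw"}))
    # Some unrelated process on the system with no special label.
    other = Thread(label=WORLD, clearance=WORLD)
    return {
        # Jailed thread: cannot drop jw, cannot talk to anything unowned.
        "jail_drops_jw": can_relabel(jailed, frozenset({"jr"})),
        "jail_reads_world": can_read(jailed, WORLD),
        "jail_writes_world": can_write(jailed, WORLD),
        # Gatekeeper: ownership of jr/jw lets it cross the boundary.
        "gk_reads_jail": can_read(gatekeeper, JAIL),
        "gk_writes_jail": can_write(gatekeeper, JAIL),
        "gk_reads_world": can_read(gatekeeper, WORLD),
        "gk_writes_world": can_write(gatekeeper, WORLD),
        # Other processes cannot read jailed data.
        "other_reads_jail": can_read(other, JAIL),
        # Raj's two labels: Lj [= Lg holds, the reverse does not.
        "raj_lj_to_lg": can_flow(frozenset({"jr", "jw", "gw"}),
                                 frozenset({"gr", "gw", "jr"})),
        "raj_lg_to_lj": can_flow(frozenset({"gr", "gw", "jr"}),
                                 frozenset({"jr", "jw", "gw"})),
    }


if __name__ == "__main__":
    for name, ok in jail_example().items():
        print(f"{name:18s} {ok}")
```

Running it shows the point of the post: with no ownership the jailed thread can move to nothing that is both within its clearance and a legal flow, and no unowned source or sink is comparable with {jr, jw}; the gatekeeper, owning both categories, reads and writes the jail and the world freely.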