Multi-Level Security

Observations by Rick Smith

Last updated on Wednesday, April 20, 2005

Several years ago I was at a workshop sponsored by the Air Force to develop some new directions for information systems improvements. The workshop included both "end user" representatives from the Air Force and "R&D" representatives from laboratories and government contractors.

Discussions on MLS capabilities became rather heated. One vendor representative from the security working group declared the following in a plenary session:

"Don't ask for MLS. We've tried to give you MLS, but in fact you've never really wanted it or used it. But please, tell us what you do want!"

A voice in the back shouted, "MLS!"

That little incident reflects an important fact about MLS: it's an overloaded term that describes both an abstract security objective and a well-known mechanism that is supposed to achieve that objective, more or less. In a well-known paper on software safety, Nancy Leveson criticizes this type of labeling:

Labeling a technique, e.g., "software diversity" or "expert system," with the property we hope to achieve by it (and need to prove about it) is misleading and unscientific.

Unfortunately, we're stuck with the established terminology, so now we must focus on distinguishing between the two meanings.


Some Material on MLS


This work by Rick Smith (rick@cryptosmith.com) is licensed under a Creative Commons License.