Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Mutli-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.
The closest you're likely to approach is if you enable the MAC option in FreeBSD, which is experimental.
The Genode project aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as App-Armour tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.
I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.
Are any of these systems Multi-Level Secure? This stuff was figured out in the 1970s, we're still 10 years away from collectively realizing we needed it yesterday.
I just "upgraded" some Windows 7 machines to IE8 (from IE10) because that is the standard the automobile industry has settled on.
Linux is not any more secure than Windows in the long run... its not a multi-level secure system, nor is any other choice you've ever heard of. Until we adopt something like the Bell-LaPadula security model, we're going to be chasing our collective tails, and this is going to be happening for years!
The InterNet was created because the guy in charge of things didn't want a teletype in his office for each and every machine he could access. A network to access all of them, and a single terminal made more sense.
It had NOTHING to do with nuclear war, or reliability, at first.
Access control lists are not adequate security, no matter how careful you are. You need the Bell-LaPadula or something like it that implements mandatory access controls to actually secure a system.
SELinux is an attempt to push a little bit towards a secure system, but it's not the real deal.
If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.
In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.
All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.
The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.
The infrastructure IS the weapon, its your job to change that over the next 20 years.... get crackin'
This is the kind of thing that happens when you trust an application to do what it says on the tin. An OS based on a capability architecture would have made this pretty much impossible.
This isn't about being a Luddite, it's about pointing out the economic disparity at play in the world. When you create conditions in the rest of the world such that we give them pieces of paper, and they are willing to die trying to get something to sell for those pieces of paper... we have some social responsibility.
The US exports paper promises of... (well, nothing actually, Nixon closed the Gold window in 1971) paper, and over throws any resource rich country that wants to sell for some other paper, or... gasp... actual Gold. We've got a gun to the heads of the rest of humanity....... is that enough of a rant to show it's not about the technology.... its the economics?
We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.
Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.
We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.
Fair enough... the propagation delays would suck, yes... but we're talking about general purpose computing here, not picosecond timing. The main goal is throughput, and if you can get most of the transistors in the thing doing computation, instead of waiting for the 100 picoseconds they are actually needed, you've solved the "dark transistor" problem.
The gain is from being able to process all parts of a given problem in parallel, so you get at least 1 result per clock.... imagine being able to do 1024 bin FFTs at 1 Ghz, or faster.
You have to route signal, but at least in the bitgrid, that's flexible, and not he huge constraint on things that existing FPGAs force you to work around. You should be able to get 90% usage... I'm writing a simulator to try to figure that out, in Delphi for Windows, it's on GitHub.
My solution to the dark transistor problem came to me back around 1982... I call it the BitGrid. It's a Cartesian grid of 4 bit input, 4 bit output look up tables. each cell can replicate any logic function, and those tables are the basis of modern FPGAs. The thing that makes the BitGrid different is the total lack of routing fabric. This makes the grid homogeneous and symmetric. As long as you know of a defect in a cell, you can route around it trivially, at load time. You can shift any given logic configuration left, right, up, down, without having to do any work. You can rotate and mirror it.
The down side is that you have to pass through every cell to get from one side to the other... which could be a waste of logic, or a tremendous opportunity to do computing in parallel.
Imagine a big enough grid (lets say 64k * 64k), implemented in CMOS. You could take a program, unwrap all the instructions into their logical equivalents, and then mape all that out into the grid. This would let you run the entire program all at the same time.
All of this points out what I'm saying... they've optimized for small(ish) systems that have to run very quickly, with a heavy emphasis on "routing fabric" internally. This makes them hard to program, as they are heterogeneous as all get out.
Imagine a grid of logic cells, a nice big, homogenous grid, that was symmetric. You could route programs in it almost instantly, there's be no need for custom tools to program it.
The problem IS the routing grid... it's a premature optimization. And for big scale stuff it definitely gets in the way.
I would have a 4 bits in, 4 bits out lookup table as the basis of this, and I call it the "bitgrid".... I've been writing about it for years, feel free to make the chip, and send me an email (or preferably a sample, please)., because that puppy is disclosed as far as patents go.... I have none, and can't now.
You should be able to get a 64k x 64k grid on a chip for a few bucks, in any kind of quantity. It should do Exaflops, or consume almost nothing if you idle it.
Now the blind ants (researchers) will need to explore more of the tree (the computing problem space)... there are many fruits out there yet to discover, this is just the end of the very easy fruit. I happen to believe that FPGAs can be made much more powerful because of some premature optimization. Time will tell if I'm right or wrong.
What do you think the founders believed? In the early revolutionary period, the US had no navy. They issued letters of marque to privately owned, armed ships. As in: private individuals owned war ships.
Wrong... dead wrong. The States each had their own Navy, and they were combined in 1775. The first Continental Navy ship was launched in September, 1775.
I applaud your Libertarian worldview, but it is not consistent with reality in this instance.
Well... I checked the distance to make sure old-fart-ism wasn't fscking with my memory... didn't think about the temperature. Can't find any records of the local temps, just the Chicago records you found.... oh well.
The current temperature outside my house is 47 degrees of frost. The only sensible scale of frackin cold I know of... which I learned of from Ernest Shackleton.
This is a REAL Chicago winter... you kids have all gotten soft in the last 30 years. We used to have these all the time when I was a kid. I remember in about 1980, it had been this cold for sever days in a row so I had sever cabin fever (a condition resulting in the need to GET OUT OF THE HOUSE)... so I walked 1.2 miles in -40 temperatures to get to Montgomery Wards. (I just checked the distance using google maps) That's -40 REAL degrees (trivia: -40F == -40C), or -80F with the "Wind Chill".... I was very glad my dad came to pick me up and take me home, so I didn't need to make the return trip on foot.
Two pairs of jeans (the thick kind we used to have back then) were barely enough to keep my legs warm during that walk.
We've had these before, we'll have them again... shove off with the invented names like "Polar Vortex"... it's just WINTER./rant
They thought the Civil war in the US would be over in an afternoon. People rushed into WWI, because the didn't want to miss it. The Germans thought they could roll through and capture Russia before taking over England, etc, repeating the mistake of Napoleon.
It's not about the first weeks of war... it's about the long fight that they all turn into... sure, we could have millions of cheap fancy Chinese made gizmos in our arsenal... but what happens if the war lasts long enough to need resupply?
Not so fast... we all administer our own wallets, and we know not to send all our money to a PO Box in Nigeria. If there's no way to specify what can/can't be accessed, you get the default behavior you describe, because there really is no control. What we have now are systems just like EULAs, you either choose to run a program, or don't.
It doesn't have to be this way, and it wouldn't even cost much more to do it right. We could all have Orange Book A1 Secure computers, if we wanted to do the work as a community to make it so.
So, what these articles are both calling for is Capability Based Security, in which you feed a list of resources to the OS when you run a program. This has the pleasant and reasonable effect of limiting the side effects a program can do, and protects the user, the operating system, and everyone else on the internet.
The trusted systems of the 1980s required the Administrator to supply these lists... it could reasonably be done by users these days, because we're all system administrators of our own machines, when it comes down to brass tacks. It doesn't even have to look much different than what we're used to seeing. A capability based version of Word would ask the system to get a file... which would do so via a "powerbox" (a secure way of picking files which side-steps the application doing it directly).
I applaud this fellow traveler who seeks the same sane approach I've been shouting about for years. 8)
If Obama actually defended the constitution from domestic enemies, he'd be dead within a month. Don't kid yourself about this. We live in an oligarchy, at best.
Well said. It seems that watching "lets play" videos on YouTube is the way they get interested in a game, then go off to play it themselves. Minecraft seems to be the current hit of my sproutlet, with an occasional burst of Spore. She spends more time watching than playing, however... which strikes me as bit odd, but hey, she's interested in something relatively safe to do.
Slashdot Mirror
Multi-Level Security was worked out in the late 1960s in order to allow computing both Secret and "Top Secret" information in the same computer at the same time. The use of the Bell-LaPadula model ensures that a lesser privileged user can never cause grief for a more privileged user. If we had Mutli-Level secure systems, we could safely run any program we want in a sandbox, and it could never, ever crawl back out of it.
The closest you're likely to approach is if you enable the MAC option in FreeBSD, which is experimental.
The Genode project aims to provide a capability based security system which can run Linux Apps... it is the best chance I see going forward for a truly secure system that isn't military grade. In such systems, you specify at run time exactly which files can be accessed by an application. This has the benefit of explicitly limiting the side effects of said application, and thus making for a far more secure system. You might be tempted to think this would make it unusable (as App-Armour tends to be)... but it doesn't have to be that way. In fact, it's possible to make apps behave almost identically, as far as the user is concerned, without compromising anything.
I think we're still 10 years out before people wake up and realize that our collective assumptions about computer security are wrong, and this needs a more rigorous, carefully engineered solution, instead of the layers of patch we currently employ. I'm hoping that my frequent postings on this subject are informative, and help shorten that timespan significantly.
Are any of these systems Multi-Level Secure? This stuff was figured out in the 1970s, we're still 10 years away from collectively realizing we needed it yesterday.
Amen!
I just "upgraded" some Windows 7 machines to IE8 (from IE10) because that is the standard the automobile industry has settled on.
Linux is not any more secure than Windows in the long run... its not a multi-level secure system, nor is any other choice you've ever heard of. Until we adopt something like the Bell-LaPadula security model, we're going to be chasing our collective tails, and this is going to be happening for years!
The InterNet was created because the guy in charge of things didn't want a teletype in his office for each and every machine he could access. A network to access all of them, and a single terminal made more sense.
It had NOTHING to do with nuclear war, or reliability, at first.
No mention of the Superb Owl watching over all this?
Access control lists are not adequate security, no matter how careful you are. You need the Bell-LaPadula or something like it that implements mandatory access controls to actually secure a system.
SELinux is an attempt to push a little bit towards a secure system, but it's not the real deal.
If we started building bunkers out of blocks of TNT, someone would rapidly figure out it was a bad idea.... but not so when it's abstracted several layers deep.
In conventional munitions, it's necessary to deliver an explosive to a target. Thanks to the Unix security model, with its lack of any notion of multi-level security, we've created an entire infrastructure that's ready to self-destruct at a moment's notice. The military went on to actually procure and use multi-level security in a number of cases, while the idea is perceived as impossible, or unnecessary in the civilian space.
All of our Linux, Mac OS, and Windows machines share the same brain dead security model. When you run code, you have to trust it not to be a virtual grenade, each and every time.
The existence of billions of computers which blindly run code without actual security protecting the operating system (as a multi-level secure system does) is astoundingly stupid, and yet 99.9% of the "tech" community is just fine with this state of affairs.
The infrastructure IS the weapon, its your job to change that over the next 20 years.... get crackin'
This is the kind of thing that happens when you trust an application to do what it says on the tin. An OS based on a capability architecture would have made this pretty much impossible.
This isn't about being a Luddite, it's about pointing out the economic disparity at play in the world. When you create conditions in the rest of the world such that we give them pieces of paper, and they are willing to die trying to get something to sell for those pieces of paper... we have some social responsibility.
The US exports paper promises of ... (well, nothing actually, Nixon closed the Gold window in 1971) paper, and over throws any resource rich country that wants to sell for some other paper, or... gasp... actual Gold. We've got a gun to the heads of the rest of humanity.... ... is that enough of a rant to show it's not about the technology.... its the economics?
We're all running systems based on some derivative of Unix. The user based permission model was fine for 1970s computer science departments, but it's totally crap for the world we now live in. We all should be running systems that are at least Orange Book A1 level secure, but we aren't. The resources are available to do it, we could totally pump this out in a year or two in the open source world.... but we won't.
Everyone thinks they have secure enough systems... but they don't, not by a country mile. Nobody seems to understand that trusting applications to do their jobs, and not subvert the systems, is a stupid thing.
We have persistently insecure computing... encryption, even if done perfectly, doesn't help fix that.
Fair enough... the propagation delays would suck, yes... but we're talking about general purpose computing here, not picosecond timing. The main goal is throughput, and if you can get most of the transistors in the thing doing computation, instead of waiting for the 100 picoseconds they are actually needed, you've solved the "dark transistor" problem.
The gain is from being able to process all parts of a given problem in parallel, so you get at least 1 result per clock.... imagine being able to do 1024 bin FFTs at 1 Ghz, or faster.
You have to route signal, but at least in the bitgrid, that's flexible, and not he huge constraint on things that existing FPGAs force you to work around. You should be able to get 90% usage... I'm writing a simulator to try to figure that out, in Delphi for Windows, it's on GitHub.
My solution to the dark transistor problem came to me back around 1982... I call it the BitGrid. It's a Cartesian grid of 4 bit input, 4 bit output look up tables. each cell can replicate any logic function, and those tables are the basis of modern FPGAs. The thing that makes the BitGrid different is the total lack of routing fabric. This makes the grid homogeneous and symmetric. As long as you know of a defect in a cell, you can route around it trivially, at load time. You can shift any given logic configuration left, right, up, down, without having to do any work. You can rotate and mirror it.
The down side is that you have to pass through every cell to get from one side to the other... which could be a waste of logic, or a tremendous opportunity to do computing in parallel.
Imagine a big enough grid (lets say 64k * 64k), implemented in CMOS. You could take a program, unwrap all the instructions into their logical equivalents, and then mape all that out into the grid. This would let you run the entire program all at the same time.
Exaflops... here we come.
All of this points out what I'm saying... they've optimized for small(ish) systems that have to run very quickly, with a heavy emphasis on "routing fabric" internally. This makes them hard to program, as they are heterogeneous as all get out.
Imagine a grid of logic cells, a nice big, homogenous grid, that was symmetric. You could route programs in it almost instantly, there's be no need for custom tools to program it.
The problem IS the routing grid... it's a premature optimization. And for big scale stuff it definitely gets in the way.
I would have a 4 bits in, 4 bits out lookup table as the basis of this, and I call it the "bitgrid".... I've been writing about it for years, feel free to make the chip, and send me an email (or preferably a sample, please)., because that puppy is disclosed as far as patents go.... I have none, and can't now.
You should be able to get a 64k x 64k grid on a chip for a few bucks, in any kind of quantity. It should do Exaflops, or consume almost nothing if you idle it.
Now the blind ants (researchers) will need to explore more of the tree (the computing problem space)... there are many fruits out there yet to discover, this is just the end of the very easy fruit. I happen to believe that FPGAs can be made much more powerful because of some premature optimization. Time will tell if I'm right or wrong.
Wrong... dead wrong. The States each had their own Navy, and they were combined in 1775. The first Continental Navy ship was launched in September, 1775.
I applaud your Libertarian worldview, but it is not consistent with reality in this instance.
Well... I checked the distance to make sure old-fart-ism wasn't fscking with my memory... didn't think about the temperature. Can't find any records of the local temps, just the Chicago records you found.... oh well.
Sorry.
The current temperature outside my house is 47 degrees of frost. The only sensible scale of frackin cold I know of... which I learned of from Ernest Shackleton.
This is a REAL Chicago winter... you kids have all gotten soft in the last 30 years. We used to have these all the time when I was a kid. I remember in about 1980, it had been this cold for sever days in a row so I had sever cabin fever (a condition resulting in the need to GET OUT OF THE HOUSE)... so I walked 1.2 miles in -40 temperatures to get to Montgomery Wards. (I just checked the distance using google maps) That's -40 REAL degrees (trivia: -40F == -40C), or -80F with the "Wind Chill".... I was very glad my dad came to pick me up and take me home, so I didn't need to make the return trip on foot.
Two pairs of jeans (the thick kind we used to have back then) were barely enough to keep my legs warm during that walk.
We've had these before, we'll have them again... shove off with the invented names like "Polar Vortex"... it's just WINTER. /rant
PS: Maybe it's cabin fever getting to me? ;-)
They thought the Civil war in the US would be over in an afternoon. People rushed into WWI, because the didn't want to miss it. The Germans thought they could roll through and capture Russia before taking over England, etc, repeating the mistake of Napoleon.
It's not about the first weeks of war... it's about the long fight that they all turn into... sure, we could have millions of cheap fancy Chinese made gizmos in our arsenal... but what happens if the war lasts long enough to need resupply?
I told you this would happen last year.
Not so fast... we all administer our own wallets, and we know not to send all our money to a PO Box in Nigeria. If there's no way to specify what can/can't be accessed, you get the default behavior you describe, because there really is no control. What we have now are systems just like EULAs, you either choose to run a program, or don't.
It doesn't have to be this way, and it wouldn't even cost much more to do it right. We could all have Orange Book A1 Secure computers, if we wanted to do the work as a community to make it so.
So, what these articles are both calling for is Capability Based Security, in which you feed a list of resources to the OS when you run a program. This has the pleasant and reasonable effect of limiting the side effects a program can do, and protects the user, the operating system, and everyone else on the internet.
The trusted systems of the 1980s required the Administrator to supply these lists... it could reasonably be done by users these days, because we're all system administrators of our own machines, when it comes down to brass tacks. It doesn't even have to look much different than what we're used to seeing. A capability based version of Word would ask the system to get a file... which would do so via a "powerbox" (a secure way of picking files which side-steps the application doing it directly).
I applaud this fellow traveler who seeks the same sane approach I've been shouting about for years. 8)
I, for one, do not wish to be hunted by any animals, nor rodents for that matter.
Troll? - Who moderated this troll?
If Obama actually defended the constitution from domestic enemies, he'd be dead within a month. Don't kid yourself about this. We live in an oligarchy, at best.
Well said. It seems that watching "lets play" videos on YouTube is the way they get interested in a game, then go off to play it themselves. Minecraft seems to be the current hit of my sproutlet, with an occasional burst of Spore. She spends more time watching than playing, however... which strikes me as bit odd, but hey, she's interested in something relatively safe to do.