[pypy-dev] Security ideas

Armin Rigo arigo at tunes.org
Wed May 24 19:12:07 CEST 2006


Hi Jacob,

On Wed, May 24, 2006 at 02:21:54PM +0200, Jacob Hallén wrote:
> This is quite interesting, but I have some concerns over the scheme presented.
> It seems to only take into consideration who gets to see the contents of an 
> object. However, real information security is just as often concerned with 
> who gets to set or modify the contents of an object. This produces security 
> classifications that can't be represented as a linear scale, leading to a 
> much more complex infrastructure for determining what classification to give 
> to an object that receives it from multiple parents.

Definitely.  The scheme presented doesn't propose any classification,
and it allows us to experiment with variants.

As presented, the levels don't have to form a linear order but only have
to be arranged in a semi-lattice (i.e. where "public" is the most
permissive, and for any two levels L1 and L2 we can form a higher level
"L1 union L2" that represents someone with both L1 and L2 credential
levels).  Moreover nothing is specified about what the level means and
where exactly they are enforced, so we can definitely have object
attributes that require different levels to be read or modified.  There
are many theories available; I've heard of one where each level is
actually a set of tuples, where each tuple gives an "owner" name and a
set of names of persons that can read the information.  Also, it's easy
to come up with anything custom in this approach -- as opposed to other
approaches where changing the theory requires a whole compiler to be
rewritten, syntax to be redesigned, etc.


A bientot,

Armin.
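To make the semi-lattice described above concrete, here is an added example (not PyPy code, and not from either poster): levels are sets of credentials, "public" is the empty set, the join of L1 and L2 is their union, each labelled object carries separate read and write levels, and an object derived from several parents takes the join of their levels. The choice that a derived object's write level is also the join of the parents' write levels is an assumption made for this illustration.

```python
from dataclasses import dataclass
from typing import Any, FrozenSet

# A security level is the set of credentials a principal holds.  Levels form
# a join semi-lattice under set union: the empty set is "public", the most
# permissive level, and join(L1, L2) is "someone holding both L1 and L2".
Level = FrozenSet[str]
PUBLIC: Level = frozenset()

def level(*creds: str) -> Level:
    return frozenset(creds)

def join(a: Level, b: Level) -> Level:
    """Least upper bound of two levels: L1 union L2."""
    return a | b

def satisfies(held: Level, required: Level) -> bool:
    """A principal holding `held` may act at `required` iff required <= held."""
    return required <= held

@dataclass
class Labelled:
    """A value with separate levels required to read it and to modify it."""
    value: Any
    read_level: Level = PUBLIC
    write_level: Level = PUBLIC

    def read(self, held: Level) -> Any:
        if not satisfies(held, self.read_level):
            raise PermissionError("read requires %s" % sorted(self.read_level))
        return self.value

    def write(self, held: Level, new_value: Any) -> None:
        if not satisfies(held, self.write_level):
            raise PermissionError("write requires %s" % sorted(self.write_level))
        self.value = new_value

def derive(value: Any, *parents: Labelled) -> Labelled:
    """Label a value computed from several parents.  It may reveal any parent,
    so its read level is the join of all parents' read levels; the write level
    is the join too (hypothetical policy: only someone able to modify every
    input may modify the result)."""
    read_lvl, write_lvl = PUBLIC, PUBLIC
    for p in parents:
        read_lvl = join(read_lvl, p.read_level)
        write_lvl = join(write_lvl, p.write_level)
    return Labelled(value, read_lvl, write_lvl)

# Constructed sample: two inputs whose levels are incomparable (not a linear order).
salary = Labelled(5200, read_level=level("hr"), write_level=level("hr", "payroll"))
rating = Labelled("good", read_level=level("manager"), write_level=level("manager"))
bonus = derive(salary.value // 10, salary, rating)   # needs hr AND manager to read
```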
