Re: Hierarchy for sensitivity levels
- From: Stephen Smalley <sds tycho nsa gov>
- To: Forrest Taylor <ftaylor redhat com>
- Cc: Fedora SELinux List <fedora-selinux-list redhat com>
- Subject: Re: Hierarchy for sensitivity levels
- Date: Wed, 13 Jun 2007 09:10:49 -0400
On Tue, 2007-06-12 at 15:42 -0600, Forrest Taylor wrote:
> I am teaching class this week and I had an interesting question from a
> student. We were discussing sensitivities and categories, and a student
> wondered about the hierarchical nature of sensitivities and categories.
> Assuming that s0 is unclassified, s1 is classified, s2 is secret and s3
> is top secret, and s0<s1<s2<s3. If I have access to s3, I assume that
> you also have access to s2, s1, s0. Is there a way to throw categories
> in here so that users who have access to s3 do not necessarily have
> access to all of s2 and lower?
The dominance function is based on both the sensitivities and the
category sets. A dominates B iff A's sensitivity >= B's sensitivity and
A's category set is a superset of B's category set. The possible
relationships are dominates, dominated by, equivalent, or incomparable.
Under BLP/MLS, A can only read from B if A dominates B, and A can only
write to B if A is dominated by B. Many MLS systems further limit A to
only allow writing to B if A is equivalent to B, even though that isn't
strictly required for BLP. To violate those properties (no read up, no
write down), A has to be in a TE domain that is marked with one of the
type attributes used as exceptions in the MLS constraints.
--
Stephen Smalley
National Security Agency
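The dominance rules described in this message, as an added example that is not part of the original post and is not SELinux code. It assumes single levels written in SELinux's `sN:cA,cB.cC` notation rather than low-high ranges; the names `Level`, `parse_level`, `dominates`, `relationship`, `can_read` and `can_write` are hypothetical, and the TE type-attribute exceptions are not modeled.

```python
from typing import FrozenSet, NamedTuple

class Level(NamedTuple):          # hypothetical helper type, not an SELinux API
    sens: int                     # sensitivity number: s3 -> 3
    cats: FrozenSet[int]          # category numbers: c0,c2 -> {0, 2}

def _num(token: str, prefix: str) -> int:
    if not token.startswith(prefix) or not token[1:].isdigit():
        raise ValueError(f"bad token {token!r}")
    return int(token[1:])

def parse_level(text: str) -> Level:
    """Parse one level such as 's3:c0,c2.c4' (a single level, not a low-high range)."""
    sens, _, catpart = text.partition(":")
    cats = set()
    for item in filter(None, catpart.split(",")):
        lo, _, hi = item.partition(".")      # 'c2.c4' means c2 through c4
        first = _num(lo, "c")
        last = _num(hi, "c") if hi else first
        cats.update(range(first, last + 1))
    return Level(_num(sens, "s"), frozenset(cats))

def dominates(a: Level, b: Level) -> bool:
    # Both conditions must hold: sensitivity >= and category superset.
    return a.sens >= b.sens and a.cats >= b.cats

def relationship(a: Level, b: Level) -> str:
    ab, ba = dominates(a, b), dominates(b, a)
    if ab and ba:
        return "equivalent"
    if ab:
        return "dominates"
    return "dominated by" if ba else "incomparable"

def can_read(subject: Level, obj: Level) -> bool:
    return dominates(subject, obj)           # no read up

def can_write(subject: Level, obj: Level, strict: bool = False) -> bool:
    if strict:                               # write only at an equivalent level
        return relationship(subject, obj) == "equivalent"
    return dominates(obj, subject)           # no write down

if __name__ == "__main__":
    # Constructed sample levels for the question asked in the thread.
    user = parse_level("s3:c0")
    for obj in ("s2:c0", "s2:c1", "s3:c0", "s0"):
        o = parse_level(obj)
        print(obj, relationship(user, o), can_read(user, o), can_write(user, o))
```

A subject at `s3:c0` is incomparable with an object at `s2:c1`, so the higher sensitivity alone does not grant read access.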