> I've always recognized that MLS systems can impose mandatory
> protection barriers between processes by using levels,
> categories, and compartments, but I still concluded "No."
> This is based on my view of high assurance MLS obsessed with
> confidentiality. The argument goes as follows:
> 1) Typical Internet TCP/IP traffic does not contain labels.
> 2) The network interface in an MLS system is always assigned
> a label.
> 3) If a network interface receives a packet that does not
> already contain a label, then the packet must be assigned
> the network interface's label.
> 4) All packets sent or received as typical Internet TCP/IP
> traffic carry the same label (from 1, 2, 3). Call this
> label the "Internet Label."
> 5) If two processes have the same label, there is no way to
> enforce mandatory MLS protection between them.
> 6) Every network server process is assigned a label.
> 7) A network server process can only send and receive
> packets if the packets' labels are identical to the label
> of the network server process.
> 8) Any network server process that handles Internet traffic
> must be assigned the "Internet Label" (from 4, 7).
> 9) All Internet server processes must be assigned the
> "Internet Label" (from 6, 8).
> 10) You can't enforce MLS between Internet servers (from 5, 9).
> I suspect our misunderstandings are tied to statement 3)
> above. On Sidewinder we can associate TCP/IP port numbers
> with separately labeled domains in the TE system. The only
> way you can get a similar result in an MLS system is to
> associate TCP/IP port numbers with MLS confidentiality
> labels. For example, the B1 system might define a category
> or compartment label for "Mail" and restrict Port 25
> traffic to processes with the Mail label. If so, this changes
> how statement 3) is phrased, and completely changes the
> The problem is, you can't assign MLS labels that way if
> you're obsessed with confidentiality. I can think of
> three reasons immediately as to why not:
I would propose a different use for the MLS architecture.
o.proxies have level of '1'.
i.proxies have level of '2'.
o.proxies do not have access to write to the inside ethernet interface.
i.proxies have privilege to read o.proxies based on label being
From what I see, this would make a connection-based attack useless.
You could break into the firewall and subvert the o.proxies. Data-based
attacks could potentially succeed if neither proxy noticed the signature.
Connection-based attacks would be limited to harming the level '1' environment.
I would be interested in hearing comments...
p.s. I do not know if any firewalls implement this type of model/theory, but it
seems theoretically sound from the few mind blips I've had.
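As an added illustration of the two-level proxy layout proposed above (constructed example code, not from the original post or from any firewall or MLS product), here is a toy reference monitor that encodes statements 3 and 7 of the quoted argument together with a read-down rule between proxies, and reports which accesses the labels permit. The interface names, process names and the port 25 packet are constructed; note that it is the label-equality rule of statement 7, not plain Bell-LaPadula, that stops the level-1 o.proxy writing to the level-2 inside interface.

```python
# Toy MLS reference monitor for the two-level proxy layout (constructed model,
# not code from any real firewall). Rules: an unlabeled packet takes the
# receiving interface's label (statement 3); a process sends or receives on an
# interface only when labels are identical (statement 7); read-down only.
from dataclasses import dataclass

class AccessDenied(Exception):
    pass

@dataclass
class Labeled:
    name: str   # an interface or a process
    level: int  # its sensitivity level

def receive(proc, iface, packet):
    """Statement 3 labels the packet; statement 7 decides if proc may take it."""
    labeled = {**packet, "label": packet.get("label", iface.level)}
    if labeled["label"] != proc.level:
        raise AccessDenied(f"{proc.name} cannot receive label {labeled['label']}")
    return labeled

def send(proc, iface, packet):
    """Statement 7: the process label must equal the interface label."""
    if proc.level != iface.level:
        raise AccessDenied(f"{proc.name} cannot send on {iface.name}")
    return {**packet, "label": proc.level}

def read_from(reader, writer, data):
    """Inter-process read: allowed only when the reader dominates the writer."""
    if reader.level < writer.level:
        raise AccessDenied(f"{reader.name} cannot read up from {writer.name}")
    return {**data, "label": reader.level}

def allowed(action, *args):
    try:
        action(*args)
        return True
    except AccessDenied:
        return False

def run_scenario():
    """Constructed scenario: outside interface at level 1, inside at level 2."""
    outside, inside = Labeled("outside-eth", 1), Labeled("inside-eth", 2)
    o_proxy, i_proxy = Labeled("o.proxy", 1), Labeled("i.proxy", 2)
    pkt = receive(o_proxy, outside, {"dst_port": 25, "payload": "HELO"})
    return {
        "o_proxy_writes_inside": allowed(send, o_proxy, inside, pkt),
        "i_proxy_reads_o_proxy": allowed(read_from, i_proxy, o_proxy, pkt),
        "i_proxy_writes_inside": allowed(send, i_proxy, inside, pkt),
        "o_proxy_reads_i_proxy": allowed(read_from, o_proxy, i_proxy, pkt),
    }
```

The result shows a subverted o.proxy confined to the level-1 side: it can neither send on the inside interface nor read the i.proxy's data, while the i.proxy can still pull the screened data down and forward it inward.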