%!PS
%%Version: 3.3.1
%%DocumentFonts: (atend)
%%Pages: (atend)
%%EndComments
%
% Version 3.3.1 prologue for troff files.
%

/#copies 1 store
/aspectratio 1 def
/formsperpage 1 def
/landscape false def
/linewidth .3 def
/magnification 1 def
/margin 0 def
/orientation 0 def
/resolution 720 def
/rotation 1 def
/xoffset 0 def
/yoffset 0 def

/roundpage true def
/useclippath true def
/pagebbox [0 0 612 792] def

/R  /Times-Roman def
/I  /Times-Italic def
/B  /Times-Bold def
/BI /Times-BoldItalic def
/H  /Helvetica def
/HI /Helvetica-Oblique def
/HB /Helvetica-Bold def
/HX /Helvetica-BoldOblique def
/CW /Courier def
/CO /Courier def
/CI /Courier-Oblique def
/CB /Courier-Bold def
/CX /Courier-BoldOblique def
/PA /Palatino-Roman def
/PI /Palatino-Italic def
/PB /Palatino-Bold def
/PX /Palatino-BoldItalic def
/Hr /Helvetica-Narrow def
/Hi /Helvetica-Narrow-Oblique def
/Hb /Helvetica-Narrow-Bold def
/Hx /Helvetica-Narrow-BoldOblique def
/KR /Bookman-Light def
/KI /Bookman-LightItalic def
/KB /Bookman-Demi def
/KX /Bookman-DemiItalic def
/AR /AvantGarde-Book def
/AI /AvantGarde-BookOblique def
/AB /AvantGarde-Demi def
/AX /AvantGarde-DemiOblique def
/NR /NewCenturySchlbk-Roman def
/NI /NewCenturySchlbk-Italic def
/NB /NewCenturySchlbk-Bold def
/NX /NewCenturySchlbk-BoldItalic def
/ZD /ZapfDingbats def
/ZI /ZapfChancery-MediumItalic def
/S  /S def
/S1 /S1 def
/GR /Symbol def

/inch {72 mul} bind def
/min {2 copy gt {exch} if pop} bind def

/setup {
	counttomark 2 idiv {def} repeat pop

	landscape {/orientation 90 orientation add def} if
	/scaling 72 resolution div def
	linewidth setlinewidth
	1 setlinecap

	pagedimensions
	xcenter ycenter translate
	orientation rotation mul rotate
	width 2 div neg height 2 div translate
	xoffset inch yoffset inch neg translate
	margin 2 div dup neg translate
	magnification dup aspectratio mul scale
	scaling scaling scale

	addmetrics
	0 0 moveto
} def

/pagedimensions {
	useclippath userdict /gotpagebbox known not and {
		/pagebbox [clippath pathbbox newpath] def
		roundpage currentdict /roundpagebbox known and {roundpagebbox} if
	} if
	pagebbox aload pop
	4 -1 roll exch 4 1 roll 4 copy
	landscape {4 2 roll} if
	sub /width exch def
	sub /height exch def
	add 2 div /xcenter exch def
	add 2 div /ycenter exch def
	userdict /gotpagebbox true put
} def

/addmetrics {
	/Symbol /S null Sdefs cf
	/Times-Roman /S1 StandardEncoding dup length array copy S1defs cf
} def

/pagesetup {
	/page exch def
	currentdict /pagedict known currentdict page known and {
		page load pagedict exch get cvx exec
	} if
} def

/decodingdefs [
	{counttomark 2 idiv {y moveto show} repeat}
	{neg /y exch def counttomark 2 idiv {y moveto show} repeat}
	{neg moveto {2 index stringwidth pop sub exch div 0 32 4 -1 roll widthshow} repeat}
	{neg moveto {spacewidth sub 0.0 32 4 -1 roll widthshow} repeat}
	{counttomark 2 idiv {y moveto show} repeat}
	{neg setfunnytext}
] def

/setdecoding {/t decodingdefs 3 -1 roll get bind def} bind def

/w {neg moveto show} bind def
/m {neg dup /y exch def moveto} bind def
/done {/lastpage where {pop lastpage} if} def

/f {
	dup /font exch def findfont exch
	dup /ptsize exch def scaling div dup /size exch def scalefont setfont
	linewidth ptsize mul scaling 10 mul div setlinewidth
	/spacewidth ( ) stringwidth pop def
} bind def

/changefont {
	/fontheight exch def
	/fontslant exch def
	currentfont [
		1 0
		fontheight ptsize div fontslant sin mul fontslant cos div
		fontheight ptsize div
		0 0
	] makefont setfont
} bind def

/sf {f} bind def

/cf {
	dup length 2 idiv
	/entries exch def
	/chtab exch def
	/newencoding exch def
	/newfont exch def

	findfont dup length 1 add dict
	/newdict exch def
	{1 index /FID ne {newdict 3 1 roll put}{pop pop} ifelse} forall

	newencoding type /arraytype eq {newdict /Encoding newencoding put} if

	newdict /Metrics entries dict put
	newdict /Metrics get
	begin
		chtab aload pop
		1 1 entries {pop def} for
		newfont newdict definefont pop
	end
} bind def

%
% A few arrays used to adjust reference points and character widths in some
% of the printer resident fonts. If square roots are too high try changing
% the lines describing /radical and /radicalex to,
%
%	/radical	[0 -75 550 0]
%	/radicalex	[-50 -75 500 0]
%
% Move braceleftbt a bit - default PostScript character is off a bit.
%

/Sdefs [
	/bracketlefttp		[201 500]
	/bracketleftbt		[201 500]
	/bracketrighttp		[-81 380]
	/bracketrightbt		[-83 380]
	/braceleftbt		[203 490]
	/bracketrightex		[220 -125 500 0]
	/radical		[0 0 550 0]
	/radicalex		[-50 0 500 0]
	/parenleftex		[-20 -170 0 0]
	/integral		[100 -50 500 0]
	/infinity		[10 -75 730 0]
] def

/S1defs [
	/underscore		[0 80 500 0]
	/endash			[7 90 650 0]
] def
%
% Tries to round clipping path dimensions, as stored in array pagebbox, so they
% match one of the known sizes in the papersizes array. Lower left coordinates
% are always set to 0.
%

/roundpagebbox {
    7 dict begin
	/papersizes [8.5 inch 11 inch 14 inch 17 inch] def

	/mappapersize {
		/val exch def
		/slop .5 inch def
		/diff slop def
		/j 0 def
		0 1 papersizes length 1 sub {
			/i exch def
			papersizes i get val sub abs
			dup diff le {/diff exch def /j i def} {pop} ifelse
		} for
		diff slop lt {papersizes j get} {val} ifelse
	} def

	pagebbox 0 0 put
	pagebbox 1 0 put
	pagebbox dup 2 get mappapersize 2 exch put
	pagebbox dup 3 get mappapersize 3 exch put
    end
} bind def

%%EndProlog
%%BeginSetup
mark
/linewidth 0.5 def
/xoffset 0 def
/yoffset 0 def
/#copies 1 store
/magnification 1 def
%%FormsPerPage: 1
/formsperpage 1 def

/landscape false def
/resolution 720 def
setup
2 setdecoding
%%EndSetup
%%Page: 1 1
/saveobj save def
mark
1 pagesetup
12 B f
(A Tour of IX)3 669 1 2545 1230 t
10 I f
(Doug McIlroy)1 568 1 2596 1470 t
(Jim Reeds)1 407 1 2676 1650 t
(ABSTRACT)2643 2090 w
10 R f
(The IX experimental version of)4 1274 1 1330 2350 t
9 R f
(UNIX)2631 2350 w
10 S f
(\322)2856 2350 w
10 R f
(supports dynamic security labels, integrity)4 1716 1 2964 2350 t
( of its use show how IX differs from classical)9 1852( Examples)1 448(controls, and divided privileges.)3 1300 3 1080 2470 t
(systems, and give some hints about how cope with the differences.)10 2663 1 1080 2590 t
( is intended for)3 638(Although this tour consists of simple examples, it)7 2061 2 970 2866 t
9 R f
(UNIX)3704 2866 w
10 R f
( touches on the)3 638(experts. It)1 436 2 3966 2866 t
(actions of system administrators as well as of ordinary users.)9 2430 1 720 2986 t
( way to show)3 545(Many of the examples show things that don't work, because that seemed like a quicker)14 3525 2 970 3142 t
( to give a feel for how to cope with its novelties than would a series of examples)17 3226(what IX is really about and)5 1094 2 720 3262 t
( frustrations of these examples, which are not qualitatively different from the frus-)12 3309( The)1 207( worked.)1 351(that always)1 453 4 720 3382 t
(trations that a newcomer to)4 1127 1 720 3502 t
9 R f
(UNIX)1880 3502 w
10 R f
( of everyday use.)3 708(may experience, should not be taken as characteristic)7 2192 2 2140 3502 t
(By and large IX works just like any)7 1423 1 720 3622 t
9 R f
(UNIX)2166 3622 w
10 R f
( in multiple)2 464( differences only show up when you work)7 1677(system. The)1 508 3 2391 3622 t
( actually easier than that of other)6 1350( the IX model is)4 676( Then)1 263(security compartments or levels at the same time.)7 2031 4 720 3742 t
9 R f
(UNIX)720 3862 w
10 R f
(systems with labeled access control.)4 1445 1 970 3862 t
10 B f
(Logging in)1 460 1 720 4102 t
10 R f
(The first thing you see when you attempt to log in is familiar.)12 2457 1 970 4258 t
10 CW f
(login:)1080 4438 w
10 R f
( may look like this,)4 770( It)1 111(But after you answer with a login name, the password prompt is different.)12 2951 3 720 4618 t
10 CW f
(Password\(you:19818\):)1080 4798 w
10 R f
( with a tradi-)3 543( may reply)2 445( You)1 231(The prompt reminds you of who you claim to be, in case you didn't know.)14 3101 4 720 4978 t
( for a Secure Net Key \(also known as)8 1586( prompt also gives a 5-digit challenge string)7 1848( The)1 218(tional password.)1 668 4 720 5098 t
( the box)2 350( Unlock)1 358( the system's security administrator.)4 1502(Atalla\) challenge box, which you may obtain from)7 2110 4 720 5218 t
( computer the first 5 characters of)6 1358(with its password, key the challenge string into the box, and type into the)13 2962 2 720 5338 t
( the box displays)3 675( If)1 116(the response\320all in lower case.)4 1272 3 720 5458 t
10 CW f
(9Ab34F70)1080 5638 w
10 R f
(type)720 5818 w
10 CI f
(9ab34)1080 5998 w
10 R f
( time you log in you get a different challenge.)9 1825( Every)1 288(and you should be admitted.)4 1130 3 720 6178 t
( is)1 109( IX)1 171( sometimes the system admits no alternative.)6 1887( Because)1 398(Why all the challenge-box folderol?)4 1505 5 970 6334 t
( you try to log in from some ``untrusted'' source, such as a modem in Cal-)15 2974( If)1 116(paranoid about eavesdropping.)2 1230 3 720 6454 t
(ifornia or another computer, where unknown agents might be listening in, you)11 3121 1 720 6574 t
10 I f
(must)3866 6574 w
10 R f
(use the challenge box:)3 890 1 4080 6574 t
10 CW f
(Password\(TAPPED LINE:23740\):)1 1680 1 1080 6754 t
10 R f
( one never knows, so the system makes the pessimistic guess and reminds)12 3022(The line may not be tapped, but)6 1298 2 720 6934 t
(you not to use your ordinary password.)6 1562 1 720 7054 t
( in, you can poke around as in an ordinary)9 1914(Once you're logged)2 842 2 970 7210 t
9 R f
(UNIX)3775 7210 w
10 R f
( a few)2 295(system. Try)1 523 2 4051 7210 t
10 CW f
(ls)4920 7210 w
cleartomark
showpage
saveobj restore
%%EndPage: 1 1
%%Page: 2 2
/saveobj save def
mark
2 pagesetup
10 R f
(- 2 -)2 166 1 2797 480 t
(commands:)720 840 w
10 CW f
($)1080 1020 w
10 CI f
(ls .)1 240 1 1200 1020 t
10 CW f
($)1080 1140 w
10 CI f
(ls /)1 240 1 1200 1140 t
10 CW f
($)1080 1260 w
10 CI f
(ls -l /etc)2 600 1 1200 1260 t
10 R f
( with the listing of)4 734( Along)1 300(You may see some surprises.)4 1162 3 720 1440 t
10 CW f
(/etc)2941 1440 w
10 R f
(appears)3206 1440 w
10 CW f
(ls: /etc/pwfile: Security label violation)4 2460 1 1080 1620 t
10 R f
( The)1 207(This is a file you're not cleared to see, and with good reason; it contains the challenge-box passwords.)17 4113 2 720 1800 t
(file has a very high security)5 1136 1 720 1920 t
10 I f
(label,)1887 1920 w
10 R f
( odd that the label applies not only to the)9 1675( may seem)2 439( It)1 117(or classification.)1 666 4 2143 1920 t
( reason is that information, such as file mode and modification)10 2510( The)1 205(contents of the file, but also to its inode.)8 1605 3 720 2040 t
( information is, as far as the sytem can tell, as secret as anything else)14 2759( That)1 234(time, can be written in the inode.)6 1327 3 720 2160 t
(in the file.)2 408 1 720 2280 t
( course no ordinary)3 785( Of)1 159( inode?)1 295( would anybody put secrets in an)6 1333( Why)1 247(Here is a classic security issue.)5 1251 6 970 2436 t
( Any)1 232( however, attempts to prevent dishonest as well as accidental disclosure of secrets.)12 3420( IX,)1 191(user would.)1 477 4 720 2556 t
( information)1 500( Inode)1 280( could be a Trojan horse, attempting to slip secrets through the cracks.)12 2837(ordinary program)1 703 4 720 2676 t
(is just one of many possible cracks.)6 1418 1 720 2796 t
10 B f
(Labels)720 3036 w
10 R f
(Every process and every file, including terminals, pipes, and even)9 2646 1 970 3192 t
10 CW f
(/dev/null)3643 3192 w
10 R f
( find)1 189( To)1 164( a label.)2 319(, has)1 185 4 4183 3192 t
(the label of your shell, type)5 1093 1 720 3312 t
10 CW f
($)1080 3492 w
10 CI f
(getlab)1200 3492 w
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 3612 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 3732 t
10 R f
(There is the process label,)4 1055 1 720 3912 t
10 CW f
(ffff 0000 0000 ...)3 1095 1 1805 3912 t
10 R f
(, a hex constant representing the first 48 of a total of)11 2140 1 2900 3912 t
( ought to be symbolic names for)6 1342( There)1 291( for the primitive representation.)4 1331( apologize)1 423( \(We)1 231(480 bits of label.)3 702 6 720 4032 t
( particular label is the system)5 1183( This)1 231( but they haven't been implemented.\))5 1507(common labels,)1 635 4 720 4152 t
10 I f
(floor,)4304 4152 w
10 R f
(the standard)1 488 1 4552 4152 t
( is also the standard label for communicating with the unclassified)10 2647( It)1 111( users.)1 255(unclassified starting place for all)4 1307 4 720 4272 t
( come back)2 462( We'll)1 281( of minus signs have to do with the tricky matter of privilege.)12 2499( strings)1 295( The)1 208(outside world.)1 575 6 720 4392 t
(to that later.)2 480 1 720 4512 t
(You can ask for the label of the terminal\320actually for the labels of all open file descriptors \()17 3706 1 970 4668 t
10 CW f
(-d)4676 4668 w
10 R f
(\):)4796 4668 w
10 CW f
($)1080 4848 w
10 CI f
(getlab -d)1 540 1 1200 4848 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 4968 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 5088 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 0)1 240 5 1080 5208 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 1)1 240 5 1080 5328 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 2)1 240 5 1080 5448 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 3)1 240 5 1080 5568 t
10 R f
( four default file descriptors, standard)5 1572( All)1 192(For good measure, the process label has been reported again.)9 2556 3 720 5748 t
( must, for they all)4 736(input, standard output, standard error, and control stream, have the same label\320as they)12 3584 2 720 5868 t
(refer to the same open file.)5 1069 1 720 5988 t
(Besides a label, each process also has a)7 1596 1 970 6144 t
10 I f
(ceiling,)2595 6144 w
10 R f
( deal with.)2 429(the highest label the process is allowed to)7 1690 2 2921 6144 t
( may look below the)4 820( You)1 223( log in, you are not permitted to see anything higher than the floor.)13 2674(When you first)2 603 4 720 6264 t
( process may look at any file with a bitwise lesser or equal label.)13 2579( A)1 122(floor, however.)1 612 3 720 6384 t
(The all-purpose)1 629 1 970 6540 t
10 CW f
(getlab)1624 6540 w
10 R f
(command can also retrieve the label of a file.)8 1798 1 2009 6540 t
10 CW f
($)1080 6720 w
10 CI f
(getlab /etc/passwd)1 1080 1 1200 6720 t
10 CW f
( 0000 ...)2 540( 0000)1 480( ------)1 420(/etc/passwd ------)1 1800 4 1080 6840 t
10 R f
( as)1 115(The all-zero label, known)3 1043 2 720 7020 t
10 I f
(bottom,)1910 7020 w
10 R f
( the classical password file is, as)6 1337( Thus)1 257(is visible from every process.)4 1201 3 2245 7020 t
(always, visible to everybody.)3 1168 1 720 7140 t
( labels below the floor, which serves as the ``unclassified'')9 2503(What's the point of having files with)6 1567 2 970 7296 t
cleartomark
showpage
saveobj restore
%%EndPage: 2 2
%%Page: 3 3
/saveobj save def
mark
3 pagesetup
10 R f
(- 3 -)2 166 1 2797 480 t
( we answer, we must discuss the basic rule for handling classified information.)12 3145( Before)1 321(security level?)1 579 3 720 840 t
10 I f
( of the destination of a data transfer must dominate \(be bitwise greater than or equal)15 3443(The label)1 377 2 970 996 t
(to\) the label of the source.)5 1049 1 970 1116 t
10 R f
( ordinary file permissions, which the owners of files can)9 2354( Unlike)1 333(In other words, data may only flow up.)7 1633 3 720 1272 t
( system enforces them automatically.)4 1484( The)1 205(change at will, label restrictions are mandatory.)6 1896 3 720 1392 t
( permissions allow writing, an attempt to)6 1648( the)1 148( When)1 289(IX supports the usual file permission mechanism.)6 1985 4 970 1548 t
( transfer may be prohibited, or the file)7 1568( The)1 213(write high data into a low file can have one of two outcomes.)12 2539 3 720 1668 t
( on which outcome is preferred, files)6 1490( Depending)1 492( the label of the source process.)6 1279(label may change to cover)4 1059 4 720 1788 t
( labels may be)3 586( Their)1 270( be protected in two different ways.)6 1440(below the floor may)3 822 4 720 1908 t
10 I f
(frozen,)3867 1908 w
10 R f
(in which case writing)3 869 1 4171 1908 t
(down is prohibited, or their labels may be)7 1686 1 720 2028 t
10 I f
(loose,)2434 2028 w
10 R f
( is impossible for)3 704( It)1 115( case writing raises the label.)5 1173(in which)1 350 4 2698 2028 t
( unauthorized tam-)2 760( Thus)1 253( process.)1 352(data written by an ordinary process to have a label below the label of the)14 2955 4 720 2148 t
( if it is possible at all, be exposed by the file's label changing)13 2585(pering with a supposedly bottom file will,)6 1735 2 720 2268 t
(away from bottom.)2 763 1 720 2388 t
( Labels)1 329( ``negative.'')1 533(We think of the floor as the zero of labels, with labels below the floor being)15 3208 3 970 2544 t
( with monitor-)2 586( below the floor are concerned)5 1240( Labels)1 321(above the floor are concerned with protecting secrets.)7 2173 4 720 2664 t
(ing ``integrity'', i.e. with detecting unintended changes.)6 2230 1 720 2784 t
(Let us look at some more labels.)6 1296 1 970 2940 t
10 CW f
($)1080 3120 w
10 CI f
(getlab /bin /bin/cp)2 1140 1 1200 3120 t
10 CW f
( 0000 ...)2 540( 0000)1 360( ------ F)2 540(/bin ------)1 1800 4 1080 3240 t
( 0000 ...)2 540( 0000)1 480( ------)1 420(/bin/cp ------)1 1800 4 1080 3360 t
10 R f
( the directory)2 556( One,)1 253( labels.)1 295(Both files have bottom)3 947 4 720 3540 t
10 CW f
(/bin)2808 3540 w
10 R f
(, is flagged)2 465 1 3048 3540 t
10 CW f
(F)3550 3540 w
10 R f
( is a prophylactic)3 721( This)1 240(for frozen.)1 432 3 3647 3540 t
( prevent the directory's label from rising whenever somebody\320mistakenly\320creates a file in it)12 3877(measure to)1 443 2 720 3660 t
( that file creation involves)4 1043( \(Recall)1 338(from a high process.)3 815 3 720 3780 t
10 I f
(writing)2941 3780 w
10 R f
(in the containing directory.\))3 1115 1 3256 3780 t
( the files in it would)5 818( All)1 181( get a high label.)4 675(Considerable trouble would ensue should the directory ever)7 2396 4 970 3936 t
( all low processes that did have)6 1302( subtly, the labels of)4 848( More)1 276(be cut off from processes with lower ceilings.)7 1894 4 720 4056 t
( would spread)2 568( contaminated, the processes)3 1151( Thus)1 253(clearance to search the directory would automatically rise.)7 2348 4 720 4176 t
( directories have justifiably been dubbed ``tar babies.'')7 2189( Mislabeled)1 494(the unwanted label like a disease.)5 1336 3 720 4296 t
( program)1 383(The label of the)3 686 2 970 4452 t
10 CW f
(/bin/cp)2084 4452 w
10 R f
( penalty if it)3 546( The)1 225(is not frozen, although it might well be.)7 1720 3 2549 4452 t
( is considerably less, because a program \(except perhaps for a shell\) is far less)14 3251(becomes wrong, however,)2 1069 2 720 4572 t
( program, of course, is still protected by permissions:)8 2126( The)1 205(often consulted than is its directory.)5 1432 3 720 4692 t
10 CW f
($)1080 4872 w
10 CI f
(ls -l /bin/cp)2 780 1 1200 4872 t
10 CW f
( /bin/cp)1 480( 1987)1 360( Oct 16)2 420( 11264)1 540( bin)1 480(-rwxrwxr-x 1 bin)2 1080 6 1080 4992 t
(/bin/cp)720 5172 w
10 R f
(can be written by user)4 893 1 1168 5172 t
10 CW f
(bin)2089 5172 w
10 R f
(and by group)2 533 1 2297 5172 t
10 CW f
(bin)2858 5172 w
10 R f
( particular, the superuser cannot write in)6 1634(only. In)1 340 2 3066 5172 t
( superuser can still do)4 919( The)1 217( universal write permission.)3 1146(the file; in IX the superuser has been stripped of)9 2038 4 720 5292 t
(damage by masquerading:)2 1048 1 720 5412 t
10 CW f
(#)1080 5592 w
10 CI f
(/etc/su bin)1 660 1 1200 5592 t
10 CW f
($)1080 5712 w
10 CI f
(cp trash /bin/cp)2 960 1 1200 5712 t
10 R f
(or by taking over the file)5 990 1 720 5892 t
10 CW f
(#)1080 6072 w
10 CI f
(/etc/chown root /bin/cp)2 1380 1 1200 6072 t
10 CW f
(#)1080 6192 w
10 CI f
(cp trash /bin/cp)2 960 1 1200 6192 t
10 R f
( use of privilege, which)4 956(Still, unless the superuser has managed to get the process label down to bottom \(by)14 3364 2 720 6372 t
(we shall discuss later\) the incident will leave a tell-tale notice in the new label)14 3117 1 720 6492 t
10 CW f
($)1080 6672 w
10 CI f
(getlab /bin/cp)1 840 1 1200 6672 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420(/bin/cp ------)1 1800 4 1080 6792 t
10 R f
( system)1 314( A)1 133( a file that should be at bottom reveals that the file has been compromised.)14 3125(The floor label on)3 748 4 720 6972 t
( a bogus)2 351(administrator installing new software could guard against handling it with)9 3046 2 720 7092 t
10 CW f
(cp)4151 7092 w
10 R f
(by running with a)3 735 1 4305 7092 t
(ceiling below the floor; we'll see how later.)7 1741 1 720 7212 t
cleartomark
showpage
saveobj restore
%%EndPage: 3 3
%%Page: 4 4
/saveobj save def
mark
4 pagesetup
10 R f
(- 4 -)2 166 1 2797 480 t
( at other labels is best)5 908( Work)1 286(It's a good idea to have your home directory frozen at the login label.)13 2876 3 970 840 t
( to check,)2 385( Just)1 206(done in other directories.)3 998 3 720 960 t
10 CW f
($)1080 1140 w
10 CI f
(getlab $HOME)1 720 1 1200 1140 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 360( ------ F)2 540(/usr/you ------)1 1800 4 1080 1260 t
10 R f
( one would expect, there is a)6 1157( As)1 164(Wisely, it is frozen.)3 794 3 720 1440 t
10 CW f
(setlab)2863 1440 w
10 R f
( file's owner\320)2 612( A)1 125(program to change things.)3 1052 3 3251 1440 t
(and nobody else\320may change a file from frozen to loose and back. Here we subtract \()15 3517 1 720 1560 t
10 CW f
(-s)4237 1560 w
10 R f
( frozen indi-)2 499(\) the)1 184 2 4357 1560 t
(cator, which works.)2 787 1 720 1680 t
10 CW f
($)1080 1860 w
10 CI f
(setlab -s F $HOME)3 1020 1 1200 1860 t
10 CW f
($)1080 1980 w
10 CI f
(getlab $HOME)1 720 1 1200 1980 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420(/usr/you ------)1 1800 4 1080 2100 t
10 R f
(Next we try to set the label lower by ``subtracting'')9 2063 1 720 2280 t
10 CW f
(ffff)2810 2280 w
10 R f
( being a downward change in label, is ille-)8 1710(. This,)1 280 2 3050 2280 t
(gal.)720 2400 w
10 CW f
($)1080 2580 w
10 CI f
(setlab -s ffff $HOME)3 1200 1 1200 2580 t
10 CW f
(/usr/you: Security label violation)3 2040 1 1080 2700 t
10 R f
(Because it's wise to leave the home directory frozen, let's add \()11 2626 1 720 2880 t
10 CW f
(-a)3346 2880 w
10 R f
(\) the frozen indicator,)3 888 1 3466 2880 t
10 CW f
(F)4387 2880 w
10 R f
(, back into the)3 593 1 4447 2880 t
(label.)720 3000 w
10 CW f
($)1080 3180 w
10 CI f
(setlab -a F $HOME)3 1020 1 1200 3180 t
10 CW f
($)1080 3300 w
10 CI f
(getlab $HOME)1 720 1 1200 3300 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 360( ------ F)2 540(/usr/you ------)1 1800 4 1080 3420 t
10 B f
(Fixity,)720 3720 w
8 B f
(YES,)1020 3720 w
10 B f
(and no)1 293 1 1222 3720 t
10 R f
( are two more degrees of fixity,)6 1357( There)1 299(We have seen that a label may be ``frozen'' or ``loose.'')10 2414 3 970 3876 t
( file descriptors for a ter-)5 1019( The)1 210( without privilege.)2 746( labels cannot be changed)4 1049( Rigid)1 279(``rigid'' and ``constant.'')2 1017 6 720 3996 t
(minal are rigid, denoted)3 954 1 720 4116 t
10 CW f
(R)1699 4116 w
10 R f
(in a displayed label.)3 799 1 1784 4116 t
10 CW f
($)1080 4296 w
10 CI f
(getlab -d)1 540 1 1200 4296 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 4416 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 4536 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 0)1 240 5 1080 4656 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 1)1 240 5 1080 4776 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 2)1 240 5 1080 4896 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 1560(fd 3)1 240 5 1080 5016 t
10 R f
( terminal's label is that data cannot be controlled after leaving the computer.)12 3083(The reason for the rigidity of a)6 1237 2 720 5196 t
( system cannot)2 610( The)1 213(Special negotiations were required to determine an acceptable label in the first place.)12 3497 3 720 5316 t
(honor an arbitrary change in label, for only a single level of data transfer has been approved.)16 3690 1 720 5436 t
(Constant labels, denoted)2 988 1 970 5592 t
10 CW f
(C)1987 5592 w
10 R f
(in a)1 151 1 2076 5592 t
10 CW f
(getlab)2256 5592 w
10 R f
( exam-)1 279( An)1 177(display, are built in; they can never be changed.)8 1939 3 2645 5592 t
(ple is)1 214 1 720 5712 t
10 CW f
(/dev/null)959 5712 w
10 R f
(.)1499 5712 w
10 CW f
($)1080 5892 w
10 CI f
(getlab /dev/null)1 960 1 1200 5892 t
10 CW f
( ------ CY 0000 0000 ...)5 1440(/dev/null ------)1 1800 2 1080 6012 t
10 R f
(It is also marked)3 684 1 720 6192 t
10 CW f
(Y)1436 6192 w
10 R f
(for the special label)3 805 1 1528 6192 t
8 R f
(YES.)2365 6192 w
10 R f
( of any)2 293(A file so labeled can be read or written by processes)10 2153 2 2594 6192 t
( is justified for)3 586(label. This)1 447 2 720 6312 t
10 CW f
(/dev/null)1778 6312 w
10 R f
(because whatever goes in there never comes out.)7 1944 1 2343 6312 t
(Complementary to)1 757 1 970 6468 t
8 R f
(YES)1762 6468 w
10 R f
(is the other special label)4 1009 1 1950 6468 t
10 B f
(no)2995 6468 w
10 R f
( file so labeled can be read or written only)9 1781(. A)1 158 2 3101 6468 t
( usual use of label)4 745( The)1 211(with privilege.)1 589 3 720 6588 t
10 B f
(no)2295 6588 w
10 R f
( external)1 351( Unopened)1 465(is to prevent data from leaving the machine.)7 1793 3 2431 6588 t
(ports are labeled rigid)3 888 1 720 6708 t
10 B f
(no)1638 6708 w
10 R f
( programs, in particular)3 952(. Privileged)1 491 2 1744 6708 t
10 CW f
(login)3218 6708 w
10 R f
(, can give a different label to the file.)8 1522 1 3518 6708 t
( process has the device open, at which time it reverts automatically to)12 2836(The label persists as long as any)6 1323 2 720 6828 t
10 B f
(no)4909 6828 w
10 R f
(.)5015 6828 w
( a)1 72(Because label protection covers inodes as well as data, unprivileged processes cannot fetch the label from)15 4248 2 720 6948 t
10 B f
(no)720 7068 w
10 R f
( currently active login devices,)4 1232( the following example, the labels of two)7 1651(file. In)1 293 3 853 7068 t
10 CW f
(dk08)4055 7068 w
10 R f
(and)4321 7068 w
10 CW f
(dk10)4491 7068 w
10 R f
(, can be)2 309 1 4731 7068 t
(seen; the)1 352 1 720 7188 t
10 B f
(no)1097 7188 w
10 R f
(label of the currently unused device,)5 1452 1 1228 7188 t
10 CW f
(dk12)2705 7188 w
10 R f
(, cannot.)1 341 1 2945 7188 t
cleartomark
showpage
saveobj restore
%%EndPage: 4 4
%%Page: 5 5
/saveobj save def
mark
5 pagesetup
10 R f
(- 5 -)2 166 1 2797 480 t
10 CW f
($)1080 900 w
10 CI f
(who)1200 900 w
10 CW f
( 14 05:59)2 540( May)1 300(reeds dk/dk08)1 960 3 1080 1020 t
( 14 12:59)2 540( May)1 300(you dk/dk10)1 960 3 1080 1140 t
($)1080 1260 w
10 CI f
(getlab /dev/dk/dk08 /dev/dk/dk10 /dev/dk/dk12)3 2700 1 1200 1260 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 600(/dev/dk/dk08 [name])1 1200 5 1080 1380 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 600(/dev/dk/dk10 [name])1 1200 5 1080 1500 t
(/dev/dk/dk12: Security label violation)3 2280 1 1080 1620 t
10 R f
( they are)2 357( When)1 294(The label of a device need not be the same as the label of an opening of the device.)18 3419 3 970 1836 t
(different,)720 1956 w
10 CW f
(getlab)1113 1956 w
10 R f
( example is)2 455( An)1 172(reports both.)1 505 3 1498 1956 t
10 CW f
(/dev/tty)2655 1956 w
10 R f
(.)3135 1956 w
10 CW f
($)1080 2136 w
10 CI f
(getlab /dev/tty)1 900 1 1200 2136 t
10 CW f
( ------ CY 0000 0000 ...)5 1440( ------)1 600(/dev/tty [name])1 1200 3 1080 2256 t
( 0000 0000 ...)3 840( ffff)1 360( ------ R)2 540( ------)1 600(/dev/tty [desc])1 1200 5 1080 2376 t
10 R f
(The device is a constant)4 975 1 720 2556 t
8 R f
(YES;)1724 2556 w
10 R f
( instance of)2 470( open file, though, is just another)6 1340( The)1 209(it can always be examined.)4 1094 4 1927 2556 t
(file descriptor 3 and shares its label, which in this \(normal\) case has a rigid floor value.)16 3477 1 720 2676 t
10 B f
(Higher labels)1 570 1 720 2916 t
10 R f
( work)1 237( To)1 168(When you register as a user, you are given clearance for data up to some maximum level.)16 3665 3 970 3072 t
( a ses-)2 249( a try for)3 349( Here's)1 316(with data above the floor, but within your clearance, you need a higher-label session.)13 3406 4 720 3192 t
( to)1 106( apply to the ``privilege server'' to invoke a session-making command)10 2832( We)1 190(sion with a top \(all-1's\) label.)5 1192 4 720 3312 t
(do the trick.)2 480 1 720 3432 t
10 CW f
($)1080 3612 w
10 CI f
(priv session -l ffff...)3 1380 1 1200 3612 t
10 CW f
(Password\(you:38510\):)1080 3732 w
(Sorry.)1080 3852 w
10 R f
(Too bad; not enough clearance.)4 1255 1 720 4032 t
10 CW f
($)1080 4212 w
10 CI f
(priv session -l ffffa)3 1260 1 1200 4212 t
10 CW f
(Password\(you:57747\):)1080 4332 w
(priv\(session -l ffffa\)?)2 1380 1 1080 4452 t
10 CI f
(y)2520 4452 w
10 CW f
(session -l ffffa \(EXEC /bin/sh\)?)4 1920 1 1080 4572 t
10 CI f
(y)3060 4572 w
10 CW f
($)1080 4692 w
10 CI f
(getlab)1200 4692 w
10 CW f
( a000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 4812 t
( a000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 4932 t
10 R f
( a free service of)4 663(Success. As)1 502 2 720 5112 t
10 I f
(session,)1910 5112 w
10 R f
( it went up at all proves that you)8 1296( fact that)2 349( The)1 205(the ceiling went up too.)4 941 4 2249 5112 t
(are recorded as being cleared for at least that level.)9 2026 1 720 5232 t
( other questions were asked, one by)6 1440(Besides the password, two)3 1066 2 970 5388 t
10 CW f
(priv)3504 5388 w
10 R f
(, and one by)3 497 1 3744 5388 t
10 CW f
(session)4269 5388 w
10 R f
( is)1 95(. This)1 256 2 4689 5388 t
( shell, a horrendously)3 887( The)1 214( by the shell.)3 538( request for a sensitive action was mediated)7 1808( Your)1 265(more paranoia.)1 608 6 720 5508 t
( other programs as)3 755(complicated and highly spoofable program cannot be trusted to deliver the arguments to)12 3565 2 720 5628 t
( that what the trusted programs received is what you)9 2214( you were asked to confirm)5 1164( Thus)1 265(you typed them.)2 677 4 720 5748 t
(typed.*)720 5868 w
( bits are often portioned)4 990( The)1 214( beyond the floor group.)4 1004(There is nothing special about any of the bits)8 1862 4 970 6024 t
( are evidently cleared for at least compartment)7 1853( You)1 222(out to different information ``compartments.'')4 1844 3 720 6144 t
10 CW f
(0000 8000 0000 ...)3 1080 1 970 6300 t
10 R f
(,)2050 6300 w
(which stands perhaps for payroll information, and)6 2012 1 720 6456 t
10 CW f
(0000 2000 0000 ...)3 1092 1 2760 6456 t
10 R f
( Or-)1 192(, perhaps labor relations.)3 996 2 3852 6456 t
(ed together with the floor, these compartments make the full label)10 2632 1 720 6576 t
10 CW f
(ffff a000 0000 ...)3 1080 1 3377 6576 t
10 R f
( For)1 202(Labels also can be used to indicate classical security levels ordered by increasing sensitivity.)13 3868 2 970 6732 t
(example)720 6852 w
8 S1 f
(__________________)720 6980 w
8 R f
(* Later we'll see how you know that the whole dialog wasn't a spoof.)13 2221 1 720 7080 t
cleartomark
showpage
saveobj restore
%%EndPage: 5 5
%%Page: 6 6
/saveobj save def
mark
6 pagesetup
10 R f
(- 6 -)2 166 1 2797 480 t
10 CW f
(0000 0000 0000 ...)3 1080 1 970 840 t
10 R f
(unclassified)2050 840 w
10 CW f
(0000 0100 0000 ...)3 1080 1 970 960 t
10 R f
(confidential)2050 960 w
10 CW f
(0000 0300 0000 ...)3 1080 1 970 1080 t
10 R f
(secret)2050 1080 w
10 CW f
(0000 0700 0000 ...)3 1080 1 970 1200 t
10 R f
(top secret)1 385 1 2050 1200 t
( bitwise, not)2 504(Notice that the values are counted 0, 1, 3, 7 rather than 0, 1, 2, 3 because labels are compared)19 3816 2 720 1356 t
(as numeric values.)2 740 1 720 1476 t
(Remembering that it's wise to do higher level work in a different directory, try making one.)15 3664 1 970 1632 t
10 CW f
($)1080 1812 w
10 CI f
(mkdir classified)1 960 1 1200 1812 t
10 CW f
(classified: Unknown error)2 1500 1 1080 1932 t
10 R f
( intended to write the name of a new file)9 1661( You)1 227( have been done in the wrong order.)7 1470( Things)1 333(Too bad, again.)2 629 5 720 2112 t
( is frozen at a lower label than your)8 1429( write is forbidden because that directory)6 1653( The)1 208(into your home directory.)3 1030 4 720 2232 t
( standard pro-)2 576( error'' should really be ``Security label violation,'' but not all)10 2593( ``Unknown)1 520(current session.)1 631 4 720 2352 t
(grams yet know about this new error code.)7 1702 1 720 2472 t
(Better leave the high session and start again.)7 1775 1 970 2628 t
10 CW f
($)1080 2808 w
10 S f
(<)1200 2808 w
10 R f
(control-D)1255 2808 w
10 S f
(>)1643 2808 w
10 R f
(\(to leave high session\))3 896 1 1823 2808 t
10 CW f
($)1080 2928 w
10 CI f
(mkdir classified)1 960 1 1200 2928 t
10 CW f
($)1080 3048 w
10 CI f
(priv session -l ffffa)3 1260 1 1200 3048 t
10 CW f
(Password\(you:57747\):)1080 3168 w
(priv\(session -l ffffa\)?)2 1380 1 1080 3288 t
10 CI f
(y)2520 3288 w
10 CW f
(session -l ffffa \(EXEC /bin/sh\)?)4 1920 1 1080 3408 t
10 CI f
(y)3060 3408 w
10 CW f
($)1080 3528 w
10 CI f
(getlab classified)1 1020 1 1200 3528 t
10 CW f
(classified: Security label violation)3 2160 1 1080 3648 t
10 R f
( are we?)2 331( Where)1 315(Now things are getting a bit ridiculous.)6 1563 3 720 3828 t
10 CW f
($)1080 4008 w
10 CI f
(pwd)1200 4008 w
10 CW f
(/)1080 4128 w
10 R f
( are actually stuck in a black hole, a directory labeled)10 2165( You)1 226( a lie.)2 227(This is crazy; and it is)5 895 4 720 4308 t
10 B f
(no)4262 4308 w
10 R f
(, which not even)3 672 1 4368 4308 t
10 CW f
(pwd)720 4428 w
10 R f
( perhaps an excess of zeal the privilege server,)8 1860( With)1 251( to.)1 129(can trace the path)3 706 4 927 4428 t
10 CW f
(priv)3899 4428 w
10 R f
(, starts each privileged)3 901 1 4139 4428 t
( prevents spoofing games with relative path-)6 1787( This)1 230(process in the black hole and cleans out the environment.)9 2303 3 720 4548 t
( also means that you have to do a bit of extra work and probably reexe-)15 2841( It)1 112(names and environment variables.)3 1367 3 720 4668 t
(cute your profile to get a friendly shell in a differently labeled session.)12 2809 1 720 4788 t
10 CW f
($)1080 4968 w
10 CI f
(cd $HOME)1 480 1 1200 4968 t
10 CW f
(no home directory)2 1020 1 1080 5088 t
10 R f
( environment is empty.)3 922(Oops. The)1 441 2 720 5268 t
10 CW f
($)1080 5448 w
10 CI f
(cd /usr/you)1 660 1 1200 5448 t
10 CW f
($)1080 5568 w
10 CI f
(getlab classified)1 1020 1 1200 5568 t
( 0000 ...)2 540( ffff)1 480( ------)1 420(classified ------)1 1800 4 1080 5688 t
10 R f
(Now create a file in directory)5 1171 1 720 5868 t
10 CW f
(classified)1916 5868 w
10 R f
(\(which as yet is still labeled at bottom\).)7 1577 1 2541 5868 t
10 CW f
($)1080 6048 w
10 CI f
(>classified/secretfile)1200 6048 w
10 CW f
($)1080 6168 w
10 CI f
(getlab classified classified/secretfile)2 2340 1 1200 6168 t
10 CW f
( a000 0000 ...)3 840( ffff)1 480( ------)1 420(classified ------)1 1800 4 1080 6288 t
( a000 0000 ...)3 840( ffff)1 480( ------)1 420(classified/secretfile ------)1 1800 4 1080 6408 t
10 R f
(The label of the directory)4 1022 1 720 6588 t
10 CW f
(classified)1769 6588 w
10 R f
(rises to cover the label of the process that created)9 1991 1 2396 6588 t
10 CW f
(secretfile)4415 6588 w
10 R f
(.)5015 6588 w
(And)720 6708 w
10 CW f
(secretfile)917 6708 w
10 R f
(bears the label of that process, too.)6 1386 1 1542 6708 t
(You may have guessed that the labels printed by)8 1984 1 970 6864 t
10 CW f
(getlab)2985 6864 w
10 R f
( in them only for readability.)5 1184(have blanks)1 480 2 3376 6864 t
( have already used additive and subtractive labels in)8 2111( We)1 192(The blanks are optional.)3 977 3 720 6984 t
10 CW f
(setlab)4029 6984 w
10 R f
( labels)1 261(; absolute)1 390 2 4389 6984 t
( is another way to freeze the label of the new directory:)11 2202( This)1 228(may be used as well.)4 829 3 720 7104 t
cleartomark
showpage
saveobj restore
%%EndPage: 6 6
%%Page: 7 7
/saveobj save def
mark
7 pagesetup
10 R f
(- 7 -)2 166 1 2797 480 t
10 CW f
($)1080 900 w
10 CI f
(setlab Fffffa classified)2 1440 1 1200 900 t
10 R f
( label from rising automatically, freezing prevents anybody else\320even the)9 3334(Besides preventing the)2 986 2 720 1080 t
( still change it with)4 787( the file's owner, you can)5 1044( As)1 167(superuser\320from tinkering with the label.)4 1680 4 720 1200 t
10 CW f
(setlab)4428 1200 w
10 R f
(. You)1 252 1 4788 1200 t
( raise our ceiling and change the label up further.)9 1956( Let's)1 255(can only change it upwards, however.)5 1510 3 720 1320 t
10 CW f
($)1080 1500 w
10 CI f
(priv session -C fffff # raise ceiling)6 2220 1 1200 1500 t
10 CW f
($)1080 1620 w
10 CI f
(setlab "ffff e" secretfile)3 1560 1 1200 1620 t
10 R f
(Now let's write stuff into the file and try to read it back)12 2213 1 970 1836 t
10 CW f
($)1080 2016 w
10 CI f
(echo hello >secretfile)2 1320 1 1200 2016 t
10 CW f
($)1080 2136 w
10 CI f
(cat secretfile)1 840 1 1200 2136 t
10 CW f
(Terminated)1080 2256 w
10 R f
(1)1680 2256 w
( high enough, so)3 682( ceiling is)2 401( The)1 211(Trouble again.)1 588 4 720 2436 t
10 CW f
(cat)2634 2436 w
10 R f
(can work, but the terminal is not labeled high enough)9 2194 1 2846 2436 t
( the output of)3 560( Thus)1 258(and its label is rigid.)4 846 3 720 2556 t
10 CW f
(cat)2417 2556 w
10 R f
( that it would)3 552(is blocked. The process dies in the same way)8 1858 2 2630 2556 t
(from writing on a broken pipe.)5 1226 1 720 2676 t
( were brought down to the session level,)7 1693(If the ceiling)2 532 2 970 2832 t
10 CW f
(cat)3232 2832 w
10 R f
( the)1 159( Try)1 206(could not read the file.)4 949 3 3449 2832 t
10 CW f
(drop)4800 2832 w
10 R f
(command, which runs a process with the ceiling dropped to the current process label.)13 3402 1 720 2952 t
10 CW f
($)1080 3132 w
10 CI f
(drop cat secretfile)2 1140 1 1200 3132 t
10 R f
( is all right for)4 572( It)1 111( come?)1 285( How)1 244(Still silence.)1 495 5 720 3312 t
10 CW f
(secretfile)2452 3312 w
10 R f
( no secrets are revealed thereby, for)6 1425(to be opened;)2 538 2 3077 3312 t
( silence of)2 418( The)1 209( sets in only when the file is read.)8 1372( Trouble)1 370(its name is known in a lower-labeled directory.*)7 1951 5 720 3432 t
10 CW f
(cat)720 3552 w
10 R f
( commands are.)2 629( Some)1 278(indicates that it is not careful about distinguishing read errors from end-of-file.)11 3145 3 925 3552 t
10 CW f
($)1080 3732 w
10 CI f
(drop cp secretfile /dev/tty)3 1620 1 1200 3732 t
10 CW f
(cp: secretfile: Unknown error)3 1740 1 1080 3852 t
10 R f
( little glitch simply shows that)5 1215( This)1 229(``Unknown error'' really should be ``Security label violation.'')7 2529 3 720 4032 t
10 CW f
(cp)4719 4032 w
10 R f
(, like)1 201 1 4839 4032 t
(most code in IX, was taken over lock, stock, and barrel from v10, knows nothing about security labels.)17 4105 1 720 4152 t
(Let's get rid of the file while we can)8 1452 1 970 4308 t
10 CW f
($)1080 4488 w
10 CI f
(rm secretfile)1 780 1 1200 4488 t
10 R f
(A couple of EOTs will get us back to where we started.)11 2212 1 720 4668 t
10 CW f
($)1080 4848 w
10 S f
(<)1200 4848 w
10 R f
(control-D)1255 4848 w
10 S f
(>)1643 4848 w
10 CW f
($)1080 4968 w
10 S f
(<)1200 4968 w
10 R f
(control-D)1255 4968 w
10 S f
(>)1643 4968 w
10 CW f
($)1080 5088 w
10 CI f
(getlab)1200 5088 w
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 5208 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 5328 t
($)1080 5448 w
10 CI f
(pwd)1200 5448 w
10 CW f
(/usr/you)1080 5568 w
10 R f
(Now remove the classified directory.)4 1477 1 720 5748 t
10 CW f
($)1080 5928 w
10 CI f
(rm classified)1 780 1 1200 5928 t
10 CW f
(rm: classified: Security label violation)4 2400 1 1080 6048 t
10 R f
( need a pro-)3 488( You)1 227( you're not supposed to meddle.)5 1307( directory is above the ceiling, where)6 1501( The)1 209(It didn't work.)2 588 6 720 6228 t
( it, we raise the ceiling for just)7 1243( get rid of)3 406( To)1 166(cess label at floor and a ceiling above the file being removed.)11 2505 4 720 6348 t
( to be executed from the black hole, we give a full)11 2023( that the command is going)5 1091( Remembering)1 617(one command.)1 589 4 720 6468 t
(pathname)720 6588 w
10 CW f
($)1080 6768 w
10 CI f
(priv session -C fffff -c rm $HOME/classified)6 2640 1 1200 6768 t
8 S1 f
(__________________)720 6880 w
8 R f
( covert)1 228( This)1 192( whether the file permissions permit opening.)6 1502(* Actually a small secret, exactly one bit, is revealed, namely)10 2038 4 720 6980 t
(channel is beneath our notice.)4 947 1 720 7080 t
cleartomark
showpage
saveobj restore
%%EndPage: 7 7
%%Page: 8 8
/saveobj save def
mark
8 pagesetup
10 R f
(- 8 -)2 166 1 2797 480 t
(The usual verification dialog ensues.)4 1467 1 720 840 t
(With)970 996 w
10 CW f
(mux)1202 996 w
10 R f
( A different window)3 836(windows, the constant changing of sessions would not be necessary.)9 2790 2 1414 996 t
( course you can't cut and paste from a high)9 1730( Of)1 156(can be devoted to each kind of session you're likely to need.)11 2434 3 720 1116 t
( if in a window you return from a)8 1403( And)1 231( windows work normally.)3 1054(window to a low one, but otherwise the)7 1632 4 720 1236 t
( contents of the window gets wiped out with the comment,)10 2420(high session to a previos lower one, the entire)8 1900 2 720 1356 t
(``Sanitized window downgrade.'')2 1344 1 720 1476 t
10 B f
(Privilege)720 1716 w
10 R f
( must be)2 341( Data)1 239( up the lattice of labels must be broken.)8 1581(Sometimes the fundamental rule that data flows)6 1909 4 970 1872 t
( media, which are)3 721( External)1 392( new software labeled below the floor.)6 1556( must install)2 500(declassified. Administrators)1 1151 5 720 1992 t
(normally labeled)1 689 1 720 2112 t
8 R f
(NO,)1449 2112 w
10 R f
( all labels, must be)4 811( systems, which contain data of)5 1329( File)1 221(must be made accessible.)3 1054 4 1625 2112 t
( these actions are)3 696( All)1 182( right to break the rules must be administered.)8 1866( finally, the)2 468( And)1 227(checked and repaired.)2 881 6 720 2232 t
(regulated by privileges.)2 940 1 720 2352 t
(Privilege is mediated by)3 1011 1 970 2508 t
10 I f
(licenses,)2020 2508 w
10 R f
(which go with processes, and)4 1229 1 2400 2508 t
10 I f
(capabilities,)3669 2508 w
10 R f
(which go with files.)3 839 1 4201 2508 t
(The superuser has no)3 845 1 720 2628 t
10 I f
(ex officio)1 369 1 1590 2628 t
10 R f
(licenses.)1984 2628 w
( process with an)3 697( A)1 138(There is, for example, an ``extern'' privilege to make external media visible.)11 3235 3 970 2784 t
( license may be exercised only in ``trusted'' programs that have)10 2594( The)1 211(extern license isn't enough, however.)4 1515 3 720 2904 t
( command, which brings file systems into view, has extern)9 2435( the mount)2 446( Thus)1 259(the corresponding capability.)2 1180 4 720 3024 t
(capability, indicated by the)3 1082 1 720 3144 t
10 CW f
(x)1827 3144 w
10 R f
(in its label.)2 442 1 1912 3144 t
10 CW f
($)1080 3324 w
10 CI f
(getlab /etc/mount)1 1020 1 1200 3324 t
10 CW f
( 0000 ...)2 540( 0000)1 480( ------)1 420(/etc/mount --x---)1 1800 4 1080 3444 t
10 R f
( command successfully a process must have extern license\320plus userid 0 for old times')13 3605(To run the mount)3 715 2 720 3624 t
(sake.)720 3744 w
(Licenses are obtained from the privilege server)6 1944 1 970 3900 t
10 CW f
(priv)2950 3900 w
10 R f
( colloquially called the ``priv server.'')5 1584(, more)1 266 2 3190 3900 t
( need for exactly one command.)5 1280(The priv server verifies your rights and hands out exactly the privileges you)12 3040 2 720 4020 t
(To mount a file system, you might invoke)7 1678 1 720 4140 t
10 CW f
($)1080 4320 w
10 CI f
(/etc/su)1200 4320 w
10 CW f
(Password\(root:74390\):)1080 4440 w
(#)1080 4560 w
10 CI f
(/etc/priv mount -r /dev/ra14 /mnt)4 1980 1 1200 4560 t
10 CW f
(Password\(you:65330\):)1080 4680 w
(priv\(mount -r /dev/ra14 /mnt\)?)3 1800 1 1080 4800 t
10 CI f
(y)2940 4800 w
10 R f
( a data-)2 295( Consulting)1 491( priv server.)2 481(First you become superuser, then you issue the mount command through the)11 3053 4 720 4980 t
( are required to issue your password so)7 1583(base of command requirements and rights, the server finds that you)10 2737 2 720 5100 t
( protection)1 440( as)1 117( Then,)1 289(that nobody can assume your privileges simply by finding your terminal unattended.)11 3474 4 720 5220 t
( shell, it prints the request it thinks)7 1433(against having received an improper request from a possibly dishonest)9 2887 2 720 5340 t
( after your confirmation is the request finally performed.)8 2259( Only)1 250(you entered.)1 493 3 720 5460 t
( the)1 159( In)1 145( controlled by the database.)4 1143(The form in which a privileged command is finally executed is)10 2623 4 970 5616 t
(present example, a request for)4 1199 1 720 5736 t
10 CW f
(mount)1944 5736 w
10 R f
(becomes an invocation of)3 1023 1 2269 5736 t
10 CW f
(/etc/mount)3317 5736 w
10 R f
(.)3917 5736 w
(The full list of privileges is)5 1111 1 970 5892 t
10 CW f
(guxnlp)2111 5892 w
10 R f
( in)1 109(, which appear in printed labels intermixed with minus signs)9 2460 2 2471 5892 t
(the same way that file permissions)5 1379 1 720 6012 t
10 CW f
(rwxrwxrwx)2124 6012 w
10 R f
(appear in the output of)4 904 1 2689 6012 t
10 CW f
(ls)3618 6012 w
10 R f
( mean)1 241(. They)1 280 2 3738 6012 t
10 CW f
(g)720 6168 w
10 R f
( one program,)2 557( Only)1 250(Logging privilege.)1 744 3 970 6168 t
10 CW f
(syslog)2546 6168 w
10 R f
(, has this capability.)3 797 1 2906 6168 t
10 CW f
(u)720 6324 w
10 R f
( is required for system calls such as)7 1438( It)1 113(This relatively minor privilege allows changes to the ``uarea.'')8 2519 3 970 6324 t
10 CW f
(setuid)970 6444 w
10 R f
(and)1356 6444 w
10 CW f
(setlogname)1526 6444 w
10 R f
( passed between processes without)4 1386( is privileged because uarea data is)6 1391(. It)1 137 3 2126 6444 t
( not for this privilege, untrusted code could use the uarea to pass information)13 3185( it)1 89( Were)1 273(label checks.)1 523 4 970 6564 t
(from high to low processes.)4 1107 1 970 6684 t
10 CW f
(x)720 6840 w
10 R f
( systems, to)2 474( is needed to mount file)5 946( It)1 112(Extern privilege allows new data sources to become accessible.)8 2538 4 970 6840 t
(give labels to terminals, or to downgrade \(declassify\) labels.)8 2407 1 970 6960 t
10 CW f
(n)720 7116 w
10 R f
( to the privileged)3 701( makes any data source available)5 1340( It)1 117(Nocheck privilege bypasses label comparisons.)4 1912 4 970 7116 t
( privilege is weaker than)4 1013( Nocheck)1 412( will treat the data with due respect.)7 1481(program, which is presumed)3 1164 4 970 7236 t
cleartomark
showpage
saveobj restore
%%EndPage: 8 8
%%Page: 9 9
/saveobj save def
mark
9 pagesetup
10 R f
(- 9 -)2 166 1 2797 480 t
(extern privilege, which makes data accessible to untrusted processes as well.)10 3060 1 970 840 t
10 CW f
(l)720 996 w
10 R f
( to add licenses, to change its label downward, or)9 1975(Setlic privilege \(a slight misnomer\) allows a process)7 2095 2 970 996 t
( Only)1 250(to change its ceiling upward.)4 1151 2 970 1116 t
10 CW f
(session)2396 1116 w
10 R f
(and)2841 1116 w
10 CW f
(priv)3010 1116 w
10 R f
(have setlic capability.)2 868 1 3275 1116 t
10 CW f
(p)720 1272 w
10 R f
( two pro-)2 374( Only)1 254( allows a process to change the privileges of files, usually programs.)11 2770(Setpriv privilege)1 672 4 970 1272 t
(grams have it.)2 563 1 970 1392 t
10 B f
(Self-licensing programs)1 1008 1 720 1632 t
10 R f
( that a program gets a privilege if its process is licensed for that privilege and the exe-)17 3509(We have seen)2 561 2 970 1788 t
( The)1 216( files may also be ``self-licensing.'')5 1474( Executable)1 504( the capability for that privilege.)5 1342(cutable file has)2 628 5 720 1908 t
10 CW f
(su)4920 1908 w
10 R f
(command is one such file.)4 1046 1 720 2028 t
10 CW f
($)1080 2208 w
10 CI f
(getlab /etc/su)1 840 1 1200 2208 t
10 CW f
( 0000 ...)2 540( 0000)1 480( -u-n--)1 420(/etc/su -u-n--)1 1800 4 1080 2328 t
10 R f
( one might)2 452( As)1 173( licenses.)1 378(The first set of privileges in the printed label are capabilities, the second set are)14 3317 4 720 2508 t
(expect,)720 2628 w
10 CW f
(su)1040 2628 w
10 R f
(is self-licensed to write in the uarea \()7 1547 1 1195 2628 t
10 CW f
(u)2742 2628 w
10 R f
(\) so it can execute the)5 917 1 2802 2628 t
10 CW f
(setuid)3754 2628 w
10 R f
( why)1 206( But)1 204(system call.)1 481 3 4149 2628 t
(does it have nocheck privilege \()5 1332 1 720 2748 t
10 CW f
(n)2052 2748 w
10 R f
( Customarily)1 558( is administrative.)2 740( reason)1 297(\)? The)1 294 4 2112 2748 t
10 CW f
(su)4039 2748 w
10 R f
(keeps a console log.)3 843 1 4197 2748 t
(The console, like all ports, is labeled)6 1465 1 720 2868 t
8 R f
(NO;)2210 2868 w
10 CW f
(su)2373 2868 w
10 R f
(has nocheck privilege to bypass the label check.*)7 1968 1 2518 2868 t
( which needs setlic capability \()5 1264(Another self-licensing program is the priv server,)6 2001 2 970 3024 t
10 CW f
(l)4235 3024 w
10 R f
(\) to issue licenses.)3 745 1 4295 3024 t
(The priv server is a permanent program;)6 1607 1 720 3144 t
10 CW f
(/bin/priv)2352 3144 w
10 R f
(simply passes it information.)3 1156 1 2917 3144 t
10 CW f
($)1080 3324 w
10 CI f
(getlab /etc/priv /bin/priv)2 1560 1 1200 3324 t
10 CW f
( 0000 ...)2 540( 0000)1 480( ----l-)1 420(/etc/priv ----l-)1 1800 4 1080 3444 t
( 0000 ...)2 540( 0000)1 480( ------)1 420(/bin/priv ------)1 1800 4 1080 3564 t
10 R f
( field tells what)3 634( license)1 306( The)1 209(The capability field of a running program describes its actual privileges.)10 2921 4 970 3780 t
(licenses it holds to be passed on across)7 1565 1 720 3900 t
10 CW f
(exec)2312 3900 w
10 R f
( The)1 206( privileges are not passed on.)5 1169( Self-licensed)1 573(system calls.)1 513 4 2579 3900 t
(session program, for example, has three capbilities and is self-licensed for two of them.)13 3488 1 720 4020 t
10 CW f
($)1080 4200 w
10 CI f
(getlab /bin/session)1 1140 1 1200 4200 t
10 CW f
( 0000 ...)2 540( 0000)1 480( --xn--)1 420(/bin/session --xnl-)1 1800 4 1080 4320 t
10 R f
(The)720 4500 w
10 CW f
(session)903 4500 w
10 R f
(program checks authorization, using nocheck privilege \()6 2266 1 1351 4500 t
10 CW f
(n)3617 4500 w
10 R f
( access the secret)3 695(\) to)1 139 2 3677 4500 t
10 CW f
(pwfile)4540 4500 w
10 R f
(. It)1 140 1 4900 4500 t
( child process uses extern privilege \()6 1530( The)1 217(then forks.)1 439 3 720 4620 t
10 CW f
(x)2906 4620 w
10 R f
( long as the process)4 826( As)1 172(\) to set the terminal label.)5 1076 3 2966 4620 t
( up,)1 156(label stays between floor and ceiling and the ceiling doesn't go)10 2568 2 720 4740 t
10 CW f
(session)3475 4740 w
10 R f
(can work for itself, without)4 1114 1 3926 4740 t
( it requires set license privilege \()6 1339( Otherwise)1 466( the black hole.)3 628(going through the priv server or)5 1308 4 720 4860 t
10 CW f
(l)4461 4860 w
10 R f
(\), the license)2 519 1 4521 4860 t
(for which comes from the priv server.)6 1510 1 720 4980 t
(What label would)2 710 1 970 5136 t
10 CW f
(ps)1705 5136 w
10 R f
(have to have in order to examine the core image of)10 2028 1 1850 5136 t
10 CW f
(session)3903 5136 w
10 R f
( least as high)3 522(? At)1 195 2 4323 5136 t
(a label as that of the data)6 1004 1 720 5256 t
10 CW f
(session)1751 5256 w
10 R f
(has read, namely)2 677 1 2198 5256 t
10 CW f
(pwfile)2902 5256 w
10 R f
( reading regard-)2 638( privilege permits)2 709(. Nocheck)1 431 3 3262 5256 t
(less of the label of the)5 904 1 720 5376 t
10 CW f
(ps)1654 5376 w
10 R f
( process)1 330( no information as to the real label of the information the)11 2327(process. With)1 579 3 1804 5376 t
( a top-labeled process,)3 898( Only)1 252( assigns the process file a top label.)7 1423(contains, the system assumes the worst and)6 1747 4 720 5496 t
( Simi-)1 282(or another nocheck process, can inspect the image of any process that ever had nocheck privilege.)15 4038 2 720 5616 t
(larly a core dump of a nocheck process gets a top label.)11 2211 1 720 5736 t
10 B f
(Trust)720 5976 w
10 R f
( integrity of the system depends as critically on)8 1895( The)1 206( is called ``trusted.'')3 812(Any program with privileges)3 1157 4 970 6132 t
( be carefully written and)4 1011( must)1 230( Programs)1 443(the honesty of trusted programs as it does on that of the kernel.)12 2636 4 720 6252 t
( only changes that)3 754( The)1 215( trusted programs must not change.)5 1454( Moreover)1 453(checked before being granted trust.)4 1444 5 720 6372 t
( changes in its trustedness, and those changes themselves require privi-)10 2837(can be made to a trusted program are)7 1483 2 720 6492 t
(lege.)720 6612 w
( program can't be trusted more than the data it receives as)11 2440(No matter how carefully it is written, a)7 1630 2 970 6768 t
8 S1 f
(__________________)720 6868 w
8 R f
(* An astute reader will see that the console log can't be public, for secrets can be sent to it this way:)21 3174 1 720 6968 t
8 CW f
($)1080 7128 w
8 CI f
(/etc/su attack_at_noon)1 1056 1 1176 7128 t
cleartomark
showpage
saveobj restore
%%EndPage: 9 9
%%Page: 10 10
/saveobj save def
mark
10 pagesetup
10 R f
(- 10 -)2 216 1 2772 480 t
( are made over ``private paths'', so that unintended processes can)10 2702( that reason password checks)4 1190(input. For)1 428 3 720 840 t
( a ``trusted source'', usually a)5 1261( private path connects)3 918( A)1 137(neither eavesdrop on nor corrupt the exchanges.)6 2004 4 720 960 t
( a)1 79( On)1 182( a private path.)3 623( untrusted program may intervene in)5 1501( No)1 181(secure terminal, to a trusted program.)5 1539 6 720 1080 t
10 CW f
(mux)4860 1080 w
10 R f
( If)1 126( the pertinent window.)3 929(terminal, the existence of a private path is marked by checkered border around)12 3265 3 720 1200 t
(you don't see the border, you know that somebody is spoofing you.)11 2695 1 720 1320 t
( untrusted shell, uses a private path)6 1413(Similarly, the priv server, which usually receives requests from an)9 2657 2 970 1476 t
( program such as)3 715( A)1 134(to confirm a request before acting on it.)7 1664 3 720 1596 t
10 CW f
(/bin/setlab)3270 1596 w
10 R f
( can do magic only)4 804(, which)1 306 2 3930 1596 t
( it under-)2 372( Instead)1 341( invoker, will not usually check its arguments, however.)8 2263(when it inherits a license from its)6 1344 4 720 1716 t
( guaranteed the)2 649(stands that the license could only have come from a trusted program that has already)14 3671 2 720 1836 t
(integrity of the input.)3 850 1 720 1956 t
10 B f
(Nosh)720 2196 w
10 R f
( abounding with hidden)3 971( Besides)1 369( have already pointed out, standard shells are untrustworthy.)8 2471(As we)1 259 4 970 2352 t
( that no matter how perfectly a shell is)8 1651(and ill-described features, they are programmable, which means)7 2669 2 720 2472 t
(implemented, the current meaning of any shell command is unknown.)9 2794 1 720 2592 t
(For delicate situations IX provides)4 1446 1 970 2748 t
10 CW f
(nosh)2458 2748 w
10 R f
( shell is used for the startup)6 1201( This)1 245(, the no-feature shell.)3 896 3 2698 2748 t
(script,)720 2868 w
10 CW f
(/etc/rc.nosh)1008 2868 w
10 R f
(, which plays the same role in IX that)8 1623 1 1728 2868 t
10 CW f
(/etc/rc)3392 2868 w
10 R f
(does in ordinary)2 679 1 3853 2868 t
9 R f
(UNIX)4570 2868 w
10 R f
(. The)1 245 1 4795 2868 t
10 CW f
(nosh)720 2988 w
10 R f
(shell is also used for sessions below the floor, which can be obtained only with privilege.)15 3560 1 985 2988 t
10 CW f
($)1080 3168 w
10 CI f
(/etc/priv session -l 0)3 1320 1 1200 3168 t
10 CW f
(Password\(you:57146\):)1080 3288 w
(priv\(session -l 0\)?)2 1140 1 1080 3408 t
10 CI f
(y)2280 3408 w
10 CW f
($$)1080 3528 w
10 R f
(The prompt changes to)3 918 1 720 3708 t
10 CW f
($$)1663 3708 w
10 R f
(, the signature of)3 671 1 1783 3708 t
10 CW f
(nosh)2479 3708 w
10 R f
(.)2719 3708 w
(To avoid surprises,)2 763 1 970 3864 t
10 CW f
(nosh)1758 3864 w
10 R f
(has no search path.)3 759 1 2023 3864 t
10 CW f
($$)1080 4044 w
10 CI f
(echo hello world)2 960 1 1260 4044 t
10 CW f
(first letter not / or .)5 1380 1 1080 4164 t
($$)1080 4284 w
10 CI f
(/bin/echo hello world)2 1260 1 1260 4284 t
10 CW f
(hello world)1 660 1 1080 4404 t
10 R f
(It does, however, let you change the working directory.)8 2209 1 720 4584 t
10 CW f
($$)1080 4764 w
10 CI f
(cd /bin)1 420 1 1260 4764 t
10 CW f
($$)1080 4884 w
10 CI f
(./echo hello world)2 1080 1 1260 4884 t
10 CW f
(hello world)1 660 1 1080 5004 t
10 R f
(If)720 5184 w
10 CW f
(nosh)813 5184 w
10 R f
( users can)2 399( Authorized)1 501(is invoked with privilege, the prompt reminds you which ones are available.)11 3060 3 1080 5184 t
( don't; the only time a privileged shell is rou-)9 1867( practice they)2 551( \(In)1 173(get a privileged shell from the priv server.)7 1729 4 720 5304 t
(tinely invoked is in single-user mode at boot time.\))8 2041 1 720 5424 t
10 CW f
($$)1080 5604 w
10 CI f
( ask for xn licenses)4 1200( #)1 300(/etc/priv nosh xn)2 1020 3 1260 5604 t
10 CW f
(Password\(you:52892\):)1080 5724 w
(priv\(nosh xn\)?)1 840 1 1080 5844 t
10 CI f
(y)1980 5844 w
10 CW f
(xn$$)1080 5964 w
10 CI f
(/bin/getlab)1380 5964 w
10 CW f
( 0000 ...)2 540( 0000)1 480( ------)1 420( ------)1 1320(proc lab)1 480 5 1080 6084 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 6204 t
10 R f
(The)720 6384 w
10 CW f
(getlab)913 6384 w
10 R f
( is more paranoia; to avoid)5 1138( This)1 242( did.)1 192(report reveals no privileges even though the prompt)7 2157 4 1311 6384 t
( inadvertently,)1 581(licensing a program)2 803 2 720 6504 t
10 CW f
(nosh)2133 6504 w
10 R f
(will not pass a license to a command unless you ask it to by sup-)14 2638 1 2402 6504 t
(plying a ``license mask.'')3 1020 1 720 6624 t
10 CW f
(xn$$)1080 6804 w
10 CI f
(lmask n /bin/getlab)2 1140 1 1380 6804 t
10 CW f
( 0000 0000 ...)3 840( ffff)1 480( ---n--)1 420( ---n--)1 1320(proc lab)1 480 5 1080 6924 t
( 0000 0000 ...)3 840( ffff)1 480( ------)1 420( ------)1 1260(proc ceil)1 540 5 1080 7044 t
10 R f
(The second)1 459 1 720 7224 t
10 CW f
(n)1206 7224 w
10 R f
(reports the license; the first)4 1095 1 1293 7224 t
10 CW f
(n)2415 7224 w
10 R f
(reports that)1 454 1 2502 7224 t
10 CW f
(getlab)2983 7224 w
10 R f
( first)1 188( The)1 207(has nocheck privilege.)2 899 3 3370 7224 t
10 CW f
(n)4691 7224 w
10 R f
(results)4779 7224 w
cleartomark
showpage
saveobj restore
%%EndPage: 10 10
%%Page: 11 11
/saveobj save def
mark
11 pagesetup
10 R f
(- 11 -)2 216 1 2772 480 t
( happens that)2 541( It)1 118( with the capabilities of the executable file.)7 1768(from and-ing the licenses)3 1036 4 720 840 t
10 CW f
(/bin/getlab)4215 840 w
10 R f
(has)4907 840 w
(nocheck capability, so that authorized users can use it to see forbidden device labels.)13 3379 1 720 960 t
10 CW f
(xn$$)1080 1140 w
10 CI f
(lmask n /bin/getlab /dev/dk/dk12)3 1920 1 1380 1140 t
10 CW f
( ------ RN 0000 0000 ...)5 1440( ------)1 600(/dev/dk/dk12 [name])1 1200 3 1080 1260 t
10 R f
(The device is rigidly \()4 882 1 720 1440 t
10 CW f
(R)1602 1440 w
10 R f
(\) labeled)1 346 1 1662 1440 t
8 R f
(NO)2033 1440 w
10 R f
(\()2174 1440 w
10 CW f
(N)2207 1440 w
10 R f
(\), as it ought to be.)5 747 1 2267 1440 t
(Control-D returns from the privileged)4 1525 1 970 1596 t
10 CW f
(nosh)2524 1596 w
10 R f
(to the low session\320still using)4 1227 1 2794 1596 t
10 CW f
(nosh)4051 1596 w
10 R f
( device label)2 514(. The)1 235 2 4291 1596 t
(is no longer visible because the shell has no license to give to)12 2453 1 720 1716 t
10 CW f
(getlab)3198 1716 w
10 R f
(.)3558 1716 w
10 CW f
(xn$$)1080 1896 w
10 S f
(<)1380 1896 w
10 R f
(control-D)1435 1896 w
10 S f
(>)1823 1896 w
10 CW f
($$)1080 2016 w
10 CI f
(lmask n /bin/getlab /dev/dk/dk12)3 1920 1 1260 2016 t
10 CW f
(/dev/dk/dk12: Security label violation)3 2280 1 1080 2136 t
(e=001)1200 2256 w
10 R f
( error comment comes from)4 1138(The first)1 346 2 720 2436 t
10 CW f
(getlab)2235 2436 w
10 R f
( second, from)2 558(. The)1 236 2 2595 2436 t
10 CW f
(nosh)3420 2436 w
10 R f
(, reports the exit code returned by)6 1380 1 3660 2436 t
10 CW f
(getlab)720 2556 w
10 R f
(.)1080 2556 w
( their being writ-)3 683( controls, however, prevent)3 1095( Label)1 279(In the low session, higher-labeled data are visible.)7 2013 4 970 2712 t
(ten to the low-labeled terminal.)4 1251 1 720 2832 t
10 CW f
($$)1080 3012 w
10 CI f
(/bin/ls)1260 3012 w
10 CW f
(t=015)1200 3132 w
10 R f
(The command terminated abnormally with termination code octal 15,)8 2873 1 720 3312 t
10 CW f
(SIGPIPE)3630 3312 w
10 R f
( the)1 160( reason is that)3 588(. The)1 242 3 4050 3312 t
(label of)1 304 1 720 3432 t
10 CW f
(ls)1051 3432 w
10 R f
( prevent high-labeled data from reaching the)6 1779( To)1 162( directory.)1 411(rose to the floor as it read the current)8 1490 4 1198 3432 t
( the output of)3 548(bottom-labeled terminal, the system discarded)4 1857 2 720 3552 t
10 CW f
(ls)3154 3552 w
10 R f
(and killed the process just as if it had writ-)9 1737 1 3303 3552 t
(ten on a broken pipe.)4 840 1 720 3672 t
cleartomark
showpage
saveobj restore
%%EndPage: 11 11
%%Trailer
done
%%Pages: 11
%%DocumentFonts: Courier-Oblique Courier Times-Bold Times-Italic Times-Roman Times-Roman Symbol