> On Wed, 2008-03-12 at 10:00 -0800, Gary Winiger wrote:
> > > I don't understand why a scanner would be classed as removable media.
> >
> > Because you put removable stuff in it and remove the stuff when
> > done. Solaris Object Reuse needs to be supported.
>
> I'm still not understanding why you think this means "object reuse"
> applies here; my understanding was that "object reuse" applied to
> reusable read/write storage like disks & memory -- if user A frees a
> page, and the system recycles it and gives it to user B, user B better
> not find any of user A's data in the page.
Huh:
T.RESIDUAL_DATA
A user or process may gain unauthorized access to data through
reallocation of TOE resources from one user or process to another.
O.RESIDUAL_INFORMATION
The TOE will ensure that any data contained in a protected resource is
not available when the resource is reallocated.
Rationale
The sharing of hardware resources such as primary and secondary storage
components between users introduces the potential for information flow
in violation of the TOE security policy when hardware resources are
deallocated from one user and allocated to another. In order to prevent
such unintended consequences, the TOE prevents the compromise of the TOE
security policy through mechanisms that ensure that residual information
cannot be accessed after the resource has been reallocated
(O.RESIDUAL_INFORMATION). The intent here is to prevent the unauthorized
flow of information that would violate the TOE security policy. The intent
is not to require explicit scrubbing or overwriting of data prior to reuse
of the storage resource. Therefore, the presence of "residual" data in a
storage resource is acceptable as long as it cannot be accessed by
subsequent users such that a violation of the TOE security policy results.
Note, however, that the requirements for storage resources which contain
critical cryptographic security parameters differ from the requirements
for other types of data. Refer to the appropriate threat, objectives, and
requirements rationale for a discussion of the requirements for residual
data protection involving critical cryptographic security parameters.
Residual Information Protection (FDP_RIP)
Full Residual Information Protection (FDP_RIP.2)
FDP_RIP.2.1 Refinement: The TSF shall ensure that any previous
information content of a resource is made unavailable upon the
[selection: allocation of the resource to, deallocation of the
resource from] all objects other than those associated with
cryptographic keys and critical cryptographic security parameters
as described in FCS_CKM.4.1 and FCS_CKM_EXP.2.5.
Application Note: This requirement applies to all resources except
for cryptographic keys and critical cryptographic security
parameters governed by or used by the TSF; it includes resources
used to store data and attributes. It also includes the encrypted
representation of information. Residual information protection for
cryptographic data is covered in class FCS.
Application Note: Clearing the content of resources on deallocation
is sufficient to satisfy this requirement, provided that
unallocated resources will not accumulate new information until
they are allocated again.
> the "removable stuff" in a typical scanner is not writable by the
> scanner.
Writability isn't the issue. Consider cryptographic keys that
are stored in read only memory. When you give that memory to
another process would you want those keys to ge readable by that
process?
> There is nothing SOFTWARE can do about people who left something on the
> scanner bed when they logged out and wandered off.
As broken as you may consider removable media management
and device allocation are there to address the things that can't
be done in other forms.
> What's more, the software being proposed here does not need special
> privileges to operate; if some sort of device allocation/object reuse
> controls need to happen, they would need to happen in trusted privileged
> code at device open time.
If the device allocation subsystem is in effect, the user is
required to be authorized, chkauthattr(3SECDB) to have access
to devices under its control.
I suppose you could argue that the project teams that integrate
devices needing object reuse into Solaris are not responsible.
Please convince your (and my) director that the responsibility
lies somewhere else.
Gary..
