     |
Attacks on MLS
Finally some considerations on how susceptible a MLS system is for certain attacks.
A trust relationship to other TCBs is required.
Exceptional rights for users to bypass MAC are dangerous but cannot be avoided sometimes.
A regular program taken over by malicious code can cause only very limited harm as long as the "no-write-down" policy of MAC is in effect. It can read confidential information but then cannot expose this information to untrusted channels. The user identity restricts the set of resources which can be read or written (DAC), the current security label of the user or subject further restricts the set of objects AND the possible operations.
Compared to a capability system a pure MAC allows more objects to be accessed by the malicious program. The capability based system could respect security labels during creation of capabilities and therefore prevent even accidental content abuse. This seems to indicate that MAC and MLS are genuine protection forms which can be combined with other access control mechanisms to create even safer systems.