CS5430 Homework 3: Authorization Policies
General Instructions.
You are expected to work alone on this assignment.
Due March 2, 10am, via CMS.
No late assignments will be accepted.
Submit your solution using CMS.
Prepare your solution using Word (.doc) or some ascii editor (.txt), as follows:
- Put your name and Cornell University netid at the top of the first page.
- Use 10 point or larger font.
- Start each problem's solution on a new page.
- Use at most 1 page per problem.
Problem 1.
An access control matrix is one way to depict an assignment of privileges
to principals. A CS5430 student has proposed using a directed graph instead.
(Recall, a directed graph is defined by (i) a set of nodes and (ii) a set of
triples ("edges") of the form <n1, n2, lab>, where n1 and n2 are nodes and
lab is a label.)
Specifically, the student proposes:
- Having each node of the graph correspond to a single principal and/or object.
  (Recall, principals are also considered objects.)
- For a node nP corresponding to a principal P and a node nO corresponding to
  an object O, having an edge in the graph from nP to nO with label priv
  if and only if principal P has privilege priv for object O.
And just as the access control matrix representation has commands that change
the assignment of privileges, you can imagine corresponding commands that make
the same change by manipulating the directed graph representation.
Discuss the relative expressive power of these two alternatives for
representing access control policies.
Are there situations that can be represented in one but not the other?
If so, give one; if not, give a proof that none can exist.
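To make the two representations concrete, here is an added example (it is not part of the assignment and is not a solution to it): one privilege assignment kept both as an access control matrix and as the labeled directed graph proposed above, with a conversion in each direction and the same commands (enter, delete, create object) applied to both forms. The principals, objects and privilege labels (alice, bob, foo.exe, control, ...) are made up for the illustration.

```python
"""Added example (not part of the assignment): one privilege assignment kept
both as an access control matrix and as the labeled directed graph proposed
in Problem 1, with conversions in both directions and the same commands
applied to each form. All names (alice, bob, foo.exe, ...) are made up."""


def acm_to_graph(principals, objects, acm):
    """Graph form: one node per principal/object (a principal's node doubles
    as its object node, since principals are objects), and an edge
    (nP, nO, priv) exactly when priv is in acm[P][O]."""
    assert principals <= objects, "every principal must also be an object"
    nodes = set(objects)
    edges = {(p, o, priv)
             for p, row in acm.items()
             for o, privs in row.items()
             for priv in privs}
    return nodes, edges


def graph_to_acm(nodes, edges, principals):
    """Inverse mapping. The graph alone does not say which nodes are
    principals (a principal holding no privilege has no outgoing edge), so
    that set is supplied separately; it fixes the matrix's rows."""
    acm = {p: {o: set() for o in nodes} for p in principals}
    for src, dst, priv in edges:
        assert src in principals, f"edge out of non-principal node {src}"
        acm[src][dst].add(priv)
    return acm


# Commands in matrix form ...
def acm_enter(acm, p, o, priv):
    acm[p][o].add(priv)


def acm_delete(acm, p, o, priv):
    acm[p][o].discard(priv)


def acm_create_object(acm, objects, o):
    objects.add(o)
    for row in acm.values():
        row[o] = set()          # new empty column


# ... and the corresponding commands in graph form.
def graph_enter(edges, p, o, priv):
    edges.add((p, o, priv))


def graph_delete(edges, p, o, priv):
    edges.discard((p, o, priv))


def graph_create_object(nodes, o):
    nodes.add(o)                # new isolated node


def run_scenario():
    """Build a small policy, convert it, apply the same command sequence to
    both forms, and report whether they still agree."""
    principals = {"alice", "bob"}
    objects = {"alice", "bob", "foo.exe", "notes.txt"}
    acm = {p: {o: set() for o in objects} for p in principals}
    acm["alice"]["foo.exe"] |= {"r", "x"}
    acm["alice"]["notes.txt"] |= {"r", "w"}
    acm["bob"]["foo.exe"].add("x")
    acm["bob"]["alice"].add("control")   # a privilege over another principal

    nodes, edges = acm_to_graph(principals, objects, acm)
    round_trip_ok = graph_to_acm(nodes, edges, principals) == acm

    # Same commands, applied to both representations.
    acm_enter(acm, "bob", "notes.txt", "r")
    graph_enter(edges, "bob", "notes.txt", "r")
    acm_delete(acm, "alice", "foo.exe", "x")
    graph_delete(edges, "alice", "foo.exe", "x")
    acm_create_object(acm, objects, "log.txt")
    graph_create_object(nodes, "log.txt")
    acm_enter(acm, "alice", "log.txt", "w")
    graph_enter(edges, "alice", "log.txt", "w")

    still_agree = acm_to_graph(principals, objects, acm) == (nodes, edges)
    return round_trip_ok, still_agree, acm, (nodes, edges)


if __name__ == "__main__":
    rt, agree, acm, graph = run_scenario()
    print("round trip ok:", rt, "| agree after commands:", agree)
    for edge in sorted(graph[1]):
        print("  edge", edge)
```

Note that graph_to_acm needs the set of principals as a separate input: in the graph as defined, a node is recognisable as a principal only by its outgoing edges. Whether that matters for expressive power is part of what the problem asks you to argue.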
Problem 2.
UNIX associates some subset of the privileges r (read), w (write), and x
(execute) with each file, for each of three categories of user ids:
(i) the file's owner, (ii) members of the file's group, and (iii) all other
user ids.
Suppose file foo.exe contains a program.
Consider the following "rules" about allowable sets of privileges regarding foo.exe.
For each rule (in isolation), discuss any interesting security functionality
enabled by the rule, giving an example of its use and utility.
- grant x but without r or w
- grant r but without x or w
- never grant both x and w.
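As an added example (not part of the assignment, and not an answer to it), the following models the UNIX mode-bit decision for a file such as foo.exe and reports which of the three rules each category of user id satisfies. Two details the model makes explicit, and which are worth keeping in mind when arguing about the rules: exactly one category is consulted for a given caller (a more generous group or other triple does not help the owner), and "x without r" only prevents reading of a compiled binary, because executing an interpreted script makes the interpreter open the file for reading. The root behaviour encoded is Linux's (uid 0 bypasses r and w, and may execute if any x bit is set). The user ids, group ids and modes are made up.

```python
"""Added example (not part of the assignment): a model of the UNIX mode-bit
check for a program file such as foo.exe, used to inspect the three rules
of Problem 2. Uses the stat module's constants; uids, gids and modes are
made up."""
import stat

READ, WRITE, EXEC = "r", "w", "x"


def class_bits(mode, file_uid, file_gid, uid, gids):
    """Privilege set that UNIX applies to caller (uid, gids) for a file.
    Exactly one category is consulted: owner if uid matches, else group if
    the file's group is among the caller's groups, else other."""
    if uid == file_uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif file_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    return {p for p, bit in ((READ, r), (WRITE, w), (EXEC, x)) if mode & bit}


def allowed(op, mode, file_uid, file_gid, uid, gids, interpreted=False):
    """Discretionary decision for one operation.
    - uid 0 bypasses r/w and may execute if any x bit is set (Linux rule).
    - Executing an interpreted script needs r as well as x: the kernel
      honours x, but the interpreter then opens the script to read it, so
      'x without r' only protects compiled binaries."""
    if uid == 0:
        if op == EXEC:
            return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        return True
    privs = class_bits(mode, file_uid, file_gid, uid, gids)
    if op == EXEC and interpreted:
        return EXEC in privs and READ in privs
    return op in privs


def rule_report(mode):
    """For each category, which of the three Problem 2 rules the triple
    satisfies: x alone, r alone, and 'not both w and x'."""
    triples = {
        "owner": (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
        "group": (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
        "other": (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
    }
    report = {}
    for cls, (r, w, x) in triples.items():
        has_r, has_w, has_x = bool(mode & r), bool(mode & w), bool(mode & x)
        report[cls] = {
            "x_only": has_x and not has_r and not has_w,
            "r_only": has_r and not has_x and not has_w,
            "no_w_and_x": not (has_w and has_x),
        }
    return report


if __name__ == "__main__":
    FOO_UID, FOO_GID = 1000, 100        # made-up owner and group of foo.exe
    OTHER = (1001, {200})               # a user in neither category
    for mode in (0o711, 0o444, 0o555, 0o777):
        print(oct(mode), rule_report(mode))
    print("other user may execute 0o711 binary:",
          allowed(EXEC, 0o711, FOO_UID, FOO_GID, *OTHER))
    print("other user may read it:",
          allowed(READ, 0o711, FOO_UID, FOO_GID, *OTHER))
    print("other user may run it as a script:",
          allowed(EXEC, 0o711, FOO_UID, FOO_GID, *OTHER, interpreted=True))
```

The model is the decision procedure only; it does not touch the filesystem, so it behaves the same whether or not it is run as root.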
Problem 3.
You are consulting to a new Internet start-up company, AppropriateTube,
whose value proposition is facilitating the creation and dissemination of
age- and belief-appropriate videos for impressionable children.
Age is measured in terms of integers (representing years since birth)
and defines the minimum age of an appropriate viewer;
beliefs are characterized by a set of the following terms,
called content-descriptors:
Alcohol, Bambi, BarbieAndKen, Barney, Disrespect, Evolution, Intelligent_Design,
Sexuality, TeddyBears, VerbalAbuse, Violence.
The system envisaged by AppropriateTube would work as follows.
- An AppropriateTube web site (www.NoOffense.com) stores videos that users
  contribute. Each stored video includes meta-data that gives an age and a
  set of content-descriptors. The age is the minimum age for a viewer;
  the content-descriptors summarize what the video contains.
- AppropriateTube provides a video-uploader program that parents can use to
  upload new videos to www.NoOffense.com. Prior to storing a video, this
  video-uploader program creates meta-data for the video by asking the user
  questions about the contents of the video. Assume that parents are truthful
  in answering these questions.
- AppropriateTube provides a video-combiner program that allows children to
  download videos and then create a new, longer video by concatenating some
  subset of the videos that were downloaded, storing the result as a new video
  in www.NoOffense.com. The video-combiner program automatically creates the
  meta-data for this new, longer video.
- AppropriateTube provides a video-viewer program that is invoked from within
  the video-combiner and/or can be run stand-alone by children wishing to view
  videos stored at www.NoOffense.com. The video-viewer program starts by
  reading child-viewing-allowed.config, a local configuration file
  corresponding to the child on whose behalf the video-viewer program was
  invoked. This file is specified by a parent and gives
  - the birth year of the child who is running the program;
  - a list of content-descriptors specifying all content the child is allowed
    to see.
  Thereafter, the video-viewer program will display only those videos that
  are age-appropriate and belief-appropriate for the child.
Give rules for how the meta-data for each video should be used by the
video-viewer program and rules for how it should be produced by the
video-combiner program.
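The following is an added example (it is not the course's solution and not code from AppropriateTube) of one consistent reading of the meta-data described above, written so that the combiner can never launder content: the age on a video is a lower bound on viewer age and the descriptors are a set, so the viewer requires age >= threshold and descriptors contained in the allowed set, and the combiner takes the maximum of the ages and the union of the descriptor sets. Two points not spelled out on the page are handled as labeled assumptions: the config file holds only a birth year, so the child's age is computed conservatively (the child may not have had this year's birthday yet), and a video carrying a descriptor outside the listed vocabulary is rejected rather than shown. The videos, birth years and "today" date are made up.

```python
"""Added example (not the course's solution): one consistent reading of the
AppropriateTube meta-data rules. Videos, birth years and the date are made
up. Assumption: only a birth year is known (as the config file specifies),
so age is taken conservatively; unknown descriptors fail closed."""
from dataclasses import dataclass
from datetime import date

# The content-descriptor vocabulary given in the problem statement.
CONTENT_DESCRIPTORS = frozenset({
    "Alcohol", "Bambi", "BarbieAndKen", "Barney", "Disrespect", "Evolution",
    "Intelligent_Design", "Sexuality", "TeddyBears", "VerbalAbuse", "Violence",
})


@dataclass(frozen=True)
class Video:
    name: str
    min_age: int            # minimum viewer age, in years
    descriptors: frozenset  # what the video contains


@dataclass(frozen=True)
class ViewerConfig:
    """Contents of child-viewing-allowed.config."""
    birth_year: int
    allowed: frozenset      # every descriptor the child may see


def conservative_age(birth_year, today):
    """Only the birth year is known, so assume the child has not yet had
    this year's birthday (assumption made for this example)."""
    return today.year - birth_year - 1


def viewer_may_show(video, cfg, today):
    """Video-viewer rule: age-appropriate AND belief-appropriate.
    Fails closed on a descriptor outside the vocabulary, and ignores any
    allowed-list entry that is not a real descriptor."""
    if not video.descriptors <= CONTENT_DESCRIPTORS:
        return False
    allowed = cfg.allowed & CONTENT_DESCRIPTORS
    return (conservative_age(cfg.birth_year, today) >= video.min_age
            and video.descriptors <= allowed)


def combine(name, parts):
    """Video-combiner rule: the concatenation's meta-data must be at least as
    restrictive as every part, so take the largest minimum age and the union
    of the descriptor sets. Any other choice would let a child republish a
    clip under weaker meta-data than it was uploaded with."""
    if not parts:
        raise ValueError("nothing to combine")
    return Video(name,
                 max(v.min_age for v in parts),
                 frozenset().union(*(v.descriptors for v in parts)))


if __name__ == "__main__":
    today = date(2010, 3, 2)                       # made-up clock
    bambi = Video("bambi", 4, frozenset({"Bambi"}))
    fight = Video("fight", 8, frozenset({"Violence", "Disrespect"}))
    both = combine("bambi+fight", [bambi, fight])
    cfg = ViewerConfig(2002, frozenset({"Bambi", "Barney", "Violence", "Disrespect"}))
    print("combined meta-data:", both)
    for v in (bambi, fight, both):
        print(f"show {v.name!r} to child born {cfg.birth_year}:",
              viewer_may_show(v, cfg, today))
```

Note that combine() only derives meta-data; whether the child was entitled to download each part in the first place is the viewer's decision at download time, which is why the problem has the combiner invoke the viewer.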