CS5430 Homework 3: More on Authorization

Due Friday March 4, 10am. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution as .doc, .docx, or .pdf, as follows:

• Use 10 point or larger font.
• Start each problem's solution on a new page.
• Use at most 1 page per problem.

Problem 1:

You are consulting to a new Internet start-up company, AppropriateTube, whose value proposition is facilitating the creation and dissemination of age- and belief-appropriate videos for impressionable children. Age is measured in terms of integers (representing years since birth) and defines the minimum age of an appropriate viewer; beliefs are characterized by a set of the following terms, called content-descriptors:

Alcohol, Bambi, BarbieAndKen, Barney, Disrespect, Evolution, Intelligent_Design, Sexuality, TeddyBears, VerbalAbuse, Violence .

The system envisaged by AppropriateTube would work as follows.

• An AppropriateTube web site (www.NoOffense.com) stores videos that users contribute. Each stored video includes meta-data that gives an age and a set of content-descriptors. The age is the minimum age for a viewer; the content-descriptors summarize what the video contains.

• AppropriateTube provides a video-uploader program that parents can use to upload new videos to www.NoOffense.com. Prior to storing a video, this video-uploader program creates meta-data for the video by asking questions of the user about the contents of the video. Assume that parents are truthful in answering these questions.

• AppropriateTube provides a mash-up creation program that allows children to download videos and then create a new, longer video by concatenating some subset of the videos that were downloaded, storing the result as a new video in www.NoOffense.com. The mash-up creation program automatically creates the meta-data for this new longer video.

• AppropriateTube provides a video-viewer program that is invoked from within the mash-up creation program and/or can be run stand-alone by children wishing to view videos stored at www.NoOffense.com. The video-viewer program starts by reading child-viewing-allowed.config, a local configuration file corresponding the the child on whose behalf the video-viewer program was invoked. This file is specified by a parent and gives
  • The birth year of the child who is running the program.
  • A list of content-descriptors specifying all content the child is allowed to see.
  Thereafter, the video-viewer program will display only those videos that are age-appropriate and belief-appropriate for the child.

Give rules for how the meta-data for each video should be used by the video-viewer program and the rules for how it should be produced by the mash-up creation program.

Problem 2:

Sometimes individual data are less sensitive than their aggregate.  For example:

• The budgets of individual departments of a company may not reveal much information.  But collectively, they reveal where the company is concentrating its resources, and thus telegraph its business strategy.
• In the movie Mission: Impossible (1996), the recovery of a NOC (non-official cover) list is a focus of Agent Ethan Hunt.  One half of the list contains the code names of secret agents, and the other half contains the agents' real names.  Each half individually reveals sensitive information, and their combination reveals even more information.

Aggregation is particularly relevant in the context of databases. For the purpose of this problem, suppose that a database comprises a number of datasets. (A dataset might be a table or a view.) Further, suppose that each dataset is assigned a sensitivity label such as Unclassified, Secret, or Top Secret. (We ignore compartments in this problem.)  Then it might be the case that datasets A and B are both Unclassified, but that their aggregation is Secret. To model this, let the function L(R), where R is a set of datasets---for example, R={A,B}--- denote the sensitivity of the aggregation of all the datasets in R. As healthiness conditions on L, we require that:

• For all A, L({A}) = sensitivity of A.
• If R ⊆ R' then L(R) ≤ L(R').

Our goal in this problem is to develop a MAC model for this scenario. Suppose that an object is a document containing information derived from the database---e.g., the result of queries on datasets. A subject, as usual, is a process executing on behalf of a user. An entity is either a subject or an object. 

1. Construct your own real-world example, using the database model above, of aggregate data that are more sensitive than their constituents.  Your example should include at least three datasets.  Identify what L(R) is for each possible subset R of your datasets.  (If you need inspiration, begin by supposing that one of the datasets is a set of photographs.)
   
2. Suppose that each object (and subject) is labelled with its sensitivity (or clearance). We could then attempt to employ the Bell and LaPadula security conditions ("no read up, no write down"). However, we claim that these conditions are insufficient to guarantee the following policy: 

   P1: An object never contains information whose sensitivity is higher than the object's label.

   Using your example database from part 1, prove this claim by exhibiting a series of read and write operations that effect such an information flow. You may freely invent entities and their labels.
   
3. Instead of sensitivity, suppose that each entity is labelled with a set of datasets. Give new conditions for reading and writing. Your conditions should guarantee the following policy:
   

   P2: If X is labelled with R, then the information in datasets R should be allowed to flow to X, and information from datasets other than those in R should not be allowed to flow to X.

Problem 3:

Recall that revocation of capabilities can be implemented by using revocation tags. Here each capability is a triple, < O , Privs, revTag >. And to revoke a capability C1 = < O1 , Privs1 , revTag1 >, it suffices that revTag1 be added to a set of revocation tags that the reference monitor for object O1 maintains.

An alternative approach for revocation of capabilities is to use ordinary capabilities (i.e., pairs < O , Privs >) but allow indirection and chains of capabilities. Here, the named object O in one capability can itself be a capability that appears on a path of capabilities; the final element of that path would be a capability for the object whose access is being authorized. If any capability in the chain is deleted, then all predecessors in the chain are effectively revoked.

Suppose an application has been built in terms capabilities that contain revocation tags. We are required to port this application to a system where capabilities are pairs, but indirection of capabitities and capability chains are supported. Describe the shapes of the "chains" that will be needed to implement the orginal functionality that revocation tags provided. And describe how to implement, using these capability chains, the operation of adding a revocation tag revTag to the set of tags that the reference monitor is maintaining.