General Instructions. You are expected to work alone on this assignment.
Due March 23, 10 am. No late assignments will be accepted.
Submit your solution using CMS. Prepare your solution using Word (.doc) or some ascii editor (.txt), as follows:
The security policy noninterference for confidentiality can be informally stated as,
"Changes in high inputs do not cause changes in low outputs."
(In lecture, we referred to this policy simply as noninterference.) Do the following systems satisfy this policy? Argue why or why not. Your interpretation of this informal condition may affect your answer, so the clarity and precision of your rationale is important. You may assume that covert channels (e.g., timing and termination) are unobservable; or equivalently, that these channels are allowed to leak information. All systems have four channels: HI (high in), HO (high out), LI (low in), LO (low out).
In lecture, we built a static analysis that enforced noninterference for confidentiality, for a very simple programming language. Suppose we add heap-allocated arrays (as in Java) to that language. So, we may have assignment statements of the following forms:
a[i] = j; j = a[i]; a = b;
In the final statement above, a and b are
both arrays. The effect of the statement is to cause both
a and b to refer to the same array on the heap;
that is, the array is aliased by a and b. Thus,
if "a = b; b[j] = i;
" is executed, then both
a[j]
and b[j]
will be equal to
i
. Assume that all array indices are always within
bounds.
Examine the following three statements, whose variables
are subscripted by confidentiality labels. Explain which
statements satisfy noninterference, which don't, and why. Variables
c
, d
, e
, and
f
are arrays; m
, n
,
o
, and p
are integers.
cH[mL] =
nL;
oL =
dL[pH];
eL = fH;
The rules below are proposed to check information flow for
arrays. (Recall from lecture that "S sif pc = C"
means that program S satisfies noninterference if the
label on the program counter is C.)
The first rule allows array element selection (e.g.,
a[i]
) as part of expression E. Variables
in expressions may be arrays or scalars. In the first rule,
x may be either an array variable or a scalar
variable, but it may not be an array element selection. In
the second rule, a is an array.
C ≤ x E ≤ x | C ≤ a E1 ≤ a E2 ≤ a | |
|
|
|
x = E; sif pc = C | a[E1] = E2; sif pc = C |
Unfortunately, these rules do not enforce noninterference. Exhibit an example program and argue that it satisfies the rules yet does not satisfy noninterference.
The security policy noninterference for integrity can be informally stated as,
"Changes in untrusted inputs do not cause changes in trusted outputs."
Intuitively, untrusted information should not be allowed to corrupt trusted information.
Examine the following statements, which have integrity labels as subscripts on variables. The labels are T, for Trusted, and U, for Untrusted. Explain which statements satisfy noninterference for integrity, which don't, and why.
xT = yT + zU;
vU = yT + zU;
if (xT) yT =
xT; else vU = zU;
if (vU) yT =
xT; else vU = zU;
We will now reformulate the static analysis from lecture, which enforced only noninterference for confidentiality, to make it enforce both noninterference for confidentiality and noninterference for integrity.