CS5430 Homework 5: Reference Monitors (and beyond!)
General Instructions.
Work individually --- do not work with other CS5430 students on this assignment.
Collaborating on this assignment with another CS5430 student will be treated
as an academic integrity violation.
Due: November 17, 2020 at 10:00am.
No late assignments will be accepted.
Submit your solution as .pdf using CMS.
Typeset answers, using 10 point or larger font.
All answers should be in a single file containing at most 5 pages.
This assignment has you reading a technical paper from the cyber-security literature
and answering questions about the material it covers.
There are two goals.
First, the assignment will give you experience reading a technical paper from the literature.
Second, mastering the content of this paper will give you a deeper understanding
of material we have been discussing in class.
Your grade on this assignment will depend on the following.
Answer the questions below based on your understanding of the following paper.
Fred B. Schneider, Greg Morrisett, Robert Harper.
A language-based approach to security.
Informatics: 10 Years Back, 10 Years Ahead
(Saarbrücken, Germany, August 2000),
Lecture Notes in Computer Science,
Volume 2000 (Reinhard Wilhelm, ed.),
Springer-Verlag, Heidelberg, 2000, 86-101.
Question 1.
What do the authors mean by "language-based security"?
Language-based security concerns using the following techniques from programming languages
to help enforce security policies:
compilers, automated analysis, type checking, and program rewriting.
[line 20].
Only partial credit for this answer in isolation:
"The building blocks of language-based security are program rewriting and program analysis"
[line 267-268].
Question 2.
What arguments were operating systems developers using circa 2000
to justify having a large kernel?
A large kernel is needed to support a large set of basic services [line 52]
and to avoid the performance impact of making context switches [line 55].
Question 3.
How could fine-grained protection domains have been useful for defending against Melissa?
Melissa is a script that runs with all privileges of the user who is running
the mailer containing the message that conveys Melissa [line 68, footnote].
With fine-grained protection domains, the mailer would be running in its own domain,
so it would not have the privileges of the user who invoked the mailer.
In particular, it would not have privileges for reading a user's address book.
Melissa read a user's address book to propagate, so without access to the
user's address book, Melissa would not have been able to spread.
Question 4.
What problems arise from running a reference monitor in a separate address space
from the target system it monitors?
There are two problems [line 98-108].
First, there is an increased performance cost associated with context switches to the
reference monitor each time a security-relevant event occurs [line 99-103].
Second, only certain events can be security-relevant because only certain events cause
traps [line 104-108].
Question 5.
What informal justification do the authors suggest for concluding that program analysis
is a more-powerful enforcement mechanism than reference monitors?
The program text describes all possible behaviors, so an analyzer has the information to make
inferences about compliance with policies that involve multiple behaviors.
A reference monitor enforces policies based on a single execution in isolation.
Thus, policies that a reference monitor enforces can be enforced by program analysis but
the opposite does not hold.
[line 147-151].
The paper also notes that "Information provided to an EM mechanism
is thus insufficient for predicting future steps the target system
might take, alternative possible executions, or all possible target
system executions. Therefore, compilers and theorem-provers, which
analyze a static representation of a target system to deduce
information about all of its possible executions, are not considered
EM mechanisms." [line 167-171]
Finally, the authors observe:
"Type systems (a form of program analysis) show promise for enforcing liveness
properties and information flow policies." [line 492-494].
Neither of these policies can be enforced by a reference monitor.
Other excerpts that can be cited in support of this answer are: L127-L130.
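The contrast in this answer can be made concrete. The Python code below is an added illustration, not code from the paper or from the course; it assumes hypothetical procedures secret() (the confidential input) and output() (the only observable, security-relevant event) and a constructed target program whose output depends on the secret only through which branch is taken. An execution monitor watching one run sees only a constant being output and has no basis to reject it; a taint analysis over the program text sees both branches of the conditional and flags the flow.

```python
import ast

# Constructed target program: the value passed to output() depends on the
# secret only through the branch taken (an implicit flow). Each single run
# outputs a constant, so no one execution reveals the dependence.
PROGRAM = """
s = secret()
if s > 0:
    y = 1
else:
    y = 0
output(y)
"""

# Hypothetical names used by the target: secret() returns the confidential
# input, output() is the only observable event.
SOURCE_CALL = "secret"
SINK_CALL = "output"


def static_flow_check(source):
    """Conservative taint analysis over the program text.

    Returns (tainted_variables, violating_line_numbers). It walks the AST
    rather than a trace, so both branches of every if are examined, and a
    branch on a tainted condition taints everything assigned inside it.
    """
    tree = ast.parse(source)
    tainted = set()
    violations = set()

    def is_tainted(expr, pc_tainted):
        reads_secret = any(
            isinstance(n, ast.Call) and isinstance(n.func, ast.Name)
            and n.func.id == SOURCE_CALL for n in ast.walk(expr))
        uses_tainted_var = any(
            isinstance(n, ast.Name) and n.id in tainted for n in ast.walk(expr))
        return pc_tainted or reads_secret or uses_tainted_var

    def visit(stmts, pc_tainted):
        for st in stmts:
            if isinstance(st, ast.Assign) and is_tainted(st.value, pc_tainted):
                tainted.update(t.id for t in st.targets if isinstance(t, ast.Name))
            elif isinstance(st, ast.If):
                branch_pc = is_tainted(st.test, pc_tainted)
                visit(st.body, branch_pc)
                visit(st.orelse, branch_pc)
            elif (isinstance(st, ast.Expr) and isinstance(st.value, ast.Call)
                  and isinstance(st.value.func, ast.Name)
                  and st.value.func.id == SINK_CALL):
                if any(is_tainted(a, pc_tainted) for a in st.value.args):
                    violations.add(st.lineno)

    # Iterate to a fixed point so taint introduced later in the text propagates.
    while True:
        before = len(tainted)
        visit(tree.body, False)
        if len(tainted) == before:
            break
    return tainted, sorted(violations)


def monitored_run(source, secret_value):
    """Run the program once under an execution monitor that observes only the
    security-relevant events (output calls) of this single execution."""
    events = []
    env = {SOURCE_CALL: lambda: secret_value,
           SINK_CALL: lambda v: events.append((SINK_CALL, v))}
    exec(source, env)
    return events


def monitor_accepts(events, secret_value):
    """Reference-monitor style check over one run's events: reject only if an
    observed output equals the secret. Every run of PROGRAM outputs a constant,
    so every run is accepted although the output leaks the sign of the secret."""
    return all(value != secret_value for _, value in events)
```

Running the analysis on PROGRAM reports that both s and y are tainted and that the output() call is a violation, while monitored_run with a positive or a negative secret each yields a run the monitor accepts; the monitor would need to know the other possible execution to see the leak, which is exactly the information an EM mechanism lacks.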
Question 6.
Give two advantages of applying IRM enforcement to
high-level language programs rather than applying IRM enforcement to assembly language
programs.
(i) The policy can be written in terms of the high-level control structures
such as procedure calls.
(ii) The policy can be written in terms of the program's abstractions. [lines 342-346]
Other excerpts that can be cited in support of this answer are: L135-L139, L323-L325,
L328, L334-L335, L372, L498-L501.
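To show what it means for a policy to be stated in terms of procedure calls and then enforced by program rewriting, the Python code below is an added example, not code from the paper or from any IRM toolkit. It assumes two hypothetical policy-relevant procedures, read_file and send, a constructed "no send after read_file" policy, and Python 3.9 or later for ast.unparse. The rewriter turns each call f(...) into _irm_call('f', f, ...), so the security automaton inlined into the target is consulted at every such call.

```python
import ast

# Hypothetical policy-relevant procedures and a constructed policy: once the
# program has called read_file, it may no longer call send. The policy is
# phrased in terms of high-level procedure calls, not machine instructions.
POLICY_EVENTS = {"read_file", "send"}


class PolicyViolation(Exception):
    pass


class NoSendAfterRead:
    """Security automaton for the policy; its state lives inside the target."""

    def __init__(self):
        self.has_read = False

    def step(self, event):
        if event == "read_file":
            self.has_read = True
        elif event == "send" and self.has_read:
            raise PolicyViolation("send() after read_file() is forbidden")


class Inliner(ast.NodeTransformer):
    """Program rewriter: a call f(args) to a policy-relevant procedure f
    becomes _irm_call('f', f, args). Arguments are still evaluated before
    _irm_call runs, so send(read_file(x)) is seen as read_file then send."""

    def visit_Call(self, node):
        self.generic_visit(node)  # rewrite calls nested in the arguments first
        if isinstance(node.func, ast.Name) and node.func.id in POLICY_EVENTS:
            return ast.Call(
                func=ast.Name(id="_irm_call", ctx=ast.Load()),
                args=[ast.Constant(value=node.func.id), node.func, *node.args],
                keywords=node.keywords)
        return node


def instrument(source):
    """Return the rewritten module AST with the monitor calls inlined."""
    tree = Inliner().visit(ast.parse(source))
    return ast.fix_missing_locations(tree)


def instrumented_source(source):
    """Human-readable form of the rewritten program (Python 3.9+)."""
    return ast.unparse(instrument(source))


def run_with_irm(source):
    """Execute the rewritten program with constructed stand-ins for the
    policy-relevant procedures.

    Returns ("ok", list_of_sent_data) or ("violation", message)."""
    automaton = NoSendAfterRead()

    def _irm_call(name, procedure, *args, **kwargs):
        automaton.step(name)          # consult the automaton, then proceed
        return procedure(*args, **kwargs)

    sent = []
    env = {
        "_irm_call": _irm_call,
        "read_file": lambda path: "contents of " + path,  # constructed stand-in
        "send": lambda data: sent.append(data),           # constructed stand-in
    }
    try:
        exec(compile(instrument(source), "<target>", "exec"), env)
    except PolicyViolation as exc:
        return ("violation", str(exc))
    return ("ok", sent)
```

A target that sends before reading runs to completion; one that reads and then sends, or nests the read inside the send, is halted at the offending call. Because the rewriter works on the program's own control structure, the same policy would be far harder to state over an instruction stream where "a call to send" is only a jump to some address. This toy leaves out what a real IRM rewriter must also guarantee: that the target cannot catch the violation exception, reach the automaton's state, or call the guarded procedures by some route the rewriter did not instrument.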
Question 7.
What is the Java analog of TAL, and why would the authors see them as being analogous?
There are two elements of comparison: being an assembly language and
being output by a certifying compiler. Both elements must be mentioned for full credit.
TAL is a typed assembly language (albeit for a real computer)
and the target for a certifying compiler [line 457-461].
JVM is the Java virtual machine language (albeit an assembly language for a virtual machine)
and the target for the Java compiler, also a certifying compiler [line 436-438].
Other excerpts that can be cited in support of this answer are: L323-L325 and L463-L465.
Question 8.
In this paper, what is seen as the primary disadvantage
of building systems by using a high-level language and
how can that disadvantage be overcome?
When a high-level language is being used,
the trusted computing base must be enlarged to incorporate the compiler [line 427-428].
However, use of a certifying compiler removes the compiler from the trusted computing base [line 433-438].
Other excerpts that can be cited in support of this answer are: L141-L143, L352-L354 and L357.