CS5430 System Security

CS5430 Homework 5: Access Control

General Instructions. You are expected to work alone on this assignment.

Due May 7, 2010, 9am. Submit your solution using CMS. No late assignments will be accepted.

To facilitate grading, format your solutions as follows.

Put your name and net id on each page of your solution.
Typeset your solution, using 10 point or larger font and use 8.5 x 11 inch paper.
Use at most one page (both sides, if necessary) for each problem (so what you submit comprises 6 sheets of paper).
Start each problem's solution on a separate side.

Solutions that do not satisfy the formatting guidelines will be returned, ungraded.

Problem 1:

A proposal has been made to represent principals and groups on access control lists by using regular expressions. With this new scheme, an access control list is a sequence of pairs < P_reg, Privs >, where P_reg is a regular expression and Privs is a set of privileges. Regular expression P_reg here is interpreted as defining one or more principals---those principals whose names match the regular expression. For example, the regular expression "fbs" describes that single principal and the regular expression "(f+g)bs" describes the group {fbs, gbs}.

Is this scheme a good alternative to the scheme outlined in the reading, where names for groups and their members are defined separately? Justify your answer.

Problem 2:

Discuss the extent to which Separation of Privilige can be achieved for each of the following strategies.

Only employ fine-grained objects, defining as many different kinds of priviliges and operations as necessary.
Only employ coarse-grained objects, defining as many different kinds of priviliges and operations as necessary,
Only employ fine-grained principals, defining as many different kinds of priviliges and operations as necessary.

Problem 3:

In class, we only discussed schemes for associating a sepearate capability with each different memory segment but not with each individual word. Explain why this choice of granularity would seem to be necessary.

Problem 4:

Describe the users, roles, permissions, restrictions and authorizations for an RBAC scheme to control access to files on a course web site for a class like CS5430. Assume the web site has postings of lecture notes, hw problem sets, and hw solution sets, and grades.

Problem 5:

Sometimes individual data are less sensitive than their aggregate. For example:

Each part of a (3,2) secret sharing is indistinguishable from random. But any two parts of the share reveal the entire secret.
The budgets of individual departments of a company may not reveal much information. But collectively, they reveal where the company is concentrating its resources, and thus telegraph its business strategy.
In the movie Mission: Impossible (1996), the recovery of a NOC (non-official cover) list is a focus of Agent Ethan Hunt. One half of the list contains the code names of secret agents, and the other half contains the agents' real names. Each half individually reveals sensitive information, and their combination reveals even more information.

Aggregation is particularly relevant in the context of databases. For the purpose of this problem, suppose that a database comprises a number of datasets. (A dataset might be a table or a view.) Further, suppose that each dataset is assigned a sensitivity label such as Unclassified, Secret, or Top Secret. (We ignore compartments in this problem.) Then it might be the case that datasets A and B are both Unclassified, but that their aggregation is Secret. To model this, let the function L(R), where R is a set of datasets---for example, R={A,B}--- denote the sensitivity of the aggregation of all the datasets in R. As healthiness conditions on L, we require that:

For all A, L({A}) = sensitivity of A.
If R ⊆ R' then L(R) ≤ L(R').

Our goal in this problem is to develop a MAC model for this scenario. Suppose that an object is a document containing information derived from the database---e.g., the result of queries on datasets. A subject, as usual, is a process executing on behalf of a user. An entity is either a subject or an object.

Construct your own real-world example, using the database model above, of aggregate data that are more sensitive than their constituents. Your example should include at least three datasets. Identify what L(R) is for each possible subset R of your datasets. (If you need inspiration, begin by supposing that one of the datasets is a set of photographs.)
Suppose that each object (and subject) is labelled with its sensitivity (or clearance). We could then attempt to employ the Bell and LaPadula security conditions ("no read up, no write down"). However, we claim that these conditions are insufficient to guarantee the following policy:

P1: An object never contains information whose sensitivity is higher than the object's label.

Using your example database from part 1, prove this claim by exhibiting a series of read and write operations that effect such an information flow. You may freely invent entities and their labels.
Instead of sensitivity, suppose that each entity is labelled with a set of datasets. Give new conditions for reading and writing. Your conditions should guarantee the following policy:

P2: If X is labelled with R, then the information in datasets R should be allowed to flow to X, and information from datasets other than those in R should not be allowed to flow to X.