CS5430 Homework 4: Mandatory Access Control

Due 4/21 at 11:59pm. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution as .doc, .docx, or .pdf, as follows:

• Use 10 point or larger font.
• Start each problem's solution on a new page.
• Use at most 1 page per problem.
• Pur your name and net id on each page. Failure to do wo will result in a grade deduction.

1. Consider a new scheme for implementing MLS confidentiality, where labels on files and programs can be changed according to the following rules.

   • At any time, the label L(F) on a file F
     1. can be increased or
     2. can be decreased to the largest label on any item that has been written so far to that file.

   • At any time, the label L(Pgm) on any program Pgm
     1. can be increased or
     2. can be decreased to the largest label on any item that has been read so far by that program.

   Moreover, assume that

   • If L(Pgm) > L(F) then a write to file F by program Pgm --- that is, a "write-down" --- is implemented as a "no-op" (but does not cause program execution to be blocked or terminated).

   • If L(Pgm) < L(F) then a read to file F by program Pgm ---- that is, a "read-up" --- returns "file unavail" as if that is the contents of the file.

   Is there an environment where it is possible for a program Pgm to learn whether the contents of a file F satisfy some given predicate, even though L(Pgm) < L(F) holds? (We define environment to mean: some set of files and other executing programs.) If so, describe the environment and the attack; if not, give an argument that explains why the information cannot be learned by Pgm.

---

2. Suppose the "MLC Write Restriction" (page 166 in notes) were replaced by:

   L(Pgm)=L(F) is required for a program Pgm to write into a file F information Pgm has read.

   This new restriction ensures that a program can read anything it writes, so the program can confirm that its writes are successful. However, some writes that used to be authorized --- namely, writes to files that have higher classifications --- are no longer be permitted.

   Can a program that satisfies the original "MLC Write Restriction" on page 166 be translated mechanically to a program or set programs that together (i) satisfies this new restriction and (ii) exhibits no loss of security?

---

3. The MLC and MLI restrictions for enforcing confidentiality and integrity in the notes are formulated for a single, monolithic program. In actual practice, one program (e.g., Pgm1) might invoke another program (e.g., Pgm2). Suppose we wish to allow the classification label on a calling program Pgm1 to be different from the classification label on the called program Pgm2. If Pgm1's execution is for some user U having clearance L(U), then what restrictions must L(Pgm1), L(Pgm2), and L(U) satisfy to enforce
   1. MLS confidentiality
   2. MLS integrity
   Give evidence that your restrictions are necessary.

---

4. The "Inventory Purchase Steps" sketched in Figure 8.2 of notes enforce a sequence on the transformation procedures for a given business process. Three transformation procedures tp are given: purchase, orderRcvd, and invRcvd.
   1. For each tp, state what is the pre(tp) that implements the desired sequencing.
   2. For each tp, explain what part, if any, of that transformation procedure then falsifies pre(tp).
   3. For each tp, explain what parts of the transformation procedure then makes pre(tp') true, where tp' is a transformation procedure that should next execute.