CS5430 Homework 4: Mandatory Access Control
General Instructions.
You are expected to work alone on this assignment.
Due 4/21 at 11:59pm.
No late assignments will be accepted.
Submit your solution using CMS.
Prepare your solution as .doc, .docx, or .pdf, as follows:
- Use 10 point or larger font.
- Start each problem's solution on a new page.
- Use at most 1 page per problem.
- Put your name and net id on each page.
Failure to do so will result in a grade deduction.
- Consider a new scheme for implementing MLS confidentiality, where labels on
  files and programs can be changed according to the following rules.
  - At any time, the label L(F) on a file F
    - can be increased, or
    - can be decreased
    to the largest label on any item that has been written so far to that file.
  - At any time, the label L(Pgm) on any program Pgm
    - can be increased, or
    - can be decreased
    to the largest label on any item that has been read so far by that program.
  Moreover, assume that
  - If L(Pgm) > L(F) then a write to file F by program Pgm --- that is,
    a "write-down" --- is implemented as a "no-op"
    (but does not cause program execution to be blocked or terminated).
  - If L(Pgm) < L(F) then a read of file F by program Pgm --- that is,
    a "read-up" --- returns "file unavail" as if that is the contents of the file.
  Is there an environment where it is possible for a program
  Pgm to learn whether the contents of a file F satisfy some given
  predicate, even though L(Pgm) < L(F) holds?
  (We define environment to mean: some set of files and other executing programs.)
  If so, describe the environment and the attack;
  if not, give an argument that explains why the information cannot be learned
  by Pgm.
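An added Python model of the label rules stated in the problem above (not part of the assignment). It assumes labels are integers ordered by <, so "largest label" is max(), that an item read from F carries L(F) at read time, and that an item written by Pgm carries L(Pgm) at write time; it models the rules only and does not answer the question.

```python
# Added model of the floating-label MLS scheme stated in the problem above; it is
# not the assignment's own code. Assumptions: labels are integers ordered by <, so
# "largest label" is max() (a real lattice would use join); an item read from F
# carries L(F) at read time and an item written by Pgm carries L(Pgm) at write time.
from dataclasses import dataclass, field

FILE_UNAVAIL = "file unavail"

@dataclass
class File:
    label: int                                    # L(F)
    contents: list = field(default_factory=list)  # items written so far
    max_written: int = 0                          # largest label among those items

    def raise_label(self, new_label):             # L(F) can be increased at any time
        assert new_label >= self.label
        self.label = new_label

    def lower_label(self):
        """L(F) can be decreased, but only to the largest label written so far."""
        self.label = self.max_written

@dataclass
class Program:
    label: int                                    # L(Pgm)
    max_read: int = 0                             # largest label among items read so far

    def read(self, f):
        """Read-up (L(Pgm) < L(F)) yields "file unavail" as if that were the contents."""
        if self.label < f.label:
            return FILE_UNAVAIL
        self.max_read = max(self.max_read, f.label)
        return list(f.contents)

    def write(self, f, item):
        """Write-down (L(Pgm) > L(F)) is a no-op; Pgm is neither blocked nor terminated."""
        if self.label > f.label:
            return False
        f.contents.append(item)
        f.max_written = max(f.max_written, self.label)
        return True

    def raise_label(self, new_label):             # L(Pgm) can be increased at any time
        assert new_label >= self.label
        self.label = new_label

    def lower_label(self):
        """L(Pgm) can be decreased, but only to the largest label read so far."""
        self.label = self.max_read
```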
- Suppose the "MLC Write Restriction" (page 166 in the notes)
  were replaced by:
  L(Pgm) = L(F) is required for a program Pgm to write into a file F information
  Pgm has read.
  This new restriction ensures that a program can read anything it writes,
  so the program can confirm that its writes are successful.
  However, some writes that used to be authorized ---
  namely, writes to files that have higher classifications --- are no longer
  permitted.
  Can a program that satisfies the original "MLC Write Restriction"
  on page 166 be translated mechanically to
  a program or set of programs that together
  (i) satisfies this new restriction and
  (ii) exhibits no loss of security?
- The MLC and MLI restrictions for enforcing confidentiality and integrity
  in the notes are formulated for
  a single, monolithic program.
  In actual practice, one program (e.g., Pgm1) might invoke another program (e.g., Pgm2).
  Suppose we wish to allow the classification label on a calling program Pgm1 to be
  different from the classification label on the called program Pgm2.
  If Pgm1's execution is for some user U having clearance L(U),
  then what restrictions must L(Pgm1), L(Pgm2), and L(U) satisfy to enforce
  - MLS confidentiality
  - MLS integrity
  Give evidence that your restrictions are necessary.
- The "Inventory Purchase Steps" sketched in Figure 8.2 of the notes
  enforce a sequence on the transformation procedures for
  a given business process.
  Three transformation procedures tp are given:
  purchase, orderRcvd, and invRcvd.
  - For each tp, state the pre(tp) that implements the desired sequencing.
  - For each tp,
    explain what part, if any, of that transformation procedure then falsifies pre(tp).
  - For each tp,
    explain what parts of the transformation procedure then make pre(tp') true,
    where tp' is a transformation procedure that should next execute.