CS5430 Homework 6: Mandatory Access Control

General Instructions. You are expected to work alone on this assignment.

Due: April 25 (Thurs) 11:59pm.

Submit your solution using CMS. Prepare your solution as .pdf, as follows:


Problem 1:

You are consulting to a new Internet start-up company whose value proposition is facilitating the creation and dissemination of age- and belief-appropriate videos for impressionable children. Age is measured in terms of integers (representing years since birth) and gives a conservative approximation for the appropriate age of a viewer; beliefs are characterized by a set of the following terms, called content-descriptors:

The proposed system would work as follows.

Give rules for how the meta-data for each video should be used by the video-viewer program and the rules for how it should be produced by the mash-up creation program.


Problem 2:

The Bell-LaPadula rules for MLS concern reads and writes to files. Each file F has a classification, which is a label L(F); each subject S has a classification, which is a label L(S); and there is an ordering "<=" on labels. This ordering is the basis for the "no read up" and "no write down" rules that define read and write operations authorized for a subject.

The usual accounts of Bell-LaPadula are silent about the response generated when a read or write operation would violate the BLP access rules. For this assignment, assume that such an access attempt returns an error message "Access Denied: File unavailable". And assume that an attempt to access a file that does not exist returns the same message.

  1. Suppose we wish to support an additional operation
       createFile( FName , Lbl )
    
    whose execution creates a new empty file that is named FName and has label Lbl. What, if any, rules about labels should be imposed on execution of createFile if we want to ensure that classified information doesn't leak.
  2. Suggest error messages to be returned from invoking the createFile for the following two cases:
    1. the rule you suggest in (a) is not satisfied.
    2. the rule you suggest in (a) is satisfied but a file with name FName already exists.
    Give a rationale for the wordings you propose.

Problem 3

Sometimes individual data are less sensitive than their aggregate.  For example:

Aggregation is particularly relevant in the context of databases. For the purpose of this problem, suppose that a database comprises a number of datasets. (A dataset might be a table or a view.) Further, suppose that each dataset is assigned a sensitivity label such as Unclassified, Secret, or Top Secret. (We ignore compartments in this problem.)  Then it might be the case that datasets A and B are both Unclassified, but that their aggregation is Secret. To model this, let the function L(R), where R is a set of datasets---for example, R={A,B}--- denote the sensitivity of the aggregation of all the datasets in R. As healthiness conditions on L, we require that:

Our goal in this problem is to develop a MAC model for this scenario. Suppose that an object is a document containing information derived from the database---e.g., the result of queries on datasets. A subject, as usual, is a process executing on behalf of a user. An entity is either a subject or an object. 

  1. Construct your own real-world example, using the database model above, of aggregate data that are more sensitive than their constituents.  Your example should include at least three datasets.  Identify what L(R) is for each possible subset R of your datasets.  (If you need inspiration, begin by supposing that one of the datasets is a set of photographs.)
  2. Suppose that each object (and subject) is labelled with its sensitivity (or clearance). We could then attempt to employ the Bell and LaPadula security conditions ("no read up, no write down"). However, we claim that these conditions are insufficient to guarantee the following policy: 

    P1: An object never contains information whose sensitivity is higher than the object's label.

    Using your example database from part 1, prove this claim by exhibiting a series of read and write operations that effect such an information flow. You may freely invent entities and their labels.
  3. Instead of sensitivity, suppose that each entity is labelled with a set of datasets. Give new conditions for reading and writing. Your conditions should guarantee the following policy:
    P2: If X is labelled with R, then the information in datasets R should be allowed to flow to X, and information from datasets other than those in R should not be allowed to flow to X.

Problem 4:

Describe the users, roles, permissions, restrictions and authorizations for an RBAC scheme to control access to files on a course web site for a class like CS5430. Assume the web site has postings of lecture notes, hw problem sets, and hw solution sets, and grades.