CS5430 Homework 6: Mandatory Access Control
General Instructions.
You are expected to work alone on this assignment.
Due: April 25 (Thurs) 11:59pm.
Submit your solution using CMS.
Prepare your solution as .pdf, as follows:
- Each problem should be uploaded as a separate file.
- Use 10 point or larger font.
- Use at most 1 page per problem.
Problem 1:
You are consulting for a new Internet start-up company
whose value proposition is facilitating
the creation and dissemination of age- and belief-appropriate videos
for impressionable children.
Age is measured in terms of integers (representing years since birth)
and gives a conservative approximation for the appropriate age of a viewer;
beliefs are characterized by a set of the following terms,
called content-descriptors:
Alcohol, Bambi, BarbieAndKen, Barney, Disrespect, Evolution, Intelligent_Design,
Sexuality, TeddyBears, VerbalAbuse, Violence.
The proposed system would work as follows.
- A web site (www.NoOffense.com) stores videos that users contribute.
Each stored video includes meta-data that gives an age and a set of content-descriptors.
The age is the minimum age for a viewer;
the content-descriptors summarize what the video contains.
- Your company provides a video-uploader program that
parents can use to upload new videos to www.NoOffense.com.
Prior to storing a video,
this video-uploader program creates meta-data for the video by asking questions
of the user about the contents of the video.
Assume that parents are truthful in answering these questions.
- Your company provides a mash-up creation program
that allows children to download videos and then create a new video
by concatenating some subset of the videos that were downloaded, storing the
result as a new video in www.NoOffense.com.
The mash-up creation program automatically creates the meta-data for this new longer video.
- Your company provides a video-viewer program that is
invoked from within the mash-up creation program
and/or can be run stand-alone by children wishing to view videos
stored at www.NoOffense.com.
The video-viewer program starts by reading child-viewing-allowed.config,
a local configuration file corresponding to the child on whose
behalf the video-viewer program was invoked.
This file is specified by a parent and gives
  - the birth year of the child who is running the program;
  - a list of content-descriptors specifying all content the child is allowed to see.
Thereafter, the video-viewer program will display only those videos that
are age-appropriate and belief-appropriate for
the child.
Give rules for how the meta-data for each video should be used by
the video-viewer program and the rules for how it should be produced by
the mash-up creation program.
Problem 2:
The Bell-LaPadula rules for MLS concern reads and writes to files.
Each file F has a classification, which is a label L(F);
each subject S has a classification, which is a label L(S);
and there is an ordering "<=" on labels.
This ordering is the basis for the "no read up" and "no write down"
rules that define read and write operations authorized for a subject.
The usual accounts of Bell-LaPadula are silent about the response
generated when a read or write operation would violate the BLP access rules.
For this assignment, assume that such an access attempt
returns an error message "Access Denied: File unavailable".
And assume that an attempt to access a file that does not exist returns the
same message.
(a) Suppose we wish to support an additional operation
createFile( FName , Lbl )
whose execution creates a new empty file that
is named FName
and has label Lbl.
What, if any, rules about labels should be imposed on execution of createFile
if we want to ensure that classified information doesn't leak?
(b) Suggest error messages to be returned from invoking createFile
for the following two cases:
  - the rule you suggest in (a) is not satisfied;
  - the rule you suggest in (a) is satisfied but
a file with name FName already exists.
Give a rationale for the wordings you propose.
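As an added illustration of the setup described in Problem 2 (example code, not part of the assignment), the following toy reference monitor applies "no read up" and "no write down" over a totally ordered label set (an assumption; the assignment only requires some ordering "<=") and returns the assignment's single error message both for a denied access and for a nonexistent file. It does not address the createFile questions.

```python
# Added example (not from the assignment): a toy Bell-LaPadula reference monitor
# for the read/write rules and error message described in Problem 2.
from enum import IntEnum

class Label(IntEnum):
    # Assumption: a total order; the assignment only requires some ordering "<=".
    UNCLASSIFIED = 0
    SECRET = 1
    TOP_SECRET = 2

# The single response the assignment specifies for a denied access,
# reused for a nonexistent file so the response does not reveal existence.
ACCESS_DENIED = "Access Denied: File unavailable"

class BLPFileSystem:
    """Files are name -> [label L(F), contents]; a subject is given by its label L(S)."""

    def __init__(self):
        self.files = {}

    def add_file(self, fname, label, contents=""):
        self.files[fname] = [label, contents]

    def read(self, subject_label, fname):
        # No read up: allowed only if L(F) <= L(S).
        if fname not in self.files or not (self.files[fname][0] <= subject_label):
            return ACCESS_DENIED
        return self.files[fname][1]

    def write(self, subject_label, fname, data):
        # No write down: allowed only if L(S) <= L(F).
        if fname not in self.files or not (subject_label <= self.files[fname][0]):
            return ACCESS_DENIED
        self.files[fname][1] += data
        return "OK"

def demo():
    """Constructed scenario: one Secret file accessed by subjects of different labels."""
    fs = BLPFileSystem()
    fs.add_file("plan.txt", Label.SECRET, "secret plan")
    return {
        "ts_reads_secret": fs.read(Label.TOP_SECRET, "plan.txt"),
        "u_reads_secret": fs.read(Label.UNCLASSIFIED, "plan.txt"),
        "u_reads_missing": fs.read(Label.UNCLASSIFIED, "missing.txt"),
        "u_writes_secret": fs.write(Label.UNCLASSIFIED, "plan.txt", "!"),
        "ts_writes_secret": fs.write(Label.TOP_SECRET, "plan.txt", "!"),
    }
```

Note that the Unclassified subject cannot distinguish the denied read of plan.txt from the read of a file that does not exist, which is exactly the property the assignment's single message is meant to preserve.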
Problem 3:
Sometimes individual data are less sensitive than their aggregate.
For example:
- The budgets of individual departments of a company may not reveal much
information. But collectively, they reveal where the company is
concentrating its resources, and thus telegraph its business strategy.
- In the 1996 movie "Mission: Impossible", the recovery of a NOC
(non-official cover) list is a focus of Agent Ethan Hunt. One half of
the list contains the code names of secret agents, and the other half
contains the agents' real names. Each half individually reveals sensitive
information, and their combination reveals even more information.
Aggregation is particularly relevant in the context of databases. For the
purpose of this problem, suppose that a database comprises a number of datasets.
(A dataset might be a table or a view.) Further, suppose that each
dataset is assigned a sensitivity label such as Unclassified, Secret, or Top
Secret. (We ignore compartments in this problem.) Then it might be the case that datasets A and B are both Unclassified,
but that their aggregation is Secret. To model this, let the function L(R),
where R is a set of datasets---for example, R={A,B}--- denote the sensitivity of
the aggregation of all the datasets in R. As healthiness conditions on L, we
require that:
- For all A, L({A}) = sensitivity of A.
- If R ⊆ R' then L(R) ≤ L(R').
Our goal in this problem is to develop a MAC model for this scenario. Suppose
that an object is a document containing information derived from the
database---e.g., the result of queries on datasets. A subject, as usual,
is a process executing on behalf of a user. An entity is either a subject
or an object.
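As an added illustration of the two healthiness conditions on L (example code, not part of the assignment), the checker below enumerates every subset R of a constructed set of datasets A, B, C and reports any violation of the singleton condition or of monotonicity under ⊆. The aggregation functions L_good and L_bad are constructed for the demonstration, not a real-world example.

```python
# Added example (not from the assignment): checking the healthiness conditions
# on an aggregation-sensitivity function L over subsets of datasets (Problem 3).
from itertools import combinations

UNCLASSIFIED, SECRET, TOP_SECRET = 0, 1, 2   # ordered sensitivity labels

def all_subsets(datasets):
    """Yield every subset of the dataset names as a frozenset (including the empty set)."""
    names = sorted(datasets)
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)

def check_healthiness(datasets, sensitivity, L):
    """Return a list of violated conditions; an empty list means L is healthy.
    sensitivity: dataset name -> label.  L: frozenset of names -> label."""
    violations = []
    # Condition 1: for all A, L({A}) equals the sensitivity of A.
    for a in datasets:
        if L(frozenset([a])) != sensitivity[a]:
            violations.append(f"L({{{a}}}) != sensitivity of {a}")
    # Condition 2: if R is a subset of R' then L(R) <= L(R').
    subsets = list(all_subsets(datasets))
    for r in subsets:
        for r2 in subsets:
            if r <= r2 and L(r) > L(r2):
                violations.append(f"L({set(r)}) > L({set(r2)}) although R is a subset of R'")
    return violations

# Constructed example: three Unclassified datasets whose aggregates are more sensitive.
DATASETS = ["A", "B", "C"]
SENSITIVITY = {"A": UNCLASSIFIED, "B": UNCLASSIFIED, "C": UNCLASSIFIED}

def L_good(r):
    # {A,B} together is Secret; all three together is Top Secret; anything else
    # is just the most sensitive of its members (Unclassified for the empty set).
    if r >= {"A", "B", "C"}:
        return TOP_SECRET
    if r >= {"A", "B"}:
        return SECRET
    return max((SENSITIVITY[x] for x in r), default=UNCLASSIFIED)

def L_bad(r):
    # Violates monotonicity: {A,B} is Secret but the superset {A,B,C} is not.
    return SECRET if r == {"A", "B"} else UNCLASSIFIED
```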
1. Construct your own real-world example, using the database model above, of aggregate data that are more sensitive than
their constituents. Your example should include at least three
datasets. Identify what L(R) is for each possible subset R of your
datasets. (If you need inspiration, begin by supposing that one of the
datasets is a set of photographs.)
2. Suppose that each object (and subject) is labelled with its sensitivity
(or clearance). We could then attempt to employ the Bell and LaPadula
security conditions ("no read up, no write down"). However, we
claim that these conditions are insufficient to guarantee the
following policy:
P1: An object never contains information whose sensitivity is
higher than the object's label.
Using your example database from part 1, prove this claim by exhibiting a series
of read and write operations that effect such an information flow. You may
freely invent entities and their labels.
3. Instead of sensitivity, suppose that each entity is
labelled with a set of datasets. Give new conditions for reading and writing.
Your conditions should guarantee the following policy:
P2: If X is labelled with R, then the information in datasets R should
be allowed to flow to X, and information from datasets other than those in R should not be allowed to flow to X.
Problem 4:
Describe the users, roles, permissions,
restrictions and authorizations
for an RBAC scheme to control access to files on a
course web site for a class like CS5430.
Assume the web site has postings of lecture notes, hw problem sets,
hw solution sets, and grades.