- Consider two users A and B with the following privileges: A can read and write a file F and read, write and execute a service program P; B can only read F and execute P. An intruder has managed to:
- Guess A's password
- Guess B's password
- Place a passive tap on A's terminal line; however, the password transmission is protected through encryption
- Place an active tap on A's terminal line (password transmission is protected as in the above part
For each of these cases, describe a simple scenario (if one exists) that would lead to each of the following problems:
- Information destruction
- Unauthorized use of services
- Consider five objects A, B, D1, D2, and D3 as in the Hydra operating system. Show the graphical representation of the objects' capabilities such that the following operations may be performed:
- A can call B
- B can read and write data from/to D1
- B can give its capability for D1 to another object D2
- A can read and write the capability list of D1
- A can read data from D3
- B can read and write data from/to D3
Each object should have only the minimal set of capabilities and rights necessary to accomplish the preceding operations. Assume that the capability for a procedure must contain the right c (for call) in order to be called.
- Consider the diagram you constructed for problem 2.
- Can data from D3 ever get into D1?
- Can data from D3 ever get into D2?
- Can data from D1 ever get into A?
- Can data from D2 ever get into A?
- Consider two processes in the Hydra operating system. Process p1 is currently executing in procedure P1 and process p2 is executing in procedure P2? Another procedure X and three data objects D1, D2, and D3 exist in the system. The capability lists are as follows:
|
Capability for Object |
Rights |
|
P1 |
X
D2 |
cms
emrw |
|
P2 |
D1
D3 |
l
l |
|
X |
D1
D2 |
ews
mrws |
- Show a graphic representation for this configuration.
- Assume P1 calls X and passes to it the capability for D2. Show the current capability list, assuming the m-right was masked out during the call.
- Answer the following questions:
- After the call, can X write into any of the objects: D1, D2, D3, P1, or P2?
- Can X store capabilities into the capability lists of any of the objects D1, D2, D3, P1 or P2?
- Which capabilities can propagate from P1 to P2?
- Assume that the generic set of rights in the access matrix model contains also contains the rights t (take) and g (grant), similar to the take-grant model.
- Define the corresponding operations ``take'' and ``grant'' (specified for the take-grant model) as commands in the access matrix model.
- How could the ``remove'' operation of the take-grant model be expressed as a command in the access matrix model? Sketch the necessary algorithm (assume a loop construct may be used in the command body).
- Construct a take-grant graph G in which a given subject s1 can never gain direct access to an object o1, that is the predicate can_share(r,s1,o1,G) is false for an r, yet it is still possible for information contained in o1 to reach s1 (i.e., to flow from o1 to s1).
- For each of the following take-grant graphs G, prove that the predicate can_share(r,x1,x3,G) holds:
T TR
.---
_.---_.
x1 x2 x3
T GR
.<---.<---.
x1 x2 x3
G TR
.---_.---_.
x1 x2 x3
G TR
.<---.<---.
x1 x2 x3
G GR
.---_.---_.
x1 x2 x3
T TR
.<---.<---.
x1 x2 x3
Show the corresponding sequences of transformations from G to Gn, where Gn is the first state containing the edge x1 -> x3.
- Which of the six transformations are still valid under each of the following assumptions:
- x3 is an object; x1 and x2 are subjects.
- x2 is an object; x1 and x3 are subjects.
- x1 is an object; x2 and x3 are subjects.
- x2 and x3 are objects; x1 is a subject.
- Consider a system consisting of two subjects s1 and s2 and four objects o1 through o4.
- Assign clearance to both subjects and classification levels to all objects according to the Bell-LaPadula model, such that the following conditions hold (use only as many levels as necessary to achieve your goal):
- s1 can write only into o3 and o4
- s2 can write only into o3
- Determine which objects can be read by which subjects under the assignment of the first bullet.
- Modify the assignment such that s1 cannot read o4.
- Consider the set of security classes C={00,01,10,11} in the lattice model of information flow. Define the flow relation -> and the class-combining operator + such that (C, ->, +) forms a lattice with the following:
- 00 and 11 as the lower and least upper bounds, respectively.
- 11 and 00 as the lower and least upper bounds respectively.
- Repeat exercise 9 for the set of security classes C={(XYZ) | X,Y,Z e {0,1}} and the bounds 000 and 111.