Assignment 3: Protection Models

Start date 14 September, due beginning of class 21 September.

Protection Models: Exercises from the Book

Complete the following exercises from the book Section 3.9:

• 3.9.1. The idea is that some command c(s1,s2,...) will test for some rights in A[s1,o1] and some rights in A[s2,o2] and depending on the result may execute a primitive command that causes a leak of r (e.g., insert r into A[1,1], where A0[1,1] doesn't contain r. If we now set A[s1,o2]=A[s1,o2] union A[s2,o2], and run c(s1,s1,...), c should still execute the command that leaks r. Show that it it will. Try imagining all possible cases (e.g., does A[s1,o1] contain a and A[s2,o2] contain b? What about testing A[s1,o2] as well?) Look at the example commands in Theorem 3-2 for examples of what a test or condition means.
  Remember that a protection system consists of a fixed set of commands, along with the initial set of subjects, objects, and access control matrix. Given the initial state, can it leak a specific right r (put r into a cell in the matrix that didn't have r in the original matrix)? As an example of a set of commands that trivially can be shown not to leak r, take the commands given in the proof of theorem shown on pages 51-52. They can't leak r - none of them even mention r. They might leak other rights.
• 3.9.6. Discuss if this would change the expressive power of the model - and if so, why this is different from the SPM demand.

Use of the Extended Schematic Protection Model

Model a graduate school database like system using the Extended Schematic Protection model. Note that there are multiple classes of users - applicants, students, faculty, administrators, ... Data consists of applications, registration information, and plans of study.

Keep the model relatively simple. However, think about things like creating users.

What would safety analysis mean in such a system? Is it necessary and/or sufficient for a system to be safe to say meaningful things about the security of the system?

What problems do you have? Would some model other than ESPM be more appropriate for some issue you run into?

You don't need a complete model, just discuss some of the issues. I would expect one to two pages (12 point, single spaced).

Cryptography

You were given a description of oblivious transfer and a particular application. I am willing to sell a commodity (say, an airline seat) at a particular price, but I don't want to reveal that price to you. You are willing to pay up to a certain amount, but don't want to reveal how much you are willing to pay. We use oblivious transfer to do this: You transfer a set of prices you are willing to pay to me (and prices you aren't willing to pay), and I check the price I'm willing to sell at to see if we have a sale. If so, I sell you the ticket at that price.

• Would there be problems with the oblivious transfer mechanism described in class for solving this problem?
• As described, will the prices that people pay using this price/negotiation mechanism be closer to those that would be given with something like priceline or like E-Bay? Explain why.

Turning in assignment

Electronic submission preferred, using the turnin command (on mentor.ics.purdue.edu, expert.ics.purdue.edu, and possibly other machines; turnin -c cs526 -p asn3 filename) if possible. If you don't yet have access to mentor, and/or turnin doesn't work from other machines, then email to cs526@ics.purdue.edu. Pdf is the safest for capturing non-text, please check with the TA for formats other than text or pdf. If emailed as an attachment, use your career account ID (followed by appropriate file type extension) as the file name. Hard copy is acceptable, please hand in at the beginning of class.