Lecture 10 Outline (April 20, 2015)

Reading: §2, 3.1–3.2
Assignment: Program 2, due April 27, 2015; Homework 2, May 1, 2015

1. Greetings and felicitations!
2. Discussion problem of the day
3. Access Control Matrix
   1. Subjects, objects, and rights
   2. Primitive commands: create subject/object, enter right, delete right, destroy subject/object
   3. Commands and conditions: create-file, various flavors of grant-right to show conditions and nested commands
   4. Copy flag
   5. Attenuation of privileges
4. HRU Result
   1. Notion of leakage in terms of ACM
   2. Determining security of a generic system with generic rights and mono-operational commands is decidable
   3. Determining security of a generic system with generic rights is undecidable
   4. Meaning: can’t derive a generic algorithm; must look at (sets of) individual case

Discussion question. An eighth grade school student in Florida shoulder-surfed a teacher he didn’t like typing in a password. He used that password to log into the teacher’s account and changed the wallpaper. The password, like all passwords on the school network, was the last name of the teacher (user), and teachers had administrative privileges on the network.

The student was first suspended or 10 days. But on April 2 of this year, the Pasco County sheriff filed felony charges against the student. The sheriff stated that he filed the charges because the teacher’s computer had “encrypted 2014 FCAT [Florida Comprehensive Assessment Test] questions”, although he admitted the student “did not view or tamper with those files.” He added “Even though some might say this is just a teenage prank, who knows what this teenager might have done.”

Do you think the student should have been suspended? Should he have been charged with a felony?