Homework #4

Questions

1. (25 points) Revisit the example for x := y + z in Section 16.1.1. Assume that x does not exist in state s. Confirm that information flows from y and z to x by computing H(y_s | x_t), H(y_s), H(z_s | x_t), and H(z_s) and showing that H(y_s | x_t) < H(y_s) and H(z_s | x_t) < H(z_s). (text, problem 16.1)

2. (25 points) Let L = (S_L, ≤_L) be a lattice. Define:
   1. S_IL = { [a, b] | a, b ∈ S_L ∧ a ≤_L b }
   2. ≤_IL = { ([a₁, b₁], [a₂, b₂]) | a₁ ≤_L a₂ ∧ b₁ ≤_L b₂ }
   3. lub_IL([a₁, b₁], [a₂, b₂]) = (lub_L(a₁, a₂), lub_L(b₁, b₂))
   4. glb_IL([a₁, b₁], [a₂, b₂]) = (glb_L(a₁, a₂), glb_L(b₁, b₂))
   Prove that the structure IL = (S_IL, ≤_IL) is a lattice. (text, problem 16.2, modified)

3. (25 points) In the Janus system, when the framework disallows a system call, the error code EINTR (interrupted system call) is returned.
   1. When some programs have read or write system calls terminated with this error, they retry the calls. What problems might this create?
   2. Why do you think the developers of Janus did not devise a new error code (say, EJAN) to indicate an unauthorized system call? Justify your answer.
   (text, problem 17.5, modified)

4. (25 points) Consider the rule of transitive confinement. Suppose a process needs to execute a subprocess in such a way that the child can access exactly two files, one only for reading and one only for writing.
   1. Could capabilities be used to implement this? If so, how?
   2. Could access control lists be used to implement this? If so, how?
   (text, problem 17.3)

Extra Credit

1. (20 points) A company develops a new security product using the agile programming software development methodology (in the book, this is called “extreme programming”). Programmers code, then test, then add more code, then test, and continue this iteration. Every day, they test the code base as a whole. The programmers work in pairs when writing code to ensure that at least two people review the code. The company does not adduce any additional evidence of assurance. How would you explain to the management of this company why their software is in fact not “high assurance” software? (text, problem 18.7, modified)