Due: April 17, 2017
- (15 points) A network in the College of Engineering is set up so that individual hosts (really, virtual machines) can run HTTP (web) servers that are available to the outside. (Here, available means the ability to read and write data.) The hosts can also run email (SMTP) servers available to other hosts on the CoE network, but these are not available to the outside. Instead, all outside mail is routed to a machine named “smtphost”, which forwards it to the internal host, and all internal mail addressed to external hosts is routed to “smtphost”, which forwards it to the destination. There are no other servers available to the outside on “smtphost”.
  - Please model this using an access control matrix. Use three hosts, “smtphost”, “innie” for a host on the CoE network, and “outie” for an outside host. Don’t forget to include the HTTP servers!
  - Write a command that allows “innie” to exchange email directly with “outie”, bypassing “smtphost” entirely.
  - Now consider a second host called “reallyinnie” on the CoE network. This host has just been added to the network and has no rights initially. Write a command that gives it the ability to send email to “outie” if, and only if, “innie” can send mail directly to “outie”.
- (15 points) Suppose Alice has r and w rights over the file book. Alice wants to copy r rights to book to Bob.
  - Assuming there is a copy right c, write a command to do this.
  - Now assume the system supports a copy flag; for example, the right r with the copy flag would be written as rc. In this case, write a command to do the copy.
  - In the previous part, what happens if the copy flag is not copied?
- (20 points) The proof of Theorem 3.1 states that we can omit the delete and destroy commands as they do not affect the ability of a right to leak when no command can test for the absence of rights. Justify this statement. If such tests were allowed, would delete and destroy commands affect the ability of a right to leak?
- (20 points) Prove or disprove: The claim of Lemma 3.1 holds when x is an object.
- (20 points) The Take-Grant Protection Model provides two rights, take and grant, that enable the transfer of other rights. SPM’s demand right, in many ways analogous to take, was shown to be unnecessary. Could take similarly be dropped from the Take-Grant Protection Model?
- (10 points) In Figure 4–1, suppose that edge t3 went from s1 to s4. Would the resulting system be secure?