Homework #1

Due: January 19, 2024
Points: 100

Questions

1. (18 points) A network in the College of Engineering is set up so that individual hosts (really, virtual machines) can run HTTP (web) servers that are available to the outside. (Here, available means the ability to read and write data.) The hosts can also run email (SMTP) servers available to other hosts on the CoE network, but these are not available to the outside. Instead, all outside mail is routed to a machine named “smtphost”, which forwards it to the internal host, and all internal mail addressed to external hosts is routed to “smtphost”, which forwards it to the destination. There are no other servers available to the outside on “smtphost”.

   In what follows, use “g” to represent the HTTPS “get” right, “p” the HTTP put right, “s” the email “send” right, and “r” the email “receive” right.

   1. Please model this using an access control matrix. Use three hosts, “smtphost”, “innie” for a host on the CoE network, and “outie” for an outside host.
   2. Write a command that allows “innie” to exchange email directly with “outie”, bypassing “smtphost” entirely.
   3. Now consider a second host called “reallyinnie” on the CoE network. This host has just been added to the network and has no rights initially. Write a command that gives it the ability to send email to “outie” if, and only if, “innie” can send mail directly to “outie”.

2. (20 points) Minsky states that “privileges should not be allowed to grow when they are transported from one place in the system to another.” Does this differ from the Principle of Attenuation of Privilege as stated in class? If not, show they are the same; if so, how do they differ?

3. (12 points) Someone asks, “Since the Harrison-Ruzzo-Ullman result says that the security question is undecidable, why do we waste our time trying to figure out how secure the Linux operating system is?” Please give an answer justifying the analysis of the security of the Linux system (or any system, for that matter) in light of the HRU result.

4. (30 points) Theorem 3.1 states: “Suppose two subjects s₁ and s₂ are created and the rights in A[s₁, o₁] and A[s₂, o₂] are tested. The same test for A[s₁, o₁] and … A[s₁, o₂] ∪ A[s₂, o₂] will produce the same result.” Justify this statement. Would it be true if one could test for the absence of rights as well as for the presence of rights?

5. (30 points) Consider the construction in Section 3.5.2 that shows how to simulate three-parent joint creation using two-parent joint creation. In the original paper, cr_C(s, c) = c/R₃ (that is, the t right was omitted) and link₂(S, A₃) = A₃/t ∈ dom(S) (the second part was omitted). Why won’t this work?

Matt Bishop Office: 2209 Watershed Sciences Phone: +1 (530) 752-8060 Email: mabishop@ucdavis.edu

ECS 235B, Foundations of Computer and Information Security Version of January 5, 2024 at 2:57PM

You can also obtain a PDF version of this.