Software Security CSG 379/ Karl Lieberherr
============================================

Due date: September 27, 2004

The home directory of the course is:
http://www.ccs.neu.edu/home/lieber/courses/csg379/f04/
All paths in this hw are with respect to this directory.
f04.html is the course home page.

Reading assignment:
Read on the average 3 chapters per week from the text book.
In 6 weeks you should be done.

Disclaimer:
If one of the homeworks takes too much time, only complete what you
can do in a reasonable amount of time. The rest of the work
you can do in the following week.

Part 1:
Monitoring Software Behavior
----------------------------
Monitoring software behavior is an excellent defensive technique.
Let's assume that if the following calls:

  open_account(i);
  ... no deposit(i, amount); ...
  close_account(i);

appear in sequence, you want to send a warning message.
An account is opened and closed without ever receiving a deposit.
... means any number of intermediate calls.

Write an AspectJ program that does this monitoring.
Write one or more Java programs to test your AspectJ program.

Turn in your AspectJ program and Java programs
with their inputs/outputs.

Part 2:
Binder has a polynomial-time decision procedure
-----------------------------------------------
Consider the propositional case of a Binder program:

  #f :- #g, #h.
  #g.
  #h.

This is with respect to the grammar in daj/program.cd
(An example is in daj/program.input.)

Describe an algorithm that finds a satisfying assignment
for such a program in polynomial time in the size of the input.

  #f :- #g, #h.

we interpret as the clause

  f or !g or !h

Here ! is negation.

Turn in your algorithm description in English.
Note: The algorithm is very simple.

Part 3:
Binder and role-based-access control
------------------------------------
Describe how we can use Binder to express role-based access control
policies.

  User1 plays role R1.
  User2 plays role R3.
  R3 is a subrole of role R1.
  Role R1 has permission to read file f.

Question: Is User2 allowed to read file f?

Translate this to Binder and use DAJ to syntactically check
your Binder security formula.

Copy the code in
/home/lieber/.www/courses/csg379/f04/hw/2/test
into one of your directories and modify the program.input file.

Follow the directions in:
/home/lieber/.www/courses/csg379/f04/daj/daj-directions
to set up your CCIS environment and run the program.
The above link also tells you how to generate a parser yourself.

Part 4: Binder version 2
------------------------
Compare the version of Binder in
/home/lieber/.www/courses/csg379/f04/hw/2/test-look-ahead-2
with the version in
/home/lieber/.www/courses/csg379/f04/hw/2/test

Describe the difference between the two languages.
Which one is safer to use?
Which one do you prefer?
What is the minimal look-ahead that is needed?

====================
Where to turn in:
csg379-grader AT ccs.neu.edu

Questions to the same address: it reaches both Robbie and me.
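
Added example for Part 1 (not part of the original assignment and not
course code): one way to express the open / no deposit / close monitor
as an AspectJ aspect that keeps per-account state. The class Bank, the
parameter types int and double, and the names NoDepositMonitor and
MonitorDemo are assumptions made for the illustration.

```aspectj
// Added example. Assumed signatures: open_account(int), deposit(int, double),
// close_account(int), as static methods of a hypothetical class Bank.
import java.util.HashSet;
import java.util.Set;

class Bank {  // code under observation; the bodies do not matter to the monitor
    static void open_account(int i) { }
    static void deposit(int i, double amount) { }
    static void close_account(int i) { }
}

aspect NoDepositMonitor {
    // Accounts that were opened and have not yet received a deposit.
    // Single-threaded use is assumed; guard this set if calls are concurrent.
    private final Set<Integer> pending = new HashSet<Integer>();

    pointcut opened(int i):    call(* Bank.open_account(int)) && args(i);
    pointcut deposited(int i): call(* Bank.deposit(int, double)) && args(i, ..);
    pointcut closed(int i):    call(* Bank.close_account(int)) && args(i);

    // "after returning" updates state only when the call completed normally,
    // so a deposit that throws does not count as a deposit.
    after(int i) returning: opened(i)    { pending.add(i); }
    after(int i) returning: deposited(i) { pending.remove(i); }

    after(int i) returning: closed(i) {
        // remove() is true only if i was opened and never deposited into.
        // It also clears the state, so a re-opened account is tracked afresh.
        if (pending.remove(i)) {
            System.err.println("WARNING: account " + i
                    + " opened and closed without a deposit");
        }
    }
}

public class MonitorDemo {
    public static void main(String[] args) {
        // Constructed call trace: account 1 gets a deposit, account 2 does not.
        Bank.open_account(1);
        Bank.open_account(2);
        Bank.deposit(1, 50.0);
        Bank.close_account(1);   // no warning
        Bank.close_account(2);   // warning
        Bank.close_account(3);   // never opened: no warning
    }
}
```

Because the state is keyed by account number, intermediate calls on
other accounts (the "..." in the pattern) do not affect the result.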