Software Security Homework 5 CSG 379 / Karl Lieberherr
============================================

Due date: October 25, 2004

The home directory of the course is: http://www.ccs.neu.edu/home/lieber/courses/csg379/f04/
f04.html is the course home page.

Reading assignment: Read on average 3 chapters per week from the textbook. In 6 weeks you should be done.

Part 1: Implementing the Refined Chinese Wall Policy using Aspects
----------------------------------------------------------

The Chinese Wall security policy is a hybrid security policy that addresses both confidentiality and integrity. We want to refine our rule from last week to deal with indirect flow of information. If John has access to Oil A and Bank A, Jane has access to Oil B and Bank A, and access means read/write, we could have an indirect flow of information: if John is allowed to read Oil A and write into Bank A, he may transfer information about Oil A into Bank A, where it can then be read by Jane.

We call the Chinese Wall policy from last week CW-preliminary. Now we formulate CW-simple for read. We assume that the set of objects is partitioned into sanitized and unsanitized objects. Sanitized objects can be thought of as hiding the identity of the company behind them, or as being for "public" release. To sanitized objects we offer free read access.

CW/read: s can read o iff at least one of the following holds:

The two conditions from CW-preliminary with access = read access, i.e.,

1. there is an object o' such that s has accessed o' and group(o') = group(o) (INSIDE Chinese Wall).
2. every object o0 that subject s has accessed so far belongs to a group whose type is different from that of the group to which o belongs, that is, type[group[o]] != type[group[o0]] (OUTSIDE Chinese Wall).

plus, in addition:

3. o is sanitized.

Now we add a write condition:

CW/write: s can write to object o iff BOTH of the following hold:

1. the CW/read condition permits s to read o.
2. for all unsanitized o' that s can read: group[o] = group[o'].

See the original Chinese Wall paper by Brewer and Nash (1989):
http://www.gammassl.co.uk/topics/chinesewall.html
http://www.gammassl.co.uk/topics/chwall.pdf
Also in the course directory as hw/5/chwall.pdf, for the formal definitions.

See http://www.ccs.neu.edu/home/lieber/courses/csg379/f04/readings/c92cwall.pdf for improving the original Chinese Wall.

Part 1.A:
=========

Discuss how the improved Chinese Wall Policy with separate read/write rules addresses the "indirect flow of information" problem mentioned above. Consider the case where Jane and John get together in private and share their work experiences. Security is a social problem, and with technology we try to make it less likely that unwanted actions happen.

Part 1.B:
=========

Update your Chinese Wall implementation from the previous homework. Each object not only has a group but also a sanitized flag. Ideally, we would like to define the update as an aspect that enhances the aspect from the previous homework. Can this be achieved, or is it easier to enhance the previous access code by manually editing it? Discuss the design space for the update and motivate your design decision.

The chwall.pdf paper contains a proposal of a reduction:

"It seems sensible, therefore, to regard all company datasets, bar one, as containing sensitive information belonging to some particular corporation. We reserve the remaining dataset, y0 (say), for sanitized information relating to all corporations. It is unnecessary to restrict access to such sanitized information. This can be accomplished without need to rework any of the preceding theory by asserting that this distinguished company dataset, y0, is the sole member of some distinguished conflict of interest class, x0."

Can you use this to simplify your design?

For testing your new policy, use the set-up from the previous homework but refine it with sanitized information and the read/write distinction.
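The CW/read and CW/write rules from Part 1 as a plain Python reference monitor. This is an added example, not code from the course or from any homework solution; it uses ordinary method calls instead of aspects, and the object names, conflict classes and the sanitized "Report" object are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    name: str
    group: str            # company dataset, e.g. "OilA"
    coi: str              # conflict-of-interest class, i.e. type[group]
    sanitized: bool = False

class ChineseWall:
    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}
        self.history = {}  # subject -> names of objects it has accessed so far

    def _accessed(self, s):
        return [self.objects[n] for n in self.history.get(s, ())]

    def can_read(self, s, name):
        o = self.objects[name]
        if o.sanitized:                                   # CW/read rule 3
            return True
        past = self._accessed(s)
        if any(p.group == o.group for p in past):         # rule 1: inside the wall
            return True
        return all(p.coi != o.coi for p in past)          # rule 2: outside the wall

    def can_write(self, s, name):
        if not self.can_read(s, name):                    # CW/write rule 1
            return False
        # CW/write rule 2: every unsanitized object s could read must be in o's group
        group = self.objects[name].group
        return all(x.group == group for x in self.objects.values()
                   if not x.sanitized and self.can_read(s, x.name))

    def read(self, s, name):
        if not self.can_read(s, name):
            raise PermissionError(f"{s} may not read {name}")
        self.history.setdefault(s, set()).add(name)       # the access is now history

    def write(self, s, name):
        if not self.can_write(s, name):
            raise PermissionError(f"{s} may not write {name}")
        self.history.setdefault(s, set()).add(name)

def page_world():
    """The homework's scenario as constructed sample data: two oil companies,
    one bank and one sanitized report that anyone may read."""
    return ChineseWall([Obj("OilA", "OilA", "oil"), Obj("OilB", "OilB", "oil"),
                        Obj("BankA", "BankA", "bank"),
                        Obj("Report", "Public", "public", sanitized=True)])
```

After John has read OilA and BankA, can_write("John", "BankA") is False because John can still read the unsanitized OilA, which is exactly the indirect flow the write rule blocks. With only one conflict-of-interest class in the system, a subject that has read one dataset may write to that dataset and no other.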
Part 1.C:
=========

Can the improved Chinese Wall policy be modeled by a security automaton? Can it be modeled by a shallow history automaton?

Part 2:
=======

Implement the Low-Water-Mark security policy (e.g., as described in the paper by Philip Fong; see hw 4). Take a similar approach as with the Chinese Wall policy by using aspects.

Part 3:
=======

What are the six steps behind Microsoft threat modeling? See:
http://msdn.microsoft.com/security/securecode/threatmodeling/default.aspx?pull=/msdnmag/issues/03/11/resourcefile/default.aspx

Create a threat model for your improved Chinese Wall Policy. What is the risk that your pointcuts don't capture the right access calls?