Final Exam CSG 379 Fall 2004 Karl Lieberherr
==========================================================

Question 0:
===========
Policy Language Design 40 points

Consider the following policy language text.

==========================================
// From:
// Differential Data Protection
// for Dynamic Distributed Applications
// by Widener, Schwan and Bustamante

policy X1 cut area lower left in stream camera10 viewed by John
policy X11 blurr area lower right in stream camera10 viewed by John
policy X2 blurr area upper right in stream camera3 viewed by Eric
policy X29 blurr area upper left in stream camera32 viewed by Eric7
policy X3 stream access John stream camera4 if time range "9am" "5pm"
policy X3 stream access John4 stream camera45 if time range "8am" "6pm"
policy Airline1 stream access Caterer stream PassengerRecords if filter FoodPreferences installed
policy X4 filter access John filter F1 stream camera1
policy X47 filter access John5 filter F15 stream camera15
policy X5 stream access Jim stream camera4 if filter F3 installed
policy X5 stream access Jim8 stream camera48 if filter F39 installed

streams camera10 camera3 camera4 camera1
filters F1 F3
==========================================

Write a DAJ class dictionary for this language. The last line in the policy description serves as a declaration of all filter names used in the policy. Describe how you would write an AspectJ program, using DAJ, that checks that all filter names used throughout the policy are declared. For example, in the above example, the filter name FoodPreferences is not declared.

Question 1:
===========
Input checking 40 points

An important security principle is: "Consider All Input as Evil!" Explain how formal language theory can be used to put constraints on inputs. Discuss context-free grammars and the ambiguity problem and how it is addressed by LL(k) grammars. Specifically discuss how context-free grammars are used in DAJ.
Question 2:
===========
Binder semantics 20 points

Consider the following Binder program using the notation from hw 3:

#manages(#Jim, #Ruth). // Jim manages Ruth
#manages(#Ruth, #Ellen).
#manages(#Ellen, #Ravi).
#boss(e,m) :- #manages(e,m). // e is boss of m
#boss(e,m) :- #boss(e,n), #manages(n,m).
#boss(#Jim, #Ravi).

Is the last line a correct inference? Explain your answer. 5 Points

Write a Binder program for the transitive closure of a graph (15 points). Define a predicate #path so that we can infer:

#path(#A,#D).

from

#edge(#A,#B).
#edge(#B,#C).
#edge(#C,#D).

where #A, #B, #C, #D are nodes in a graph.

Question 3:
===========
20 points

Consider Principle 2: Practice Defense in Depth (page 96). The book refers to a principle in programming language design: Have a series of defenses so that if an error isn't caught by one, it will probably be caught by another [MacLennan, 1987]. Discuss how application-specific software security policies (remember Bill Gray's project) help with providing a second layer of defense.

Question 4:
===========
20 points

We have used aspects in this course to modularize crosscutting security concerns. Discuss how AspectJ has lived up to our expectations and how it has not. Our goal was to design applications with security in mind from the start and to keep the security related code separate from the base application code.

Question 5:
===========
20 points

The textbook (Principle 6, page 105) discusses the notion of choke points. Choke points are one way to avoid spreading security code throughout a system. Discuss the connection between choke points and good interface design. Discuss other techniques to avoid spreading security code throughout a system.
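Returning to Question 2, the following added example (not part of the exam and not a Binder implementation) shows the bottom-up semantics under which a Binder-style rule set is read: facts are ground atoms, a rule fires whenever its body atoms match known facts under one consistent substitution, and the program's meaning is the least fixpoint reached by applying the rules until nothing new appears. The encoding is my own: atoms are tuples, constants carry the `#` prefix from the hw 3 notation, and lowercase names are variables. The `#manages`/`#boss` program and the `#edge`/`#path` transitive-closure program are both embedded so the derivations asked about can be run.

```python
# Facts and rules from Question 2, encoded as tuples (my encoding, not Binder syntax).
# A rule is (head, [body atoms]); a constant starts with "#", a variable does not.
MANAGES_FACTS = [("#manages", "#Jim", "#Ruth"),
                 ("#manages", "#Ruth", "#Ellen"),
                 ("#manages", "#Ellen", "#Ravi")]
BOSS_RULES = [
    (("#boss", "e", "m"), [("#manages", "e", "m")]),                         # e is boss of m
    (("#boss", "e", "m"), [("#boss", "e", "n"), ("#manages", "n", "m")]),    # ... transitively
]

# Transitive closure of a graph: #path is the closure of #edge.
EDGE_FACTS = [("#edge", "#A", "#B"), ("#edge", "#B", "#C"), ("#edge", "#C", "#D")]
PATH_RULES = [
    (("#path", "x", "y"), [("#edge", "x", "y")]),
    (("#path", "x", "y"), [("#path", "x", "z"), ("#edge", "z", "y")]),
]


def is_var(term):
    return not term.startswith("#")


def match(atom, fact, subst):
    """Extend `subst` so that rule atom `atom` equals ground `fact`, or return None."""
    if atom[0] != fact[0] or len(atom) != len(fact):
        return None
    s = dict(subst)
    for a, f in zip(atom[1:], fact[1:]):
        if is_var(a):
            if a in s and s[a] != f:      # same variable bound to two different constants
                return None
            s[a] = f
        elif a != f:                      # constant in the rule must equal the fact's constant
            return None
    return s


def derive(rule, facts):
    """All head instances obtainable by matching every body atom against known facts."""
    head, body = rule
    substs = [{}]
    for atom in body:
        substs = [s2 for s in substs for f in facts
                  for s2 in [match(atom, f, s)] if s2 is not None]
    return {(head[0],) + tuple(s[t] if is_var(t) else t for t in head[1:]) for s in substs}


def fixpoint(facts, rules):
    """Naive bottom-up evaluation: apply every rule until no new fact is produced."""
    known = set(facts)
    while True:
        new = set()
        for rule in rules:
            new |= derive(rule, known)
        if new <= known:                  # least fixpoint reached
            return known
        known |= new


def entails(facts, rules, goal):
    """True iff `goal` is a correct inference from the program."""
    return goal in fixpoint(facts, rules)


def derived(facts, rules, predicate):
    """Sorted list of all derived facts for one predicate."""
    return sorted(f for f in fixpoint(facts, rules) if f[0] == predicate)


if __name__ == "__main__":
    print("#boss(#Jim, #Ravi):", entails(MANAGES_FACTS, BOSS_RULES, ("#boss", "#Jim", "#Ravi")))
    print("#path(#A, #D):", entails(EDGE_FACTS, PATH_RULES, ("#path", "#A", "#D")))
```

Because the evaluation is monotone and the set of constants is finite, the loop always terminates; on the Question 2 program it reaches a fixpoint after three rounds, with `#boss(#Jim, #Ravi)` appearing in the last one via `#boss(#Jim, #Ellen)` and `#manages(#Ellen, #Ravi)`. Nothing can ever be derived that is not supported by the facts, which is exactly the property one wants from an authorization logic: no `#path(#D, #A)` appears, since no chain of edges leads back.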