Software Security Homework 4 CSG 379/ Karl Lieberherr ============================================ Due date: October 18, 2004 The home directory of the course is: http://www.ccs.neu.edu/home/lieber/courses/csg379/f04/ f04.html is the course home page. Reading assignment: Read on the average 3 chapters per week from the text book. In 6 weeks you should be done. Part 1: Implementing the Chinese Wall Policy using Aspects -------------------------------------------------- A continuing focus of this course is how we can separate security concerns from the base application to have a more flexible and safer way to manage security policies. In hw we implement a checker for the chinese wall policy described below: From the paper: http://citeseer.ist.psu.edu/cache/papers/cs/30329/http:zSzzSzwww2.cs.uregina.cazSz~pwlfongzSzPubzSzsp-2004.pdf/fong04access.pdf Access Control By Tracking Shallow Execution History Philip W. L. Fong Department of Computer Science University of Regina Regina, Saskatchewan, Canada S4S 0A2 Philip W. L. Fong. Access Control By Tracking Shallow Execution History. In Proceedings of the 2004 IEEE Symposium on Security and Privacy (S&P 2004), pages 43-55, Berkeley, California, USA, May 9-12, 2004 Set in a commercial context, in which a consultant shall not advise clients whom he or she has insider knowledge of a competitor, the Chinese Wall security policy is designed to avoid any conflict of interest that may arise due to the unchecked flow of information across datasets belonging to competing parties. Let O be a set of data objects, S a set of subjects, G a set of company datasets, and T a set of conflict of interest classes. Associated with each data object o in O is a permanent label group[o] in G describing the company dataset in which o belongs. Similarly, a permanent label type[g] in T is assigned to each company dataset g in G; the label describes the conflict of interest class in which a company dataset belongs. A subject s may access a data object o only if one of the following holds: Subject s has already accessed another object o0 belonging to the same company dataset of o, that is, group[o] = group[o0]. Every object o0 that subject s has accessed so far belongs to a company dataset whose con- flict of interest class is different from that of the company dataset in which o belongs, that is, type[group[o]] != type[group[o0]]. A reference monitor enforcing the Chinese Wall policy may do so by keeping track of the set of objects previously accessed by each subject. =========================== Design a group of objects and assign to each object of class Secret a value of G. For class G we have an access() method defined. Also assign to each element of G a permanent conflict of interest class. Use the setup in directory chinese-wall. Use any mechanism you find suitable to define such a group of objects. Then choose a set of Secret-object and s1, s2, ... and consider a sequence of calls: s1.access(), s2.access(), ... Separate from the base application you implement a a chinese wall checker that "listens" to the sequence of access calls that the application generates and it checks for violations. Implement your checker through a security automaton as described in the paper. This will have the advantage that we can reuse the security automaton software if we want to check other policies, like low-water-mark, or one-out-of-k. The task would be to generate different transition function for different policies. It is best to use a policy-specific language for each policy and then to translate a sentence in that language into a transition function. Turn in your base program and your chinese wall checker as a separate aspect. Part 2: Efficient checking of security policies. ---------------------------------------- In which parts of the program do you you need to check policies? When the entire program is known, you can analyze the program statically and only check the parts dynamically where there might be a security violation. The parts where we know for sure that there is no security violation we can ignore. Consider a security policy implemented using AspectJ. Consider an AspectJ pointcut p and ask the question: if I make this call foo() will I never reach a node that satisfies p? If the answer is positive for the call graph abstraction of the program, we know that we can turn off monitoring until foo() completes. Prove that if we could design an algorithm that checks efficiently (i.e., in polynomial-time) that a call to foo() never leads to a join point satisfying p, then we would have an efficient algorithm for the unsatisfiability problem. More formally, consider a graph (representing a static call graph for a Java program) and an AspectJ pointcut p. Consider all the execution trees resulting from a call to a method, say foo(). If we would have an efficient algorithm for the question: is there an execution tree where p selects a join point we would have an efficient algorithm for satisfiability of boolean formulas. http://www.ccs.neu.edu/research/demeter/biblio/unified.html serves as background. Make the connection to the Select-First problem. Part 3: The weakest link ------------------------ Read the paper http://www.zurich.ibm.com/security/publications/2003/PfiWai2003FIM-BBAE-Cambridge.pdf and consider section 8: Security. 1. Protocols are expected to have security justifications. How would you design a security justification for a software application? 2. Focus on the sentence: "the protocol cannot get more secure than the underlying operating system and the browser." This is why we have a course on software security. Let's assume that the browser is all written in Java implying that we cannot have buffer overflow or double delete vulnerabilities. Can you think of an other vulnerability in the browser that could be used to break the BBAE protocol? Optional: The Netscape Browser is open source. Can you spot a vulnerability in the source code of Netscape With respect to BBAE? Turn in your analysis for 1 and 2.