
17.7 Exercises

1:

Implement the transmission protocol in the example that follows Definition 17–2. Measure how much information is sent over a 10-minute period.

2:

Two UNIX processes wish to communicate but cannot use standard IPC mechanisms. However, both can run ps(1) as a subprocess.

  1. Devise a protocol whereby the two processes can communicate using their environment lists.

  2. Implement the protocol. Measure the (actual) rate of transmission.
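
One shape such a protocol can take, as an added illustration rather than the book's own solution: a stop-and-wait channel in which the sender publishes a sequence number and a hex-encoded chunk in its environment, the receiver acknowledges by publishing the last sequence number it accepted, and each side learns the other's state by running ps(1). The variable names (CC_SEQ, CC_DATA, CC_ACK), the pids, and the layout of the ps output are all this example's own constructions; the process table is an in-memory dict so the code runs offline, and the `ps_snapshot` text imitates `ps eww -o pid,args` rather than capturing a real run.

```python
"""Stop-and-wait covert channel over environment lists read with ps(1).
Simulation only: the kernel's process table is the `table` dict below."""

# Names chosen for this example, not taken from the text.
SEQ_VAR, DATA_VAR, ACK_VAR = "CC_SEQ", "CC_DATA", "CC_ACK"
SENDER_PID, RECEIVER_PID = 4242, 4243  # constructed pids


class Sender:
    """Exposes one numbered chunk at a time; advances when it is acknowledged."""

    def __init__(self, payload: bytes, chunk: int = 16):
        self.chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)]
        self.seq = 0

    @property
    def done(self) -> bool:
        return self.seq > len(self.chunks)  # the EOF chunk has been acked too

    def env(self) -> dict:
        # Hex keeps the value free of spaces and '=', which would confuse the
        # ps parser.  The chunk after the last real one is empty: EOF marker.
        data = self.chunks[self.seq].hex() if self.seq < len(self.chunks) else ""
        return {SEQ_VAR: str(self.seq), DATA_VAR: data}

    def poll(self, receiver_env: dict) -> None:
        if receiver_env.get(ACK_VAR) == str(self.seq):
            self.seq += 1


class Receiver:
    """Accepts only the chunk it expects next (so a re-read of the same
    environment is not appended twice) and acknowledges it."""

    def __init__(self):
        self.expected = 0
        self.data = bytearray()
        self.done = False

    def env(self) -> dict:
        return {ACK_VAR: str(self.expected - 1)}  # -1: nothing received yet

    def poll(self, sender_env: dict) -> None:
        if sender_env.get(SEQ_VAR) != str(self.expected):
            return  # stale or duplicate publication
        chunk = sender_env.get(DATA_VAR, "")
        if chunk == "":
            self.done = True
        else:
            self.data += bytes.fromhex(chunk)
        self.expected += 1


def ps_snapshot(table: dict) -> str:
    """Constructed imitation of `ps eww -o pid,args`: pid, command name,
    then the NAME=value pairs of that process's environment."""
    lines = []
    for pid, (cmd, env) in sorted(table.items()):
        pairs = " ".join(f"{k}={v}" for k, v in env.items())
        lines.append(f"{pid:>5} {cmd} {pairs}")
    return "\n".join(lines)


def parse_ps(ps_output: str) -> dict:
    """Map pid -> environment dict, keeping only the channel's variables."""
    result = {}
    for line in ps_output.splitlines():
        fields = line.split()
        env = {}
        for tok in fields[1:]:
            name, sep, value = tok.partition("=")
            if sep and name in (SEQ_VAR, DATA_VAR, ACK_VAR):
                env[name] = value
        result[int(fields[0])] = env
    return result


def simulate(payload: bytes, chunk: int = 16, max_rounds: int = 10_000):
    """Run both sides until the EOF chunk is acknowledged.
    Returns (bytes received, number of polling rounds)."""
    s, r = Sender(payload, chunk), Receiver()
    table = {SENDER_PID: ("sender", s.env()), RECEIVER_PID: ("receiver", r.env())}
    rounds = 0
    while not (s.done and r.done):
        rounds += 1
        if rounds > max_rounds:
            raise RuntimeError("protocol did not converge")
        # Each side runs ps, reads the other's environment, then republishes
        # its own.  A real process must re-exec itself to republish, see note.
        r.poll(parse_ps(ps_snapshot(table))[SENDER_PID])
        table[RECEIVER_PID] = ("receiver", r.env())
        s.poll(parse_ps(ps_snapshot(table))[RECEIVER_PID])
        table[SENDER_PID] = ("sender", s.env())
    return bytes(r.data), rounds
```

Two points matter when turning this into the real measurement the exercise asks for. On Linux, ps reads /proc/PID/environ, which proc(5) documents as the environment block at the time of execve(2); putenv(3) or setenv(3) do not change what ps shows, so each side has to re-exec itself (for instance with os.execve, carrying its state in argv) every time it wants to publish a new value. The observed rate is then the payload length divided by the wall-clock time of the transfer, and each chunk costs one re-exec on each side plus at least one ps invocation per side, which is what bounds the channel.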

3:

Consider the rule of transitive confinement. Suppose a process needs to execute a subprocess in such a way that the child can access exactly two files, one only for reading and one only for writing.

  1. Could capabilities be used to implement this? If so, how?

  2. Could access control lists implement this? If so, how?

4:

A company wishes to market a secure version of the Swiss Cheese Operating System (SCOS), known as much for its advanced user and database management features as for its security vulnerabilities. The company plans to build a virtual machine to run SCOS and run that virtual machine on a second system, the Somewhat Secure Operating System (SSOS). The marketing literature claims that the VM running SCOS provides total isolation, thereby eliminating any potential security problems.

  1. Does this arrangement provide total isolation? If your answer is not "yes," discuss what features the VM would need to include to provide total isolation or show why this arrangement cannot provide total isolation.

  2. The literature states that "the VM mediates all accesses to real system resources, providing an impenetrable barrier to any attacker trying to break out of the SCOS and attack other copies of SCOS running on the SSOS." Do you agree or disagree with this statement? Why? (If you would need more information in order to make a decision, state what information you would need and why.)

5:

In the Janus system, when the framework disallows a system call, the error code EINTR (interrupted system call) is returned.

  1. When some programs have read or write system calls terminated with this error, they retry the calls. What problems might this create?

  2. Why did the developers of Janus not devise a new error code (say, EJAN) to indicate an unauthorized system call?
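
The retry behaviour in part 1 is easy to see in code. The block below is an added example, not Janus or the book's own code: the "system calls" are Python callables constructed to raise EINTR the way a program observes it, once for a genuinely interrupted read and on every attempt for a call the sandbox refuses. `naive_retry` is the usual idiom (glibc's TEMP_FAILURE_RETRY macro does the same in C) and is shown but deliberately not run against the refused call, because it would never return; `bounded_retry` caps the attempts and reports the exhausted budget as a denial.

```python
"""Retrying on EINTR: the common idiom beside a bounded variant.
The callables standing in for system calls are constructed for this example."""

import errno
from typing import Callable, Tuple


class RetryBudgetExhausted(OSError):
    """A call kept failing with EINTR beyond the allowed attempts."""

    def __init__(self, attempts: int):
        super().__init__(errno.EACCES,
                         f"still EINTR after {attempts} attempts; treating the call as refused")
        self.attempts = attempts


def naive_retry(call: Callable[[], bytes]) -> bytes:
    """The textbook idiom: EINTR means 'try again'.  Correct when a signal
    really interrupted the call; loops forever when a sandbox answers every
    refused call with EINTR.  Not exercised here for that reason."""
    while True:
        try:
            return call()
        except InterruptedError:
            continue


def bounded_retry(call: Callable[[], bytes], budget: int = 3) -> Tuple[bytes, int]:
    """Retry on EINTR, but give up after `budget` attempts.
    Returns (result, attempts made)."""
    attempts = 0
    while True:
        attempts += 1
        try:
            return call(), attempts
        except InterruptedError:
            if attempts >= budget:
                raise RetryBudgetExhausted(attempts)


def attempts_until_denied(call: Callable[[], bytes], budget: int = 3) -> int:
    """How many attempts the bounded retry made before declaring denial
    (0 if the call actually succeeded)."""
    try:
        bounded_retry(call, budget)
    except RetryBudgetExhausted as exc:
        return exc.attempts
    return 0


def interrupted_once() -> Callable[[], bytes]:
    """A read that a signal interrupts once and that then succeeds."""
    state = {"calls": 0}

    def call() -> bytes:
        state["calls"] += 1
        if state["calls"] == 1:
            raise InterruptedError(errno.EINTR, "Interrupted system call")
        return b"payload"

    return call


def always_denied() -> Callable[[], bytes]:
    """What a program sees for a call the sandbox refuses: EINTR every time."""

    def call() -> bytes:
        raise InterruptedError(errno.EINTR, "Interrupted system call")

    return call
```

The bounded form only helps when the program owns the retry loop. Since Python 3.5 (PEP 475) the interpreter itself retries os.read(), os.write() and similar calls on EINTR after running any signal handlers, so a Python program under a sandbox that reports refusals as EINTR would spin inside the C runtime with no chance to apply a budget; a C program using TEMP_FAILURE_RETRY is in the same position.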

6:

The following system call adds read permission for a process (for_pid) if the caller (call_pid) owns the file, and does nothing otherwise. (The operating system supplies call_pid; the caller supplies the latter two parameters.)

function addread(call_pid, for_pid : process_id;
                 fid : file_id) : integer;
begin
    { grant the right only when the caller owns the file }
    if (call_pid = filelist[fid].owner) then
        addright(filelist[fid].access_control_list, for_pid, "r");
    { the return value reports whether the caller was the owner }
    addread := (call_pid = filelist[fid].owner);
end;

  1. Is the variable addread directly or indirectly visible, or not visible?

  2. Is the variable filelist[fid].owner directly or indirectly visible, or not visible?

  3. Is the variable filelist[fid].access_control_list directly or indirectly visible, or not visible?

7:

In the covert flow tree technique, it is possible for some part of the tree to enter a loop in which recognition of attribute a depends on recognition of attribute b, which in turn is possible when attribute a is recognized.

  1. Give a specific example of such a loop.

  2. Should such a loop occur, the covert flow tree path is labeled with a repeat parameter that dictates the maximum number of times that branch may be traversed. Discuss the advantages and drawbacks of this solution.

8:

Section 17.3.2.3 derives a formula for I(A; X). Prove that this formula is a maximum with respect to p when p = M / (Mm + 1), with M and m as defined in that section.

9:

Prove that if the pump crashes, either every message in the pump has been delivered or the sender detects that a message has been lost and resends it.

