CS 261 Homework 2
Instructions
This problem set is due Tuesday, October 7.
You may work together and discuss the questions on this homework with
others, but the writeup you turn in must be your own. You may use any
source you like (including other papers or textbooks), but if you use
any source not discussed in class, you must cite it.
Question 1
Consider an imperative programming language that is designed
to prevent inadvertent disclosure of confidential information.
The programmer is required to insert sensitivity labels at certain
points, and the compiler checks at compile-time that they are consistent.
In this hypothetical language:
- the programmer must label every variable as either SECRET or PUBLIC;
- program inputs are labelled SECRET;
- all outputs must be labelled PUBLIC; and,
- constants can be labelled either SECRET or PUBLIC,
according to whichever is more convenient.
The compiler requires that, for each expression E in the program,
all subexpressions of E must have the same label as the label on E.
Also, the compiler forbids assigning a SECRET value to a PUBLIC variable.
This is the core language.
Assume that the core language has no support for I/O, other than for
reading inputs or writing outputs.
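As an added illustration (not part of the assignment, and not the hypothetical compiler itself), the following Python checker enforces exactly the core-language rules stated above on a small constructed AST; the node classes and the `decls` map of variable labels are my own assumptions, and the checker deliberately covers only the core language, with no if-then-else or pointers.

```python
from dataclasses import dataclass

SECRET, PUBLIC = "SECRET", "PUBLIC"

# Expression nodes of the core language (constructed for this example).
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class Const: value: int; label: str   # a constant carries whichever label is convenient
@dataclass(frozen=True)
class Input: pass                     # reading a program input; always SECRET
@dataclass(frozen=True)
class BinOp: op: str; left: object; right: object
@dataclass(frozen=True)
class Assign: target: str; expr: object   # statement: target := expr
@dataclass(frozen=True)
class Output: expr: object                # statement: write expr; must be PUBLIC

class LabelError(Exception):
    pass

def label_of(expr, decls):
    """Label of an expression; every subexpression must carry the same label as the whole."""
    if isinstance(expr, Var):
        if expr.name not in decls: raise LabelError(f"variable {expr.name} has no label")
        return decls[expr.name]
    if isinstance(expr, Const):
        return expr.label
    if isinstance(expr, Input):
        return SECRET
    if isinstance(expr, BinOp):
        left, right = label_of(expr.left, decls), label_of(expr.right, decls)
        if left != right:
            raise LabelError(f"operands of '{expr.op}' have labels {left} and {right}")
        return left
    raise LabelError(f"unknown expression {expr!r}")

def check_program(decls, stmts):
    """decls maps every assigned variable to SECRET or PUBLIC; returns [] if well labelled."""
    problems = []
    for i, s in enumerate(stmts):
        try:
            if isinstance(s, Assign):
                if label_of(s.expr, decls) == SECRET and decls[s.target] == PUBLIC:
                    problems.append(f"stmt {i}: SECRET value assigned to PUBLIC variable {s.target}")
            elif isinstance(s, Output) and label_of(s.expr, decls) != PUBLIC:
                problems.append(f"stmt {i}: output expression is not PUBLIC")
        except LabelError as e:
            problems.append(f"stmt {i}: {e}")
    return problems
```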
- Suppose the core language is extended with if-then-else statements.
Give an example of a program where information can flow from a SECRET
input to a PUBLIC output.
- Suppose the core language is extended with pointer types.
The compiler's checks are extended so that &x is considered to have
the same label as x, and so that *p has the same label as p. Pointer
arithmetic and type-casts to/from pointer types are forbidden, all
pointer dereferences are automatically bounds-checked by the compiler,
and pointers must be used in a type- and memory-safe way.
Give an example of a program where information can flow from a SECRET
input to a PUBLIC output.
Question 2
You've been assigned two htmlfilter implementations
that were submitted to me in HW1.
Your goal: assess whether the implementations meet the
security goals set out in HW1.
(You do not need to review how well they meet the functionality requirements.)
To begin, I will email you
your assigned implementations.
Implementations are identified by a two-digit
code (e.g., 17.tar); I will assign you two of those implementations.
Download those two implementations from this directory.
Critique the design and implementation of both.
- What is the two-digit ID number of your first assigned implementation?
What are its main security weaknesses? Or, if you found none,
what are the best features of its design/implementation?
- What is the two-digit ID number of your second assigned implementation?
What are its main security weaknesses? Or, if you found none,
what are the best features of its design/implementation?
- If you were forced to choose between these two implementations,
which one would you judge to be more likely to meet its security goals?
Why?
Promise: Your answers on this homework will not affect the grades
of anyone else. You can feel free to critique an implementation honestly
and frankly without fearing that your comments will have any negative
effect on that person's grade. Grades for HW1 will have already been assigned
by the time I see your solution.
I will not show your evaluation to the authors of your assigned
implementations.