1. In most systems today, one identifies oneself using a simple name such as “tom” or “twd.”
a. Such simple names are generally not used within the operating system to identify users, but are translated into some sort of numeric ID. Explain why.
b. It may be necessary, when logging in, to specify some sort of domain, such as “cs,” in which to look up your user name. Thus I might log in as “cstwd.” What is the rationale for using such domains?
c. Suppose it is necessary to combine two systems so that each user in one can log into the other. Unfortunately, the intersection of the sets of user names of the two systems is not null. Say there are two different people with user names of “tom,” one in one system and one in the other. The system administrator decides to resolve the problem by renaming one “tom1” and the other “tom2”. That was easy. However, the administrator now realizes that the real problem is that the space of numeric user IDs, the ones used internally by the two systems, is the same in both systems. Thus there is a user 17 in one system and also in the other system, but they refer to different people. Suggest a means for assigning user IDs in the future so that collisions will not be a problem in the event that systems are merged.
2. Tenex was an operating system for DEC PDP-10 computers used in the late ’60s and early ’70s. It had a number of features, including one that allowed user code to be invoked in response to each page fault. It stored passwords in plain text (i.e., unencrypted) in a file that was adequately protected. A user could supply his or her password not only when logging in, but also from a program so as to switch from one protection domain to another. The system code that checked for a correct password would do so one character at a time, moving from left to right, stopping when it encountered an incorrect character. It was soon discovered that it was relatively easy to figure out any user’s password. Explain how. (Hint: a few guesses were required.)
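An added illustration, not from the textbook, of the checking behaviour exercise 2 describes, with the usual mitigation beside it: the early-exit routine examines a number of characters that depends on how far the guess agrees with the stored string, whereas a fixed-width comparison does exactly the same work for every input and branches on nothing derived from the data. The field width PW_FIELD, the function names and the sample strings are my own choices, not anything from Tenex.

```c
#include <stddef.h>
#include <string.h>

#define PW_FIELD 32   /* fixed comparison width; longer inputs are truncated */

/* Tenex-style check: compare left to right, stop at the first mismatch.
   'steps' reports how many characters were examined before stopping. */
int check_early_exit(const char *stored, const char *guess, size_t *steps)
{
    size_t i = 0;
    for (;;) {
        i++;
        if (stored[i - 1] != guess[i - 1]) { *steps = i; return 0; }
        if (stored[i - 1] == '\0')         { *steps = i; return 1; }
    }
}

/* Hardened check: both strings are copied into zero-padded fixed-width
   fields and every byte is examined regardless of where differences are.
   A length mismatch shows up as differing pad bytes, so no separate
   (data-dependent) length test is needed. */
int check_constant_time(const char *stored, const char *guess, size_t *steps)
{
    unsigned char a[PW_FIELD] = {0}, b[PW_FIELD] = {0};
    unsigned char diff = 0;
    size_t na = strlen(stored), nb = strlen(guess), i;

    if (na > PW_FIELD - 1) na = PW_FIELD - 1;
    if (nb > PW_FIELD - 1) nb = PW_FIELD - 1;
    memcpy(a, stored, na);
    memcpy(b, guess, nb);

    for (i = 0; i < PW_FIELD; i++)
        diff |= a[i] ^ b[i];        /* accumulate; never exit early */
    *steps = PW_FIELD;              /* work done is the same for every input */
    return diff == 0;
}

/* Small wrappers exposing only the step counts, for inspection. */
size_t early_exit_steps(const char *stored, const char *guess)
{
    size_t s = 0;
    check_early_exit(stored, guess, &s);
    return s;
}

size_t constant_time_steps(const char *stored, const char *guess)
{
    size_t s = 0;
    check_constant_time(stored, guess, &s);
    return s;
}

int main(void)
{
    /* Constructed sample values: the stored secret and two wrong guesses
       that agree with it for different numbers of leading characters. */
    const char *stored = "secret";
    (void)early_exit_steps(stored, "sxxxxx");   /* examines 2 characters */
    (void)early_exit_steps(stored, "secrxx");   /* examines 5 characters */
    (void)constant_time_steps(stored, "sxxxxx"); /* always PW_FIELD */
    return 0;
}
```

The step count of the early-exit routine grows with the length of the matching prefix; the fixed-width routine reports PW_FIELD for every pair. Tenex kept the password itself on disk, as the exercise says; a modern system would store a salted hash and apply the constant-time comparison to the hash outputs, so that neither the comparison nor the stored file reveals the password.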
3. By default, Windows allows users to access directories even though they do not have explicit permission to follow a path through the directories’ parents. In Unix, there is no getting around the requirement that you must have execute permission in each directory in order to follow a path through the directories. The sorts of permissions one can specify for Unix files and directories are read, write, and execute. Windows allows one to specify read, write, execute, and delete, and does so via ACLs rather than via permission vectors.
a. Describe a situation in which, in order to provide the desired access control for a file in Unix, one must take advantage of the requirement for execute permission in all directories in its path.
b. Explain why this can’t be done in Windows. Describe an access-control situation that Windows can handle but Unix cannot.
4. Many Unix systems allow a thread to transmit a file descriptor via a Unix-domain socket. The intent is that the receiver gains, via the received file descriptor, the same access rights to the file that the sender had via the original file descriptor. Thus, for example, if the sender had opened a file for reading and writing and then transmitted the file descriptor to the receiver, the receiver now has the file open for reading and writing.
a. Show, in terms of the open-file structures described in Chapter 1, what actually happens when a file descriptor is transmitted from one process to another.
b. Show how this technique could be used to implement a print server.
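An added example, not from the textbook, of the mechanism exercise 4 refers to, using the SCM_RIGHTS ancillary message that Linux and the BSDs provide for passing descriptors over Unix-domain sockets. It sends a descriptor across a socketpair within one process and then checks two things a receiver can observe: the new descriptor names the same file (same device and inode), and it shares the sender's file offset, because the kernel creates a new descriptor-table entry pointing at the same open-file description rather than reopening the file. The function names and the scratch file contents are my own.

```c
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Send one open descriptor over a Unix-domain socket.  The kernel installs a
   fresh descriptor in the receiver that refers to the same open-file
   description (file, access mode, offset) as fd_to_send; the sender keeps its own. */
int send_fd(int sock, int fd_to_send)
{
    char byte = 'F';                       /* SCM_RIGHTS needs at least one data byte */
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd_to_send, sizeof(int));

    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd; returns the new fd or -1.
   The control message is validated before the descriptor is trusted. */
int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;

    memset(&u, 0, sizeof u);
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;

    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS
        || cm->cmsg_len != CMSG_LEN(sizeof(int)))
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof fd);
    return fd;
}

/* What the receiver actually gets: returns 1 if the received descriptor
   names the same file as the original and shares its offset, else 0. */
int demo_fd_passing(void)
{
    int sv[2], fd, rfd, ok = 0;
    struct stat a, b;
    char buf[5];
    FILE *f = tmpfile();                   /* constructed scratch file */
    if (f == NULL) return 0;
    fd = fileno(f);
    if (write(fd, "hello world", 11) != 11 || lseek(fd, 0, SEEK_SET) != 0) goto out;

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) goto out;
    if (send_fd(sv[0], fd) != 0) goto out_sock;
    rfd = recv_fd(sv[1]);
    if (rfd < 0) goto out_sock;

    /* Same device and inode: both descriptors refer to the same file. */
    if (fstat(fd, &a) != 0 || fstat(rfd, &b) != 0) goto out_rfd;
    if (a.st_dev != b.st_dev || a.st_ino != b.st_ino) goto out_rfd;

    /* Reading through the received descriptor advances the original's offset:
       one open-file description, reached through two descriptor-table entries. */
    if (read(rfd, buf, 5) != 5 || memcmp(buf, "hello", 5) != 0) goto out_rfd;
    if (lseek(fd, 0, SEEK_CUR) != 5) goto out_rfd;
    ok = 1;

out_rfd:
    close(rfd);
out_sock:
    close(sv[0]);
    close(sv[1]);
out:
    fclose(f);
    return ok;
}

int main(void)
{
    printf("fd passing: %s\n", demo_fd_passing() ? "same file, shared offset" : "failed");
    return 0;
}
```

Because the receiver ends up with the sender's open-file description and not merely the sender's name for the file, it is the sender's access mode that governs what the receiver can do; the receiver's own permissions on the file are never consulted. That is the property a print server relies on when clients hand it descriptors for files it could not open itself, and it is also why a process should validate the control message, as recv_fd does, before using what arrives.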
5. We showed in Section 8.2.1 that Unix’s chroot system call is not sufficient to restrict a process to a subtree of the directory hierarchy. Describe what easily enforced additional measures can be taken to restrict a process to a subtree securely.
*6. A security problem popular in the late 1960s and early 1970s was the mutually suspicious users problem. User A has a proprietary program. User B has proprietary data. B wants to run A’s program on B’s data, but wants to make certain that A doesn’t get a copy of the data. A wants B to use A’s program (for a fee), but doesn’t want B to get a copy of it. The solution is to set up a protection domain that has read access to B’s data, execute-only access to A’s code, write access to a solutions file that can be read only by B, and no other access rights.
a. Can such a protection domain be established in Windows? Explain.
b. Can such a protection domain be established in Unix? Explain. (Hint: consider the chroot system call. Also, your solution might take advantage of a trusted third party to set things up.)
7. Section 8.2.3 discusses covert channels and describes one involving the processor utilization. Describe the measures that can be taken to eliminate such a covert channel.
8. In normal Unix systems (and Windows systems), one’s access rights for a file are checked only when the file is opened. However, in SELinux, they are checked at every access to the file. Explain why this change was made.
9. In the SELinux example in Section 8.2.2, roles are established for users participating in an accounting activity. Suppose user john attempts to run the program requestPO. Assuming no SELinux rules other than those given in the text, explain what prevents user john from using this program to request a PO.
10. We would like to add discretionary access control to a capability-based system. As described in Section 8.2.3, such a system might support persistent processes — processes that survive crashes and retain their capabilities indefinitely. Assuming such a facility, describe how you might add support for discretionary access control. You may also assume the system provides directory-like objects that contain name-capability pairs: one can search such an object for a particular name; if the name exists, and one has the read capability for the object, then one can retrieve the associated capability.
11. It is sometimes said that an access matrix such as Figure 8.2 can represent everything there is about access control in a system. Furthermore, it is said that representing such a matrix by columns (i.e., storing the entries along with the object heading the column) and representing the matrix by rows (i.e., storing the entries along with the subject heading the row) are equivalent. Such columns are known as access-control lists and such rows are known as capability lists. Taking this discussion one step further, it might be argued that a capability system can be represented as an access matrix. This turns out not to be a valid characterization. Explain why not.