! 

Assignment #4

Type of assignment: This assignment should be done in same groups as those formed for the term project, except problem #1.

Note: The assignment submission should clearly list the student members of the group, their names, and student numbers on the first page.

Points: The maximum number of points for this assignment is 35, which will be prorated accordingly after all assignments are posted. Weight of each problem is in parenthesis.

Format:

  1. Assignment submissions are accepted in the following formats only: HTML (extension .html), PDF (.pdf), ASCII text (.txt). Assignments submitted in any other format will be discarded. All text in the assignment submissions must be typed and figures plotted to be easy to read and understood. Spelling, grammar, and other language errors will result in fewer points credited to the corresponding problem solutions.
  2. Your submission file should be named to reflect the names of the group members, and the assignment number, e.g., alice_bob-assignment_1.pdf.

Problems

  1. (10 points) (Authentication) Sysadmin Joy has created a unix passwd file (first two characters are the salt) for the students of EECE 412 and decided to assign a unique password to each of the students. Unfortunately, he always chooses passwords that are very weak, but after reading Section 11.2 in the Bishop's textbook, he has made some improvements.

    Since Joy has decided to tempt fate by refusing to use shadowed passwords, can you teach her a lesson?

    In your solution, address and/or answer the following:

    1. (7) Find the password associated with your student ID.
    2. (3) Detail the methods / tools you used to extract your password, as well as how long it took you to find the password for your account and/or bonus accounts.

    Notice: For posting passwords for any of bonus1, bonus2, or bonus3 accounts on WebCT Discussion Group, the person who posts it first, will get 5 (for bonus1), 8 (for bonus2), 30 (for bonus3) bonus points.

Do problem #1 individually and submit your solution to the problem by sending an e-mail message to the Teaching Assistant via WebCT before the deadline.

For most of the following problems, the following scenario will be used:

Today with business, especially consulting, going global, your group is charged with security administration of an online banking system for a private Small In-the-Middle-Of-Nowhere Bank, SIBeria, that plans eventually to have 10,000 customers and 1,000 employees. SIBeria got an excellent Internet connection, though, so that they can serve customers from all over the world, you know. You have to configure access control mechanisms available in the WebCT to precisely enforce the following policy:

    Policy 1:

    1. Each customer can examine his or her account, deposit to and withdraw from it.
    2. Any clerk at SIBeria can see any account in the bank, except accounts of other employees who also customers of SIBeria. (They are not overly concerned with privacy in SIBeria, you know).
    3. Any manager can do anything that the clerks can do, plus see accounts of any clerk, but not those of other managers.
    4. VPs can do what the managers can do, plus see the accounts of all managers and see the accounting books of the bank.
    5. The CEO can do what the VPs can do, plus see VPs' accounts and change the accounting books.

The SIBeria has been just opened and has only few customers and employees. Here they are:

customers: A, B, C, D, E, F, G.

clerks: H, I, J, K, L, M, N.

managers: O, P, Q, R, S, T.

VPs: U, V, X, Y.

CEO: Z

all of the above are customers of SIBeria. Also, B, D, K, S, V, and Z have 2 accounts each. F & G have a joint account.

Problems

    1. (10) (DAC) Assuming that SIBeria's online banking mechanisms support only discretionary access control (DAC) policies. Write down configuration of SIBeria's access controls that support Policy #1 for the users in the above scenario.

    2. (10) (BLP) Now assume that SIBeria's online banking mechanisms support only Bell-LaPadula policies. Write down configuration of SIBeria's access controls that support Policy #1 for the users in the above scenario.

    3. (10) (RBAC) Now assume that SIBeria's online banking mechanisms support only Role-based Access Control (RBAC) policies. Write down configuration of SIBeria's access controls that support Policy #1 for the users in the above scenario.

    4. (10) Compare and contrast DAC, BLP, and RBAC models in terms of their suitability for SIBeria. Consider administrative scalability, i.e., the amount of work an administrator has to do to add/remove a customer/clerk/manager/VP/CEO, or to create a new account.

      Also consider the cost of single administrative mistake in the worst case, explain how much damage it could create.

    5. (20) (Ideal) Develop an alternative access control model that will be better than the DAC, BLP, and RBAC for the task of administering online banking system at SIBeria. That is, if one compares and contrasts your policy with DAC, BLP, or RBAC using the criteria from problem 5, your model will demonstrate better characteristics. Write down configuration of SIBeria access controls that support Policy #1 for the users in the above scenario, assuming the mechanisms can support your model.

Copyright © 2003-2007 Konstantin Beznosov