Due Date: Th January 18, 2018 at 11:59pm.
In this project, you will design a defense that protects programs from compromise by preventing adversary-controlled data from being input to programs in unexpected ways.
Inputs: You are given: (1) a program P that makes a set of system calls (actually calls to libc functions that make system calls) to open (and read/write) files and (2) an operating system with a reference monitor and an access control policy.
Goal: Ensure that each program P's system calls only allow an adversary-controlled file to be opened if the program expects that file may possibly be adversary-controlled.
Outputs: Design of a defense that implements the security goal. You may make changes to the program and/or the operating system (reference monitor) as well as develop simple analyses to help configure the defenses.
In building a defense, you will have to answer the following questions:
What processes are adversaries of the program P?
What files are adversary-controlled relative to program P?
How do you recognize when program P is going to open an adversary-controlled file?
How do you know if a program P "expects" that it may open an adversary-controlled file?
How does the OS determine whether to allow or deny each file open operation?
How does the OS determine whether a program P "expects" it may open an adversary-controlled file, so the OS can restrict P to only open adversary-controlled files when it expects it may?
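To make the questions above concrete, the following is an added Python simulation of one possible reference-monitor design (illustration only, not the assignment's required design and not code from the course). It assumes integrity labels form a lattice under subset ordering, that the access control policy is given as the set of processes allowed to write each file, and that a program marks the call sites at which it expects adversary-controlled input; all process and file names are constructed.

```python
from dataclasses import dataclass

# Integrity labels are frozensets of trust attributes ordered by subset:
# label a dominates label b when a is a superset of b.  This gives a lattice
# in which some labels are incomparable (neither dominates the other).
def dominates(a: frozenset, b: frozenset) -> bool:
    return a >= b


@dataclass
class ReferenceMonitor:
    proc_labels: dict      # process name -> integrity label
    writers: dict          # file path -> set of processes the policy lets write it
    expecting: set         # (program, call site) pairs that expect adversary input

    def adversaries(self, prog: str) -> set:
        """Processes whose label does not dominate prog's label (incl. incomparable ones)."""
        mine = self.proc_labels[prog]
        return {p for p, lab in self.proc_labels.items()
                if p != prog and not dominates(lab, mine)}

    def adversary_controlled(self, prog: str, path: str) -> bool:
        """A file is adversary-controlled relative to prog if any adversary may write it."""
        return bool(self.writers.get(path, set()) & self.adversaries(prog))

    def check_open(self, prog: str, call_site: str, path: str) -> str:
        """Mediation decision for one open(): allow unless the file is adversary-
        controlled and this call site was not marked as expecting such a file."""
        if not self.adversary_controlled(prog, path):
            return "allow"
        if (prog, call_site) in self.expecting:
            return "allow"
        return "deny"


def build_sample_system() -> ReferenceMonitor:
    """Constructed sample policy (hypothetical names, not from any real system)."""
    labels = {
        "init":       frozenset({"trusted", "admin"}),  # dominates webd: not an adversary
        "webd":       frozenset({"trusted"}),           # the program P under protection
        "auditd":     frozenset({"audit"}),             # incomparable with webd: adversary
        "user-shell": frozenset(),                      # bottom of the lattice: adversary
    }
    writers = {
        "/etc/webd.conf":        {"init"},
        "/var/www/upload/a.txt": {"webd", "user-shell"},
        "/var/log/audit.log":    {"auditd"},
    }
    expecting = {("webd", "parse_upload")}  # only this call site expects untrusted files
    return ReferenceMonitor(labels, writers, expecting)
```

Note that the incomparable `auditd` label is treated as an adversary of `webd`, so the audit log is denied at an unexpecting call site even though `auditd` is not "below" `webd` in the lattice.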
Utilize your background knowledge on multilevel (lattice) security models from CSE 543 to answer the questions above. See CSE 543 Slides and Lattice Model Paper for background.
There will be a dropbox created on Canvas to submit your design. Please submit your design, including answers to the questions above, by 11:59pm on Th January 18, 2018.
You are to complete this on your own. Any sharing of text or help in the design process for this project is expressly forbidden. Do not discuss this project with anyone.