prosyslab-classroom / cs348-information-security


[Announcement] Homework 4 is out #281

Closed sujin0529 closed 1 year ago

sujin0529 commented 1 year ago

Hi all, this is an announcement about homework 4.

Homework 4 is a programming assignment requiring you to implement two access control systems: ACL-based and capability-based.

Here is the GitHub classroom link for this homework: ( https://classroom.github.com/a/ph079V2_ )

Auto grading

Your implementation will be graded using GradeScope. Please check the GradeScope guideline.

Ignore GitHub Action results.

Due date

Due: 05. 11 (Thu.) 23:59:59
Late due: 05. 13 (Sat.) 23:59:59 (late submission penalty).

bonjune commented 1 year ago

I see a mismatch of homework specification and the code.

The specification in README.md says that the `create` command should return `Normal`. However, the return type of the `create` function is defined as `Acl.t` in `acl.mli`.

sujin0529 commented 1 year ago

Hi,

The `Create` that is said to return `Normal` is not the `create` function but the `Create` command. So, you can implement the `create` function according to the type defined in `acl.mli`.

Thanks.

ICubE- commented 1 year ago

The doc says:

> acm is an access control matrix such that acm : subject -> object -> permission list.

But doesn't it have to be object -> subject -> permission list?

yeonhee-ryou commented 1 year ago

> The doc says:
>
> acm is an access control matrix such that acm : subject -> object -> permission list.
>
> But doesn't it have to be object -> subject -> permission list?

@ICubE- You MUST NOT change the type of { ACL, Capability }.run, and acm is a parameter of them. Please follow the type definition of type t in each module, src/acl.ml and src/capability.ml, not the document.

ICubE- commented 1 year ago

@yeonhee-ryou I read the document and the code once more.

In acl.ml, type t = permission list SubjectMap.t ObjectMap.t. In capability.ml, type t = permission list ObjectMap.t SubjectMap.t.

But in the document, the following quote appears only in the ACL part:

> acm is an access control matrix such that acm : subject -> object -> permission list.

Isn't it supposed to be changed like this?

In the ACL part: acm : object -> subject -> permission list
In the Capability part: acm : subject -> object -> permission list

sujin0529 commented 1 year ago

Hi, you can understand acm as a Map type, not a function type.

In the ACL part: type t = permission list SubjectMap.t ObjectMap.t
In the Capability part: type t = permission list ObjectMap.t SubjectMap.t

Thanks.

bonjune commented 1 year ago

```c
void init() {
  create_subject("attacker");
  create_subject("deputy");
  create_object("secret_file");
  create_object("deputy");
  create_object("wizard");
  enter(Execute, "attacker", "deputy");   /* attacker may execute deputy ... */
  enter(Execute, "attacker", "wizard");   /* ... and wizard */
  enter(Own, "wizard", "secret_file");    /* wizard owns secret_file */
}

void attacker() {
  int fd = open("wizard", Execute);       /* capability to execute wizard */
  execute_with_capability(fd, "deputy");  /* hand it to deputy */
}

void deputy(int proc) {
  execute_with_capability(proc, "wizard"); /* deputy itself has no Execute on wizard */
}

void wizard(int fd) {
  int sfd = open("secret_file", Read);    /* separate name: redeclaring fd would not compile */
  read_with_capability(sfd, "secret_file");
}
```

What is the desired output? Can deputy execute wizard because it passes proc, which is an execution capability, to wizard? Or can deputy just not execute wizard because it does not have the right permission?

KihongHeo commented 1 year ago

Computer science resembles real life. You don't have permission to enter my office. But if I give you the key, then ..?

adzaky15 commented 1 year ago

In the type command declaration below

```ocaml
type command =
...
  (* below only for capability *)
  | Open of string * Object.t * permission
  | Execute_with_capability of string * Object.t * string
  | Read_with_capability of string * Object.t
```

it seems that the first string is the name of the capability (like "fd", for example).

What is the second string in Execute_with_capability?

yeonhee-ryou commented 1 year ago

@adzaky15 The second string is the target process to be executed. It is stated in the document, but the example is wrong. The document will be updated as follows:

- For example, `Execute_with_capability (object_file, perm, proc)` 
+ For example, `Execute_with_capability (perm, object_file, proc)`
 will execute the target process `proc` with the capability `perm` to access object `object_file`.
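Review bot: the corrected tuple order `(perm, object_file, proc)` now matches the constructor `Execute_with_capability of string * Object.t * string` quoted above (first the capability name, then the object, then the target process), but the explanation line still calls `perm` "the capability" while `Open` takes a `permission` as its third field; stating that `perm` is the name bound by an earlier `Open` would keep readers from confusing it with the permission value.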

sujin0529 commented 1 year ago

@bonjune Please check this issue. Additionally, the Own permission doesn't contain the Read permission. So, wizard can't read the secret_file in this case.

```c
void init() {
  create_subject("wizard");
  create_object("secret_file");
  enter(Own, "wizard", "secret_file");  /* Own only; no Read */
}
...
void wizard(int fd) {
  int sfd = open("secret_file", Read);  /* separate name: redeclaring fd would not compile */
  read_with_capability(sfd, "secret_file");
}
```

If you want to read the secret_file with wizard, you can use the confer command. wizard can read the secret_file when wizard confers the Read permission on secret_file to itself.

bonjune commented 1 year ago

> @bonjune Please check this issue. Additionally, the Own permission doesn't contain the Read permission. So, wizard can't read the secret_file in this case.
>
> ```c
> void init() {
>   create_subject("wizard");
>   create_object("secret_file");
>   enter(Own, "wizard", "secret_file");  /* Own only; no Read */
> }
> ...
> void wizard(int fd) {
>   int sfd = open("secret_file", Read);  /* separate name: redeclaring fd would not compile */
>   read_with_capability(sfd, "secret_file");
> }
> ```
>
> If you want to read the secret_file with wizard, you can use the confer command. wizard can read the secret_file when wizard confers the Read permission on secret_file to itself.

Then what is the purpose of having the Own permission? I thought Own was a superior permission class which allows Read and Write..?

KihongHeo commented 1 year ago

Same as Linux. In Linux, if you own a file but do not have r, then you cannot read the file.
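The two behaviours asked about in this thread (a passed Execute capability letting deputy run wizard, and Own not implying Read), as an added example in Python rather than the homework's OCaml. It is not the course's code; the names `grant`, `cap_open` and `use_capability` are my own, and the two dictionaries model the object-first orientation of acl.ml and the subject-first orientation of capability.ml.

```python
from typing import Dict, Set, Tuple

Matrix = Dict[str, Dict[str, Set[str]]]
Capability = Tuple[str, str]  # (object, permission) token minted by open()
ACL: Matrix = {}   # acl.ml orientation:        object  -> subject -> permissions
CAPS: Matrix = {}  # capability.ml orientation: subject -> object  -> permissions

def grant(subject: str, obj: str, perm: str) -> None:
    # the same right stored in both orientations
    ACL.setdefault(obj, {}).setdefault(subject, set()).add(perm)
    CAPS.setdefault(subject, {}).setdefault(obj, set()).add(perm)

def acl_allows(subject: str, obj: str, perm: str) -> bool:
    return perm in ACL.get(obj, {}).get(subject, set())

def cap_open(subject: str, obj: str, perm: str) -> Capability:
    """open(): mint a token only if the subject itself holds the right."""
    if perm not in CAPS.get(subject, {}).get(obj, set()):
        raise PermissionError(f"{subject} cannot open {obj} for {perm}")
    return (obj, perm)

def use_capability(token: Capability, obj: str, perm: str) -> bool:
    """Holding the token suffices; the caller's own rights are not consulted."""
    return token == (obj, perm)

def init() -> None:
    # same rights as bonjune's init(): attacker may execute deputy and wizard,
    # wizard owns secret_file and nothing else
    ACL.clear(); CAPS.clear()
    grant("attacker", "deputy", "Execute")
    grant("attacker", "wizard", "Execute")
    grant("wizard", "secret_file", "Own")

def deputy_runs_wizard_acl() -> bool:
    # ACL model: deputy is checked on its own rights for object "wizard"
    return acl_allows("deputy", "wizard", "Execute")  # False

def deputy_runs_wizard_cap() -> bool:
    # capability model: attacker opens wizard and hands the key to deputy
    token = cap_open("attacker", "wizard", "Execute")
    return use_capability(token, "wizard", "Execute")  # True

def wizard_reads_secret(confer_read: bool) -> bool:
    # Own does not imply Read (as on Linux); the owner must confer Read first
    if confer_read:
        grant("wizard", "secret_file", "Read")
    try:
        token = cap_open("wizard", "secret_file", "Read")
    except PermissionError:
        return False
    return use_capability(token, "secret_file", "Read")
```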

snurf198 commented 1 year ago

I found that there is an `execute` function defined in the acl.ml file. Should I add it and implement it? Or is it unnecessary? Also, I don't understand the difference between the `processes` and `cmds` parameters of the `run` function.

snurf198 commented 1 year ago

Also, am I allowed to change a `let` function to a `let rec` function?

marvin-koch commented 1 year ago

Hello, I have a question concerning the type of the `run` function. In the homework it is stated that a process is associated with a subject and not an object. Shouldn't the type of `run` then be `(Subject.t * command list) list -> Subject.t -> command list -> t -> result`?

sujin0529 commented 1 year ago

@snurf198

You can modify or remove the Acl.{ create, confer, remove, read } functions. The type signatures are provided in src/acl.mli for your convenience. So, you can remove them if you don't need those functions.

I'm sorry, but I don't understand the question about the difference between `processes` and `cmds`. Can you explain what you don't know?

You can change a `let` function to a `let rec` function if needed.

Thanks.

sujin0529 commented 1 year ago

@marvin-koch `processes` is associated with an object in main.ml. So, the type of the `run` function is correctly defined.

Thanks.

snurf198 commented 1 year ago

> @snurf198
>
> You can modify or remove the Acl.{ create, confer, remove, read } functions. The type signatures are provided in src/acl.mli for your convenience. So, you can remove them if you don't need those functions.
>
> I'm sorry, but I don't understand the question about the difference between `processes` and `cmds`. Can you explain what you don't know?
>
> You can change a `let` function to a `let rec` function if needed.
>
> Thanks.

@sujin0529 I mean that since `processes` includes the commands, I think the `cmds` parameter is not needed.

sujin0529 commented 1 year ago

@snurf198 Oh, I see! We start from the attacker process. So, the `cmds` argument is necessary to start with the commands of the attacker process.

However, we must also have information on all processes. So we also need the `processes` argument.

So we need both `cmds` and `processes`.

Thanks.

anisrashidov commented 1 year ago

1. By access, you mean read only, right?
2. Also, it is said that we are given acm (acm : subject -> object -> permission list), but in the primitive operations we are given an acl (acl : object -> subject -> permission list). How are we supposed to use the primitive operations if the acm and acl structures are different? Please clarify that.

snurf198 commented 1 year ago

Am I allowed to change the signature here?

sujin0529 commented 1 year ago

@anisrashidov

1. Yes, you can answer whether the attacker can read the secret file or not.
2. I think this answer will answer your question.

Thanks.

sujin0529 commented 1 year ago

@snurf198

You MUST NOT change the type of `Capability.run`, but you can modify or remove the Capability.{ create, confer, remove, fopen, read } functions. The type signatures are provided in src/capability.mli for your convenience.

Please refer to the README.

Thanks.

sujin0529 commented 1 year ago

If you have any questions in the future, please open a new issue :)

anisrashidov commented 1 year ago

If the output contains only a single line, then why should we return the `Access.result` type in every function as described below?

sujin0529 commented 1 year ago

@anisrashidov Refer to the issue.

If you have any questions in the future, please open a new issue :)