Access Control
A lattice is a partially ordered set (L, ≥) in which every subset has a greatest lower bound and a least upper bound. The least upper bound (or greatest lower bound) property is important in access control since we would like to uniquely determine the combined access privileges of any subset of security clearances in the access control model.
Ex. 1 — Is the model shown in Figure 1 a lattice? Why or why not?
Bell-LaPadula Model
The security levels TS, S, C, U stand for Top Secret, Secret, Classified, and Unclassified, respectively. Why is the “covert channel” attack mentioned against the Bell-LaPadula model a covert attack? First, a covert channel is a communication link through which information is NOT supposed to flow. Secondly, it would be undetected by the security mechanisms in place. In the attack example shown in the lecture, the subject with the higher clearance may be sending the information contained in the object to the subject with the lower clearance.
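The two notes above (the lattice property of a label set, and the Bell-LaPadula read/write rules over those labels) can be checked mechanically. The following is an added example, not part of the exercise sheet: labels are (level, compartment set) pairs using the four levels named above, compartment names such as "A" and "B" are constructed, and `is_lattice` applies the definition directly by looking for a unique least upper bound and greatest lower bound of every pair inside the given set.

```python
from itertools import combinations

# Linear sensitivity levels named on the page: Unclassified < Classified < Secret < Top Secret.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def label(level, *compartments):
    """A security label: (level, frozenset of compartments). Compartments are constructed."""
    return (level, frozenset(compartments))


def dominates(a, b):
    """a >= b: a's level is at least b's and a carries every compartment of b."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def join(a, b):
    """Least upper bound of two labels in the full level x compartment lattice."""
    level = a[0] if LEVELS[a[0]] >= LEVELS[b[0]] else b[0]
    return (level, a[1] | b[1])


def meet(a, b):
    """Greatest lower bound of two labels in the full level x compartment lattice."""
    level = a[0] if LEVELS[a[0]] <= LEVELS[b[0]] else b[0]
    return (level, a[1] & b[1])


def least_upper_bound(a, b, labels):
    """The unique least common upper bound of a and b *within labels*, or None."""
    uppers = [x for x in labels if dominates(x, a) and dominates(x, b)]
    least = [x for x in uppers if all(dominates(y, x) for y in uppers)]
    return least[0] if len(least) == 1 else None


def greatest_lower_bound(a, b, labels):
    """The unique greatest common lower bound of a and b *within labels*, or None."""
    lowers = [x for x in labels if dominates(a, x) and dominates(b, x)]
    greatest = [x for x in lowers if all(dominates(x, y) for y in lowers)]
    return greatest[0] if len(greatest) == 1 else None


def is_lattice(labels):
    """A finite poset is a lattice iff every pair has a unique lub and glb inside the set."""
    labels = list(labels)
    return all(least_upper_bound(a, b, labels) is not None
               and greatest_lower_bound(a, b, labels) is not None
               for a, b in combinations(labels, 2))


def blp_allowed(subject, obj, mode):
    """Bell-LaPadula mandatory checks: no read up (simple security), no write down (*-property)."""
    if mode == "read":
        return dominates(subject, obj)
    if mode == "write":
        return dominates(obj, subject)
    raise ValueError(f"unknown access mode {mode!r}")


# Four labels closed under join and meet: a lattice (a "diamond").
DIAMOND = [label("U"), label("S", "A"), label("S", "B"), label("TS", "A", "B")]
# Adding S{A,B,C} gives S{A} and S{B} two incomparable upper bounds and no least one.
NOT_A_LATTICE = DIAMOND + [label("S", "A", "B", "C")]

if __name__ == "__main__":
    print("diamond is a lattice:", is_lattice(DIAMOND))
    print("with S{A,B,C} added:", is_lattice(NOT_A_LATTICE))
    print("S{A} may read C{}:", blp_allowed(label("S", "A"), label("C"), "read"))
    print("S{A} may write C{}:", blp_allowed(label("S", "A"), label("C"), "write"))
```

The `NOT_A_LATTICE` set is the kind of diagram Ex. 1 is asking about: two incomparable labels with more than one minimal upper bound, so the "combined clearance" of that pair is not uniquely defined. `blp_allowed` is why the covert channel matters: the reference monitor refuses the direct write-down, so any leak from high to low has to go through a channel the monitor does not label.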
Ex. 2 — Why is the covert channel attack on Bell-LaPadula Model an issue?
Online Tracking and Fingerprinting
Ex. 3 — One of the hotly contested issues in online tracking is whether tracking should be opt-out or opt-in, i.e., whether the default should be tracking or non-tracking. Does this actually matter, since both provide the same choice?
Ex. 4 — For Do Not Track to be meaningful, there has to be some way of detecting trackers that are not in compliance. What are some ways of doing so?
Ex. 5 — Are there tools you can download that are specifically intended to resist fingerprinting?
Ex. 6 — Are there applications of fingerprinting for fraud prevention?
Ex. 7 — Neither self-regulation in the U.S. nor Government regulation in the EU (e.g., “the cookie law”) has worked particularly well. What are some reasons that these attempts have run into problems?
Ex. 8 — Speculate on what the state of online tracking might look like in 5 years.
Ex. 9 — Experiment with Panopticlick. Try to minimize the identifiability of your usual browser or another browser. What’s the most anonymous you were able to get? With what settings?
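Panopticlick reports identifiability as "bits of identifying information", i.e. how rare a browser's combination of attributes is within the population it has seen. The following is an added example, not part of the exercise sheet or of Panopticlick's own code: the attribute names and the small population of browser profiles are constructed, and the functions compute the anonymity-set size and the surprisal in bits, per attribute and for the whole fingerprint, so the effect of a settings change (here, turning on Do Not Track) can be measured rather than guessed.

```python
import math

# Attributes a fingerprinting script can read; the names are constructed for this example.
ATTRS = ("ua", "tz", "fonts", "canvas", "dnt")

# Constructed population: one hardened configuration shared by several users (uniform
# user agent, UTC clock, default fonts, canvas blocked) plus a few individually set-up browsers.
HARDENED = {"ua": "Firefox ESR/Windows", "tz": "UTC", "fonts": "default",
            "canvas": "blocked", "dnt": "unset"}
HARDENED_DNT = dict(HARDENED, dnt="1")   # same setup, but with Do Not Track turned on
POPULATION = [HARDENED] * 4 + [
    HARDENED_DNT,
    {"ua": "Chrome 120/Windows", "tz": "UTC+10", "fonts": "custom-12", "canvas": "c7a1", "dnt": "unset"},
    {"ua": "Chrome 120/Android", "tz": "UTC+10", "fonts": "default", "canvas": "c9f0", "dnt": "unset"},
    {"ua": "Safari 17/macOS", "tz": "UTC-5", "fonts": "custom-3", "canvas": "c44b", "dnt": "1"},
]


def fingerprint(profile, attrs=ATTRS):
    """The tuple of attribute values a tracker would hash into a fingerprint."""
    return tuple(profile[a] for a in attrs)


def anonymity_set_size(profile, population, attrs=ATTRS):
    """How many browsers in the population look exactly like this one."""
    fp = fingerprint(profile, attrs)
    return sum(1 for p in population if fingerprint(p, attrs) == fp)


def identifiability_bits(profile, population, attrs=ATTRS):
    """Surprisal of the whole fingerprint: log2(N / |anonymity set|); log2(N) means unique."""
    n = len(population)
    k = anonymity_set_size(profile, population, attrs) or 1   # unseen profile counts as unique
    return math.log2(n / k)


def surprisal_by_attribute(profile, population, attrs=ATTRS):
    """Bits contributed by each attribute on its own, most identifying first."""
    n = len(population)
    bits = {}
    for a in attrs:
        share = sum(1 for p in population if p[a] == profile[a]) or 1
        bits[a] = math.log2(n / share)
    return dict(sorted(bits.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    for name, profile in (("hardened", HARDENED), ("hardened + DNT", HARDENED_DNT)):
        print(f"{name}: anonymity set {anonymity_set_size(profile, POPULATION)}, "
              f"{identifiability_bits(profile, POPULATION):.2f} bits, "
              f"top attribute {next(iter(surprisal_by_attribute(profile, POPULATION)))}")
```

In this constructed population the hardened profile is shared by four browsers (1 bit), while the otherwise identical profile with DNT enabled is unique (3 bits), and `surprisal_by_attribute` points at `dnt` as the attribute that made the difference. That is the trade-off Ex. 9 is probing: a setting is only anonymising if many other browsers use the same value.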
Android Apps’ Analysis
Suppose you were hired by Google to analyze two recently published Android applications on the Google Play store: YogaForDiabities and MobInCube. Equipped with the skills learnt in COMP8320, you opt to perform static and dynamic analysis of these apps. Essentially, you use mitmweb to analyze the network traffic sent and received by these two apps.
Use mitmweb to analyze YogaForDiabities’ traffic
Ex. 10 — What is the value of id sent by YogaForDiabities in the HTTP request to http://admin.appnext.com/configuration.aspx?
Ex. 11 — What is the value of adsid sent by YogaForDiabities in the HTTP request to http://admin.appnext.com/configuration.aspx?
Ex. 12 — What is the Android OS version and Phone Model on which YogaForDiabities was run? (Hint: Analyze all ‘POST’ requests.)
Ex. 13 — What is the value of the cookie (named ASP.NET_SessionId) set by http://admin.appnext.com/configuration.aspx? What type of cookie is it?
Ex. 14 — What is the value of the cookie (named afclick) set by http://checkprize4you1.com, and what is its expiry date? What is the main difference between this cookie (afclick) and ASP.NET_SessionId?
Ex. 15 — What is the value of imei shared with https://api.airpush.com/inappads/inappadcall.php?
Ex. 16 — Why is adOpt set to false? Can airpush.com track and show advertisements if it is set to true?
Use mitmweb to analyze MobinCube’s traffic
Ex. 17 — What is the Phone Model and network carrier name (carrierName) on which MobInCube was run?
Ex. 18 — What is the location-related permission requested by MobInCube? What location (latitude and longitude) value is shared with https://stats.mobincube.com?
Ex. 19 — Visit the privacy policies of YogaForDiabeties (https://homestudioapp.wixsite.com/yogadiabetes) and MobInCube (http://myappterms.com/reader.php?lang=es), and report whether or not these apps are transparent about the information they collect.
Ex. 20 — What are your recommendations on the security and privacy options of these two apps? Would you recommend these apps to users? Why or why not?
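Exercises 10 to 18 all come down to the same two analyst tasks on mitmweb output: pulling identifiers and location fields out of query strings and POST bodies, and reading Set-Cookie headers to tell a session cookie from a persistent one. The following is an added example, not part of the exercise sheet and not a capture from either app: the flow records, hostnames (`*.example.*`) and values are constructed, and the watch list of sensitive parameter names is a starting point chosen for the example.

```python
import json
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlsplit

# Parameter names that identify the device, user or location when sent off-device.
# Constructed starting point for this example, not an exhaustive list.
SENSITIVE_KEYS = {"imei", "adsid", "android_id", "latitude", "longitude", "lat", "lon",
                  "carriername", "model", "osversion", "os_version"}

# Constructed traffic records in the shape mitmweb shows (method, URL, headers, body).
# Hosts and values are made up; they are not captures from the apps named on the page.
FLOWS = [
    {"method": "GET",
     "url": "http://ads.example.net/configuration.aspx?id=42&adsid=CONSTRUCTED-ADSID",
     "headers": {}, "body": ""},
    {"method": "POST", "url": "https://api.example.org/inappadcall.php",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "imei=000000000000001&model=Pixel+3&osversion=9&adopt=false"},
    {"method": "POST", "url": "https://stats.example.com/collect",
     "headers": {"Content-Type": "application/json"},
     "body": json.dumps({"carrierName": "ExampleTel", "latitude": -33.87, "longitude": 151.21})},
]


def extract_params(flow):
    """Merge query-string parameters with form-encoded or flat-JSON POST body fields."""
    params = dict(parse_qsl(urlsplit(flow["url"]).query, keep_blank_values=True))
    ctype = flow["headers"].get("Content-Type", "")
    if flow["method"] == "POST":
        if ctype.startswith("application/x-www-form-urlencoded"):
            params.update(parse_qsl(flow["body"], keep_blank_values=True))
        elif ctype.startswith("application/json"):
            params.update({k: str(v) for k, v in json.loads(flow["body"]).items()})
    return params


def flag_sensitive(params):
    """Keep only the parameters whose (case-insensitive) name is on the watch list."""
    return {k: v for k, v in params.items() if k.lower() in SENSITIVE_KEYS}


def audit_flows(flows):
    """host -> flagged parameters, for every flow that sends something on the list."""
    report = {}
    for flow in flows:
        flagged = flag_sensitive(extract_params(flow))
        if flagged:
            report.setdefault(urlsplit(flow["url"]).hostname, {}).update(flagged)
    return report


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    first, *rest = [part.strip() for part in header.split(";")]
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val
    return name, value, attrs


def classify_cookie(header, now=None):
    """Session cookie (discarded when the app exits) vs persistent cookie (Expires or Max-Age set)."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    expires = None
    if "max-age" in attrs:                      # Max-Age takes precedence over Expires
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
    return {"name": name, "value": value, "expires": expires,
            "kind": "persistent" if expires else "session",
            "httponly": "httponly" in attrs, "secure": "secure" in attrs}


if __name__ == "__main__":
    for host, leaked in audit_flows(FLOWS).items():
        print(host, "->", leaked)
    print(classify_cookie("ASP.NET_SessionId=CONSTRUCTEDSESSION; path=/; HttpOnly"))
    print(classify_cookie("afclick=CONSTRUCTED; expires=Wed, 01 Jan 2025 00:00:00 GMT; path=/"))
```

The cookie half is the distinction Ex. 13 and Ex. 14 ask for: a cookie with neither Expires nor Max-Age only lives for the session, whereas one with an expiry date survives restarts and can tie later visits back to the same device. The audit half is what a reviewer would run over a full mitmweb export before answering Ex. 19 and Ex. 20, comparing the flagged fields against what the privacy policy admits to collecting.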