University of Illinois, Urbana Champaign, CS 498
Information Assurance: Homework 2 Answer Key
Due September 16, 2005. Graded to 100 points. Each of the 6 questions is worth the same number of points.

1. Classify each of the following as mandatory or discretionary policy.

a. The file access control mechanisms of the UNIX operating system.
Discretionary. Ordinary users can change access to the files they own.

b. A military facility in which only generals can enter a particular room.
Mandatory. Access can only be changed by becoming a general.

c. A university registrar's office, in which a faculty member can see the grades of a particular student provided that the student has given written permission for the faculty member to see them.
Discretionary. An ordinary student can change the access control.

2. In the Bell-LaPadula lattice label model, why is it meaningless to have compartments at the lowest clearance level (e.g. Unclassified:NUC and Unclassified:EUR)?
Sorry about this one. I thought when I assigned the question it had a structural answer. But now I believe that it only has an answer that uses the semantics of the word Unclassified. The compartments are an attempt to reduce information to a need-to-know basis, which doesn't make sense if the data is already unclassified. As several of you have pointed out, the compartments still provide separation at the lowest level even if it is an odd concept given the name Unclassified. In most MLS systems, the bottom level is not compartmentalized and processes do not run at system low. Rather, system low is used to label general system information that needs to be read by all programs.

3. Given the security levels TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED and the categories A, B, and C, specify the accesses allowed (read, write, append). Assume DAC allows all access.

a. Paul at TOP SECRET:{A,C}. Document at SECRET:{B,C}.
None. Neither label dominates the other: Paul's compartments do not include B, and the document's level is below Paul's.

b. Anna at CONFIDENTIAL:{C}. Document at CONFIDENTIAL:{B}.
None. The compartments do not overlap.

c. Jesse at SECRET:{C}. Document at CONFIDENTIAL:{C}.
Read. Jesse's label dominates the document's label (read down), but not the reverse.
d. Sammi at TOP SECRET:{A,C}. Document at CONFIDENTIAL:{A}.
Read. Sammi's label dominates the document's label.
e. Robin at UNCLASSIFIED. Document at CONFIDENTIAL:{B}.
Append. The document's label dominates Robin's (write up), so Robin may append but not read.

4. Consider the labeling scheme of the Pitbull LX described in class. If you substituted the LX definition of dominate for the Bell-LaPadula definition, would the LX MAC scheme satisfy the Basic Security Theorem? Why or why not? What are the implications?
This question had some clarifications on the newsgroup. In addition to considering replacing the BLP dominate operator with the LX dominate operator, I wanted you to consider the implication of replacing the read-down/write-up rules of BLP with effectively read-down, write-down, and execute-down. In addition, there are different labels for each of the three permissions.
The LX system does not satisfy the Basic Security Theorem, because it does not satisfy the *-property. It checks that the subject dominates the object for the append case, instead of requiring the object to dominate the subject as the *-property specifies. This implies that a subject running with compartments for project1 and project2 will be able to read data labeled project1 and append it to a file labeled project2. This is an information flow between two unrelated compartments.

5. In Biba's Low-Water-Mark policy, the integrity level of a subject is reduced by reading low integrity files. Explain how this policy would work if object integrity levels were changed instead. How would it still maintain transitive integrity?
Another question that had a clarification on the newsgroup. In addition to changing the model to adjust the object levels instead of the subject levels, the object levels would need to be changed on write rather than on read. You can think of it as a lower integrity subject infecting an object by writing low integrity data to it. The rules become:

1. s ∈ S can read o ∈ O if and only if i(s) <= i(o).
2. If s ∈ S writes o ∈ O, the new level is i'(o) = min(i(s), i(o)).
3. s ∈ S can execute o ∈ O if and only if i(s) >= i(o).

With these constraints, you can argue that low integrity data from one subject will not propagate transitively to another subject of higher integrity. Consider subjects s1 and s2 with i(s1) < i(s2). Once s1 writes to an object o, i(o) is at most i(s1), which is less than i(s2). Thus by rule 1, s2 cannot read any object written by s1.

More precisely, you can reverse the sense of the proof of Theorem 6.1. Assume an information transfer path o_1 -> s_1 -> o_2 -> ... -> s_n -> o_{n+1} exists, and assume the reads and writes along the path were performed in order. Each s_k read o_k, so by rule 1 i(s_k) <= i(o_k); s_k then wrote o_{k+1}, so by rule 2 i(o_{k+1}) = min(i(s_k), i(o_{k+1})) <= i(s_k) <= i(o_k). By induction, for any k from 2 to n+1, i(o_k) is at most the minimum level of the objects o_1 through o_{k-1}. Any other outcome would require either a subject reading an object at a lower integrity level (violating rule 1) or a subject writing an object without the object's level dropping to match (violating rule 2).
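The dominance checks behind the answers to questions 3 and 4, as an added example that is not part of the original answer key. The level ordering and the five label pairs are taken from question 3; the Label class, blp_access(), lx_append() and the project1/project2 labels used to reproduce the question 4 flow are this example's own constructions, not Pitbull LX code, and the only LX behaviour modelled is the one the answer names (append granted when the subject dominates the object).

```python
# Added example (not from the answer key): Bell-LaPadula dominance with
# categories, evaluated on the five labels of question 3, plus the append
# check that question 4 says Pitbull LX gets wrong.  Label, blp_access,
# lx_append and the project1/project2 scenario are constructed here.
from dataclasses import dataclass

# Total order on sensitivity levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # BLP dominance: level at least as high AND categories a superset.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


def blp_append(subject, obj):
    """The *-property as BLP states it: the OBJECT must dominate the subject."""
    return obj.dominates(subject)


def lx_append(subject, obj):
    """Append check as question 4 describes LX: the SUBJECT must dominate the
    object.  Assumption: this is the only rule that differs from BLP here."""
    return subject.dominates(obj)


def blp_access(subject, obj):
    """Accesses BLP grants, assuming DAC allows everything.

    read   - simple security property: subject dominates object (read down)
    append - *-property: object dominates subject (write up)
    write  - read and write together, so only when both hold (labels equal)
    """
    allowed = set()
    if subject.dominates(obj):
        allowed.add("read")
    if blp_append(subject, obj):
        allowed.add("append")
    if {"read", "append"} <= allowed:
        allowed.add("write")
    return allowed


def flow_allowed(subject, src, dst, append_rule):
    """Can `subject` read `src` and then append what it read to `dst`?"""
    return subject.dominates(src) and append_rule(subject, dst)


# Labels from question 3 (constructed from the question text).
CASES = {
    "a": (Label("TOP SECRET", frozenset("AC")), Label("SECRET", frozenset("BC"))),
    "b": (Label("CONFIDENTIAL", frozenset("C")), Label("CONFIDENTIAL", frozenset("B"))),
    "c": (Label("SECRET", frozenset("C")), Label("CONFIDENTIAL", frozenset("C"))),
    "d": (Label("TOP SECRET", frozenset("AC")), Label("CONFIDENTIAL", frozenset("A"))),
    "e": (Label("UNCLASSIFIED"), Label("CONFIDENTIAL", frozenset("B"))),
}


def question3():
    """Map each case letter to the set of accesses BLP allows."""
    return {k: blp_access(s, o) for k, (s, o) in CASES.items()}


def question4_leak():
    """Question 4's scenario: a subject cleared for project1 and project2
    reads project1 data and appends it to a project2 file.  Returns
    (allowed under the LX append rule, allowed under the BLP *-property)."""
    subject = Label("SECRET", frozenset({"project1", "project2"}))
    src = Label("SECRET", frozenset({"project1"}))
    dst = Label("SECRET", frozenset({"project2"}))
    return (flow_allowed(subject, src, dst, lx_append),
            flow_allowed(subject, src, dst, blp_append))


if __name__ == "__main__":
    for case, access in question3().items():
        print(case, sorted(access) or "none")
    print("project1 -> project2 flow (LX, BLP):", question4_leak())
```

Running the file prints the five results of question 3 (only case e grants the write-up append) and shows that the same read-then-append sequence is granted under the LX-style rule and refused under the *-property, which is exactly the cross-compartment flow the answer to question 4 describes.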
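A simulation of the object-level low-water-mark variant from question 5, added here as an example that is not part of the original answer key. The three rules are the ones stated in the answer; the Entity and System classes, the integer integrity scale and the two scenarios (a low subject infecting an object a high subject used to read, and a transfer path whose final object never rises above i(o_1)) are constructed for this example.

```python
# Added example (not from the answer key): the object-level low-water-mark
# variant of Biba from question 5, enforcing the three rules stated there.
# Entity, System, the integer levels and both scenarios are constructed here.


class IntegrityViolation(Exception):
    """Raised when a read or execute would break rule 1 or rule 3."""


class Entity:
    """A subject or object with an integrity level i (higher = more trusted)."""

    def __init__(self, name, level):
        self.name = name
        self.i = level


class System:
    def __init__(self):
        self.log = []   # (op, subject, object, object level afterwards)

    def read(self, s, o):
        # Rule 1: s may read o only if i(s) <= i(o).  Reads never change levels.
        if s.i > o.i:
            raise IntegrityViolation(f"{s.name} (i={s.i}) may not read {o.name} (i={o.i})")
        self.log.append(("read", s.name, o.name, o.i))

    def write(self, s, o):
        # Rule 2: any write is allowed, but the object is "infected": its
        # level drops to min(i(s), i(o)).
        o.i = min(s.i, o.i)
        self.log.append(("write", s.name, o.name, o.i))

    def execute(self, s, o):
        # Rule 3: s may execute o only if i(s) >= i(o).
        if s.i < o.i:
            raise IntegrityViolation(f"{s.name} (i={s.i}) may not execute {o.name} (i={o.i})")
        self.log.append(("exec", s.name, o.name, o.i))


def infection_demo():
    """s1 (low) writes an object that s2 (high) used to read; afterwards the
    read is refused, so the low-integrity data never reaches s2."""
    sys_ = System()
    s1, s2, o = Entity("s1", 1), Entity("s2", 3), Entity("o", 3)
    sys_.read(s2, o)          # ok: 3 <= 3
    sys_.write(s1, o)         # o drops to min(1, 3) = 1
    try:
        sys_.read(s2, o)      # refused: 3 > 1
        readable = True
    except IntegrityViolation:
        readable = False
    return {"level_after_write": o.i, "s2_can_read_after": readable}


def run_path(objects, subjects):
    """Drive the transfer path o_1 -> s_1 -> o_2 -> ... -> s_n -> o_{n+1}:
    s_k reads o_k then writes o_{k+1}.  Returns the final level of o_{n+1},
    or None if some read was refused (no information path exists)."""
    sys_ = System()
    try:
        for k, s in enumerate(subjects):
            sys_.read(s, objects[k])
            sys_.write(s, objects[k + 1])
    except IntegrityViolation:
        return None
    return objects[-1].i


def path_demo():
    """Two chains: one that completes, with the final level no higher than
    i(o_1), and one refused at the first read because s_1 outranks o_1."""
    completed = run_path([Entity("o1", 2), Entity("o2", 3), Entity("o3", 3)],
                         [Entity("s1", 2), Entity("s2", 2)])
    refused = run_path([Entity("o1", 1), Entity("o2", 3)],
                       [Entity("s1", 3)])
    return completed, refused


if __name__ == "__main__":
    print(infection_demo())
    print(path_demo())
```

The first scenario is the s1/s2 argument from the answer; the second is the Theorem 6.1 argument run forward: every write along a completed path can only lower the next object, so o_{n+1} ends at or below i(o_1), and a path that would need a high subject to read a low object never completes at all.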
6. In the Clark-Wilson model, can TPs be executed in parallel? Explain your answer or give some execution constraints.
There are a few constraints on TP execution. If two TPs are working on the same CDI, their execution must be coordinated. The TPs implement transactions that are performed against the CDIs to transform them from one valid state to another (as specified in CR2). Interleaving two such transactions may leave the CDI in an indeterminate state. Likewise, if one TP is reading a CDI while another TP is changing it, the results of the reading TP are suspect. Two TPs reading the same CDI should be fine, and TPs operating on independent sets of CDIs may also execute in parallel. Similarly, CR5 describes TPs that transform UDIs into CDIs. Clearly, another execution dependency exists between the UDI-transforming TP and any other TPs that will operate on the resulting CDI.
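The constraints in the answer to question 6, turned into a scheduler, as an added example that is not part of the original answer key. The TP record, the conflict rules (write/write and read/write overlap on a CDI, plus the CR5 dependency on a CDI produced from a UDI) and the sample banking TPs are constructed here; read/read sharing and disjoint CDI sets are treated as safe, as the answer states.

```python
# Added example (not from the answer key): deciding which Clark-Wilson TPs may
# run in parallel using the constraints question 6 lists.  TP, conflict(),
# parallel_waves() and the sample TPs are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class TP:
    name: str
    reads: frozenset = frozenset()     # CDIs read
    writes: frozenset = frozenset()    # CDIs transformed (CR2)
    produces: frozenset = frozenset()  # CDIs created from a UDI (CR5)


def conflict(a, b):
    """Return why a and b must be serialized, or None if they may interleave."""
    # CR5 dependency: a CDI produced from a UDI must exist before any TP uses it.
    uses_b = b.reads | b.writes | b.produces
    uses_a = a.reads | a.writes | a.produces
    dep = (a.produces & uses_b) | (b.produces & uses_a)
    if dep:
        return f"CR5 dependency on {sorted(dep)}"
    # Two transactions on one CDI may leave it in an indeterminate state.
    ww = a.writes & b.writes
    if ww:
        return f"both write {sorted(ww)}"
    # A read interleaved with a write sees a half-transformed CDI.
    rw = (a.reads & b.writes) | (a.writes & b.reads)
    if rw:
        return f"read/write overlap on {sorted(rw)}"
    return None  # read/read sharing or disjoint CDI sets: safe to run together


def parallel_waves(tps):
    """Schedule TPs into waves that may run concurrently.  The input order is
    taken as a valid serial order: each TP goes into the wave after the last
    wave holding a TP it conflicts with, so it never overtakes a predecessor
    it depends on.  Returns lists of TP names, one per wave."""
    waves = []
    placed = []  # (wave index, tp)
    for tp in tps:
        blocking = [w for w, other in placed if conflict(tp, other)]
        w = max(blocking, default=-1) + 1
        if w == len(waves):
            waves.append([])
        waves[w].append(tp)
        placed.append((w, tp))
    return [[tp.name for tp in wave] for wave in waves]


# Constructed sample: a deposit form (UDI) is validated into a pending
# transaction (CDI), which is then posted against account A; two audits and an
# interest run touch the accounts.
SAMPLE_TPS = [
    TP("validate_deposit", produces=frozenset({"pending_tx"})),
    TP("post_tx", reads=frozenset({"pending_tx"}), writes=frozenset({"acct_A"})),
    TP("audit_A", reads=frozenset({"acct_A"})),
    TP("audit_B", reads=frozenset({"acct_B"})),
    TP("apply_interest_B", reads=frozenset({"acct_B"}), writes=frozenset({"acct_B"})),
]


def schedule_sample():
    return parallel_waves(SAMPLE_TPS)


if __name__ == "__main__":
    for i, wave in enumerate(schedule_sample(), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

On the sample, validate_deposit and audit_B share no CDI and start together; post_tx waits for the CDI that validate_deposit produces (CR5) and can run alongside apply_interest_B, which only waits for audit_B's read of acct_B to finish; audit_A waits for post_tx because it reads the account post_tx writes.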