Assignment 3
Please read the general instructions for hand-in assignments.
The deadline for this assignment is Monday, October 3, 2005, 10:15 (am).
If you find a question unclear, please ask Björn for clarification, and check this space for such clarifications!
- Chinese Wall: clarifications added in boldface
Mechanisms and policies [3p]
- Describe what security mechanisms and security policies are,
- give a concrete example of each, and
- describe how security mechanisms and security policies in general should be related.
BLP [3p]
Suppose we want to allow high-level subjects to write low-level objects in the BLP model.
- Explain why this is not possible in the basic BLP model.
- Explain each of the two standard solutions to the problem, and their respective advantages and disadvantages. Motivate your answers.
States and transitions [3p]
Given the following access control matrix and the command transfer_read as defined in the lecture notes,
- Draw a transition diagram showing the reachable states.
- Is the system safe with respect to the read+ right/permission? Motivate and explain your answer.
| | F |
|---|---|
| A | read+ |
| B | |
| C | |
Chinese Wall [5p]
In Gollmann's book, pages 54-55, an example is given to explain why the ss-property of the Chinese Wall model is not sufficient.
Explain how the example works in the Chinese Wall model, under the following assumptions:
- Initially, for all o
  - x(o) = { Company_B } if y(o) = Company_A
  - x(o) = { Company_A } if y(o) = Company_B
- The following accesses are performed:
  - Analyst_A reads o from Company_A
  - Analyst_A writes o1 (with info from o) in Bank
  - Analyst_B reads o1 from Bank
- Describe the transitions of the system given the above accesses.
- For each of the transitions, analyse whether the ss-property and *-property permit them or not.
- After the actions above (if they are possible), describe the state and how the ss- and *-properties affect the future actions of Analyst_B.
Describe and motivate any further assumptions you make on the example.
Quantities [4p]
Consider the following (atomic; considered as a whole) program, where the variable x has level "top secret", and the variable y has level "unclassified".
Is the program authorized to run in Denning's quantitative model (see lecture notes)? Under which circumstances? Describe all information flows, and motivate your answers carefully!
z := 1;
if (is_prime(x)) then
  z := 0;
end if
y := z;