CS 526 Fall 2004
Assignment 2 Solutions
Note: The points add to 8.0 for a correct homework. Please see Ferit Erin first for any questions about grading and answers.
Q1-1.12
1. e
Rhonda registering the domain "AddisonWesley.com" and refusing to let the publishing house buy or use the domain name is a violation of availability. Her registering that domain name and refusing to sell it prevents the publishing house of that name from using it, making it unavailable to the public, who assume that address will house the publishing company's site.
Violation of integrity: Rhonda has registered the domain name in bad faith in order to keep the domain out of the hands of the trademark holders and to use the name recognition for her own profit. If she establishes a storefront, (origin) integrity is violated, since many users can be fooled into believing they are dealing with the publishing company when in actuality they are dealing with Rhonda. Their supposed source of information is not what it appears to be.
Note from TA: 1 point
Standard deductions were:
Q2-1.12
2. e.
To measure the web's percentage of total bandwidth used and prevent further use, routers could be used. A simple rule in the router's table could state that once web traffic reaches 80% of the bandwidth, simply drop the web packets before they leave the network. The same would be true for incoming web traffic.
The policy enforced here could be one dealing with abuse of network resources. For example, the policy might state that excessive web usage should not occur on the network. The administrators have then defined excessive as more than 80%.
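As an added example (not part of the original solutions), the router rule above modelled in Python: the mechanism measures the web share of forwarded bytes and drops web packets that would push it past the 80% cap, in either direction. Classifying "web" by ports 80/443 and the packet mix are assumptions made for the illustration.

```python
from dataclasses import dataclass

WEB_PORTS = {80, 443}   # assumption: "web traffic" means HTTP/HTTPS, identified by port


@dataclass
class Packet:
    src_port: int
    dst_port: int
    size: int            # bytes


def is_web(pkt):
    # Matching either port catches outgoing and incoming web traffic alike.
    return pkt.src_port in WEB_PORTS or pkt.dst_port in WEB_PORTS


class WebShareLimiter:
    """Mechanism: keep web traffic at or below `threshold` of all forwarded bytes."""

    def __init__(self, threshold=0.80):
        self.threshold = threshold   # the policy's definition of "excessive"
        self.web_bytes = 0
        self.total_bytes = 0

    def web_share(self):
        return self.web_bytes / self.total_bytes if self.total_bytes else 0.0

    def decide(self, pkt):
        if is_web(pkt):
            # Forwarding this packet would push the web share past the cap: drop it.
            # Dropped bytes are not counted, so the share stays pinned at the cap
            # until non-web traffic makes room again.
            projected = (self.web_bytes + pkt.size) / (self.total_bytes + pkt.size)
            if projected > self.threshold:
                return "drop"
            self.web_bytes += pkt.size
        self.total_bytes += pkt.size
        return "forward"


def run(limiter, packets):
    return [limiter.decide(p) for p in packets]


# Constructed traffic mix: two non-web packets, then a burst of outgoing web packets.
SAMPLE = [Packet(50000, 22, 1000), Packet(50001, 25, 1000)] + [Packet(50002, 80, 1000)] * 9

if __name__ == "__main__":
    lim = WebShareLimiter()
    print(run(lim, SAMPLE), "web share = %.2f" % lim.web_share())
```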
Note from TA: 1 point
Standard deductions were:
Q3-1.12
3.
Keeping a cryptographic algorithm secret usually does not provide security. The idea is that if someone does not know how the algorithm works, then they cannot break it. This is usually not true.
However, keeping something like the key used for a cryptographic algorithm secret is the only way for the system to remain secure. This is one example in which security is only obtained through obscurity.
Note from TA: 1 point
Standard deductions were:
Q4-1.12
8.
It is not possible to design and implement even very simple systems without making assumptions about trust. This is due to several facts.
• The system design must be trusted to function as planned, or there is not much use for the system.
• The system designer must be trusted not to put malicious/faulty components in the system.
• The components used to build the system must be trusted to function correctly. This trust is usually based on the reputation of the individual/company who built the components.
The only way one does not have to assume anything about trust is if we design and implement a system whose correct functionality or security we do not care about.
Note from TA: 1 point
Standard deductions were:
Q5-2.8
5. a.
command copy all rights(p, q, s)
    if read in a[p, s]
    then
        enter read into a[q, s]
    if write in a[p, s]
    then
        enter write into a[q, s]
    if execute in a[p, s]
    then
        enter execute into a[q, s]
    if append in a[p, s]
    then
        enter append into a[q, s]
    if list in a[p, s]
    then
        enter list into a[q, s]
    if modify in a[p, s]
    then
        enter modify into a[q, s]
    if own in a[p, s]
    then
        enter own into a[q, s]
    if copy in a[p, s]
    then
        enter copy into a[q, s]
end
b.
One method for doing this would be to create two rights for every right currently in the system. Having one of these rights would mean that you actually have that right over the given object. The other would mean that you are allowed to have that right over the object.
Since you cannot check for the absence of a right, you can have only "allowed" rights and not "denied" rights. So, for example, we could indicate this new right by simply appending a + to the end of the right's name. To allow a subject to have the read right over an object, we would enter read+ into that cell of the matrix. The following command obeys these new allow rights.
command copy all rights(p, q, s)
    if read in a[p, s] and read+ in a[q, s]
    then
        enter read into a[q, s]
    if write in a[p, s] and write+ in a[q, s]
    then
        enter write into a[q, s]
    if execute in a[p, s] and execute+ in a[q, s]
    then
        enter execute into a[q, s]
    if append in a[p, s] and append+ in a[q, s]
    then
        enter append into a[q, s]
    if list in a[p, s] and list+ in a[q, s]
    then
        enter list into a[q, s]
    if modify in a[p, s] and modify+ in a[q, s]
    then
        enter modify into a[q, s]
    if own in a[p, s] and own+ in a[q, s]
    then
        enter own into a[q, s]
    if copy in a[p, s] and copy+ in a[q, s]
    then
        enter copy into a[q, s]
end
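As an added example (not part of the original solutions), a small Python model of the access control matrix that runs both commands from parts (a) and (b): the matrix only supports the primitive "enter" and presence tests, so "allow" rights are expressed as r+ exactly as in the answer. The subjects p, q, the object s and the starting rights are a constructed scenario.

```python
from collections import defaultdict

# The rights copied by the command in the solution above.
RIGHTS = ["read", "write", "execute", "append", "list", "modify", "own", "copy"]


class AccessMatrix:
    """Access control matrix a[subj, obj] -> set of rights, with the primitive `enter`."""

    def __init__(self):
        self.a = defaultdict(set)

    def enter(self, right, subj, obj):
        # Primitive operation "enter right into a[subj, obj]".
        self.a[(subj, obj)].add(right)

    def has(self, right, subj, obj):
        # Conditions may only test the presence of a right, never its absence,
        # which is why a "denied" right cannot be expressed and r+ is used instead.
        return right in self.a[(subj, obj)]

    def rights(self, subj, obj):
        return set(self.a[(subj, obj)])

    def copy_all_rights(self, p, q, s):
        """Part (a): q receives every right p holds over s."""
        for r in RIGHTS:
            if self.has(r, p, s):
                self.enter(r, q, s)

    def copy_all_rights_allowed(self, p, q, s):
        """Part (b): q receives right r only if it already holds the allow right r+."""
        for r in RIGHTS:
            if self.has(r, p, s) and self.has(r + "+", q, s):
                self.enter(r, q, s)


def demo():
    """Constructed scenario: p can read, write and owns s; q is only allowed to read s."""
    m = AccessMatrix()
    for r in ("read", "write", "own"):
        m.enter(r, "p", "s")
    m.enter("read+", "q", "s")            # q may acquire read, nothing else
    m.copy_all_rights_allowed("p", "q", "s")
    allowed = m.rights("q", "s")          # only read was copied
    m.copy_all_rights("p", "q", "s")
    unconditional = m.rights("q", "s")    # the unconditional command also gives write and own
    return allowed, unconditional


if __name__ == "__main__":
    print(demo())
```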
Note from TA: each part 1 point; total 2 points
Standard deductions were:
Q6
The fundamental reason why the safety question for biconditional monotonic protection systems is undecidable is that, unlike in monoconditional monotonic protection systems, you cannot reduce the chain of leaks from one subject to another to a single subject, $S_{init}$. This inability to reduce leak chains prevents the enumeration of commands through all possible chains, because a single chain may or may not terminate. It is the inability to bound the length of a leak chain that presents the problem of undecidability. This is discussed in Claim 3 of Theorem 8 in Harrison and Ruzzo's paper, "Monotonic Protection Systems". They suppose that all commands have a single condition, making them monoconditional, which allows them to ascertain the following: "For all $i$, $1 \le i \le n + 1$, $Q_{i-1}$ weakly covers $Q_{i-1} r_i x_i y_i$."
However, if the assumption that all commands have a single condition is dropped, then this relation between $Q_{i-1} r_i x_i y_i$ and $Q_{i-1}$ does not hold. Since it might actually occur that $Q_{i-1} r_i x_i y_i$ weakly covers $Q_{i-1}$, there is no bound on the number of commands in the chain. Without a bound on the number of commands in the chain it is impossible to tell if the right will ever be leaked, making the question undecidable.
Note from TA: 2 points
Standard deductions were: