Assignment 4: Confidentiality/Integrity Policy
Start date 23 September, due beginning of class 1 October.
- Pick ALL the correct answer choices for
each question. For T/F
questions, answer T (for True)
and F (for False) .
Back up your answer with a brief explanation or example (e.g.,
you are making, an example of why a false statement is false, etc.)
(a) (5 Pts) T/F: M1 and M2 are secure protection mechanisms for the
program p. The intersection of M1 and M2 (i.e., satisfying all the common
conditions imposed by both mechanisms) is also (i.e., always) a
secure protection mechanism.
(b) (5 Pts) According to the Bell-LaPadula model, a secure system is
the one (i) that supports simple security property only, (ii)
that supports *-property, (iii) that supports both simple security
property and *-property, (iv) none of the above.
- A non-expert in security makes the following statement:
of some system is the most basic requirement in
support verification of integrity and/or confidentiality of that or
some other system. (a) (5 Pts) It is True or False. (b) (10 Pts)
one reason supporting your answer for (a).
- Modeling Multics in the Bell-LaPadula Security Model
For each of the following, give code for the rule and a proof that your
rule is secure. The level of detail in the code should be comparable
to the slides in class; the level of detail of the proof should go a
bit beyond the slides - similar to the discussion in class.
Remember that for discretionary access control, to alter a subject's
permission on an object requires having write on the parent of that
object, except for the funny behavior near root.
- (10 Pts) release-write
- (10 Pts) rescind-execute
- (10 Pts) Assume you've created and proven all the read/append/execute
Can you think of a simple way to do the write rules?
Just a few sentences - no code or proof.
- Consider a modified definition of secure system: "A secure system
the one that starts in an authorized state, is always in an
authorized state at the beginning and end of each time window W, and
always terminates in an
authorized state." For example, the time window W = 10 microseconds,
and the authorized states are S1, S2, S3, S4. The system starts in S1
or S2, and at the beginning of every 10 microseconds, the system must
be in one of these four states, and at the end of every 10
microseconds, it must be in one of these states. When the system
terminates it must be in S3 or S4.
(a) (20 Pts) Suppose you are desigining an operating
that implements this definition. And there exists an operating system
SecureOS that implements the Definition 4-2. How
would the each of the following four modules: process scheduler,
interrupt handler, system call interface and loader in SecureOS
different from each such module in wSecureOS. The difference for each
must be stated in 1-2 sentences.
(b) (10 Pts) Give a real-world example where such an
operating system can be used without breaching security.