Assignment 5: Bell LaPadula Model, Biba Integrity Model
Start date 1 October, due beginning of class 8 October.
questions, answer T (for True)
and F (for False) .
Back up your answer with a brief
explanation or example (e.g.,
you are making, an example of why a false statement is false, etc.)
(a) (5 Pts) T/F: Release-read and rescind-read have identical semantics
in Multics instantiation of Bell LaPadula model. By semantics we mean that : two systems with same semantics lead to the same output/error on the same input.
(b) (5 Pts) T/F: Integrity level of a subject remains static for
subjects and objects in Biba's strict integrity model.
2. (a) (10 Pts) Question 5.8.6 in textbook (about hierarchy) - page
150. (b) (10 Pts) By an example, show what problem/problems may arise in
Bell LaPadula model if an object hierarchy function does not result in
a tree, but results in a graph (such as a Directed Acyclic Graph or Graph with
3. (10 Pts) We want to build a system that implements both Bell Lapadula
and Biba strict Integrity Models. Is it possible especially when a
subject would have "high" privilege for BLP and "high" integrity for
Biba, and an object that such subjects can access have "higher"
classification level in BLP and "higher" integrity level in Biba
("higher" dominates "high"). Explain.
4. (10 Pts) Consider that you are designing a "self-destructive"
operating system. All the processes (subjects) are at the highest level
of integrity at the beginning, and as they start reading user submitted
data (objects of lower integrity), their integrity level changes to
lower integrity. The integrity level of the operating system is the
minimum of such levels of all processes. As the system reaches the
lowest integrity level, it stops functioning (self-destroys). Which
integrity model you would use for designing this system and why.