CS 526 Fall 2004

 

Assignment 4 Solutions

 

Note: The points add to 8.0 for a correct homework.

Please see Ferit Erin for any questions about grading and answers first.

 

(4.11.3)

 

(a)

 

Without integrity, no system can provide confidentiality. If integrity is not maintained, the existence of the information can be revealed, thus compromising confidentiality. If the information kept in the data is altered, the data might still be confidential but may contain “garbage”, which makes its confidentiality meaningless.

In addition, to enforce confidentiality you need at least the integrity of the hardware the system is running on. If there is no integrity, then there is no guarantee of secure operation on that system, which compromises confidentiality.

 

(b)

 

A system can provide integrity without confidentiality. For example, a public library has a database about its books. Since the library is open to the public, everyone can access this database, so there is no confidentiality at all. But since the users accessing the database are not allowed to change the information stored in it, the integrity of the system is not compromised.

 

Note from TA: Each part 1 point – Total 2 points

Standard deductions were (for each part):

·        -1.0      for no answer

For this question the answer depends on your definition of integrity and confidentiality. Other solutions are also accepted if enough reasoning is given.

 

(5.8.2)

(b)

Anna does not have read permission as  

Since {B} is not a subset of {C}.

 

Anna does not have write permission as  

Since {C} is not a subset of {B}.

 

Note from TA: 1 point

Standard deductions were:

·        -1.0      for no/incorrect answer

 

(5.8.7)

Raising the maximum security level will not violate any properties of the model.

Because (s, o, p) ∈ S × O × P satisfies the simple security condition relative to f if and only if one of the following holds:

a.  p=e or p=a

b.  p=r or p=w and fs(s) dom fo(o)

If the maximum security level of s, f’s(s), is raised, then because fs(s) is a subset of s(s), s(s) dom fo(o) holds. So the simple security condition relative to f will not be violated.

A state (b, m, f, h) satisfies the *-property if and only if for each s ∈ S the following hold:

a.

b.

c.

Raising the maximum security level changes fs(s) but does not change the current security level fc(s), so the *-property will not be violated.

The ds-property does not concern f, so the ds-property will not be violated.

Therefore, raising the maximum security level will not violate any properties of the model.

 

Another Solution:

 

Suppose the security level of a subject s is raised from ls to l’s, where ls < l’s.

Let T be the moment of raising the classification of s. Before T, s could read any object o with a security level lo ≤ ls (provided the discretionary access control also allows it) but not with a security level lo > ls. s could also write to any object o with a security level lo ≥ ls (provided the discretionary access control also allows it) but not with a security level lo < ls.

The security of the system is not violated after T for the following reasons:

 

To be considered a leak, s must somehow read information on an object o with lo ≤ l’s and give it to some subject s1 with ls1 < lo by writing the information to another object o1 with lo1 ≤ ls1, so that s1 can read the information via o1.

Consider the write capability of s: it is the same as before, except that now s is unable to write to any object o with a security level ls ≤ lo < l’s. Since lo1 ≤ ls1 < lo ≤ l’s, the leaking scenario we have considered is not possible. Thus, the simple security condition is preserved after T.

to before T) after T, the *-property is still preserved after T if it was preserved before T.

            ds-property is still preserved after T if it was preserved before T.

Hence, the security of the system after T is not violated.
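
The dominance checks used in 5.8.2(b) and the argument of 5.8.7 can be run as code. The following is an added example, not part of the original solutions. It assumes CONFIDENTIAL levels for Anna and the document (only the category sets {C} and {B} appear above), supplies the three *-property clauses from the standard statement of the model because they are missing above, and uses a constructed state.

```python
# Added example: Bell-LaPadula checks over (level, categories) labels.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

def dom(a, b):
    """a dom b: level(a) >= level(b) and categories(b) is a subset of categories(a)."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and b[1] <= a[1]

def mandatory_access(subject, obj):
    """5.8.2-style decision: read needs subject dom object, write the reverse."""
    return {"read": dom(subject, obj), "write": dom(obj, subject)}

def ssc(b, fs, fo):
    """Simple security condition rel f: p is e or a, or fs(s) dom fo(o) for r and w."""
    return all(p in ("e", "a") or dom(fs[s], fo[o]) for s, o, p in b)

def star(b, fc, fo):
    """*-property. Clauses are an assumption taken from the standard statement of
    the model (the page's own clauses are missing): a: fo(o) dom fc(s);
    w: fo(o) = fc(s); r: fc(s) dom fo(o). Execute access is unconstrained."""
    check = {"a": lambda c, o: dom(o, c),
             "w": lambda c, o: dom(o, c) and dom(c, o),
             "r": lambda c, o: dom(c, o),
             "e": lambda c, o: True}
    return all(check[p](fc[s], fo[o]) for s, o, p in b)

def secure(b, fs, fc, fo):
    """Both mandatory properties; the ds-property does not involve f and is omitted."""
    return ssc(b, fs, fo) and star(b, fc, fo)

def raise_max(fs, s, new):
    """Return a copy of fs with s's maximum level raised; new must dominate the old."""
    if not dom(new, fs[s]):
        raise ValueError("new maximum level must dominate the old one")
    return {**fs, s: new}

# Constructed labels: the CONFIDENTIAL levels are assumed, the categories are from 5.8.2(b).
ANNA = ("CONFIDENTIAL", frozenset("C"))
DOC = ("CONFIDENTIAL", frozenset("B"))

# Constructed state for 5.8.7: one subject s, three objects, current access set B.
FS = {"s": ("SECRET", frozenset("B"))}         # maximum level fs
FC = {"s": ("CONFIDENTIAL", frozenset("B"))}   # current level fc
FO = {"o1": ("UNCLASSIFIED", frozenset()),
      "o2": ("SECRET", frozenset("B")),
      "o3": ("CONFIDENTIAL", frozenset("B"))}
B = {("s", "o1", "r"), ("s", "o2", "a"), ("s", "o3", "w")}
RAISED = raise_max(FS, "s", ("TOP SECRET", frozenset("B")))

if __name__ == "__main__":
    print("Anna:", mandatory_access(ANNA, DOC))
    print("secure before:", secure(B, FS, FC, FO), "after:", secure(B, RAISED, FC, FO))
```

Only the maximum level fs changes in RAISED, so the *-property check, which reads fc, sees identical inputs before and after.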

 

Note from TA: 1 point

Standard deductions were:

·        -0.5      for incorrect answer

·        -1.0      for no answer

 

Question: Modeling Multics in the Bell-LaPadula Security Model

(Courtesy Chi-Bun Chan)

 

 

 

 

Note from TA: 1 point for each operation

Standard deductions were:

·        -0.1 to -0.5      for incorrect answer

·        -1.0                  for no answer