Assignment 4: Confidentiality/Integrity Policy

Start date 23 September, due beginning of class 1 October.

  1. Pick ALL the correct answer choices for each question. For T/F questions, answer T (for True) and F (for False) . Back up your answer with a brief explanation or example (e.g., assumptions you are making, an example of why a false statement is false, etc.)
    (a) (5 Pts) T/F: M1 and M2 are secure protection mechanisms for the program p. The intersection of M1 and M2 (i.e., satisfying all the common conditions imposed by both mechanisms) is also (i.e., always) a secure protection mechanism.
    (b) (5 Pts) According to the Bell-LaPadula model, a secure system is the one (i)  that supports simple security property only, (ii) that supports *-property, (iii) that supports both simple security property and *-property, (iv) none of the above.

  2. A non-expert in security makes the following statement: Availability of some system is the most basic requirement in order to support verification of integrity and/or confidentiality of that or some other system. (a) (5 Pts) It is True or False. (b) (10 Pts) Give one reason supporting your answer for (a).
     
  3. Modeling Multics in the Bell-LaPadula Security Model
    For each of the following, give code for the rule and a proof that your rule is secure. The level of detail in the code should be comparable to the slides in class; the level of detail of the proof should go a bit beyond the slides - similar to the discussion in class.
    Remember that for discretionary access control, to alter a subject's permission on an object requires having write on the parent of that object, except for the funny behavior near root.
    1. (10 Pts) release-write
    2. (10 Pts) rescind-execute
    3. (10 Pts) Assume you've created and proven all the read/append/execute rules. Can you think of a simple way to do the write rules? Just a few sentences - no code or proof.

  4. Consider a modified definition of secure system: "A secure system is the one that starts in an authorized state, is always in an authorized state at the beginning and end of each time window W, and always terminates in an authorized state." For example, the time window W = 10 microseconds, and the authorized states are S1, S2, S3, S4. The system starts in S1 or S2, and at the beginning of every 10 microseconds, the system must be in one of these four states, and at the end of every 10 microseconds, it must be in one of these states. When the system terminates it must be in S3 or S4.
        (a) (20 Pts) Suppose you are desigining an operating system wSecureOS that implements this definition. And there exists an operating system SecureOS that implements the Definition 4-2. How would the each of the following four modules: process scheduler, interrupt handler,  system call interface and loader in SecureOS be different from each such module in wSecureOS. The difference for each module must be stated in 1-2 sentences.
        (b) (10 Pts) Give a real-world example where such an operating system can be used without breaching security.