Assignment 5: Bell LaPadula Model, Biba Integrity Model

Start date 1 October, due beginning of class 8 October.

1. For T/F questions, answer T (for True) and F (for False) . Back up your answer with a brief explanation or example (e.g., assumptions you are making, an example of why a false statement is false, etc.)
(a) (5 Pts) T/F: Release-read and rescind-read have identical semantics in Multics instantiation of Bell LaPadula model. By semantics we mean that : two systems with same semantics lead to the same output/error on the same input.
(b) (5 Pts) T/F: Integrity level of a subject remains static for subjects and objects in Biba's strict integrity model.

2. (a) (10 Pts) Question 5.8.6 in textbook (about hierarchy) - page 150. (b) (10 Pts) By an example, show what problem/problems may arise in Bell LaPadula model if an object hierarchy function does not result in a tree, but results in a graph (such as a Directed Acyclic Graph or Graph with cycles).

3. (10 Pts) We want to build a system that implements both Bell Lapadula and Biba strict Integrity Models. Is it possible especially when a subject would have "high" privilege for BLP and "high" integrity for Biba, and an object that such subjects can access have "higher" classification level in BLP and "higher" integrity level in Biba ("higher" dominates "high"). Explain.

4. (10 Pts) Consider that you are designing a "self-destructive" operating system. All the processes (subjects) are at the highest level of integrity at the beginning, and as they start reading user submitted data (objects of lower integrity), their integrity level changes to lower integrity. The integrity level of the operating system is the minimum of such levels of all processes. As the system reaches the lowest integrity level, it stops functioning (self-destroys). Which integrity model you would use for designing this system and why.