City University of Hong Kong
Course: CS 4394
Subject: Computer Science
Date: Dec 19, 2024
CS4394 Tutorial 2
Mr. Jinghang WEN
jh.wen@my.cityu.edu.hk
Weekly Tutorial, City University of Hong Kong
21:30 pm - 22:20 pm, Thursday
1. Give examples of information that is highly reliable with little sensitivity and information that is not so highly reliable but with greater sensitivity.
• Not highly reliable with greater sensitivity
  ➢ Military intelligence from a double spy.
• Highly reliable with little sensitivity
  ➢ Published peer-reviewed papers.
2. Why is Biba Strict Integrity called the “dual” of the BLP model?
Biba Strict Integrity
• A subject's integrity cannot be tainted by reading bad (lower integrity) information;
• A subject cannot taint more reliable (higher integrity) information by writing into it.
Answer
• Integrity labels with subjects and objects analogous to clearance levels in BLP
[Figure: higher-integrity and lower-integrity levels with read and write arrows, labelled "No Read-Down" and "No Write-Up"]
3. If a subject asks to read an object and satisfies the BLP confidentiality requirements but fails the Biba integrity requirements, should the access be granted?
Scenario
[Figure: two panels. BLP confidentiality: higher-confidentiality and lower-confidentiality levels, read, "Read-Down". Biba integrity: higher-integrity and lower-integrity levels, read, "No Read-Down".]
Answer
• No, confidentiality and integrity are orthogonal problems. An access is allowed only if allowed by both the BLP rules and the Biba rules.
4. What do Biba’s three integrity policies, i.e., Strict integrity policy, Low water mark policy, and Ring policy, have in common?
Strict integrity policy
  ➢ Simple integrity property: subject 𝑠 can read object 𝑜 only if 𝑖(𝑠) ≤ 𝑖(𝑜).
  ➢ Integrity *-property: subject 𝑠 can write to object 𝑜 only if 𝑖(𝑜) ≤ 𝑖(𝑠).
Low water mark policy
  ➢ If 𝑠 reads 𝑜, then 𝑖′(𝑠) = min(𝑖(𝑠), 𝑖(𝑜)), where 𝑖′(𝑠) is the subject's new integrity level after the read.
  ➢ Subject 𝑠 can write to object 𝑜 only if 𝑖(𝑜) ≤ 𝑖(𝑠).
Ring policy
  ➢ This focuses on direct modification and solves some problems of the LWM Policy.
  ➢ Any subject can read any object, regardless of integrity levels.
  ➢ Subject 𝑠 can write to object 𝑜 only if 𝑖(𝑜) ≤ 𝑖(𝑠).
Answer
• All of Biba's three policies preclude a subject from writing up in integrity. (No write up)
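
The three policies side by side, as an added example that is not part of the original tutorial: the write rule is one shared function, and only the read rule differs. The numeric levels and subject names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed integrity levels: a larger number means higher integrity.
LOW, MEDIUM, HIGH = 1, 2, 3

@dataclass
class Subject:
    name: str
    level: int

def can_write(s, obj_level):
    """Shared by all three policies: s may write o only if i(o) <= i(s)."""
    return obj_level <= s.level

def read(policy, s, obj_level):
    """Apply the read rule of `policy`; return True if the read is allowed."""
    if policy == "strict":
        return s.level <= obj_level           # no read-down
    if policy == "low_water_mark":
        s.level = min(s.level, obj_level)     # i'(s) = min(i(s), i(o))
        return True
    if policy == "ring":
        return True                           # any subject reads any object
    raise ValueError(policy)

def scenario(policy):
    """A HIGH subject reads a LOW object, then tries to write a HIGH object."""
    s = Subject("editor", HIGH)
    read_ok = read(policy, s, LOW)
    return read_ok, s.level, can_write(s, HIGH)

def low_subject_write_up(policy):
    """A LOW subject reads MEDIUM data, then tries to write a HIGH object."""
    s = Subject("guest", LOW)
    read(policy, s, MEDIUM)   # reading better data never raises the level
    return can_write(s, HIGH)

if __name__ == "__main__":
    for p in ("strict", "low_water_mark", "ring"):
        print(p, scenario(p), low_subject_write_up(p))
```

Under the low water mark policy the read succeeds but drops the subject to LOW, so its later write to a HIGH object is refused; the write-up by a LOW subject is refused under every policy.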
5. Can system controllers modify development code/test data?
System controllers: must have ability to downgrade code once it is certified for production so other entities cannot write to it.
Development: production programs under development and testing but not yet in production state.

Type                 Confidentiality   Integrity
System controllers   (SL,{SP,SD})      (ISP,{IP,ID})
Development          (SL,{SD})         (ISL,{ID})

Answer
• Yes. 𝑖(development) ≤ 𝑖(system controllers)
• Subject 𝑠 can write to object 𝑜 only if 𝑖(𝑜) ≤ 𝑖(𝑠).
6. Why is it necessary for system controllers to have the ability to downgrade? What form of tranquility underlies the downgrade ability?
Downgrade means the ability to move software (objects) from development to production.
Answer
• Moving objects from the development to production world means changing their labels.
• BLP and Biba do not specify how to achieve it.
• Weak Tranquility: Subjects and objects do not change labels in a way that violates the spirit of the security policy.
[Figure: labels (ISL,{ID}) and (IO,{IP})]
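
The label comparisons behind questions 5 and 6, as an added example that is not part of the original tutorial. It uses the integrity labels shown above; the level ordering ISL < IO < ISP is taken from Lipner's model, and the developer subject label, the `downgrade` helper and the object name are assumptions for illustration.

```python
# Lipner integrity levels, lowest to highest. The ordering comes from
# Lipner's model and is an assumption here; the page does not list it.
RANK = {"ISL": 0, "IO": 1, "ISP": 2}

def label(level, *categories):
    return (level, frozenset(categories))

def leq(a, b):
    """a <= b in the lattice: level no higher and category set contained."""
    return RANK[a[0]] <= RANK[b[0]] and a[1] <= b[1]

def can_write(subject, obj):
    """Biba write rule quoted on the page: i(o) <= i(s)."""
    return leq(obj, subject)

# Integrity labels from the page.
SYSTEM_CONTROLLERS = label("ISP", "IP", "ID")
DEVELOPMENT = label("ISL", "ID")
PRODUCTION = label("IO", "IP")
# Assumption: a developer subject carries the same label as development objects.
DEVELOPER = DEVELOPMENT

def downgrade(obj_labels, name, actor):
    """Relabel a certified object from its current label to PRODUCTION.
    Hypothetical check: the actor must dominate both the old and new label."""
    if not (can_write(actor, obj_labels[name]) and can_write(actor, PRODUCTION)):
        raise PermissionError(name)
    obj_labels[name] = PRODUCTION

def demo():
    objs = {"payroll.c": DEVELOPMENT}            # constructed object name
    before = can_write(DEVELOPER, objs["payroll.c"])
    downgrade(objs, "payroll.c", SYSTEM_CONTROLLERS)
    after = can_write(DEVELOPER, objs["payroll.c"])
    return before, after

if __name__ == "__main__":
    print(can_write(SYSTEM_CONTROLLERS, DEVELOPMENT), demo())
```

The object's label changes during the relabel, which strong tranquility would forbid; the change is acceptable under weak tranquility because the developer loses write access rather than gaining it.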
7. What is the purpose of the four fundamental concerns of Clark and Wilson?
• Authentication
  ➢ Identity of all users must be properly authenticated.
• Audit
  ➢ Modifications should be logged to record every program executed and by whom, in a way that cannot be subverted.
• Well-formed transactions
  ➢ Users manipulate data only in constrained ways. Only legitimate accesses are allowed.
• Separation of duty
  ➢ The system associates with each user a valid set of programs they can run and prevents unauthorized modifications. Thus, preserving integrity and consistency with the real world.
Answer
• Maintain consistency among the various components of the system state.
8. What is the difference between certification and enforcement rules?
Certification rules
  ➢ C1: All IVPs must ensure that CDIs are in a valid state when the IVP is run.
  ➢ C2: All TPs must be certified as integrity-preserving.
  ➢ C3: Assignment of TPs to users must satisfy separation of duty.
  ➢ C4: The operation of TPs must be logged.
  ➢ C5: TPs executing on UDIs must result in valid CDIs.
Enforcement rules
  ➢ E1: Only certified TPs can manipulate CDIs.
  ➢ E2: Users must only access CDIs by means of TPs for which they are authorized.
  ➢ E3: The identity of each user attempting to execute a TP must be authenticated.
  ➢ E4: Only the certifier of a TP may change the list of entities associated with that TP.
Abbreviations
  ➢ CDI: constrained data items
  ➢ UDI: unconstrained data items
  ➢ TP: transformation procedures
  ➢ IVP: integrity verification procedures
Answer
• Enforcement rules specify security requirements that should be supported by the protection mechanisms in the underlying system.
• Certification rules specify security requirements that the application system should uphold as transactions (interaction) happen.
9. In the example conflict classes, if you accessed a file from General Motors, then subsequently accessed a file from Microsoft, will you then be able to access another file from GM?
Conflict of interest classes (COI)
  ➢ Contain datasets of companies in competition.
  ➢ Assume that each object belongs to exactly one COI class.
Consider the following conflict classes
• { Ford, Chrysler, GM }
• { HSBC, Standard Charter, Citicorp }
• { Microsoft }
Answer
• Yes, they are from different COI sets. You are free to access files from companies in any other conflict class.
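
The access decision for these conflict classes, as an added example that is not part of the original tutorial. It goes one step beyond the answer by also showing the refusal case: the standard Chinese Wall read rule denies a company whose COI class already contains a different company the subject has accessed. The `Analyst` class and `run` helper are hypothetical names.

```python
# Conflict-of-interest classes exactly as listed on the page.
COI_CLASSES = [
    {"Ford", "Chrysler", "GM"},
    {"HSBC", "Standard Charter", "Citicorp"},
    {"Microsoft"},
]

def coi_class(company):
    """Each company dataset belongs to exactly one COI class."""
    for cls in COI_CLASSES:
        if company in cls:
            return cls
    raise KeyError(company)

class Analyst:
    def __init__(self):
        self.accessed = set()     # history of companies already read

    def request(self, company):
        """Grant access unless a competitor in the same COI class
        has already been accessed; record granted accesses."""
        competitors_seen = (self.accessed & coi_class(company)) - {company}
        if competitors_seen:
            return False
        self.accessed.add(company)
        return True

def run(sequence):
    """Replay a sequence of requests for one fresh analyst."""
    analyst = Analyst()
    return [analyst.request(company) for company in sequence]

if __name__ == "__main__":
    print(run(["GM", "Microsoft", "GM"]))                # the question's sequence
    print(run(["GM", "Ford", "HSBC", "Citicorp"]))       # competitors are refused
```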