City University of Hong Kong
Course: CS 4394 (Computer Science)
Date: Dec 19, 2024
Pages: 38
CS4394 Tutorial 1
Mr. Jinghang WEN (jh.wen@my.cityu.edu.hk)
Weekly Tutorial, City University of Hong Kong, Thursday 21:30 pm - 22:20 pm
1. Think about the way you use your computer in your personal life. Which is most important: confidentiality, integrity, availability? Justify your answer.
• Confidentiality: Who can read information?
• Integrity: Who can write, modify or generate information?
• Availability: Are resources available when needed?
It all depends on the context:
• For example, if you're using e-banking services, integrity is crucial, as it ensures that your financial transactions are accurate and haven't been tampered with.
• In other situations, confidentiality might be more important, such as protecting personal data from unauthorized access.
• Availability becomes critical for services you rely on continuously, like accessing your files in the cloud.
2. What is the connection of integrity and authentication? Can you illustrate with examples?
• Integrity: Making sure that some piece of data has not been altered from some "reference version"
• Authentication: Making sure that a given entity (with whom you are interacting) is who you believe it to be
• Connection: Authentication is a way to enforce integrity. Put differently, authenticity is a special case of integrity.
• Example: Submitting your original transcript to the university when enrolling at the school. The transcript is sealed in an envelope with a stamp.
3. Can you name at least one situation in which authentication and non-repudiation are extremely important?
• Non-repudiation: The assurance that someone cannot deny the validity of something
• Digital signature: Online contract
  ➢ It is really generated by the entity
  ➢ The entity cannot deny the signature
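The difference between "the data is unchanged from the reference version" and "the data is unchanged and comes from the claimed party" (questions 2 and 3), as an added example that is not part of the tutorial; the transcript record and the key are constructed for the demonstration, and the issuer/verifier shared key is an assumption.

```python
# Added example (not from the tutorial slides): integrity versus authenticity
# on a "reference version" of some data, standard library only. The record
# contents and the key are constructed for the demonstration.
import hashlib
import hmac

def digest(data: bytes) -> bytes:
    """Integrity only. Anyone can recompute this value, so it detects that data
    differs from the reference version but says nothing about who produced it."""
    return hashlib.sha256(data).digest()

def seal(key: bytes, data: bytes) -> bytes:
    """Integrity tied to a key holder, like the stamped envelope on the transcript:
    a valid seal shows the data is unchanged and came from someone holding the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def integrity_ok(reference_digest: bytes, data: bytes) -> bool:
    return hmac.compare_digest(reference_digest, digest(data))

def authentic_ok(key: bytes, reference_seal: bytes, data: bytes) -> bool:
    # compare_digest avoids leaking the position of a mismatch through timing.
    return hmac.compare_digest(reference_seal, seal(key, data))

# Constructed sample: a transcript record and an altered copy of it.
TRANSCRIPT = b"student=1234;CS4394=B+"
ALTERED = b"student=1234;CS4394=A+"
KEY = b"constructed-demo-key-do-not-reuse"  # assumed shared by issuer and verifier

if __name__ == "__main__":
    ref_digest, ref_seal = digest(TRANSCRIPT), seal(KEY, TRANSCRIPT)
    print("altered record passes check against reference digest:",
          integrity_ok(ref_digest, ALTERED))
    # A digest recomputed over the altered record passes the bare integrity
    # check, which is why a hash alone does not authenticate the producer.
    print("altered record with recomputed digest passes:",
          integrity_ok(digest(ALTERED), ALTERED))
    # The seal cannot be recomputed without the key, so the authenticity check fails.
    print("altered record with seal under another key passes:",
          authentic_ok(KEY, seal(b"other", ALTERED), ALTERED))
    # HMAC gives no non-repudiation (question 3): the verifier holds the same
    # key, so it cannot prove to a third party who produced the seal; that needs
    # a digital signature.
```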
4. What is the primary purpose of military security? Are there also any other aspects we need to protect in practice?
• Military security
  ➢ Defined as the ability of a nation to defend itself?
  ➢ The Simple Security Property, *-Property and Tranquility Property formalize a large portion of multi-level security, which is also sometimes called military security
• Purpose
  ➢ Confidentiality
  ➢ Integrity
  ➢ Availability
5. Why are we not concerned with how the labels get there?
• Label
  ➢ On any folder, reflects the sensitivity of the information contained within that folder
  ➢ Contains both a hierarchical component and a set of categories
  ➢ Examples: (Secret: {Nuclear, Crypto}), (Top Secret: {Crypto})
It is hard to model the generation of labels, and it is more convenient to assume they are already there.
6. Explain why the Principle of Least Privilege makes sense.
• Need-to-know policy
  ➢ Subjects only have access to the minimum resources needed to perform their tasks
  ➢ Reduces the risk of accidental or intentional misuse of privileges
It is widely implemented in practice; many real systems are based on this principle.
7. State informally what the Simple Security property says.
• Simple Security property
  ➢ Each subject S and object O is assigned a confidentiality level (LS and LO, respectively)
  ➢ A subject S can read an object O only if LO ≤ LS ("read down")
A subject at a given security level may not read an object at a higher security level.
8. State informally what the *-Property says.
• *-Property
  ➢ Each subject S and object O is assigned a confidentiality level (LS and LO, respectively)
  ➢ A subject S can write to an object O only if LS ≤ LO ("write up")
Users can create content only at or above their own security level.
9. What must be true for a subject to have both read and write access to an object?
Each subject S and object O is assigned a confidentiality level (LS and LO, respectively)
• Simple Security property: A subject S can read an object O only if LO ≤ LS ("read down")
• *-Property: A subject S can write to an object O only if LS ≤ LO ("write up")
Both hold only when LO ≤ LS and LS ≤ LO, i.e. the clearance of the subject is exactly the same as the classification of the object.
10. Why not just use strong tranquility all the time?
• The Strong Tranquility Property: Subjects and objects do not change labels during the lifetime of the system
• The Weak Tranquility Property: Subjects and objects do not change labels in a way that violates the spirit of the security policy
Weak tranquility is desirable in situations where a subject with a low clearance level is allowed to accumulate higher clearance levels progressively, e.g. from (Unclassified: { }) to (Top Secret: {Crypto}).
What if the labels are allowed to change? We clearly need an additional rule that governs changing labels.
11. Is the following a covert channel? Why or why not?
Send 0             | Send 1
-------------------+-------------------
Write (SH, F0, 0)  | Write (SH, F0, 1)
Read (SL, F0)      | Read (SL, F0)
• A covert channel is a path for the illegal flow of information between subjects within a system, utilizing system resources that were not designed to be used for inter-subject communication
• No. F0 has its own classification label. The lower-clearance subject (SL) cannot observe any difference between the two cases (send 0 and send 1).
  ➢ Only read and write are involved in this case
  ➢ The clearance levels: SH > SL
  ➢ If SH can write F0, then F0 ≥ SH > SL, so SL cannot read F0
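The Simple Security property, the *-Property, the question-9 condition and the question-11 check, worked as an added example that is not part of the tutorial; labels take the (level, categories) form from question 5, while the level names and the concrete labels chosen for SH, SL and F0 are assumptions.

```python
# Added example (not from the tutorial slides): Bell-LaPadula checks with
# labels of the question-5 form, (hierarchical level, set of categories).
# The level names and the concrete labels for SH, SL and F0 are assumptions.

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dominates(a, b):
    """Label a dominates label b (written LB <= LA on the slides) when a's level
    is at least b's and a's category set contains all of b's categories.
    This is a partial order: some pairs of labels are incomparable."""
    (lvl_a, cats_a), (lvl_b, cats_b) = a, b
    return LEVELS[lvl_a] >= LEVELS[lvl_b] and cats_a >= cats_b

def can_read(subject, obj):
    """Simple Security property: read down, allowed only if LO <= LS."""
    return dominates(subject, obj)

def can_write(subject, obj):
    """*-Property: write up, allowed only if LS <= LO."""
    return dominates(obj, subject)

def can_read_and_write(subject, obj):
    """Question 9: both checks pass only when the two labels are identical."""
    return can_read(subject, obj) and can_write(subject, obj)

def direct_channel_exists(high, low, obj):
    """Question 11: SH writes obj, then SL reads obj. A bit reaches SL only if
    BLP permits both operations on the same object."""
    return can_write(high, obj) and can_read(low, obj)

# Question 5's two labels: neither dominates the other.
SECRET_NC = ("Secret", frozenset({"Nuclear", "Crypto"}))
TS_C = ("Top Secret", frozenset({"Crypto"}))

# Question 11 setting (constructed): SH > SL, F0 at SH's own level so SH may write it.
SH = ("Secret", frozenset())
SL = ("Unclassified", frozenset())
F0 = ("Secret", frozenset())

if __name__ == "__main__":
    print("Secret:{Nuclear,Crypto} vs Top Secret:{Crypto} comparable?",
          dominates(SECRET_NC, TS_C) or dominates(TS_C, SECRET_NC))
    print("SH can write F0:", can_write(SH, F0))
    print("SL can read F0:", can_read(SL, F0))
    print("Q11 channel via direct read:", direct_channel_exists(SH, SL, F0))
```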
12. Analyse whether each of the following channels is a type of covert channel.
• Timing channel
• Storage channel
Conditions for a storage channel:
• Both sender and receiver must have access to some attribute of a shared object
• The sender must be able to modify the attribute
• The receiver must be able to reference (view) that attribute
• A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist
Conditions for a timing channel:
• Both sender and receiver must have access to some attribute of a shared object
• Both sender and receiver have access to a time reference (real-time clock, timer, ordering of events)
• The sender must be able to control the timing of the detection of a change in the attribute by the receiver
• A mechanism for initiating both processes, and sequencing their accesses to the shared resource, must exist
Answers:
• You log into a forum with encrypted traffic, but third parties can still observe covert information, e.g. your online activity, and possibly infer your time zone
• Encrypted file: one can infer whether it is text, image or video from its size
13. Why would it be infeasible to eliminate every potential covert channel?
Answers:
  1. A covert channel uses system resources not intended for information transfer, making it hard to detect every covert channel.
  2. Protection is inherently costly if you need to implement countermeasures for as many unintended channels as possible.
14. How to use an SRMM table to search for a potential covert channel?
• SRMM stands for shared-resource matrix methodology.
• Build a table describing system commands and their potential effects on shared attributes of objects
  ➢ R: operation References the attribute (provides information about the attribute under some circumstances)
  ➢ M: operation Modifies the attribute under some circumstances
Table (columns: READ, WRITE, DESTROY, CREATE; entries as marked on the slide):
  File existence: R, M, M
  File size: R, M, M, M
  File level: R, M, M
Suppose you have the following operation:
• CREATE (S, O)
  ➢ If no object with name O exists on the system, create a new object O at level LS
  ➢ Otherwise, do nothing
After this operation, you know that the file exists.
If you see an R and an M in the same row, that indicates a potential channel. Why potential?
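The row scan that the SRMM table supports, as an added example that is not part of the tutorial; the individual cell assignments are constructed, since the slide's table gives only the R/M entries per row, and CREATE is marked as both referencing and modifying file existence to follow the slide's CREATE(S, O) description.

```python
# Added example (not from the tutorial slides): scanning a shared-resource
# matrix (SRMM) for rows that carry both an R and an M. The cell assignments
# below are constructed for illustration; the slide's table gives only the
# per-row R/M entries. Cell values: "R" = operation References the attribute,
# "M" = Modifies it, "RM" = both, "" = neither.

OPERATIONS = ("READ", "WRITE", "DESTROY", "CREATE")

# Constructed matrix. CREATE is "RM" on file existence to follow the slide's
# CREATE(S, O): it checks whether O exists and may bring O into existence.
MATRIX = {
    "file existence": {"READ": "R", "WRITE": "R", "DESTROY": "M", "CREATE": "RM"},
    "file size":      {"READ": "R", "WRITE": "M", "DESTROY": "M", "CREATE": "M"},
    "file level":     {"READ": "R", "WRITE": "R", "DESTROY": "M", "CREATE": "M"},
}

def find_potential_channels(matrix):
    """Return {attribute: (referencing ops, modifying ops)} for each row with
    at least one R and at least one M. Such a row is only a candidate ('why
    potential?'): a real channel also needs a sender allowed to run one of the
    M operations and a receiver allowed to run one of the R operations on the
    same object, plus a way to sequence them (question 12's conditions)."""
    found = {}
    for attr, row in matrix.items():
        refs = sorted(op for op, cell in row.items() if "R" in cell)
        mods = sorted(op for op, cell in row.items() if "M" in cell)
        if refs and mods:
            found[attr] = (refs, mods)
    return found

def candidate_pairs(matrix):
    """List (attribute, modifying op, referencing op) triples: the operation a
    sender would use to set the attribute and the one a receiver would use to
    observe it. Reviewing each triple against the access policy is the manual
    step that follows the scan."""
    return [(attr, m, r)
            for attr, (refs, mods) in find_potential_channels(matrix).items()
            for m in mods for r in refs]

if __name__ == "__main__":
    for attr, (refs, mods) in find_potential_channels(MATRIX).items():
        print(f"{attr}: referenced by {refs}, modified by {mods}")
    print(len(candidate_pairs(MATRIX)), "operation pairs to review")
```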
15. What do you think of the statement that one way to mitigate covert channels is to introduce randomness into the channel? Justify your answer.
Covert channel mitigation:
• Eliminate it by modifying the system implementation
• Reduce the bandwidth by introducing noise into the channel
• Monitor it for patterns of usage that indicate someone is trying to exploit it
Answer:
• Randomness increases the difficulty of extracting useful information from a covert channel. For example, adding dummy content to two encrypted files so that one cannot distinguish the files by their sizes.
16. If a computer system satisfies BLP, does it necessarily satisfy non-interference (NI)? Why or why not?
Non-interference properties:
• If security demands that SH must never communicate with SL, there shouldn't be anything that SH can do that has effects visible to SL.
• It is possible to turn any MLS policy into an NI policy.
• It is NOT true that any NI policy can be reformulated into an MLS policy.
Answer:
• No. Give an example of a system that satisfies BLP but not NI. The firewall case satisfies the BLP model: INTERNET < Firewall < LAN. If we were to explicitly define an NI rule that refuses a channel from the INTERNET directly into the LAN, then NI is violated, since the INTERNET will interfere with the LAN.
17. Explain why it's difficult to prove non-interference for realistic systems.
Answers:
• Interferences are common in real-world systems.
• Interferences mostly involve low-level system attributes.
  ➢ The attributes are scattered, diverse, and hard to capture.
• Although NI seems good by definition, it can be extremely hard for security engineers to implement.
  ➢ How to represent the attributes in a programming language?
• Some interferences are benign.
  ➢ For example, marking whether a file is stored in the cache speeds up the data retrieval process.