Lecture 12 Outline (April 24, 2015)

Reading: §4, 5–5.2.1
Assignment: Program 2, due April 27, 2015; Homework 2, May 1, 2015

1. Greetings and felicitations!
   1. For program 2, source code analyze works on pc33, pc34, pc36, pc37, pc38, pc39, pc40, pc41, pc42, pc43, pc44, pc45, pc46, pc51, pc55, pc57, pc58; does not work on pc35, pc47, pc48, pc49, pc50, pc53; don't know about pc52, pc54, pc56, or pc60 as they were down when I checked
2. Discussion problem of the day
3. Policy
   1. Sets of authorized, unauthorized states
   2. Secure systems in terms of states
   3. Mechanism vs. policy
4. Types of Policies
   1. Military/government vs. confidentiality
   2. Commercial vs. integrity
5. Types of Access Control
   1. Mandatory access control
   2. Discretionary access control
   3. Originator-controlled access control
6. High-level policy languages
   1. Characterization
   2. Example: DTEL
7. Low-level policy languages
   1. Characterization
   2. Example: tripwire configuration file
8. Policies in natural language
9. Goals of confidentiality policies
10. Bell-LaPadula Model with levels only
    1. Security levels
    2. Simple security property
    3. *-property
    4. Discretionary security property

The Task

Student is to perform a remote security evaluation of one or more computer systems. The evaluation should be conducted over the Internet, using tools available in the public domain.

What the student must submit

In conducting this work, you should imagine yourself to be a security contracted by the owner of the computer system(s) to perform a security evaluation.

The student must provide a written report which has the following sections: Executive summary, description of tools and techniques used, dates and times of investigations, examples of data collected, evaluation data, overall evaluation of the system(s) including vulnerabilities.