Homework 2

Due: April 25, 2018 at 11:59pm
Points: 100

Questions

Remember to justify your answers.

  1. (20 points) Classify each of the following as an example of a mandatory, discretionary, or originator controlled policy, or a combination thereof. Justify your answers.
    1. The file access control mechanisms of the UNIX operating system
    2. A system in which no memorandum can be distributed without the creator’s consent
    3. A military facility in which only generals can enter a particular room
    4. A university registrar’s office, in which a faculty member can see the grades of a particular student provided that the student has given written permission for the faculty member to see them.

  2. (20 points) Given the security levels TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, specify what type of access (read, write, both, or neither) is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified.
    1. Paul, cleared for ( TOP SECRET, { A, C } ), wants to access a document classified ( SECRET, { B, C } ).
    2. Anna, cleared for ( CONFIDENTIAL, { C } ), wants to access a document classified ( CONFIDENTIAL, { B } ).
    3. Jesse, cleared for ( SECRET}{C}, wants to access a document classified ( CONFIDENTIAL, { C } ).
    4. Sammi, cleared for ( TOP SECRET}{A, C}, wants to access a document classified ( CONFIDENTIAL, { A } ).
    5. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified ( CONFIDENTIAL, { B } ).

  3. (20 points) In the Clark-Wilson model, prove that applying a sequence of transformation procedures to a system in a valid state results in the system being in a (possibly different) valid state.

  4. (20 points) A publisher wishes to implement a DRM scheme for its digital books. Please explain why enciphering the contents of the books, and then distributing the appropriate cryptographic keys, is insufficient to provide a digital rights management scheme.

  5. (20 points) A noted computer security expert has said that without integrity, no system can provide confidentiality.
    1. Assume the system provides no integrity controls. Do you agree with the noted computer security expert? Justify your answer.
    2. Now suppose the system has no confidentiality controls. Can this system provide integrity without confidentiality? Again, justify your answer.
UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 153, Computer Security
Version of April 12, 2018 at 9:24AM

 You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh