(20 points) Companies usually restrict the use of electronic mail
to company business but do allow minimal use for personal reasons.
How might a company detect excessive personal use of electronic
mail, other than by reading it? Hint: Think about the personal use of a company
Intuitively, it seems reasonable to ban all personal use of
electronic mail on company computers. Explain why most companies
do not do this.
(16 points) Consider a system that allows multiple owners of an
object. This system allows an owner to grant rights to other subjects,
and to delete them, except that the owner cannot delete another own
An object o has two owners, p and q. What happens if p deletes all of q’s rights to the object?
Specifically, does this prevent q from accessing the object?
Assume there are two types of own rights, an ``original own''
ownorig and an ``added own''
ownadd. The own right
ownorig cannot be copied or added, whereas the
ownadd right enables the possessor to add or
delete rights (except for the ownorig right).
If p has ownorig and q has
ownadd, how does your answer to the first part
(10 points) Peter Denning formulated the principle of attenuation
of privilege as ``a procedure cannot access an object passed as a
parameter in ways that the caller cannot.'' Contrast this formulation to
that of the Principle of Attenuation of Privilege as stated in class
(``A subject may not increase its rights, nor grant rights it does not
possess to another subject''). In particular, which is the ``subject''
and which is the ``other subject'' in the formulation used in class?
(30 points) The proof of Theorem 3.1 states the following: Suppose two subjects s1 and s2 are
created and the rights in A[s1, o1] and A[s2, o2] are tested. The same test for A[s1, o1] and A[s1, o2] =
A[s1o2] ∪ A[s2, o2] will produce the same result. Justify this statement. Would it be true if one could
test for the absence of rights as well as for the presence of rights?
(24 points) Prove or disprove: The claim of Lemma 3.1 holds when x is an object.
(20 points) Prove Theorem 3.3. Hint: Use a diagonalization argument to test each system as the set of protection systems is enumerated.