**UC Davis Students: Due May 19, 1997 at 11:59PM**

**NTU Students: Due May 26, 1997 at 11:59PM**

- (*40 points*) In the proof of the Harrison, Ruzzo, and Ullman theorem, we discussed the motion of the head of the tape to the left. Motion to the right would require us to take into account reaching the end of the tape. Please complete the proof presented in class by showing how the move (*q*, *X*) = (*p*, *Y*, *R*) can be represented as two commands, one covering the case where the head does not reach a new tape cell, and one where the head does reach a new tape cell.
- (*30 points*) This question uses the Take-Grant model. Please give a sequence of rule applications showing how **p** can acquire the right *r* for **x** in the following protection graph, or prove that **p** cannot acquire those rights.
- (*40 points*) A *protected subsystem* is a subject that is invoked by other subjects, and acts on their behalf. It is typically constrained, so that it can alter local variables and parameters, but nothing else (including other global information). Please extend the access control matrix model discussed in class to allow for the explicit existence of protected subsystems. To enter a protected subsystem *S*, use the primitive **enter** *S* with parameters (*o*_{1}, *r*_{1}), ..., (*o*_{n}, *r*_{n}), where *o*_{i} is an object that the subsystem can access and *r*_{i} the set of rights that the subsystem may use to access *o*_{i}; to exit the protected subsystem, use the primitive **exit** *S* with parameters (*o*_{1}, *r*_{1}), ..., (*o*_{n}, *r*_{n}). In your answer, define each of these operations in terms of the changes they induce on the access control matrix at the time of entry and of exit.
- (*20 points*) Why is labelling (associating labels with objects and subjects) a security requirement? That is, why could a trusted computing base not simply maintain an access control table with entries for each subject and each object rather than having labels associated with each object?
- (*20 points*) What restrictions are placed on two subjects (processes) that wish to send messages to, and receive messages from, each other:
  - according to the Bell-LaPadula model?
  - according to the Biba model?
- (*20 points*) The *-property (no writes down) of the Bell-LaPadula model is designed to prevent subjects from leaking information to subjects at a lower security level. How could this rule be used to enforce integrity constraints (that is, prevent system programs from being altered maliciously)?
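One way to model the **enter** *S* / **exit** *S* primitives of the protected-subsystem question above as operations on an access control matrix. This is an added example, not part of the assignment or the course's own formulation; the rule that a caller may only pass rights it holds itself, the stack of live entries, and the exact-undo bookkeeping on exit are assumptions of this example.

```python
from collections import defaultdict


class AccessControlMatrix:
    """Rows are subjects, columns are objects, each cell is a set of rights."""

    def __init__(self):
        self.cells = defaultdict(set)          # (subject, object) -> {rights}
        self.activations = defaultdict(list)   # subsystem -> stack of live entries

    def grant(self, subject, obj, rights):
        self.cells[(subject, obj)] |= set(rights)

    def rights(self, subject, obj):
        return frozenset(self.cells.get((subject, obj), ()))

    @staticmethod
    def _normalize(params):
        return tuple((obj, frozenset(r)) for obj, r in params)

    def enter(self, subsystem, caller, params):
        """enter S with (o_1, r_1), ..., (o_n, r_n): add each r_i to A[S, o_i]."""
        params = self._normalize(params)
        added = []   # (o_i, rights newly added) so that exit undoes exactly these
        for obj, wanted in params:
            # Assumption of this example: the caller may only hand over rights
            # it holds itself, so S never gains more authority than its invoker.
            missing = wanted - self.cells[(caller, obj)]
            if missing:
                self._revoke(subsystem, added)   # roll back a partially applied entry
                raise PermissionError(f"{caller} lacks {sorted(missing)} on {obj}")
            new = wanted - self.cells[(subsystem, obj)]
            self.cells[(subsystem, obj)] |= new
            added.append((obj, new))
        self.activations[subsystem].append((caller, params, added))

    def exit(self, subsystem, params):
        """exit S with the same (o_i, r_i) list: remove only what entry added."""
        if not self.activations[subsystem]:
            raise RuntimeError(f"{subsystem} is not active")
        caller, entered_with, added = self.activations[subsystem][-1]
        if self._normalize(params) != entered_with:
            raise ValueError("exit parameters do not match the matching enter")
        self.activations[subsystem].pop()
        self._revoke(subsystem, added)
        return caller   # control returns to the invoking subject

    def _revoke(self, subsystem, added):
        for obj, new in added:
            self.cells[(subsystem, obj)] -= new
```

Rights the subsystem held before entry (its own local variables) are untouched by exit; only the cells that entry added are cleared.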

**Extra Credit**

- What assumptions with respect to trust would an implementation of the Clark-Wilson model make? In particular, if you wanted to attack a system that implemented the Clark-Wilson model, what flaws would you hypothesize? Please discuss flaws related to the implementation and operation of system aspects related to the model *only* (that is, passwords being stored in the clear is not a relevant flaw).

You can get this document in Postscript, ASCII text, or Framemaker version 5.1.

Send email to cs253@csif.cs.ucdavis.edu.

Department of Computer Science

University of California at Davis

Davis, CA 95616-8562