Homework #1

Due: April 14, 2025
Points: 100


Questions

  1. (18 points) How do laws protecting privacy impact the ability of system administrators to monitor user activity?

  2. (25 points) This exercise asks you to consider the consequences of not applying the principle of attenuation of privilege to a computer system.
    a. What are the consequences of not applying the principle at all? In particular, what is the maximal set of rights that subjects within the system can acquire (possibly with the cooperation of other subjects)?
    b. Suppose attenuation of privilege applied only to access rights such as read and write, but not to rights such as own and grant_rights. Would this ameliorate the situation discussed in part (a)? Why or why not?
    c. Consider a restricted form of attenuation, which works as follows. A subject q is attenuated by the maximal set of rights that q, or any of its ancestors, has. So, for example, if any ancestor of q has r permission over a file f, q can also r f. How does this affect the spread of rights throughout the access control matrix of the system?
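As an added illustration of the principle this question is about (a constructed example, not part of the assignment or of the course materials): a toy access control matrix whose grant primitive can be run with or without the attenuation-of-privilege check, plus a closure routine that applies every possible grant until nothing changes, so the maximal set of rights reachable when all subjects cooperate can be read off directly. The right names, the subjects alice and bob, the object f, and the starting rights are all assumptions made for the example.

```python
"""Toy access control matrix with an optional attenuation-of-privilege check.

Constructed example: rights are short strings, and the matrix maps a
(subject, object) pair to the set of rights that subject holds over that object.
Subjects are also objects, so rows exist for (subject, subject) pairs.
"""
from itertools import product

RIGHTS = {"r", "w", "own"}          # assumed right set for the example


class Matrix:
    def __init__(self, subjects, objects, attenuate=True):
        self.subjects = set(subjects)
        self.objects = set(objects) | set(subjects)
        self.attenuate = attenuate
        self.acm = {(s, o): set() for s in self.subjects for o in self.objects}

    def rights(self, subject, obj):
        return self.acm[(subject, obj)]

    def create(self, creator, new_obj):
        """creator brings new_obj into existence and receives 'own' on it."""
        self.objects.add(new_obj)
        for s in self.subjects:
            self.acm.setdefault((s, new_obj), set())
        self.acm[(creator, new_obj)].add("own")

    def grant(self, granter, grantee, obj, right):
        """granter tries to give grantee the right over obj.

        With attenuation enforced, a subject may transfer only a right it
        already holds; without it, any subject may hand out any right.
        Returns True if the grant took effect.
        """
        if self.attenuate and right not in self.acm[(granter, obj)]:
            return False
        self.acm[(grantee, obj)].add(right)
        return True

    def closure(self):
        """Apply every possible grant repeatedly until the matrix stops changing.

        The result is the matrix of maximal rights obtainable when every
        subject cooperates with every other subject.
        """
        changed = True
        while changed:
            changed = False
            for g, e, o, r in product(self.subjects, self.subjects,
                                      self.objects, RIGHTS):
                if r not in self.acm[(e, o)] and self.grant(g, e, o, r):
                    changed = True
        return self.acm


def maximal_rights_for_bob(attenuate):
    """Constructed scenario: alice creates f and is also given 'r' on it;
    bob starts with nothing. Returns the rights bob can end up with on f."""
    m = Matrix(["alice", "bob"], [], attenuate=attenuate)
    m.create("alice", "f")
    m.rights("alice", "f").add("r")
    m.closure()
    return set(m.rights("bob", "f"))


if __name__ == "__main__":
    print("with attenuation:   ", sorted(maximal_rights_for_bob(True)))
    print("without attenuation:", sorted(maximal_rights_for_bob(False)))
```

With the check in place, bob can only ever reach rights that some subject already holds on f, so 'w', which nobody holds, never appears anywhere in the closure; with the check removed, the closure fills every cell with every right.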

  3. (25 points) The proof of Theorem 3.1 states that we can omit the delete and destroy commands as they do not affect the ability of a right to leak when no command can test for the absence of rights. Justify this statement. If such tests were allowed, would delete and destroy commands affect the ability of a right to leak?

  4. (30 points) Prove or give a counterexample: The predicate can•share(α, x, y, G0) is true if and only if there is an edge from x to y in G0 labeled α, or if the following hold simultaneously:
    1. There is a vertex s with an s-to-y edge labeled α.
    2. There is a subject vertex x′ such that x′ = x or x′ initially spans to x.
    3. There is a subject vertex s′ such that s′ = s or s′ terminally spans to s.
    4. There is a sequence of subjects x1, …, xn with x1 = x′, xn = s′, and xi and xi+1 (1 ≤ i < n) being connected by an edge labeled t, an edge labeled g, or a bridge.

  5. (12 points) The discussion of acyclic creates imposes constraints on the types of created subjects but not on the types of created objects. Why not?


Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 235B, Foundations of Computer and Information Security
Version of March 30, 2025 at 5:14PM
