(20 points) Consider the construction of the three-parent joint creation operation from the two-parent joint creation operation shown in Section 3.5.2. One paper had crC(s, c) = c/R3 and link2(S, A3) = A3/t ∈ dom(S). Why is this not sufficient to derive the three-parent joint creation operation from the two-parent joint creation operation?
(18 points) Given the security levels L4, L3, L2, L1, and L0 (ordered from highest to lowest), and the categories C1, C2, and C3, specify what type of access (read, write, both, or neither) under the Bell-LaPadula model is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified.
Tom, cleared for (L4, {C2, C3}), wants to access a document classified (L3, {C2}}.
Annie, cleared for (L2, {C1}), wants to access a document classified (L2, {C2}).
Katie, cleared for (L0, {C3}), wants to access a document classified (L4, {C1, C3}).
Paul, cleared for (L3, {C1, C2}, wants to access a document classified (L3, {C1, C2}).
Judy, cleared for (L4, {C1, C2, C3}), wants to access a document classified (L3, {C1, C2}).
Sylvester, cleared for (L0, ∅) wants to access a document classified (L4, {C3}).
(18 points) Repeat the above question, but under the Biba Strict Integrity Policy model rathe than the Bell-LaPadula model.
(20 points) Prove Theorem 6.1 for the strict integrity policy of Biba’s model.
(14 points) In the Clark-Wilson model, must the TPs be executed serially, or can they be executed in parallel? If the former, why; if the latter, what constraints must be placed on their execution?
(10 points) In the Brewer-Nash (Chinese Wall) model, why must sanitized objects be in a single company dataset in their own conflict of interest class, and not in the company dataset corresponding to the institution producing the sanitized object?