Computer Security: Art and Science

5.8 Exercises

1:
Why is it meaningless to have compartments at the UNCLASSIFIED level (such as (UNCLASSIFIED, { NUC }) and ( UNCLASSIFIED, { EUR }))?
2:
Given the security levels TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, specify what type of access (read, write, or both) is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified.

Paul, cleared for (TOP SECRET, { A, C }), wants to access a document classified (SECRET, { B, C }).
Anna, cleared for (CONFIDENTIAL, { C }), wants to access a document classified (CONFIDENTIAL, { B }).
Jesse, cleared for (SECRET, { C }), wants to access a document classified (CONFIDENTIAL, { C }).
Sammi, cleared for (TOP SECRET, { A, C }), wants to access a document classified (CONFIDENTIAL, { A }).
Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, { B }).
3:
Prove that any file in the DG/UX system with a link count greater than 1 must have an explicit MAC label.
4:
In the DG/UX system, why is the virus prevention region below the user region?
5:
In the DG/UX system, why is the administrative region above the user region?
6:
Prove that the two properties of the hierarchy function (see Section 5.2.3) allow only trees and single nodes as organizations of objects.
7:
Declassification effectively violates the *-property of the Bell-LaPadula Model. Would raising the classification of an object violate any properties of the model? Why or why not?
8:
Prove Theorem 5�4. (Hint: Proceed along lines similar to the proof of Theorem 5�3.)
9:
Prove Theorem 5�5.
10:
Consider Theorem 5�6. Would the theorem hold if the requirement that z₀ be a secure state were eliminated? Justify your answer.
11:
Prove Theorems 5�9 and 5�11.
12:
Consider McLean's reformulation of the simple security condition, the *-property, and the ds-property (see page 146).

Does this eliminate the need to place constraints on the initial state of the system in order to prove that the system is secure?
Why do you believe Bell and LaPadula did not use this formulation?

Top

1:	Why is it meaningless to have compartments at the UNCLASSIFIED level (such as (UNCLASSIFIED, { NUC }) and ( UNCLASSIFIED, { EUR }))?
2:	Given the security levels TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, specify what type of access (read, write, or both) is allowed in each of the following situations. Assume that discretionary access controls allow anyone access unless otherwise specified. Paul, cleared for (TOP SECRET, { A, C }), wants to access a document classified (SECRET, { B, C }). Anna, cleared for (CONFIDENTIAL, { C }), wants to access a document classified (CONFIDENTIAL, { B }). Jesse, cleared for (SECRET, { C }), wants to access a document classified (CONFIDENTIAL, { C }). Sammi, cleared for (TOP SECRET, { A, C }), wants to access a document classified (CONFIDENTIAL, { A }). Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, { B }).
3:	Prove that any file in the DG/UX system with a link count greater than 1 must have an explicit MAC label.
4:	In the DG/UX system, why is the virus prevention region below the user region?
5:	In the DG/UX system, why is the administrative region above the user region?
6:	Prove that the two properties of the hierarchy function (see Section 5.2.3) allow only trees and single nodes as organizations of objects.
7:	Declassification effectively violates the *-property of the Bell-LaPadula Model. Would raising the classification of an object violate any properties of the model? Why or why not?
8:	Prove Theorem 5�4. (Hint: Proceed along lines similar to the proof of Theorem 5�3.)
9:	Prove Theorem 5�5.
10:	Consider Theorem 5�6. Would the theorem hold if the requirement that z₀ be a secure state were eliminated? Justify your answer.
11:	Prove Theorems 5�9 and 5�11.
12:	Consider McLean's reformulation of the simple security condition, the *-property, and the ds-property (see page 146). Does this eliminate the need to place constraints on the initial state of the system in order to prove that the system is secure? Why do you believe Bell and LaPadula did not use this formulation?