CS 8803b Computer Systems Security
Homework II
Due Date: Monday, November 22, 1999

  1. One of the requirements of a security kernel is verifiability. This can be a very difficult task even when the source code of the kernel is made available. You should read the paper "Reflections on Trusting Trust" (a Turing Award lecture available from http://www.acm.org/classics/sep95). Based on the arguments made in the paper, comment on the feasibility of verifiable kernels. Explain your answer.
  2. Consider a file system that performs an access check on open() operations. Once a file is opened, reads and/or writes can be carried out without access checks. Does such a system meet the completeness requirement of a reference monitor? Explain your answer.
  3. We discussed a state-machine model for a simple security policy. The policy required constraints and flow analysis. If we have a discretionary access control policy, would its state-machine model require constraints or flow analysis? Explain your answer.
  4. Modern processors support user/system execution modes, and this capability is used in meeting the isolation requirement of a security kernel. If such support is not provided, software-fault isolation may be used to enforce isolation. Discuss whether this can be done, and if your answer is yes, explain how.
  5. Non-repudiation means that the sender of a message cannot deny at a later time that he/she sent the message. Explain how non-repudiation can be provided in a system that employs public keys. Is it possible to provide non-repudiation in a shared-key system? Explain your answer.