1. HP Laboratories has developed a trusted version of the open source Linux operating system. Information on this system is available from a paper here. According to the criteria defined in the Orange Book for rating trusted computing systems, in what division/class would you place the trusted Linux from HP Labs? Explain your answer.
2. Modern processors efficiently provide memory protection at the granularity of an address space. To protect memory at a finer grain on the x86 architecture, however, the segment privilege level (SPL) and page privilege level (PPL) bits have to be used. The authors of the paper (Chiueh et al.) use these hardware-provided protection bits to build a safe kernel extension facility for Linux. First, discuss why the kernel must be protected from its extensions. Then, discuss in detail how the SPL/PPL mechanisms are used to ensure that kernel extensions do not have unguarded access to other parts of the kernel's address space.
3. To evaluate the password hardening scheme they propose, Reiter et al. introduce the notion of keystroke entropy. Explain what this entropy is. Can a similar notion of entropy be applied to passwords that are English phrases? If your answer is yes, derive the entropy of a phrase that is n characters long. If not, explain why this cannot be done.
4. Consider a system in which users can belong to groups, and groups can contain users as well as other groups. The system allows both positive and negative access rights for a resource to be associated with any user or group. Clearly, when user U makes a request, the system must check not only the access rights associated directly with U but also the rights of the groups to which U belongs, transitively. Discuss an efficient representation of the access control information in such a system. Based on this, show how a request from a user is granted or denied.
Consider the following idea for improving efficiency in this system. All access rights that follow from U's membership in various groups are pre-computed and stored where they can be looked up quickly when a request arrives from U. However, if the security policy changes (new groups are added or deleted, or the access rights associated with existing groups are changed), the pre-computed access rights may have to be invalidated or updated. Discuss when such pre-computing may be beneficial and the overheads associated with update/invalidation.
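The following is an added illustration of the model described in question 4, written for this sheet; it is not code from any of the papers or systems the sheet refers to. It represents direct group membership as parent edges, computes a user's transitive group set with a cycle-safe search, resolves positive and negative rights with a deny-overrides rule (an assumption: the question does not fix a conflict-resolution rule), and keeps two pre-computed caches that are invalidated when membership or rights change. The group, user and resource names are constructed sample data.

```python
"""Nested groups, positive/negative rights, and pre-computed access caches.

Added example for the question sheet, not code from the works it cites.
Assumptions: deny-overrides conflict resolution, default deny, and a
coarse invalidation strategy that drops every cached entry on any change.
"""
from collections import defaultdict, deque


class Policy:
    def __init__(self):
        self.parents = defaultdict(set)   # principal -> groups it is a direct member of
        self.acl = {}                     # resource -> {principal: {right: allow?}}
        self._closure = {}                # cache: user -> frozenset of transitive groups
        self._effective = {}              # cache: (user, resource) -> {right: allow?}
        self.resolutions = 0              # full evaluations performed (cache misses)

    # --- policy mutation; each kind of change invalidates what it can stale ---
    def add_member(self, group, principal):
        self.parents[principal].add(group)
        self._invalidate(membership=True)

    def remove_member(self, group, principal):
        self.parents[principal].discard(group)
        self._invalidate(membership=True)

    def set_right(self, resource, principal, right, allow):
        self.acl.setdefault(resource, {}).setdefault(principal, {})[right] = allow
        self._invalidate(membership=False)   # group structure is unchanged

    def _invalidate(self, membership):
        # Coarse strategy (assumed): drop everything. A finer one would drop
        # only users reachable from the changed group, at a bookkeeping cost.
        self._effective.clear()
        if membership:
            self._closure.clear()

    # --- transitive group membership: BFS over parent edges, cycle-safe ---
    def groups_of(self, user):
        if user not in self._closure:
            seen, queue = set(), deque(self.parents[user])
            while queue:
                g = queue.popleft()
                if g in seen:
                    continue
                seen.add(g)
                queue.extend(self.parents[g])
            self._closure[user] = frozenset(seen)
        return self._closure[user]

    # --- decision: merge entries of the user and all its groups ---
    def effective_rights(self, user, resource):
        key = (user, resource)
        if key not in self._effective:
            self.resolutions += 1
            entries = self.acl.get(resource, {})
            rights = {}
            for p in {user} | self.groups_of(user):
                for right, allow in entries.get(p, {}).items():
                    # deny-overrides: a single negative entry wins
                    rights[right] = rights.get(right, True) and allow
            self._effective[key] = rights
        return self._effective[key]

    def check(self, user, resource, right):
        return self.effective_rights(user, resource).get(right, False)  # default deny


def build_example():
    """Constructed sample policy: eng contains eng-leads and contractors."""
    p = Policy()
    p.add_member("eng", "eng-leads")
    p.add_member("eng", "contractors")
    p.add_member("eng-leads", "alice")
    p.add_member("contractors", "bob")
    p.set_right("repo", "eng", "read", True)
    p.set_right("repo", "eng", "write", True)
    p.set_right("repo", "contractors", "write", False)   # negative right
    return p


if __name__ == "__main__":
    p = build_example()
    print("bob write:", p.check("bob", "repo", "write"))     # False: deny via contractors
    print("alice write:", p.check("alice", "repo", "write")) # True: allow via eng
    p.remove_member("contractors", "bob")
    p.add_member("eng", "bob")                               # membership change -> caches dropped
    print("bob write after move:", p.check("bob", "repo", "write"))
```

The second check for the same user and resource is served from `_effective` without touching the ACL or the group graph, which is the benefit the question asks about; the cost shows up in `_invalidate`, where a single membership change discards every cached closure and every cached decision.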
5. In Multics, an access bracket, rather than a single ring, can be associated with a segment. What motivated the design of an access bracket instead of associating a single ring with a segment?
The Bell and La Padula report discusses the integration of their mandatory access control (MAC) policy in the context of Multics. Explain how a MAC policy can be implemented in Multics.
6. In our discussion of MAC policies for confidentiality of information, we assumed a shared-object model in which objects can be read or written. In message-oriented systems, services are accessed via send and receive calls (or via a remote procedure call that uses send/receive in a particular way). Develop rules analogous to the read-down and write-up rules for message-passing systems. Explain your answer.
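As an added reference point for question 6, the following block implements the shared-object rules the question starts from: labels form a lattice of a classification level and a set of categories, a subject may read an object only if the subject's label dominates the object's (read-down), and may write an object only if the object's label dominates the subject's (write-up). This is illustrative code written for this sheet, not from the Bell and La Padula report; the level names and the sample labels are constructed.

```python
"""Read-down / write-up checks over a confidentiality lattice.

Added example for the question sheet. Level names and samples are
constructed; the lattice is (level, categories) ordered by dominance.
"""

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


class Label:
    def __init__(self, level, categories=()):
        self.level = LEVELS[level]
        self.categories = frozenset(categories)

    def dominates(self, other):
        """self >= other in the lattice: higher-or-equal level and a superset of categories."""
        return self.level >= other.level and self.categories >= other.categories

    def __repr__(self):
        name = next(k for k, v in LEVELS.items() if v == self.level)
        return f"{name}{sorted(self.categories)}"


def can_read(subject, obj):
    """Simple security property: read only objects the subject dominates (read-down)."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property: write only objects that dominate the subject (write-up)."""
    return obj.dominates(subject)


def decisions(subject, objects):
    """Constructed helper: map each object to its (read, write) decision."""
    return {repr(o): (can_read(subject, o), can_write(subject, o)) for o in objects}


if __name__ == "__main__":
    s = Label("secret", {"nuclear"})
    for name, (r, w) in decisions(s, [
        Label("confidential"),                     # below: read yes, write no
        Label("top-secret", {"nuclear"}),          # above: read no, write yes
        Label("secret", {"nuclear"}),              # equal: both
        Label("secret", {"crypto"}),               # incomparable: neither
    ]).items():
        print(f"{name}: read={r} write={w}")
```

The incomparable case (same level, disjoint categories) is the one to keep in mind when translating the rules to send and receive: dominance is a partial order, so a pair of principals may be permitted to communicate in neither direction.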