CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Size: px

Start display at page:

Download "CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:"

Scot Palmer
6 years ago
Views:

1 CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME: There are 6 questions on this quiz. Each question is individually weighted. If you do not understand the question, please ask for clarification. 1

2 I. (24 Points) Use the concepts below to best match with the following statements. a certification authority b integrity c availability d security policy e security mechanism f confidentiality policy g DAC h covert channel i secure system j access control matrix k Chinese Wall model l MAC m ciphers n sandbox o mitigation of covert channels p authentication q Biba Model r Public Key Cryptosystem s Clark-Wilson Integrity Model t Bell-LaPadula Model prevents the unauthorized access to objects an environment in which the actions of a process are restricted according to a security policy key properties are existence and bandwidth a statement of what is and what is not allowed an individual user can set an access control mechanism to allow or deny access to an object binding of an identity to a subject an entity that issues certificates model of a security policy that refers equally to confidentiality and integrity transposition and substitution an entity or procedure that enforces some part of the security policy system mechanism controls access to an object and an individual user cannot alter that access the simple security condition and the *-property form the basis for this security model - 2 -

3 II. (16 Points) Classify each of the following as a violation of confidentiality, integrity, or availability and justify your answer (25 words or less). a. Alice forges Bob s signature on a deed. b. Alice copies Bob s program. c. Alice crashes Bob s web server. d. Alice spoof s Bob s IP address to gain access to his computer

4 III (8 Points) Create an access control matrix for the following situation: The computer system has 3 users, Alice, Bob, and Kathy. The files on the system have the attributes of read, write, own, and execute. Assume that the owner of a file can read that file. Alice owns the file abc, which Bob and Kathy can write Bob owns the file def, which Kathy can read and execute. Kathy owns the file xyz, which Alice can execute

5 IV. (16 Points) Using the Bell-LaPadula model, the simple security condition, the *-property, and the scenario below, specify if the action is allowed in each scenario and briefly (25 words or less) state the reason for your answer. We have 4 security levels, TOP SECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (highest to lowest). We also have categories X, Y, AND Z. Alice is cleared for SECRET and categories X and Y. a. Can she read a document classified TOP SECRET, Y? b. Can she write a document classified TOP SECRET, Y? c. Can she read a document classified SECRET, X? d. Can she write a document classified CONFIDENTIAL, Z? e. Can she write a document classified SECRET, Y? f. Can she read a document classified CONFIDENTIAL, X? g. Can she read a document classified CONFIDENTIAL, Z? h. Can she write a document classified UNCLASSIFIED, Y? - 5 -

6 V. (20 Points) a. In a classical cryptosystem, also called a symmetric cryptosystem, what does Alice need to know to be able to securely communicate with Bob? b. In a classical cryptosystem describe how Alice would encrypt the message m and how Bob would decrypt the encrypted message. c. In a Public Key Cryptosystem what does Alice need to know to be able to securely communicate with Bob? d. In a Public Key Cryptosystem describe how Alice would encrypt the message m and how Bob would decrypt the encrypted message. e. Using a Public Key Cryptosystem, describe how Alice would convenience Bob that the message m really did come from Alice and not from Kathy

7 VI. (16 Points) On the left are the names of the 8 design principles relative to secure systems and on the right is a brief description of the 8 design principles. Match the names with the principles. least common mechanism open design separation of privilege a. a subject should be given only those privileges that it needs in order to complete its task. b. unless a subject is given explicit access to an object, it should be denied access to that object. c. security mechanisms should be as simple as possible. psychological acceptability d. all accesses to objects be checked to ensure that they are allowed. fail-safe defaults complete mediation e. the security of a mechanism should not depend on the secrecy of its design or implementation. f. a system should not grant permission based on a single condition. least privilege g. mechanisms used to access resources should not be shared. economy of mechanism h. security mechanisms should not make the resource more difficult to access than if security mechanisms were not present

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Chapter 9: Database Security: An Introduction Nguyen Thi Ai Thao thaonguyen@cse.hcmut.edu.vn Spring- 2016 Outline Introduction to Database Security Issues Types of Security Threats to databases Database