微信客服:xiaoxionga100
微信客服:ITCS521
INFO5301-INFO5301代写-Assignment 4
时间:2023-03-17
INFO5301 Assignment 4
Information Security Management
This tutorial contains three exercises to learn practical applicability of security models. You should
attempt to answer these questions individually during the allocated time.
Exercise 1
Duration: 10 mins
The following Table explains security clearances for subjects and security classification for
objects in a company.
Subject Security Level Clearance
Alice Top Secret (TS)
Bob Secret (SC)
James Confidential (C)
Karl Unclassified (UC)
Object Security Level Classification
Payroll information Top Secret (TS)
Security Logs Secret (SC)
Activity logs Confidential (C)
Staff directory Unclassified (UC)
1.1 If Bell-La Padula security model is implemented, explain the following statements are
right or wrong, and why ?
1.1.1 James can obtain entrance door lock codes stored in security logs to enter the building
after office hours.
Answer: Wrong.
Bell-La Padula model is based on two primary rules;
• Simple-Security Property (ss-property or No Read UP): A subject can not read object
in the higher security clearance level.
• The star property (∗-property or No Write Down: A subject can not move information
from an object with a higher security classification (or write) to an object with a lower
classification.
1
INFO5301 Information Security Management
James is in level C, which is lower than the security level of Security Logs, SC. Thus, James
can not read security logs under Bell-La Padula model.
1.1.2 Alice can write to activity logs of the company.
Answer: Wrong. Despite Alice is in the highest security level, this violates ∗−property and
is not allowed.
"No write down" prevents someone with a higher security clearance mistakenly or inten-
tionally sharing confidential information by writing to an object at a lower security level.
1.1.3 Karl can add entry to payroll information folder.
Answer: Right. Although it seems odd, writing to higher security levels from lower level
subjects are not prohibited under Bell-La Padula model.
Therefore, Karl who is in the UC level can append an entry to TS payroll information.
The intuition behind this is that if a subject with new information wants to update the system
or wants to provide feedback, it is safer to let the subject to update higher security levels than
revealing potentially secret information to lower levels.
1.2 If Biba security model is implemented, explain the following statements are right or
wrong, and why ?
1.2.1 Alice can read activity logs of the company.
Answer: Wrong. Biba model is focused on preserving integrity and based the following
two rules;
• No read Down: Subject S can read object O only if Is (Integrity level of S) less than or
equal to Io (Integrity level of O).
• No write UP: Subject S can write to object O only if Io is less than or equal to Is.
Alice is in the highest security level and therefore under Biba model reading lower classified
information is prohibited.
1.2.2 Karl can add entry to payroll information folder.
Answer: Wrong. This violates the "No write UP" rule in Biba model.
This rule prevents information in higher security levels contaminated with unreliable infor-
mation from lower levels.
(Discussion:10 mins)
Exercise 2
Duration: 8 mins
Assume a Bell-La Padula model with security levels (H, L), such that H ≥ L, and security
categories (A, B).
2.1 Draw a lattice of security labels with directed arrows representing dominance relation-
ship among the labels. Note: Given a set of security levels and categories (L,C); (L1,C1) domi-
Information Security Management Page 2 of 5
INFO5301 Information Security Management
nates (L2,C2) iff; L1 ≥ L2 and C2 ⊆ C1.
Answer:
2.2 What does a path between two nodes in the lattice mean?
Answer: A path in the lattice from one node (L1) to another (L2) says that L2 dominates
L1. That means “information is allowed to flow" from L1 to L2. That can happen in either of
two ways:
- a subject at level L2 can read a level L1 object, or
- a subject at level L1 can write a level L2 object.
(Discussion:7 mins)
Exercise 3
Duration: 15 mins
Now, assume that the above company has decided to expand the security model presented
in Table 1 categorising objects in each security class into categories according to "need-to-
know" principle. The considered tree categories are (i) Financial - [FIN], (ii) Operational -
[OPR], and (iii) Research - [RES].
3.1 Draw a lattice for to show dominance relationship among difference combinations of
category labels in a given security level.
Answer:
3.2 Assume that Bob is cleared into security level (SC, [FIN, OPR]), and the following three
objects (files in this case) are classified as below;
Information Security Management Page 3 of 5
INFO5301 Information Security Management
• time_sheet.xls is classified as (C, [FIN]),
• front_door_lock.txt is classified as (SC, [OPR, RES]),
• server_room.txt is classified as (SC, [OPR]).
If Bell-La Padula security model is implemented, explain the following statements are right
or wrong, and why ?
3.2.1 Bob can update the overtime schedule of his team members in time_sheet.xls.
Answer: Wrong.
time_sheet.xls’s security classification C is less than Bob’s security level. time_sheet.xls’s
category is a subset of Bob’s, i.e. [FIN]⊆ [FIN,OPR]. Therefore, Bob dominates time_sheet.xls.
There will be a path from time_sheet.xls to Bob in the lattice.
However, according to “No write Down" rule in Bell-La Padula model, Bob cannot write to
time_sheet.xls, but Bob can read time_sheet.xls.
3.2.2 Bob can change front door lock codes in front_door_lock.txt because Bob has SC
security clearance.
Answer: Wrong.
Despite security levels are equal, front_door_lock.txt’s classification is not a subset of
Bob’s, i.e. [OPR,RES] ̸⊆ [FIN,OPR]. Therefore, there will not be a path between these two
nodes in the lattice, which means information cannot flow between these two nodes.
3.2.3 Bob can can change front door lock codes in server_room.txt because Bob has SC
security clearance.
Answer: Wrong.
Information Security Management Page 4 of 5
INFO5301 Information Security Management
Security levels are the same. server_room.txt’s classification [OPR] is a subset of Bob’s
categories [FIN,OPR]. Therefore, Bob dominates server_room.txt.
However, according to “No write Down" rule in Bell-La Padula model, Bob cannot write to
server_room.txt, but Bob can read server_room.txt.
Discussion: 10 mins
Information Security Management Page 5 of 5
Information Security Management
This tutorial contains three exercises to learn practical applicability of security models. You should
attempt to answer these questions individually during the allocated time.
Exercise 1
Duration: 10 mins
The following Table explains security clearances for subjects and security classification for
objects in a company.
Subject Security Level Clearance
Alice Top Secret (TS)
Bob Secret (SC)
James Confidential (C)
Karl Unclassified (UC)
Object Security Level Classification
Payroll information Top Secret (TS)
Security Logs Secret (SC)
Activity logs Confidential (C)
Staff directory Unclassified (UC)
1.1 If Bell-La Padula security model is implemented, explain the following statements are
right or wrong, and why ?
1.1.1 James can obtain entrance door lock codes stored in security logs to enter the building
after office hours.
Answer: Wrong.
Bell-La Padula model is based on two primary rules;
• Simple-Security Property (ss-property or No Read UP): A subject can not read object
in the higher security clearance level.
• The star property (∗-property or No Write Down: A subject can not move information
from an object with a higher security classification (or write) to an object with a lower
classification.
1
INFO5301 Information Security Management
James is in level C, which is lower than the security level of Security Logs, SC. Thus, James
can not read security logs under Bell-La Padula model.
1.1.2 Alice can write to activity logs of the company.
Answer: Wrong. Despite Alice is in the highest security level, this violates ∗−property and
is not allowed.
"No write down" prevents someone with a higher security clearance mistakenly or inten-
tionally sharing confidential information by writing to an object at a lower security level.
1.1.3 Karl can add entry to payroll information folder.
Answer: Right. Although it seems odd, writing to higher security levels from lower level
subjects are not prohibited under Bell-La Padula model.
Therefore, Karl who is in the UC level can append an entry to TS payroll information.
The intuition behind this is that if a subject with new information wants to update the system
or wants to provide feedback, it is safer to let the subject to update higher security levels than
revealing potentially secret information to lower levels.
1.2 If Biba security model is implemented, explain the following statements are right or
wrong, and why ?
1.2.1 Alice can read activity logs of the company.
Answer: Wrong. Biba model is focused on preserving integrity and based the following
two rules;
• No read Down: Subject S can read object O only if Is (Integrity level of S) less than or
equal to Io (Integrity level of O).
• No write UP: Subject S can write to object O only if Io is less than or equal to Is.
Alice is in the highest security level and therefore under Biba model reading lower classified
information is prohibited.
1.2.2 Karl can add entry to payroll information folder.
Answer: Wrong. This violates the "No write UP" rule in Biba model.
This rule prevents information in higher security levels contaminated with unreliable infor-
mation from lower levels.
(Discussion:10 mins)
Exercise 2
Duration: 8 mins
Assume a Bell-La Padula model with security levels (H, L), such that H ≥ L, and security
categories (A, B).
2.1 Draw a lattice of security labels with directed arrows representing dominance relation-
ship among the labels. Note: Given a set of security levels and categories (L,C); (L1,C1) domi-
Information Security Management Page 2 of 5
INFO5301 Information Security Management
nates (L2,C2) iff; L1 ≥ L2 and C2 ⊆ C1.
Answer:
2.2 What does a path between two nodes in the lattice mean?
Answer: A path in the lattice from one node (L1) to another (L2) says that L2 dominates
L1. That means “information is allowed to flow" from L1 to L2. That can happen in either of
two ways:
- a subject at level L2 can read a level L1 object, or
- a subject at level L1 can write a level L2 object.
(Discussion:7 mins)
Exercise 3
Duration: 15 mins
Now, assume that the above company has decided to expand the security model presented
in Table 1 categorising objects in each security class into categories according to "need-to-
know" principle. The considered tree categories are (i) Financial - [FIN], (ii) Operational -
[OPR], and (iii) Research - [RES].
3.1 Draw a lattice for to show dominance relationship among difference combinations of
category labels in a given security level.
Answer:
3.2 Assume that Bob is cleared into security level (SC, [FIN, OPR]), and the following three
objects (files in this case) are classified as below;
Information Security Management Page 3 of 5
INFO5301 Information Security Management
• time_sheet.xls is classified as (C, [FIN]),
• front_door_lock.txt is classified as (SC, [OPR, RES]),
• server_room.txt is classified as (SC, [OPR]).
If Bell-La Padula security model is implemented, explain the following statements are right
or wrong, and why ?
3.2.1 Bob can update the overtime schedule of his team members in time_sheet.xls.
Answer: Wrong.
time_sheet.xls’s security classification C is less than Bob’s security level. time_sheet.xls’s
category is a subset of Bob’s, i.e. [FIN]⊆ [FIN,OPR]. Therefore, Bob dominates time_sheet.xls.
There will be a path from time_sheet.xls to Bob in the lattice.
However, according to “No write Down" rule in Bell-La Padula model, Bob cannot write to
time_sheet.xls, but Bob can read time_sheet.xls.
3.2.2 Bob can change front door lock codes in front_door_lock.txt because Bob has SC
security clearance.
Answer: Wrong.
Despite security levels are equal, front_door_lock.txt’s classification is not a subset of
Bob’s, i.e. [OPR,RES] ̸⊆ [FIN,OPR]. Therefore, there will not be a path between these two
nodes in the lattice, which means information cannot flow between these two nodes.
3.2.3 Bob can can change front door lock codes in server_room.txt because Bob has SC
security clearance.
Answer: Wrong.
Information Security Management Page 4 of 5
INFO5301 Information Security Management
Security levels are the same. server_room.txt’s classification [OPR] is a subset of Bob’s
categories [FIN,OPR]. Therefore, Bob dominates server_room.txt.
However, according to “No write Down" rule in Bell-La Padula model, Bob cannot write to
server_room.txt, but Bob can read server_room.txt.
Discussion: 10 mins
Information Security Management Page 5 of 5
