1.
a.
           alicerc        bobrc          cyndyrc
Alice      own, execute   read           -
Bob        read           own, execute   -
Cyndy      read           read, write    own, read, write, execute
b.
           alicerc        bobrc          cyndyrc
Alice      own, execute   read           read
Bob        -              own, execute   -
Cyndy      read           read, write    own, read, write, execute
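The two matrices above, as an added example that is not part of the original solutions: the part (a) matrix is encoded, and the part (b) changes are carried out through Bishop-style conditional commands built from the primitive operations enter and delete. The command names grant and revoke, and the rule that only the owner of a file may grant or revoke rights on it, are assumptions of this example, not statements from the exercise.

```python
# Added example, not part of the original solutions. The command names and the
# owner-only rule for grant/revoke are assumptions of this example.
from copy import deepcopy

# Part (a) matrix, transcribed from the table above (rows: subjects, columns: files).
MATRIX_A = {
    "Alice": {"alicerc": {"own", "execute"}, "bobrc": {"read"}, "cyndyrc": set()},
    "Bob": {"alicerc": {"read"}, "bobrc": {"own", "execute"}, "cyndyrc": set()},
    "Cyndy": {"alicerc": {"read"}, "bobrc": {"read", "write"},
              "cyndyrc": {"own", "read", "write", "execute"}},
}


class AccessControlMatrix:
    """A[s, o] is the set of rights subject s holds over object o."""

    def __init__(self, rows):
        self.a = deepcopy(rows)  # keep the caller's matrix unchanged

    # Primitive operations: they change the matrix unconditionally.
    def enter(self, right, s, o):
        self.a[s][o].add(right)

    def delete(self, right, s, o):
        self.a[s][o].discard(right)

    # Commands: a condition that tests only for the PRESENCE of a right
    # (as exercise 2 assumes), guarding a body of primitive operations.
    def grant(self, right, p, q, f):
        """if own in A[p, f] then enter right into A[q, f]"""
        if "own" not in self.a[p][f]:
            return False  # condition fails: the body does not run
        self.enter(right, q, f)
        return True

    def revoke(self, right, p, q, f):
        """if own in A[p, f] then delete right from A[q, f]"""
        if "own" not in self.a[p][f]:
            return False
        self.delete(right, q, f)
        return True


def part_b():
    """Apply the two changes of part (b) and return the resulting matrix."""
    acm = AccessControlMatrix(MATRIX_A)
    acm.grant("read", "Cyndy", "Alice", "cyndyrc")  # Cyndy lets Alice read cyndyrc
    acm.revoke("read", "Alice", "Bob", "alicerc")   # Alice removes Bob's read on alicerc
    return acm.a
```

A command whose condition fails (for instance Bob trying to grant himself write on alicerc, which he does not own) returns False and leaves the matrix untouched.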
2.
TODO
The proof of Theorem 1 states that we can omit the delete and destroy commands as they do not affect the ability of a right to leak when no command can test for the absence of rights. Justify this statement. If such tests were allowed, would delete and destroy commands affect the ability of a right to leak?
The key part of Theorem 1 is that the sequence of commands is MINIMAL. This means that after ck (the final command) is executed, right r has been leaked from the system with initial state s0. Suppose there is a delete or destroy command in the sequence. Since commands can only test for the presence of a right, if a command fails to activate because the right has previously been deleted, then that command and the delete are unnecessary. This contradicts the claim that the sequence of commands is minimal. Hence, all deletes or destroys can be omitted.
If a test for the absence of rights existed, delete and destroy commands would affect the ability of a right to leak, because a subsequent command could check for the absence of a right and then call some other command or operation. Hence, omitting the delete or destroy commands would have an impact.
3.
a. Discretionary. In UNIX systems, users set permissions for which users can access which files.
b. Originator, because this system prohibits memoranda from being distributed without the creator's consent.
c. Mandatory. The policy will be enforced regardless of who approves or disapproves.
d. Discretionary. The faculty member is given permission to see the student's grades, but since the student did not create that information, this is not an originator-controlled access policy.
4.
a. Paul cannot read because {A, C} is not a subset of {B, C}. Paul cannot write because TOP SECRET > SECRET.
b. Anna cannot read because {C} is not a subset of {B}. Anna cannot write becaus
M2 M3 M4 M5 ....
M2 M3 M4
M2 M3
M2
Starting in the top left corner, and proceeding along the diagonals from the leftmost column to the topmost row, advance each Mi by one transition. As each Mi advances, we can determine whether the corresponding si is unsafe by whether a right leaks on that transition. If a right does not leak, we cannot correspondingly say that si is safe, because it may be the case that we simply have not yet reached the transition that will leak a right. Hence, by this mechanism, we run each machine one transition at a time. When a machine, and therefore a system, is declared unsafe, we add it to our list of unsafe systems. By this method, we may recursively enumerate which protection systems are unsafe.