Chapters 7 and 8 Homework Problems
  1. Bell-LaPadula can be summarized as: No read __up__, no write __down__.

  2. What is the primary difference between the low water mark principle and the high water mark principle? Give two examples, one where the low water mark principle applies and one where the high water mark principle applies. Which of these principles deals with confidentiality and which deals with data integrity?

    Solution: Following the low water mark principle, the lowest security level attained would remain in force while in the high water mark principle, the highest security level attained would remain in force. For example, LOMAC (as discussed in the book) implements the low water mark principle. In LOMAC there could be two levels, "high" for software on the system and "low" for the network. Then any program that, say, gets data from the network would be downgraded from high to low. This approach might help to contain viruses, for example.

    A standard BLP implementation could implement the high water mark principle. For example, when a user with a SECRET clearance logs into a classified computer, he would start at the UNCLASSIFIED level and only move up to a higher level as required.

  3. Give the title and very brief summary of a research paper that discusses a covert channel.

    Solution: There are many research papers on covert channels. While not technically a research paper, I found this paper very interesting.

  4. According to Ross Anderson, "The likelihood that a resource will be abused depends on its __value__ and the number of people who have __access__ to it."

  5. With respect to inference control, what are trackers? Briefly discuss two methods designed to defeat trackers.

    Solution: Trackers are the queries made of a database in attempt to draw inferences. For example, in a supposedly anonymous medical database, a few well-crafted queries might enable one to obtain private medical information of a specific individual. All of the "query control" methods discussed in the textbook are designed to defeat trackers. Examples include "n-respondent k%-dominance rule", cell suppression, the lattice model and randomization.