1. Show that the three security services (confidentiality, integrity, and availability) are sufficient to deal with the threats of disclosure, disruption, deception, and usurpation.

2. A respected computer scientist has said that no computer can ever be made perfectly secure. Why might she have said this?

3. Consider a computer system with three users: Alice, Bob, Cyndy. Alice owns the file alicerc, and Bob and Cyndy can read it. Cyndy can read and write the file bobrc, which Bob owns, but Alice can only read it. Only Cyndy can read and write the file cyndyrc, which she owns. Assume that the owner of each of these files can execute it.

a. Create the corresponding access control matrix.

b. Cyndy gives Alice permission to read cyndyrc, and Alice removes Bob's ability to read alicerc. Show the new access control matrix.

4. A noted computer security expert has said that without integrity, no system can provide confidentiality.

a. Do you agree? Justify your answer.

5. Classify each of the following as an example of a mandatory, discretionary, or originator controlled policy, or a combination thereof. Justify your answers.

a. The file access control mechanisms of the UNIX operating system.

b. A system in which no memorandum can be distributed without the author's consent.

c. A military facility in which only generals can enter a particular room.

Answer:

Answer explained below

Explanation:

1. Confidentiality prevents disclosure, availability prevents disruption, integrity prevents accepting wrong data. Availability and integrity will prevent disruption. If the possessed data is wrongly held, then its availability is affected. If actual data is impersonated, then integrity is affected.

2. Computers are invented by humans. They are programmed by humans. Humans may tend to make mistakes and may fail to take care of all real-time possibilities. Hence they may not be perfectly secure.

3.a. o-->owner r-->read w-->write x-->execute

                                             alicerc bobrc cyndyrc

      alice                           ox  

      bob                                   rr  

      cyndy

3b             alicerc     bobrc     cyndyrc

      alice    ox          r         r

      bob                  ox

      cyndy    r           rw        orwx

4. Integrity means that information is correct, and that data has not been corrupted in any way. Integrity ensures that information has not been compromised, that the information is valid and is a result of authenticated and controlled activities. If we don’t have any way to confirm and ensure that this is true, we can’t guarantee confidentiality.

5.a. Discretionary access control

Since users can assign and modify permissions that they possess, access control is discretionary.

5.b. Originator access control

This would be originator access control. This is because if I am the author of the memorandum, I am the one who can say my information can be distributed; no one else can.

5.c. Mandatory access control

The system controls access and an individual cannot change that. There is a somewhat tricky scenario though that could possibly make this discretionary: if there is an owner of the 'military facility' and this person also had the ability to promote military personnel to 'general'. In this way the facility owner could grant access to their facility.
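
The matrix asked for in question 3 and the two changes in 3b can be checked mechanically. The following Python sketch is an added example, not part of the original answer; the function names and the rule that only a file's owner may grant or revoke rights on it are assumptions made for illustration.

```python
# Added example: access control matrix for question 3 (rights from the question text).
OBJECTS = ["alicerc", "bobrc", "cyndyrc"]

def initial_matrix():
    """State for 3a as {subject: {object: set of rights}}; o=own r=read w=write x=execute."""
    return {
        "alice": {"alicerc": {"o", "x"}, "bobrc": {"r"}, "cyndyrc": set()},
        "bob": {"alicerc": {"r"}, "bobrc": {"o", "x"}, "cyndyrc": set()},
        "cyndy": {"alicerc": {"r"}, "bobrc": {"r", "w"}, "cyndyrc": {"o", "r", "w", "x"}},
    }

def require_owner(acm, actor, obj):
    # Assumption: discretionary model, only the owner may change rights on a file.
    if "o" not in acm[actor][obj]:
        raise PermissionError(f"{actor} does not own {obj}")

def grant(acm, actor, subject, obj, right):
    require_owner(acm, actor, obj)
    acm[subject][obj].add(right)

def revoke(acm, actor, subject, obj, right):
    require_owner(acm, actor, obj)
    acm[subject][obj].discard(right)

def apply_3b(acm):
    """The two changes described in 3b, applied in order."""
    grant(acm, "cyndy", "alice", "cyndyrc", "r")
    revoke(acm, "alice", "bob", "alicerc", "r")
    return acm

def cell(rights):
    # Canonical order so that {"x", "o"} always prints as "ox".
    return "".join(c for c in "orwx" if c in rights) or "-"

def render(acm):
    lines = ["".ljust(8) + "".join(o.ljust(10) for o in OBJECTS)]
    for subject, row in acm.items():
        lines.append(subject.ljust(8) + "".join(cell(row[o]).ljust(10) for o in OBJECTS))
    return "\n".join(lines)

if __name__ == "__main__":
    acm = initial_matrix()
    print(render(acm), end="\n\n")
    print(render(apply_3b(acm)))
```

A request by a non-owner, such as Bob trying to restore his own read right on alicerc, raises `PermissionError` under the ownership assumption.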
