Homework Six Solutions - Computer Security I | CS 461, Assignments of Computer Science

Material Type: Assignment; Professor: Hinrichs; Class: Computer Security I; Subject: Computer Science; University: University of Illinois - Urbana-Champaign; Term: Fall 2008;

Typology: Assignments

Pre 2010

Uploaded on 03/16/2009

koofers-user-sg5
koofers-user-sg5 🇺🇸

10 documents

1 / 4

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
Information Assurance: Homework 6 Answers and Comments
Due October 24, 2008.
1. With this question you will use some of the access control mechanisms provided
by mysql. There are numerous tutorials on basic SQL syntax. Slides from CS411
may be useful: http://www.cs.uiuc.edu/class/fa08/cs411/slides/cs411-06-sql-3.pdf.
Sections 12.1 and 12.2 of the mysql reference manual also provide a quick
overview of the syntax http://dev.mysql.com/doc/refman/5.0/en/sql-syntax.html.
Through part e, just leave your tables in your database. There is no need to
upload anything to compass. Include your answer to part f in the answers you
post to compass.
a. Each of you has a database created on the csil-linux machines. The
database name is <netid>_db, e.g., my database is shinrich_db. To
connect to your database, login to the csil-linux machine and issue the
command.
mysql -p -h csil-projects.cs.uiuc.edu <netid>_db
You will be prompted for a password. Your initial password is
<netid>dbpw.
b. Change your initial password from <netid>dbpw (replace <netid>
with your username) to a safer password using the command
set password = password("<new password>");
c. Create a table called test with attributes a (int) and b (varchar(20)).
Make a the primary key. Insert some values into test for a {1, 2, 3, 4,
5} (you may choose corresponding values for b). Grant read (select)
access for this table to users shinrich and leolson1. Note: you may
also wish to grant access to other users in the class to check your work for
this and for the other problems in this assignment; however, this is not
required. If other students have granted you access, use the command use
<netid>_db; to access their database (replace <netid> with the
username whose tables you want to access), and show tables; to list
the tables and views they have defined.
create table test(a int primary key, b varchar(20));
insert into test values(1, '1st string val');
... same for a=2, 3, 4, 5 ...
grant select on test to shinrich, leolson1;
d. Create a view called test_b that contains only column b from table
test. Grant read (select) and write access (insert, update, and delete) on
this view to users shinrich and leolson1.
pf3
pf4

Partial preview of the text

Download Homework Six Solutions - Computer Security I | CS 461 and more Assignments Computer Science in PDF only on Docsity!

Information Assurance: Homework 6 Answers and Comments

Due October 24, 2008.

  1. With this question you will use some of the access control mechanisms provided by mysql. There are numerous tutorials on basic SQL syntax. Slides from CS may be useful: http://www.cs.uiuc.edu/class/fa08/cs411/slides/cs411-06-sql-3.pdf. Sections 12.1 and 12.2 of the mysql reference manual also provide a quick overview of the syntax http://dev.mysql.com/doc/refman/5.0/en/sql-syntax.html. Through part e, just leave your tables in your database. There is no need to upload anything to compass. Include your answer to part f in the answers you post to compass. a. Each of you has a database created on the csil-linux machines. The database name is _db , e.g., my database is shinrich_db. To connect to your database, login to the csil-linux machine and issue the command. mysql -p -h csil-projects.cs.uiuc.edu _db You will be prompted for a password. Your initial password is dbpw. b. Change your initial password from dbpw (replace with your username) to a safer password using the command set password = password (""); c. Create a table called test with attributes a (int) and b (varchar(20)). Make a the primary key. Insert some values into test for a ∈ {1, 2, 3, 4, 5} (you may choose corresponding values for b). Grant read (select) access for this table to users shinrich and leolson1. Note: you may also wish to grant access to other users in the class to check your work for this and for the other problems in this assignment; however, this is not required. If other students have granted you access, use the command use _db; to access their database (replace with the username whose tables you want to access), and show tables ; to list the tables and views they have defined. create table test(a int primary key, b varchar(20)); insert into test values(1, '1st string val'); ... same for a=2, 3, 4, 5 ... grant select on test to shinrich, leolson1; d. Create a view called test_b that contains only column b from table test. Grant read (select) and write access (insert, update, and delete) on this view to users shinrich and leolson1.

create view test_b as select b from test;

grant select,insert,update,delete on test_b to

shinrich,leolson1;

e. Create a view called test_filter that displays columns a and b from table test, but only for rows in which a > 2. Grant read (select) and write access (insert, update, and delete) on this view to users shinrich and leolson1. create view test_filter as select * from test where a>2; grant select,insert,update,delete on test_filter to shinrich,leolson1; f. In what way is granting write access on test_filter as in step e misleading? It is misleading because users can insert values into test_filter that do not satisfy a>2, or can update existing rows such that they do not satisfy a>2. A careless database administrator might assume that the test_filter view would prevent such operations. i. Do an internet search on the SQL clause with check option , or refer to the MySQL manual at http://dev.mysql.com/doc/refman/5.0/en/create-view.html, and describe how you would change the test_filter view definition to fix this problem. alter view test_filter as select * from test where a>2 with check option; ii. Describe a scenario in which omitting the with check option would be an appropriate policy. Many possible answers here. One example scenario is a to-do list, where only items marked as unfinished appear in the view. The user can set them as finished, which would remove the items from the view while correctly changing the underlying table. For another example, sales representatives may partition customers geographically. When a customer moves, the sales representative can update the address even if it moves the customer out of his geographic area (and adding the customer to another representative's area).

  1. In this question you will work through evaluating labeled access following the Bell-LaPadula confidentiality model and Strict Biba integrity model. For the first two sections consider the following labeled entities: Subject Object Label Alice Zebra L Bob Yak L Carol Whale L

Subject Object Access? Alice Vole Read Bob Yak Read Ellen Zebra Append Dave Vole Nothing In class we only discussed the simple form of labels for Biba, but we mentioned the model could be extended to use the level and category labels as used in Bell-LaPadula. Now interpret the labels as integrity labels in the strict Biba model. Fill the access column with the access that strict Biba would give each subject to the corresponding object: read, append (or pure write). Subject Object Access? Alice Zebra Read and Append Bob Vole Append Ellen Yak Nothing Dave Unicorn Append

  1. Clark-Wilson rules can be used to enforce separation of duty. Identify two enforcement or certification rules that can be applied to enforce separation of duty, and describe how this can be done. Enforcement Rule 4 explicitly addresses separation of duty. The certifier of the TP may not have execute permission for that TP. So a single individual may not certify and program and then execute it. One individual must certify, and then another individual may execute. Enforcement Rule 2 and Certification Rule 3 address the allowed relationship which can be used to enforce separation of duty. The allowed relationship indicates which individuals may execute which programs on which data sets (CDI's). You could identify sensitive sequences of operations and set up the allowed relations to ensure that a single individual could not execute all the sets of sets in one of these sensitive sequences by himself. A lot of folks also mentioned ER3 which discusses authentication. If you described it in terms of enabling accurate enforcement of the allowed relationship or some other restrictions in the system I gave you points.