
Information Security

October – December
2009
Coursework
assignment 2

BSc Computer Science

exercise 1

a) Password characters may be any ASCII characters from 1 to 127, inclusive.

b) Password characters may be any alphanumeric characters (i.e., “A” through “Z”, “a”
through “z” and “0” through “9”).

c) Password characters must be digits (i.e., “0” through “9”).

(Note: You may need to use a calculator to solve this exercise.)

exercise 2

a) Mary

b) go2work

c) cat&dog

d) 3.1515pi

exercise 3

a) Write a set of access control lists for this scenario. Which list is associated with which
file?
Alice:{(x, rw), (y, r), (z, e)}
Bob:{(x, r), (y, r)}

b) Write the access control matrix for the system described above.

        x    y    z
Alice   rw   r    e
Bob     r    rw   -

Key:
rw = Read/Write
r = Read
e = execute
- = cannot access

c) Write the list of subjects and the list of objects for this system.
Subjects: Alice and Bob
Objects: x, y, z

exercise 4

a) Access control matrix.

b) Access control list.
With access control lists it is easier to authorise access during execution because they do not
require as much space as an access control matrix. Adding, deleting and creating access rights is also
easier than with the other two mechanisms because you can easily add new processes to, or delete them
from, the access control list.

(A) Access control matrix:


(i) ease of determining authorised access during execution: simple (just look up the appropriate
entry in the table).
(ii) ease of adding access for a new subject: not so simple – a new row in the matrix will need to
be created and completed.
(iii) ease of deleting access by a subject: relatively simple, since it simply means deleting a row in
the access control matrix.
(iv) ease of creating a new object to which all subjects have access by default: relatively simple,
since it simply means creating a column in the access control matrix with all entries ‘positive’.

(C) Per-object access control list (that is, one list for each object indicates all the subjects
who have access to that object; corresponds to one column of the matrix):
(i) ease of determining authorised access during execution: reasonable, as long as access to the
per-object access control list is straightforward.
(ii) ease of adding access for a new subject: not simple, since every object’s access control list
will need to be modified.
(iii) ease of deleting access by a subject: not simple, since every object’s access control list will
need to be modified.
(iv) ease of creating a new object to which all subjects have access by default: simple.

c) Per-subject list of access rights (i.e., an access control mechanism that maintains – for
each subject – a list of objects that the subject has access to).
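
The three mechanisms compared in exercise 4, as an added example that is not part of the original coursework: it stores the matrix from exercise 3(b) by row, derives the per-object and per-subject lists from it, and counts how many lists each mechanism must edit for the operations in (ii) to (iv). All function names are hypothetical.

```python
# Added example. Matrix values come from exercise 3(b); every function name is hypothetical.
# Rights are strings of single letters: r = read, w = write, e = execute.
MATRIX = {
    "Alice": {"x": "rw", "y": "r", "z": "e"},
    "Bob": {"x": "r", "y": "rw"},  # no entry for z means "cannot access"
}

def per_object_acls(matrix):
    """One list per object (a column of the matrix): subject -> rights."""
    acls = {}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subject] = rights
    return acls

def per_subject_lists(matrix):
    """One list per subject (a row of the matrix): object -> rights."""
    return {subject: dict(row) for subject, row in matrix.items()}

def acl_allows(acls, subject, obj, right):
    """Access check: find the object's list, then the subject's entry in it."""
    return bool(right) and right in acls.get(obj, {}).get(subject, "")

def subject_list_allows(lists, subject, obj, right):
    """Access check: find the subject's list, then the object's entry in it."""
    return bool(right) and right in lists.get(subject, {}).get(obj, "")

def revoke_subject_from_acls(acls, subject):
    """Delete a subject everywhere; return the number of object lists edited."""
    edited = 0
    for entries in acls.values():
        if entries.pop(subject, None) is not None:
            edited += 1
    return edited

def revoke_subject_from_lists(lists, subject):
    """Delete a subject's single list; return the number of lists edited."""
    return 1 if lists.pop(subject, None) is not None else 0

def add_default_object_to_acls(acls, subjects, obj, rights):
    """New object open to all subjects: one new list is created."""
    acls[obj] = {s: rights for s in subjects}
    return 1

def add_default_object_to_lists(lists, obj, rights):
    """New object open to all subjects: every subject's list is edited."""
    for row in lists.values():
        row[obj] = rights
    return len(lists)
```
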

exercise 5

The restrictions that are placed on two active subjects in the Bell-LaPadula model are that a subject at
a given security level may not read an object at a higher security level and that a subject at a given
security level must not write to any object at a lower security level.

With Bell-LaPadula, users can create content only at or above their own security level; similarly, users
can view content only at or below their own security level.

exercise 6

The standard Unix operating system uses discretionary access control, which governs the ability of
subjects to access objects and gives users the ability to make policy decisions and assign security
attributes.

The Unix system doesn’t allow policy administrators to implement organisation-wide security policies,
which is why it is a discretionary access control operating system.
