Some Solutions Ver 3 Security
from, say, domain A to domain B and enjoy the access privileges of domain B. Is this approach
equivalent to including the access privileges of domain B in those of domain A?
Answer: Yes, this approach is equivalent to including the access privileges of domain B in those
of domain A as long as the switch privileges associated with domain B are also copied over to
domain A.
Question Explain why a capability-based system such as Hydra provides greater flexibility than
the ring protection scheme in enforcing protection policies.
Answer: The ring-based protection scheme requires the modules to be ordered in a strictly
hierarchical fashion. It also enforces the restriction that system code in internal rings cannot
invoke operations in the external rings. This restriction limits the flexibility in structuring the code
and is unnecessarily restrictive. The capability system provided by Hydra not only allows for
unstructured interactions between different modules, but also enables the dynamic instantiation
of new modules as the need arises.
Question Consider a system in which “computer games” can be played by students only
between 10 P.M. and 6 A.M., by faculty members between 5 P.M. and 8 A.M., and by the
computer center staff at all times. Suggest a scheme for implementing this policy efficiently.
Answer: Set up a dynamic protection structure that changes the set of resources available with
respect to the time allotted to the three categories of users. As time changes, so does the
domain of users eligible to play the computer games. When the time comes that a user’s
eligibility is over, a revocation process must occur. Revocation could be immediate, selective
(since the computer staff may access it at any hour), total, and temporary (since rights to access
will be given back later in the day).
Question What hardware features are needed for efficient capability manipulation? Can these
be used for memory protection?
Answer: A hardware feature allowing a capability object to be identified as either a capability or
an accessible object. Typically, several bits are necessary to distinguish between different types
of capability objects. For example, 4 bits could be used to uniquely identify 2^4, or 16, different types
of capability objects. These could not be used for routine memory protection as they offer little
else for protection apart from a binary value indicating whether they are a capability object or
not.
Question Discuss the strengths and weaknesses of implementing an access matrix using
access lists that are associated with objects.
Answer: The strength of storing an access list with each object is the control that comes from
storing the access privileges along with each object, thereby allowing the object to revoke or
expand the access privileges in a localized manner. The weakness with associating access lists
is the overhead of checking whether the requesting domain appears on the access list. This
check would be expensive and needs to be performed every time the object is accessed.
Question Discuss the strengths and weaknesses of implementing an access matrix using
capabilities that are associated with domains.
Answer: Capabilities associated with domains provide substantial flexibility and faster access to
objects. When a domain presents a capability, the system just needs to check the authenticity of
the capability and that could be performed efficiently. Capabilities could also be passed around
from one domain to another domain with great ease allowing for a system with a great amount of
flexibility. However, the flexibility comes at the cost of a lack of control; revoking capabilities and
restricting the flow of capabilities is a difficult task.
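The two answers above side by side, as an added Go example that is not part of these solutions: an access list kept with the object (cheap, local, selective revocation; a list search per access) beside a capability held by the domain (one MAC to check, trivially passed around, but only total revocation is cheap). The HMAC tag and the per-object generation counter are assumed design choices, not anything the text specifies.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

// Access list kept with the object: a check is a lookup of the requesting domain
// in this object's own list, and revocation edits only this object.
type Object struct {
	ACL map[string]map[string]bool // domain -> right -> granted
}

func (o *Object) Check(domain, right string) bool { return o.ACL[domain][right] }
func (o *Object) Revoke(domain, right string)  { delete(o.ACL[domain], right) }

// Capability held by the domain: object, right, the object's generation and a
// tag only the kernel can compute; passing it to another domain is a plain copy.
type Capability struct {
	Object, Right string
	Gen           uint32
	Tag           []byte
}

// Kernel holds the MAC key (hypothetical design): a domain cannot mint or alter
// a capability, and a check is one MAC plus a generation compare, no list search.
type Kernel struct {
	key []byte
	gen map[string]uint32 // current generation of each object
}
func (k *Kernel) tag(obj, right string, gen uint32) []byte {
	var g [4]byte
	binary.BigEndian.PutUint32(g[:], gen)
	m := hmac.New(sha256.New, k.key)
	m.Write([]byte(obj + "\x00" + right + "\x00"))
	m.Write(g[:])
	return m.Sum(nil)
}
func (k *Kernel) Grant(obj, right string) Capability {
	return Capability{obj, right, k.gen[obj], k.tag(obj, right, k.gen[obj])}
}
func (k *Kernel) Valid(c Capability) bool {
	return c.Gen == k.gen[c.Object] && hmac.Equal(c.Tag, k.tag(c.Object, c.Right, c.Gen))
}

// RevokeAll is the only cheap revocation: bumping the generation kills every copy
// for obj in every domain at once; selective revocation would need copy tracking.
func (k *Kernel) RevokeAll(obj string) { k.gen[obj]++ }
```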
Question How are the access-matrix facility and the role-based access-control facility similar?
How do they differ?
Answer: The roles in a role-based access control are similar to the domain in the access-matrix
facility. Just like a domain is granted access to certain resources, a role is also granted access
to the appropriate resources. The two approaches differ in the amount of flexibility and the kind
of access privileges that are granted to the entities. Certain access-control facilities allow
modules to perform a switch operation that allows them to assume the privileges of a different
module, and this operation can be performed in a transparent manner. Such switches are less
transparent in role-based systems where the ability to switch roles is not a privilege that is
granted through a mechanism that is part of the access-control system, but instead requires the
explicit use of passwords.
Question A password may become known to other users in a variety of ways. Is there a simple
method for detecting that such an event has occurred? Explain your answer.
Answer: Whenever a user logs in, the system prints the last time that user was logged on the
system.
Question The list of all passwords is kept within the operating system. Thus, if a user manages
to read this list, password protection is no longer provided. Suggest a scheme that will avoid this
problem. (Hint: Use different internal and external representations.)
Answer: Encrypt the passwords internally so that they can only be accessed in coded form. The
only person with access or knowledge of decoding should be the system operator.
Question Discuss a means by which managers of systems connected to the Internet could have
designed their systems to limit or eliminate the damage done by a worm. What are the
drawbacks of making the change that you suggest?
Answer: “Firewalls” can be erected between systems and the Internet. These systems filter the
packets moving from one side of them to the other, assuring that only valid packets owned by
authorized users are allowed to access the protected systems. Such firewalls usually make use of
the systems less convenient (and network connections less efficient).
Question What are two advantages of encrypting data stored in the computer system?
Answer: Encrypted data are guarded by the operating system’s protection facilities, as well as a
password that is needed to decrypt them. Two keys are better than one when it comes to
security.
Question What commonly used computer programs are prone to man-in-the-middle attacks?
Discuss solutions for preventing this form of attack.
Answer: Any protocol that requires a sender and a receiver to agree on a session key before
they start communicating is prone to the man-in-the-middle attack. For instance, if one were to
implement a secure shell protocol by having the two communicating machines identify a
common session key, and if the protocol messages for exchanging the session key are not
protected by the appropriate authentication mechanism, then it is possible for an attacker to
manufacture a separate session key and get access to the data being communicated between
the two parties. In particular, if the server is supposed to manufacture the session key, the
attacker could obtain the session key from the server, communicate its locally manufactured
session key to the client, and thereby convince the client to use the fake session key. When the
attacker receives the data from the client, it can decrypt the data, re-encrypt it with the original
key from the server, and transmit the encrypted data to the server without alerting either the
client or the server about the attacker’s presence. Such attacks could be avoided by using digital
signatures to authenticate messages from the server. If the server could communicate the
session key and its identity in a message that is guarded by a digital signature granted by a
certifying authority, then the attacker would not be able to forge a session key, and therefore the
man-in-the-middle attack could be avoided.
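The key substitution described in this answer and the signed-message fix it proposes, as an added Go example that is not part of these solutions: the server signs its identity together with the session key, and the client adopts the key only if the signature verifies under the key it trusts for that identity. The message layout, the server name and the pinned trust map are assumptions, and Ed25519 stands in for whatever signature scheme a certifying authority would certify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedKeyMsg is a constructed message format: the server's identity, the
// session key it manufactured, and a signature covering both fields.
type SignedKeyMsg struct {
	ServerID   string
	SessionKey []byte
	Sig        []byte
}

// payload binds identity and key together so neither can be swapped alone.
func payload(id string, key []byte) []byte { return append([]byte(id+"|"), key...) }

// serverOffer builds the server's message; without Sig, a relay could swap SessionKey unnoticed.
func serverOffer(id string, priv ed25519.PrivateKey) SignedKeyMsg {
	key := make([]byte, 32)
	rand.Read(key)
	return SignedKeyMsg{id, key, ed25519.Sign(priv, payload(id, key))}
}
// clientAccept is the check the answer calls for: adopt the key only if the
// signature verifies under the public key trusted for ServerID (pinned here; a
// certificate from a certifying authority would supply it in practice).
func clientAccept(m SignedKeyMsg, trusted map[string]ed25519.PublicKey) ([]byte, error) {
	pub, ok := trusted[m.ServerID]
	if !ok {
		return nil, errors.New("no trusted key for server identity")
	}
	if !ed25519.Verify(pub, payload(m.ServerID, m.SessionKey), m.Sig) {
		return nil, errors.New("signature does not cover this session key")
	}
	return m.SessionKey, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"server.example": pub}
	genuine := serverOffer("server.example", priv)
	substituted := genuine // same message with the key swapped, as in the answer
	substituted.SessionKey = make([]byte, 32)
	_, e1 := clientAccept(genuine, trusted)
	_, e2 := clientAccept(substituted, trusted)
	fmt.Println("genuine accepted:", e1 == nil, "| substituted rejected:", e2 != nil)
}
```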
Question Compare symmetric and asymmetric encryption schemes, and discuss under what
circumstances a distributed system would use one or the other.
Answer: A symmetric encryption scheme allows the same key to be used for encrypting and
decrypting messages. An asymmetric scheme requires the use of two different keys for
performing the encryption and the corresponding decryption. Asymmetric key cryptographic
schemes are based on mathematical foundations that provide guarantees on the intractability of
reverse-engineering the encryption scheme, but they are typically much more expensive than
symmetric schemes, which do not provide any such theoretical guarantees. Asymmetric
schemes are also superior to symmetric schemes since they could be used for other purposes
such as authentication, confidentiality, and key distribution.