access control 1

Question 1

what is a security policy

Answer 1

a statement of what is and what is not allowed

Policy: A student is not allowed to sit in an exam on behalf of another student

Question 2

what is a security mechanism

Answer 2

a method or tool or procedure for enforcing a security policy
• Mechanism: ID check during exam

Question 3

what is principal and object in access control. what is bucktha seelan and a wig.

Answer 3

 The active entity requesting access to a resource is called principal.
 The resource that access is requested for is called object.

Question 4

what is the reference monitor. what is a referee that looks like a Picasso painting that’s in a class taking care of bucktha seelans

Answer 4

abstract machine enforcing access control; and mediating all access requests. The referee decides whether or not this or that bucktha seelan can enter

Question 5

in the study of computer security, what is the distinction between policy and mechanism=. when you give a paper ( rock paper scissors) to a police he turns into a machine.

Answer 5

apps have specifiic security requirements&raquo_space;» that are specified as security policies that are enforced by security mechanisms.
paper > police > machine.

Question 6

elaborate on what does reference monitor do 1

Answer 6

Reference monitor verifies the identity of the principal making the request.
Reference monitor decides whether access is granted or denied.

Question 7

elaborate on what does reference monitor do 2

Answer 7

 Reference monitor has to find and evaluate the security policy relevant for the given request.
 “Easy” in centralized systems, but in distributed systems,
 how to find all relevant policies?
 how to make decisions if policies may be missing?

Referee has to find the policeman that’s needed to recognise that bucktha seelan’s demands. IN zhonghua, that’s fine.
Across different bucktha seelans in all primary schools, that’s difficult.

Question 8

process of authentication. 6 steps.

Answer 8

1. put in your pass. and your username don’t make it lame
2. and if it’s right you’reauthen-ticat-ed for the night
3. I’ll run for you
4. I’ll make a little process with the rights for you
   security’s issues that you’re not sure exactly what I do

Question 9

distinguish between user, user identity and process

Answer 9

user is a person
user identity is the principal (name used in a system, possibly associated with the user),
process is a subject, which is running under a given user identity

Question 10

elaborate on requests in access control

Answer 10

requests to the refence monitor don’t come directly from a user or their identity, but from a process.
In the language of access control, the process speaks for the user (identity)
the active entity making a request within the system is called the subject
TLDR: the microphone speaks for seelan

Question 11

tell me more about principals and subjects

Answer 11

A principal is an entity that can be granted access to objects or can make statements affecting access control decisions.
• Example: user ID

Subjects operate on behalf of (human users we call) principals; access is based on the principal’s name bound to the
subject in some unforgeable manner at authentication time.
 Example: process (running under a user ID)

The microphone looks like seelans and speaks for him, kinda looks like him and is also bald

Question 12

what is the wig

Answer 12

the object, passive entity, either a file or resource

Question 13

what are access operations

Answer 13

: Vary from basic memory access (read, write) to method calls in object-oriented
systems.
 Comparable systems may use different access operations or attach different meanings to operations which appear to be the same

Question 14

what is the access right

Answer 14

the right to perform an access operation

Question 15

what is a permission

Answer 15

synonym for access right

Question 16

what is a privilege

Answer 16

a set of acerss rights given directly to roles like the admin and operator

Question 17

bell lapadula

Answer 17

execute- read append and right (kikichikicachikicul)

Question 18

observe means what

Answer 18

can read and write right!>

Question 19

alter means what

Answer 19

can append and read and wright sooooooo goooooood

Question 20

what does bell lapadula mean, like, what are the 4 points in it

Answer 20

1. In a multi usere OS, users open files to get access
   - –files are opened for read or for write access so that the OS can avoid conflicts like 2 users simultaneously writing to the same file. You go to the library, the bella librarian (some disney character shit in a poofy dress) opens up a book so you can either read or write in it. she gives you either reading glasses or a pen.
2. write access usually includes read access
   —a user editing a file should not be asked to open it twice, hence write includes observe and alter mode.
   if you select the pen, you also get the reading glasses. if you only select the reading glasses, you only get the reading glasses. Also the pen is weird because it’s attached to a readingglass, like, it’s a readinglass with the spines as pens.
3. few systems implement append.
   — allowing users to alter and object without observing its content is rare usefully (exception: audit log)
   you can’t just have a pen. like a regular pen not the ones that are reading glass spines. cos with that pen, you can’t read the book you’re writing in man, your eyesight isn’t good because of years of computer games, you’ll need the readinglasspens thing. Unless you’re literally writing a piece of shit (log).
4. a file can be used without being opened ( read)
   — like using a crypto key, this can be expressed by an execute that includes neither observe nor alter mode.
   if the librarian taps you on the shoulder, her dress turned black, the smell of rotting oranges and bad meat (like steaK) in the air and hands you the lkeys to the crypt, you are allowed to turn the keys; but you can’t look at them; you can’t twist them ( alter them). good luck.

Question 21

what are access operations on files and directories

Answer 21

read, write execute. for directories this would be to write: rename files in the directory and execute: search directory.

Question 22

what are admin rights policies for access control (what does the judge from good place do)

Answer 22

specific create and delete rights in windows
specific rights like grant and revoke in dmbs.

tldr:
I create I delete
I will grant and revok-e (reh-voh-key)
for dbms

Question 23

what is the state of a system

Answer 23

collection of the current values of all

memory/storage of the system.

Question 24

protection states

Answer 24

A security policy can be seen as defining a subset, called the protection states, of the set of all states a system can potentially be in.
 Execution of programs/processes alters the state of a system.
 Access control ensures that execution of programs, from an initial protection state, does not result in a state outside the protection states.

Question 25

When specifying a security policy, we deal with an abstracted state of a system, why?

Answer 25

cos it contains details revelant to the security policy

Question 26

The state of a system is defined by a triple (𝑆,𝑂, 𝑀). Son of Mine, as said by this ruler.

Answer 26

1. 𝑆𝑆 is a set of subjects, which are the active entities of the system. We
   assume that subjects are also objects; thus 𝑆𝑆 ⊆ 𝑂𝑂.
2. 𝑂𝑂 is a set of objects, which are the protected entities of the system.
3. 𝑀𝑀 is an access matrix; its rows corresponds to subjects and columns
   corresponds to objects.

Question 27

What is the notation in an access matrix

Answer 27

Given an access matrix M, we write Ms,o to mean the entry in M whose row corresponds to subject s and whose column corresponds to object o

For the king on carven throne, each one of his active military staff has a permitted list of how they are to attend to each member of the civilian populace ( kill main, delete, help, etc). And all of this is done with the help of the MATRIX, which is green and glowy.

 Each entry 𝑀𝑀𝑠𝑠,𝑜𝑜 contains a set of access rights of subject 𝑠𝑠 for object 𝑜𝑜.
 The set of access rights specify the kinds of access operations that may be performed on different types of objects, e.g, read, write, and execute for files.
 Some access rights may be generic, i.e., apply to more than one type of object. For example, the ownership right.

Question 28

what is the simple system example in an access matrix

Answer 28

consider a simple system having two processes p1 and p2, two memory segments m1 and m2 and two files f1 and f2

each process has its own private memory segment and owns one file

neither process can control the other process

permitted access operations in clude read write execute and ownership (own)

two bucktha seelans are each carrying a computer server and a notebook in their hands. They both look at each other, neither one of them can fuck with the other

Question 29

what are subjects, objects and access rights. and then give an example.

Answer 29

 Subjects: procedures (or activations of procedures)
 Objects: data structures and procedures
 Access rights for a data object is determined by the operations and procedures that may be
applied to objects of that type

The access rights for an integer variable consists of the arithmetic and relational operators (+,*,

Question 30

consider an access control matrix to control access to fields in a database

Answer 30

 Subjects: authorised users.
 Objects: records and fields
 Access operations can be command in SQL, e.g., Insert and Update (for inserting and updating a record).
 Entries in the access matrix may be determined by evaluating a Boolean expression.
• The access rights are not explicitly stored.
• Whenever a subject attempts to access an object using an access right r (SQL command), an Boolean expression associated with r is evaluated. If it is true, access is allowed, otherwise access is denied.

bucktha gives a ballon to the grand lilnasx in orange (citrix server SQL database). if it is true, access is allowed. bucktha sweats. he wants this. his hair lifts off

Question 31

what is a boolean expression evaluation

Answer 31

subject alan: Attributes role (researcher), groups (faculty)
verb draw: Default 0 (deny unless explicitly granted)

 Rule: Alan draw experiment1 if:
 ‘researcher’ in subject.role and
 ‘faculty’ in subject.groups and
 time.hour ≥ 0 and time.hour < 8

Question 32

what 6 primitive commands did harrison, ruzzo and ullman (HRU) identify

Answer 32

1. i can create bucktha
2. I can create a wig
3. i can give b (bucktha) the right to wear his wig when I give him the miso soup that’s hot and steamy (Mso)
4. I can delete b’s right to the wig. he is sad again.
5. I can kill b
6. I can destroy the wig
7. create subject 𝑠𝑠: creates a new subject s.
8. create object 𝑜𝑜: creates a new object o.
9. enter 𝑟𝑟 into 𝑀𝑀𝑠𝑠,𝑜𝑜: adds right 𝑟𝑟 to cell 𝑀𝑀𝑠𝑠,𝑜𝑜.
10. delete 𝑟𝑟 from 𝑀𝑀𝑠𝑠,𝑜𝑜: deletes right 𝑟𝑟 from cell 𝑀𝑀𝑠𝑠,𝑜𝑜.
11. destroy subject 𝑠𝑠: deletes subject s. The column and row for s in 𝑀𝑀 are also deleted.
12. destroy object 𝑜𝑜: deletes object 𝑜𝑜. The column for 𝑜𝑜 in 𝑀𝑀 is also deleted.

Question 33

can the 6 HRU commands be combined to form more complex commands

Answer 33

yes. can include if conditionals etc etc.

Question 34

what is a copy right

Answer 34

 The copy right or the grant right allows the owner of an object to grant rights to another.
 Only the rights that the owner possesses may be granted.
 The owner may or may not surrender the rights, depending on systems being modelled.
 This right is often considered a flag attached to other rights; thus it is known as the copy flag’

b can give you his wig, but it’ll have a flag attached to it now

Question 35

what is the own right

Answer 35

 The own right enables the possessor to add or delete privileges for themselves.
 The possessor can, for example, delete read or write privilege from itself.
 It also allow the possessor to grant rights to others.
 The owner of an object is usually the creator

Question 36

PRINCIPLE OF ATTENUATION OF PRIVILEGE

Answer 36

A subject may not give rights it does not possess to another
 On most systems, the owner of an object can give rights over the object to other subjects, regardless of whether those rights are enabled or not.
 This does not violate the principle of attenuation of privilege, as long as the owner can grant itself the rights for itself.
 This is the case in Unix/Linux systems