| 1. | Give an example of the use of physical separation for security in a computing environment. |
| 2. | Give an example of the use of temporal separation for security in a computing environment. |
| 3. | Give an example of an object whose security level may change during execution. |
| 4. | Respond to the allegation "An operating system requires no protection for its executable code (in memory) because that code is a duplicate of code maintained on disk." |
| 5. | Explain how a fence register is used for relocating a user's program. |
| 6. | Can any number of concurrent processes be protected from one another by just one pair of base/bounds registers? |
| 7. | The discussion of base/bounds registers implies that program code is execute-only and that data areas are read-write-only. Is this ever not the case? Explain your answer. |
| 8. | A design using tag bits presupposes that adjacent memory locations hold dissimilar things: a line of code, a piece of data, a line of code, two pieces of data, and so forth. Most programs do not look like that. How can tag bits be appropriate in a situation in which programs have the more conventional arrangement of code and data? |
| 9. | What are some other levels of protection that users might want to apply to code or data, in addition to the common read, write, and execute permission? |
| 10. | If two users share access to a segment, they must do so by the same name. Must their protection rights to it be the same? Why or why not? |
| 11. | A problem with either segmented or paged address translation is timing. Suppose a user wants to read some data from an input device into memory. For efficiency during data transfer, often the actual memory address at which the data are to be placed is provided to an I/O device. The real address is passed so that time-consuming address translation does not have to be performed during a very fast data transfer. What security problems does this approach bring? |
| |
| 12. | A directory is also an object to which access should be controlled. Why is it not appropriate to allow users to modify their own directories? |
| 13. | Why should the directory of one user not be generally accessible (for read-only access) to other users? |
| 14. | Describe each of the following four kinds of access control mechanisms in terms of (a) ease of determining authorized access during execution, (b) ease of adding access for a new subject, (c) ease of deleting access by a subject, and (d) ease of creating a new object to which all subjects by default have access. per-subject access control list (that is, one list for each subject tells all the objects to which that subject has access) per-object access control list (that is, one list for each object tells all the subjects who have access to that object) access control matrix capability
|
| 15. | Suppose a per-subject access control list is used. Deleting an object in such a system is inconvenient because all changes must be made to the control lists of all subjects who did have access to the object. Suggest an alternative, less costly means of handling deletion. |
| 16. | File access control relates largely to the secrecy dimension of security. What is the relationship between an access control matrix and the integrity of the objects to which access is being controlled? |
| 17. | One feature of a capability-based protection system is the ability of one process to transfer a copy of a capability to another process. Describe a situation in which one process should be able to transfer a capability to another. |
| 18. | Describe a mechanism by which an operating system can enforce limited transfer of capabilities. That is, process A might transfer a capability to process B, but A wants to prevent B from transferring the capability to any other processes. Your design should include a description of the activities to be performed by A and B, as well as the activities performed by and the information maintained by the operating system. |
| 19. | List two disadvantages of using physical separation in a computing system. List two disadvantages of using temporal separation in a computing system. |
| 20. | Explain why asynchronous I/O activity is a problem with many memory protection schemes, including base/bounds and paging. Suggest a solution to the problem. |
| 21. | Suggest an efficient scheme for maintaining a per-user protection scheme. That is, the system maintains one directory per user, and that directory lists all the objects to which the user is allowed access. Your design should address the needs of a system with 1000 users, of whom no more than 20 are active at any time. Each user has an average of 200 permitted objects; there are 50,000 total objects in the system. |
| 22. | If passwords are three uppercase alphabetic characters long, how how much time would it take to determine a particular password, assuming that testing an individual password requires 5 seconds? Argue for a particular amount of time as the starting point for "secure." That is, suppose an attacker plans to use a brute force attack to determine a password. For what value of x (the total amount of time to try as many passwords as necessary) would the attacker find this attack prohibitively long? If the cutoff between "insecure" and "secure" were x amount of time, how long would a secure password have to be? State and justify your assumptions regarding the character set from which the password is selected and the amount of time required to test a single password.
|
| 23. | Design a protocol by which two mutually suspicious parties can authenticate each other. Your protocol should be usable the first time these parties try to authenticate each other. |
| 24. | List three reasons people might be reluctant to use biometrics for authentication. Can you think of ways to counter those objections? |
| 25. | False positive and false negative rates can be adjusted, and they are often complementary: Lowering one raises the other. List two situations in which false negatives are significantly more serious than false positives. |
| 26. | In a typical office, biometric authentication might be used to control access to employees and registered visitors only. We know the system will have some false negatives, some employees falsely denied access, so we need a human override, someone who can examine the employee and allow access in spite of the failed authentication. Thus, we need a human guard at the door to handle problems, as well as the authentication device; without biometrics we would have had just the guard. Consequently, we have the same number of personnel with or without biometrics, plus we have the added cost to acquire and maintain the biometrics system. Explain the security advantage in this situation that justifies the extra expense. |
| 27. | A flaw in the protection system of many operating systems is argument passing. Often a common shared stack is used by all nested routines for arguments as well as for the remainder of the context of each calling process. Explain what vulnerabilities this flaw presents. Explain how the flaw can be controlled. The shared stack is still to be used for passing arguments and storing context.
|
| 28. | Outline the design of an authentication scheme that "learns." The authentication scheme would start with certain primitive information about a user, such as name and password. As the use of the computing system continued, the authentication system would gather such information as commonly used programming languages; dates, times, and lengths of computing sessions; and use of distinctive resources. The authentication challenges would become more individualized as the system learned more information about the user. Your design should include a list of many pieces of information about a user that the system could collect. It is permissible for the system to ask an authenticated user for certain additional information, such as favorite book, to use in subsequent challenges. Your design should also consider the problem of presenting and validating these challenges: Does the would-be user answer a truefalse or a multiple-choice question? Does the system interpret natural language prose? |
