CSCE 790 – Secure Database Systems_4_

Test 2 Preparation
Lectures Covered
   Sept. 30.   Lecture 11:      Software Security and Risk Management
   Oct. 5.     Lecture 12:      Identification and Authentication

   Oct. 12.    Lecture 13:      Malicious Code
   Oct. 14.    Lecture 14:      Access Control
   Oct. 19.    Lecture 15:      Access Control – DAC
   Oct. 21.    Lecture 16:      Access Control – MAC
   Oct. 26.    Lecture 17:      Access Control – RBAC
   Oct. 28.    Lecture 18:      Database Security
   Nov. 2.     Lecture 19:      Inference Problem & Privacy Preserving Data Mining




Lecture 19                    CSCE 522 - Farkas                           2
Lecture Materials
   All slides for the lectures listed on the previous slide




Reading Materials
   Pfleeger and Pfleeger:
     Chapter 3: everything. No specifics about a particular virus will be asked
       (e.g., no question like “What is the Brain virus?”); in 3.4, just
       understand the types of malicious code.
     Chapter 4: 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9
     Chapter 5: 5.1, 5.2, 5.3, related sections of 5.6, 5.7, 5.8
     Chapter 6: everything except 6.3
     Chapter 10: 10.3, 10.4
Additional readings
1.    G. McGraw, Software Security,
      http://www.cigital.com/papers/download/bsi1-swsec.pdf
2.    An Introduction to Computer Security: The NIST Handbook,
      http://csrc.nist.gov/publications/nistpubs/800-12/handbook.pdf : Chapter
      16, Identification and Authentication, pages 180-194
3.    Ravi Sandhu and P. Samarati, Access Control: Principles and Practice,
      IEEE Communications, Volume 32, Number 9, September 1994
      http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.30.5029
4.    Ravi Sandhu, Lattice-Based Access Control Models, IEEE Computer,
      Volume 26, Number 11 (Cover Article), November 1993
      http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.54.8395



5.    Ravi Sandhu, Edward Coyne, Hal Feinstein and Charles Youman,
      Role-Based Access Control Models, IEEE Computer, Volume 29, Number 2,
      February 1996 http://csrc.nist.gov/rbac/sandhu96.pdf
6.    Multilevel Secure Relational Data Model (S. Jajodia, R. S. Sandhu.
      Toward a Multilevel Secure Relational Data Model. Proc. 1991 ACM
      Int'l. Conf. on Management of Data (SIGMOD), 50-59.
      http://www.list.gmu.edu/articles/infosec_collection/20.pdf )
7.    Jajodia, Meadows: Inference Problems in Multilevel Secure Database
      Management Systems
      http://www.acsac.org/secshelf/book001/book001.html, essay 24
8.    I. Moskowitz, M. H. Kang: Covert Channels – Here to Stay?
      http://citeseer.nj.nec.com/cache/papers/cs/1340/http:zSzzSzwww.itd.nrl.navy.milzSzITDzSz5540zSzpublicationszSzCHACSzSz1994zSz1994moskowitz-compass.pdf/moskowitz94covert.pdf
Sample questions
   Given security levels Secret (S) < Top-Secret (TS) and domains
    {Navy (N), Air Force (AF)}:
     Show the lattice structure of the security labels composed from these
      levels and domains.
     Using original BLP, list the security labels that John Hammer, with
      (S,{N,AF}) clearance, is permitted to 1) read, 2) write. (5 points)




   Given a query Q=Sum(Female and CSCE and
    2000) over relation Students={Name, Sex,
    Major, Year}. Construct a tracker for Q.

   Indirect information flow may be created by
    inferences. Give an example of an unauthorized
    inference that cannot be controlled using
    traditional access control.


   Explain and compare open and closed
    access control models. How do they
    guarantee information confidentiality and
    availability?

   What are the 2 BLP Axioms? Explain how
    they prevent downward information flow.

   Explain what the sentence “Think like an attacker” means
    for software developers. How can this approach strengthen
    software security?
   Consider the following role hierarchy, where R1, R2, R3, R4, R5 are the
    roles, and p1, p2, p3, p4, p5, p6, p7, p8 are the privileges assigned to
    the roles by which they are listed. (picture here!)
      What are all the privileges available for R3?
      If a user, cleared for R1, wants to use privileges p1, p2, and
        p5 only, at what role should s/he login? Why?


				
DOCUMENT INFO
posted:8/26/2011
language:English
pages:10