CIS/CSE 774   -   Fall 2013

Information about Exam 3


General Overview

  • When: Thursday, December 5 in class.
  • How: Open book, open papers, open notes, closed friends.

  • Coverage:
      • Everything from Exam 1 and Exam 2, plus...
      • Military security policies (Bell-La Padula)
      • Commercial integrity policies (Biba's Strict Integrity)
      • RBAC, including: roles, permission assignments, user assignments, role inheritance, sessions, static separation of duty, dynamic separation of duty
      • Representing and reasoning about security and integrity policies in the access-control logic
      • Representing and reasoning about RBAC in the access-control logic
      • Short version: everything through HW 9

  • Types of Questions You Should Expect

    Note: I don't promise to ask only the following sorts of questions. However, if you can answer these sorts of questions, you should be in good shape.

  • When given a set of security (or integrity) labels/levels, an ordering on them, and an assignment of levels to principals and objects, you should be able to determine whether discretionary read/write access to a particular object is allowed for a particular principal.
  • When given a set of roles, permission assignment, user assignment, and role-hierarchy relation, you should be able to calculate the following:
      • authorized permissions for a given role
      • authorized users for a given role
      • permissions for a given session
  • When given a set of roles, permission assignment, user assignment, role-hierarchy relation, and static and dynamic separation-of-duty relations, you should be able to determine whether the collection of definitions is self-consistent. Furthermore, if there are inconsistencies among the definitions, you should be able to identify them and explain the problems succinctly and precisely.
  • When given an access-control scenario, define a set of roles, permission assignment, user assignment, role-hierarchy relation, and static and dynamic separation-of-duty relations, to accurately reflect the scenario. As a small piece of this, you should be able to distinguish between static and dynamic separation of duty and to choose correctly between the two of them.
  • When given a "real life" scenario that incorporates military security policies, commercial integrity policies, or RBAC, you should be able to formally describe the scenario in the access-control logic and show how access-control decisions are made using the inference rules of the access-control logic.
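    As an added illustration of the RBAC calculations listed above (this is not course material; the roles, users, permissions and the hierarchy are constructed sample data), the following Python computes authorized permissions and users of a role, the permissions of a session, and checks whether the definitions are consistent with a static separation-of-duty constraint. The sample deliberately contains an inconsistency: the manager role inherits both roles of an SSD pair, so any manager is authorized for both.

```python
# Added example, not part of the course page. Sample RBAC definitions
# (constructed): senior -> directly junior roles; senior inherits junior's permissions.
RH = {"manager": {"clerk", "auditor"}, "clerk": set(), "auditor": set()}
PA = {"clerk": {"post_entry"}, "auditor": {"approve_entry"}, "manager": {"sign_report"}}
UA = {"alice": {"clerk"}, "bob": {"auditor"}, "carol": {"manager"}}
# SSD constraint: no user may be authorized for 2 or more of these roles.
SSD = [({"clerk", "auditor"}, 2)]


def juniors(role):
    """All roles at or below `role` in the hierarchy (reflexive-transitive closure)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(RH.get(r, ()))
    return seen


def authorized_permissions(role):
    """Permissions assigned to `role` or to any role it inherits."""
    return set().union(*(PA.get(r, set()) for r in juniors(role)))


def authorized_users(role):
    """Users assigned to `role` or to any role senior to it."""
    return {u for u, roles in UA.items() if any(role in juniors(r) for r in roles)}


def session_permissions(user, active_roles):
    """Permissions available in a session; only assigned roles may be activated."""
    if not active_roles <= UA.get(user, set()):
        raise ValueError(f"{user} may only activate roles assigned to them")
    return set().union(*(authorized_permissions(r) for r in active_roles))


def ssd_violations():
    """Users whose authorized roles (including inherited ones) breach an SSD constraint."""
    problems = []
    for u, roles in UA.items():
        authorized = set().union(*(juniors(r) for r in roles))
        for role_set, n in SSD:
            if len(authorized & role_set) >= n:
                problems.append((u, sorted(authorized & role_set)))
    return problems
```

Running `ssd_violations()` on this sample reports carol, which points at the real defect: the hierarchy itself conflicts with the SSD relation, not merely one user assignment.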

  • For Some Practice

    The 2011 exam, and some sample solutions


    The Aftermath:

    The exam itself, plus sample solutions


    Last modified: Mon Dec 9 09:44:34 EST 2013
    Susan Older / sueo@ecs.syr.edu