1. Compare and contrast the various issues of building security into a system from the initial implementation versus adding security to an existing system. Discuss the problems and issues of one approach versus the other. Consider the functionality provided by the reference monitor in a TCB. Discuss the problems and issues of retrofitting a reference monitor to an existing implementation versus implementing the reference monitor from the initial implementation. Good answers will address each of the previously stated points and will also provide specific examples with explanations.
2. Provide examples in your home or work computing environment that support the following principles. Relate them to your computing environment and be specific. Hint: The examples could range from the internal workings of various mechanisms, to policies, to processes you have used in implementation, to functionality provided by an application visible to the user. Provide examples and discuss them to show your understanding of each concept.
Granularity of Access:
3. Requirements question.
Describe what a functional requirement is.
Describe what an assurance requirement is.
Provide an example of each by writing an actual functional requirement and the corresponding assurance requirement, using some aspect of a system for your example. For example, you could write a requirement based on user interface behavior, file access, audit logging or various other areas of functionality. It does not have to be long, but it needs to demonstrate your understanding of these concepts.
4. Different formal security models describe different access models. Formal security models are useful reference models for evaluating the attributes of various implementations. The following phrases are used to describe some specific access models. Identify the security model each phrase is associated with and explain what the phrase means in the context of that security model. Add some information about each security model along with each phrase, and a practical example to show your understanding of the respective security model.
· No read up, no write down.
· Read up, write down. Or, stated differently: no read down, no write up.