Quick and Dirty Answers to Test 1

1. Secret {nato,seato,nuke,fra-frg}
   (must dominate both of the other labels)

2. purge_u_(w) = { (u',c)* | major(u) = major(u') }

3. non-bypassable (always invoked)
   tamperproof
   small (verifiable)

4. In a synchronized fashion, cooperating high-level and low-level
   processes do the following:
   At each time interval, the low-level user tries to access
   the tape drive (success=1, failure=0).
   At each time interval, the high-level user either takes
   control or neglects to take control of the drive (0, takes
   control; 1, neglects to).

5. a) Look for repeated groups of 3 or more characters (2 if desperate)
      count distances between
      find least common multiple (this is # of alphabets)

   b) nopqrstuvwxyzabcdefghijklm (plain alphabet)
      evilpurzadcfghjkmnoqstwxyz (cipher alphabet)

6. a(2) Tagged architectures would need new OS (no backward
        compatibility)
   b(3) Base & Bound registers protect users' spaces from each
        other, allowing multi-user systems
   c(3) Matrix would be very large and sparse (waste space)
        Adding/deleting rows/columns (subjects/objects) would
        be slow (possibly require disk paging)
   d(2) None of the labels dominates the other two

7. All of the models are easy to understand and build (well, just as
   easy as BLP).

   Original:  Add two new rules, simple-integrity & *-integrity (just
              inverses of BLP rules).  Effectively isolates information
              at each level (not practical).

   Double-Label:  Same as above, but includes integrity as well as
              confidentiality labels.  Unfortunately, there is no
              "official scheme" for determining "integrity labels",
              hard to label folks thusly.

   Floating Labels:  Integrity labels (of subject/object) are adjusted
              downward on access (observe/modify respectively).  No
              limitation on access provided by integrity rules.  Labels
              quickly float down; no information provided once all labels
              drop down.
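   The floating-label behaviour described above, as an added example (not
   part of the original answer key). The level names, subjects, objects and
   access trace are constructed for illustration.

```python
# Floating integrity labels: every access is granted, and the label of the
# subject (on observe) or of the object (on modify) floats down to the lower
# of the two labels involved.
LEVELS = {"low": 0, "medium": 1, "high": 2}  # constructed integrity ordering


class FloatingLabels:
    def __init__(self, subjects, objects):
        self.subj = dict(subjects)  # subject name -> integrity label
        self.obj = dict(objects)    # object name  -> integrity label

    def observe(self, s, o):
        """Subject s reads object o: never denied, s's label floats down."""
        self.subj[s] = min(self.subj[s], self.obj[o], key=LEVELS.get)
        return True

    def modify(self, s, o):
        """Subject s writes object o: never denied, o's label floats down."""
        self.obj[o] = min(self.obj[o], self.subj[s], key=LEVELS.get)
        return True


def run_trace(system, trace):
    """Apply (operation, subject, object) tuples; return how many were granted."""
    ops = {"observe": system.observe, "modify": system.modify}
    return sum(ops[op](s, o) for op, s, o in trace)


def distinct_levels(system):
    """Labels still in use; a single value means the labels carry no information."""
    return set(system.subj.values()) | set(system.obj.values())


def demo():
    system = FloatingLabels(
        subjects={"admin": "high", "guest": "low"},
        objects={"kernel.cfg": "high", "report": "medium", "scratch": "low"},
    )
    trace = [  # constructed access sequence
        ("observe", "admin", "scratch"),    # admin:      high   -> low
        ("modify", "admin", "kernel.cfg"),  # kernel.cfg: high   -> low
        ("modify", "guest", "report"),      # report:     medium -> low
    ]
    return system, run_trace(system, trace)


if __name__ == "__main__":
    system, granted = demo()
    print(granted, "accesses granted; labels left:", distinct_levels(system))
```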

8. Both capabilities and ACLs are views on the access-matrix concept and
   are (theoretically) adequate to implement the b-matrix.  ACLs are
   more space efficient and better at determining access to a specific
   object; but capabilities (unforgeable, pointer-style tokens) are
   intrinsically more efficient (despite making check & remove permission
   trickier).

9. a) No, the fence merely protects the OS from users.
   b) No, the b/b protect the OS & users from other users.
   c) Yes, the user can set some of his memory to be non-writable,
      preventing some accidental damage.

10.  User C could forge the publication of B's public key (i.e. use
     his own instead, and claim it is B's).  By intercepting each
     message headed for B, he can now (by using his own keys--which
     everyone else will think are B's--and the published public keys)
     participate in conversation with any other user (acting as B).

11.  you really care.  Right?