
Set 01

Detailed Scheme and Solution

Faculty: Engineering and Technology
Examination: Semester End Examination, February 2022
Programme: B. Tech.
Department: Computer Science and Engineering
Semester / Year: 6th / 3rd
Batch: 2019
Course Code: 19CSC315A
Course Title: Information Security and Protection

Q. No.   Detailed Solution   Marks

1. a. Define the CIA Triad of Confidentiality, Integrity and Availability and describe
their role in Information Security and Protection (Marks: 9)

The basic components of security and protection of information and information
systems are Confidentiality, Integrity and Availability. Security Services handle the
triad: confidentiality services, integrity services and availability services.

Confidentiality

Confidentiality is concealment of information or resources. Confidential information
can be sensitive information, personal records, proprietary information, trade
secrets, etc. It originated in the Need-to-Know principle. Confidentiality is supported
by access control mechanisms, which can be of the following types: 1) system-dependent
(e.g., password-protected) access control, and 2) cryptographic encryption; e.g., an
encrypted data file. System-dependent access control is more complete than the
cryptographic one. However, if the system-dependent mechanism fails, then data
becomes visible.

Confidentiality can also be about the existence of data. Existence itself is the
information to be protected from access. Sometimes it is more revealing than data
itself; for example, the presence of a mole in the organization. Resources including
network configuration, equipment, etc., need to be hidden.

All mechanisms for confidentiality require support services from the system: E.g., OS
Kernel. Assumptions and Trust underlie confidentiality mechanisms.

Integrity

Integrity refers to the trustworthiness of data or resources. It includes data integrity
(the content of information) and origin integrity (the source of information). Origin
integrity is often called authentication. The source may bear on the accuracy and
credibility of the information, and on the trust placed in it.

Example: A news item prints leaked information as received but attributes it to a
wrong source. This preserves data integrity but corrupts source integrity.

19CSC315A Page 1 of 13
Integrity mechanisms are either prevention mechanisms or detection mechanisms.

Prevention mechanisms:
1. Prevent unauthorized users from accessing information; for example,
   someone breaks into a database server.
2. Prevent authorized users from modifying data in an unauthorized manner;
   for example, a company accountant diverts money to a personal account and
   hides the transactions.

Detection mechanisms only report that data is not trustworthy. They either report the
cause of the integrity violation (a specific part of a file is altered) or only report a
violation (a file is now corrupt). They do not prevent violations of integrity.

Integrity is different from Confidentiality. Confidentiality is about data being either
compromised or not, whereas Integrity includes both data correctness and data
trustworthiness.

Integrity is affected by both the origin of data and how well the data is protected
along the path. This makes evaluation of integrity difficult: it relies on assumptions
(about the source) and trust (in that source), both of which are often overlooked.

Availability

Availability is the ability to use information or resources. Its relevance to security
comes from deliberate denial of access to data or service, making it unavailable or
unusable.

Example: A bank has a primary and a secondary server to validate a cheque. An
employee compromises the secondary server so that it always validates cheques to
his/her account regardless of the actual balance, and then stops the primary server
(denial of service).

System designs usually assume normal patterns: patterns of use or parameters that
control the usage; e.g., login times, network traffic patterns. These are usually
modelled using a statistical model.

Availability is often compromised via Denial of Service (DOS): the use/control
parameters are manipulated so that the statistical model is invalid. Availability
mechanisms then fail because the environment has changed.

Detection of DOS is difficult: 1) A DOS event may look like an atypical event; hence,
one needs to determine whether unusual patterns are due to deliberate manipulation or
just an atypical event. 2) Atypical but non-DOS events contribute to the statistics, so
a DOS event may not appear atypical at all.
b. List six common threats and give one example for each (Marks: 6)

1. Snooping/Eavesdropping: Unauthorized interception of information; e.g.,
   eavesdropping
2. Modification/Alteration: Unauthorized change of information; e.g.,
   unauthorized modification of a database entry
3. Masquerading/Spoofing: Impersonation of one entity by another; e.g.,
   Man-in-the-Middle attack
4. Repudiation of Origin: A denial that an entity sent (or created) something;
   e.g., the sender denies having sent an email
5. Denial of Receipt: A denial that an entity received some information or
   message; e.g., a customer denies having received the product purchased
6. Delay: A temporary inhibition of a service; e.g., OTP for authentication is
   deliberately delayed
7. Denial of Service: A long-term inhibition of service; e.g., a database server is
   unable to serve due to a network flood attack

c. Describe the specific steps needed in the specification, design and
implementation of information systems for their assurance (Marks: 5)

Trust cannot be quantified precisely. Assurance is about this aspect of trust. It
attempts to provide a basis for how much a system can be trusted. Specification,
design and implementation of information systems form the basis for their
assurance.

Assurance in information systems needs specific steps:
1. Detailed specifications of desired/undesirable behaviour
2. Analysis of the design showing that the system does not violate the
   specifications
3. Arguments/proofs that the implementation, operation and maintenance
   produce the desired behaviour

A system satisfies a specification if the specification correctly states how the system
will function. Similar definitions hold for a design or an implementation.

Specification: A specification is a statement of the desired functionality: what the
system is allowed to do or not allowed to do.

Design: The design should satisfy the specifications. Design verification addresses the
question of whether a design satisfies the specifications.

Implementation: The implementation creates a system that satisfies the given design.
If the design satisfies a set of specifications, the implementation also satisfies the
specifications.

2 a. An information system has three users A, B, and C and defines read, write and
execute rights. Each user has a private and a publicly accessible file; user X’s files
are named x_priv and x_pub, respectively. A public file is accessible to read by
all users, while the owner has all rights over it. No one except the owner has any
right over a private file while its owner has all its rights. (Marks: 2+3+3+2 = 10)
1) Create the Access Control Matrix (ACM) to represent the protection
state of the system

ACM =
       A_priv  A_pub  B_priv  B_pub  C_priv  C_pub
A      RWE     RWE    -       R      -       R
B      -       R      RWE     RWE    -       R
C      -       R      -       R      RWE     RWE

2) Two groups of users are created, {A, B} and {B, C}. The publicly accessible
files from each group are made write-able by all the group members.
Develop a command make.group.writeable(f, X, Y) for file f using the
HRU/ACM model primitives for this transformation

command make.group.writable(f, X, Y):
    insert W into ACM[f, X];
    insert W into ACM[f, Y];
end

3) Identify a sequence of make.group.writeable() commands to achieve
the transformation in 2) above

make.group.writable(A_priv, A, B);
make.group.writable(B_priv, A, B);
make.group.writable(B_priv, B, C);
make.group.writable(C_priv, B, C);

4) Formulate the updated ACM

Updated ACM =
       A_priv  A_pub  B_priv  B_pub  C_priv  C_pub
A      RWE     RWE    W       R      -       R
B      W       R      RWE     RWE    W       R
C      -       R      W       R      RWE     RWE
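
The matrix transformation above can be replayed mechanically. The following is an added example, not part of the original solution: it builds the Q2a.1 matrix, applies the four commands exactly as the solution lists them, and reports which cells gained rights. The dictionary layout and the helper names (initial_acm, enter, cell, gained) are assumptions of this sketch.

```python
# Added example: an HRU-style access control matrix for the Q2a system.
# Data layout and helper names are assumptions made for this sketch.
SUBJECTS = ["A", "B", "C"]
OBJECTS = [f"{s}_{kind}" for s in SUBJECTS for kind in ("priv", "pub")]


def initial_acm():
    """Protection state of Q2a.1: owner holds RWE, others hold R on public files."""
    acm = {}
    for s in SUBJECTS:
        for o in OBJECTS:
            owner, kind = o.split("_")
            if s == owner:
                acm[(s, o)] = set("RWE")
            elif kind == "pub":
                acm[(s, o)] = {"R"}
            else:
                acm[(s, o)] = set()
    return acm


def enter(acm, right, subject, obj):
    """HRU primitive 'enter r into A[s, o]'; s and o must already exist."""
    if (subject, obj) not in acm:
        raise KeyError(f"unknown cell A[{subject}, {obj}]")
    acm[(subject, obj)].add(right)  # set semantics: re-entering a right is a no-op


def make_group_writable(acm, f, x, y):
    """The command from Q2a.2: enter W for both group members on file f."""
    enter(acm, "W", x, f)
    enter(acm, "W", y, f)


def cell(acm, subject, obj):
    """Render one cell in R, W, E order; '-' marks an empty cell."""
    return "".join(r for r in "RWE" if r in acm[(subject, obj)]) or "-"


def gained(before, after):
    """Cells holding rights they did not hold before (what an auditor reviews)."""
    return {k: after[k] - before[k] for k in after if after[k] - before[k]}


def replay_solution():
    """Apply the four commands exactly as the solution to Q2a.3 lists them."""
    before = initial_acm()
    after = {k: set(v) for k, v in before.items()}
    for f, x, y in [("A_priv", "A", "B"), ("B_priv", "A", "B"),
                    ("B_priv", "B", "C"), ("C_priv", "B", "C")]:
        make_group_writable(after, f, x, y)
    return before, after


if __name__ == "__main__":
    before, after = replay_solution()
    print("      " + "  ".join(f"{o:<6}" for o in OBJECTS))
    for s in SUBJECTS:
        print(f"{s:<6}" + "  ".join(f"{cell(after, s, o):<6}" for o in OBJECTS))
    for (s, o), rights in sorted(gained(before, after).items()):
        print(f"{s} gained {''.join(sorted(rights))} on {o}")
```
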

b. Consider the information system from Q2a. Employing the Take-Grant model,
answer the following: (Marks: 3+2+1 = 6)
1) User B has take right over A and has a grant right over C. Formulate the
Protection Graph to model the state in Q2a.2) along with these rights

2) Prove that all the users share the same rights over all the objects
The set {A, B, C} is an island. Hence, they can share the same rights over all the
objects.
3) Identify the common set of rights over x_priv and x_pub files
The common rights over x_priv: RWE; same with x_pub
c. List the primitives of the HRU/ACM model and elaborate on one of them (Marks: 4)
create subject s;
create object o;
enter r into A[s, o];
delete r from A[s, o];
destroy subject s;
destroy object o;
The student is expected to elaborate on one primitive command; e.g.,
1. Primitive command: create subject s
Precondition: s ∈ S
Postconditions:
S′ = S ∪ {s}, O′ = O ∪ {s}
(∀y ∈ O′)[A′[s, y] = 𝜙]; (∀x ∈ S′)[A′[x, s] = 𝜙]
(∀x ∈ S)(∀y ∈ O)[A′[x, y] = A[x, y]]
This primitive command creates a new subject s. Note that s must not exist as a
subject or an object before this command is executed. This operation does not add
any rights. It merely modifies the matrix.
3 a. Define and explain Confidentiality Policy, Integrity Policy and Availability Policy
with an example of each (Marks: 6)

Confidentiality Policy
A confidentiality policy is one which is concerned with the protection of
confidentiality of the information in the system, i.e., against its unauthorized
disclosure.
The first concern is Information Flow, which can happen in two forms: 1)
leakage of rights and 2) unauthorized transformation of information without
leakage of rights. Since the rights of subjects need to change, a confidentiality policy
needs to be able to handle changes in authorization.
An example of a confidentiality policy is the policy governing access to information
in a military. Another is that governing a government organization which holds
citizen information.

Integrity Policy
An integrity policy is concerned with protecting the integrity of information or
resources. It identifies authorized ways of altering information and the entities that
are authorized to do the alteration. The authorization derives from many relationships
and also external influence. In many systems, separation of duty is imposed, which
forbids a single entity from completing a transaction on its own.

Availability Policy
An availability policy is concerned with the availability of a resource for its intended
use. It describes the services to be provided. It may also list the range of parameters
within which the services are accessible; e.g., a secure browser may not be allowed
to download applets. In addition, it may also identify the required level of service;
e.g., authorization should be completed within a minute.
An example of an authorization policy would be a Service Level Agreement of a Cloud
Service Provider.
b. Define and explain the Discretionary, Mandatory and Originator Controlled
Access Control mechanisms. (Marks: 4.5+3.5 = 8)

A Discretionary Access Control (DAC) is also known as Identity Based Access Control
(IBAC). In this, an individual user (owner) can set an access control mechanism to
allow/disallow access to a particular object. DAC is based on the identity of the
subject and the object involved. An example: A child decides that only her mother
can read her diary.

A Mandatory Access Control (MAC) is also known as Rule-Based Access Control
(RBAC). In MAC, a system mechanism controls access to an object and an individual
user cannot directly alter it. For example, the file system access control is enforced
by the Operating System. Another example is the lawful access to a car owner’s
driving record by police.

In an Originator Controlled Access Control (ORGCON/ORCON), the access is based on
the creator of the object (or the information it contains). It controls the
dissemination of information. An example of an ORCON is the controls specified by
NDA agreements between a firm and the contractor.

Argue why or why not each of these three access control types is employed in each
of the following:
1) Access control to a user file in an operating system
2) The fields of a spreadsheet shared on the cloud can only be changed
with the approval of its creator

1) Since the access control is enforced by the operating system, it is a MAC.
However, the creator/owner of the file can change the access control,
making it a DAC. It is not an ORCON as any owner can change the access
control of the file.
2) This is ORCON since the owner controls the access to change the structure
even by those who are authorized to edit the document. However, the cloud
service provider’s file system is needed to enforce the authorization, making
it a MAC. Most operating systems do not implement ORCON but only MAC
and DAC aspects. Thus it is not an ORCON.
c. Consider an information protection system whose programs are expressed as
abstract functions. Let c be a confidentiality policy for the system and m1 and m2
be two security mechanisms for a program p = p(i1, i2, …, in) under c.
(Marks: 2+2+2 = 6)
1) Define a Protection Mechanism m for the system

A protection mechanism for a program p = p(i1, i2, …, in) is a function
m: I1 × I2 × … × In → R ∪ E, where R is the set of outputs of p from valid inputs
and E is a set of error messages, such that, when ik ∈ Ik, 1 ≤ k ≤ n,
1) Either m(i1, i2, …, in) = p(i1, i2, …, in)
2) Or, m(i1, i2, …, in) ∈ E

2) Identify conditions under which m1 is as precise as m2

Security mechanism m1 is as precise as m2 when, for all inputs (i1, i2, …, in), if
m2(i1, i2, …, in) = p(i1, i2, …, in), then m1(i1, i2, …, in) = p(i1, i2, …, in).

3) Identify conditions under which m1 is more precise than m2

Security mechanism m1 is more precise than m2 when there exists an input
(i1, i2, …, in) such that m1(i1, i2, …, in) = p(i1, i2, …, in), but
m2(i1, i2, …, in) ≠ p(i1, i2, …, in).
4 a. State the Simple Security Condition and *-Property of Bell-LaPadula Model and
explain how they prevent (Marks: 3+3 = 6)
1) Unauthorized disclosure in Military, and
2) Protect the privacy of citizens in Government organizations

Simple Security Condition: A subject s can read an object o iff 𝐼𝑠 dom 𝐼𝑜

*-Property: A subject s can read an object o iff 𝐼𝑜 dom 𝐼𝑠

In a military organization, the Simple Security Condition prevents leakage of
information from and about an object at a higher level of classification to subjects
whose clearance is below its security level. This prevents unauthorized disclosure.
The *-Property is used to prevent indirect disclosure by not allowing a subject to
write to any object with a clearance level below it. Thus, the subject cannot disclose
the information about and from an object at a higher level to a subject at a lower
level by copying the information into an object at a lower level accessible to the
intended recipient.

In a government organization, the confidentiality policy is meant to protect the
privacy of citizens, and government employees should limit the distribution of
personal information and some documents. The Simple Security Condition
prevents personal information from being accessible, or its existence from being
known, by persons without the required executive privilege. The *-Property stops
indirect leakage of information via its distribution using a document at a lower
clearance level.
b. A military department has TOP SECRET, SECRET, CONFIDENTIAL and
UNCLASSIFIED security levels for its staff and three categories of documents
OPERATIONS, TACTICAL and STRATEGIC (Marks: 2+2+3 = 7)
1) Determine the read and write permissions that an officer with clearance
(SECRET, {OPERATIONS, TACTICAL}) can have over documents classified
as (CONFIDENTIAL, {TACTICAL})

(SECRET, {OPERATIONS, TACTICAL}) dom (CONFIDENTIAL, {TACTICAL})
Hence, the officer has read access (Simple Security Condition) but no write access to
these documents (*-Property).

2) Determine the read and write permissions that an officer with clearance
(SECRET, {STRATEGIC}) can have over documents classified as (TOP
SECRET, {TACTICAL, STRATEGIC})

(TOP SECRET, {TACTICAL, STRATEGIC}) dom (SECRET, {STRATEGIC})
Hence, the officer does not have read access to these documents (Simple Security
Condition) but can write to them (*-Property).

3) Amir with security clearance (TOP SECRET, {TACTICAL, STRATEGIC})
wants to send a message using email to Bindu with a clearance level
(SECRET, {TACTICAL}). All emails are considered documents. Explain how
this can be arranged under the Bell-LaPadula model

(TOP SECRET, {TACTICAL, STRATEGIC}) dom (SECRET, {TACTICAL}). Hence, Amir
cannot write an email (document) that Bindu can read. The *-Property of the Bell-
LaPadula model is created to prevent indirect leakage of information using a
document of a lower classification.
The Bell-LaPadula model provides a mechanism for allowing this type of communication.
A subject has a maximum security level and a current security level. The maximum
security level must dominate the current security level. A subject may (effectively)
decrease its security level from the maximum in order to communicate with entities
at lower security levels.
Amir can set his current security level to (SECRET, {TACTICAL}), which is valid, and send
the email, which would acquire that level. Then Bindu can read it.
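
The three cases above all reduce to one dominance test over (level, category set) pairs. The following is an added example, not part of the original solution, that implements that test together with a subject's maximum and current levels; it also covers the case of two labels where neither dominates the other. The class and function names are assumptions of this sketch, and both checks are made against the subject's current level.

```python
from dataclasses import dataclass

# Added example; class and function names are assumptions made for this sketch.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]  # low to high


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset

    @classmethod
    def of(cls, level, *categories):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        return cls(level, frozenset(categories))


def dom(a, b):
    """a dom b: a's level is at least b's and a's categories include all of b's."""
    return (LEVELS.index(a.level) >= LEVELS.index(b.level)
            and b.categories <= a.categories)


class Subject:
    def __init__(self, name, maximum):
        self.name = name
        self.maximum = maximum
        self.current = maximum          # a subject starts at its maximum level

    def set_current(self, label):
        """Change the current level; the maximum level must dominate it."""
        if not dom(self.maximum, label):
            raise ValueError("maximum level does not dominate requested level")
        self.current = label

    def can_read(self, obj):            # Simple Security Condition: no read up
        return dom(self.current, obj)

    def can_write(self, obj):           # *-Property: no write down
        return dom(obj, self.current)


def permissions(subject, obj):
    """(read, write) permissions of a subject over a document label."""
    return subject.can_read(obj), subject.can_write(obj)


def email_readable(sender, recipient):
    """An email is a document that acquires the sender's current level."""
    return recipient.can_read(sender.current)


if __name__ == "__main__":
    o1 = Subject("officer 1", Label.of("SECRET", "OPERATIONS", "TACTICAL"))
    print(permissions(o1, Label.of("CONFIDENTIAL", "TACTICAL")))
    o2 = Subject("officer 2", Label.of("SECRET", "STRATEGIC"))
    print(permissions(o2, Label.of("TOP SECRET", "TACTICAL", "STRATEGIC")))
    amir = Subject("Amir", Label.of("TOP SECRET", "TACTICAL", "STRATEGIC"))
    bindu = Subject("Bindu", Label.of("SECRET", "TACTICAL"))
    print(email_readable(amir, bindu))
    amir.set_current(Label.of("SECRET", "TACTICAL"))
    print(email_readable(amir, bindu))
```
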
c. State the rules of Biba’s Strict Integrity Model (Marks: 2+2+2 = 6)
1) Explain how they are related to Bell-LaPadula model
2) Explain how they prevent direct and indirect modification of entities
without authorization

The rules of Biba’s Strict Integrity Model are:
1. Subject s can read object o iff l(s) ≤ l(o)
2. Subject s can write to object o iff l(o) ≤ l(s)
3. Subject s1 can execute s2 iff l(s2) ≤ l(s1)

1) Rules 1. and 2. of Biba’s Model are precise converses of Bell-LaPadula’s Simple
Security Condition and *-Property, respectively. Hence, Biba’s Model is
considered as a dual of Bell-LaPadula.

2) Rule 2. of Biba’s Model prevents a subject from altering an object at a higher
integrity level and thus prevents its direct modification. This would prevent the
lowering of the trust level of the object.
Rule 1. prevents a subject of higher integrity level from accessing an object of lower
trustworthiness and thus prevents lowering of the integrity level of the subject.
This would prevent that particular subject from lowering the trustworthiness of
objects subsequently.
5 a. Design a Clark-Wilson based integrity model for a savings bank’s integrity
requirements by clearly identifying the Constrained Data Items (CDIs), Integrity
Constraints, Integrity Verification Procedures (IVPs) and Transformation
Procedures (TPs) (Marks: 6)

CDIs: Bank balance, account balances, transfers, cheques, etc.

Integrity Constraints (ICs): For the bank balance, if D is the amount of money
deposited so far today, W the amount of money withdrawn so far today, YB the
amount of money in all accounts at the end of yesterday, and TB the amount of
money in all accounts so far today, then the integrity constraint for the bank balance
is
D + YB − W = TB
IVPs: Procedures that make sure that the bank balance meets its integrity constraint,
and similarly that each account balance is balanced after each transaction, etc.
TPs: Depositing money, withdrawals, money transfers, etc.
The Enforcement and Certification Rules of the Clark-Wilson model need to be
implemented by calling IVPs after each TP call. The IVPs need to verify the required
ICs.
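
The design above, with an IVP called after every TP, can be sketched as follows. This is an added example, not part of the original solution: the Bank class, the rollback on a failed check, the rule that no account balance may go negative, and the uncertified_credit procedure are assumptions made to show the IVP rejecting a bad state.

```python
# Added example; the Bank class, its method names, the rollback behaviour and
# the "no negative balance" account-level constraint are assumptions.
class IntegrityViolation(Exception):
    pass


class Bank:
    def __init__(self, opening_balances):
        self.accounts = dict(opening_balances)   # CDIs: account balances
        self.YB = sum(self.accounts.values())    # money in all accounts, end of yesterday
        self.D = 0                               # deposited so far today
        self.W = 0                               # withdrawn so far today

    @property
    def TB(self):                                # money in all accounts so far today
        return sum(self.accounts.values())

    def ivp(self):
        """IVP: bank-wide constraint D + YB - W = TB, and no negative balance."""
        return (self.D + self.YB - self.W == self.TB
                and all(b >= 0 for b in self.accounts.values()))

    def run_tp(self, tp, *args):
        """Run a TP, then the IVP; restore the last valid state on failure."""
        snapshot = (dict(self.accounts), self.D, self.W)
        tp(self, *args)
        if not self.ivp():
            self.accounts, self.D, self.W = snapshot
            raise IntegrityViolation(f"{tp.__name__}{args} left the CDIs invalid")


# Transformation procedures (TPs)
def deposit(bank, acct, amount):
    bank.accounts[acct] += amount
    bank.D += amount


def withdraw(bank, acct, amount):
    bank.accounts[acct] -= amount
    bank.W += amount


def transfer(bank, src, dst, amount):
    bank.accounts[src] -= amount
    bank.accounts[dst] += amount


def uncertified_credit(bank, acct, amount):
    """Not a certified TP: changes a balance without recording a deposit."""
    bank.accounts[acct] += amount


def attempt(bank, tp, *args):
    """Return True if the TP committed, False if the IVP rejected it."""
    try:
        bank.run_tp(tp, *args)
        return True
    except IntegrityViolation:
        return False


if __name__ == "__main__":
    bank = Bank({"alice": 500, "bob": 300})      # constructed sample accounts
    print(attempt(bank, deposit, "alice", 200))
    print(attempt(bank, withdraw, "bob", 100))
    print(attempt(bank, transfer, "alice", "bob", 150))
    print(attempt(bank, uncertified_credit, "alice", 1000))
    print(attempt(bank, withdraw, "bob", 1000))
    print(bank.accounts, bank.D, bank.W, bank.YB, bank.TB)
```

The overdraft attempt still satisfies D + YB − W = TB, so it is the account-level check that rejects it.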
b. A hospital has contracted a medical diagnostic company which contributes to
patient records in the form of test results information. The hospital has
implemented a Clinical Information System Security Policy (Marks: 2+2+2 = 6)
1) State the Confinement Principle of the security policy

Confinement Principle: Information from one medical record may be appended to a
different medical record if and only if the access control list of the second record is
a subset of the access control list of the first.

2) Explain the working of this principle at the diagnostic company end

At the diagnostic company, this principle being implemented means that the test
information will be appended to the patient record only after the responsible
clinician adds the diagnostic company’s clinician to the ACL of the patient record.

3) Argue how this will help protect the patient privacy and medical record
integrity

The (implicitly stated) NDA between the hospital and the diagnostic company
prevents the disclosure of information from the patient record.

The clinician at the diagnostic company is bound by law to only append correct test
result information and not alter any other part of the record. This preserves the
record integrity.
c. Bob wants to receive encrypted messages from Alice using RSA encryption. He
selects two primes p = 43 and q = 59 and the key parameters, e = 14 and d = 937.
Alice wants to send the message “STOP” to Bob. Using mapping {(A, 0), (B, 1),
…., (Z, 25)} and message blocks of size 4 integers, compute the cyphertext and
decoded plaintext messages. Verify the encryption mechanism for this instance
(Marks: 8)

From the given parameters, n = pq = 2537

Alice wants to send the message “STOP” to Bob using RSA. She encodes this as: S → 18,
T → 19, O → 14, P → 15, i.e., 1819 1415, grouped into blocks of 4 since the encoding
for ZZ, namely 2525, is less than 2537.
Thus, m = m1m2 = 18191415. Message blocks m1 and m2 are encoded as
c1 = m1^e mod n = 1819^13 mod 2537 = 2081
c2 = 1415^13 mod 2537 = 2182
Thus, the encrypted message is 20812182
Bob uses his private key (n, d) = (2537, 937) to decrypt:
2081^937 mod 2537 = 1819 → ST
2182^937 mod 2537 = 1415 → OP
Thus, the received message is STOP, which is the same as the sent message.
This verifies that the RSA encryption has worked correctly.
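
The computation above can be checked end to end. The following is an added example, not part of the original solution: it encodes STOP into two-letter blocks, encrypts with the exponent 13 that the computation applies, decrypts with d = 937, and tests whether an exponent pairs with d modulo (p − 1)(q − 1); that test passes for 13 and fails for the 14 given in the question. The function names are assumptions of this sketch.

```python
from math import gcd

# Added example; function names are assumptions made for this sketch.
P, Q = 43, 59
N = P * Q            # 2537
E = 13               # exponent applied in the worked computation
D = 937


def valid_keypair(p, q, e, d):
    """e must be invertible modulo phi(n) and d must be its inverse."""
    phi = (p - 1) * (q - 1)
    return gcd(e, phi) == 1 and (e * d) % phi == 1


def encode(text, n=N):
    """Map A..Z to 00..25 and pack two letters per block, e.g. 'ST' -> 1819."""
    letters = [ord(c) - ord("A") for c in text.upper()]
    if any(not 0 <= v <= 25 for v in letters):
        raise ValueError("only the letters A-Z can be encoded")
    if len(letters) % 2:
        raise ValueError("message must fill whole two-letter blocks")
    blocks = [100 * a + b for a, b in zip(letters[0::2], letters[1::2])]
    if any(b >= n for b in blocks):
        raise ValueError("block value must be smaller than the modulus")
    return blocks


def decode(blocks):
    """Split each block back into two letter codes and map them to A..Z."""
    return "".join(chr(v + ord("A")) for b in blocks for v in divmod(b, 100))


def encrypt(blocks, e=E, n=N):
    return [pow(m, e, n) for m in blocks]


def decrypt(blocks, d=D, n=N):
    return [pow(c, d, n) for c in blocks]


def as_digits(blocks):
    """Render blocks as zero-padded four-digit groups, as the solution writes them."""
    return "".join(f"{b:04d}" for b in blocks)


if __name__ == "__main__":
    plain = encode("STOP")
    cipher = encrypt(plain)
    print("plaintext blocks :", as_digits(plain))
    print("ciphertext blocks:", as_digits(cipher))
    print("decrypted text   :", decode(decrypt(cipher)))
    print("e = 13 pairs with d = 937:", valid_keypair(P, Q, 13, D))
    print("e = 14 pairs with d = 937:", valid_keypair(P, Q, 14, D))
```
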
6 a. Explain the working of a private key cryptography system using Vigenere Cipher
(Marks: 4)

The Vigenere Cipher treats letters as numbers: [A=0, B=1, C=2, …, Z=25]
Given m, a positive integer and a key K = (k1, k2, …, km), the encryption and
decryption functions are:
e_K(p1, p2, …, pn) = (p1 + k1, p2 + k2, …, pn + kn) mod 26
d_K(c1, c2, …, cn) = (c1 − k1, c2 − k2, …, cn − kn) mod 26
Example:
• Plaintext: CRYPTOGRAPHY
• Key: LUCKLUCKLUCK
• Ciphertext: N L A Z E I I B L J J I
b. Explain the evolution of three generations of firewalls in protecting
organizations’ network perimeter (Marks: 8)

The National Institute of Standards and Technology (NIST) 800-10 divides firewalls
into three generations:
1. Packet filters (1st Generation)
2. Stateful inspection (2nd Generation)
3. Application Firewall (3rd Generation)

1. Packet filters (1st Generation)
These validate packets based on protocol, source and/or destination IP addresses,
source and/or destination port numbers, time range, Differentiated Services Code
Point (DSCP), type of service (ToS), and various other parameters within the IP
header. This is accomplished using Access Control Lists (ACLs) on routers or switches
and is normally very fast. Traffic enters or exits an interface, ACLs are used to
match selected criteria and either permit or deny individual packets.
Advantages: Located in just about every device on the network. Routers, switches,
wireless access points, Virtual Private Network (VPN) concentrators, and so on may
all have the capability of being a packet-filtering firewall.
Caveats: No visibility into the data portion of the IP packet. They match only
individual packets, which enables an individual with malicious intent to easily
circumvent security by crafting packets, misrepresenting traffic using well-known
ports, or tunnelling traffic unsuspectingly within traffic allowed by the ACL rules.

2. Stateful Inspection (2nd Generation)
These allow internal connections out (i.e. outbound traffic) and allow only inbound
traffic in response to a valid request or traffic that is explicitly allowed by an ACL.
They have the ability to dynamically filter packets at the network layer. Traffic enters
or exits an interface, ACLs are used to match selected criteria and either permit or
deny individual packets.

These have all the advantages of the first generation in addition to being able to
dynamically filter packets.

However, they carry over the disadvantages of the first generation apart from being
more complex to implement and configure.
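
The difference between the first two generations shows up when the same packets are judged by both. The following is an added example, not part of the original solution: a per-packet filter with a static rule for web replies is compared with a filter that tracks outbound flows. The rule set, the documentation-range addresses and all names are constructed for illustration, and TCP flags and flow timeouts are left out.

```python
from collections import namedtuple

# Added example; rule set, addresses and names are constructed for illustration.
# TCP flags and flow timeouts are deliberately left out of this sketch.
Packet = namedtuple("Packet", "direction proto src sport dst dport")

PUBLISHED = {("10.0.0.80", 443, "tcp")}   # inbound service explicitly allowed by ACL


def packet_filter(pkt):
    """1st generation: each packet is judged alone, on header fields only."""
    if pkt.direction == "out":
        return True
    if (pkt.dst, pkt.dport, pkt.proto) in PUBLISHED:
        return True
    # Static rule meant to let web replies back in: inbound TCP from port 443.
    return pkt.proto == "tcp" and pkt.sport == 443


class StatefulFirewall:
    """2nd generation: inbound traffic must answer a tracked outbound request."""

    def __init__(self):
        self.flows = set()

    def check(self, pkt):
        if pkt.direction == "out":
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.proto) in PUBLISHED:
            return True
        # Accept only the mirror image of a flow that was opened from inside.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


SAMPLE = [  # constructed packets, in arrival order
    Packet("out", "tcp", "10.0.0.5", 50000, "198.51.100.10", 443),  # request
    Packet("in", "tcp", "198.51.100.10", 443, "10.0.0.5", 50000),   # its reply
    Packet("in", "tcp", "203.0.113.7", 443, "10.0.0.5", 3389),      # unsolicited
    Packet("in", "tcp", "203.0.113.7", 40000, "10.0.0.80", 443),    # published
    Packet("in", "udp", "203.0.113.7", 53, "10.0.0.5", 50001),      # unsolicited
]


def compare(packets):
    """(packet-filter verdict, stateful verdict) for each packet, in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.check(p)) for p in packets]


def only_stateless_permits(packets):
    """Packets the packet filter lets in but the stateful firewall drops."""
    verdicts = compare(packets)
    return [p for p, (a, b) in zip(packets, verdicts) if a and not b]


if __name__ == "__main__":
    for p, (stateless, stateful) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{p.direction:<3} {p.src}:{p.sport} -> {p.dst}:{p.dport} "
              f"filter={'permit' if stateless else 'deny'} "
              f"stateful={'permit' if stateful else 'deny'}")
```
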

3. Application Firewall {Next Generation Firewall} (3rd Generation)
These are an evolution of the stateful firewall that is application aware, i.e. capable
of recognizing and blocking applications according to specific patterns and
fingerprints peculiar to the application itself. Unlike traditional firewall control by
means of “IP Address – Port/Protocol”, an NGFW enforces a “user – application”
paradigm based on users authenticated on external repositories (Active Directory,
LDAP or Radius). Traffic enters or exits an interface, ACLs are used to match selected
criteria and either permit or deny individual packets.
Advantages: Advanced control, based on an application signature that provides
control at the application layer. Can leverage application knowledge for use in
interrogating threats.
Caveats: A much higher skill set is needed to ensure proper Application-Identity
integration for deriving optimal benefit from the investment.

c. A software firm develops backend process software for banks and oil companies.
Two of its developers, Ankitha and Surya, work on projects for Axis Bank and
State Bank of India (Marks: 3+2+3 = 8)
1) Develop a Chinese Wall model to address the Conflict of Interest (COI)

There are two COI classes: Bank COI and Oil Company COI.
The Bank COI consists of Company Datasets (CDs) from all the banks that are
customers of the software firm.
Similarly, the Oil Company COI has the CDs of all the Oil Companies to which the firm
creates/sells its software.

2) State the CW-Simple Security Condition and CW-* Property

CW-Simple Security Condition: A subject S can read an object O if and only if any of
the following is true:
1. There is an object O’ such that S has accessed O’ and CD(O’) = CD(O)
2. For all objects O’, O’ ∈ PR(S) ⟹ COI(O’) ≠ COI(O), where PR(S) is the
   set of objects previously read by S
3. O is a sanitized object

CW-*-Property: A subject S may write to an object O if and only if both of the
following conditions hold:
1. The CW-simple security condition permits S to read O
2. For all unsanitized objects O’, S can read O’ ⟹ CD(O’) = CD(O)

3) Argue how they prevent direct and indirect leakage of information
between Ankitha and Surya leading to COI

The CW-Simple Security Condition prevents direct COI. Initially PR(S) is null. If Ankitha
has read one document O from a CD(O), this condition would prevent her from reading
any document from any COI class different from that of O. Thus she cannot access
an Oil Company CD once she works on a Bank CD.

The CW-*-Property stops indirect leakage of information. If Ankitha has read an
object O, in future she can only write to objects from the same CD(O). Thus, she
cannot write to an object from the Bank COI class to which Surya may have access.
*CO – Course Outcome

Course Outcomes
1 Describe elements of security and mechanisms to provide information security
  assurance
2 Explain how security can be provided and monitored using IT infrastructure
3 Recommend appropriate security provisions at application, operating system and
  network levels to secure information
4 Analyze IT security practice in a given scenario for threats and vulnerabilities and
  suggest countermeasures
5 Design software solutions with consideration for security and apply provisions for
  security in IT infrastructure
