Ch 17
Rings of protection separate functions into domains and order them hierarchically. (T/F)
True (17.4)
In a dynamic protection system, sometimes access rights to objects shared by different users need to be revoked. (T/F)
True (17.6)
The default set of access rights is used if no entry in the access list is found. (T/F)
True (17.6.2)
The UNIX operating system associates a protection domain with the ____.
User (17.4.2)
Which of the following is true of the Java programming language in relation to protection?
When a class is loaded, the JVM assigns the class to a protection domain that gives the permissions of that class. (17.12.2)
The ability to copy an access right from one domain to another may be realized as follows:
A right R is copied from domain A to domain B, but the right R could not be copied from domain B to another domain. (17.5)
Which of the following is an advantage of compiler-based enforcement of access control?
Access privileges are closely related to the linguistic concept of a data type. (17.12.1)
________________ is not a protection mechanism.
Intrusion Prevention (17.11)
The kernel should not run with a higher level of privileges than user processes. (T/F)
False (17.3)
Domains cannot share access rights. (T/F)
False (17.4.1)
Role-based access control (RBAC) increases the security risk associated with superusers. (T/F)
False (17.8)
Object means __________
hardware or software object (17.4)
What is the difference between mechanisms and policies?
Mechanisms determine how something will be done, while policies decide what will be done (17.1)
A capability list for a domain is ____________________
a list of objects together with the operations allowed on those objects. (17.6.3)
A protection domain is a collection of access rights, each of which is __________
a pair <object-name, rights-set> (17.4.1)
The owner right allows ___________
addition of new rights and removal of some rights (17.5)
