[CCCure CISSP] CISSPstudy Digest, Vol 20 Polyinstantiation vs Polymorphism?

Clement Dupuis clement.dupuis at cccure.com
Thu Feb 11 09:25:00 EST 2010


Good day Tom and All,

WOW, this is a fully loaded question.

Database Views *could be a far-fetched example* of polymorphism if you look at
the fact that even though you have a single database view defined you could get
different results when you access the database view.  The view is
interpreted as the user is accessing the DB.  So if the data within the
tables he has access to has changed he may get different results.  Poly
means multiple and Morph means form, which means the data might be
presented to the user in multiple forms.  However the term is usually used
only with Object Oriented Programming (OOP).  I have not seen it used as a
generic term within DB and views.  A view is a view and Polymorphism is
polymorphism.

*POLYMORPHISM*

However, in the context of the CBK and Application Security, the term
polymorphism relates to how two different objects will produce different
results even though the exact same method or command is sent to
each of the objects.  On the Sun Microsystems web site they have a nice
example of this using one object which was created from the bicycle class
and another object created from the furniture class.  The first object is
the bicycle wheel; when you send the command SPIN to the bicycle wheel it
will start turning.  If you send the command SPIN to a picture frame object
created using the furniture class, the frame on the wall will go from being
displayed vertically to being displayed horizontally.  Same command but two
completely different behaviors according to the object you interact with.
That is polymorphism within object oriented.

The description above is a simplified view of polymorphism.  There are
different types of polymorphisms but you do not need to get that low in the
details.

It could also be two objects created from the same class but containing
different variables/data.   If you send the same command or call the same
method on both objects, the results might be different if they store
different data.  So that could be another case as well where the same class
is used to create the objects.


*POLYINSTANTIATION*

Let's take the table below as an example:

Name of ship   Departure   Arrival   Cargo    Security Clearance

OKLAHOMA       Norfolk     Haiti     FOOD     Unclassified
OKLAHOMA       Norfolk     Ukraine   WEAPON   Secret

In this case you have different versions of the information that will be
presented according to the security clearance of the subject accessing the
data within the DB.  If you have a Secret security clearance you would see
that the ship is loaded with weapons going from Norfolk to Ukraine.  If you
are a clerk on base without the need to know and having only an unclassified
security clearance you would see within the DB that the ship is going from
Norfolk to Haiti with food.  That would satisfy your curiosity and you would
not know about the real cargo.

I hope this helps

Take care

Clement



On Thu, Feb 11, 2010 at 08:49, <twitwicki at hannaford.com> wrote:

>
>
> All,
>      Here's a question that came out of a sample question that I've been
> puzzling over:
>
> Are Database Views an example of Polymorphism or Polyinstantiation?
> The case for Polymorphism is that the different output is produced from the
> same input to two different objects - the "objects" in this case being
> different views of the database.  This is the author's answer.
> The case for Polyinstantiation is that it is frequently used to
> hide/replace attributes that may not be accessed by a lower security level
> such as in preventing inference attacks.
>
> Any insight from the group would be appreciated.  By the way, my exam date
> is Feb 20 in Boston.  I feel prepared, but there is a lot of material and
> my fear is that some questions may go deeper into some areas.  Wish me
> luck!
>
> Tom Witwicki, CIPP
> Director, Information Security
> Hannaford Bros. Co.
> 207-885-2073
>
> Join me on Linkedin!
> http://www.linkedin.com/in/tomwitwicki
>
>
>
>
>
> _______________________________________________
> CISSPstudy mailing list
> CISSPstudy at cccure.org
> http://cccure.org/mailman/listinfo/cisspstudy_cccure.org
>
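
The polyinstantiation case from the message above, as an added example that is not part of the original post: the classification label is part of the primary key, so the same ship name can hold one row per level, and each reader gets the highest row their clearance dominates. The table name `voyage`, the numeric levels and the function names are assumptions made for illustration, and the write path goes one step beyond the read case in the message to show why a low-level insert must not collide with a hidden higher row.

```python
import sqlite3

# Constructed two-level ordering; real MLS systems use a full label lattice.
LEVELS = {"Unclassified": 0, "Secret": 1}

def build_db():
    """The label is part of the primary key, so one ship name can have one
    row (instance) per classification level."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE voyage (ship TEXT, departure TEXT, arrival TEXT, "
        "cargo TEXT, level INTEGER, PRIMARY KEY (ship, level))"
    )
    # Only the Secret row from the message's table exists at first.
    db.execute("INSERT INTO voyage VALUES (?,?,?,?,?)",
               ("OKLAHOMA", "Norfolk", "Ukraine", "WEAPON", LEVELS["Secret"]))
    return db

def write_voyage(db, clearance, ship, departure, arrival, cargo):
    """Insert at the writer's own level. A low writer never collides with a
    higher row, so no 'duplicate key' error reveals that the row exists."""
    db.execute("INSERT INTO voyage VALUES (?,?,?,?,?)",
               (ship, departure, arrival, cargo, LEVELS[clearance]))

def read_voyage(db, clearance, ship):
    """Return the highest-labelled row the reader's clearance dominates."""
    return db.execute(
        "SELECT departure, arrival, cargo FROM voyage "
        "WHERE ship = ? AND level <= ? ORDER BY level DESC LIMIT 1",
        (ship, LEVELS[clearance]),
    ).fetchone()

if __name__ == "__main__":
    db = build_db()
    # Before the cover row exists, the clerk sees nothing for this ship.
    print(read_voyage(db, "Unclassified", "OKLAHOMA"))
    # The Unclassified instance from the message's table is written.
    write_voyage(db, "Unclassified", "OKLAHOMA", "Norfolk", "Haiti", "FOOD")
    print(read_voyage(db, "Unclassified", "OKLAHOMA"))
    print(read_voyage(db, "Secret", "OKLAHOMA"))
```

With a primary key on the ship name alone, the Unclassified insert would fail with a uniqueness error and tell the clerk that a hidden OKLAHOMA row exists.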

