This problem asks about a SunShop Shopping Cart security vulnerability posted May 2, 2002. SunShop is a PHP/MySQL based shopping system. When a new customer registers on the site, the customer is able to insert JavaScript into records that is executed every time the administrator looks at the customer listing in the administrator area. This allows a malicious customer to redirect the administrator to any page in the administrator area. Because the administrator is already authenticated, the malicious user does not need to have the administrator's password. The redirection makes it possible to do everything the administrator can do, e.g., generating new shopping coupons.
List principles from Lecture 4 (either from the Viega and McGraw list or from Wheeler's suggestions) that you think were not given sufficient attention in the design of the SunShop web site. What do you think the patch or new version of the site does to prevent the vulnerability described above?
In class we have discussed capabilities and access control lists. Recall that Unix file protection is simply an optimization of access control lists in which there are only three "accessors": owner, group, and public. A group is a set of named individuals. For each of the following protection problems, explain whether the problem can be solved with Unix and whether the problem can be solved using capabilities. For each applicable mechanism, explain your solution.
Given the security levels TOPSECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, say what type of access (read, write, both, or neither) is allowed in the following situations. Assume a user can read or write a file of the same classification as the user, and can read/write up/down according to the Bell-LaPadula model.
A computer system provides protection using the Biba policy. How would a virus spread if:
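As an added illustration (not part of the problem set) of the two preceding questions, this small checker decides read/write access over the lattice of levels TOPSECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED and categories {A, B, C} under Bell-LaPadula, and under the Biba integrity dual; reusing the same level names as integrity levels is an assumption made for illustration.

```python
# Added example: Bell-LaPadula and Biba access decisions over the lattice
# described in the questions above. Labels are (level, set_of_categories).

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}

def dominates(a, b):
    """Label a dominates label b iff a's level is at least b's and a's
    category set contains b's. This partial order is what both models use."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and set(a[1]) >= set(b[1])

def _name(can_read, can_write):
    return {(True, True): "both", (True, False): "read",
            (False, True): "write", (False, False): "neither"}[(can_read, can_write)]

def blp_access(subject, obj):
    """Bell-LaPadula (confidentiality): read down only (simple security
    property) and write up only (*-property); equal labels allow both."""
    can_read = dominates(subject, obj)
    can_write = dominates(obj, subject)
    return _name(can_read, can_write)

def biba_access(subject, obj):
    """Strict Biba (integrity): the dual rules, read up only and write down
    only, so data from a lower-integrity (possibly infected) object can never
    be read by, or written into, a higher-integrity context."""
    can_read = dominates(obj, subject)
    can_write = dominates(subject, obj)
    return _name(can_read, can_write)

if __name__ == "__main__":
    user = ("SECRET", {"A", "B"})          # constructed sample labels
    print(blp_access(user, ("CONFIDENTIAL", {"A"})))      # read
    print(blp_access(user, ("TOPSECRET", {"A", "B", "C"})))  # write
    print(biba_access(user, ("CONFIDENTIAL", {"A"})))     # write
```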
You start working for a company that does contract software development for security-conscious clients. The company has the following software rules to prevent information flow from high to low:
Every variable is labeled high or low.
Constants 0, 1, 2, ... and functions +, *, and so on that are not declared by the programmer are both high and low.
An expression is considered high if all of its parts are high and low if all of its parts are low.
All input from high sources is stored in high variables and similarly for low input.
All output to high sources must be values of high expressions and similarly for low output.
An assignment to a high variable can only assign the value of a high expression and similarly for low.
An if statement is allowed if the test is allowed and all assignments carried out as a result of the test are allowed. For example, if (x==1) y=z+1; is allowed as long as x and 1 are the same level and y and z are the same level.
Explain why these rules do not prevent information flow from high to low and write a short code example to prove it. Your program should consist of one or two input statements, some statements containing assignments, and one output to low. You can assume there are two input files, called in_high and in_low, and two output files, called out_high and out_low. (Hint: in the if statement above, x and y do not need to have the same level.)
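As an added example (not part of the problem set), the following checker implements the seven company rules above over a tiny statement language, so the effect of each rule can be run rather than argued; the tuple encoding of programs and the variable labels are assumptions made for illustration.

```python
# Added example: a checker for the seven labeling rules. Statements are tuples:
#   ("input", "in_high" | "in_low", var)
#   ("output", "out_high" | "out_low", expr)
#   ("assign", var, expr)
#   ("if", test_expr, [statements])
# Expressions are ints (constants), strs (variables) or (op, arg, ...) tuples.
# Labels are "high", "low", or "both" (constants and built-in functions, rule 2).

LABELS = {"x": "high", "y": "low", "z": "low"}   # assumed labels for illustration

def level(expr, labels):
    """Rule 3: 'high' if all parts are high, 'low' if all are low,
    'both' if only constants/built-ins, None if the parts disagree."""
    if isinstance(expr, int):
        return "both"
    if isinstance(expr, str):
        return labels[expr]
    _op, *args = expr                       # built-in function is both (rule 2)
    levels = {level(a, labels) for a in args} - {"both"}
    if len(levels) > 1:
        return None
    return levels.pop() if levels else "both"

def allowed(stmt, labels):
    kind = stmt[0]
    if kind == "input":                     # rule 4
        return labels[stmt[2]] == ("high" if stmt[1] == "in_high" else "low")
    if kind == "output":                    # rule 5
        want = "high" if stmt[1] == "out_high" else "low"
        return level(stmt[2], labels) in (want, "both")
    if kind == "assign":                    # rule 6
        return level(stmt[2], labels) in (labels[stmt[1]], "both")
    if kind == "if":                        # rule 7
        return level(stmt[1], labels) is not None and all(
            allowed(s, labels) for s in stmt[2])
    raise ValueError(kind)

def check(program, labels):
    return all(allowed(s, labels) for s in program)

# The page's own example, if (x==1) y=z+1;, with x high and y, z low.
PAGE_EXAMPLE = [("if", ("==", "x", 1), [("assign", "y", ("+", "z", 1))])]

# Classic implicit flow: every rule holds, yet low y ends up equal to high x's bit.
IMPLICIT_FLOW = [("input", "in_high", "x"), ("assign", "y", 0),
                 ("if", ("==", "x", 1), [("assign", "y", 1)]),
                 ("output", "out_low", "y")]
```

Running `check(IMPLICIT_FLOW, LABELS)` returns True even though the program copies information from in_high to out_low, which is exactly the gap the question asks about.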
After getting your degree, you apply for a job as director of a large university computer center that has just put its ancient operating system out to pasture and switched over to Unix. You get the job. Fifteen minutes after starting work, your assistant bursts into your office screaming: "Some students have discovered the algorithm we use for encrypting passwords and posted it on the bulletin board." What should you do?
DNSTools is a commercial solution for DNS configuration. This is what the vendor says about DNSTools: "DNSTools is a DNS configuration and DNS administration utility that eases the burden of network and system administrators by presenting all of their DNS data in an easy-to-use web interface and allowing them to modify that data quickly and easily. With a few simple clicks, you can modify a host name, add a new mail record, add new DNS name servers, delete an entire domain, or add an alias or second IP address to an existing host. These are just a few examples of what DNSTools provides."
There is a significant security problem for versions before 2.0 beta 5. The URLs for access as an authenticated user and administrator are
http://example/dnstools.php?section=hosts&user_logged_in=true
http://example/dnstools.php?section=security&user_logged_in=true&user_dnstools_administrator=YES
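As an added example (not DNSTools' own code), this contrasts the pattern the two URLs above reveal, where authorisation state is carried in the query string that any client can edit, with a server-side session check; the session store and handler names are assumptions.

```python
# Added example: trusting client-supplied authorisation flags vs. server-side
# session state. Both handlers take the URLs quoted in the problem above.
from urllib.parse import urlparse, parse_qs

USER_URL = "http://example/dnstools.php?section=hosts&user_logged_in=true"
ADMIN_URL = ("http://example/dnstools.php?section=security"
             "&user_logged_in=true&user_dnstools_administrator=YES")

def _param(url, name):
    return parse_qs(urlparse(url).query).get(name, [""])[0]

def vulnerable_access(url):
    """Pattern implied by the URLs: the request itself asserts who the user is.
    Anyone who can type the parameter gets the corresponding access."""
    if _param(url, "section") == "security":
        return _param(url, "user_dnstools_administrator") == "YES"
    return _param(url, "user_logged_in") == "true"

# Hardened pattern: login and role live in server-side session state that the
# client cannot edit; the query string only selects the section to display.
SESSIONS = {                                      # constructed sample sessions
    "sid-alice": {"user": "alice", "admin": False},
    "sid-root": {"user": "root", "admin": True},
}

def hardened_access(url, session_id):
    """session_id comes from a cookie; only a matching server record grants access."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False                              # not logged in at all
    if _param(url, "section") == "security":
        return session["admin"]                   # role decided by the server
    return True

if __name__ == "__main__":
    print(vulnerable_access(ADMIN_URL))           # True with no credentials
    print(hardened_access(ADMIN_URL, None))       # False
    print(hardened_access(ADMIN_URL, "sid-alice"))  # False: not an administrator
```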
The Risks Digest is an electronic periodical moderated by Peter Neumann that documents risks encountered in various situations. Some are computer system problems and some are not. (For example, one Risks announcement explained how US Navy ships use radio frequencies that are used for garage door openers in Australia. When a US ship docks in an Australian port, all the garages for miles around may open.) Pick out one article from the site at http://catless.ncl.ac.uk/Risks that describes a security vulnerability that is relevant to this class. Discuss it (write no more than one page). Is it an example of a more general problem? Has that problem been encountered before? Suggest a technical solution or administrative procedure that would decrease the likelihood of similar problems arising in the future.
Acknowledgements: Some problems are based on course material by Anita Jones and Matt Bishop.