Homework 2

CS155, Spring 2003

Due Thursday, May 22

Problem 1

Access control lists (ACLs) and capabilities were discussed in the lecture on access control. This question asks you to make some comparisons between these two approaches. Assume you have n users, named Alice, Bob, Carol, David, ... Xavier, Yves, Zena, ... and m files. 

  1. How many entries are there in the access control matrix for n users and m files? How many ACLs would you use in an ACL implementation? How many capabilities in a capability implementation? If you add a new user to the system, how many ACLs might you have to change and how many capabilities might you have to issue? 
  2. One feature of capabilities is that in a capability-based system, one user can give a capability to another. Assume that a capability is a random or cryptographically generated number that the resource monitor can check when a user tries to access a file. For the ACL system, assume that only the owner of a file can change the ACL. Suppose that Alice starts a project and creates a file. Alice asks Bob to join the project and gives him access, Bob asks Carol to join and wants to give her access, and Carol similarly asks David. This process continues until a total of k users are working on the project. Explain and compare the sequence of actions that must occur in an ACL system and a capability system. Which works better for this purpose?
  3. Continuing the example above, suppose that Alice is tired of having everyone else edit her project file. What does she need to do to revoke access for everyone who has joined the project? Compare the effort involved in the ACL and capability implementations.

Problem 2

Suppose that UNIX user A (not root) starts program B which execs program C. Assume that the file containing program B does not have the setuid or setgid bits set. However, the file containing program C has the setuid bit set and the owner of the file is D. What are the real user id (RUID), effective user id (EUID), and saved user id (SUID) of program B and program C? If D is not root, then what changes can program C make to its RUID and EUID? Just list the set of possible values for each; do not describe all the possible system calls for all the different versions of UNIX. If D is root, what changes can be made? Explain why the designers of program C might use system calls to change the user id if D is root. 

Problem 3

Faq-O-Matic is a CGI-based system that automates the process of maintaining a FAQ (Frequently Asked Questions list). Among other features, this software allows visitors to your FAQ to take part in keeping it up-to-date. A Faq-O-Matic web site has numbered pages, with a URL of the form http://www.website.net/cgi-bin/faqomatic/fom?file=10 taking the visitor to page 10. If a browser attempts to retrieve a page http://www.website.net/cgi-bin/faqomatic/fom?file=n and there is no page named n.html, then Faq-O-Matic will return HTML to the browser that contains the error message "There is no page n". Explain some attacks that could be carried out using Faq-O-Matic (as it is described here), either against a FAQ managed using Faq-O-Matic, or against a user of such a site. Be as specific as you can about what you send to Faq-O-Matic, what you post to an unsuspecting user, and so on.

Problem 4

Suppose you are the security administrator for a popular web site. You are aware that the developers who wrote the code for the site were not security conscious. As a first step you decide to defend against SQL injection attacks. What would you do?
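As an added illustration of the defence the problem asks about (example code, not part of the original assignment), the following constructed login check shows a query built by string formatting beside the parameterized version an administrator would require developers to use; the in-memory SQLite table and the user names are constructed test data.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the site's user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "s3cret"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    # Query text assembled from user input: quote characters in the input
    # become part of the SQL and can change the meaning of the WHERE clause.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return db.execute(sql).fetchone()[0] > 0


def login_parameterized(db, name, password):
    # Placeholders: the statement is fixed and the values travel separately,
    # so the input is only ever compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0


def regression_check(db):
    # Test case a reviewer keeps in the suite: the classic tautology input
    # must be rejected once a query has been converted to placeholders.
    tautology = "x' OR '1'='1"
    return (login_parameterized(db, "alice", "s3cret")
            and not login_parameterized(db, "alice", tautology))
```

Converting every query to placeholders (and running the site's database account with only the privileges its queries need) is the mechanical first step; `regression_check` is the kind of test that keeps the fix from regressing.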

Problem 5

  1. Draw the message flow in the Kerberos authentication protocol when a user wants to access some network service. Assume the user already has a TGT. Write the main information exchanged in each flow.
  2. Suppose the secret key stored on a network server is exposed. Explain how a hacker can eavesdrop on all past and future communication to that network server by sniffing (and possibly recording) network traffic.
  3. If the KDC crashes then users can no longer authenticate themselves to network services. Describe in detail how you would design a Kerberos domain that does not have a single point of failure. What are the security implications of your design (is your network more vulnerable to attack)?

Problem 6

Recall that in the EFS encrypting file system, every file F is encrypted using a file key KF which is in turn encrypted using the user's public key. User A gives user B access to the file by adding an encryption of KF under B's public key to the file meta-data.

  1. Explain why simply removing the encryption of KF under B's public key from the file meta-data does not prevent B from viewing future changes to the file.
  2. Design a revocation mechanism for EFS that would prevent B from accessing future versions of the file.
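To make the key-wrapping scheme described above concrete, here is an added model of it (example code, not EFS itself or any code from the course): a per-file key KF, copies of KF wrapped under each user's public key in the file's metadata, and the naive removal of B's copy from the first question. The RSA key pairs use tiny constructed primes and the file cipher is a SHA-256 keystream, both stand-ins chosen so the example runs offline.

```python
import hashlib
import os

# Toy RSA keys (constructed; tiny primes, never use for real data) so the
# example runs offline: public key (n, e), private key (n, d).
def toy_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)

def wrap_key(kf, pub):          # encrypt the file key KF under a public key
    n, e = pub
    return pow(kf, e, n)
def unwrap_key(c, priv):        # recover KF with the matching private key
    n, d = priv
    return pow(c, d, n)
def file_cipher(kf, data):
    # Symmetric encryption under KF: XOR with a SHA-256 keystream (constructed
    # stand-in for the block cipher EFS uses). The same call decrypts.
    out = bytearray()
    for i, b in enumerate(data):
        block = hashlib.sha256(kf.to_bytes(4, "big") + (i // 32).to_bytes(4, "big")).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)

def create_file(plaintext, owner_pub):
    kf = int.from_bytes(os.urandom(3), "big")    # fresh random file key, < n
    return {"data": file_cipher(kf, plaintext), "keys": {owner_pub: wrap_key(kf, owner_pub)}}

def grant(f, granter_priv, granter_pub, new_pub):
    # Owner unwraps KF with her own key and adds a copy wrapped for the new user.
    kf = unwrap_key(f["keys"][granter_pub], granter_priv)
    f["keys"][new_pub] = wrap_key(kf, new_pub)
def read_file(f, user_pub, user_priv):
    kf = unwrap_key(f["keys"][user_pub], user_priv)
    return kf, file_cipher(kf, f["data"])   # the reader now knows KF itself
def update_file(f, owner_pub, owner_priv, new_plaintext):
    kf = unwrap_key(f["keys"][owner_pub], owner_priv)
    f["data"] = file_cipher(kf, new_plaintext)        # same KF, new contents

def naive_revoke_then_edit():
    a_pub, a_priv = toy_keypair(10007, 10009)
    b_pub, b_priv = toy_keypair(10037, 10039)
    f = create_file(b"draft v1", a_pub)
    grant(f, a_priv, a_pub, b_pub)
    cached_kf, _ = read_file(f, b_pub, b_priv)        # B reads once, learns KF
    del f["keys"][b_pub]                               # A removes B's wrapped copy
    update_file(f, a_pub, a_priv, b"draft v2")
    return file_cipher(cached_kf, f["data"])           # B's cached KF still works
```

`naive_revoke_then_edit` returns the new plaintext even though B's entry is gone from the metadata, which is the situation the first question asks you to explain; the second question asks what the file owner must change so that this stops holding.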

Problem 7

Suppose you maintain a file server and perform a regularly scheduled virus scan of all files on the server. Users of the server decide to protect some of their files using an encrypted file system. What problem does this present? Describe how you would solve this problem for CFS and for EFS. Explain the relative advantages and disadvantages of each file system in this situation.