Due: Thursday, April 29th
(b) Suppose the OS marks the stack memory pages as non-execute. Can a stack overflow be used to get a root shell on the machine? If so, briefly explain how. If not, explain why not.
Coding rules and program execution rules may be expressed using finite automata. When the Meta-Compilation (MC) system is used to check source code for security problems, the checks are given by finite automata. For example, lecture 3 contains a slide showing an automata for the rule, "when an integer is received from an untrusted source, an upper bound and a lower bound check must be applied before calling any of the functions memcpy, copyin, copyout, using the integer in an array reference, or using the integer as a bound in an iterative loop." Draw finite automata representing the following rules, to be enforced in source code by something like the MC system, or to be enforced on system calls by Janus (lecture 5) or a related system. If you believe that the rule cannot be expressed by an automaton, explain why.
(a) After a process reads file f, it cannot connect to the network.
(b) Always do d[n-1] = '\0' after strncpy(d,s,n).
(c) A process must open a file before reading from it.
(d) A process must open a file before reading from it and close it afterwards,
(e) A memory location must be allocated before it is read and must not be freed twice.
(a) Race conditions are a common problem in operating system protection mechanisms. An easy example involves Unix symbolic links, which contain a path and are resolved at access time. To avoid problems with symbolic links, a programmer may write code with the function of the following pseudo-code:
lstat (myfile, sb);
if (sb is not a symlink) {
rm myfile;
}
The lstat command returns the status of a symbolic link. The purpose of the test is to make sure that the rm command is not applied to a symbolic link. However, there is a race condition here. Explain how another program running in parallel could cause this program to delete an arbitrary file.
(b) Explain generally why race conditions are an issue in system call interposition tools.
(c) List two particular race conditions that arise in Janus and explain one useful solution to these race conditions problems.
A current security company markets a solution to help customers recognize a commercial web site. The purpose of this solution is to prevent users from typing their passwords into fake sites. When a user comes to a site using this solution, the user enters a username and looks for a picture previously chosen by the user.. When the user sees his or her own personal mark, he or she knows this is the real website – not a fake. With this assurance, it is safe for the user to type a password into the browser. Let us assume that the E-Buy site uses this marking scheme.
(a) An E-Buy customer is given a choice between several pictures. When a user chooses a picture, this is the picture that will be be shown every time the user logs into the E-Buy site. Where do you think the association between user names and pictures is stored? On the E-Buy server, or the user's computer? Why?
(b) Assume that the association between a user name and the user's picture is stored in the server's database. Describe a man-in-the-middle attack that allows a fake E-Buy site to show a user their E-Buy picture.
(c) One technique that could prevent the man-in-the-middle attack is a cookie in the user's browser. Explain how the cookie could prevent the attack.
(d) Why is the cookie solution inconvenient? More specifically, why does the mechanism using cookies make the picture concept less convenient for users who travel or have other specific computing habits?
(e) If every E-Buy user has a cookie identifying that user to E-Buy, why would E-Buy also want to ask for passwords?
(f) Describe an attack that might let someone steal a user's cookie. Can you use this cookie-stealing attack as part of a larger attack to impersonate E-Buy customers?