Homework 3

CS155, Spring 2005

Due: Thursday, June 2nd


Problem 1

This problem asks several questions about various access control concepts covered in class.

  1. Alice can read and write the file x, can read the file y, and can execute the file z. Bob can read x, can read and write y, and cannot access z.
    1. Write a set of access control lists for this situation, and say what each list is associated with.
    2. Write a set of capability lists for this situation, and say what each list is associated with.
  2. Consider how a system with capabilities as its access control mechanism could deal with Trojan horses.
    1. In general, do capabilities offer more or less protection against Trojan horses than do access control lists? Justify your answer in light of the theoretical equivalence of ACLs and C-Lists.
    2. Consider now the inheritance properties of new processes. If a creating process controls which capabilities the created process is given initially, how could the creator limit the damage that a Trojan horse could do?
    3. Can capabilities protect against all Trojan horses? Either show that they can, or describe a Trojan horse process that C-Lists cannot protect against.
  3. Given the security levels TOPSECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, say what type of access (read, write, or both) is allowed according to the Bell-La Padula model in the following situations. Assume discretionary access controls allow anyone access unless otherwise specified.
    1. Paul, cleared for (TOPSECRET, { A, C }), wants to access a document classified (SECRET, { C }).
    2. Anna, cleared for (CONFIDENTIAL, { C }), wants to access a document classified (CONFIDENTIAL, { B }).
    3. Jesse, cleared for (SECRET, { C }), wants to access a document classified (CONFIDENTIAL, { C }).
    4. Sammi, cleared for (TOPSECRET, { A, C }), wants to access a document classified (CONFIDENTIAL, { A }).
    5. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, { B }).
  4. A computer system provides protection using the Biba policy. How would a virus spread if:
    1. the virus were placed on the system at system low (the compartment which all other compartments dominate)?
    2. the virus were placed on the system at system high (the compartment which dominates all compartments)?

Problem 2

  1. Consider the trusted computing architecture discussed in class. Suppose, the attestation process did not include a key exchange between the remote server and the attested application. Would the resulting attestation mechanism convince the remote server of the validity of the attested application? If so, explain why. If not, describe an attack.
  2. Recall that the trusted computing architecture includes a hardware TPM in every machine. The TPM contains a secret signing key and the resulting signatures are used for attestation. Suppose that, for ease of deployment, the Trusted Computing Group chose to put the same secret key in all TPM's in the world. How would this decision affect security? Describe a potential attack on the attestation mechanism that results from this design.

Problem 3

  1. Explain the benefits of storing passwords in a password file using a secret salt (pepper).
  2. What happens if the secret salt is 128 bytes long? Is the system more secure? Is the system usable?

Problem 4

  1. Consider the earlybird worm signature generation system. Recall that the system only finds worm signatures that consist of a consecutive sequence of characters. Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.
  2. Suppose earlybird was able to generate signatures that contain wild cards (for example, "script/*.cgi"). Give an example of a vulnerability that a worm can exploit that cannot be detected using such signatures.

Problem 5

This problem asks you about the basic edge sampling algorithm described in lecture. You should solve this problem using the information given in the slides. Assume that network packets have sufficient space to contain start, end, distance fields.

Suppose that attack agents, a victim, and routers implementing an edge sampling algorithm are arranged in a full binary tree of depth n. The attack agents are at the leaves of the tree and the victim is at the root, as in the lecture slides on IP traceback (lecture 16). Suppose that there are m attack agents, distributed evenly among the leaves. For example, if n = 6, there are 32 leaves. If m = 8, then assume that every fourth leaf (reading from left to right across the top of the tree) is an attack agent. The remaining leaves are network hosts that are not involved in the attack.

  1. Suppose that n = 6 and m = 8 and the probability p of a router writing its address into the start field of a packet is 1/2. Consider the result of sending 100 packets from each attack agent. Is it feasible for the victim to reconstruct all 8 paths? Explain, giving some indication of what information the victim is likely to receive.
  2. Suppose n = 32. What range of values of p seems likely to let the victim reconstruct paths to some number of attack agents with reasonable reliability? You do not need to work out all the probabilities exactly unless this is the kind of thing you like to do for fun. Just explain the likely information received at the victim for at least four values of p, including values that seem fine, and at least one value that is too small and one that is too big.