Homework 2

CS155, Spring 2006

Due: Thursday, May 25

Problem 1 - Kerberos

1. Explain how the Bellovin-Merritt attack on Kerberos V4 can be used to recover user passwords.
2. How did Kerberos V5 fix this problem?

Problem 2 - Finding bugs

Taint analysis is a general approach for finding many kinds of program bugs. In most forms of taint analysis, a value from an unknown or untrusted source is considered tainted. If the value is tested or manipulated in some way, then it may become untainted. If a tainted value is used an argument to a sensitive operation, then an error is reported. For example, PERL user input is considered tainted, and an error is reported if tainted values are used in system calls. If a tainted PERL value is compared to a pattern that is contained literally in the program, and not read from some other source, then it is considered untainted.

1. Taint analysis can be used to find buffer overflow vulnerabilities in source code by disallowing tainted array indices. Explain why a value should be considered untainted only if there are checks to make sure it is bigger than some minimum value and smaller than some maximum value - it is not enough to just check that it is less than some maximum value. You may want to refer to the following Linux device driver code.

    /* 2.4.5/drivers/char/drm/i810_dma.c */
    if (copy_from_user(&d, (drm_i810_copy_t *)arg, sizeof(d)))
            return -EFAULT;

    if(d.idx > dma->buf_count) return -EINVAL;
    buf = dma->buflist[ d.idx ];
    buf_priv = buf->dev_private;
    if (buf_priv->currently_mapped != I810_BUF_MAPPED) return -EPERM;

    if (copy_from_user(buf_priv->virtual, d.address, d.used))
            return -EFAULT;

2. Tainting can be applied to source code, by simulated execution that keeps track of whether the values of variables could be tainted or not, or applied at run-time by keeping track (in an interpreter, for example) of whether the actual value is tainted. In a project for detecting malware via runtime taint analysis, researchers at CMU automatically insert taint tracking instructions. For example, the following code

        recv(socketfd, buf1, …);
   	    memcpy(buf2, buf1, …);
        y = x;
        strcpy(dummy->buf, buf1);
        dummy->fnptr();
   

   is instrumented by inserting the indented lines

   	 recv(socketfd, buf1, …);
         NewTaint(buf1, …);
     memcpy(buf2, buf1, …);
         PropTaint(buf2, buf1, …);
     y = x;
         PropTaint(&y, &x, …);
     strcpy(dummy->buf, buf1);
        PropTaint(dummy->buf, buf1, …);
        TaintAssert(&fnptr, …); 
     dummy->fnptr();
   

   The first function call creates a new taint tracking flag for buf1. The next call sets the taint flag for buf2 to the flag value for buf1, and so on. The TaintAssert function makes sure that the taint flag for the given argument does not indicate that the value is tainted. If TaintAssert is called with a tainted argument, and error is reported. Explain the error in this code and how tainting analysis catches it.

Problem 3 - TCG

In class we discussed the Trusted Computing architecture (TCG) and the associated TPM hardware.

1. Can the TPM be used to prevent a virus from modifying the machine's Master Boot Record (MBR)? If so, explain why. If not, explain why not.
2. Suppose user A is able to extract the secret signing key from the tamper resistant chip in his machine. Explain the implications of this for the validity of the attestation process. How could A use this key to fool a remote server about the software running on A'a machine?
3. How would you defend against this problem? You may assume that the private key extracted from the chip is published on the web (anonymously) so that anyone can mount the attack from part (a).

Problem 4 - Web browser security

A web server requires each user to log in. However, the implementers of the web site are worried about storing passwords on the server, since they are afraid someone might break in and steal them. Therefore, they decide to use a clever idea. When a user creates an account, the account number is stored on the server and the user's password is stored in a cookie on the user's machine. Then, when the user tries to log in later, the server compares the password typed in by the user with the password stored in the user's cookie.

1. Assuming that the implementers have not thought of any other clever ideas, how would you log into another users account without knowing their password?
2. What methods could you use to keep passwords in cookies, but prevent the attack you devised in part (a)?

Problem 5 - TCP Sequence numbers

Suppose a spammer sends spam email from IP address a.b.c.d. This IP address is quickly added to a blacklist and mail servers ignore all emails from this IP address.

1. Can the spammer evade the blacklisting mechanism by sending packets with a spoofed source IP address? Recall that the SMTP protocol runs on top of TCP. You may assume that the victim mail server generates random and unpredictable TCP sequence numbers for new connections.
2. Suppose a certain mail server generates TCP sequence numbers for new connections using a predictable algorithm, say the initial sequence number for connection i is simply the number i. Explain exactly how a spammer can fool the mail server into accepting spam from it by spoofing source IP addresses in packets.

   Recall that SMTP is an interactive protocol. An SMTP transcript looks as follows:

   Sender:      MAIL FROM:   <someone@somewhere.com>
   Mail Serv:   250 Ok
   
   Sender:      RCPT TO: <target@victim.com>
   Mail Serv:   250 Ok
   
   Sender:      DATA
   Mail Serv:   354 End data with .
   Sender:      Some message data
                Second line
                .
   Mail Serv:   250 Ok
   ... and the message is delivered.
   

Problem 6 - SYN Floods

SYN-flooding attacks have created a lot of trouble on the Internet. For each of the following possible defenses against SYN flooding, explain how well you think this defense will work, and how an attacker might work around the defense..

1. Increase the size of the network connections table by a factor of 10.
2. Identify the origin of the attack by looking at the source address in the incoming packets. Reject SYN requests that come from a host that has recently sent more than 5 requests
3. Set a limit or quota on the number of incomplete connections, and discard SYN packets if the number of incomplete connections reaches the limit. This should be combined with a practice of keeping track of how long a connection has remained incomplete, and discarding state associated with incomplete connections that have timed out. A connection is incomplete if the server has sent a SYN-ACK response and has not received a corresponding ACK.
4. When the network connections table is full, and a new SYN packet arrives, randomly choose to either ignore the SYN packet, or randomly choose an existing incomplete session to delete from the table. If an incomplete session is deleted, then the new SYN packet can be answered. When analyzing this alternative, try to consider the best probabilities to use in making your decisions.
5. Set up another machine (firewall) that answers all SYN packets, then forwards the connection messages on to the intended receiver if the connection is completed. The firewall can have a larger network connection table since it has few other jobs to perform.