Homework 2

CS255, Spring 2002

Problem 1

This problem asks about a SunShop Shopping Cart security vulnerability posted May 2, 2002. SunShop is a PHP/MySQL based shopping system. When a new customer registers on the site, the customer can insert JavaScript into the registration record, and that script is executed every time the administrator views the customer listing in the administrator area (a stored cross-site scripting flaw). This allows a malicious customer to redirect the administrator's browser to any page in the administrator area. Because the administrator is already authenticated, the malicious user does not need the administrator's password; the redirection lets the attacker do anything the administrator can do, e.g. generate new shopping coupons.
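The mechanism above, reduced to its essentials as an added illustration (this is not SunShop's code, and SunShop is written in PHP rather than Python): a customer record is stored with whatever the customer typed, and the administrator's listing page is built from it. The customer names, e-mail addresses and the placeholder ADMIN_ACTION_URL are constructed for this example; the vulnerable renderer pastes stored fields into the page verbatim, the fixed one escapes them at output time.

```python
import html

# Constructed sample records: an honest customer and one whose name field
# carries a script. ADMIN_ACTION_URL is a placeholder for whatever privileged
# page the attacker wants the administrator's browser to load; it is not a
# real SunShop path.
SAMPLE_CUSTOMERS = [
    {"name": "Alice Example", "email": "alice@example.com"},
    {"name": '<script>location="ADMIN_ACTION_URL"</script>',
     "email": "mallory@example.com"},
]


def render_listing_vulnerable(customers):
    """Build the admin customer listing by pasting stored fields into HTML.

    Anything the customer typed at registration is emitted verbatim, so a
    <script> element stored in a field runs in the administrator's session.
    """
    rows = "".join(
        f"<tr><td>{c['name']}</td><td>{c['email']}</td></tr>" for c in customers
    )
    return f"<table>{rows}</table>"


def render_listing_fixed(customers):
    """Same listing with every untrusted field HTML-escaped at output time.

    quote=True also escapes " and ', so the value is safe inside attribute
    values as well as element bodies.
    """
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            html.escape(c["name"], quote=True),
            html.escape(c["email"], quote=True),
        )
        for c in customers
    )
    return f"<table>{rows}</table>"


def contains_script_element(page_html):
    """Crude check used only to contrast the two renderers."""
    return "<script" in page_html.lower()


if __name__ == "__main__":
    print(render_listing_vulnerable(SAMPLE_CUSTOMERS))
    print(render_listing_fixed(SAMPLE_CUSTOMERS))
```

Escaping at the point of output is the durable fix: it does not depend on guessing every way a customer might encode a script at registration time, and it protects every page that later displays the field.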

List principles from Lecture 4 (either from the Viega and McGraw list or from Wheeler's suggestions) that you think were not given sufficient attention in the design of the SunShop web site. What do you think the patch or new version of the site does to prevent the vulnerability described above?

Problem 2

In class we have discussed capabilities and access control lists. Recall that Unix file protection is simply an optimization of access control lists in which there are only three “accessors”: owner, group, and public. A group is a set of named individuals. For each of the following protection problems, explain whether the problem can be solved with Unix file protection and whether it can be solved using capabilities. For each applicable mechanism, explain your solution.

  1. Rick wants his files readable by everyone except Jennifer.
  2. Helen and Anna want to share some secret files.
  3. Cathy wants some of her files to be public.

Problem 3

Given the security levels TOPSECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, say what type of access (read, write, both, or neither) is allowed in the following situations. Assume a user can read and write a file with the same classification as the user, and can otherwise read down and write up (no read up, no write down) according to the Bell-LaPadula model.

  1. Paul, cleared for (TOPSECRET, { A, C }), wants to access a document classified (SECRET, { C }). 
  2. Anna, cleared for (CONFIDENTIAL, { C }), wants to access a document classified (CONFIDENTIAL, { B, C }). 
  3. Jesse, cleared for (SECRET, { C }), wants to access a document classified (CONFIDENTIAL, { C }). 
  4. Sammi, cleared for (TOPSECRET, { A, C }), wants to access a document classified (CONFIDENTIAL, { A }). 
  5. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, { B }). 

Problem 4

A computer system provides protection using the Biba policy. How would a virus spread if: 

  1. the virus were placed on the system at system low (the compartment which all other compartments dominate)?
  2. the virus were placed on the system at system high (the compartment which dominates all other compartments)?
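Problems 3 and 4 are the same lattice calculation with the two rules swapped, so one added checker serves both (example code written for this page, not part of the assignment or of any real system). The levels and categories are those given in Problem 3; `dominates` is the standard lattice order (level at least as high and a superset of categories). For Problem 4 the lattice is assumed to be the same one, with system low taken as (UNCLASSIFIED, { }) and system high as (TOPSECRET, { A, B, C }), and the strict Biba policy is used; subjects and objects are identified with their labels. The names `label`, `blp_access`, `biba_access`, `problem3` and `biba_spread` are this example's own.

```python
from typing import Dict, FrozenSet, List, NamedTuple

# Total order on levels; categories form the power-set lattice.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOPSECRET": 3}


class Label(NamedTuple):
    level: str
    cats: FrozenSet[str]


def label(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice: level at least as high AND categories a superset."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.cats >= b.cats


def _describe(can_read: bool, can_write: bool) -> str:
    if can_read and can_write:
        return "both"
    if can_read:
        return "read"
    if can_write:
        return "write"
    return "neither"


def blp_access(subject: Label, obj: Label) -> str:
    """Bell-LaPadula (confidentiality).

    Simple security: read needs subject >= object (no read up).
    *-property:      write needs object >= subject (no write down).
    """
    return _describe(dominates(subject, obj), dominates(obj, subject))


def biba_access(subject: Label, obj: Label) -> str:
    """Biba strict integrity: the dual of BLP.

    Read needs object >= subject (no read down).
    Write needs subject >= object (no write up).
    """
    return _describe(dominates(obj, subject), dominates(subject, obj))


def problem3() -> Dict[str, str]:
    """The five cases of Problem 3 run through the BLP rules."""
    cases = {
        "Paul": (label("TOPSECRET", "A", "C"), label("SECRET", "C")),
        "Anna": (label("CONFIDENTIAL", "C"), label("CONFIDENTIAL", "B", "C")),
        "Jesse": (label("SECRET", "C"), label("CONFIDENTIAL", "C")),
        "Sammi": (label("TOPSECRET", "A", "C"), label("CONFIDENTIAL", "A")),
        "Robin": (label("UNCLASSIFIED"), label("CONFIDENTIAL", "B")),
    }
    return {who: blp_access(s, o) for who, (s, o) in cases.items()}


def biba_spread(virus: Label, others: List[Label]) -> Dict[str, List[Label]]:
    """For Problem 4: which labels may read (and so execute) a virus stored at
    `virus`, and which objects code running at `virus` may then write."""
    readers = [o for o in others if biba_access(o, virus) in ("read", "both")]
    targets = [o for o in others if biba_access(virus, o) in ("write", "both")]
    return {"can_be_read_by": readers, "can_write_to": targets}


# Assumed endpoints of the Problem 3 lattice, used for Problem 4.
SYSTEM_LOW = label("UNCLASSIFIED")
SYSTEM_HIGH = label("TOPSECRET", "A", "B", "C")

if __name__ == "__main__":
    print(problem3())
    middle = [label("SECRET", "A"), label("CONFIDENTIAL", "B", "C")]
    print(biba_spread(SYSTEM_LOW, middle + [SYSTEM_HIGH]))
    print(biba_spread(SYSTEM_HIGH, middle + [SYSTEM_LOW]))
```

Reading the two `biba_spread` results side by side gives the shape of the Problem 4 answer: under strict Biba nothing above system low may read a low-integrity file and code at system low may write nowhere else, whereas a file at system high is readable by everyone and code running there may write to every object.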

Problem 5

You start working for a company that does contract software development for security-conscious clients. The company has the following software rules to prevent information flow from high to low:

Explain why these rules do not prevent information flow from high to low and write a short code example to prove it. Your program should consist of one or two input statements, some statements containing assignments, and one output to low. You can assume there are two input files, called in_high and in_low, and two output files, called out_high and out_low. (Hint: in the if statement above, x and y do not need to have the same level.)

Problem 6

After getting your degree, you apply for a job as director of a large university computer center that has just put its ancient operating system out to pasture and switched over to Unix. You get the job. Fifteen minutes after starting work, your assistant bursts into your office screaming: “Some students have discovered the algorithm we use for encrypting passwords and posted it on the bulletin board.” What should you do?

Problem 7

DNSTools is a commercial solution for DNS configuration. This is what the vendor says about DNSTools: "DNSTools is a DNS configuration and DNS administration utility that eases the burden of network and system administrators by presenting all of their DNS data in an easy-to-use web interface and allowing them to modify that data quickly and easily. With a few simple clicks, you can modify a host name, add a new mail record, add new DNS name servers, delete an entire domain, or add an alias or second IP address to an existing host. These are just a few examples of what DNSTools provides."

There is a significant security problem for versions before 2.0 beta 5. The URLs for access as an authenticated user and administrator are 


  1. Explain what is wrong here. How can a malicious person act as an authenticated user or administrator?
  2. What are the consequences of this problem? Explain some things that a malicious person might accomplish in an environment running DNSTools and outline the sequence of DNSTools operations.

Problem 8

The Risks Digest is an electronic periodical moderated by Peter Neumann that documents risks encountered in various situations. Some are computer system problems and some are not. (For example, one Risks announcement explained how US Navy ships use radio frequencies that are used for garage door openers in Australia. When a US ship docks in an Australian port, all the garages for miles around may open.)  Pick out one article from the site at http://catless.ncl.ac.uk/Risks that describes a security vulnerability that is relevant to this class. Discuss it (write no more than one page). Is it an example of a more general problem? Has that problem been encountered before? Suggest a technical solution or administrative procedure that would decrease the likelihood of similar problems arising in the future.

Acknowledgements: Some problems are based on course material by Anita Jones and Matt Bishop.