Homework 2

CS155, Spring 2004

Due Thursday, June 3

Problem 1

Cygwin is a Linux-like environment for Windows, consisting of two parts: a  DLL (cygwin1.dll) that acts as a Linux emulation layer, and collection of tools that provide Linux functions. Recall from Lecture 9 that under Windows, the permissions on an object are given by a security descriptor (SD), which includes the security identifier (SID) of the owner, the SID of the group, and an ACL of SIDs and  their permissions. An element of an ACL is called an access control element (ACE) and contains three parts: the type of the ACE, permissions, and the SID for which these permissions apply. The two important types of ACEs are the access allowed ACEs and the access denied ACEs. The order of ACEs is important. The system reads them in sequence until either any needed right is denied or all needed rights are granted. Later ACEs are then not taken into account.

(a) Explain how you would map the rwx  user, group, and other permissions of a UNIX file to a Windows SD for that file. Do you need access allowed ACEs, access denied ACEs, or both?

(b) Windows uses access tokens to identify a user and it's permissions. To switch the user context, an application has to request an access token. This is typically done by calling the Windows  API function LogonUser. The access token is returned and either used in ImpersonateLoggedOnUser to change user context of the current process or in CreateProcessAsUser to change user context of a spawned child process.Explain briefly how you might use these Windows features to provide Unix setuid features in Cygwin.

Problem 2

An unnamed Ivy League University suggests that computer science instructors set up a setuid script to allow students to copy their assignments into the protected course area of a file system. Here is part of the instructions for instructors:  "You can use a local submission script that copies the student's submission to the local account. This involves using a setuid script to have the student be able to run a script as if the class account invoked the script."

(a) What are the likely permission bits for the submit script?

(b) Under reasonable assumptions about how and where grades might be stored, how might you use this script to change your course grade? Do not assume that you will be able to modify the script.

Clarification: Your exploit in 2b) should work on this example of a submit script. We don't expect you to know Perl for this class, but the comments should give you a fair idea of what the code is doing. You can run this script on the elaines if you'd like, but you might want to change the value of the submitdir variable for testing.

Problem 3

One security problem with TCP based network services is that anyone can remotely test whether the service is available. For example, by attempting to connect to port 25 on a specific machine anyone can test whether that machine is running an SMTP server. This makes it easier to find machines that are vulnerable to sendmail bugs.

Can you suggest a method by which only authorized users who posses a certain secret will get a response to a TCP SYN packet?
Hint: look for "port knocking".

Problem 4

In class we saw that Microsoft's NGSCB project requires a special tamper resistant chip one every machine. The chip holds a secret key used for signing the boot executable code. These signatures are then used for attestation, i.e. for proving to a remote server what code is running on the user's machine.

(a) Suppose user A is able to extract the secret signing key from the tamper resistant chip in his machine. Explain the implications of this for the validity of the attestation process. How could A use this key to fool a remote server about the software running on A'a machine?

(b) How would you defend against this problem? You may assume that the private key extracted from the chip is published on the web (anonymously) so that anyone can mount the attack from part (a).

Problem 5

Slide 20 of Lecture 14 shows an IP spoofing attack that was devised in 1985 for 4.2 BSD Unix. One shortcoming of this and other early versions of Unix is that sequence numbers for network packets are chosen very predictably. In particular, 4.2 BSD maintains a global initial sequence number that is incremented by 128 each second and by 64 after each connection is started. 

For concreteness, let us assume that host A, the intended victim, listens on port 514 for remote execution requests. When a request arrives on this port, A checks the originator of the request against a list of trusted hosts in the .rhosts file. This comparison uses the source IP address field in the arriving packet. Assume that host B in slide 20 of Lecture 14 is in the .rhosts file of machine A.

Since ports are managed by TCP, a TCP connection must be established before a remote execution request can be issued and completed. As we saw in Lecture 14, a TCP connection is established using a handshake of three messages: SYN, SYN-ACK, and ACK. If a client C wants to connect to a server S, then the SYN message from C to S contains a sequence number c chosen by C, the SYN-ACK message contains sequence number c+1 and a sequence number s chosen by the server, and ACK contains the sequence numbers c+1 and s+1.  Another fact about TCP that is useful in understanding the attack is that if a machine receives a message that it is not expecting, the machine may send an RST message to "reset" the TCP connection. When a machine receives a RST message, it closes any open or half-open port and returns to the LISTEN state, waiting for another connection.

 (a) The first step of the attack is to flood some port on B, say port 21. Explain the purpose served by this step. (You may need to read the rest of this problem to figure out the answer.)

(b) In the second step of the attack, evil E creates a real connection from victim A. What is the purpose of this step? (Ideally, E would like to do steps one and 2 at the same time.)

(c) The real action begins with the third step, where evil E sends a SYN packet to A, with a forged return address. The return address on this packet is port 21 on bystander B. How will E calculate or estimate the sequence number that A uses? Keep in mind that since A sends a return SYN-ACK to B, evil E will not see the sequence number in A's SYN-ACK message.

(d) In step four, E sends an ACK message to A. Explain how E chooses both sequence numbers.

(e) In step five, E uses the now completed TCP connection on port 514 to execute a command on A. To do this, A sends a null followed by a user name, followed by a command. Explain some scenarios where a attacker with control of machine E would have this kind of information. Assuming that E knows the IP address of machine A that he or she wishes to attack, make a list of all the other information that E must collect in order to mount this attack.

(f) This attack can be executed remotely. In other words, E does not have to be on the same local area network as A or B. Assuming that A and B are on a local area net behind a firewall, what kind of firewall policy would prevent this attack without blocking any "reasonable" network traffic by honest users.