689ihw3 Key
Homework 3 KEY
ENTS 689i Network Immunity
Fall 2008
Questions
1. A directory is also an object to which access should be controlled. Why is it not
appropriate to allow users to modify their own directories?
In the directory model, a directory is the per-user list of the objects that user may access and
the rights held on each object. If users had write permission on their own directory, they could
grant themselves any right on any file in the system. That would let them subvert the access
control policies of every other user, so modification of directories must be reserved for the
system itself rather than the user who owns the directory.
Some students also pointed out the management issues with allowing multiple people to change
the same data structure; however, the security risk is the more important factor.
2. (20 points) Pfleeger, Chapter 4, exercise 22.
a) (5 points) If passwords are three uppercase alphabetic characters long, how long (that
is, how much time) would it take to determine a particular password, assuming that
testing an individual password requires 5 seconds?
26^3 * 5 = 17576 * 5 = 87880 seconds ≈ 1464.7 minutes ≈ 24.4 hours, i.e. just over 1 day.
b) (5 points) Argue for a particular amount of time as the starting point for "secure."
That is, suppose an attacker plans to use a brute force attack to determine a password.
For what value of x (the total amount of time to try as many passwords as necessary)
would the attacker find this attack prohibitively long?
For this answer, you were supposed to pick an actual length of time and argue why it would
be OK. Expected answers were a minimum of a couple of months up to a reasonable
number of years. An answer that mentions password change policies, such as “it's reasonable
to ask a user to change his or her password once per year,” was good. It's also reasonable to
note that different systems may warrant different values for x. For example, your bank
account password may be more sensitive than your Yahoo subscription (or possibly not).
c) (10 points) If the cutoff between "insecure" and "secure" were x amount of time, how
long would a secure password have to be? State and justify your assumptions regarding
the character set from which the password is selected and the amount of time required
to test a single password.
Assumptions:
1. Y is the length of the password
2. N is the number of possible characters to choose from
3. A is the amount of time it takes an attacker to guess and check a single password
The maximum amount of time required to crack any given password is thus N^Y * A. Since
we want that value to be greater than X, we can set up the inequality N^Y * A > X and solve
for Y, which is what the question asks for. Assuming N = 72 (26 lowercase letters, 26 uppercase
letters, 10 digits, and 10 “symbols”), X = 1 year = 3.1536 x 10^10 milliseconds, and
A = 5 milliseconds, we have:
72^Y * 5 > 3.1536 x 10^10
72^Y > 6.307 x 10^9
Y >= 6 (72^5 ≈ 1.9 x 10^9 falls short while 72^6 ≈ 1.4 x 10^11 does not, so passwords must be
6 characters or longer, given my assumptions)
It is also reasonable to argue that this is simply the worst case and that the attacker, on
average, only needs to get through (something like) 50% of the guesses to find a particular
password. You could then incorporate such a probability into your calculation.
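The inequality above carried through as code, so the assumptions can be varied. This is an added example, not the key's own work; the 1-year cutoff, the 72-character alphabet and the 5 ms guess time are the key's assumptions, and the 5 microsecond offline-cracking rate in the usage lines is an extra assumption added here for contrast.

```python
# Added example (not part of the original key): the part (c) inequality
# N^Y * A > X solved by search, using the key's symbols:
#   N = alphabet size, Y = password length, A = seconds per guess,
#   X = cutoff in seconds. 'fraction' models the point that an attacker
#   expects to succeed after searching only part of the space
#   (0.5 = average case, 1.0 = worst case).

ONE_YEAR = 365 * 24 * 60 * 60  # seconds (the key's X = 1 year)


def attack_seconds(n, y, a, fraction=1.0):
    """Time to search 'fraction' of the N^Y password space at A seconds per guess."""
    return fraction * n ** y * a


def min_secure_length(n, a, x, fraction=1.0):
    """Smallest Y such that fraction * N^Y * A > X.

    A loop is used rather than ceil(log(X / (fraction * A)) / log(N)) so that the
    strict inequality is honoured exactly and floating-point rounding at the
    boundary cannot return a length that is one too small.
    """
    y = 1
    while attack_seconds(n, y, a, fraction) <= x:
        y += 1
    return y


def format_duration(seconds):
    """Render seconds as days/hours/minutes/seconds, as in the part (a) answer."""
    minutes, secs = divmod(int(seconds), 60)
    hours, minutes = divmod(minutes, 60)
    days, hours = divmod(hours, 24)
    return f"{days}d {hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    # Part (a): three uppercase letters at 5 s per guess -> 87880 s, just over a day.
    print(format_duration(attack_seconds(26, 3, 5)))
    # Part (c) with the key's assumptions: N = 72, A = 5 ms, X = 1 year -> Y = 6.
    print(min_secure_length(72, 0.005, ONE_YEAR))
    # Assumed offline cracker at 5 microseconds per guess, same cutoff -> Y = 7.
    print(min_secure_length(72, 0.000005, ONE_YEAR))
```

Note that the 50% average-case argument does not change the answer under the key's numbers (Y is still 6), whereas a thousandfold faster guess rate adds a character; the guess rate A is the assumption that matters most.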
3. (12 points, 2pts each) Pfleeger, Chapter 5, exercise 5.
Can a user cleared for <secret;{dog, cat, pig}> have access to documents classified in each
of the following ways under the military security model?
a) <top secret;{dog}>
NO: insufficient level (top secret is above secret)
b) <secret;{dog}>
YES
c) <secret;{dog,cow}>
NO: need compartment “cow”
d) <secret;{moose}>
NO: need compartment “moose”
e) <confidential;{dog,pig,cat}>
YES
f) <confidential;{moose}>
NO: need compartment “moose”
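The dominance relation behind these six answers, written out as code. This is an added example and not part of the original key; it assumes the level ordering unclassified < confidential < secret < top secret, and the can_write function (the *-property) goes beyond the question, which only asks about read access.

```python
# Added example (not from the original key): the dominance check behind question 3.
# A label is (level, set of compartments). A subject may read an object only if the
# subject's label dominates the object's: level at least as high AND every compartment
# of the object is held by the subject. The level ordering below is an assumption.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dominates(a, b):
    """True if label a = (level, compartments) dominates label b."""
    a_level, a_comps = a
    b_level, b_comps = b
    return LEVELS[a_level] >= LEVELS[b_level] and set(b_comps) <= set(a_comps)


def can_read(subject, obj):
    """Simple security property (no read up): the subject must dominate the object."""
    return dominates(subject, obj)


def can_write(subject, obj):
    """*-property (no write down): the object must dominate the subject, so
    information cannot flow to a lower or differently compartmented label."""
    return dominates(obj, subject)


def explain_read(subject, obj):
    """Reproduce the key's YES / NO-with-reason answer for a read request."""
    s_level, s_comps = subject
    o_level, o_comps = obj
    if LEVELS[s_level] < LEVELS[o_level]:
        return "NO: insufficient level"
    missing = sorted(set(o_comps) - set(s_comps))
    if missing:
        return "NO: need compartment " + ", ".join(missing)
    return "YES"


if __name__ == "__main__":
    user = ("secret", {"dog", "cat", "pig"})
    documents = [
        ("top secret", {"dog"}),
        ("secret", {"dog"}),
        ("secret", {"dog", "cow"}),
        ("secret", {"moose"}),
        ("confidential", {"dog", "pig", "cat"}),
        ("confidential", {"moose"}),
    ]
    for doc in documents:
        print(doc, "->", explain_read(user, doc))
```

Both halves of the check matter: case (a) fails on level alone, cases (c), (d) and (f) fail on compartments alone, and (f) shows that a lower level does not compensate for a missing compartment.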
4. (28 points, 4pts each) A group of students have accounts on a standard Unix system. All
students are members of the group students and have accounts named student1,
student2, etc. There are also a number of non-student users on the system who are not
members of the group students. The following are a set of directory listings from the
system:
/home/student1
rw-r--r--  student1 students myhomework.txt
rwxr-xr-x  student1 students mygame.exe
drwx------ student1 students secret
/home/student1/secret
rw-------  student1 students mysecretkey
rwxrwxrwx  student1 students mydiary.txt
/home/student2
rw-------  student2 students myhomework.txt
rwSr-x---  student2 students mygame.exe
Assuming that students all have read and execute (but not write) permissions for each
other's home directories, answer the following questions:
a) Can student2 read student1's homework?
YES
b) Can student1 read student2's homework?
NO
c) Can student2 read student1's secret key?
NO: student2 has no permissions at all (not even execute/search) on the directory
/home/student1/secret, so the file cannot be reached.
d) Can student2 modify student1's diary?
NO: same reason. The diary itself is world-writable, but without search permission on the
directory student2 cannot open it.
e) Can student2 execute student1's game program? If so, with what user and group
permissions will that process execute?
YES. With user: student2 and group: students (student2's normal permissions)
f) Can student1 execute student2's game program? If so, with what user and group
permissions will that process execute?
YES. Because the program is marked SETUID (the S in the owner's execute position), it will
execute with its owner's permissions, user: student2. Both students have the same group, but
technically the group comes from student1's primary group, students, since setuid changes only
the effective user ID and not the group ID.
g) Can non-students execute student2's game program? If so, with what user and group
permissions will that process execute?
NO: the “other” permission bits on mygame.exe grant no access, so a non-student cannot execute it.
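A small model of the Unix checks behind the seven answers, as an added example that is not part of the original key. Assumptions beyond the listing: /home is root-owned rwxr-xr-x, each home directory is rwxr-xr-x (so the search permission the question grants students is also given to non-students, which makes the non-student denial in (g) come from the file's own bits), "prof" is a constructed non-student user, no root override is modelled, and setuid is honoured unconditionally (a real kernel also ignores it for scripts and on nosuid mounts).

```python
# Added example (not from the original key): Unix discretionary access checks for
# question 4. File modes are the reconstructed listing; /home, the home-directory
# modes and the user "prof" are assumptions made for the example.
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass
class Inode:
    owner: str
    group: str
    mode: str  # nine ls-style characters, e.g. "rwSr-x---"


def parse_mode(mode):
    """Return (owner, group, other) rwx bitmasks and the setuid flag from an ls string."""
    if len(mode) != 9:
        raise ValueError("expected nine permission characters")

    def triple(s):
        bits = 0
        if s[0] == "r":
            bits |= R
        if s[1] == "w":
            bits |= W
        if s[2] in "xs":  # lowercase 's' = setuid and execute; 'S' = setuid without execute
            bits |= X
        return bits

    return triple(mode[0:3]), triple(mode[3:6]), triple(mode[6:9]), mode[2] in "sS"


# Users and their group memberships (primary group listed first). "prof" is constructed.
GROUPS = {"student1": ["students"], "student2": ["students"], "prof": ["faculty"]}

FS = {
    "/home": Inode("root", "root", "rwxr-xr-x"),
    "/home/student1": Inode("student1", "students", "rwxr-xr-x"),
    "/home/student1/myhomework.txt": Inode("student1", "students", "rw-r--r--"),
    "/home/student1/mygame.exe": Inode("student1", "students", "rwxr-xr-x"),
    "/home/student1/secret": Inode("student1", "students", "rwx------"),
    "/home/student1/secret/mysecretkey": Inode("student1", "students", "rw-------"),
    "/home/student1/secret/mydiary.txt": Inode("student1", "students", "rwxrwxrwx"),
    "/home/student2": Inode("student2", "students", "rwxr-xr-x"),
    "/home/student2/myhomework.txt": Inode("student2", "students", "rw-------"),
    "/home/student2/mygame.exe": Inode("student2", "students", "rwSr-x---"),
}


def effective_bits(inode, user):
    """Unix picks exactly one class: owner if the user owns it, else group, else other."""
    owner_bits, group_bits, other_bits, _ = parse_mode(inode.mode)
    if user == inode.owner:
        return owner_bits
    if inode.group in GROUPS[user]:
        return group_bits
    return other_bits


def can_access(user, path, want):
    """True if every directory on the path is searchable (x) by the user and the
    final object grants all bits in 'want'. A non-searchable directory hides
    everything below it, whatever the file's own mode says."""
    parts = path.strip("/").split("/")
    for i in range(1, len(parts)):
        directory = "/" + "/".join(parts[:i])
        if not effective_bits(FS[directory], user) & X:
            return False
    return effective_bits(FS[path], user) & want == want


def exec_identity(user, path):
    """Return the (effective user, group) a process would run as, or None if exec is denied.
    Setuid swaps only the effective user; the group stays the caller's primary group."""
    if not can_access(user, path, X):
        return None
    inode = FS[path]
    setuid = parse_mode(inode.mode)[3]
    return (inode.owner if setuid else user, GROUPS[user][0])


if __name__ == "__main__":
    print("a)", can_access("student2", "/home/student1/myhomework.txt", R))
    print("c)", can_access("student2", "/home/student1/secret/mysecretkey", R))
    print("d)", can_access("student2", "/home/student1/secret/mydiary.txt", W))
    print("f)", exec_identity("student1", "/home/student2/mygame.exe"))
    print("g)", exec_identity("prof", "/home/student2/mygame.exe"))
```

The two points the answers turn on are both visible in the code: effective_bits never falls through to a more permissive class (so student1 gets nothing from the world-readable bits on student2's homework, since the group class applies), and can_access checks every ancestor directory for search permission before looking at the file, which is why the world-writable diary is still unreachable.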
5. (10 points) Briefly explain (1-2 paragraphs) what code authentication is and how it can
help with the Trojan problem.
The question asked about “code authentication,” which could be interpreted to mean specifically
authentication of executable code that will be loaded into memory and run, or simply file
authentication applied to executable programs. In either case the idea is that, along with the
content itself, the file producer/distributor also provides some “proof” to the consumer that
they actually produced the distributed content. Typically, this proof is a digital signature,
made with the producer's private key, over a digest (hash) of the file's contents. The public
key used to verify this signature is typically distributed in a certificate that cryptographically
binds the key to its rightful owner, so the approach relies on a working public key
infrastructure (PKI). The producer's responsibility is to protect the private key, sign all valid
content, and never sign invalid content. The consumer's responsibility is to verify all content
before executing it, including the necessary certificate verification steps (chain of trust,
validity period, revocation status).
Since a trojan is a program that appears to do something useful but in fact has some hidden
functionality, it is not usually apparent to the user that a program has been replaced
(“trojaned”). However, if the user requires that only authenticated content be executed, then the
trojan author cannot forge a signature of any trusted party and therefore cannot fool the user
into running the trojan. More generally, modifications to existing files, e.g., those made by
viruses, are also detected, since any change to the contents invalidates the signature.
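A signed-digest check of the kind described above, as an added example that is not part of the original key. It assumes textbook RSA over a SHA-256 digest with no padding, keys generated in the example itself from a fixed seed, and no certificate or PKI step (the verifying public key is simply taken as trusted); a real deployment would use RSA-PSS or Ed25519 from a vetted library. The point it shows is the one the answer makes: a trojaned file fails verification, and an attacker without the producer's private key cannot produce a signature that the consumer's trusted key accepts.

```python
# Added example (not the original key's code): code authentication with a signature
# over a file digest. Textbook RSA without padding, keys from a fixed seed, and a
# trusted public key with no certificate chain are all assumptions for illustration.
# Requires Python 3.8+ for pow(e, -1, phi).
import hashlib
import math
import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witness for compositeness was found
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if is_probable_prime(candidate, rng):
            return candidate


def keygen(bits=512, seed=2008):
    """Return ((n, e), (n, d)). The seed makes the example reproducible; a real key
    must come from a cryptographic random source."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def digest_int(data):
    """SHA-256 of the file contents as an integer; 256 bits, so below any 512-bit n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    """Producer side: sign the digest, never the raw file."""
    n, d = private_key
    return pow(digest_int(data), d, n)


def verify(public_key, data, signature):
    """Consumer side: recompute the digest and compare with the recovered one."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(data)


def load_if_authentic(public_key, data, signature):
    """The consumer's policy: return the code to run only if its signature verifies."""
    return data if verify(public_key, data, signature) else None


if __name__ == "__main__":
    producer_pub, producer_priv = keygen()
    program = b"#!/bin/sh\necho legitimate program\n"  # constructed sample file
    signature = sign(producer_priv, program)
    print("genuine:", load_if_authentic(producer_pub, program, signature) is not None)
    trojaned = program + b"echo hidden behaviour\n"
    print("trojaned:", load_if_authentic(producer_pub, trojaned, signature) is not None)
    _, attacker_priv = keygen(seed=1337)  # attacker has a key, but not the producer's
    forged = sign(attacker_priv, trojaned)
    print("re-signed by attacker:", load_if_authentic(producer_pub, trojaned, forged) is not None)
```

The last case is the important one for the Trojan problem: re-signing with a different key is trivial, so the protection lies entirely in the consumer checking against a key it already trusts, which is what the certificate and PKI steps establish.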
6. (10 points) Briefly explain (~1 paragraph) what a runtime packer is. Explain (1-2
paragraphs) how and why some malicious software uses runtime packing techniques.
NOTE: Answer taken from http://www.virusbtn.com/resources/glossary/packer.xml. I was not
hoping to get verbatim answers, but that appears to have happened a fair amount.
Packers are wrappers put around pieces of software to compress and/or encrypt their contents.
They can be used by legitimate software to minimize download times and storage space or to
protect copyrighted code, but are commonly used in malware to disguise the contents of
malicious files from malware scanners.
Runtime packers unpack (i.e. decrypt or decompress) executable files as they run: the first
stage is the unwrapping process, and the unpacked code is then loaded into memory and run. A
file can be packed numerous times with slight changes to the packing method, or with small and
insignificant changes to the file inside, producing a final file that appears different from
another copy of the same file packed differently. A great deal of malware is regularly repacked
in this way to try to beat signature-based detection, a technique known as polymorphism.
Anti-malware software can get around this by unpacking known packers as part of the scanning
process and matching against the unpacked contents.
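A toy runtime packer and a pattern-matching scanner, as an added example that is not part of the original key or the cited glossary. It assumes the "executable" is just a byte string, the packer is zlib compression followed by a one-byte XOR with the key stored in front, and the scanner's signature is a constructed marker string; no real packer or executable format is modelled.

```python
# Added example (not from the original key): why repacking defeats a static signature
# and why scanners unpack before matching. Packer format, payload and the scanner's
# signature are all constructed for the example.
import hashlib
import zlib

SCANNER_SIGNATURE = b"MALICIOUS_MARKER"  # constructed byte pattern the scanner knows


def pack(payload, key):
    """Compress the payload, XOR it with 'key' (1..255) and prefix the key so the
    runtime stub can reverse the transformation before handing control to the code."""
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    return bytes([key]) + bytes(b ^ key for b in zlib.compress(payload))


def unpack(packed):
    """The runtime stub's job: recover the original bytes, which are then run."""
    key = packed[0]
    return zlib.decompress(bytes(b ^ key for b in packed[1:]))


def static_scan(blob):
    """Naive scanner: match the signature against the bytes as they sit on disk."""
    return SCANNER_SIGNATURE in blob


def scan_with_unpacking(blob):
    """Scanner that recognises this packer and matches after unpacking."""
    try:
        return static_scan(unpack(blob))
    except zlib.error:
        return static_scan(blob)  # not our packer format; fall back to a static match


def fingerprint(blob):
    """Short hash, standing in for the file hash an anti-malware blocklist would use."""
    return hashlib.sha256(blob).hexdigest()[:16]


if __name__ == "__main__":
    payload = b"benign code ... " + SCANNER_SIGNATURE + b" ... more code"
    for key in (0x41, 0x73):  # same payload, two "polymorphic" repacks
        packed = pack(payload, key)
        print(hex(key), fingerprint(packed), static_scan(packed), scan_with_unpacking(packed))
```

Changing only the XOR key yields a file with a different hash and no visible signature, which is the whole of the polymorphism trick; the unpacking scanner recovers the identical payload from both, which is why emulating or stripping known packers is worth the cost.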
7. (10 points) Explain (2-3 paragraphs) the difference between virus scanning and integrity
verification. What are the relative advantages and disadvantages of each?
The basic idea here is that virus scanners can prevent or detect known malware and things that
look like known malware, but it is much harder for them to detect new threats. They also require
constant updates and are always “reactive.” False positives are also a potential issue.
Integrity verification cannot identify specific malware or prevent it directly, but it can be used
to make sure that trusted content has not been changed, thereby thwarting the malware's ability
to execute. One disadvantage is that, if integrity verification is used for virus protection, the
original “snapshot” must be taken before the virus is installed; a baseline taken from an
already-infected system will report the infection as legitimate. In general, integrity
verification is a more “principled” and general approach to detection, but it is more challenging
to maintain in some instances. An additional challenge for integrity verification is mutable data,
which cannot be assigned a static hash value. One possibility is to develop higher-level
constraints on the data and verify its “integrity” at that higher level (a la Clark-Wilson
integrity verification procedures).
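A Tripwire-style baseline check of the kind contrasted with virus scanning above, as an added example that is not part of the original key. Files are modelled as a constructed in-memory dict of path to contents rather than a real filesystem, the hash is SHA-256, and the mutable parameter is a deliberately crude stand-in for the higher-level constraints the answer mentions: paths listed there are simply excluded from the content comparison.

```python
# Added example (not from the original key): integrity verification against a baseline.
# The file trees below are constructed in memory for the example.
import hashlib


def snapshot(files):
    """Baseline: path -> hex digest of contents. Must be taken on a known-good system."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def verify_integrity(baseline, files, mutable=()):
    """Compare the current tree to the baseline. Returns (modified, added, missing).
    Paths in 'mutable' are expected to change and are not reported as modified."""
    current = snapshot(files)
    modified = sorted(
        p for p in baseline
        if p in current and p not in mutable and current[p] != baseline[p]
    )
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    return modified, added, missing


def is_clean(baseline, files, mutable=()):
    return verify_integrity(baseline, files, mutable) == ([], [], [])


if __name__ == "__main__":
    good = {"/bin/ls": b"ls v1", "/bin/sh": b"sh v1", "/etc/motd": b"welcome"}
    base = snapshot(good)
    # A trojaned ls plus a dropped file: both show up, with no knowledge of the malware.
    infected = {**good, "/bin/ls": b"ls v1 + hidden payload", "/tmp/.x": b"dropper"}
    print(verify_integrity(base, infected))
    # The caveat from the answer: a baseline taken after infection reports clean.
    print(is_clean(snapshot(infected), infected))
    # Mutable data: a growing log is a false alarm unless handled at a higher level.
    with_log = {**good, "/var/log/messages": b"line1\n"}
    later = {**with_log, "/var/log/messages": b"line1\nline2\n"}
    print(verify_integrity(snapshot(with_log), later))
    print(verify_integrity(snapshot(with_log), later, mutable={"/var/log/messages"}))
```

Excluding mutable paths outright is the weakest possible handling, since an attacker can then hide changes in them; a Clark-Wilson style check would instead verify properties such as "the log only grows and every appended line is well-formed", which requires application knowledge that a hash alone does not carry.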