Assignment 8, due Apr 18

Part of the homework for 22C:169, Spring 2005
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments are due at the start of class on the day indicated. Unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

For those taking the course by video link, assignments may be submitted electronically by E-mail to Rajiv Raman. Please do not use obscure attachment formats! Plaintext E-mail is preferred to HTML, Word, RTF or other even more obscure formats!

  1. Consider an improved version of the Amoeba system (with nice long keys instead of the short ones of the original Amoeba) on which a user wishes to construct a secure server for some abstract resource class. The server is launched as a single process with a capability from the public registry of available services. It uses one of these public services to draw a random number, its IDprivate. It then registers with its local kernel to allow others to request its services, and it creates a capability for itself and registers this, with the name of its service, with the registry of available services. Finally, it goes into its loop awaiting service requests and offering whatever service it is supposed to deliver.

    Assume that the Amoeba kernel is indeed correctly implemented and secure against attacks from applications, and assume that physical attacks on the system are impossible. That is, our attacker must operate by writing code that runs as an application under our improved Amoeba.

    The above outline implies a serious vulnerability. An attacker might exploit it by either of two distinctly different approaches to identity theft, each of which ends with the attacker's server being used where clients intended to use our new secure server. Note: This is a case where two different ways of exploiting the same vulnerability lead to the same end result.

    Identify the vulnerability and explain at least one and preferably both exploits.
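    To make the bootstrap sequence concrete, here is an added Python model of the steps the problem lists; it is not code from the course or from Amoeba. The capability layout, the 128-bit field widths (the original Amoeba used 48-bit port, 24-bit object, 8-bit rights and 48-bit check fields), the SHA-256 one-way function used to derive the port and check fields, and the names `Kernel`, `Registry`, `RandomService`, `Server`, `bootstrap` and `client_request` are all assumptions of the model chosen to mirror the description above, not Amoeba's actual interfaces. The model stops at the set-up the problem describes; it shows how a client finds the server and how the server checks the capabilities it is handed, and nothing more.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Assumption: "nice long keys" are modelled as 128-bit fields throughout.
KEY_BYTES = 16


@dataclass(frozen=True)
class Capability:
    port: bytes    # public port of the server that owns the object
    obj: int       # object number inside that server
    rights: int    # rights bitmap (8 bits)
    check: bytes   # check field proving the holder was granted these rights


def one_way(*parts: bytes) -> bytes:
    """One-way function for deriving ports and check fields (assumption: the
    real Amoeba derived its public put-port from the private get-port the
    same way; SHA-256 truncated to KEY_BYTES stands in for it here)."""
    return hashlib.sha256(b"|".join(parts)).digest()[:KEY_BYTES]


class Kernel:
    """Local kernel: a process registers the port it answers on, and a
    request addressed to a capability is delivered to that port's owner."""

    def __init__(self):
        self._listeners = {}

    def listen(self, port: bytes, process) -> None:
        self._listeners[port] = process

    def deliver(self, cap: Capability, request: str):
        return self._listeners[cap.port].handle(cap, request)


class Registry:
    """Public registry of available services, as the problem describes it:
    a name-to-capability table that any process may read or write."""

    def __init__(self):
        self._table = {}

    def register(self, name: str, cap: Capability) -> None:
        self._table[name] = cap

    def lookup(self, name: str) -> Capability:
        return self._table[name]


class RandomService:
    """Stand-in for the public random-number service (assumed interface).
    It is public, so it does not validate the check field it is handed."""

    def __init__(self, kernel: Kernel, registry: Registry):
        self.port = secrets.token_bytes(KEY_BYTES)
        kernel.listen(self.port, self)
        registry.register("random", Capability(self.port, 0, 0xFF, b"\0" * KEY_BYTES))

    def handle(self, cap: Capability, request: str) -> bytes:
        return secrets.token_bytes(KEY_BYTES)


class Server:
    """Follows the bootstrap sequence of problem 1 step by step."""

    def __init__(self, name: str, kernel: Kernel, registry: Registry):
        self.name = name
        # Step 1: draw IDprivate from the public random-number service.
        self.id_private = kernel.deliver(registry.lookup("random"), "draw")
        # Step 2: register with the local kernel on a port derived from IDprivate.
        self.port = one_way(b"port", self.id_private)
        kernel.listen(self.port, self)
        # Step 3: build a capability for the server itself and publish it by name.
        self.obj, rights = 0, 0xFF
        registry.register(name, Capability(self.port, self.obj, rights, self._check(self.obj, rights)))
        # Step 4: service loop; requests arrive through handle().
        self.served = []

    def _check(self, obj: int, rights: int) -> bytes:
        return one_way(b"check", self.id_private, obj.to_bytes(4, "big"), bytes([rights]))

    def handle(self, cap: Capability, request: str) -> str:
        # Only IDprivate can produce a valid check field for a given (obj, rights).
        if cap.check != self._check(cap.obj, cap.rights):
            return "REJECT: bad check field"
        self.served.append(request)
        return f"OK from {self.name}: {request}"


def client_request(kernel: Kernel, registry: Registry, name: str, request: str) -> str:
    """What a client does: look the service up by name and send it a request."""
    return kernel.deliver(registry.lookup(name), request)


def bootstrap(service_name: str = "resource"):
    """Bring up kernel, registry, random service and the new server."""
    kernel, registry = Kernel(), Registry()
    RandomService(kernel, registry)
    server = Server(service_name, kernel, registry)
    return kernel, registry, server
```

    A client that tampers with the rights field of a capability it was given is turned away, because the check field is bound to IDprivate; the exercise is to work out what the set-up above does not protect.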

  2. Grade your professor's work? Look at this material on the web:
      http://homepage.cs.uiowa.edu/~dwjones/voting/miamitest.pdf
    This is a consulting report to Miami-Dade County, written after a visit to observe their pre-election tests. Many of the observations in this report relate to the security of their electronic voting system, including the tabulating center. Most of it relates to administrative issues such as those we have just discussed.

    The following handout, given to the press at the start of testing, describes the general procedures for the test and may provide useful background:
      http://homepage.cs.uiowa.edu/~dwjones/voting/miamihandout.pdf
    The vendor's on-line demo (including a brief movie) for the voting system that was being tested may also provide useful background:
      http://www.essvote.com/HTML/fla/ivotronic/iVotronic_tour.html

    Some appropriate questions to consider: What security issues did this report not address? What security issues does it ignore? How much of the report deals with issues that are security related in the strictest sense? How much of the report deals with issues that are not security related, even in the broadest sense?

    Finally, it is interesting to ask whether the report addressed the problems that led to the forced resignation of Constance Kaplan, the election director in Miami-Dade County, just before April first. She had accidentally failed to configure the voting machines to handle properly the case where election workers must intervene after a voter leaves the polling place having started to vote but without properly terminating the voting session; as a result, such ballots were cancelled where Florida law requires that they be cast.