Exam 1: Midterm Solutions

Part of the assignments for 22C:169, Spring 2006
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Score Distribution

                                  X   X
__________________________________X_X_X___________X_______X___X_____________
 0 . 1 . 2 . 3 . 4 . 5 . 6 . 7 . 8 . 9 . 10. 11. 12. 13. 14. 15. 16. 17. 18
                                    B                   A

Solutions

  1. Background: This exam was formatted for printing using a web server, and it was written in HTML on a Unix system. All files on the computer science departmental server are potentially shared, and when a file is stored in the "web space" on the server, the web browser has the same access rights to the file as the public have. Assume that this file is in the directory ~dwjones/wwwdir/security/hw/ and note that the assignments for this course are all indexed on the web at http://homepage.cs.uiowa.edu/~dwjones/security/hw/. Note that, if the web browser does not find an index.html file in a directory, and if it can read the directory, it makes the directory into a web page constructed from the data returned by the ls command.

    a) Suggest 3 different barriers that could have been used to prevent students from accessing the web page containing this exam during its development, assuming that it is stored, continuously, in the assignments directory during this time. (3 points)

    -- Set the access rights to the directory .../hw/ to rwx--x--x so that only the owner can list the directory. This prevents anyone but the owner from finding the name of the exam file. This prevents users with access to the file system from finding the file name.

    -- Make sure that there is an .../index.html/ file in the directory, and that this file does not contain a link to the exam file. This prevents web users from finding the name of the exam file.

    -- Use an obscure file name. In effect, the file name itself becomes equivalent to a password.

    -- Set the access rights on the file holding the exam to rw------- whenever possible.

    Note: Many people said things like "use a hidden file name", not specifying the way the name is hidden; File names starting with dot are not very well hidden in Unix/Linux. Some said to password protect the file. Individual files in Unix/Linux can't be password protected. Some suggested using ornate features of Apache. These weren't discussed in class and therefore weren't really relevant as exam answers.

    b) Which of the above barriers depend on user authentication, and which depend on something else; if the barrier depends on something else, what? (2 points)

    The use of a secret file name is not an authentication-based scheme. The use of an index.html file to prevent listing of the directory is not authentication-based. All of the mechanisms that involve file ownership and access rights are authentication based.

    Only one student did parts a and b perfectly.

  2. Background: Here is a "simple" layout of information on who has access to what memory segments in a computer system with two users, 3 memory segments and a 2-level ring system typical of semi-secure computer systems since the 1960s:
    User State Kernel State
    User A Segment X Segment Z
    User B Segment Y Segment Z

    a) Construct the access matrix describing this system. Note that the presence of multiple rings (security levels) means that there are more than two users here! Also note that there is just one access right, RW, so we either grant RW access to some object or we don't. (3 points)

    X Y Z
    A as user RW
    A as kernel RW RW
    B as user RW
    B as kernel RW RW

    2 did perfectly here, the remainder had access matrices with just 2 rows and various other evidence of difficulty.

    b) Construct the access control list for segment X based on your answer to part a). (1 point)

    X
    A as user RW
    A as kernel RW

    2 did perfectly here. Several failed to squeeze out the no-access entries from the access matrix.

    c) Construct the capability list for (unprivileged) user A based on your answer to part a). (1 point)

    A as user X
    RW

    2 did perfectly here. 1 gave the same answer to parts b and c. Several failed to squeeze out the no-access entries from the access matrix.

    d) Describe the consequence, from the point of view of the domain of execution, and with reference to your answer to part a) above, of the domain of execution as user A makes a system call. (1 point)

    When a user makes a system call, the domain of execution changes from the user's unprivileged state to that user's privileged state.

    Thei was a hard problem. None really got it right, although several got some credit without mentioning the domain of execution.

  3. Problem: Exercise 1.3 in the text can be considered to be a trick question: "Should risk analysis of a computer center include flooding damage even if the center is in a high and dry location?" What is the trick? (1 point).

    To declare that the center is in a high and dry location implies that a risk analysis has already been completed with regard to flooding. Perhaps it was trivial, taking just a second to note that the building is on a hilltop, but the wording implies that the analysis has been done.

    Several students mentioned water damage from sprinklers or other non-flood sources. The risk of such water damage ought to be considered, but that misses the clear trick in this question. Two students clearly got the trick.

  4. Background: Consider the hypothetical Unix shell command anon. 
    	anon comm a b c

    The above use of the anon command causes the command comm a b c to be executed anonymously. That is, comm is executed as if it was typed in at a shell prompt, but it is executed by the most thoroughly undistinguished user, anon. Anon is guaranteed to be a member of no groups and is guaranteed to have the fewest rights of any user, the exact opposite of the super user. Anon has whatever access to files that members of the general public have, and anon has no personal home directory. Standard input, standard output and standard error are not changed by this command.

    a) What are the protection attributes (access rights, group and owner IDs) of the object file for the anon service. (1 point)

    It must be owned by ANON, group ANON, and --S--Sr-x, although there are problems with the owner and group rights no matter how you formulate things.

    Too many students just gave the access rights bits, without giving the ownership and group of the file. One just said SUID, with no more. 2 did well.

    b) Aside from the basics needed by execve to launch anon, what should this new application do in order to strip away any remaining connection to the domain of the user who launched it. (Note, you want it to be impossible for the launched application to be traced back to yourself.) (1 point)

    The application should: Change the real user ID and real group ID to the effective user ID and group ID. Change the working directory to something anonymous instead of the user's current working directory. Clear out the environment of anything that identifies the user such as $HOME and $PATH, installing a standard environment instead.

    Many students had one of these, only one student mentioned 2, for full credit.

    c) Given a working anon command, how could you use it to protect yourself from security threats, and what kinds of security threats would it protect you against. (1 point)

    Use it to run untrusted code, so that that code cannot masquerade as yourself to damage or examine your files. If you open attachments delivered in your E-mail using anon, for example, the risk of virus infection would plummet.

    Several people got full credit here, but too many just said "use it to send anonymous E-mail", one of the weakest and most obvious thing you could do with this command.

    d) Given a working anon command, how could it be used to aid an attack against a less than perfectly secure system, and exactly what aid does it provide. (1 point)

    If the system is vulnerable to attack, launching that attack by way of the anon command could be used to make it harder to trace that attack back to the user who launched it.

    This was the easiest question on the exam. Everyone got it.

  5. Background The Unix password encryption scheme assumes that there exists such a thing as a trapdoor function. A week ago, I bought a 40 gigabyte external disk drive for under 100 dollars. Many systems still limit passwords to 8 characters. The vast majority of passwords are composed of a mixture of upper and lower-case letters with digits, adding up to 62 characters. Assume that this is 64 for the sake of this problem.

    a) How much does it cost to store the dictionary needed to invert the trapdoor function applied to 8 character passwords. Approximate to keep your computations simple. (1 point)

    The file to invert the trapdoor function needs to store all (26)8 passwords (this is 248). Each password is 8 bytes, so it takes 251 bytes. Ignore the fact that passwords can be packed into 6 bytes each, it's not worth the effort. One gigabyte is 230 bytes, so we need 221 gigabytes. That is 2,000,000 gigabytes. Each drive has 40 gigabytes, so we need 2,000,000/40 drives, which is 500,000 drives. At $100 per drive, this is $5,000,000 worth of disk drives.

    1 student got this right. Many forgot the need to store the full trapdoor function, so they needed 248 bytes of storage. Others forgot to dollarize the result.

    b) If the information you are protecting has a cash value of one million dollars, how big a password should you use to protect it? Approximate to keep your computations simple. (1 point)

    You need 8 characters, since inverting the trapdoor function for 7-character passwords would take %5,000,000/64 worth of disk drives, which is much less than one million.

    Only 1 student got this.

  6. Background: Active data formats are immensely appealing. By including executable code in documents, for example, you can transmit the algorithm used to format the document instead of transmitting the output of the formatting algorithm. This can produce very impressive compression for many documents. In addition, this allows for active documents, for example, those containing animation and interaction with the user.

    Problem: What must be present in the domain in which an active data object is elaborated in order for such a document to pose a security threat? (2 points)

    The domain must not include any ability to write to or modify permanent objects other than the output medium on which the active object is being asked to record or display its content.

    Active objects that read from their domain pose less of a threat -- they cannot become viruses, but they might copy information that should not be copied, so the domain in which the active object is elaborated should not have read or inspect access to any data that it would be illegal to incorporate into the active object's output.

    Half the class got half credit here for discussing the need to execute active objects in a sandbos (for example, that created by the anon command), but none got full credit because none addressed the question head on and tackled what must not be available in the sandbox.