
UNIVERSITY OF WATERLOO

David R. Cheriton School of Computer Science

CS 458/658 Computer Security and Privacy Winter 2010

ASSIGNMENT 2
(Due: March 8, 2010 8:30 am)

Total marks: 55

1. [8 marks total] Identification and Authentication.

(a) (6 marks) Suppose Alice wishes to log on to her personal bank account over the Internet
to do some online banking. She searches for her bank on Google and finds a likely
match as the first search result, so she proceeds to click on that link. How can Alice
identify the owner of the website that she is on (1 mark)? How can Alice authenticate
the owner of the website (1 mark)? What risk is Alice taking if she fails to properly
authenticate the owner (1 mark)? Assuming that Alice has found the legitimate website
for her bank, how can the website identify Alice (1 mark)? How can it authenticate her
(1 mark)? What risk is her bank taking if it does not properly authenticate Alice?
(b) (2 marks) Alice develops a new challenge-response protocol. It has the benefit that
the response is computable by humans, which simplifies deployment. In the protocol,
the server’s challenge is a random word. The user computes her response as (‘random
word’ XOR ‘password’). Assume that the random word and the password have the
same length. Comment on the security of this protocol.
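As an added illustration of the exchange in 1(b) (not part of the assignment), the following Python script plays one honest round of the protocol with a byte-string password and a random challenge of the same length, and then lets a passive eavesdropper who observed that single round answer a fresh challenge from the server. The password value and the use of raw bytes instead of a dictionary word are constructed choices for the example.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the protocol assumes equal length)."""
    if len(a) != len(b):
        raise ValueError("challenge and password must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def server_challenge(length: int) -> bytes:
    """Server side: a fresh random 'word' as long as the password."""
    return secrets.token_bytes(length)


def client_response(challenge: bytes, password: bytes) -> bytes:
    """User side: response = challenge XOR password."""
    return xor_bytes(challenge, password)


def server_verify(challenge: bytes, response: bytes, password: bytes) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return secrets.compare_digest(client_response(challenge, password), response)


def eavesdropper_recover(challenge: bytes, response: bytes) -> bytes:
    """Passive attacker: XOR is its own inverse, so (c XOR p) XOR c = p."""
    return xor_bytes(challenge, response)


def run_protocol(password: bytes = b"hunter22") -> tuple:
    """One honest round, then the attacker's answer to a brand-new challenge.

    Returns (password recovered from the wire, whether the forged login was accepted).
    """
    c1 = server_challenge(len(password))
    r1 = client_response(c1, password)          # both c1 and r1 travel in the clear
    assert server_verify(c1, r1, password)       # the honest login succeeds
    recovered = eavesdropper_recover(c1, r1)     # attacker only needs this one round
    c2 = server_challenge(len(password))         # server issues a fresh challenge
    forged = client_response(c2, recovered)      # attacker answers it without Alice
    return recovered, server_verify(c2, forged, password)


if __name__ == "__main__":
    pw, accepted = run_protocol()
    print(f"recovered password: {pw!r}, forged login accepted: {accepted}")
```

A fresh challenge per login does not help here: the response leaks the password to anyone who sees one challenge/response pair, so the protocol is no better than sending the password in the clear.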

2. [12 marks total] Basic Principles of Information Protection.


In The Protection of Information in Computer Systems, Section I.A (mandatory reading for
lecture 9), Saltzer and Schroeder present eight design principles for trusted systems. Many
systems still fail to follow the principles faithfully. For each of the failures below, state
which principle you believe is most clearly violated (1 mark), and justify your answer by
explaining how the principle was violated (1 mark) and why the programmer might have violated
it (1 mark). For example,

(1 mark) What: Principle of Psychological Acceptability
(1 mark) How: The CAPTCHA image is far too difficult for a human to read, causing user
frustration.
(1 mark) Why: The developer is aware of the various CAPTCHA cracking utilities available
to attackers and sought to make his CAPTCHAs too strong for them to defeat.
(Note: you should choose a different principle for each part.)

(a) (3 marks) The new graduate student admissions software which is used to admit grad
students to the School of Computer Science at University of Waterloo will only run
with administrator privileges.
(b) (3 marks) See the following code snippet:
Example Language: Java
import java.io.File;
public class DictionaryLoader {
    // The dictionary path is read verbatim from a JVM system property (settable with -D).
    public int loadDictionary() {
        String filename
            = System.getProperty("com.domain.application.dictFile");
        File dictionaryFile = new File(filename);
        return(1);
    }
}

3. [8 marks total] Bell-LaPadula Confidentiality Model / Biba Integrity Model.

In the Bell-LaPadula Confidentiality Model, suppose Sergeant Alice has clearance level (Secret,
{Army, Navy, Air Force}), and there are five documents with the following classification
levels:

• Document D101 has classification level (Secret, {Navy, Air Force, Coast Guard})
• Document D102 has classification level (Confidential, {Air Force})
• Document D103 has classification level (Unclassified, {Marines, Air Force, Coast
Guard})
• Document D104 has classification level (Top Secret, {Marines, Army, Navy, Air Force})
• Document D105 has classification level (Secret, {Army})

(a) (4 marks) Which of these documents can Alice read (2 marks)? Which can she write
to (2 marks)?
Note: you should use the following dominance hierarchy:
Unclassified ≤ Confidential ≤ Secret ≤ Top Secret.
(b) (4 marks) Now, assume the dynamic Biba Integrity Model with the low watermark property.
Viewing the above clearance and classification levels as integrity levels, suppose
Alice performs the following five steps:
• Alice reads from D101
• Alice writes to D102
• Alice reads from D103
• Alice writes to D104
• Alice writes to D105
After each of these five steps, what is Alice’s integrity level (2 marks), and what is the
integrity level of the documents she just accessed (2 marks)?
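Added example, not part of the assignment or the course's solution: a Python implementation of the dominance relation and lattice meet on (level, category set) labels, the Bell-LaPadula simple security property and *-property, and a low-water-mark simulator, run over the clearance and documents listed above. The BLP rules are the standard ones. For the Biba part the example assumes the low-water-mark is applied to the subject on every read and to the object on every write, with no access refused (a policy choice the question leaves open), so its trace is that variant's answer and not necessarily the one the course expects.

```python
from typing import FrozenSet, NamedTuple

# Sensitivity levels, lowest first (the dominance hierarchy given in the question).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


class Label(NamedTuple):
    level: str
    cats: FrozenSet[str]


def label(level: str, *cats: str) -> Label:
    if level not in LEVELS:
        raise ValueError(level)
    return Label(level, frozenset(cats))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff a's level is at least b's and a's categories include all of b's.
    Two labels whose category sets are not nested are incomparable (neither dominates)."""
    return LEVELS.index(a.level) >= LEVELS.index(b.level) and a.cats >= b.cats


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the lower level and the intersection of the categories."""
    low = min(LEVELS.index(a.level), LEVELS.index(b.level))
    return Label(LEVELS[low], a.cats & b.cats)


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: no write down (the object's label must dominate the subject's)."""
    return dominates(obj, subject)


def biba_low_watermark(subject: Label, docs: dict, steps: list) -> list:
    """Dynamic Biba with the low-water-mark applied to the subject on reads and to the
    object on writes (assumption: the question does not fix the variant). Every access
    is allowed; integrity levels sink instead. Returns one
    (op, doc, subject level after the step, doc level after the step) tuple per step."""
    docs = dict(docs)                               # never mutate the caller's table
    trace = []
    for op, name in steps:
        if op == "read":
            subject = meet(subject, docs[name])     # subject sinks to the document
        elif op == "write":
            docs[name] = meet(docs[name], subject)  # document sinks to the subject
        else:
            raise ValueError(op)
        trace.append((op, name, subject, docs[name]))
    return trace


# The question's data.
ALICE = label("Secret", "Army", "Navy", "Air Force")
DOCS = {
    "D101": label("Secret", "Navy", "Air Force", "Coast Guard"),
    "D102": label("Confidential", "Air Force"),
    "D103": label("Unclassified", "Marines", "Air Force", "Coast Guard"),
    "D104": label("Top Secret", "Marines", "Army", "Navy", "Air Force"),
    "D105": label("Secret", "Army"),
}
STEPS = [("read", "D101"), ("write", "D102"), ("read", "D103"),
         ("write", "D104"), ("write", "D105")]


def blp_access(subject: Label = ALICE, docs: dict = DOCS) -> tuple:
    """(documents the subject may read, documents it may write) under BLP."""
    readable = [d for d, lab in docs.items() if blp_can_read(subject, lab)]
    writable = [d for d, lab in docs.items() if blp_can_write(subject, lab)]
    return readable, writable


if __name__ == "__main__":
    print("BLP read/write:", blp_access())
    for op, name, subj, doc in biba_low_watermark(ALICE, DOCS, STEPS):
        print(f"{op:5} {name}: Alice={subj}  {name}={doc}")
```

The interesting cases are the incomparable labels (D101 and D103 share some categories with Alice but not all), which BLP neither lets her read nor write, while under the low-water-mark policy reading them still drags her integrity level down to the meet.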

4. [8 marks total] Firewalls.

(a) (4 marks) You are setting up a new web site for a local business. The web site is
hosted on its own server, and will interact heavily with a database which is hosted on a
second server. The database server also serves a number of internal servers, as well as
applications on the desktop computers of company employees. Unfortunately, security
is not high on management’s priority list (they never took this course!) and there is
only room in the budget for a single firewall. Where should you place it (1 mark), and
why (2 marks)? Where would you place a second firewall, if more room was found in
the budget (1 mark)?

(b) (1 mark) Suppose that UW has determined that YouTube has a detrimental effect on
students’ productivity, and has added a rule to their firewall in order to ban access to
YouTube from all UW machines. Give an example of a way a user could evade their
firewall.
(c) (3 marks) There are different kinds of spoofing attacks, depending on who is spoofing
what addresses to whom. Suppose that in order to defend against spoofing attacks, UW
sets up a packet filtering gateway that blocks all packets originating from UW whose
source address is not of the form 129.97.x.y. What kind of traffic spoofing attack does
this rule protect against (1 mark)? They also set up a rule to block traffic originating
from outside of UW whose source address is of the form 129.97.x.y. What kind of
packet spoofing attack does this rule protect against (1 mark)? What kind of spoofed
traffic is still possible (1 mark)?

5. [19 marks total] Intrusion Detection (Coding question). Firewalls do not protect against
inside attackers or insiders making mistakes, and they can be subverted. In this case, intrusion
detection systems are the next line of defense. A host-based intrusion detection system
(IDS) monitors and analyzes the internals of a computing system rather than the network
packets on its external interfaces.

(a) (13 marks) Your objective is to build a host-based IDS that uses signatures to detect
known-bad sequences of system calls. Note that we will build your intrusion detection
program on the ugster machines.
• Your program should be called ids and the source should appear in a file called
ids.cc.
• The client will use the UNIX strace utility to trace system calls made by a user
process.
• The IDS will watch a process and all of its child processes to see if any process
issues a sequence of system calls that match a specified pattern.
• The patterns should be located in a configuration file called ids.conf. This file
should conform to the specifications given at the end of this question.
• The IDS will look for sequences of 3 to 8 system calls.
• If any process is observed to have produced a sequence from the file, a string
should be logged to stderr including the name of the sequence matched, the
(UTC) time and date at which the sequence was detected, and the command line
string (argv) used to launch the offending process. The format of the log entries
should match specifications given at the end of this question.
• The IDS should obtain input piped into standard input from the strace utility.
For example:
$strace -f -s2000 ProcessName 2>&1 | ./ids
(b) (1 mark) Give an example of a way that a process could evade your IDS to run untrusted
code.
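Added example for 5(a), written in Python rather than the C++ the assignment asks for and not the course's reference solution: a minimal matcher that reads strace -f output, keeps a per-process window of the last 8 system calls, and logs a line to stderr when the tail of a window equals a configured sequence. Both the ids.conf layout (one "name: syscall syscall ..." line per pattern) and the log-line layout are assumptions, since the specifications referred to above are not reproduced on this page; the strace excerpt, pids and pattern names are constructed.

```python
import re
import sys
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timezone

MIN_SEQ, MAX_SEQ = 3, 8  # the assignment's sequences are 3 to 8 syscalls long

# Constructed ids.conf; its "name: syscalls" layout is an assumption of this example.
SAMPLE_CONF = """
write-then-exec: open write close execve
priv-drop-exec:  setresuid setresgid execve
"""
# Constructed strace -f output: a dropper writes a binary, execs it, then forks a child
# that drops privileges and runs a shell. Hypothetical pids 4241 (parent) and 4242.
SAMPLE_TRACE = r"""
execve("./dropper", ["./dropper", "--run"], [/* 20 vars */]) = 0
open("/tmp/payload", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 3
write(3, "\177ELF\2\1\1"..., 4096)       = 4096
close(3)                                = 0
execve("/tmp/payload", ["/tmp/payload", "--stage2"], [/* 20 vars */]) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD, child_tidptr=0x7f1c) = 4242
[pid  4241] wait4(4242,  <unfinished ...>
[pid  4242] setresuid(1000, 1000, 1000) = 0
[pid  4242] setresgid(1000, 1000, 1000) = 0
[pid  4242] execve("/bin/sh", ["sh", "-c", "id"], [/* 20 vars */]) = 0
[pid  4242] +++ exited with 0 +++
[pid  4241] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4242
[pid  4241] +++ exited with 0 +++
"""
PREFIX_RE = re.compile(r"^\[pid\s+(\d+)\]\s+(.*)$")
CALL_RE = re.compile(r"^(\w+)\((.*)$")
RETVAL_RE = re.compile(r"\)\s+=\s+(-?\d+)\s*$")
ARGV_RE = re.compile(r'\[((?:"(?:[^"\\]|\\.)*"(?:,\s*)?)+)\]')  # first ["..", ".."] list
QSTR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
Match = namedtuple("Match", "name pid when argv")  # pid is "main" until strace prints it


def parse_conf(text):
    """ids.conf -> {pattern name: [syscall, ...]}; rejects sequences outside 3..8."""
    patterns = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, _, calls = line.partition(":")
            seq = calls.split()
            if not MIN_SEQ <= len(seq) <= MAX_SEQ:
                raise ValueError(f"{name}: need {MIN_SEQ}-{MAX_SEQ} syscalls, got {len(seq)}")
            patterns[name.strip()] = seq
    return patterns


class Ids:
    def __init__(self, patterns, log=sys.stderr):
        self.patterns, self.log, self.matches = patterns, log, []
        self.hist = defaultdict(lambda: deque(maxlen=MAX_SEQ))  # per-process syscall window
        self.argv = defaultdict(str)                             # per-process command line
        self.children, self.root = set(), None

    def feed(self, line):
        line = line.rstrip("\n")
        m = PREFIX_RE.match(line)
        key, rest = ("main" if self.root is None else self.root), line
        if m:
            key, rest = int(m.group(1)), m.group(2)
            if self.root is None and key not in self.children:
                # strace -f prefixes lines only once a child exists: first non-child pid is the parent
                self.root = key
                self.hist[key] = self.hist.pop("main", deque(maxlen=MAX_SEQ))
                self.argv[key] = self.argv.pop("main", "")
        c = CALL_RE.match(rest)
        if rest.startswith(("<...", "---", "+++")) or not c:  # resumed/signal/exit lines
            return
        call, args = c.groups()
        self.hist[key].append(call)
        self._check(key)
        r = RETVAL_RE.search(args)
        if call == "execve" and r and r.group(1) == "0":   # successful exec: new argv
            a = ARGV_RE.search(args)
            self.argv[key] = " ".join(QSTR_RE.findall(a.group(1))) if a else ""
        elif call in ("clone", "fork", "vfork") and r and int(r.group(1)) > 0:
            child = int(r.group(1))
            self.children.add(child)
            self.argv[child] = self.argv[key]  # child inherits the parent's command line
            # design choice: the child's window starts empty (a sequence split across a fork is missed)

    def _check(self, key):
        window = list(self.hist[key])
        for name, seq in self.patterns.items():
            if len(window) >= len(seq) and window[-len(seq):] == seq:
                when = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
                self.matches.append(Match(name, key, when, self.argv[key]))
                if self.log is not None:  # assumed log layout; the real one is in the spec
                    print(f"{name} {when} pid={key} argv={self.argv[key]!r}", file=self.log)


def run(lines, conf=SAMPLE_CONF, log=sys.stderr):
    ids = Ids(parse_conf(conf), log)
    for line in lines:
        ids.feed(line)
    return ids


if __name__ == "__main__":  # strace -f -s2000 cmd 2>&1 | python3 ids.py --stdin
    run(sys.stdin if "--stdin" in sys.argv else SAMPLE_TRACE.splitlines())
```

Two details matter in practice: strace prints interrupted calls as an "unfinished" line followed later by a "resumed" line, so the call is counted once at the unfinished line; and with -f the parent's own lines gain a "[pid N]" prefix only after the first clone, so the window kept under a placeholder key has to be carried over to that pid, otherwise a sequence straddling the first fork in the parent is lost.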

Note: If your program does not conform to the correct specifications, this will be considered
a programming fault. If our input files and output checker fail to interact correctly with your
program, it will be considered a security flaw and reflected in the mark you receive on this problem.

What to hand in

Using the “submit” facility on the student.cs machines (not the ugster machines or the uml virtual
environment), hand in the following files:

a2.pdf: A PDF file containing your written answers for questions 1–4, your design documentation
for question 5, and your answers to 5(b) and 5(c). It must contain, at the top of the first page,
your name, UW userid, and student number. -3 marks if it doesn’t! Be sure to “embed all
fonts” into your PDF file. Some students’ files were unreadable in the past; if we can’t read
it, we can’t mark it.

ids.c, malicious.c: Your intrusion detection implementation and client for question 5. If you have
additional support files, name them something matching ids-*.c, ids-*.h, malicious-*.c or
malicious-*.h.

Makefile: A Makefile that will compile your intrusion detection program. Note that we will build
your intrusion detection program on the ugster machines.
