
UNIVERSITY OF WATERLOO
David R. Cheriton School of Computer Science

CS 458/658 Computer Security and Privacy
Winter 2010

Due: March 8, 2010, 8:30 am
Total marks: 55

1. [8 marks total] Identification and Authentication.


(6 marks) Suppose Alice wishes to log on to her personal bank account over the Internet to do some online banking. She searches for her bank on Google and finds a likely match as the first search result, so she proceeds to click on that link. How can Alice identify the owner of the website that she is on (1 mark)? How can Alice authenticate the owner of the website (1 mark)? What risk is Alice taking if she fails to properly authenticate the owner (1 mark)? Assuming that Alice has found the legitimate website for her bank, how can the website identify Alice (1 mark)? How can it authenticate her (1 mark)? What risk is her bank taking if it does not properly authenticate Alice (1 mark)?


(2 marks) Alice develops a new challenge-response protocol. It has the benefit that the response is computable by humans, which simplifies deployment. In the protocol, the server’s challenge is a random word. The user computes her response as (‘random word’ XOR ‘password’). Assume that the random word and the password have the same length. Comment on the security of this protocol.
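The protocol above, together with the attack it invites, as an added example that is not part of the assignment: a passive eavesdropper who sees a single challenge/response pair recovers the password with one XOR, because XOR is its own inverse, and can then answer every later challenge without Alice. The password value and the byte-string representation of the "words" are constructed for the example.

```python
"""Alice's XOR challenge-response protocol, and why one observed exchange breaks it."""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR of two equal-length strings (the 'human-computable' response)."""
    if len(a) != len(b):
        raise ValueError("random word and password must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def server_challenge(length: int) -> bytes:
    """Server picks a fresh random word as long as the password."""
    return secrets.token_bytes(length)


def client_response(password: bytes, challenge: bytes) -> bytes:
    """The user's response: random word XOR password."""
    return xor_bytes(challenge, password)


def server_verify(stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from the password it stores (in the clear)."""
    return response == xor_bytes(challenge, stored_password)


def eavesdropper_recovers_password(challenge: bytes, response: bytes) -> bytes:
    """Anyone who saw both messages gets the password: (w XOR p) XOR w == p."""
    return xor_bytes(response, challenge)


def eavesdropper_forges(recovered_password: bytes, new_challenge: bytes) -> bytes:
    """...and can then answer any future challenge as Alice."""
    return xor_bytes(new_challenge, recovered_password)


def demo(password: bytes = b"hunter2!"):
    """One legitimate run, then the passive attack against it.
    Returns (legitimate login accepted, password recovered by eavesdropper, forged login accepted)."""
    w = server_challenge(len(password))
    r = client_response(password, w)
    accepted = server_verify(password, w, r)

    # The attacker only saw w and r on the wire (constructed: nothing else is needed).
    p_guess = eavesdropper_recovers_password(w, r)
    w2 = server_challenge(len(password))          # a later login attempt by the attacker
    forged_accepted = server_verify(password, w2, eavesdropper_forges(p_guess, w2))
    return accepted, p_guess, forged_accepted


if __name__ == "__main__":
    print(demo())
```

The response is human-computable precisely because the combining function is invertible, and that is the flaw: a challenge-response protocol needs the response to be a one-way function of the challenge and the secret (for example a keyed hash of the challenge), so that observing transcripts does not leak the secret.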

2. [12 marks total] Basic Principles of Information Protection. In The Protection of Information in Computer Systems, Section I.A. (mandatory reading for lecture 9), Saltzer and Schroeder present eight design principles for trusted systems. Many systems still fail to follow the principles faithfully. For each of the failures below, state which principle you believe is most clearly violated (1 mark), and justify your answer by explaining how the rule was violated (1 mark) and why the programmer might have violated the rule (1 mark). For example,


(1 mark) What: Principle of Psychological Acceptability
(1 mark) How: The CAPTCHA image is far too difficult for a human to read, causing user frustration.
(1 mark) Why: The developer is aware of the various CAPTCHA cracking utilities available to attackers and sought to make his CAPTCHAs too strong for them to defeat.

(Note: you should choose a different principle for each part.)


(3 marks) The new graduate student admissions software which is used to admit grad students to the School of Computer Science at University of Waterloo will only run with administrator privileges.


(3 marks) See the following code snippet (example language: Java):

    String filename = System.getProperty("com.domain.application.dictFile");
    File dictionaryFile = new File(filename);




3. [8 marks total] Bell-LaPadula Confidentiality Model / Biba Integrity Model.

In the Bell-LaPadula Confidentiality Model, suppose Sergeant Alice has clearance level (Secret, { Army, Navy, Air Force } ), and there are five documents with the following classification levels:

Document D101 has classification level (Secret, { Navy, Air Force, Coast Guard } )

Document D102 has classification level (Confidential, { Air Force} )

Document D103 has classification level (Unclassified, { Marines, Air Force, Coast Guard } )

Document D104 has classification level (Top Secret, { Marines, Army, Navy, Air Force} )

Document D105 has classification level (Secret, { Army } )


(4 marks) Which of these documents can Alice read (2 marks)? Which can she write to (2 marks)? Note: you should use the following dominance hierarchy:

Unclassified < Confidential < Secret < Top Secret.


(4 marks) Now, assume the dynamic Biba Integrity Model with the low watermark property. Viewing the above clearance and classification levels as integrity levels, suppose Alice performs the following five steps:

Alice reads from D101

Alice writes to D102

Alice reads from D103

Alice writes to D104

Alice writes to D105

After each of these five steps, what is Alice’s integrity level (2 marks), and what is the integrity level of the documents she just accessed (2 marks)?
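The lattice mechanics behind both parts of this question, as an added example that is not part of the assignment: dominance and meet on (level, category set) labels, the Bell-LaPadula simple security and *-properties, and a step-by-step trace of the dynamic Biba model. The labels are the ones listed above. The Biba part assumes the low-watermark rule is applied on both sides and no access is refused: a read lowers the subject to meet(subject, object), and a write lowers the object to meet(subject, object). That is an assumption of this example; if the course's definition refuses a write rather than lowering the object, change the `write` branch accordingly.

```python
"""BLP read/write checks and a Biba low-watermark trace over (level, categories) labels."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]   # the given dominance order
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A (sensitivity level, category set) pair, used for clearances and classifications alike."""
    level: str
    cats: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        """self >= other: a higher-or-equal level AND a superset of the categories."""
        return RANK[self.level] >= RANK[other.level] and other.cats <= self.cats

    def meet(self, other: "Label") -> "Label":
        """Greatest lower bound: the lower level and the common categories."""
        return Label(LEVELS[min(RANK[self.level], RANK[other.level])], self.cats & other.cats)


def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


ALICE = L("Secret", "Army", "Navy", "Air Force")
DOCS: Dict[str, Label] = {
    "D101": L("Secret", "Navy", "Air Force", "Coast Guard"),
    "D102": L("Confidential", "Air Force"),
    "D103": L("Unclassified", "Marines", "Air Force", "Coast Guard"),
    "D104": L("Top Secret", "Marines", "Army", "Navy", "Air Force"),
    "D105": L("Secret", "Army"),
}


def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


def blp_report(subject: Label, docs: Dict[str, Label]) -> Tuple[List[str], List[str]]:
    readable = sorted(n for n, o in docs.items() if blp_can_read(subject, o))
    writable = sorted(n for n, o in docs.items() if blp_can_write(subject, o))
    return readable, writable


def biba_low_watermark(subject: Label, docs: Dict[str, Label],
                       steps: List[Tuple[str, str]]) -> List[Tuple[str, str, Label, Label]]:
    """Dynamic Biba, low watermark on both sides (assumption of this example): every access is
    allowed, a read drags the subject down to meet(subject, object), a write drags the object down
    to meet(subject, object). Returns (op, doc, subject level after, doc level after) per step."""
    docs = dict(docs)                      # the clearance/classification labels reused as integrity levels
    trace = []
    for op, name in steps:
        if op == "read":
            subject = subject.meet(docs[name])
        elif op == "write":
            docs[name] = subject.meet(docs[name])
        else:
            raise ValueError(f"unknown operation {op!r}")
        trace.append((op, name, subject, docs[name]))
    return trace


STEPS = [("read", "D101"), ("write", "D102"), ("read", "D103"), ("write", "D104"), ("write", "D105")]

if __name__ == "__main__":
    print("BLP readable, writable:", blp_report(ALICE, DOCS))
    for op, doc, s, d in biba_low_watermark(ALICE, DOCS, STEPS):
        print(f"{op:5} {doc}: Alice=({s.level}, {sorted(s.cats)})  {doc}=({d.level}, {sorted(d.cats)})")
```

Note how the category set, not just the level, decides each check: a document at Alice's own level is still unreadable if it carries a category she lacks, and a single read of a low-integrity document permanently drags her integrity label down for every later write.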

4. [8 marks total]


(a) (4 marks) You are setting up a new web site for a local business. The web site is hosted on its own server, and will interact heavily with a database which is hosted on a second server. The database server also serves a number of internal servers, as well as applications on the desktop computers of company employees. Unfortunately, security is not high on management’s priority list (they never took this course!) and there is only room in the budget for a single firewall. Where should you place it (1 mark), and why (2 marks)? Where would you place a second firewall, if more room was found in the budget (1 mark)?



(1 mark) Suppose that UW has determined that YouTube has a detrimental effect on students’ productivity, and has added a rule to their firewall in order to ban access to YouTube from all UW machines. Give an example of a way a user could evade their firewall.


(3 marks) There are different kinds of spoofing attacks, depending on who is spoofing what addresses to whom. Suppose that in order to defend against spoofing attacks, UW sets up a packet filtering gateway that blocks all packets originating from UW whose source address is not of the form 129.97.x.y. What kind of traffic spoofing attack does this rule protect against (1 mark)? They also set up a rule to block traffic originating from outside of UW whose source address is of the form 129.97.x.y. What kind of packet spoofing attack does this rule protect against (1 mark)? What kind of spoofed traffic is still possible (1 mark)?
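The two anti-spoofing rules above as a packet filter, with a few constructed packets run through it, as an added example that is not part of the assignment. Each constructed packet carries its real sender as ground truth (which the gateway cannot see) so that the function `undetected_spoofs` can show which spoofed traffic both rules still let through. Addresses other than the 129.97.0.0/16 block are documentation ranges chosen for the example.

```python
"""Egress and ingress anti-spoofing rules for the 129.97.x.y network, applied to constructed packets."""
import ipaddress
from typing import List, NamedTuple

UW_NET = ipaddress.ip_network("129.97.0.0/16")       # "129.97.x.y"


class Packet(NamedTuple):
    direction: str   # "out": originates inside UW and leaves; "in": arrives from outside;
                     # "internal": never crosses the gateway
    src: str         # claimed source address (what the gateway sees)
    true_src: str    # real sender: constructed ground truth, unknown to the gateway
    dst: str


def is_uw(addr: str) -> bool:
    return ipaddress.ip_address(addr) in UW_NET


def egress_rule_drops(p: Packet) -> bool:
    """Rule 1: block packets originating from UW whose source is not a UW address."""
    return p.direction == "out" and not is_uw(p.src)


def ingress_rule_drops(p: Packet) -> bool:
    """Rule 2: block packets arriving from outside UW whose source claims to be a UW address."""
    return p.direction == "in" and is_uw(p.src)


def decide(p: Packet) -> str:
    if egress_rule_drops(p):
        return "drop (egress: UW host spoofing an outside address)"
    if ingress_rule_drops(p):
        return "drop (ingress: outside host spoofing a UW address)"
    return "pass"


def undetected_spoofs(packets: List[Packet]) -> List[Packet]:
    """Spoofed packets (claimed src != real sender) that neither rule stops."""
    return [p for p in packets if p.src != p.true_src and decide(p) == "pass"]


SAMPLE = [   # constructed traffic, not a capture
    Packet("out", "129.97.10.5", "129.97.10.5", "198.51.100.7"),      # honest outbound
    Packet("out", "203.0.113.9", "129.97.10.5", "198.51.100.7"),      # insider claims outside src: egress drop
    Packet("in", "129.97.10.5", "203.0.113.9", "129.97.20.1"),        # outsider claims UW src: ingress drop
    Packet("in", "198.51.100.7", "203.0.113.9", "129.97.20.1"),       # outsider claims another outside src: passes
    Packet("internal", "129.97.30.3", "129.97.10.5", "129.97.20.1"),  # insider claims another UW host, stays inside
    Packet("out", "129.97.30.3", "129.97.10.5", "198.51.100.7"),      # insider claims another UW host, leaves: passes
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.direction:8} src={p.src:14} real={p.true_src:14} -> {decide(p)}")
    print("still spoofable:", [(p.direction, p.src) for p in undetected_spoofs(SAMPLE)])
```

The gateway can only judge a source address against which side of it the packet arrived on, so spoofing that stays within one side (an outsider forging another outside address, an insider forging another 129.97 address) is invisible to both rules.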

5. [19 marks total] Intrusion Detection (Coding question). Firewalls do not protect against inside attackers or insiders making mistakes, and they can be subverted. In this case, intrusion detection systems are the next line of defense. A host-based intrusion detection system (IDS) monitors and analyzes the internals of a computing system rather than the network packets on its external interfaces.


(13 marks) Your objective is to build a host-based IDS that uses signatures to detect anomalous sequences of syscalls. Note that we will build your intrusion detection program on the ugster machines.

Your program should be called ids and the source should appear in a file called ids.cc.

The client will use the UNIX strace utility to trace system calls made by a user process.

The IDS will watch a process and all of its child processes to see if any process issues a sequence of system calls that match a specified pattern.

The patterns should be located in a configuration file called ids.conf. This file should conform to the specifications given at the end of this question.

The IDS will look for sequences of 3 to 8 system calls.

If any process is observed to have produced a sequence from the file, a string should be logged to stderr including the name of the sequence matched, the (UTC) time and date at which the sequence was detected, and the command line string (argv) used to launch the offending process. The format of the log entries should match specifications given at the end of this question.

The IDS should obtain its input piped into standard input from the strace utility. For example:

    $ strace -f -s2000 ProcessName 2>&1 | ./ids
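One way the matching core of such an IDS can work, as an added Python sketch of the logic only (not the C++ submission the question asks for, and not the course's reference solution): it parses strace -f lines, keeps a sliding window of the last 8 system calls per process, carries each process's argv through clone() into its children and updates it on a successful execve(), and logs a match to stderr. The ids.conf syntax, the log line layout and the strace transcript below are constructed assumptions, since the real specifications referred to above are not reproduced on this page.

```python
"""Matching core of a signature-based host IDS over strace -f output (added sketch in Python)."""
import io
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

MIN_LEN, MAX_LEN = 3, 8   # the assignment's bounds on sequence length

# ASSUMED ids.conf syntax (the real spec is not on this page): "name: call,call,..." per line,
# '#' starts a comment, 3 to 8 syscalls per rule.
CONF = """
# drop a file to disk, then run it
drop_and_exec: open,write,close,execve
# reverse-shell plumbing
socket_shell: socket,connect,dup2,dup2,execve
"""
# CONSTRUCTED strace -f transcript: the parent (pid 4241) forks; child 4242 writes and execs a payload.
SAMPLE_TRACE = r'''execve("./malicious", ["./malicious"], 0x7ffc2a1b3c40 /* 20 vars */) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7f3a1c0e3a10) = 4242
[pid  4241] wait4(-1,  <unfinished ...>
[pid  4242] open("/tmp/payload", O_WRONLY|O_CREAT|O_TRUNC, 0755) = 3
[pid  4242] write(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0"..., 2000) = 2000
[pid  4242] close(3)                    = 0
[pid  4242] execve("/tmp/payload", ["/tmp/payload"], 0x7ffc2a1b3d60 /* 20 vars */) = 0
[pid  4242] exit_group(0)               = ?
[pid  4241] <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 4242
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242, si_uid=1000, si_status=0} ---
+++ exited with 0 +++
'''
LINE_RE = re.compile(r'^(?:\[pid\s+(\d+)\]\s+)?(\w+)\((.*)$')          # "[pid N] name(rest"
RESUMED_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?<\.\.\. \w+ resumed>')  # tail of an interrupted call
RET_RE = re.compile(r'\)\s*=\s*(-?\d+)\s*$')                           # trailing ") = 4242"
ARGV_RE = re.compile(r'\[(.*?)\]')                                     # argv array inside execve(...)
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_conf(text: str) -> Dict[str, Tuple[str, ...]]:
    # Reject sequences outside the 3..8 bound instead of silently matching them.
    rules = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, seq = line.partition(":")
        calls = tuple(c.strip() for c in seq.split(",") if c.strip())
        if not MIN_LEN <= len(calls) <= MAX_LEN:
            raise ValueError(f"rule {name.strip()!r}: need {MIN_LEN}-{MAX_LEN} syscalls, got {len(calls)}")
        rules[name.strip()] = calls
    return rules


def argv_string(execve_args: str) -> str:
    # Flatten the ["prog", "arg", ...] array of an execve line into one command line.
    m = ARGV_RE.search(execve_args)
    return " ".join(QUOTED_RE.findall(m.group(1))) if m else "?"


class Ids:
    def __init__(self, rules, now=lambda: datetime.now(timezone.utc), log=sys.stderr):
        self.rules, self.now, self.log = rules, now, log
        self.window = defaultdict(lambda: deque(maxlen=MAX_LEN))   # pid -> last 8 syscall names
        self.argv: Dict[str, str] = {}                             # pid -> command line that launched it
        self.alerts: List[str] = []

    def feed(self, line: str) -> None:
        if RESUMED_RE.match(line):          # already counted when the call started
            return
        m = LINE_RE.match(line)
        if not m:                           # "--- SIGCHLD ---", "+++ exited +++"
            return
        pid, name, rest = m.group(1) or "main", m.group(2), m.group(3)
        if pid != "main" and pid not in self.argv and "main" in self.argv:
            # strace adds "[pid N]" only once a child exists; the first unknown N is the original process
            self.argv[pid] = self.argv.pop("main")
            self.window[pid] = self.window.pop("main")
        win = self.window[pid]
        win.append(name)
        self._check(pid, win)               # match before execve() replaces argv: report the launcher
        ret = RET_RE.search(rest)
        if name in ("clone", "fork", "vfork") and ret and int(ret.group(1)) > 0:
            self.argv[ret.group(1)] = self.argv.get(pid, "?")   # child starts with the parent's argv
        elif name == "execve" and ret and ret.group(1) == "0":
            self.argv[pid] = argv_string(rest)

    def _check(self, pid: str, win: deque) -> None:
        recent = tuple(win)
        for rname, seq in self.rules.items():
            if recent[-len(seq):] == seq:
                stamp = self.now().strftime("%Y-%m-%d %H:%M:%S UTC")   # ASSUMED log line layout
                entry = f"{rname} {stamp} {self.argv.get(pid, '?')}"
                self.alerts.append(entry)
                print(entry, file=self.log)


def run(lines: Iterable[str], rules=None, now=None, log=None) -> List[str]:
    ids = Ids(rules or parse_conf(CONF), now or (lambda: datetime.now(timezone.utc)), log or sys.stderr)
    for line in lines:
        ids.feed(line.rstrip("\n"))
    return ids.alerts


def demo() -> List[str]:
    # Fixed clock so the demo output is reproducible.
    return run(SAMPLE_TRACE.splitlines(), now=lambda: datetime(2010, 3, 8, 8, 30, tzinfo=timezone.utc),
               log=io.StringIO())


if __name__ == "__main__":          # strace -f -s2000 ProcessName 2>&1 | python3 ids.py
    run(sys.stdin)
```

Two details matter for correctness against real strace output: a call interrupted by another process appears twice, as an `<unfinished ...>` line and a `<... resumed>` line, and must be counted once; and because `-f` only prefixes lines with `[pid N]` after the first fork, the original process has to be recognised when its first prefixed line shows up, or its window and argv are lost.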


(1 mark) Give an example of a way that a process could evade your IDS to run untrusted code.


Note: If your program does not conform to the correct specifications, this will be considered a programming fault. If our input files and output checker fail to interact correctly with your program, it will be considered a security flaw and reflected in the mark you receive on this problem.

What to hand in

Using the “submit” facility on the student.cs machines (not the ugster machines or the uml virtual environment), hand in the following files:

a2.pdf: A PDF file containing your written answers for questions 1–4, your design documentation for question 5, and your answers to 5(b) and 5(c). It must contain, at the top of the first page, your name, UW userid, and student number. -3 marks if it doesn’t! Be sure to “embed all fonts” into your PDF file. Some students’ files were unreadable in the past; if we can’t read it, we can’t mark it.

ids.c, malicious.c: Your intrusion detection implementation and client for question 5. If you have additional support files, name them something matching ids-*.c, ids-*.h, malicious-*.c or malicious-*.h.

Makefile: A Makefile that will compile your intrusion detection program. Note that we will build your intrusion detection program on the ugster machines.