HOMEWORK 3 KEY, ENTS 689i Network Immunity, Fall 2008
Questions

1. A directory is also an object to which access should be controlled. Why is it not appropriate to allow users to modify their own directories?

A directory is a mechanism by which access control rights are maintained: a list is kept, on a per-user basis, of which files that user has access to and with what rights. If the user also had write permission on the directory itself, he or she could grant himself or herself any permission on any file on the system. This could clearly be used to subvert the access control policies of other users on the system and therefore cannot be allowed. Some students also pointed out the management issues with allowing multiple people to change the same data structure; however, the security risk is the more important factor.

2. (20 points) Pfleeger, Chapter 4, exercise 22.

a) (5 points) If passwords are three uppercase alphabetic characters long, how long (that is, how much time) would it take to determine a particular password, assuming that testing an individual password requires 5 seconds?

26^3 × 5 = 17576 × 5 = 87880 seconds ≈ 1464.7 minutes ≈ 24.4 hours, i.e. just over one day in the worst case (every password tried).

b) (5 points) Argue for a particular amount of time as the starting point for "secure." That is, suppose an attacker plans to use a brute force attack to determine a password. For what value of x (the total amount of time to try as many passwords as necessary) would the attacker find this attack prohibitively long?

For this answer, you were supposed to pick an actual length of time and argue why it would be acceptable. Expected answers ranged from a minimum of a couple of months up to a reasonable number of years. An answer that mentions password change policies, such as "it's reasonable to ask a user to change his or her password once per year," was good. It's also reasonable to note that different systems may warrant different values for x. For example, your bank account password may be more sensitive than your Yahoo subscription (or possibly not).
c) (10 points) If the cutoff between "insecure" and "secure" were x amount of time, how long would a secure password have to be? State and justify your assumptions regarding the character set from which the password is selected and the amount of time required to test a single password.

Assumptions:
1. Y is the length of a password.
2. N is the number of possible characters to choose from.
3. A is the amount of time it takes an attacker to guess and check a single password.

The maximum amount of time required to crack any given password is thus N^Y × A. Since we want that value to exceed X (the attacker must need longer than the cutoff), we can set up an inequality and solve for Y, which is what the question asks for. Assuming N = 72 (lowercase letters, uppercase letters, digits, and 10 "symbols"), X = 1 year = 3.1536 × 10^10 milliseconds, and A = 5 milliseconds, we have:

72^Y × 5 > 3.1536 × 10^10
72^Y > 6.307 × 10^9
Y ≥ 6 (72^5 ≈ 1.9 × 10^9 falls short; 72^6 ≈ 1.4 × 10^11 is enough)

So passwords must be 6 characters or longer, given these assumptions. It is also reasonable to argue that this is simply a worst case and that the attacker really only needs to get through (something like) 50% of his or her guesses to find a particular password on average. You could then incorporate such a probability into your calculation.

3. (12 points, 2 pts each) Pfleeger, Chapter 5, exercise 5. Can a user cleared for have access to documents classified in each of the following ways under the military security model?

a) NO: insufficient "level"
b) YES
c) NO: need compartment "cow"
d) NO: need compartment "moose"
e) YES
f) NO: need compartment "moose"
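Returning to question 2: the following Go program, added here as an example and not part of the original key, carries the arithmetic of parts (a) and (c) through in general form. BruteForceSeconds computes the worst-case exhaustive-search time, and MinLength solves the inequality N^Y × A × fraction > X for the smallest Y, where the fraction parameter (1.0 for the worst case, 0.5 for the expected case mentioned at the end of (c)) is the generalization; the constant names are this example's own.

```go
package main

import "fmt"

// BruteForceSeconds is the worst-case time to try every one of the n^y
// passwords at a seconds per guess (question 2(a): n = 26, y = 3, a = 5).
func BruteForceSeconds(n, y int, a float64) float64 {
	space := 1.0
	for i := 0; i < y; i++ {
		space *= float64(n)
	}
	return space * a
}

// MinLength solves question 2(c) in general: the smallest y such that trying
// `fraction` of the n^y space (1.0 = worst case, 0.5 = expected case) at a
// seconds per guess takes longer than limit seconds.
func MinLength(n int, a, limit, fraction float64) int {
	for y := 1; ; y++ {
		if fraction*BruteForceSeconds(n, y, a) > limit {
			return y
		}
	}
}

// SecondsPerYear is the cutoff X = 1 year used in the key's answer to 2(c).
const SecondsPerYear = 365 * 24 * 3600.0

func main() {
	fmt.Printf("2(a): %.0f seconds\n", BruteForceSeconds(26, 3, 5))
	fmt.Println("2(c), 72 characters, 5 ms/guess, 1 year, worst case:", MinLength(72, 0.005, SecondsPerYear, 1))
	fmt.Println("2(c), same but expected case (half the space):", MinLength(72, 0.005, SecondsPerYear, 0.5))
	fmt.Println("2(c), 72 characters, 5 s/guess as in (a), 1 year:", MinLength(72, 5, SecondsPerYear, 1))
}
```

The last line of main shows how sensitive the answer is to the per-guess cost: at the 5 seconds per guess assumed in part (a), four characters already exceed a one-year cutoff, whereas at 5 milliseconds six are needed.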
4. (28 points, 4 pts each) A group of students have accounts on a standard Unix system. All students are members of the group students and have accounts named student1, student2, etc. There are also a number of non-student users on the system who are not members of the group students. The following are a set of directory listings from the system:

/home/student1
rw-r--r--  student1 students myhomework.txt
rwxr-xr-x  student1 students mygame.exe
drwx------ student1 students secret

/home/student1/secret
rw-------  student1 students mysecretkey
rwxrwxrwx  student1 students mydiary.txt

/home/student2
rw-------  student2 students myhomework.txt
rwSr-x---  student2 students mygame.exe

Assuming that students all have read and execute (but not write) permissions for each other's home directories, answer the following questions:

a) Can student2 read student1's homework? YES (the file is world-readable and student2 can search /home/student1).
b) Can student1 read student2's homework? NO (only the owner has read permission).
c) Can student2 read student1's secret key? NO: student2 has no permissions on the directory /home/student1/secret, so the file cannot be reached at all.
d) Can student2 modify student1's diary? NO: same reason. The file's own mode does not matter without search permission on the directory.
e) Can student2 execute student1's game program? If so, with what user and group permissions will that process execute? YES, with user student2 and group students (student2's normal identity).
f) Can student1 execute student2's game program? If so, with what user and group permissions will that process execute? YES, through the group execute bit. Because the program is marked setuid, it will execute with its owner's identity, user student2. Both students have the same group, but technically the group comes from student1's primary group, students, since the setgid bit is not set.
g) Can non-students execute student2's game program? If so, with what user and group permissions will that process execute? NO (the "other" bits grant nothing).
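The following Go model is added here as an example; it is not part of the original key. It encodes the listings from question 4 and reproduces answers (a) through (g) by applying the two rules the answers turn on: a process gets exactly one of the owner, group or other permission classes, and every directory on the path must grant search permission before the file's own bits count. The /home entry, the drwxr-x--- modes on the two home directories, and the non-student account "alice" are constructed to match the question's stated assumptions; each user is modelled with a single group, which is all the question needs. The capital S in student2's game is taken as ls prints it (setuid set, owner execute bit clear); the answer to (f) does not depend on it, because student1 runs the program through the group bits.

```go
package main

import (
	"fmt"
	"strings"
)

// Entry is one ls -l line: mode string, owning user, owning group.
type Entry struct{ Mode, Owner, Group string }

// User is a process identity; the question's users each have one group.
type User struct{ Name, Group string }
type FS map[string]Entry

// SampleFS holds the listings from question 4. The /home entry and the home
// directory modes are constructed to match the stated assumption that students
// can read and search each other's home directories.
func SampleFS() FS {
	return FS{
		"/home":                             {"drwxr-xr-x", "root", "root"},
		"/home/student1":                    {"drwxr-x---", "student1", "students"},
		"/home/student1/myhomework.txt":     {"rw-r--r--", "student1", "students"},
		"/home/student1/mygame.exe":         {"rwxr-xr-x", "student1", "students"},
		"/home/student1/secret":             {"drwx------", "student1", "students"},
		"/home/student1/secret/mysecretkey": {"rw-------", "student1", "students"},
		"/home/student1/secret/mydiary.txt": {"rwxrwxrwx", "student1", "students"},
		"/home/student2":                    {"drwxr-x---", "student2", "students"},
		"/home/student2/myhomework.txt":     {"rw-------", "student2", "students"},
		"/home/student2/mygame.exe":         {"rwSr-x---", "student2", "students"},
	}
}

// class picks the one rwx triple that applies to u (owner, else group, else
// other); Unix never unions the classes.
func (e Entry) class(u User) string {
	p := strings.TrimPrefix(e.Mode, "d") // drop the file-type column
	switch {
	case u.Name == e.Owner:
		return p[0:3]
	case u.Group == e.Group:
		return p[3:6]
	}
	return p[6:9]
}

// allows checks one bit; in the execute column 's'/'t' mean execute plus a
// special bit, 'S'/'T' the special bit with execute clear.
func allows(triple string, want byte) bool {
	switch want {
	case 'r':
		return triple[0] == 'r'
	case 'w':
		return triple[1] == 'w'
	}
	return triple[2] == 'x' || triple[2] == 's' || triple[2] == 't'
}

// CanAccess needs search (x) on every directory on the way before the entry's
// own bits count; this is why (c) and (d) are NO despite mydiary.txt's mode.
func (fs FS) CanAccess(path string, u User, want byte) bool {
	e, ok := fs[path]
	if !ok {
		return false
	}
	parts := strings.Split(strings.TrimPrefix(path, "/"), "/")
	for i := 1; i < len(parts); i++ {
		dir, ok := fs["/"+strings.Join(parts[:i], "/")]
		if !ok || !allows(dir.class(u), 'x') {
			return false
		}
	}
	return allows(e.class(u), want)
}

// ExecIdentity is the effective user/group of a process started from path:
// the file's owner under setuid, the file's group under setgid.
func (fs FS) ExecIdentity(path string, u User) (uid, gid string, ok bool) {
	if !fs.CanAccess(path, u, 'x') {
		return "", "", false
	}
	p := strings.TrimPrefix(fs[path].Mode, "d")
	uid, gid = u.Name, u.Group
	if p[2] == 's' || p[2] == 'S' {
		uid = fs[path].Owner
	}
	if p[5] == 's' || p[5] == 'S' {
		gid = fs[path].Group
	}
	return uid, gid, true
}

func main() {
	fs := SampleFS()
	s1, s2, alice := User{"student1", "students"}, User{"student2", "students"}, User{"alice", "users"}
	fmt.Println("a-d:", fs.CanAccess("/home/student1/myhomework.txt", s2, 'r'),
		fs.CanAccess("/home/student2/myhomework.txt", s1, 'r'),
		fs.CanAccess("/home/student1/secret/mysecretkey", s2, 'r'),
		fs.CanAccess("/home/student1/secret/mydiary.txt", s2, 'w'))
	fmt.Println(fs.ExecIdentity("/home/student1/mygame.exe", s2))   // e)
	fmt.Println(fs.ExecIdentity("/home/student2/mygame.exe", s1))   // f)
	fmt.Println(fs.ExecIdentity("/home/student2/mygame.exe", alice)) // g)
}
```

The model deliberately stops at permission bits: a real kernel also consults the superuser exception, ACLs and mount options, none of which the question introduces.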
5. (10 points) Briefly explain (1-2 paragraphs) what code authentication is and how it can help with the Trojan problem.

The question asked about "code authentication," which could be interpreted to mean specifically authentication of executable code that will be loaded into memory and run, or simply file authentication applied to executable programs. In either case the idea is that, along with the content itself, the file producer/distributor also provides some "proof" to the consumer that they actually produced the distributed content. Typically, this proof is a digital signature, made with the producer's private key, over a digest (hash) of the file's contents. The public key used to verify the signature is typically distributed in a certificate that binds the key to its rightful owner, again using cryptography. This approach relies on a working public key infrastructure (PKI). The producer's responsibility is to protect the private key, sign all valid content, and sign no invalid content. The consumer's responsibility is to verify all content before executing it, including the necessary certificate verification steps.

Since a Trojan is a program that appears to do something useful but in fact has hidden functionality, it is usually not apparent to the user that his or her program has been replaced ("trojaned"). However, if the user requires that only authenticated content be executed, then the Trojan's author cannot forge a signature for any trusted party and therefore cannot fool the user into running the Trojan program. More generally, modifications to existing files, e.g., those made by viruses, are also detected, since any modification invalidates the signature.

6. (10 points) Briefly explain (~1 paragraph) what a runtime packer is. Explain (1-2 paragraphs) how and why some malicious software uses runtime packing techniques.

NOTE: Answer taken from http://www.virusbtn.com/resources/glossary/packer.xml.
I was not hoping to get verbatim answers, but that appears to have happened a fair amount.

Packers are wrappers put around pieces of software to compress and/or encrypt their contents. They can be used by legitimate software to minimize download times and storage space or to protect copyrighted code, but are commonly used in malware to disguise the contents of malicious files from malware scanners. Runtime packers essentially unpack (i.e. decrypt or decompress) executable files as they run: the first stage is the unwrapping process, and the unpacked file is then loaded into memory and run. A file can be packed numerous times with slight changes to the packing method, or with small and insignificant changes to the file inside, thus producing a final file which appears different from another identical file packed differently. A great deal of malware is regularly repacked in this way to try to beat detection, a technique known as polymorphism. Anti-malware software can get around this by unpacking some packers as part of the scanning process.

7. (10 points) Explain (2-3 paragraphs) the difference between virus scanning and integrity verification. What are the relative advantages and disadvantages of each?

The basic idea here is that virus scanners can prevent or detect known malware and things that look like known malware, but it is much harder for them to detect new threats. They also require constant updates and are always "reactive." False positives are also a potential issue.

Integrity verification cannot identify specific malware or prevent it directly, but it can be used to make sure that trusted content has not been changed, thereby thwarting the malware's ability to execute. One disadvantage is that, if integrity verification is used for virus protection, the original "snapshot" must be taken before the virus is installed. In general, integrity verification is a more "principled" and general approach to detection, but is more challenging to maintain in some instances. An additional challenge for integrity verification is mutable data, which cannot be assigned a static hash value. One possibility would be to develop higher-level constraints on the data and verify its "integrity" at that higher level (a la Clark-Wilson integrity verification procedures).
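As an added example (not part of the original key), the following Go program puts the two mechanisms from questions 5 and 7 side by side: a producer signing the SHA-256 digest of a file with an Ed25519 private key and a consumer verifying the signature before execution, and an integrity baseline that flags any trusted file whose current digest no longer matches the snapshot. The file names, contents and the trojaned variant are constructed; the producer's certificate and its PKI validation, which the key says the consumer must also perform, are assumed to have happened already and are not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Constructed sample programs; not files from the assignment.
var sampleFiles = map[string][]byte{
	"/usr/bin/ls":    []byte("ls: list directory contents (constructed)\n"),
	"/usr/bin/login": []byte("login: start a session (constructed)\n"),
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// --- Question 5: code authentication ---

// Producer holds the signing key. Only Pub is distributed; in a real PKI it
// arrives in a certificate, whose validation is assumed done here.
type Producer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewProducer() Producer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Producer{pub, priv}
}

// Sign signs the SHA-256 digest of the content rather than the content itself.
func (p Producer) Sign(content []byte) []byte {
	sum := sha256.Sum256(content)
	return ed25519.Sign(p.priv, sum[:])
}

// Authentic is the consumer's gate before execution: any change to the file
// alters the digest, and a signature by anyone but the trusted producer fails.
func Authentic(pub ed25519.PublicKey, content, sig []byte) bool {
	sum := sha256.Sum256(content)
	return ed25519.Verify(pub, sum[:], sig)
}

// --- Question 7: integrity verification ---

// Baseline is the snapshot of trusted files' digests, taken while they were
// still trusted; it knows nothing about malware, only what the files were.
type Baseline map[string]string

func Snapshot(files map[string][]byte) Baseline {
	b := Baseline{}
	for name, content := range files {
		b[name] = digest(content)
	}
	return b
}

// Changed lists baseline files that are now missing or have different contents.
func (b Baseline) Changed(files map[string][]byte) []string {
	var out []string
	for name, want := range b {
		if content, ok := files[name]; !ok || digest(content) != want {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

// Trojaned returns a copy of sampleFiles in which login keeps its visible
// behaviour but gains a hidden extra (constructed).
func Trojaned() map[string][]byte {
	files := map[string][]byte{}
	for name, content := range sampleFiles {
		files[name] = content
	}
	login := append([]byte{}, sampleFiles["/usr/bin/login"]...)
	files["/usr/bin/login"] = append(login, "(hidden) send the typed password to the attacker\n"...)
	return files
}

func main() {
	producer := NewProducer()
	sig := producer.Sign(sampleFiles["/usr/bin/login"])
	fmt.Println("original login verifies:", Authentic(producer.Pub, sampleFiles["/usr/bin/login"], sig))
	fmt.Println("trojaned login verifies:", Authentic(producer.Pub, Trojaned()["/usr/bin/login"], sig))
	fmt.Println("changed since baseline:", Snapshot(sampleFiles).Changed(Trojaned()))
}
```

Note the division of labour the key describes: Authentic needs nothing but the producer's public key and works on content it has never seen, while Baseline needs a snapshot taken before the change and says only that something differs, not what it is.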
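The following toy packer, added here as an example and taken neither from the original key nor from the Virus Bulletin glossary it quotes, makes the point of question 6 concrete and ties it to the scanning side of question 7: the same payload packed under two different keys yields two files with different bytes and different hashes, so a scanner that matches hashes of the stored file misses the repacked copy, whereas a scanner that unpacks first (as the key says anti-malware software does for packers it understands) still catches it. The payload is a constructed stand-in for malware, and the "stub" is just the key byte prepended to the data, where a real packer prepends executable unpacking code.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// Constructed stand-in for a malicious program; any bytes would do.
var payload = []byte("#!/bin/sh\n# constructed 'malware' body: would exfiltrate data here\n")

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Pack compresses the payload, XORs it with a one-byte key and prepends the
// key as a stand-in for the unpacking stub. Changing the key "repacks" the
// same payload into a file whose bytes and hash are entirely different.
func Pack(payload []byte, key byte) []byte {
	var buf bytes.Buffer
	w := zlib.NewWriter(&buf)
	w.Write(payload)
	w.Close()
	out := append([]byte{key}, buf.Bytes()...)
	for i := 1; i < len(out); i++ {
		out[i] ^= key
	}
	return out
}

// Unpack reverses Pack: this is what the stub does in memory at run time, and
// what a scanner must emulate to see the real contents.
func Unpack(packed []byte) ([]byte, error) {
	if len(packed) == 0 {
		return nil, fmt.Errorf("empty input")
	}
	key := packed[0]
	body := make([]byte, len(packed)-1)
	for i, b := range packed[1:] {
		body[i] = b ^ key
	}
	r, err := zlib.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// KnownBad is a scanner's signature database: digests of samples seen before.
type KnownBad map[string]bool

// ScanRaw matches the file exactly as stored on disk.
func (k KnownBad) ScanRaw(file []byte) bool { return k[digest(file)] }

// ScanUnpacked also tries the unpacked contents, which is how anti-malware
// software copes with packers it knows how to undo.
func (k KnownBad) ScanUnpacked(file []byte) bool {
	if k.ScanRaw(file) {
		return true
	}
	inner, err := Unpack(file)
	return err == nil && k[digest(inner)]
}

func main() {
	first := Pack(payload, 0x5a)
	repacked := Pack(payload, 0xa7)
	// The vendor has seen the payload and the first packed sample, not the repack.
	db := KnownBad{digest(payload): true, digest(first): true}
	fmt.Println("packed files identical:", bytes.Equal(first, repacked))
	fmt.Println("raw scan catches first sample:", db.ScanRaw(first))
	fmt.Println("raw scan catches repacked sample:", db.ScanRaw(repacked))
	fmt.Println("unpacking scan catches repacked sample:", db.ScanUnpacked(repacked))
}
```

The cost of ScanUnpacked is the caveat from the key's answer to question 7 in miniature: the scanner only wins because it knows this particular packer, and a new or modified packing scheme puts it back to chasing hashes.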