UNIVERSITY OF SURREY c

Size: px

Start display at page:

Download "UNIVERSITY OF SURREY c"

Laureen Sutton
6 years ago
Views:

1 CS/M27/14/AS07 UNIVERSITY OF SURREY c Faculty of Engineering and Physical Sciences Department of Computing MSc Security Technologies and Applications Module ; 99 credits CSM27: Computer Security Level M Examination Time allowed: 2 hours Autumn Semester 2007 Answer TWO questions. Use \calculatorstrue or \calculatorsfalse in your preamble! Each question carries b± b 2 4ac 2a marks Where appropriate the mark carried by an individual part of a question is indicated in square brackets [ ] Solutions

2 CS/M27/14/AS07 Page 2 Solutions 1. This question concerns security policies and security issues using a hypothetical business (NetMail) as an example. NetMail provides accounts to private users (charging a monthly fee), where the can be accessed remotely from any location over the network. (a) Define Organisational Security Policy. [3 marks] The set of laws, rules, and practices that regulate how an organisation manages, protects, and distributes resources to achieve specified security policy objectives. (b) Define Automated Security Policy, and explain its relation to the Organisational Security Policy. [5 marks] The set of restrictions and properties that specify how a computing system prevents information and computing resources from being used to violate an organisational security policy. [3 points] The scope of the organisational policy is the entire organisation including people, computer systems, and other systems. The scope of the automated policy is limited to the computer system, and includes those restrictions that can be handled by a computer system. [2 points] (c) Suggest a Policy Objective for NetMail, where you address both the needs of the service provider and the needs of the customers. [5 marks] Many phrasings are possible. As a minimum the answer should address the confidentiality of (user need) and protecting resources against unauthorised use (ensuring payment of fees for the provider). (d) List four assets which NetMail would have to protect. E.g. goodwill/reputation, /secrets belonging to the customers, network resources, payments due. [one mark per example] (e) List and explain four threats which NetMail would have to address. [8 marks] Tricksters maliciously disabling services (as demonstrated by DOS attacks) (availability) Unauthorised users benefitting from services without payment. (confidentiality) sent with a falsified sender identity on the service (integrity). QUESTION 1 CONTINUES ON NEXT PAGE

3 CS/M27/14/AS07 Page 3 Solutions Spying (unauthorised access) to users (confidentiality). [2 marks per threat] (f) For each of your four threats, answer whether it is one of availability, confidentiality, or integrity. See above [1 mark per reasonable classification] (g) Explain the difference between a threat, a vulnerability, and an attack. Use an example from computer security to clarify your explanation. [5 marks] A vulnerability is a weakness in the computer system which can be exploited by a threat. A threat is an object or entity which can cause damage or loss. For instance unauthorised users wanting to take advantage of Net- Mail without payment is a threat. There are many possible vulnerabilities which this threat could exploit, such as weak passwords (users using overintuitive passwords) or inadequate input-checking or escaping (opening for sql-insertion attacks). An attack is an explicit action by an unauthorised user, such as doing sqlinsertion (exploiting the lack of input-checking) or making a password search (exploiting either weak passwords or insufficient size of the password space). (h) Give two examples of common vulnerabilities which are relevant for NetMail. [2 marks] Two common examples are inadequate input checking in web forms and weak passwords (as mentioned above). (i) It is suggested to use authentication with username and password to limit access to unauthorised users. Give one other purpose of user authentication, and give examples of how this can be used to control vulnerabilities. The other purpose is auditing/logging, which allows tracing (detection) of users in the event of an attack. In the event that a legitimate user abuses his privileges for illegitimate actions, the audit log makes it possible to identify the offender and react to the damage (by seeking legal or criminal justice, closing the account, etc.). (j) A consultant recommends setting a two-month expiry time on passwords; e.g. forcing users to change their password every two months. Would you recom- QUESTION 1 CONTINUES ON NEXT PAGE

4 CS/M27/14/AS07 Page 4 Solutions mend this? Write a short argument for your view, including at least one reason in support of and one reason against the suggestion. [6 marks] Limited lifetime on passwords makes search attacks harder as they would have to succeed within the lifespan of the password to be useful. [2 points] On the other side, having to change the password often, users are unlikely to be able to find good passwords which are hard to guess all the time. They may find it harder to remember, and hence choose to write them down. [2 points] Own conclusion is an open question. Marking should focus on clarity and consistency of the argument. [2 points] (k) Imagine you are sysadmin for a relatively small organisation, with people working in different locations. A person working off-site calls you. He has forgotten his password and needs urgent, remote access to the system. There is no predefined security policy. What precautions would you take before issuing a new password to him? A reasonable approach would be to check with the person s manager that he has a legitimate need off-site. Then get a mobile phone number from a trusted source and call the person back with a new, machine-generated password. In general, at least two precautions should be included. Total marks: 50 SEE NEXT PAGE

5 CS/M27/14/AS07 Page 5 Solutions 2. This question concerns software security and related issues. Please note that Part 2(d) concerns a security bug in the code in the appendix (pages 13-14). (a) Why does the Intel 80x86 processor offer different protection rings? [3 marks] The protection rings provide a coarse access control. It allows the OS to restrict access to privileged resources (like memory) to using a limited set of system calls running in an inner ring. User processes running in an outer ring gets no access to protected resources. (b) Which security policies are implemented using the protection rings? Give reasons for the policies. [5 marks] A process can only get access to object in an outer ring (i.e. no direct access to data at a higher security level). [2 points] A process can only invoke procedures in its own ring. [1 points] If a process could invoke procedures in an outer ring, another process in the outer ring could modify the procedure and wait until an inner ring process invokes it with higher privileges. [2 points] (c) Give two examples of how security mechanisms can be bypassed by an attacker with access to a lower layer. A harddrive can be removed and accessed and modified using a separate computer, including changing the password file. A database server will often have its own user database and access control. An administrator with superuser privileges in the operating system, even without any privileges in the database, can modify the database and/or its access modes by tampering with directly in memory or on disk. [2 marks per example] (d) A Unix password file looks as follows. root:htlh542ynpo/a:0:0:root:/root:/bin/bash georg:djfqe126gxvwk:1000:1000:george Doe:/home/georg:/bin/tcsh andre:cfelol3t152jg:1003:1003:andre:/home/andre:/bin/bash Each line is one user account, each of which has a number of fields separated by colons (:). The fields are (1) username, (2) encrypted (hashed) password, QUESTION 2 CONTINUES ON NEXT PAGE

6 CS/M27/14/AS07 Page 6 Solutions (3) numeric user ID (which is 0 for the superuser), (4) group ID (of the user s default group), (5) real name (so-called GECOS field), and (6) login shell. It is technically possible to have several lines with the same numeric user ID, but these will be treated as the same user by the system. It is desirable to let the users change the GECOS field. (This can contain phone number and other information besides the real name, but for simplicity we consider only the real name.) The appendix (pages 13-14) gives the C code (chfn.c) of a program designed to do this. This program will always run as the superuser (via the setuid bit), so it is absolutely essential that it be safe. (i). Give three examples of general principles for secure coding (programming), including rationale (e.g. in the form of examples of common vulnerabilities they may prevent). [6 marks] (A) Check your inputs. Defining all bad inputs may be difficult. Better practice is to define good inputs (e.g. alphanumeric characters and space in this case), and refuse anything which is not defined as good. Examples: SQL injection. (B) Check data passed to complex subsystems (programs). Users may exploit unused functionality, such as the -f option to login(1) in the rlogin bug. (C) Principle of least privilege. Access should be denied by default, and just enough privileges granted for the task at hand. This limits the damage of other vulnerabilities. [one point per principle; two if supported by an example] (ii). There is a security bug in chfn.c. Explain how a regular user can make an attack to obtain superuser access. [10 marks] There is nothing to prevent the users from including both colons and newlines in the argument. An argument like foobar:/bin/bash\nwheel::0:0::/bin/bash (where \n is a newline character), would effectively give a new superuser account with no password. (iii). Make the necessary corrections to the code, to prevent the attack above. (Correct C code is not necessary. Unambiguous pseudo-code is completely satisfactory.) [5 marks] QUESTION 2 CONTINUES ON NEXT PAGE

7 CS/M27/14/AS07 Page 7 Solutions The keyword is input checking. If the argument string contains any newlines or colons, the program should exit immediately with an error message. The perfect solution adds a loop at 39, looping through the string to return an error if anything but an alphanumeric character or punctuation character is detected. (iv). Why is the password file itself only modified by using the rename() system call in Line 88 to let the temporary file take the place of the password file? What vulnerability would be caused by writing directly to the password file in Line 63? [5 marks] If an interrupt appears during the loop surrounding Line 65, it would potentially leave the password file in an inconsistent state. Users can cause interrupts, so this would be very vulnerable to sabotage. [2 points] Using rename() has two advantages. Firstly, the work involving the password file is shorter and faster, and it becomes less likely that an event such as power-loss can affect it. [1 points] Secondly, it is a system call which is atomic preventing interrupts (signals). (It is still vulnerable to sudden hardware failure though.) [2 points] (e) When you log onto a Windows computer on the console, it is recommended always to hit Ctrl+Alt+Del before typing username and password. What happens when you hit Ctrl+Alt+Del? What is the risk if you do not use it? [6 marks] Ctrl+Alt+Del is a secure attention sequence [1 points]. It sends a signal directly to the OS to invoke the login screen [1 points], and it cannot be intercepted by other software [1 points]. A common attack would be to start a program pretending to be the login screen, and let it run waiting for a naïve user to try to log in. The program would then record the username and password before launching the real login program, giving the attacker access to your username and password. [3 points] (f) Most CPUs do not distinguish between different types of data, but there are some exceptions. In what way do these exceptions improve security? Address both threats and controls in your answer. [6 marks] QUESTION 2 CONTINUES ON NEXT PAGE

8 CS/M27/14/AS07 Page 8 Solutions Motorola can distinguish between code and data. Viruses place executable code in memory intended for data, and redirect pointers to cause this code to be executed (threat). If the CPU considers this memory space to be data, it will not accept to execute it (control). [4 points] Some CPUs can distinguish between different data types, and raise exceptions if a type violation occurs. This can prevent software bugs from being exploited. [2 points] Total marks: 50 SEE NEXT PAGE

9 CS/M27/14/AS07 Page 9 Solutions 3. The Bell-LaPadula model is a state-machine used to formulate security properties. (a) A state is normally written as a tuple (b, M, f). Give a short definition of each of the three parameters defining the state. (It does not matter if you mix up the three symbols b, M, and f. You should focus on the information provided by the state parameters.) [9 marks] The set of accesses currently in use b. E.g. b is a list of tuples (s, o, a), where subject s has opened object o in mode specified by a (read/write/etc). M is the access control matrix M = [M s,o ] where M s,o is a list of access rights s has to o. f defines the security levels of objects and subjects, including three functions f S (s), f C (s), and f O (o) giving respectively the security level of subject s, the current security level of s, and the security level of an object o. (b) Define the Simple Security (SS) Property of Bell-LaPadula. A state (b, M, f) satisfies the SS-property if (s, o, a) b, (a {read, write} f O (o) f S (s)). (c) Define the *-Property of Bell-LaPadula. A state (b, M, f) satisfies the SS-property if both (i). (s, o, a) b, (a {append, write} f C (s) f O (o)). (ii). (s, o, a) b, a {append, write}; (s, o, a ) b, a {read, write}; f O (o ) f O (o) A definition with more English and less Maths would be equally good. (d) Describe the information flows that the Bell-LaPadula policies intend to prevent. Bell-LaPadula intends to forbid all information flows from a subject to subjects of lower classification. (e) What is a covert channel? Give an example of a covert channel in Bell- LaPadula and explain why this is a problem. QUESTION 3 CONTINUES ON NEXT PAGE

10 CS/M27/14/AS07 Page 10 Solutions A covert channel is a means to transmit information outside the objects recognised by the model, and thus provides a way to transmit information independently of the policies in the model [2 points] The most famous example of a covert channel in BLP is the following. A subject with low clearance creates an object o. A subject with high clearance can either upgrade o to a higher level (1) or leave it unchanged (0). When the low subject tries to read o, it will either have a success (0) or be denied access (1). One bit of information has been transmitted. [2 points] (f) Mention three important limitations of Bell-LaPadula. Does not consider integrity Does not consider management of access rights Allows covert channels. [9 marks] (g) What are the purpose and applications of the Chinese Wall model? [2 marks] The Chinese Wall model is made to avoid conflicts of interests [1 points] in a consultancy business, i.e. avoid information flow between competing clients [1 points]. (h) Give a brief summary of the security policies in the Chinese Wall model. [3 marks] The clients are divided into conflict of interest (COI) classes. An object may be sanitised (declassified) in which case it can be read freely, despite any following policy [1 points]. If a subject has ever had access to an object associated with client A, it can never access any object belonging to other clients in the same COI class. [1 points] If a subject has read access to an object o, than he can only get write access to object associated with the same client as o [1 points]. (i) Consider processing of expense claims in a medium-sized business/department. Staff who incur expenses in their line of work can claim it back from the employer. Explain the concept of Separation of Duties. [2 marks] Separation of duties means that certain tasks can only be performed when two subject co-operate. The typical paper-based example is a signature of approval, where a requestor cannot approve his own requests. QUESTION 3 CONTINUES ON NEXT PAGE

11 CS/M27/14/AS07 Page 11 Solutions Give an example of a threat which can be controlled using separation of duties (in the scenario of expense claims), and explain how it might be controlled. The best example is excessive (ill-judged) expenses. [2 points] Requiring approval from a second person makes it more difficult to abuse the system. [2 points] False claims could be picked up as well, but this does not require the same level of judgement, and can thus more easily be picked up during processing of the claim. [1 mark for false claims if excessive claims is not mentioned] Identify a suitable security model for the processing of expense claims, and briefly sketch the key features needed in the scenario. [5 marks] The Clark-Wilson model considers integrity problems and supports separation of duties. [1 points] An expense claim, as written by the employer, is an unconstrained data item (UDI), as it originates outside the model. [1 points] An UDI has to be validated and transformed to a constrained data item (CDI) before it can be processed by the finance department. [1 points] This would have to involve checking that the data in the claim are complete and consistent with adequate receipts. [1 points] Then a budget holder (or an approver different from the claimant) would have to countersign the claim. A claim without independent approval cannot lead to any payment (but can be considered a consistent CDI in the model). [1 points] (The approval probably could be made before the consistency check on the claim, without making a difference.) Total marks: 50 INTERNAL EXAMINER: Hans Georg Schaathun EXTERNAL EXAMINER: Keith Martin October 6, 2010, 14:19

12 CS/M27/14/AS07 Page 12 Solutions Appendix SEE NEXT PAGE

13 CS/M27/14/AS07 Page 13 Solutions chfn.c for Question 2 1 / $Id : chfn. c, v /10/19 14:54:08 c s s 1 h s Exp $ / 2 / Snipped i n c l u d e d header f i l e s / 3 4 char ptmp = "/ e t c /ptmp" ; / temporary l o c k f i l e ( filename ) / 5 char passwd = "/ e t c /passwd" ; / password f i l e ( filename ) / 6 7 struct passwd g e t p a s s e n t ( ) ; / compatible v e r s i o n o f getpwent / 8 / the s t r u c t ( record ) c o n t a i n s the f i e l d s pw_name ( username ), 9 pw_passwd ( encrypted password ), pw_uid ( user ID ; i n t e g e r ), 10 pw_gid ( group ID ; i n t e g e r ), pw_gecos (GECOS/ aka Real Name), 11 pw_dir (home d i r e c t o r y ), pw_shell ( l o g i n s h e l l ). / int main ( int argc, char argv [ ] ) { 14 char username ; username = get_username ( ) ; / g e t name o f a c t i v e user / 17 i f ( argc <= 1 ) { 18 p r i n t ( " Error : no argument. \ n" ) ; 19 return 1 ; 20 } 21 chfn ( username, argv [ 1 ] ) ; / F i r s t argument i s the new r e a l name. / return 0 ; 24 } / The chfn ( ) f u n c t i o n a c t u a l l y changes the passwd f i l e. / 27 int chfn ( char uname, char newfn ) { 28 / Input parameters : username o f account to be changed 29 new data f o r the GECOS f i e l d / 30 struct passwd pwd ; 31 int fd, gotcha =0; 32 FILE t f ; / i s t h i s too long a f u l l name to change to? / 35 i f ( s t r l e n ( newfn ) > GECOSMAXLEN) { 36 f p r i n t f ( stdout, " 550 I n v a l i d gecos too long \ r \n" ) ; 37 return ( 1 ) ; 38 } / The ptmp f i l e i s used as a l o c k f i l e. I f i t e x i s t s, 41 some o t h e r program i s working on the password f i l e. 42 I f i t does not e x i s t, we are a l l o w e d to c r e a t e i t. / 43 while ( ( f d = open ( ptmp, O_WRONLY O_CREAT O_EXCL, 6 4 4)) <0) { 44 s l e e p ( 1 ) ; / Wait u n t i l f i l e can be opened / 45 } / Make a b u f f e r e d stream a s s o c i a t e d with the ptmp f i l e j u s t opened. / SEE NEXT PAGE

14 CS/M27/14/AS07 Page 14 Solutions 48 i f ( ( t f = fdopen ( fd, "w" ) ) == NULL) { 49 ( void ) unlink (ptmp ) ; 50 f p r i n t f ( stdout, " 550 f a t a l system e r r o r ( fdopen )\ r \n" ) ; 51 return ( 1 ) ; 52 } / Copy password to temp f i l e, f i x i n g the r i g h t l i n e. 56 The g e t p a s s e n t ( ) reads the system password f i l e, 57 r e t u r n i n g a passwd s t r u c t. / 58 for ( gotcha =0; (pwd = g e t p a s s e n t ( ) )!= NULL; ) { 59 i f ( strcmp ( pwd >pw_name, uname) == 0) { 60 pwd >pw_gecos=newfn ; 61 gotcha++; 62 } 63 f p r i n t f ( t f, "%s :% s :%d:%d:% s :% s :% s \n", 64 pwd >pw_name, pwd >pw_passwd, 65 pwd >pw_uid, pwd >pw_gid, 66 pwd >pw_gecos, pwd >pw_dir, 67 pwd >pw_ shell ) ; 68 } / did I f i n d t h i s guy in / e t c / passwd ( he might be in YP) / 71 i f (! gotcha ) { 72 ( void ) unlink (ptmp ) ; 73 f p r i n t f ( stdout, " 550 User %s not found in %s \n",uname, passwd ) ; 74 return ( 1 ) ; 75 } / and clean up / 78 ( void ) f f l u s h ( t f ) ; 79 i f ( f e r r o r ( t f ) ) { 80 ( void ) unlink (ptmp ) ; 81 f p r i n t f ( stdout, " 550 f a t a l system e r r o r ( f e r r o r )\ r \n" ) ; 82 return ( 1 ) ; 83 } 84 ( void ) f c l o s e ( t f ) ; / move temp f i l e i n t o r e a l f i l e / i f ( rename (ptmp, passwd ) < 0) { 89 ( void ) unlink (ptmp ) ; 90 f p r i n t f ( stdout, " 550 f a t a l system e r r o r ( rename )\ r \n" ) ; 91 return ( 1 ) ; 92 } f p r i n t f ( stdout, " 220 Gecos changed f o r user %s \ r \n", uname ) ; 95 return ( 0 ) ; 96 }

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication Session objectives Background Identification and Authentication CSM27 Computer Security Dr Hans Georg Schaathun University of Surrey Autumn 2008 Week 3 Recognise the purposes of (password) identification.