CSM27 Exercises. Hans Georg Schaathun. November 25, Week In session. 1.2 Weekly Exercises. Security problems brain storming

Transcription

1 CSM27 Exercises Hans Georg Schaathun November 25, Week In session Security problems brain storming Classication of brain stormed problems. 1.2 Weekly Exercises Current Security Problems Find 3-5 news articles (printed press or WWW) about security issues, problems, or incidents. From the articles, select one or two separate incidents or issues to analyse. For each incident/issue 1. classify the problem (condentiality, integrity, availability) 2. identify the threat and the vulnerability. 3. identify any useability or reliability issues. Remember that each instance may represent more than one class, threat, and vulnerability. Give reasons for your answers Expected length about pages, plus copies of the ve news articles. A thorough 2 study of a single incident is better than a shallower study of two separate incidents. exercise.sty,v /02/28 13:33:32 css1hs Exp 1

2 2 Week In session Gollmann 2.7 Discuss: is a good graphical user interface an appropriate criterion for purchasing a security product? There are arguments both ways. A good user interface is essential to avoid human errors. A good user interface can make the operator or administrator more eective. Save time. Support methodological and systematic work. What actually constitutes a good user interface depends on the people who will be operating it. Graphical user interfaces work best for occasional users. Non-graphical user interfaces are often more ecient for expert users, using the interface frequently. Regardless of whether it is graphical or not, it needs to be good, and work for the people using it. The user interface is not sucient. The user interface in itself does not buy any security. The underlying product must be eective. 2.2 Weekly Exercises Exam Paper Preparation Draft an Organisational Security Policy for the Exam Paper Preparation Process. You may of course use the brain stormings in class as input. Addressing only one specic process, the policy should not be long, but you should make sure to include all the key features mentioned in the lecture. Do not forget a clear Policy Objective, an extensive list of assets, and the responisibilities of the people involved. It exercise.sty,v /02/28 13:33:32 css1hs Exp 2

3 is a good idea to list roles of all the relevant users (convener, checker, administrator, etc.) in order to clarify their responsibilities. It does not matter if your policy ts the actual procedures of any particular university, as long as you have the basic elements of a convenor setting the exam, an indpendent checker for quality assurance, and an administrator to check the formalities. You may make reasonable assumptions as you see t, but such 2.3 Extra Exercises Gollmann 2.9 Identify the security perimeters that may be applicable when analyzing personal computer (PC) security. In your analysis, consider when it is appropriate to assume that the room the PC is placed in, the PC itself, or some security module within the PC lies within the security perimeter. With respect to some threats, the perimeter is probably always the room. At the very least, access to the room would normally allow an attacker to pull the power, making the service unavailable. With respect to condentiality and integrity, the physical PC itself could only be outside the security perimeter if either the critical contents on the harddrive is encrypted or some tamper proof security modules prevents connecting the drive to another box. Otherwise, the disk could be removed to be copied or modied. If physical access is controlled, such as by guarding the room, the perimeter does become the room. Similarly, if the PC is portable, it becomes the interior security modules (which probably have to be tamper-resistant) because the user can take the box home and pick it to pieces, The following is Gollmann's solution: I have the following scenarios in mind: PC with/without network connectivity, PC in a protected room; PC that cannot be removed from the oce, PC with limited input facilities (e.g. only keyboard, so it is really dicult to add software manually), PC (laptop) users can take home so that they have access to the hardware, PC with a tamper resistant security module inside Gollmann 2.8 Look for further examples where a security mechanism in one layer can be bypassed by an attacker who has access to a layer below. exercise.sty,v /02/28 13:33:32 css1hs Exp 3

4 Open question [Gollmann]: a device that can be booted with two dierent operating systems might serve as another example. The access control data set by one operating system will not be understood by the other operating system; access to data that has been protected at a logical level thus can be circumvented by changing the underlying operating system. 3 Week In session Gollmann 3.7 If you are required to use several passwords at a time, you may consider keeping them in a `password book'. A password book is a protected le containing your passwords. Access to the password book can again be controlled through a master password. What are the advantages of such a scheme? What are the disadvantages of such a scheme? Overall, do you think it is a good idea or not? Again, there is no one correct answer. The advantages and disadvantages depend a lot on what the alternative is. Against such a solution, a password book gives a single point of failure, and if the master key is compromised, everything is compromised. Furthermore, accessing the password le, sometimes means showing several passwords in cleartext on the screen, vulnerable to spying and surveillance. On the other hand, good routines can reduce the risk of jeopardising the master key or key le considerably. Remembering all the individual passwords is often humanly infeasible. Forgetting passwords is unacceptable due to the loss of availability, and the solutions to recover forgotten passwords risk introducing additional Thus, a password book may be a necessary `evil'. 3.2 Weekly Exercises Gollmann 2.4 Medical records pose particular security problems. Assume that your medical records can be accessed on-line. On one hand, this information is sensitive and should be protected exercise.sty,v /02/28 13:33:32 css1hs Exp 4

5 from disclosure. On the other hand, in an emergency it is highly desirable that whoever treats you has access to your record. Create a plan for how prevention, detection, and recovery can be used to secure a medical records system. Does your plan depend on identication and authentication? In what way? Give reasons for your answers. The answers are open to personal preferences. Prevention may be the most obvious approach, but there is a strong case that detection may be eective. If abuse can be detected, typically abuse by medical personnel, then both disciplinary and judicial actions can be made. Medical personnel abusing their access, could at the very least lose their licence to practice. This would deter most of them from abuse. More severe punishment or demands for compensation would deter more potential abusers. Although prevention may look like the natural choice, it is potentially harmful, as too restrictive policies can prevent access in an emergency. One could, however, look for solutions where access depends on two keys, such as one smart card carried by the patient, and one key available to registered health personnel. But would every patient always carry their card? Access should obviously be restricted to health personnel, so it should depend on a token (smart card) issued to registered medical professionals. If that token is personal, identifying the user, each on-line access can be logged to provide an audit trail. The patients could then be allowed to inspect who have viewed their data, and be allowed to report any suspicious access. Reported incidents would then be subject to appropriate disciplinary and judicial actions Assume that you are only allowed to use the 26 characters from the English alphabet (case insensitive) and the 10 digits (0-9) to construct passwords. How many dierent passwords are possible if a password is exactly n characters long, for n = 4, 6, 8? The number of passwords of lentgh n is 36 n. 2. Suppose the passwords are made case sensitive. How many dierent passwords are now possible for lengths n = 4, 6, 8? exercise.sty,v /02/28 13:33:32 css1hs Exp 5

6 The alpabet has increased to 62 characters, so we get 62 n. 3. How many passwords are possible if the length is at most n for n = 4, 6, 8? We are still assuming 26 lower-case letters, 26 upper-case letters, and 10 digits. 3.3 Extra Exercises The following exercises will not be assessed or discussed in session, but they are good, exam-relevant training. You may also want to see the `Exercise Samples' on the web pages for relevant exercises with sample solutions from last year From Gollmann Chapter Assume that passwords have length six and all alphanumerical characters, upper and lower case, can be used in their construction. How long will a brute force attack take on average if it takes one tenth of a second to check a password? it takes a microsecond to check a password? There are 62 symbols and 62 6 possible password. In the rst case the search takes 90 years; in the second it taks 8h. The purpose of the exercise is to demonstrate that speed-ups in password checking are not relevant to individual end users but help an attacker. (Gollmann) 3.4 Assume that you are only allowed to use the 26 characters from the alphabet to construct passwords of length n. Assume further that you are using the same password in two systems where one accepts case sensitive passwords but the other does not. Give an upper bound at the number of attempts required to guess the case sensitive version of a password. You should search rst for the case-insensitive password, using 26 n checks. Having found this, there are 2 n possible combinations of upper/lower case. The total number of checks needed is then 26 n + 2 n. 4 Week In session [Gollmann 4.3] Discuss: What are the dierences between groups and roles, if there are any dierences at all? [Gollmann 4.9] You are given a set of categories. Implement a lattice-based needto-withhold policy where you selectively withdraw access rights from subjects. exercise.sty,v /02/28 13:33:32 css1hs Exp 6

7 4.2 Weekly Exercises Suppose you have M users on a system, each of whom has 50 les. You distinguish between alter, observe, and execute for each le. How many bytes do you need to store the access control matrix for these users and les when M = 10, M = 100, M = 500, M = 4415? We have 50M les and M users, so the access matrix has 50M 2 entries. Each entry is 3 bits (for three access modes), so we need 150M 2 bits to store it. Use a calculator to calculate the exact size for dierent M. [Gollmann 4.6] Let (L, ) be a lattice of security levels where L is a nite set. Show that unique elements System Low and System High must exist in such a lattice. By system low we mean a security level which is dominated by every other security level. Similarly, system high is level dominating every other security level. (This proof is simpler than the one attempted in class.) Assume that there is no element System High. Then there must be two elements A and B such that there is no element X L with A < X or B < X. (That is, two elements A and B which are not dominated by a common element dierent from A and B.) Since A and B have a least upper bound by denition, we get A = lub(a, B) = B. Assume than that System High is not unique, so that A and B are both System High. Then we have A B and B A, implying A = B by the denition of a partial ordering. It follows by contradiction that there be a unique System High. The proof for System Low is similar. Consider the graf of user and group privileges in the slide on Group-based access control. Explain why the graf is not a lattice. What change would you have to make to turn it into a lattice? The graf does not have a largest lower bound (System Low). To turn it into a lattice, System Low would have to be added, e.g. as a nobody user dominated by every le. 4.3 Extra Exercises Gollmann 4.5 You are given a security policy stating that a subject has access to an object if and only if the security level of the subject dominates the security level of the object. What is exercise.sty,v /02/28 13:33:32 css1hs Exp 7

8 uid1 root uid2 uid3 the eect of using this lattice with this policy? guest Users (uid1, uid2, uid3) have access to their own le as well as those of guest. Guest has only to her own les and nothing else. Root has access to everything Gollmann 4.7 Construct the lattice of security labels for the security levels `public', `condential', and `strictly condential', and for the categories ADMIN, LECTURERS, and STUDENTS. Which objects are visible to a subject with security label (condential,students) in a need-to-know policy? How many labels can be constructed from n security levels and m categories? For illustration, consider the values n=16 and m=64. Draw the lattice following the model from the slides. A subject with (condential,{students}) can see objects with (condential,{students}), (public,{students}), (condential, ), or (public, ). You have n security levels and m categories. Because each category can be either present or not, we get 2 m combinations of categories. Any combination of categories can be combined with any security level, giving n2 m security labels. For n = 16 = 2 4 and m = 64, we get security labels. exercise.sty,v /02/28 13:33:32 css1hs Exp 8