CSE543 - Computer and Network Security Module: Firewalls

1 3 YSTEMS AND )NTERNET)NFRASTRUCTURE AND 3 ECURITY 2 ESEARCH #ENTER$EPARTMENT OF #OMPUTER 3 CIENCE AND %NGINEERING0 ENNSYLVANIA 3 TATE 5 NIVERSITY 5 NIVERSITY 0 ARK 0!CMPSC443 - Introduction to Computer and Network SecurityPageCSE543 - Computer and Network SecurityModule: FirewallsProfessor Trent Jaeger1 Tuesday, October 30, 12 CMPSC443 - Introduction to Computer and Network SecurityPageExam Three kinds of questions 12 short answer What (3pts each) 5 long answer Why (6-7pts each) 3 constructions How (10 pts each)2 Tuesday, October 30, 12 CMPSC443 - Introduction to Computer and Network SecurityPageShort Answer Three kinds of questions 12 short answer What (3pts each)3 CSE543 /Fall 2010 - MidtermTuesday, October 19, 2010 Professor Trent JaegerPlease read the instructions and questions carefully. You will be graded for clarity and correctness. Youhave 75 minutes to complete this exam, so focus on those questions whose subject matter you know legibly and check your answers before handing it Answer - some will be one or two words no more than 3 sentences1.

2 (4pts) What is the di erence betweenprotectionandsecurity?answer: A system that provides Security ensures the protection of its data ( , enforcement of itssecurity goals) even when a user may run code that has malicious intent. Systems that provideprotection enforce the specified policy only if the user runs trusted (3pts)Defineprotection : The permissions available to every system principal at a particular time a snapshot of thesystem s access (3pts) How can you configure a file s access control list in Windows to permit every subject but oneto access that file?answer: Add a negative ACE at the beginning of the file s ACL, give everyone access in next (4pts) What is the purpose of apublic key infrastructure? Why is there a risk for who is using mykey? answer: Bind a public key to an identity securely on internet scale. System cannot protect privatekey from (4pts) How would a server procedure be designed for a Hydra system to avoid theconfused deputyproblem?

3 Answer: Use capability templates to instantiate input capabilities for the server procedure from theclient and use only those capabilities to avoid using unauthorized (4pts) What mechanisms does Multics use to protect thesecrecyof objects?answer: Multics authorizes access to segments which represent memory and I/O (files). There are avariety of policies. Protection rings provide the mediation points for enforcing integrity. The accessand call bracket policies describe the integrity policy of a Multics system. MLS and ACLs 2010 - MidtermTuesday, October 19, 2010 Professor Trent JaegerPlease read the instructions and questions carefully. You will be graded for clarity and correctness. Youhave 75 minutes to complete this exam, so focus on those questions whose subject matter you know legibly and check your answers before handing it Answer - some will be one or two words no more than 3 sentences1.

4 (4pts) What is the di erence betweenprotectionandsecurity?answer: A system that provides Security ensures the protection of its data ( , enforcement of itssecurity goals) even when a user may run code that has malicious intent. Systems that provideprotection enforce the specified policy only if the user runs trusted (3pts)Defineprotection : The permissions available to every system principal at a particular time a snapshot of thesystem s access (3pts) How can you configure a file s access control list in Windows to permit every subject but oneto access that file?answer: Add a negative ACE at the beginning of the file s ACL, give everyone access in next (4pts) What is the purpose of apublic key infrastructure? Why is there a risk for who is using mykey? answer: Bind a public key to an identity securely on internet scale. System cannot protect privatekey from (4pts) How would a server procedure be designed for a Hydra system to avoid theconfused deputyproblem?

5 Answer: Use capability templates to instantiate input capabilities for the server procedure from theclient and use only those capabilities to avoid using unauthorized (4pts) What mechanisms does Multics use to protect thesecrecyof objects?answer: Multics authorizes access to segments which represent memory and I/O (files). There are avariety of policies. Protection rings provide the mediation points for enforcing integrity. The accessand call bracket policies describe the integrity policy of a Multics system. MLS and ACLs , October 30, 12 CMPSC443 - Introduction to Computer and Network SecurityPageExam Three kinds of questions 5 long answer Why (6-7pts each) Longer what questions that want to know why and how4 Long Answer - no more than 3 paragraphs15. (7pts) Specify how domain transitions occur in UNIX, SELinux, and Multics. Just outline themechanisms no specific rules are required.

6 Indicate the Security advantages of SELinux and Multicsover UNIX domain transitions in your : UNIX transitions domains viasetuid. The UID of the process changes to that of the ownerof the defines rules to limit when domain transitions are permitted and what the destinationdomain will be. These rules constrain who can cause a transition (not every invocation gains privilege)and limits the privileges based on the caller (di erent callers get di erent privileges).Multics defines domain transitions via call brackets that state when low privileged processes maytransition to higher and vice versa. Multics also defines gatekeepers to ensure that higher privilegedcode cannot be compromised by low integrity inputs. Multics defines multiple ring levels (not justroot) and protects (7pts) What are the components that ensure integrity in a Clark-Wilson integrity system and a Bibaintegrity system ( , there are two di erent sets to be specified)?

7 How do these components ensureintegrity in each system?answer: Using Clark-Wilson, we need to add Integrity Verification Procedures to test integrity atthe outset, and verified Transformation Procedures to handle the high integrity data. TPs must beassured to operate on high integrity data correctly and protect themselves from low integrity Biba, we only add integrity guards to protect normal processes from low integrity inputs, andwe can proceed as long as no low integrity inputs reach the high integrity processes, defined by (7pts) Why is it necessary to prevent forgery of capabilities in capability systems to meet referencemonitor guarantees? Specify the conditions under which it is necessary toweaken(reduce) thepermissions available to a : If a capability can be forged, then a process can create its own permissions to any objectthat it can name.

8 This would circumvent the tamperproofing of system policies, and nothing wouldbe must weaken a capability when a high secrecy subject fetches a capability from a low secrecymemory. Because this capability may have been created by a low secrecy subject, it may have writepermission to low secrecy objects. Since this would violate the *-property, such capabilities must beweakened to remove the write (7pts) What purpose does theticketin a Kerberos message serve? Why can t Mallory spoof Aliceto Bob by generating an authenticator claiming to be from Alice{Alice, timestamp}Ksessionandreplaying a ticket for which she knows the session key from a previous session with Bob{Bob, M allory, timestamp, lif etime, Ksession}KBob T GS?answer: A ticket is used to securely provide the session key to the server. It includes the names ofthe client and server for which the session key applies, a freshness timestamp, the ticket s lifetime,and the session key.

9 Because the ticket is encrypted in a key known only to Bob and the TGS, andonly the format is well-defined, the ticket securely conveys the Mallory substitutes her ticket, Bob will be able to see that the ticket says that it is for a commu-nication from Mallory to Bob, so he will know it is not from Alice. Plus, the timestamp may haveexpired, but that is not Problems - take your time and answer clearly and , October 30, 12 CMPSC443 - Introduction to Computer and Network SecurityPageExam Three kinds of questions 3 constructions How (10 pts each)5 Long Answer - no more than 2 paragraphs15. (7pts) How does the trust model of a trusted platform module (TPM) impact the ability of a contentprovider to enforce digital rights management (DRM) on the user of the TPM-enabled device?answer: A TPM is not tamperproof, so the user of the system is trusted in the model ( , not toextract the key from the hardware), and a core root of trust measurement ( , BIOS) is also DRM is about controlling the rights of the user, perhaps in ways unacceptable to some users,the user is an adversary to the DRM system.

10 As a result, there is a conflict between the trust andthreat models in a DRM (7pts) How does the trust placed in a CA of a PKI (assume there is no registration authority) compareto that of the authentication server in Kerberos?answer: CA certfies a mapping between a set of identifying attributes (business, website URL, etc.)are correctly mapped to a private key corresponding to the public key in the CA-signed Kerberos, the AS stores secret keys with each user in the system, so it must ensure the mappingfrom the key to the real Kerberos AS and PKI CA have to identify thevalidity of the mapping between an entity and akey, but the PKI CA hasto ensure more , aKerberos AS stores a secret for eachuserand must securely generate session keys, whereas aPKI CA must only protect its private (7pts) What is the di erence between the representation of subjects ( , entities with access toobjects) in the Clark-Wilson Integrity Model and a typical access matrix ( , UNIX)?