Paxson
Spring 2011

CS 161
Computer Security

Homework 4
Due: Monday May 2, at 11:59pm

Instructions. Submit your solution electronically via your class account by Monday May 2, at 11:59pm. You should upload a single file, HW4.pdf. Your writeup should include your name, your class account name (e.g., cs161-xy), your TA’s name, the discussion section time where you want to pick up your graded homework, and “HW4” prominently on the first page. Use a legible font and clearly label each solution with the problem/subproblem to which it belongs. You must submit a PDF file; we will not accept other formats. You must work on your own on this homework.

Updated 24Apr11: due date shifted three days later to Monday (with the consideration mentioned in the next paragraph). Also, some typos fixed.

Note: while this assignment is due on Monday May 2, you need to turn it in by the original due date of Friday April 29 if you want to assure that it will be graded and available for you to pick up several days before the final exam on May 12.

Note: some of these problems look back to topics addressed earlier in class. Keep in mind that the final exam will be comprehensive across all topics.

Problem 1 DNSSEC (20 points)

DNSSEC (DNS Security Extensions) is designed to prevent network attacks such as DNS record spoofing and cache poisoning. When queried about a record that it possesses, such as when the DNSSEC server for example.com is queried about the IP address of www.example.com, the DNSSEC server returns with its answer an associated signature.

For the following, suppose that a user R (a resolver, in DNS parlance) sends a query Q to a DNSSEC server S, but all of the network traffic between R and S is visible to a network attacker N.
The attacker N may send packets to R that appear to originate from S.

(a) Suppose that when queried for names that do not exist, DNSSEC servers such as S simply return “No Such Domain,” the same as today’s non-DNSSEC servers do. This reply has no associated signature.

Describe a possible attack that N can launch given this situation.

(b) Suppose now that when queried for a name Q that does not exist, S returns a signed statement “Q does not exist.”

1. Describe a DoS attack that N can launch given this situation.

Page 1 of 7

2. Describe a circumstance under which N can still launch the attack you sketched in the first part above; or explain why this attack no longer works.

(c) One approach for addressing the above considerations is to use NSEC Records. As mentioned in lecture, when using NSEC S can return a signed statement to the effect of “when sorted alphabetically, between the labels L1 and L2 there are no other labels.” Then if the label L3 in the query Q lexicographically falls between L1 and L2, this statement serves to inform R that indeed there’s no information associated with L3.

We discussed in lecture how NSEC has a shortcoming, which is that an attacker can use it to enumerate all of the labels in the given domain that do indeed exist. To counter this threat, in the April 6 section materials we introduced the NSEC3 Record, which is designed to prevent DNS responses from revealing unnecessary information. NSEC3 uses the lexicographic order of hashed labels, instead of their unhashed order. In response to a query without a matching record, NSEC3 returns the hashed names that come just before and just after the hash of the query.

Suppose that the server S has records for a.example.com, b.example.com, and c.example.com, but not for abc.example.com.
In addition, assume that a hashes to 30, b to 10, c to 20, and abc to 15.

If the query Q from R is for abc.example.com, what will S return in response? Describe how R uses this to validate that abc.example.com indeed does not exist.

(d) In more detail, the way the hashes work in NSEC3 is they are computed as a function of the original name plus a salt and an iteration parameter, as follows:

Define H(x) to be the hash of x using the Hash Algorithm selected by the NSEC3 RR, k to be the number of Iterations, and || to indicate concatenation. Then define:

IH(salt, x, 0) = H(x || salt), and
IH(salt, x, k) = H(IH(salt, x, k-1) || salt), if k > 0

Then the calculated hash of a name is

IH(salt, name, iterations)

In an NSEC3 reply, the name of the hash function, the salt and the number of iterations are also included (that is, they are visible and assumed to be easily known). All replies from a given server use the same salt value and the same number of iterations.

Suppose an attacker has a list of “names of interest,” i.e., labels for which they want to know whether the given label is in a particular domain. If the attacker can get all of the NSEC3 responses for the particular domain, can they determine whether these names exist? If so, sketch how. If not, describe why not.

(e) What is the purpose of the salt in NSEC3 replies?

(f) What is the purpose of the iteration parameter in NSEC3 replies?

(g) The specification of NSEC3 also sets an upper bound on the iteration parameter. What threat does that protect against?

Problem 2 Covert Channels (20 points)

Consider a highly secured operating system that runs jobs for multiple users, but tries to assure strict isolation between the jobs, i.e., the jobs have no means to communicate with one another.
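The following is an added example for Problem 1(c) and 1(d) above; it is not part of the original assignment. It implements the iterated hash IH(salt, name, iterations) exactly as defined in part (d), assuming SHA-1 (the hash algorithm RFC 5155 defines) applied to the name in canonical DNS wire format as the real protocol does; it finds the NSEC3 record whose gap covers a query hash, first with the toy values from part (c) (a → 30, b → 10, c → 20, abc → 15) and then with real hashes; and it checks a constructed list of "names of interest" against the owner hashes harvested from a zone's NSEC3 chain. The zone contents, the salt, the wordlist and the function names are all constructed for this example.

```python
"""NSEC3 hashing and negative-answer checking, as an added illustration of
Problem 1(c)-(d). Assumptions: SHA-1 as the hash algorithm; names hashed in
canonical wire format (lowercase, length-prefixed labels, terminating zero
byte); zone, salt and wordlist below are constructed for the example."""
import base64
import hashlib
from typing import Sequence, Tuple

# NSEC3 owner names use Base32 with the "extended hex" alphabet (RFC 4648 sec. 7),
# which sorts the same way as the underlying bytes; build it from the standard one.
_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical wire form of a domain name, e.g. 'a.example.' -> b'\\x01a\\x07example\\x00'."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int) -> str:
    """IH(salt, name, iterations) from the assignment, as lowercase base32hex.
    IH(salt, x, 0) = H(x || salt);  IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32 characters, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_B32HEX).lower()


def covering_record(chain: Sequence, query_hash) -> Tuple:
    """The (owner_hash, next_hash) NSEC3 record S returns for a non-existent name.
    `chain` holds the zone's owner hashes; the last record's "next" pointer wraps
    around to the first, so a query hash outside [first, last] is covered by it.
    Works for the toy integer hashes of part (c) as well as real base32hex strings."""
    owners = sorted(chain)
    if query_hash in owners:
        raise ValueError("name exists; NSEC3 is only returned for negative answers")
    for owner, nxt in zip(owners, owners[1:]):
        if owner < query_hash < nxt:
            return owner, nxt
    return owners[-1], owners[0]          # wraparound record


def resolver_accepts_nonexistence(record: Tuple, query_hash) -> bool:
    """R's check (after verifying the signature): the query hash must fall strictly
    inside the gap the record asserts is empty, including the wraparound gap."""
    owner, nxt = record
    if owner < nxt:
        return owner < query_hash < nxt
    return query_hash > owner or query_hash < nxt


def names_of_interest_present(observed_hashes, candidates, salt: bytes, iterations: int):
    """Attacker's side of part (d): salt and iteration count are public, so each
    candidate name is hashed offline and looked up among the harvested owner hashes."""
    table = {nsec3_hash(n, salt, iterations): n for n in candidates}
    return sorted(table[h] for h in observed_hashes if h in table)


# --- Constructed inputs ------------------------------------------------------
SALT = bytes.fromhex("aabbccdd")      # salt used by the RFC 5155 Appendix A example zone
ITERATIONS = 12
TOY_CHAIN = [30, 10, 20]              # part (c): a -> 30, b -> 10, c -> 20
ZONE = ["a.example.", "b.example.", "c.example."]          # constructed zone
WORDLIST = ["a", "abc", "www", "mail", "c"]                 # constructed names of interest


def toy_response() -> Tuple[int, int]:
    """S's answer for abc (hash 15): the record owned by hash 10 whose next is 20."""
    return covering_record(TOY_CHAIN, 15)


def harvested_chain():
    """Owner hashes an attacker collects by walking the NSEC3 chain of ZONE."""
    return sorted(nsec3_hash(n, SALT, ITERATIONS) for n in ZONE)


def attack():
    return names_of_interest_present(harvested_chain(),
                                     [w + ".example." for w in WORDLIST], SALT, ITERATIONS)


if __name__ == "__main__":
    print("toy record covering abc:", toy_response())
    h = nsec3_hash("abc.example.", SALT, ITERATIONS)
    rec = covering_record(harvested_chain(), h)
    print("record covering", h, "->", rec, "accepted:", resolver_accepts_nonexistence(rec, h))
    print("apex hash of 'example.':", nsec3_hash("example.", SALT, ITERATIONS))
    print("names of interest that exist in the zone:", attack())
```

The membership check is what makes part (d) an offline dictionary attack: once the chain has been harvested, every guess costs the attacker only `iterations + 1` hash computations and no further queries to S. Real NXDOMAIN proofs under RFC 5155 also require a closest-encloser proof alongside the covering record; that step is omitted here because the assignment's model only asks about the covering interval.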
The OS not only prohibits use of shared memory and any other forms of interprocess communication (pipes, sockets, shared memory, signals, use of the ps command), but also eliminates shared resources such as a global file descriptor pool. The OS does, however, provide read-only access to a common file system. This file system does not make available “access time” information.

(a) Sketch how two cooperating processes could use the common file system to create a covert channel for communication. You can assume that the OS tries to optimize performance when accessing files by caching recently accessed blocks.

(b) In rough terms, what is the capacity of your covert channel? State any assumptions you make in your estimate.

(c) Suppose the OS eliminates the common read-only file system in its entirety, though retains the performance technique of caching recently accessed blocks. Can two cooperating processes still communicate? If so, sketch how, and again estimate in rough terms the capacity of the channel. If not, then explain why communication is no longer possible.

Problem 3 Detecting Worms (20 points)

Assume that you are working for a security company that has to monitor a network link for worm traffic. The link connects a