
24.11 Exercises

1:

Extend the example of deriving required logging information to the full Bell-LaPadula Model with both security levels and compartments.

2:

In the example of deriving required logging information for the Chinese Wall model, it is stated that the time must be logged. Why? Can something else be logged to achieve the same purpose?

3:

The Windows NT logger allows the system administrator to define events to be entered into the security log. In the example, the system administrator configured the logger to record process execution and termination. What other events might the system administrator wish to record?

4:

Suppose a notifier sends e-mail to the system administrator when a successful compromise of that system is detected. What are the drawbacks of this approach? How would you notify the appropriate user?

5:

Describe a set of constraints for the Clark-Wilson model that lead to a description of the conditions that an audit mechanism should detect. Give these conditions.

6:

Why is adherence to the principle of complete mediation (see Section 13.2.4) a necessity for logging of file accesses?

7:

A network monitor captures the following kinds of information while recording a network connection.

  1. System prompts that name neither the user nor the system

  2. System control files such as the password file

  3. A file containing a list of dictionary words

  4. A user's start-up file

  5. A system banner

  6. A source code file

  7. A Web page downloaded from a remote site

Which type of information should the monitor check to see if it must sanitize the data to conceal the names of the users and the names and addresses of the computers involved?

8:

Fisch, White, and Pooch [353] define four levels of log sanitization.

  1. Simple sanitization, in which all information except the commands issued by an intruder is deleted

  2. Information-tracking sanitization, in which sensitive information is entered into a symbol table as it is encountered, a unique identifier is assigned, and whenever that information is encountered it is replaced with the associated identifier

  3. Format sanitization, in which compressed or encoded data is transformed into its original form, the original form is sanitized using information-tracking sanitization, and the resulting data is returned to its transformed format

  4. Comprehensive sanitization, in which all data is analyzed and sanitized as in information-tracking and format sanitization

Discuss the level of anonymity of each level of sanitization. Which level could be automated, and to what degree would human oversight be required?

9:

Prove or disprove that state-based logging and transition-based logging are equivalent if and only if the state of the system at the first transition is recorded.

10:

Suppose a remote host begins the TCP three-way handshake with the local host but never sends the final ACK. This is called a half-open connection. The local host waits for some short time and then purges the information from its network tables. If a remote host makes so many half-open connections that the local host cannot accept connections from other hosts, the remote host has launched a SYN flood attack (see Section 26.4 for more details). Derive logging and auditing requirements to detect such an attack.

11:

What are the logging and auditing requirements for the NFS operations MKDIR and WRITE?

12:

In the LAFS file system, what does the following policy line say?

prohibit:0800-1700:*:root:solitaire:exec:ok

What is the effect of specifying the status field?

13:

Write a program that will slice a log file with respect to a given object. Your program should take an object identifier (such as a process or file name) and a log file as input. Your program should print the minimum set of statements that affect the object, either directly or indirectly.
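One way to implement the slicing that Exercise 13 asks for, as an added example that is not from the book. It assumes a constructed log format of `seq subject action object` (one entry per line, in time order) and a simple information-flow rule: a read or exec moves information from the object into the subject, while any other action moves information from the subject into the object. The slice is computed backward, so an entry is kept only if it occurred before the entry through which its destination became relevant.

```python
from dataclasses import dataclass

# Actions in which information flows from the object into the subject (assumption).
READ_LIKE = {"read", "exec"}

@dataclass(frozen=True)
class Entry:
    seq: int
    subject: str
    action: str
    obj: str

    def flow(self):
        """Return (source, destination) of the information flow this entry records."""
        if self.action in READ_LIKE:
            return self.obj, self.subject    # object's contents flow into the subject
        return self.subject, self.obj        # write/create/etc.: subject alters the object

def parse_log(text):
    """Parse the constructed 'seq subject action object' format into Entry objects."""
    entries = []
    for line in text.strip().splitlines():
        seq, subject, action, obj = line.split()
        entries.append(Entry(int(seq), subject, action, obj))
    return entries

def slice_log(entries, target):
    """Backward slice: the entries that affect `target`, directly or transitively.

    Walking the log in reverse means an entity is tracked only for entries that
    precede the entry in which it influenced something already tracked, so a
    read that happened after a subject's last write to the target is excluded.
    """
    tracked = {target}
    kept = []
    for e in reversed(entries):
        src, dst = e.flow()
        if dst in tracked:
            kept.append(e)
            tracked.add(src)
    return list(reversed(kept))

# Constructed sample log; entry 4 is unrelated and entry 8 only reads the target.
SAMPLE_LOG = """
1 proc:100 read /etc/passwd
2 proc:200 exec /usr/bin/editor
3 proc:200 write /tmp/scratch
4 proc:500 write /tmp/unrelated
5 proc:100 write /var/log/app
6 proc:300 read /tmp/scratch
7 proc:300 write /var/log/app
8 proc:400 read /var/log/app
"""

if __name__ == "__main__":
    for e in slice_log(parse_log(SAMPLE_LOG), "/var/log/app"):
        print(e.seq, e.subject, e.action, e.obj)
```

Running the block prints entries 1, 2, 3, 5, 6 and 7: entry 4 never influences the target and entry 8 is affected by the target rather than affecting it.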
