
25.10 Exercises

1:

You have been hired as the security officer for Compute Computers, Inc. Your boss asks you to determine the number of erroneous login attempts that should be allowed before a user's account is locked. She is concerned that too many employees are being locked out of their accounts unnecessarily, but is equally concerned that attackers may be able to guess passwords. How would you determine an appropriate value for the threshold?

2:

Why should the administrator (or the superuser) account never be locked regardless of how many incorrect login attempts are made? What should be done instead to alert the staff to the attempted intrusion, and how could the chances of such an attack succeeding be minimized?

3:

Consider the trace-based approach to anomaly-based intrusion detection. An intrusion detection analyst reports that a particular pattern of system usage results in processes with "low entropy," meaning that there is little uncertainty about how the system processes behave. How well would a cluster-based analysis mechanism for anomaly-based intrusion detection work with this system? Justify your answer.

4:

Use a Colored Petri Automaton (see Section 25.3.2) to describe the xterm attack discussed in Section 23.3.1.

5:

One view of intrusion detection systems is that they should be of value to an analyst trying to disprove that an intrusion has taken place. Insurance companies and lawyers, for example, would find such evidence invaluable in assessing liability. Consider the following scenario. A system has both classified and unclassified documents in it. Someone is accused of using a word processing program to save an unclassified copy of a classified document. Discuss if, and how, each of the three forms of intrusion detection mechanisms could be used to disprove this accusation.

6:

GrIDS uses a hierarchy of directors to analyze data. Each director performs some checks, then creates a higher-level abstraction of the data to pass to the next director in the hierarchy. AAFID distributes the directors over multiple agents. Discuss how the distributed director architecture of AAFID could be combined with the hierarchical structure of the directors of GrIDS. What advantages would there be in distributing the hierarchical directors? What disadvantages would there be?

7:

As encryption conceals the contents of network messages, the ability of intrusion detection systems to read those packets decreases. Some have speculated that all intrusion detection will become host-based once all network packets have been encrypted. Do you agree? Justify your answer. In particular, if you agree, explain why no information of value can be gleaned from the network; if you disagree, describe the information of interest.

8:

This exercise asks you to consider sources of errors in thumbprints (see Section 25.6.2.3). Recall that a thumbprint is computed from the contents of a connection over some interval of time. Consider clocks on two different computers. Initially, they are synchronized. After some period of time has passed, the clocks will show different times. This is called clock skew.

  (a) Why might clock skew introduce differences in the thumbprints of a connection?

  (b) Why might propagation delays introduce differences in the thumbprints of a connection?

  (c) Staniford-Chen and Heberlein computed thumbprints based on contents only, rather than on contents plus information gleaned from the packet header. Suppose they computed the thumbprint over the contents plus the packet header. What errors might this introduce? Could they have chosen some fields of the TCP and IP headers that would not have introduced errors? If so, state which ones, and why.
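The following added example (not from the book) illustrates the interval-based thumbprint this exercise describes: each observer assigns the packets it sees to fixed-length time intervals by its own clock, and the thumbprint of an interval is a hash of the contents seen in it (the hash is a stand-in for the authors' statistic, an assumption). The packet stream and the clock offset are constructed here for illustration.

```python
import hashlib

# Constructed sample connection: (time by a reference clock, in seconds
# since the connection began, payload bytes). Not data from the text.
STREAM = [
    (0.2, b"ls -l\n"),
    (0.9, b"cd /tmp\n"),
    (1.1, b"cat notes.txt\n"),
    (1.8, b"exit\n"),
    (2.4, b"w\n"),
]


def thumbprint(stream, interval, clock_offset=0.0):
    """Per-interval thumbprint of the connection contents as seen by one observer.

    The observer's clock reads reference time + clock_offset (its skew), so a
    skewed observer may place a packet into a different interval. The thumbprint
    of an interval is a short hash of the concatenated contents assigned to it;
    this hash is an assumed stand-in, not the Staniford-Chen/Heberlein statistic.
    """
    buckets = {}
    for t, payload in stream:
        idx = int((t + clock_offset) // interval)   # interval index by local clock
        buckets.setdefault(idx, []).append(payload)
    return {idx: hashlib.sha256(b"".join(parts)).hexdigest()[:16]
            for idx, parts in sorted(buckets.items())}


def compare(tp_a, tp_b):
    """Count intervals whose thumbprints agree and disagree between two observers."""
    keys = set(tp_a) | set(tp_b)
    agree = sum(1 for k in keys if tp_a.get(k) == tp_b.get(k))
    return agree, len(keys) - agree


if __name__ == "__main__":
    synced = thumbprint(STREAM, 1.0)
    skewed = thumbprint(STREAM, 1.0, clock_offset=0.15)   # 150 ms of skew
    print("1 s intervals, 150 ms skew:", compare(synced, skewed))
    # Coarser intervals make the same skew far less likely to move a packet.
    print("5 s intervals, 150 ms skew:",
          compare(thumbprint(STREAM, 5.0), thumbprint(STREAM, 5.0, 0.15)))
```

With 1 s intervals, a 150 ms skew moves the 0.9 s packet across an interval boundary, so two of the three interval thumbprints no longer match even though the connection contents are identical.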

9:

Consider how enciphering of connections would affect thumbprinting.

  (a) If the connection contents were enciphered using an end-to-end encipherment protocol, would thumbprinting work? Why or why not?

  (b) If the connection contents were enciphered using a link encipherment protocol, would thumbprinting work? Why or why not?

10:

This exercise examines deterministic packet selection (see Section 25.6.2.3). Assume that the packet header contains spaces for routers to enter their IP addresses.

  (a) Suppose the header contains space for 30 router addresses. Initially, these spaces contain all zero bits. As the packet passes through a router, the router inserts its IP address into the first available location in this space. If there is no room left (because the packet has passed through 30 routers), the router does not insert its address. Describe how an attacker could conceal the route that the packet takes as it travels to its destination.

  (b) Now suppose the header uses variable-sized space for a list of router addresses. Initially, no router addresses are attached. As the packet passes through a router, the router adds its IP address to this list. Would this prevent the attack in your answer to part (a)? Why or why not? What other problems would this variable-length router address field cause?

11:

Consider the "counterworm" in the example that begins on page 764.

  (a) Pretend you are a technical expert called as a witness in a lawsuit between the sender of the "counterworm" and the target. What arguments could you make for and against the sending of the worm?

  (b) How might the arguments for a company providing "worms" to fix security problems in their software differ from those for providing a "counterworm"? How would they be the same?
