| 1: | A system administrator on a development network workstation wants to execute a program stored on a floppy disk. What steps could the Drib take to configure the workstation to prevent the system administrator from mounting the floppy and executing the program? |
| 2: | Suppose a user has physical access to computer hardware (specifically, the box containing the CPU and a hard drive). The user does not have an account on the computer. How can the user force the computer to shut down? To reboot? |
| 3: | Some systems support dynamic loading, in which system library routines are not loaded until they have been referenced. A library can be updated independently of any programs that use the library. If the program loads the library routines dynamically, the updated routines will be used. If the program does not load the library routines dynamically, the program will use the versions of the routines that were in the library at link time. This exercise examines this property from the viewpoint of security. From the point of view of assurance, what problems might dynamic loading introduce? (Hint: Think about the assumptions the programmer made when writing the code that calls the library functions.) Does dynamic loading violate any of Saltzer and Schroeder's principles of secure design [865]? (See Chapter 13.) Justify your answer. If an attacker wanted to implant a Trojan horse into as many processes as possible, how would dynamic loading lower the amount of work that the attacker would need to do? |
| 4: | Suppose there is no system dedicated to the bootable CD-ROM discussed in Section 27.7.2. How would you go about constructing such a CD-ROM? Discuss procedures, and justify them. What is the problem with updating a running system and burning a CD-ROM of the changes only? |
| 5: | The Web server on the DMZ Web server system renames temporary files used to record transactions. The name has the form trns followed by the integer representation of the date and time, followed by one or more digits. Why are the extra digits necessary? |
| 6: | Consider a developer who has both an ISP workstation and a devnet workstation on his desk, and who wants to move a program from the ISP workstation to the devnet workstation. Assume that the user is not allowed to mount media such as the floppy disk. Thus, he would not be able to access the data on the disk as though it were a file system. Would he be able to access the data in some other way? (Hint: Must data on all media be accessed as though it were a file system, or can it be read in some other way?) Assume that the root user is asked to mount the floppy for the user, so he can access data on it. What precautions should root take before making the data available to the user? Suppose the ISP workstation were removed. How could the Drib prevent the developer from bringing a floppy into his office? Suppose the floppy reader were removed from the development network workstation. Would this solve the problem? Why or why not? Discuss the advantages and disadvantages of this approach. |
| 7: | The second line of the Web server starting script puts the process ID number of the Web server wrapper into a file. Why? (Hint: Think of how to terminate the process automatically.) |
| 8: | This exercise reconsiders the use of NIS to distribute user information such as password hashes. In general, why might an administration want to use encryption techniques to protect the transmission of NIS records over a network? Why is secrecy of the NIS records not important to the system administrators? Assume the devnet firewall (and the inner and outer firewalls) did not prevent outside users from monitoring the development network. How important would secrecy of the NIS records be then? Why? The NIS client accepts the first response to its query that it receives from any NIS server. Why is physical control of the development network critical to the decision not to use cryptography to protect the NIS network traffic? |
| 9: | The system administrators on the development network believe that any password can be guessed in 180 days of continuous trial and error. They set the lifetime of each password at a maximum of 90 days. After 90 days, a password must be changed. Why did they use 90 days rather than 180 days? |
| 10: | Section 27.7.1 discusses CGI scripts on the DMZ Web server system. It points out that Web pages change too frequently to be placed on a CD-ROM, but that the CGI scripts are changed infrequently enough to allow them to be placed on the CD-ROM. In light of the fact that the CGI scripts do not contain data, why is their alteration a concern? CGI scripts can generate Web pages from data stored on the server. Discuss the integrity issues arising from storing the data that those scripts use on writable media while storing the scripts themselves on read-only media. In particular, how trustworthy are the pages resulting from the script's use of stored data? (Hint: See Section 6.2.) Assume that the CGI scripts are to be changed frequently. Devise a method that allows such changes and also keeps the interface to those scripts on read-only media. Where would you store the actual scripts, and what are the benefits and drawbacks of such a scheme? |
| 11: | Brian Reid has noted that "[p]rogrammer convenience is the antithesis of security" [835]. Discuss how the Drib's trade-off between security and convenience exemplifies the conflict between users (programmers) and security. In particular, when should the principle of psychological acceptability (see Section 13.2.8) override other principles of secure design? |
| 12: | Computer viruses and worms are often transmitted as attachments to electronic mail. The Drib's development network infrastructure directs all electronic mail to a mail server. Consider an alteration of the development network infrastructure whereby workstations download user mail rather than mounting the file system containing the mailboxes. The Drib has purchased a tool that scans mail as it is being received. The tool looks for known computer worms and viruses in the contents of attachments, and deletes them. Should this antivirus software be installed on the mail server, on the desktop, or on both? Justify your answer. What other actions should the Drib take to limit incoming computer worms and viruses in attachments? Specifically, what attributes should cause the Drib to flag attachments as suspicious, even when the antivirus software reports that the attachment does not contain any known virus? What procedural mechanisms (such as warnings) should be in place to hinder the execution of computer worms and viruses that are not caught by the antivirus filters? Specifically, what should users be advised to do when asked to execute a set of instructions to (for example) print a pretty picture? |
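Added illustration for Exercise 5 (this code is not from the book or the Drib's Web server): it builds transaction-file names of the form described, `trns` plus the integer date/time, with and without the extra digits, and creates the files with `O_EXCL` so that a name already on disk is rejected rather than overwritten. The timestamp and the `record_transactions` helper are constructed for the example.

```python
import os
import tempfile
import time

PREFIX = "trns"  # naming scheme described in the exercise

def time_only_name(now):
    """Name built from the integer date/time alone."""
    return f"{PREFIX}{int(now)}"

def transaction_name(now, counter):
    """Name with extra digits appended after the date/time."""
    return f"{PREFIX}{int(now)}{counter:03d}"

def record_transactions(directory, n, now=None):
    """Create n transaction files. O_EXCL makes the kernel refuse a name
    that already exists (including one that points at a planted symlink),
    so a collision is detected and the counter advanced instead of an
    earlier transaction being silently overwritten. Returns the names."""
    now = time.time() if now is None else now
    created, counter = [], 0
    while len(created) < n:
        path = os.path.join(directory, transaction_name(now, counter))
        counter += 1
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue  # name taken within this second: try the next suffix
        os.close(fd)
        created.append(os.path.basename(path))
    return created

def demo(now=1_700_000_000):
    """Five transactions recorded in the same second: time-only names all
    collapse to one, suffixed names stay distinct, and a second batch
    skips the five names already on disk. The timestamp is constructed."""
    time_only = {time_only_name(now) for _ in range(5)}
    workdir = tempfile.mkdtemp()
    first = record_transactions(workdir, 5, now)
    second = record_transactions(workdir, 2, now)
    return len(time_only), first, second

if __name__ == "__main__":
    print(demo())
```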
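Added illustration for Exercise 7 (not the book's starting script): a start routine that records the wrapper's process ID in a file, and a stop routine that reads the file, checks the process still exists, and signals it. The wrapper is stood in for by a sleeping interpreter, and the pidfile path is constructed for the example.

```python
import os
import signal
import subprocess
import sys
import tempfile

def start_wrapper(pidfile, argv):
    """Start the wrapper process and write its PID to pidfile, as the
    starting script's second line does, so a later script can find it."""
    proc = subprocess.Popen(argv)
    with open(pidfile, "w") as f:
        f.write(f"{proc.pid}\n")
    return proc

def pid_alive(pid):
    """Signal 0 is never delivered; it only reports whether pid exists."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True  # exists, but belongs to another user
    return True

def stop_wrapper(pidfile):
    """Send SIGTERM to the process recorded in pidfile and remove the
    file. Returns True if a signal was sent. Caveat: PIDs are reused, so
    a stale file can name an unrelated process; a production stop script
    should also confirm the process really is the wrapper it started."""
    try:
        with open(pidfile) as f:
            pid = int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return False
    sent = False
    if pid_alive(pid):
        os.kill(pid, signal.SIGTERM)
        sent = True
    os.unlink(pidfile)
    return sent

def demo():
    """Stand-in wrapper: a sleeping interpreter. Returns (alive before,
    signal sent, exit status, pidfile still present)."""
    pidfile = os.path.join(tempfile.mkdtemp(), "webwrap.pid")  # constructed
    proc = start_wrapper(pidfile, [sys.executable, "-c", "import time; time.sleep(60)"])
    before = pid_alive(proc.pid)
    sent = stop_wrapper(pidfile)
    status = proc.wait(timeout=10)  # reap the child; SIGTERM reports as -15
    return before, sent, status, os.path.exists(pidfile)
```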
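Added illustration for Exercise 12 (not the Drib's scanning tool): attachment attributes that can be checked independently of a signature scanner, applied to a constructed MIME message carrying the "print a pretty picture" lure. The extension sets and flag names are assumptions chosen for the example.

```python
from email import message_from_string

EXECUTABLE_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "vbs", "js", "hta"}
BENIGN_LOOKING = {"jpg", "jpeg", "gif", "png", "txt", "pdf", "doc"}
IMAGE_EXT = {"jpg", "jpeg", "gif", "png"}

def attachment_flags(part):
    """Attributes that mark one MIME part as suspicious even when the
    signature scanner finds no known virus. Returns a list of flag names."""
    name = (part.get_filename() or "").lower()
    if not name:
        return []  # message body, not an attachment
    stem, _, ext = name.rpartition(".")
    flags = []
    if ext in EXECUTABLE_EXT:
        flags.append("executable-extension")
    if "." in stem and stem.rpartition(".")[2] in BENIGN_LOOKING:
        flags.append("double-extension")  # e.g. picture.jpg.exe
    if part.get_content_type().startswith("image/") and ext not in IMAGE_EXT:
        flags.append("declared-type-mismatch")
    return flags

def suspicious_attachments(raw_message):
    """Map each flagged attachment's filename to its list of flags."""
    msg = message_from_string(raw_message)
    found = {}
    for part in msg.walk():
        if part.get_content_maintype() != "multipart":
            flags = attachment_flags(part)
            if flags:
                found[part.get_filename()] = flags
    return found

# Constructed sample: the "print a pretty picture" lure with two attachments.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="pretty.jpg.exe"
Content-Disposition: attachment; filename="pretty.jpg.exe"

MZ-stub
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"

%PDF-stub
--b1--
"""
```

Running `suspicious_attachments(SAMPLE)` flags only the executable disguised as an image; the PDF passes these checks and is left to the signature scanner.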