1. Consider the two interpretations of a time field that specifies "1 A.M." One interpretation says that this means exactly 1:00 A.M. and no other time. The other says that this means any time during the 1 A.M. hour.
   (a) How would you express the time of exactly 1 A.M. in the second interpretation?
   (b) How would you express "any time during the 1 A.M. hour" in the first interpretation?
   (c) Which is more powerful?
   (d) If they are equally powerful, which do you think is more psychologically acceptable? Why?

2. Verify that the modified version of Requirement 29.2.4, shown as Requirement 29.3.1 on page 875, counters the appropriate threats.

3. Currently, the program described in this chapter is to have setuid-to-root privileges. Someone observed that it could equally well be implemented as a server, in which case the program would authenticate the user, connect to the server, send the command and role, and then let the server execute the command.
   (a) What are the advantages of using the server approach rather than the single-program approach?
   (b) If the server responds only to clients on the local machine, using interprocess communication mechanisms on the local system, which approach would you use? Why?
   (c) If the server were listening for commands from the network, would that change your answer to part (b)? Why or why not?
   (d) If the client sent the password to the server, and the server authenticated, would your answers to any of the three previous parts change? Why or why not?

4. The little languages presented in Section 29.3.2.3 have ambiguous semantics. For example, in the location language, does "not host1 or host2" mean "not at host1 and not at host2" or "not at host1, or at host2"?
   (a) Rewrite the BNF of the location language to make the semantics reflect the second meaning (that is, the precedence of "not" is higher than that of "or"). Are the semantics unambiguous now? Why or why not?
   (b) Rewrite the BNF of the time language to make the semantics reflect the second meaning (that is, the precedence of "not" is higher than that of "or"). Are the semantics unambiguous now? Why or why not?

5. Suppose an access control record is malformed (for example, it has a syntax error). Show that the access control module would deny access.

6. The canary for StackGuard simply detects overflow that might change the return address. This exercise asks you to extend the notion of a canary to detection of buffer overflow.
   (a) Assume that the canary is placed directly after the array and that, after every array access, the canary is checked to see whether it has changed. Would this detect a buffer overflow? If so, why do you think this is not suitable for use in practice? If not, describe an attack that could change a number beyond the buffer without affecting the canary.
   (b) Now suppose that the canary was placed directly after the buffer but—like the canary for StackGuard—was only checked just before a function return. How effective do you think this method would be?
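The two checking strategies in exercise 6, as an added C example that is not part of the original exercise set: a constructed `struct frame` stands in for the stack layout (the canary sits directly after the buffer, and `beyond` stands in for a value past it), and the function names and canary constant are assumptions. It shows that a per-access check flags the first overflowing store while the return-time check only reports after the copy, and that a single store that skips over the canary is missed by both.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Constructed frame layout (an assumption, not a real compiler's stack layout):
   a buffer, the canary directly after it, then a value beyond the buffer. */
struct frame {
    char     buf[8];
    uint32_t canary;
    uint32_t beyond;
};
#define CANARY_VALUE 0xA5C3E1F7u   /* constructed; no byte of it equals 'A' (0x41) */
/* Unbounded copy into buf (it may run past buf), checking the canary after every
   store. Returns the 1-based index of the first store that changed it, else 0. */
static size_t copy_check_each_access(struct frame *f, const char *src, size_t len) {
    unsigned char *raw = (unsigned char *)f;   /* byte view of the whole frame */
    if (len > sizeof *f) len = sizeof *f;      /* never write outside the object */
    f->canary = CANARY_VALUE;
    for (size_t i = 0; i < len; i++) {
        raw[offsetof(struct frame, buf) + i] = (unsigned char)src[i];
        if (f->canary != CANARY_VALUE) return i + 1;
    }
    return 0;
}
/* Same copy, StackGuard-style: the canary is inspected once, at "return". 1 = detected. */
static int copy_check_at_return(struct frame *f, const char *src, size_t len) {
    unsigned char *raw = (unsigned char *)f;
    if (len > sizeof *f) len = sizeof *f;
    f->canary = CANARY_VALUE;
    for (size_t i = 0; i < len; i++)
        raw[offsetof(struct frame, buf) + i] = (unsigned char)src[i];
    return f->canary != CANARY_VALUE;
}
/* One indexed store at any frame offset, then a canary check: a store that skips
   over the canary is invisible to both strategies. 1 = detected. */
static int store_check(struct frame *f, size_t off, unsigned char v) {
    unsigned char *raw = (unsigned char *)f;
    f->canary = CANARY_VALUE;
    if (off < sizeof *f) raw[off] = v;
    return f->canary != CANARY_VALUE;
}

int main(void) {
    struct frame f = {{0}, 0, 0};
    printf("per-access check: first bad store %zu\n", copy_check_each_access(&f, "AAAAAAAAAA", 10));
    printf("return-time check: detected %d\n", copy_check_at_return(&f, "AAAAAAAAAA", 10));
    printf("store skipping the canary: detected %d, beyond changed %d\n",
           store_check(&f, offsetof(struct frame, beyond), 0x41), f.beyond != 0);
    return 0;
}
```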