Assignment 1
Secure Computer Systems
Questions: 1
Review Questions
1 What mechanisms can a virus use to conceal itself?
2 What is the difference between a backdoor, a bot, a keylogger, spyware, and a rootkit? Can they all be present in the same malware?
Problems
3. The question arises as to whether it is possible to develop a program that can analyze a piece of software to determine if it is a virus. Consider that we have a program D that is supposed to be able to do that. That is, for any program P, if we run D(P), the result returned is TRUE (P is a virus) or FALSE (P is not a virus). Now consider the following program:
Program CV :=
{. ..
main-program :=
{
if D(CV) then goto next:
else infect-executable;
}
next:
}
In the preceding program, infect-executable is a module that scans memory for executable programs and replicates itself in those programs. Determine if D can correctly decide whether CV is a virus.
Questions 2:
1. Define a distributed denial-of-service (DDoS) attack.
2. What defenses are possible against TCP SYN spoofing attacks?
3. Using a TCP SYN spoofing attack, the attacker aims to flood the table of TCP connection requests on a system so that it is unable to respond to legitimate connection requests. Consider a server system with a table for 256 connection requests. This system will retry sending the SYN-ACK packet five times when it fails to receive an ACK packet in response, at 30 second intervals, before purging the request from its table.
Assume that no additional countermeasures are used against this attack and that the attacker has filled this table with an initial flood of connection requests. At what rate must the attacker continue to send TCP connection requests to this system in order to ensure that the table remains full? Assuming that the TCP SYN packet is 40 bytes in size (ignoring framing overhead), how much bandwidth does the attacker consume to continue this attack?
Questions: 3
1 List and briefly define three classes of intruders.
2 What is the difference between anomaly detection and signature intrusion detection?
Problems
1. An example of a host-based intrusion detection tool is the tripwire program. This is a file integrity checking tool that scans files and directories on the system on a regular basis and notifies the administrator of any changes. It uses a protected database of cryptographic checksums for each file checked and compares this value with that recomputed on each file as it is scanned. It must be configured with a list of files and directories to check and what changes, if any, are permissible to each. It can allow, for example, log files to have new entries appended, but not for existing entries to be changed. What are the advantages and disadvantages of using such a tool?
Consider the problem of determining which files should only change rarely, which files may change more often and how, and which change frequently and hence cannot be checked. Hence consider the amount of work in both the configuration of the program and on the system administrator monitoring the responses generated.
Questions:
1. What information is used by a typical packet filtering firewall?
2. What is a DMZ network and what types of systems would you expect to find on such networks?
3. Table 9.5 shows a sample of a packet filter firewall ruleset for an imaginary network of IP address that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.
Questions
1. What types of programming languages are vulnerable to buffer overflows?
2. What are the two broad categories of defenses against buffer overflows?
Problems
1. Rewrite the function shown in Figure 10.7a so that it is no longer vulnerable to a stack buffer overflow.
Questions
1. State the similarities and differences between command injection and SQL injection attacks.
2. List several software security concerns associated writing safe program code.
Problems
3. Examine the current values of all environment variables on a system you use. If possible,determine the use for some of these values. Determine how to change the values both temporarily for a single process and its children and permanently for all subsequent logins on the system.
Questions
1. What is the point of removing unnecessary services, applications, and protocols?
2. What type of access control model do Unix and Linux systems implement?
Problems
Consider an automated audit log analysis tool (e.g., swatch). Can you propose some rules which could be used to distinguish "suspicious activities" from normal user behavior on a system for some organization?
Questions
1 What is the principal difference between the BLP model and the Biba model?
2 What properties are required of a reference monitor?
3. The *-property requirement for append access fc(Si) ... fo(Oj) is looser than for write access fc(Si) = fo(Oj) . Explain the reason for this.
3. Practical Assignment:
This practical assignment is intended for you to get familiar with some of the current security tools. These tools are powerful and are widely used in the security community. You may find some of the tools useful in protecting your own computer as well as computing resources within your organization. Special attention should be paid in choosing some of the tools and instructions should be followed.
1) Select a tool from "Top 125 Network Security Tools" (http://sectools.org/). The use of an open-source tool is highly encouraged.
2) It is required that you install and run the tool in an enclosed network environment or use it on your personal computer ONLY. An enclosed network environment means a non-operational networked system without any physical connection to other working computing environments (e.g., the Internet). Special attention should be paid when you use network scanners, sniffers, hacking tools or password crackers because their usage may violate an organization's security policies or compromise other computing resources. It is therefore your own responsibility to guarantee that the running of security tool(s) does not violate your organization's regulations, procedures, policies, and/or local, state and federal laws.
3) Follow the instructions to configure and run the tool you chose.
4) Write a brief report (2-3 pages, single-spaced, not counting figures/tables or quotations used). In your report, answer the following questions in your own words (please do not copy/paste from a tutorial or other online materials). In APA style with at least 3 references.
a) What is the functionality of the tool?
b) What is the actual running environment (software and hardware) of the tool?
c) How will you evaluate the tool based on your own experience?
d) In what aspects could the tool be improved?
5) Take a screenshot (usually by pressing Shift + PrintScreen) during the running of the tool and paste it in your lab report. In your lab report you can provide as many screenshots as you want and/or other output to show you have actually run the tool.
Your report will be evaluated based on its technical depth, critical thinking, and comprehensiveness/soundness of the discussion. You may reference publications from the academia or the industry to expand the discussion.
Secunia PSI (Personal Software Inspector) is a free security tool designed to detect vulnerable and out-dated programs and plug-ins that expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus programs. Secunia PSI checks only the machine it is running on, while its commercial sibling Secunia CSI (Corporate Software Inspector) scans multiple machines on a network. For downloads and more information, visit the Secunia PSI homepage.