InfoSec Qualification Exam. Fall 2008

advertisement
InfoSec Qualification Exam. Fall 2008
The exam is 90 points total. The passing score is about 60 points (partial credit counts).
You have to acceptably solve at least one problem in each of the following sets: system
security (problems 1-3), network security (problems 4-6), cryptography (problems 7-9).
1. (10 points) Access control mechanisms and policies form a critical part of a system that wants
to limit access to protected resources to authorized users. The access control matrix
abstraction captures how access control can be specified and several implementations exist for
this abstraction in various operating systems (access control lists, capabilities etc.). Attribute
based access control has recently become popular and it is based on the observation that to
access a resource, the source of a request must be able to demonstrate that several attributes
about it hold. For example, access can be limited to students at Georgia Tech who are in a
certain school and are currently enrolled in a class.
a. Choose an operating system and discuss how attribute based access control can be
implemented by it using the underlying access control mechanisms that are provided
by the system. Provide details of your implementation. If you think this cannot be
done, discuss the reasons why this is not possible. (1/3 credit)
b. Is there any relationship between attribute based access control and role based access
control? Sketch scenarios where it may be better to use one over the other. (1/3 credit)
c. Attributes can be associated with sources of requests for resources but resources may
have attributes as well. For example, files may have public or sensitive data or other
kinds of attributes may be possible similar to labels in multi-level security systems.
Would you advocate attributes for both users and resources? If your answer is yes,
justify it and outline example access control models where this could be used.
Otherwise, discuss why this is not useful. (1/3 credit)
2. (10 points) Virtualization is viewed as an important technology and there are claims about the
benefits it could offer for systems security. However, virtualization presents several
challenges as well.
a. The x86 architecture presented problems for virtualization and techniques like paravirtualization had to be developed. What were the problems with the x86 architecture?
Give examples of x86 instructions and discuss why they presented problems for
virtualization. How does Intel virtualization technology (VT) address this? (1/3 credit)
b. A system that employs multiple virtual machines can potentially provide better
security because a compromise of one virtual machine does not impact others.
However, application or guest OS could still have vulnerabilities and the possibility of
a compromise always exists. Thus, it is useful to monitor virtual machines even in
virtualization based systems. The monitoring could be implemented in each guest
virtual machine, a trusted virtual machine (e.g., service domain in Xen based systems)
or in the hypervisor. Discuss the pros and cons of each of these and outline the
approach that you think is the best. (2/3 credit)
3. (10 points) At the recent GTISC Security Summit, one of the panelists said that he is still
hoping for the day when we will have multi-level security. Also, leakage of sensitive data is a
serious problem that many enterprises face.
a. Would the data leakage problem go away if we could develop viable multi-level
security implementations of systems and services that are widely deployed over the
Internet today? (1/3 credit)
b. Can one adapt the old models like Bell and La Padula in the web setting of today for
accessing remote services? (1/3 credit)
c. If you believe in the feasibility of this approach, discuss some of the challenges we
will face in implementing it. (1/3 credit)
4. (10 points) A number of different techniques have been proposed to combat Denial of
Service (DoS) attacks. Most prominent among these solutions are traceback and pushback.
a. What is traceback and how does it work? How can it be implemented in
real networks? Name two assumptions that must hold true in order for
traceback to work. (3pts)
b. What is pushback and how does it work? How can it be implemented in
real networks? (2pts)
c. Why has neither scheme been implemented in real networks? (5pts)
5. (10 points) An unsavory guest staying at a hotel using traditional mechanical keys may create
a copy of the key so that she can later reenter the room for burglary. To eliminate this threat,
the hotel has asked you to design an electronic keycard system to replace the traditional keys
and locks. A reader at each guestroom door reads a keycard issued by the hotel to guests
staying in the room and unlocks the door only for authentic, current keycards. The readers are
simple, battery-powered devices that do not support public-key cryptographic operations.
They are not tamper-proof in that you cannot assume the data they store cannot be read. The
protocol by which the door reader verifies the authenticity of a keycard must satisfy the
following properties:
- A current keycard will repeatedly unlock the door.
- Once a new guest unlocks the door, all keycards for previous guests of that room will no
longer unlock the door. (This prevents a thief who copied her keycard from reentering the
room once new guests arrive.)
- There is no network connection between the front desk, where keycards are programmed,
and the door reader. The hotel staff should not need to manually reprogram the reader for each
new guest.
- Both the door readers and the keycards can store only 20 bytes of data in non-volatile
storage.
- The door reader must
before requiring reprogramming.
authenticate
keycards
for
at
least
Design
a
keycard
authentication
protocol
satisfying
the
above. What 20 bytes of data do you initially program into
Why does your protocol prevent reuse of old keycards?
three
years
requirements
the reader?
6. (10 points) What is DNS cache poisoning? Please provide two alternatives to defend against
DNS cache poisoning attacks.
7. (9 points) Why is it important that hash functions are collision-resistant and one-way? Are
these orthogonal properties or one property implies another?
8. (9 points) Instead of the standard IND-CPA security for symmetric encryption schemes one
could have an alternative definition asking that it be hard to distinguish between random
strings and ciphertexts of messages of the adversary’s choice (having the random strings of
the corresponding length, of course). What do you think about this definition? Why isn’t it
widely used?
9. (12 points) Assume a public-key encryption scheme for single-bit messages. Show that, given
pk and a ciphertext c computed by encrypting a random message m under pk, it is possible for
an unbounded adversary to determine m with probability 1. (That shows that perfectly-secure
public-key encryption is impossible.)
Download