Sample final 2

CSCI 430 – Sample Final Exam
1. Authorization and policy
An organization is using the Bell-LaPadula model for authorization. Alice has top
secret clearance, Bob has secret clearance and Charlie has classified clearance.
There are three files: “network organization” file, which is classified as top-secret,
“work schedule”, which is classified and “welcome notes”, which is unclassified.
The ACM shows that Alice can write to “work schedule”, Bob can write to
“network organization” and everyone can read all files.
Answer the following questions:
a) Who can write network organization file?
b) Who can read work schedule?
c) Who can write welcome notes?
d) Who can read welcome notes?
Alice – top secret
Bob – secret
Charlie – unclassified
Network organization – top-secret
Work schedule – classified
Welcome notes – unclassified
a) Network organization is top-secret. Under mandatory access control anyone
can write (every clearance is at or below top-secret, so writing up is allowed).
Under discretionary access control only Bob can write.
So finally only Bob can write.
b) Work schedule is classified. Mandatory: Alice and Bob (clearance at or above
classified). Discretionary: anyone can read. Finally – Alice and Bob can read.
c) Welcome notes are unclassified. Mandatory: Charlie (only an unclassified subject
may write to an unclassified file). Discretionary: no one. Finally – no one.
d) Mandatory: anyone. Discretionary: anyone. Finally – anyone can read.
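The four answers above can be checked mechanically. The following is an added example, not part of the sample final: it encodes the Bell-LaPadula mandatory checks (no read up, no write down) and the discretionary ACM from the question, and reproduces the answer key. The level ordering and the clearances follow the list in the answer (Charlie is treated as unclassified); the function and variable names are my own.

```python
# Added example (not part of the exam): Bell-LaPadula mandatory checks combined
# with the discretionary ACM from question 1. Level names, their ordering and the
# clearances follow the answer above (Charlie is treated as unclassified).
LEVELS = {"unclassified": 0, "classified": 1, "secret": 2, "top-secret": 3}

CLEARANCE = {"Alice": "top-secret", "Bob": "secret", "Charlie": "unclassified"}
CLASSIFICATION = {
    "network organization": "top-secret",
    "work schedule": "classified",
    "welcome notes": "unclassified",
}

# Discretionary part: explicit write grants from the ACM; everyone may read every file.
ACM_WRITE = {"work schedule": {"Alice"}, "network organization": {"Bob"}}


def mac_allows(subject, obj, op):
    """Bell-LaPadula: no read up (simple security), no write down (*-property)."""
    s = LEVELS[CLEARANCE[subject]]
    o = LEVELS[CLASSIFICATION[obj]]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def dac_allows(subject, obj, op):
    """Discretionary check against the ACM."""
    if op == "read":
        return True
    if op == "write":
        return subject in ACM_WRITE.get(obj, set())
    raise ValueError(f"unknown operation {op!r}")


def allowed(subject, obj, op):
    # Both policies must agree; a discretionary grant never overrides the MAC rule.
    return mac_allows(subject, obj, op) and dac_allows(subject, obj, op)


def who_can(obj, op):
    """All subjects allowed to perform op on obj, in a stable order."""
    return sorted(s for s in CLEARANCE if allowed(s, obj, op))


if __name__ == "__main__":
    for obj, op in [("network organization", "write"), ("work schedule", "read"),
                    ("welcome notes", "write"), ("welcome notes", "read")]:
        print(f"{op:5} {obj!r}: {who_can(obj, op) or 'no one'}")
```

Running it prints Bob for the write to "network organization", Alice and Bob for the read of "work schedule", nobody for the write to "welcome notes" and all three for the read of "welcome notes". The point worth noticing is in `allowed`: the mandatory and discretionary decisions are combined with a logical AND, which is why Alice's ACM grant on "work schedule" is useless to her (it would be a write down) and why Charlie's mandatory permission on "welcome notes" is useless without an ACM entry.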
2. Intrusions
Explain how split-horizon DNS works and how it helps protect a network from
DNS reconnaissance.
There are two DNS servers, one public and one private. The public one knows only
the IPs of public servers; the private one knows the IPs of internal servers.
External clients learn only the IP of the public DNS server, while all internal
clients use the private DNS server.
If a server needs to be accessed by both internal and external clients it has two
IPs, one public and one private. External attackers can only learn about public
servers, not about internal ones.
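To make the two views concrete, here is an added example (not part of the sample final) that simulates a split-horizon resolver in one process: the answer depends on the source address of the query. The networks, host names and addresses are constructed; 10.0.0.0/8 stands for the internal network, and the function names are my own. In a real deployment the two zones would live on two separate servers, or in two BIND "views" on one server.

```python
import ipaddress

# Added example (not part of the exam): a split-horizon resolver that answers from
# a different zone depending on where the query comes from. Networks, names and
# addresses are constructed; 10.0.0.0/8 stands for the internal network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Externally visible zone: only public-facing hosts, with their public addresses.
PUBLIC_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
}

# Internal zone: the same dual-homed hosts under their private addresses, plus
# internal-only hosts that never appear in the public zone.
INTERNAL_ZONE = {
    "www.example.com": "10.0.0.10",
    "mail.example.com": "10.0.0.20",
    "hr-db.example.com": "10.0.5.7",
    "ldap.example.com": "10.0.5.8",
}


def is_internal(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_NETS)


def zone_for(client_ip):
    return INTERNAL_ZONE if is_internal(client_ip) else PUBLIC_ZONE


def resolve(name, client_ip):
    """Return the A record for name as seen by client_ip, or None for NXDOMAIN."""
    return zone_for(client_ip).get(name)


def visible_names(client_ip):
    """Every name a client could ever learn from this server: its reconnaissance surface."""
    return sorted(zone_for(client_ip))


if __name__ == "__main__":
    for client in ("198.51.100.5", "10.0.1.2"):
        print(client, "sees", visible_names(client))
        print("  www.example.com ->", resolve("www.example.com", client))
        print("  hr-db.example.com ->", resolve("hr-db.example.com", client))
```

An external client (198.51.100.5) resolves www.example.com to its public address and gets NXDOMAIN for hr-db.example.com, whose existence it cannot learn from this server at all; an internal client (10.0.1.2) gets the private addresses and the full internal name space.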
3. DDoS
I propose a DDoS defense in which the victim server under attack instructs all its
clients to send a lot of traffic to the server. The server then flags those clients that
did send required (high) traffic volume as legitimate. The assumption here is that
attackers already send at max capacity and cannot increase their sending rate so
the server will easily flag them as malicious.
a) What are the advantages of this approach?
Simple and easy to implement.
Works if the assumption is correct.
b) What are the disadvantages of this approach?
If the assumption is not correct it doesn't help.
It creates even more congestion.
c) If you were the attacker how would you trick this defense into flagging you as
a legitimate client? Assume you have unlimited resources at your disposal.
Send at a low rate and then increase when the victim asks you to increase rate –
get flagged as legitimate client.
d) Imagine that instead of instructing clients to send lot of traffic the server sent
them a computational puzzle to solve. Does this solve any of the
disadvantages you listed? Does it introduce any new disadvantages?
It helps with congestion.
It helps even if the attacker is not sending at its peak rate, or if legitimate
users are sending at their peak rate.
New disadvantages: it slows down legitimate traffic, and CPU power differs a lot
between machines, so it is hard to generate puzzles that are equally difficult for
everyone.
4. Worms
In a paper we covered in class the authors discuss how quickly a global worm
defense would have to work and where it should be deployed, and they
measure two types of defenses.
a) Which defenses did they consider, and which one was better?
Address blacklisting (if a machine is proven to be infected blacklist it
and drop all its traffic)
Worm signatures (use a signature to drop all worm scans)
Worm signatures performed better.
b) How quickly should the defenses work to stop the worm?
Address blacklisting within seconds.
Worm signatures within minutes.
c) Where should they be deployed?
At big ISPs.
5. Botnets
There are two ways to enumerate botnets: passive observation of traffic (e.g.,
infiltrate and then observe all reports passing through the node) and active
traversal of P2P structure (e.g. querying each node for its peers and then
repeating this for each peer).
a) Which approach gives higher counts and why?
Passive was better – it can see traffic from firewalled hosts.
b) Both approaches may miscount since they assume that one IP = one bot.
Explain why this assumption is not true (multiple reasons exist) and how it
reflects on a total count (does it make it smaller or larger than the true
count).
DHCP – higher (one machine can get multiple IPs over time) and lower (the same IP
can be used by multiple hosts at different times)
NATs – lower (one IP for a whole network of bots)
Churn – higher (machines can be cleaned or disconnected but are still counted)
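Both effects in questions a) and b) can be shown on a toy botnet. The following is an added example, not part of the sample final: a constructed P2P botnet in which some bots sit behind NAT or a firewall, a breadth-first crawl of the kind "active traversal" performs, and a constructed sensor log of the reports an infiltrated node would see passively. It assumes, as the crawl literature does, that bots which accept no inbound connections are never listed in other bots' peer lists, and that each report carries a bot identifier (a simplification so that the IP count and the bot count can be compared); the addresses, names and log lines are all constructed.

```python
from collections import deque

# Added example (not part of the exam): a constructed toy P2P botnet. Each bot has
# its current public IP, whether it accepts inbound connections, and the peers it
# advertises when queried. Bots behind NAT or a firewall can reach out but cannot
# be queried, so reachable bots do not keep them in their peer lists (assumption).
BOTS = {
    "bot-01": {"ip": "198.51.100.1", "inbound": True,  "peers": ["bot-02", "bot-03"]},
    "bot-02": {"ip": "198.51.100.2", "inbound": True,  "peers": ["bot-01", "bot-03"]},
    "bot-03": {"ip": "198.51.100.3", "inbound": True,  "peers": ["bot-01"]},
    "bot-04": {"ip": "203.0.113.7",  "inbound": False, "peers": ["bot-01"]},  # behind a NAT
    "bot-05": {"ip": "203.0.113.7",  "inbound": False, "peers": ["bot-02"]},  # same NAT
    "bot-06": {"ip": "203.0.113.9",  "inbound": False, "peers": ["bot-03"]},  # firewalled
}


def active_crawl(seed):
    """Active traversal: query each reachable bot for its peer list, breadth-first."""
    seen, queue = {seed}, deque([seed])
    while queue:
        bot = queue.popleft()
        if not BOTS[bot]["inbound"]:
            continue  # cannot be queried, so its peer list is never learned
        for peer in BOTS[bot]["peers"]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


# Constructed sensor log: (seconds since start, source IP, bot id in the report).
# Every bot, firewalled or not, periodically reports through the infiltrated node.
SENSOR_LOG = [
    (0, "198.51.100.1", "bot-01"),
    (1, "198.51.100.2", "bot-02"),
    (2, "198.51.100.3", "bot-03"),
    (3, "203.0.113.7", "bot-04"),
    (4, "203.0.113.7", "bot-05"),
    (5, "203.0.113.9", "bot-06"),
    (60, "203.0.113.12", "bot-06"),  # DHCP lease renewed: same bot, new address
]


def passive_count(log, by="ip", until=None):
    """Passive observation: count distinct IPs (what a sensor really sees) or
    distinct bot ids (the true count), optionally only up to a point in time."""
    idx = {"ip": 1, "id": 2}[by]
    return len({entry[idx] for entry in log if until is None or entry[0] <= until})


if __name__ == "__main__":
    print("active crawl from bot-01 finds:", sorted(active_crawl("bot-01")))
    print("true number of bots:", passive_count(SENSOR_LOG, by="id"))
    print("distinct IPs in first minute (NAT hides one):", passive_count(SENSOR_LOG, "ip", 59))
    print("distinct IPs over whole log (DHCP adds one):", passive_count(SENSOR_LOG, "ip"))
```

The crawl stops at the three reachable bots because the other three never appear in any peer list it can fetch, while the passive sensor sees reports from all six. Counting IPs instead of bots then cuts both ways: in the first minute the two bots behind 203.0.113.7 collapse into one address (undercount), and once bot-06 renews its DHCP lease the same bot shows up under a second address (overcount).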
6. Privacy
Alice configures Tor to use 4 Tor routers for her route: T1, T2, T3, T4. Alice's
outgoing connection goes through these Tor routers in order of lowest to highest
(Alice->T1->T2->T3->T4->Destination).
a) If we represent the layers of Tor encryption with parenthesis, Alice's encrypted
message looks like this: ((((message)K_a)K_b)K_c)K_d
where K_x is the public key for Tor router "x".
For Alice's outgoing path (T1->T2->T3->T4), replace a, b, c and d with the
appropriate number (1-4) to show how Alice's message is encrypted.
((((message)K_4)K_3)K_2)K_1
b) Normally Tor routes only "bounce" through three Tor routers. What is the
downside of Alice using four?
It is slower, because the route is longer and there is one more layer of encryption.
c) If Eve can only see TCP/IP headers (i.e. no application payload) which go
between T4 and Alice's final destination, does Eve know which connection is
Alice's? Justify your answer.
No, she only sees that packets go from T4 to Bob.
d) If Eve can see full packets (headers + payload) which go between T4 and
Alice's final destination, does Eve know which connection is Alice's? Justify your
answer.
No, because Alice should encrypt her traffic so that the payload is encrypted (with
Bob's public key).
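The layering in a) and the view Eve gets in c) and d) can be simulated. This is an added example, not part of the sample final: it wraps a message for the path T1 to T4 so that T1's key is outermost and T4's innermost, peels one layer per router, and reports what an observer on the link between T4 and the destination sees. The cipher is a toy XOR keystream that stands in for Tor's real per-hop encryption and is not secure; the keys, names and functions are constructed.

```python
import hashlib
import json

# Added example (not part of the exam): building and peeling the onion from
# question 6a. keystream_xor is a toy stand-in for Tor's real per-hop encryption
# (it is NOT secure); KEYS are constructed per-router keys.


def keystream_xor(key, data):
    """Toy stream cipher: XOR with a SHA-256 counter keystream. Illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


KEYS = {"T1": b"key-T1", "T2": b"key-T2", "T3": b"key-T3", "T4": b"key-T4"}


def wrap(key, next_hop, inner):
    """One layer: encrypt 'where to send this next' together with the inner onion."""
    plain = json.dumps({"next": next_hop, "payload": inner.hex()}).encode()
    return keystream_xor(key, plain)


def unwrap(key, layer):
    """Peel one layer; raises ValueError if the key does not fit this layer."""
    try:
        obj = json.loads(keystream_xor(key, layer).decode())
        return obj["next"], bytes.fromhex(obj["payload"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("wrong key for this layer") from exc


def build_onion(path, destination, message):
    """((((message)K_4)K_3)K_2)K_1: wrap for the last router first, so that the
    first router's key ends up outermost."""
    hops = path + [destination]
    onion = message
    for i in reversed(range(len(path))):
        onion = wrap(KEYS[path[i]], hops[i + 1], onion)
    return onion


def route(path, onion):
    """Simulate the circuit: each router peels its own layer and forwards the rest.
    Returns the (router, next_hop) pairs and what leaves the last router."""
    trace = []
    for router in path:
        next_hop, onion = unwrap(KEYS[router], onion)
        trace.append((router, next_hop))
    return trace, onion


def exit_link_view(path, onion):
    """What an observer between the last router and the destination sees:
    headers say T4 -> destination; the payload is whatever Alice put innermost."""
    trace, payload = route(path, onion)
    last_router, destination = trace[-1]
    return {"src": last_router, "dst": destination, "payload": payload}


if __name__ == "__main__":
    path = ["T1", "T2", "T3", "T4"]
    onion = build_onion(path, "Bob", b"hello Bob")
    print(route(path, onion))
    print(exit_link_view(path, onion))
```

Each router learns only its own next hop, which is why the trace reads T1 to T2, T2 to T3, T3 to T4, T4 to Bob and nothing more; trying to peel the outer layer with T4's key fails, which is the order question a) asks for. `exit_link_view` is Eve's position in c) and d): the headers name T4 and Bob, never Alice, and the payload is exactly what Alice placed innermost, so it is readable on that link unless Alice encrypted it end to end for Bob before building the onion.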