CSM27 Exercises
Hans Georg Schaathun
November 30, 2007
1 Week 1
1.1 In session
• Security problems brain storming
• Classication of brain stormed problems.
1.2 Weekly Exercises
1.2.1 Current Security Problems
• Find at least 5 news articles (printed press or WWW) about security issues, prob-
lems, or incidents.
• From the articles, select two separate incidents or issues to analyse.
• For each incident/issue
1. classify the problem (condentiality, integrity, availability)
2. identify the threat and the vulnerability.
3. identify any useability or reliability issues.
• Remember that each instance may represent more than one class, threat, and
vulnerability.
• Give reasons for your answers
• Expected length about 2 pages, plus copies of the ve news articles.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

2 Week 2
2.1 In session
2.1.1 Gollmann 1.6
• Consider the theft of a central server from the university or faculty.
• Write down all the assets which could be jeopardised by such a theft.
• Construct an attack tree for this threat.
This is an open question, and many dierent solutions may be right. The following is
mainly Dieter Gollmann's suggestions, with some additions. The solution presented
is not complete, and a thorough analysis would extend the tree in many directions.
At the rst level of the tree, Gollmann suggests to separate data and services. Data
could then be divided into administration, teaching, and research. Services might
include email, Internet access, and software systems for student labs.
The tree could then be further extended along the lines of the example in Figure 1
(and even further), and one might then compare the compromise (of condentiality)
and loss (of availability) of the various categories of data and services. For example, if
published research papers are on the stolen server (and if there is no backup), the loss
of the electronic records would be an inconvenience (if necessary, one could re-type
the papers).
The loss of data from recent experiments is at best an inconvenience (one has to repeat
the experiments), and potentially the loss of an opportunity because the attackers
might publish your results rst. When the department is collaborating with external
parties and stores data from partners on its servers, it might become liable for any
losses incurred by its partners.
In other categories, the compromise of sta and student records may raise privacy
issues, and the loss of examination records (a possible further sub-division of student
data) might make it impossible for the university to graduate students.
If the the server includes password les, that is a threat which makes other servers
and other resources vulnerable. Hence the password le node in the tree should be
extended to a large tree in itself.
The tree could then be used to evaluate the impact of the various threats, and the
impact of potential countermeasures (such as backups).
2.1.2 Gollmann 2.7
Discuss: is a good graphical user interface an appropriate criterion for purchasing a
security product?
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

Server theft
Data
Teaching
Exam Papers
Password les
Admin
Marks
Sta
Internal
Services
Email
Student
PR
Web
Sta info
Research
Partners
Project data Patent ideas
Figure 1: Attack tree for Exercise 1.6.
There are arguments both ways.
• A good user interface is essential to avoid human errors.
• A good user interface can make the operator or administrator more eective.
Save time.
Support methodological and systematic work.
• What actually constitutes a good user interface depends on the people who will
be operating it.
Graphical user interfaces work best for occasional users.
Non-graphical user interfaces are often more ecient for expert users, using
the interface frequently.
Regardless of whether it is graphical or not, it needs to be good, and work
for the people using it.
• The user interface is not sucient.
The user interface in itself does not buy any security.
The underlying product must be eective.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

2.2 Weekly Exercises
2.2.1 Gollmann
2.4 Medical records pose particular security problems. Assume that your medical
records can be accessed on-line. On one hand, this information is sensitive and
should be protected from disclosure. On the other hand, in an emergency it is
highly desirable that whoever treats you has access to your record.
• How would you use prevention, detection, and recovery to secure your records?
• Give reasons for your answers.
The answers are open to personal preferences.
Prevention may be the most obvious approach, but there is a strong case that detection
may be eective. If abuse can be detected, typically abuse by medical personnel, then
both disciplinary and judicial actions can be made. Medical personnel abusing their
access, could at the very least lose their licence to practice. This would deter most of
them from abuse. More severe punishment or demands for compensation would deter
more potential abusers.
Although prevention may look like the natural choice, it is potentially harmful, as too
restrictive policies can prevent access in an emergency. One could, however, look for
solutions where access depends on two keys, such as one smart card carried by the
patient, and one key available to registered health personnel. But would every patient
always carry their card?
Access should obviously be restricted to health personnel, so it should depend on a
token (smart card) issued to registered medical professionals. If that token is personal, identifying the user, each on-line access can be logged to provide an audit trail.
The patients could then be allowed to inspect who have viewed their data, and be
allowed to report any suspicious access. Reported incidents would then be subject to
appropriate disciplinary and judicial actions.
2.9 Identify the security perimeters that may be applicable when analyzing personal
computer (PC) security. In your analysis, consider when it is appropriate to assume
that the room the PC is placed in, the PC itself, or some security module within
the PC lies within the security perimeter.
With respect to some threats, the perimeter is probably always the room. At the very
least, access to the room would normally allow an attacker to pull the power, making
the service unavailable.
With respect to condentiality and integrity, the physical PC itself could only be outside the security perimeter if either the critical contents on the harddrive is encrypted
or some tamper proof security modules prevents connecting the drive to another box.
Otherwise, the disk could be removed to be copied or modied.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

If physical access is controlled, such as by guarding the room, the perimeter does
become the room. Similarly, if the PC is portable, it becomes the interior security
modules (which probably have to be tamper-resistant) because the user can take the
box home and pick it to pieces,
The following is Gollmann's solution:
I have the following scenarios in mind: PC with/without network connectivity, PC in a protected room; PC that cannot be removed from the oce,
PC with limited input facilities (e.g. only keyboard, so it is really dicult
to add software manually), PC (laptop) users can take home so that they
have access to the hardware, PC with a tamper resistant security module
inside.
2.3 Extra Exercises
2.5 Draft a security policy for protecting examination results kept on a computer sys-
tem. Your policy should at least consider the access requirements of students,
lecturers, and administrators.
• Students would probably be limited to reading their own results. Privacy re-
quirements dictate that they should not have read access to other students' les.
Integrity and preventing forgery of results dictate that they should not be given
any write access.
• Lecturers probably need read and write access for the modules they teach. There
is no obvious reason to give them write access to other modules. They might be
given read access to the les of their personal tutees.
• Administrators (exams and U/G oce) need complete probably read access to
prepare letters to students and protocols for Exam Boards. They might be given
write access if they need to enter data on behalf of lecturers. It may be necessary
to have someone with write privileges in the case of lecturers on sick leave.
• Administrators monitoring teaching quality should probably be limited to reading statistical summaries.
2.8 Look for further examples where a security mechanism in one layer can be bypassed
by an attacker who has access to a layer below.
Open question [Gollmann]: a device that can be booted with two dierent operating
systems might serve as another example. The access control data set by one operating
system will not be understood by the other operating system; access to data that has
been protected at a logical level thus can be circumvented by changing the underlying
operating system.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

3 Week 3
3.1 In session
3.1.1 Gollmann 3.7
If you are required to use several passwords at a time, you may consider keeping them
in a `password book'. A password book is a protected le containing your passwords.
Access to the password book can again be controlled through a master password.
• What are the advantages of such a scheme?
• What are the disadvantages of such a scheme?
• Overall, do you think it is a good idea or not?
Again, there is no one correct answer. The advantages and disadvantages depend a
lot on what the alternative is.
Against such a solution, a password book gives a single point of failure, and if the
master key is compromised, everything is compromised. Furthermore, accessing the
password le, sometimes means showing several passwords in cleartext on the screen,
vulnerable to spying and surveillance.
On the other hand, good routines can reduce the risk of jeopardising the master key
or key le considerably.
Remembering all the individual passwords is often humanly infeasible. Forgetting
passwords is unacceptable due to the loss of availability, and the solutions to recover
forgotten passwords risk introducing additional Thus, a password book may be a
necessary `evil'.
3.2 Weekly Exercises
3.2.1 Gollmann 3.2
1. Assume that you are only allowed to use the 26 characters from the alphabet to
construct passwords. How many dierent passwords are possible if a password is
at most n, n = 4, 6, 8, characters long and there is no distinction between upper
case and lower case characters?
The number of passwords of lenth n is 26n , so the number of passwords of length at
most n is 26n + 26n−1 + . . . + 261 + 260 .
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

2. How many dierent passwords are possible if a password is at most n, n = 4, 6, 8,
characters long and passwords are case sensitive?
We have doubled the alphabet from 26 to 52 characters, so the number of passwords
of length exactly n is now 52n = (26n )(2n ).
3.2.2 Security policy
• Draft a security policy for password management for student accounts at a uni-
versity.
• Include security policy objective, and mechanisms for issuing new accounts/pass-
words and for reissuing passwords when one is forgotten.
• Give reasons for your choices.
The security policy have to state conditions for issuing a new account, and for resetting/recovering a forgotten password. It will also have to dene any limitations on
acceptable passwords.
All students shall have access to university computers with as few
and as short interruptions as possible. No unauthorised users are allowed access.
Sample Objective:
This is an example. The student may have to meet in
person, bringing some sort of identication (campus card), to be given a username
and pseudo-random (computer generated password). This ensures identication and
authentication.
Issuing a new password:
The pseudo-random password should only be valid for one login; the user has to
change it. Otherwise there is a risk of password slips lying about.
This face-to-face procedure also allows a requirement to sign terms and conditions.
The most secure alternative in terms of condentiality and
integrity is probably to require the student to meet in person, following the procedure
for issuing a new password. This may or may not be an unacceptable delay in restoring
availability for the individual student.
Reissuing a password:
A couple of questions will have to be answered. May students need a new password
outside oce hours? Do students need a new password o-campus? Only if both
answers are no, is the face-to-face solution sucient.
The students could be required to give a mobile phone number when they rst receive
their account. This would then provide an authorised channel; it could be used to
issue new one-time computer-generated passwords by SMS upon request (by phone,
or by web form). This does, however, require the students to have a mobile phone
and avoid losing it. In practice, on a campus, it is probablty easy to steal a mobile
phone and nd the name/username of the owner.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

It is hard to think of another alternative which does not require the agreement of an
alternative secret. Using mother's maiden name is common in this country, but this
is not exactly classied information, and can probably be found in public records.
It may be suciently secure to use a combination of dierent quasi-secrets, like student
number (URN), date of birth, et c. None of this is impossible to nd, but it is timeconsuming to get all.
Password limitations The policy would probably specify that the password has to
include a certain number of special characters, both upper- and lower-case letters,
and possibly also digits. It may ban sequences from consecutive keyboard keys, and
certainly should ban words and names.
3.3 Extra Exercises
The following exercises will not be assessed or discussed in session, but they are good,
exam-relevant training.
3.3.1 From Gollmann Chapter 3
3.3 Assume that passwords have length six and all alphanumerical characters, upper
and lower case, can be used in their construction. How long will a brute force
attack take on average if it takes one tenth of a second to check a password? it
takes a microsecond to check a password?
There are 62 symbols and 626 possible password. In the rst case the search takes 90
years; in the second it taks 8h. The purpose of the exercise is to demonstrate that
speed-ups in password checking are not relevant to individual end users but help an
attacker. (Gollmann)
3.4 Assume that you are only allowed to use the 26 characters from the alphabet to
construct passwords of length n. Assume further that you are using the same
password in two systems where one accepts case sensitive passwords but the other
does not. Give an upper bound at the number of attempts required to guess the
case sensitive version of a password.
You should search rst for the case-insensitive password, using 26n checks. Having
found this, there are 2n possible combinations of upper/lower case. The total number
of checks needed is then 26n + 2n .
3.3.2 Your own system
• Consider the system on your laptops.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

How are the passwords stored?
Can the adminstrator read user passwords?
In what way is the choice of password restricted?
Compare your system against the principles and suggestions in Gollmann,
Section 3.3.
4 Week 4
4.1 In session
• [Gollmann 4.3] Discuss: What are the dierences between groups and roles, if there
are any dierences at all?
• [Gollmann 4.9] You are given a set of categories. Implement a lattice-based need-
to-withhold policy where you selectively withdraw access rights from subjects.
4.2 Weekly Exercises
• Suppose you have M users on a system, each of whom has 50 les. You distinguish
between alter, observe, and execute for each le. How many bytes do you need to
store the access control matrix for these users and les when M = 10, M = 100,
M = 500, M = 4415?
We have 50M les and M users, so the access matrix has 50M 2 entries. Each entry
is 3 bits (for three access modes), so we need 150M 2 bits to store it. Use a calculator
to calculate the exact size for dierent M .
• [Gollmann 4.6] Let (L, ≤) be a lattice of security levels where L is a nite set.
Show that unique elements System Low and System High must exist in such a
lattice.
By system low we mean a security level which is dominated by every other security
level. Similarly, system high is level dominating every other security level.
(This proof is simpler than the one attempted in class.) Assume that there is no
element System High. Then there must be two elements A and B such that there is
no element X ∈ L with A < X or B < X . (That is, two elements A and B which are
not dominated by a common element dierent from A and B .) Since A and B have
a least upper bound by denition, we get A = lub(A, B) = B .
Assume than that System High is not unique, so that A and B are both System High.
Then we have A ≤ B and B ≤ A, implying A = B by the denition of a partial
ordering.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

It follows by contradiction that there be a unique System High. The proof for System
Low is similar.
• Consider the graf of user and group privileges in the slide on Group-based access
control.
Explain why the graf is not a lattice.
What change would you have to make to turn it into a lattice?
The graf does not have a largest lower bound (System Low). To turn it into a lattice,
System Low would have to be added, e.g. as a nobody user dominated by every le.
4.3 Extra Exercises
4.3.1 Gollmann 4.5
You are given a security policy stating that a subject has access to an object if and only
if the security level of the subject dominates the security level of the object. What is
root
uid1 uid2 uid3
the eect of using this lattice with this policy?
guest
Users (uid1, uid2, uid3) have access to their own le as well as those of guest. Guest
has only to her own les and nothing else. Root has access to everything.
4.3.2 Gollmann 4.7
Construct the lattice of security labels for the security levels `public', `condential', and
`strictly condential', and for the categories ADMIN, LECTURERS, and STUDENTS.
Which objects are visible to a subject with security label (condential,STUDENTS) in
a need-to-know policy? How many labels can be constructed from n security levels and
m categories? For illustration, consider the values n=16 and m=64.
Draw the lattice following the model from the slides.
A subject with (condential,{students}) can see objects with (condential,{students}), (public,{students}), (condential,∅), or (public,∅).
You have n security levels and m categories. Because each category can be either
present or not, we get 2m combinations of categories. Any combination of categories
can be combined with any security level, giving n2m security labels.
For n = 16 = 24 and m = 64, we get 26 4 security labels.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

5 Week 5
5.1 In session
5.1.1 Gollmann 5.1
Microprocessors on smart cards used to have their entire card operating system in ROM.
Currently, there are moves towards microprocessors where part of the operating system
can be downloaded into EEPROM. What are the advantages and disadvantages of keeping the operating system in ROM? What are the security implications of moving parts
of the operating system into EEPROM?
If the OS is in ROM, it cannot be changed, thus ensuring the integrity of the system.
You save the worry about attackers modifying the system. However, it is bad for
exibility; you cannot make changes for yourself, including upgrading the system.
Using EEPROM adds a feature, namely the possibility of changing the system, and
this feature can be used or abused. Other precautions will be needed to prevent the
abuse.
5.2 Weekly Exercises
5.2.1 Gollmann 5.2
Can you have security without security kernels?
Discuss the advantages and disadvantages of having a security kernel built into the
Operating System Kernel (as opposed to the Application Layer) to form the trusted
computing base (TCB).
Yet another example of the usual trade-o between exibility and simplicity. The
TCB oers centralised, systematic control of privileges, and it is feasible to make it
small, simple, and analyseable.
However, some applications may need a more ne-grained control, using additional
information and details not available during the design of the TCB. The disadvantage
is that security is suddenly enforced in `bits and pieces' and it is much more dicult
to validate an organisational security policy.
5.2.2 Gollmann 5.5
Some buer overrun attacks put the code they want to be executed on the call stack. How
can the ability to distinguish between programs and data help to construct a defence
against this particular type of buer overrun attacks? Briey describe a protection
mechanism based on this distinction.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

5.2.3 P&P 5.9
Consider time-sharing on the CPU. Explain what is necessary to provide temporal separation (with proper security). Your answer can take one of two approaches
• Describe the (formal) conditions which must be met in order for two processes to
be adequately separated.
• Describe each action which must be taken by the CPU and OS during a context
switch (i.e. when one process is swapped out and a new one in)?
Give rationale for each condition/action.
Firstly, during the switch, the data and the state (CPU registers) of the old process
have to be copied and stored such that the new process cannot access it.
Secondly, the registers and all other state information and memory which the new
process will be able to access have to be blanked out to ensure condentiality.
5.3 Extra Exercises
5.3.1 P&P 5.16 rephrased
Consider the le tree in Unix. Each le is at a leaf of the tree, identied by a unique path
from the root to the leaf [P&P]. (This is not entirely true, as one le can be linked into
several directories using hardlinks. Hence the path is not necessarily unique, and the graf
is not a tree. Subdirectories cannot be hardlinked consistently though.) Each interior
node is a subdirectory. A user can block access through a node by restricting (execute)
access to the subdirectry. Devise a method that uses this structure to implement a
discretionary access policy.
6 Week 6
6.1 Weekly Exercises
• Write a short essay stating your position in the Bell vs McLean debate.
It is helpful to address as many of the strengths and weeknesses of BLP as possible, in
order to build an argument for your view.
Suggested length 12 -2 pages. Longer is not always better.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

7 Week 7
7.1 Weekly Exercises
7.1.1
In a medical information system that controls access to patient records and prescriptions,
doctors may read and write patient records and prescriptions, nurses may read and write
prescriptions only but should learn nothing about the contents of patient records.
1. How can you capture this policy in a lattice model that prevents information ow
from patient records to prescriptions?
2. In your opinion, which security model is most appropriate for this policy? (Why?)
Sketch a security model capturing the requirement.
3. A doctor should not be allowed to make a prescription for herself. How can you
augment your model above to prevent this kind of prescription abuse?
I am very skeptical that lattice models are meaningful because information between
doctors and nurses can ow in both directions. I have seen suggestions that doctors
could have two dierent accounts, one to work on patient records, the other to write
prescriptions and that they should log in and out between these two activities. This
sounds very unrealistic and I would use Clark-Wilson as the basis for formulating this
policy.
7.1.2
Is it possible to support Bell-LaPadula in an implementation of Chinese Wall? Make
a design of a Bell-LaPadula system based on a Chinese Wall system, and address any
limitations of the design.
8 Week 8
8.1 In session
• Compare
Evaluation
and Consultancy
• Consultants advise clients on suitable solutions for their applications (including
security requirements).
• Where would you draw the boundary between evaluation and consultancy?
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

What do consultants do?
What does an evaluation do?
• Are there any situations where you would clearly choose one over the other?
8.2 Weekly Exercises
8.2.1 Bishop 21.5
Refer to the Common Criteria portal http://www.commoncriteriaportal.org/. Choose
one protection prole (PP) which interests you, and the security targets (ST) of a product implementing this PP.
• Compare the PP and the ST and identify any dierences.
• Based on this comparison, what is your opinion of the product?
• For which applications is the product suitable?
9 Week 9
9.1 Weekly Exercises
9.1.1
Consider the following piece of code from Section 14.2.2 in Gollmann's book, i.e.
char buf [ 1 2 8 ] ;
combine ( char ∗ s1 , s i z e _ t len1 , char ∗ s2 , s i z e _ t l e n 2 )
{
i f ( l e n 1+l e n 2+1 <= s i z e o f ( buf ) ) {
s t r n c p y ( buf , s1 , l e n 1 ) ;
s t r n c a t ( buf , s2 , l e n 1 ) ;
}
}
• Why is the code unsafe? (This question is answered in the book.)
• Suggest a x to the aw in the code above. (This question is asked (but not
answered) in the book.)
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp

The check if (len1 + len2 + 1 <= sizeof(buf)) could, for example, be changed
to if (len1 + len2 + 1 <= sizeof(buf) || len1 < len1 + len2).
For an n bit unsigned integer, the maximal value for len2 is 2n-1 , and len1 + 2n˘1
(mod 2n) = len1˘1; if there is an integer overow, the result will be smaller than
len1. (No claim that this is the optimal solution.)
9.1.2 Peeger & Peeger 3.13 (rephrased)
Consider a data structure for a doubly linked list. The data structure is of critical
importance, but will run on a system subject to periodical (irregular) hardware failures.
In other words, the system can go down without warning in the middle of a the execution
of a method.
You are to implement the insert method (as well as any required auxiliary methods,
such as error-recovery to be run after an accidental crash) for this data structure. Give
an outline of the algorithm in pseudo-code (or any programming language you like).
Write a short reasoning for key statements in the algorithm.
10 Week ?
2.2 Examine the relationship between unlinkability and anonymity.
exercise.tex,v 1.37 2007/11/26 11:11:05 css1hs Exp
