College of Engineering & CS
Wright State University
Dayton, Ohio 45435-0001

CEG 499/699:
Internet Security

Final Exam

100 points max   120 minutes
Prabhaker Mateti, Winter Quarter 2000

   

This is a closed book/notes/... exam, except for the three papers by

You are free to refer to copies of the above papers, but be careful that you do not use up your time.  It is hard to answer all the questions in 120 minutes.

   
  1. (20 points, 5 points each) Explain/Discuss/Dispute/Answer, in a few lines, the following.
    1. An application-level gateway can be configured to prevent IP spoofing.
    2. An IP filtering package must be run on a router.  It has no effect if run on a normal host with a single network card.
    3. In the public-key encryption scheme, there is one key that must be kept secret, and another that is published.
    4. If remote login programs used SSL, passwords cannot be sniffed.
  2. (10 points) Explain fully the "no read up" and "no write down" rules.
  3. (10 points) Summarize in technical terms one of the three papers above.  Do not use their abstract.
  4. (10+10 points) The following routine reads a file name from the standard input and returns its protection mode. It treats the argument as a file name, and returns the protection mode of the file as a short integer. Identify and explain, in detail, its exploitable features.

    #include <sys/types.h>
    #include <sys/stat.h>
    #include <stdio.h>

    /* Routine as given on the exam; its defects are the subject of questions 4 and 5. */
    short int protectionMode(void)
    {
        struct stat stbuf;
        char inbuf[100];

        gets(&inbuf);
        stat(inbuf, &stbuf);
        return(stbuf.st_mode & 0777);
    }

  5. (30 points) Give (10+10 points) pre- and post-conditions for the routine shown here.  (10 points) Comment, on each line of the code, regarding how you can make it more robust.
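For comparison, the following hardened counterpart of the routine in question 4 is an added illustration, not part of the exam or its answer key; the names protection_mode_safe, mode_of_line and OVERLONG_NAME are not from the exam. It bounds the read, rejects over-long and empty names, and reports stat() failures instead of returning an uninitialised mode.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hardened counterpart of the exam's protectionMode(): reads one line from
 * `in`, treats it as a file name and stores the permission bits in *mode.
 * Returns 0 on success and -1 on any failure, so an error is never confused
 * with a valid mode (the original returned the uninitialised stbuf.st_mode
 * whenever stat() failed). */
int protection_mode_safe(FILE *in, unsigned *mode)
{
    struct stat stbuf;
    char inbuf[100];
    size_t len;

    if (in == NULL || mode == NULL)
        return -1;
    /* fgets() writes at most sizeof inbuf bytes; gets() had no bound at all. */
    if (fgets(inbuf, sizeof inbuf, in) == NULL)
        return -1;                   /* EOF or read error */
    len = strlen(inbuf);
    if (len > 0 && inbuf[len - 1] == '\n')
        inbuf[--len] = '\0';         /* drop the trailing newline */
    else if (len == sizeof inbuf - 1)
        return -1;                   /* line too long: refuse to stat() a truncated name */
    if (len == 0)
        return -1;                   /* empty name */
    if (stat(inbuf, &stbuf) != 0)    /* check the result the original ignored */
        return -1;
    *mode = (unsigned)(stbuf.st_mode & 0777);
    return 0;
}

/* Test helper: feed one constructed input line through fmemopen() and
 * return the mode (0..0777) or -1. */
int mode_of_line(const char *line)
{
    unsigned mode = 0;
    FILE *f = fmemopen((void *)line, strlen(line), "r");
    int rc = (f == NULL) ? -1 : protection_mode_safe(f, &mode);
    if (f != NULL)
        fclose(f);
    return rc == 0 ? (int)mode : -1;
}

/* Constructed 120-byte name, longer than inbuf, to exercise the length check. */
const char OVERLONG_NAME[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
                            "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
```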

  6. (10 points) You discover a security flaw in the operating system on your company's computer. The flaw enables any user to read any other user's files, regardless of their protection. You have several choices: (a) you can keep quiet and hope no-one else discovers the flaw, or (b) tell the company, or (c) tell the system vendor, or (d) announce it on the Internet.  In each of the following scenarios, describe which of the above courses of action you would take, and why.

    1. Suppose an exploitation of the vulnerability could be prevented by proper system configuration.
    2. Suppose an exploitation of the vulnerability could be detected (but not prevented) by system administrators.
    3. Suppose no exploitation of the vulnerability can be detected or prevented.
 
07/06/00
pmateti@cs.wright.edu