CEG 429/629: Internet Security

Final Exam // Spring 2008 // 120 minutes // 100 points
This is a closed book, closed notes exam.  Do not give or take help during the exam.
  1. (6*5 points each) The following statements may or may not be (fully or partially) valid.  First, explain the term underlined in the statement.  Then explain, discuss, or dispute the statement.  It is possible to write no more than, say, ten sentences each and still receive full score.
    1.  An IP filtering package must be run on a router.  It has no effect if run on a normal host with a single network card.
    2. Hackers, as distinct from attackers, do have ethics.
    3. TCP sequence numbers start out with a random number, and are incremented randomly so that they are unpredictable.
    4. WEP of 802.11 uses SSID as the shared key.
    5. A rootkit is a collection of short programs used by super-users to repair the damage done by an intruder.
    6. For something to be called a virus, it must embed in such a way that it is executed only intermittently.
  2. (20 points) Describe, in detail, the techniques used in a TCP hijack.  Give technical details, with real or cooked-up but realistic numbers, for the fields of the relevant TCP segments.
  3. (40 points)
    1. (10 points) Describe how stack top randomization makes buffer overflow exploits difficult.
    2. (10 points) AlephOne describes the eggshell program as "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n".  What are <alignment> and <eggsize>, and why do we need them?
    3. (10 points) Describe the Principles of Robust Programming of Matt Bishop's article.
    4. (2*5 points) Consider the routine shown below.  It reads a file name from the standard input and returns its protection mode.
      #include <stdio.h>       /* gets() */
      #include <sys/stat.h>    /* stat(), struct stat */

      short int protectionMode(void)
      {
          struct stat stbuf;
          char inbuf[100];
          gets(inbuf);                  /* reads a line with no length limit */
          stat(inbuf, &stbuf);          /* return value is not checked */
          return stbuf.st_mode & 0777;
      }
      1. Describe how to exploit its features.
      2. Write its pre- and post-conditions.
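
      As an added example (not part of the exam), here is a hardened rewrite of the routine above for the defensive side of question 3.4: the name is read with a fixed bound and overlong lines are rejected rather than truncated, stat's result is checked, and the pre- and post-conditions are written out as comments and enforced through the return values. The two demo_ helpers and the /tmp scratch-file template are assumptions introduced only to exercise the functions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Pre: out has room for cap >= 2 bytes.  Post: returns 1 with the NUL-terminated name
 * (newline removed) in out; returns 0 on EOF, an empty line, or a line longer than
 * cap-1 bytes, which is drained and rejected rather than silently truncated. */
int read_file_name(FILE *in, char *out, size_t cap)
{
    if (fgets(out, (int)cap, in) == NULL) return 0;
    size_t n = strlen(out);
    if (n + 1 == cap && out[n - 1] != '\n') {          /* buffer full, no newline seen */
        for (int c = fgetc(in); c != EOF && c != '\n'; c = fgetc(in)) {}  /* discard */
        return 0;
    }
    if (n > 0 && out[n - 1] == '\n') out[--n] = '\0';
    return n > 0;
}
/* Pre: path is a NUL-terminated string.  Post: returns 0 and stores the permission
 * bits (0..0777) in *mode, or returns -1 (errno set by stat) and leaves *mode alone. */
int protection_mode(const char *path, int *mode)
{
    struct stat stbuf;
    if (stat(path, &stbuf) != 0) return -1;
    *mode = (int)(stbuf.st_mode & 0777);
    return 0;
}
/* Demo helper (assumption): deliver 'input' through a temporary stream, as stdin would. */
int demo_read(const char *input, char *out, size_t cap)
{
    FILE *f = tmpfile();
    if (f == NULL) return -1;
    fputs(input, f); rewind(f);
    int ok = read_file_name(f, out, cap);
    fclose(f);
    return ok;
}
/* Demo helper (assumption): create a scratch file with mode 0640, query it, delete it. */
int demo_mode_of_fresh_file(void)
{
    char path[] = "/tmp/ceg429XXXXXX";  /* constructed template; mkstemp fills the Xs */
    int fd = mkstemp(path), mode = -1;
    if (fd < 0) return -1;
    if (fchmod(fd, 0640) == 0) protection_mode(path, &mode);
    close(fd); unlink(path);
    return mode;
}
```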

  4. (10 points)  It is well-known that a large percentage of systems remain vulnerable long after security patches have been issued because the patches have not been applied.  Mr. Means Well, a security expert, got tired of this situation, and wrote a worm-like system, MWP, that applies patches without engaging in a dialog with the sysadmin.  The MWP examines the system that it is currently on, fetches all relevant patches from reputable web sites, verifies their digital signatures, applies them to the current system, and mails a detailed log of what files were modified to the sysadmin.  It then spreads to other systems.  What are the ethical issues raised by MWP?  Would you support it?  Or would you take precautions to thwart it?  Discuss.
Copyright © 2008 pmateti@wright.edu June 12, 2008