CEG 429/629: Internet Security

Mid Term Exam // Spring 2009 // 100 points max // 75 minutes
Fine Print:  This is a closed notes exam.  Do not give or take help during the exam.
  1. (5*5 points) The following statements may or may not be (fully or partially) valid.  Explain the underlined technical term occurring in each statement.  Explain, discuss, or dispute the statement.  It is possible to write no more than, say, ten sentences each and yet receive full score.
    1. It is possible to set up a Linux/Unix system without a single suid program.
    2. A rootkit is a collection of short programs used by super-users to repair the damage done by an intruder.
    3. In a TCP segment with SYN=1, the SEQ number must be non-zero.
    4. An IP filtering package has no effect if run on a normal host with a single network card.
    5. It is possible to determine the local gateway of an unknown network via passive sniffing.
  2. (3*15 points)
    1. Suppose that an attacker has acquired privileges to read/write/execute any file on a Unix system.  Suppose his/her goal is to obtain one hundred userid-password combinations, and then restore whatever changes he/she may have made to their originals so that this activity has a greater chance of going unnoticed.  Describe what files are changed, where, and how.
    2. Describe, in detail, the techniques used in hijack.
    3. Consider the following ten significant events that occur, perhaps not in the order listed here, in the rebooting of a Linux/Unix machine from currently running (power on, duh) to login prompt.  E1: Root volume is mounted by the kernel; E2: Process init is created; E3: inetd daemon is started; E4: OS boot loader invokes the kernel; E5: getty processes are started; E6: The run level changes from 3 to 5; E7: BIOS finds the boot device; E8: The run level changes to 0; E9: All file volumes are unmounted; E10: Networking is shut down.  Explain steps E1 and E2 further (5 points), and describe how security may have been breached (10 points) in these two steps.

  3. (3*10 points)  The context of this question is the paper by Aleph One. 
    bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
    memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
               buffer                sfp   ret   a     b     c
    <------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
               ^|^             ^|            |
               |||_____________||____________| (1)
           (2)  ||_____________||
                 |______________| (3)
    top of                                                          bottom of
    stack                                                               stack
    1. Explain fully the arrow labeled (2).
    2. How does exploit3.c from the paper by Aleph One differ from exploit4.c?
    3. Describe an alternate but equivalent version of get_sp() without using any assembly code.
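    Added example (not part of the exam or of Aleph One's paper): the C program below puts the layout drawn above and the exploit3.c/exploit4.c difference into checkable code, and gives a get_sp() that uses no assembly (the address of a local variable, which lies in the current frame just below sfp and ret).  It assumes a downward-growing, little-endian x86-style stack and a GCC/Clang compiler (for the noinline attribute); the "shellcode" is a constructed marker string and the return-address guess is a constructed value, so nothing here executes a payload.  The build_exploit3/build_exploit4 functions mirror only the buffer arrangement of the paper's programs, not their environment or shell handling.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NOP    0x90
#define MAX_SZ 4096

/* Constructed marker standing in for shellcode: only the layout matters here. */
static const unsigned char kShellcode[] = "SHELLCODE-MARKER";
#define SC_LEN (sizeof(kShellcode) - 1)

/* get_sp() without assembly: a local's address is inside the current frame,
 * just below sfp and ret. Not %esp to the byte, but a NOP sled only needs a
 * nearby guess. (noinline/volatile keep the compiler from optimising it away.) */
__attribute__((noinline)) uintptr_t get_sp_no_asm(void) {
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

/* 1 when the callee's frame lies below the caller's: the stack grows toward
 * lower addresses, so an overflow of buffer runs up through sfp into ret. */
int stack_grows_down(void) {
    volatile char here = 0;
    return get_sp_no_asm() < (uintptr_t)&here;
}

/* Every 4-byte slot gets the guessed return address, in host byte order
 * (little-endian on x86), exactly as the paper's store through a long* does. */
static void fill_with_ret(unsigned char *buf, size_t n, uint32_t ret) {
    for (size_t i = 0; i + 4 <= n; i += 4)
        memcpy(buf + i, &ret, 4);
}

/* exploit3.c: one string carries everything:
 *   [NOP sled, first half][shellcode, centred][ret ret ret ... to the end]
 * Whichever slot lands on the saved return address now points into the sled. */
size_t build_exploit3(unsigned char *buf, size_t bsize, uint32_t ret) {
    if (bsize > MAX_SZ || bsize < SC_LEN + 8) return 0;
    fill_with_ret(buf, bsize, ret);
    memset(buf, NOP, bsize / 2);
    memcpy(buf + bsize / 2 - SC_LEN / 2, kShellcode, SC_LEN);
    buf[bsize - 1] = '\0';          /* the victim's strcpy() stops here */
    return bsize;
}

/* exploit4.c: two strings, both passed through the environment:
 *   EGG = [NOP sled .........][shellcode]     RET = [ret ret ret ...]
 * Only RET overflows the victim, so the sled can be far longer than the
 * victim's buffer and the address guess far coarser. Returns the sled length. */
size_t build_exploit4(unsigned char *egg, size_t eggsize,
                      unsigned char *buf, size_t bsize, uint32_t ret) {
    if (eggsize > MAX_SZ || bsize > MAX_SZ || eggsize < SC_LEN + 2 || bsize < 8)
        return 0;
    size_t sled = eggsize - SC_LEN - 1;
    memset(egg, NOP, sled);
    memcpy(egg + sled, kShellcode, SC_LEN);
    egg[eggsize - 1] = '\0';
    fill_with_ret(buf, bsize, ret);
    buf[bsize - 1] = '\0';
    return sled;
}

static size_t leading_nops(const unsigned char *p, size_t n) {
    size_t i = 0;
    while (i < n && p[i] == NOP) i++;
    return i;
}

/* Build an exploit3 buffer and confirm it has the layout drawn above. */
int exploit3_layout_ok(size_t bsize, uint32_t ret) {
    unsigned char buf[MAX_SZ];
    uint32_t slot;
    size_t sc_at = bsize / 2 - SC_LEN / 2;
    size_t next = (sc_at + SC_LEN + 3) & ~(size_t)3;   /* first slot after it */
    if (build_exploit3(buf, bsize, ret) != bsize) return 0;
    if (leading_nops(buf, bsize) != sc_at) return 0;
    if (memcmp(buf + sc_at, kShellcode, SC_LEN) != 0) return 0;
    memcpy(&slot, buf + next, 4);
    return slot == ret && buf[bsize - 1] == '\0';
}

/* Build exploit4's EGG and RET strings and confirm their layout. */
int exploit4_layout_ok(size_t eggsize, size_t bsize, uint32_t ret) {
    unsigned char egg[MAX_SZ], buf[MAX_SZ];
    uint32_t slot;
    size_t sled = build_exploit4(egg, eggsize, buf, bsize, ret);
    if (sled == 0 || leading_nops(egg, eggsize) != sled) return 0;
    if (memcmp(egg + sled, kShellcode, SC_LEN) != 0) return 0;
    memcpy(&slot, buf, 4);
    return slot == ret && egg[eggsize - 1] == '\0' && buf[bsize - 1] == '\0';
}

int main(void) {
    uint32_t guess = 0xbffff8d4u;   /* constructed stand-in for get_sp() - offset */
    printf("stack grows down: %d\n", stack_grows_down());
    printf("exploit3 layout ok: %d\n", exploit3_layout_ok(512, guess));
    printf("exploit4 layout ok: %d\n", exploit4_layout_ok(2048, 512, guess));
    return 0;
}
```

    The point for question 3.3 is that get_sp_no_asm() returns an address inside its own frame rather than %esp itself; since exploit3.c and exploit4.c only need a guess that lands somewhere in the NOP sled, that error of a few bytes is absorbed by the sled, and the offset argument adjusts the guess exactly as it does in the paper.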
  Copyright © 2009 Prabhaker Mateti; May 06, 2009