Information Security Fall 2002 Qualifier Exam

ANSWER ANY SIX QUESTIONS FROM THE FOLLOWING EIGHT QUESTIONS

1. There has been much discussion about inappropriate content on the Internet and how it should not be possible for certain groups of users to access such content. The Platform for Internet Content Selection (PICS) initiative has attempted to address this problem by proposing labels that could be associated with content. Such labels can then be used to filter out content that is deemed inappropriate for certain users. The concept of labels that can be attached to users and information objects has been explored in the secure computer systems literature. These include labels such as secret and classified in multi-level security and ownership/access related labels in information flow systems. In the latter, a label may contain the owner of an object and the set of subjects that are allowed to read the document.

2. In the Internet and PICS context, it is expected that publishers of content will attach labels to documents that they create. If the content of a document depends on the contents of other documents, its label should reflect their labels. Describe what kind of labels may be appropriate in this environment and how such labels will be associated with documents. Clearly, such labels must be securely bound to the documents, and a trusted component must use them to determine whether access to a document should be allowed or denied. Discuss a trusted computing base that will be needed to enforce access to documents based on their labels. Do you think such a trusted base is feasible in the context of the Internet?

3. In current monolithic operating systems (OS), the entire OS runs in kernel or system mode and hence a bug or an error in one module of the system can propagate to any other part of the operating system. Systems like Multics tried to avoid such problems by executing different modules in different rings such that protection across rings is enforced by the underlying hardware. Recently, there has been much interest in extensible operating systems, which permit applications to download extensions into the kernel. Clearly, the kernel and other extensions must be protected from errors that may be present in one extension. Several approaches have been explored to protect kernel resources from untrusted extensions. Briefly discuss these approaches and discuss which one(s) is (are) the most promising. One such approach makes use of segment/page protection bits to isolate extensions from the kernel. Compare this approach with Multics rings.

4. A certain secure distributed file system controls access to files using capabilities. A user must authenticate himself/herself to the system and must obtain a set of capabilities that are presented to the file system. These capabilities must contain any access rights that the user possesses for the files named in the capabilities. Furthermore, capability lifetime must be limited to minimize chances of unauthorized access. Clearly, capabilities must be unforgeable and it should be possible to revoke them when a user should no longer have access to a certain file.

Describe a distributed security architecture that can be used to implement such a capability-based secure file system. Describe the various services, their APIs, and the protocols they use to securely communicate and access file data.

5. Assume an Internet Voting protocol in which:

a) Each voter uses a smart card for casting their vote.

b) Before every election the voter goes to a registration place, where a symmetric key is loaded secretly (confidentiality and integrity are protected) to the voter's smart card.

c) A different symmetric key is used for each election. This means that the same key will be loaded to every smart card that is registering for the same election.

d) A voter casts his vote using the Internet and SSL. The vote is encrypted by the smart card using DES in CBC mode. The protocol uses a random number at the beginning of the vote to make each encrypted vote different.

e) The vote is sent to a collection agency, which hashes the voter ID, given by a user's input to the Internet application, with the hash of the encrypted vote and returns this signed value to the voter as a proof of vote.

f) The collection agency forwards the votes (without any voter identification) to a central authority, which has the symmetric key for that election. The central authority decrypts the vote, counts it, and publishes the hash of the encrypted vote.

g) The published hashes can be used to prove a vote has been counted (and has been counted only once), and that a voter has voted. For this purpose, a system can look at all hashes and a specific user ID to find a match with the user's receipt of vote.

Analyze the strengths and weaknesses of this protocol and suggest improvements that may make it stronger or more efficient.
 
6. Discuss the use of biometrics. In particular, give specific examples of when they are useful, when they do not add anything, and when they cannot be used for securing a system. Can biometrics be combined with tamper-resistant devices to provide secure protocols? Design a protocol that uses biometrics. Describe the contribution of biometrics to your protocol, including how necessary biometrics is (could you do it in a different way that does not use biometrics?). Discuss strengths and weaknesses of your protocol.

7. There are several ways to deploy IDSs for enterprise networks. For example, one is to run a centralized IDS at the network gateway, and another is to run a separate IDS on each end-host. Discuss the pros and cons of these deployment strategies. How would you design your own deployment scheme?

8. It has been shown that system call data can be used to model a program's behavior and detect some anomalies (see paper #17 in http://www.cc.gatech.edu/~wenke/ids-readings.html).

Explain why this approach can detect these anomalies. Can you think of ways to evade this detection approach (i.e., can you design attacks that exploit a program but will not be detected by this approach)?

9. In many applications, organizations need to quickly disseminate new data to a large number of employees. Such data may be produced at unpredictable intervals and may have confidentiality requirements. The employees may only be accessible via the wider Internet. Furthermore, new employees may join the organization and existing ones may leave the organization (or worse, be fired). Discuss how a cryptographic protocol can be designed to securely transmit the updates that need to be sent to the employees. If you make any assumptions, state them clearly.