

Homework 3

IS511: Information Security, Spring 2019

May 25, 2019

• Due: May 14, 11:59 PM

• Corresponding TA: Seongil Wi

• You should submit a single PDF file through KLMS.

• Please type your answer in English.

• Write in detail. Feel free to ask questions if the problems are not clear.

1 Secure Coding (5 pts.)

Based on your understanding of the secure coding material covered in class, find a vulnerability in source code published on github.com. There is no restriction on the target program (it need not be well known) and no restriction on the programming language used (although using C/C++, as covered in class, is preferable). Find a vulnerability and submit an explanation of it together with the code. Specify the URL of the code used in your submission.

Hint 1 The fewer stars a repository has, the easier it may be to find a vulnerability.

Hint 2 Code written in C/C++ is more likely to contain many vulnerabilities.

Hint 3 Using a publicly available static analyzer such as Lint can help you find vulnerabilities faster.

Solution: It depends on you.

Grading Criteria:

• The explanation of the vulnerability is not valid (-2)

• The URL of the code is not specified (-2)

Problem 1.1

A Unix process may call another process without fully trusting it. In this situation, the caller may want the called process to have access only to the objects that the caller explicitly passes to it, and not to arbitrary files owned by the caller. One possible solution is to create a restricted user ID and execute the called process under this restricted UID.

(a) Every Unix process has a Real UID (RUID) and an Effective UID (EUID). What is the difference between the RUID and the EUID? How is each one used by the OS? (1 pt.)


(b) In some flavors of UNIX, any process can use setuid() to set its EUID to its RUID. Are there any security implications for the situation above, where one process calls another under a restricted UID? Assume that either the caller or the callee may be malicious. (1 pt.)

Solution & Grading Criteria:

(a) • The RUID is the same as the user ID of the parent (unless changed) (+0.25). It is used to determine which user started the process (+0.25).

• The EUID is determined from the set-user-ID bit on the file being executed, or by a system call (+0.25). It determines the permissions of the process (+0.25).

(b) It depends on you. One possible answer is that a malicious callee can take control of the caller's files by changing its EUID back to its RUID.
</gre_replace>
<gr_insert after="73" cat="add_content" lang="c" orig="(b) It depends">
The answer to (b) turns on which of the three UIDs actually changed when the caller switched identity. As an added illustration (not part of the homework; it assumes Linux/glibc for setresuid/getresuid), the following C program contrasts a temporary EUID change with a permanent drop of all three UIDs and includes the check a caller should run before handing control to an untrusted callee:

```c
#define _GNU_SOURCE               /* setresuid/getresuid: Linux/glibc (assumption) */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Weak drop: only the effective UID moves.  The real and saved UIDs keep
 * the caller's identity, so a callee that calls seteuid(getuid()), the
 * "set EUID to RUID" of Problem 1.1(b), gets the caller's access back. */
static int drop_temporarily(uid_t restricted) {
    return seteuid(restricted);
}

/* Permanent drop: real, effective and saved UIDs all become the restricted
 * UID, so no privileged identity is left for the callee to return to. */
static int drop_permanently(uid_t restricted) {
    return setresuid(restricted, restricted, restricted);
}

/* Check a caller should run before exec'ing the untrusted callee:
 * all three UIDs must equal the restricted one. */
static int fully_dropped(uid_t restricted) {
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0) return 0;
    return r == restricted && e == restricted && s == restricted;
}

/* 1 if this process can still switch its EUID to `uid`, i.e. the identity
 * is still reachable; this is exactly what the malicious callee in (b) tries. */
static int can_regain(uid_t uid) {
    uid_t before = geteuid();
    if (seteuid(uid) != 0) return 0;
    (void)seteuid(before);        /* switch back for the demo; failure irrelevant */
    return 1;
}

int main(void) {
    uid_t me = getuid();
    /* Started as root this would use a real restricted account (e.g. nobody)
     * and then test can_regain(0); unprivileged, only our own UID is
     * available, so both drops succeed but the checks still run. */
    if (drop_temporarily(me) == 0)
        printf("after seteuid: euid=%u, can regain %u: %d\n",
               (unsigned)geteuid(), (unsigned)me, can_regain(me));
    if (drop_permanently(me) == 0)
        printf("after setresuid: fully dropped to %u: %d\n",
               (unsigned)me, fully_dropped(me));
    return 0;
}
```
<test>
assert(drop_temporarily(getuid()) == 0);
assert(drop_permanently(getuid()) == 0);
assert(fully_dropped(getuid()) == 1);
assert(can_regain(getuid()) == 1);
</test>
</gr_insert>
<gr_replace lines="77" cat="clarify" orig="Describe what">
Describe what the “confused deputy” problem is (give an example and explain why it happens). Discuss how to solve the problem by giving an example. (2 pts.)

Problem 1.2

Describe what is the “confused deputy” problem (Give an example and explain why it happens).Discuss how to solve the problem by give an example. (2 pts.)

Solution: The confused deputy problem is a specific type of privilege escalation. A more privileged program (e.g. a compiler service) is deceived by a less privileged program or user (e.g. Alice) into misusing its capability on the system (e.g. reading or writing an arbitrary file owned by the compiler service). We can solve this problem by introducing capabilities. By specifying and passing Alice's capabilities, the system can easily maintain the association between authority and intended purpose. Since Alice lacks a capability for the file owned by the compiler service, she cannot read or write that file.

Grading Criteria:

• Explanation of the confused deputy problem (+0.5)

• Example of the confused deputy problem (+0.5)

• Explanation of the solution (+0.5)

• Example of the solution (+0.5)


Problem 1.3

• Consider the following lattice of security labels (the higher the label, the more confidential the information):

            TopSecret
           /         \
    Classified       Secret
           \         /
             Public

• Consider the following pseudocode:

  – Variables

    ∗ Public: w

    ∗ Classified: x

    ∗ Secret: y

    ∗ TopSecret: z

  – Code

        p = w - x
        if (y != 0) then
            q = 1
            if (p == 0) then
                r = 0
            endif
        else
            s = 1
        endif

        t = z - z

For each of the variables p, q, r, s, t, write the “minimal” security label that it can be given so that the above code is secure according to the Bell-LaPadula Model. (2 pts.)

Solution & Grading Criteria:

• p: Classified (+0.4). Variable p reads both w (Public) and x (Classified).

• q: Secret (+0.4). Variable q depends on y (Secret) through the branch condition.

• r: TopSecret (+0.4). Variable r depends on both y (Secret) and p (Classified).

• s: Secret (+0.4). Variable s depends on y (Secret) through the branch condition.

• t: TopSecret (+0.4). Variable t reads z (TopSecret).


Problem 1.4

Integrity is an important element of an information flow policy. Suppose there are two levels of integrity: t for trusted and u for untrusted. Intuitively, untrusted data should not be allowed to corrupt trusted data. That is, data from untrusted variables should not be allowed to flow to trusted variables.

Examine the following four statements, which have integrity labels as subscripts on variables. Explain which statements are secure, which are insecure, and why. (2 pts.)

(a) X_t = Y_t + Z_u

(b) V_u = Y_t + Z_u

(c) if T_t then Y_t = X_t else V_u = Z_u

(d) if V_u then Y_t = X_t else V_u = Z_u

Solution & Grading Criteria: Because untrusted data (u) should not be allowed to corrupt trusted data (t), the two labels should satisfy t ⊑ u.

(a) Insecure (+0.5): L(Y_t, Z_u) ⋢ L(X_t)

(b) Secure (+0.5): L(Y_t, Z_u) ⊑ L(V_u)

(c) Secure (+0.5): L(X_t, T_t) ⊑ L(Y_t) ∧ L(Z_u, T_t) ⊑ L(V_u)

(d) Insecure (+0.5): L(X_t, V_u) ⋢ L(Y_t)
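As an added worked example (not part of the homework), the following C code encodes the lattices of Problems 1.3 and 1.4 as bitmasks so that join is bitwise OR and ⊑ is "subset of bits", then recomputes the Problem 1.3 labels and the Problem 1.4 verdicts by joining each assignment's operands with the label of the enclosing branch conditions (the program-counter label pc); the names and the bit encoding are this example's own choices:

```c
#include <stddef.h>
typedef unsigned Label;
/* Problem 1.3 lattice: Classified and Secret are incomparable, so each gets
 * its own bit; TopSecret has both bits, Public has none. */
enum { PUBLIC = 0, CLASSIFIED = 1, SECRET = 2, TOPSECRET = 3 };
/* Problem 1.4 integrity lattice: trusted (t) is below untrusted (u). */
enum { TRUSTED = 0, UNTRUSTED = 1 };

static Label join(Label a, Label b) { return a | b; }       /* least upper bound */
static int leq(Label a, Label b) { return (a & b) == a; }   /* a may flow to b */
/* Minimal label of an assignment: the program-counter label pc (join of the
 * enclosing branch conditions) joined with every operand that is read. */
static Label assign_label(Label pc, const Label *ops, int n) {
    Label l = pc;
    for (int i = 0; i < n; i++) l = join(l, ops[i]);
    return l;
}

struct Labels13 { Label p, q, r, s, t; };
/* Problem 1.3 with w Public, x Classified, y Secret, z TopSecret. */
static struct Labels13 problem13(void) {
    const Label w = PUBLIC, x = CLASSIFIED, y = SECRET, z = TOPSECRET;
    const Label wx[] = { w, x }, zz[] = { z, z };
    struct Labels13 L;
    L.p = assign_label(PUBLIC, wx, 2);           /* p = w - x, at top level */
    Label pc = join(PUBLIC, y);                  /* inside "if (y != 0)" */
    L.q = assign_label(pc, NULL, 0);             /* q = 1: constant, implicit flow from y */
    L.r = assign_label(join(pc, L.p), NULL, 0);  /* nested "if (p == 0)" adds p's label */
    L.s = assign_label(pc, NULL, 0);             /* s = 1 in the else branch of the y test */
    L.t = assign_label(PUBLIC, zz, 2);           /* t = z - z is always 0, still labelled by z */
    return L;
}

/* Problem 1.4: a statement is secure iff what is written (pc joined with the
 * operands) is below the label of the variable being written. */
static int flow_ok(Label pc, const Label *ops, int n, Label target) {
    return leq(assign_label(pc, ops, n), target);
}
/* 1 = secure, 0 = insecure, for statements (a)-(d) of Problem 1.4. */
static int problem14(char stmt) {
    const Label t = TRUSTED, u = UNTRUSTED;
    const Label tu[] = { t, u }, tt[] = { t }, uu[] = { u };
    switch (stmt) {
    case 'a': return flow_ok(t, tu, 2, t);                         /* X_t = Y_t + Z_u */
    case 'b': return flow_ok(t, tu, 2, u);                         /* V_u = Y_t + Z_u */
    case 'c': return flow_ok(t, tt, 1, t) && flow_ok(t, uu, 1, u); /* if T_t: pc = t */
    case 'd': return flow_ok(u, tt, 1, t) && flow_ok(u, uu, 1, u); /* if V_u: pc = u */
    default:  return 0;
    }
}
```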
