UNIVERSITY OF LONDON BSc EXAMINATION 2019 For Internal Students of Royal Holloway DO NOT TURN OVER UNTIL TOLD TO BEGIN IY2840: Computer and Network Security IY2840R: Computer and Network Security – PAPER FOR RESIT CANDIDATES Time Allowed: TWO hours Answer ALL questions Calculators are NOT permitted c©Royal Holloway, University of London 2019 Page 1 of 5 2018/19 IY2840/IY2840R 1. MECHANISMS FOR ACCESS CONTROL (a) Anderson proposed the concept of a Reference Monitor in 1972. i. Describe what is meant by the concept of a Reference Monitor. [6 marks] ii. List three properties that a Reference Monitor must have. [3 marks] iii. For each of the three properties above, explain why the Reference Mon- itor would not work if it did not have this property. [6 marks] (b) In the MULTICS hardware security architecture, the Reference Monitor was implemented by means of a protection ring architecture. What is a protection ring architecture and how does it provide access control? [6 marks] (c) Call gates allow controlled access between protection rings. In the following diagram, arrows 1 and 2 illustrate attempts by a piece of code to access a piece of data, and arrows 3 and 4 illustrate attempts to transfer control via a call gate. Ring 0 Ring 1 Ring 2 Ring 3 D DATA C CODE G CALL GATE C D 2 C D 1 C G C 4 4 C G C 33 Which of the four attempts to access data or transfer control are allowed? Which ones are not allowed? (No explanation necessary.) [4 marks] 2. HARDWARE ACCESS CONTROL The Intel 80386 architecture implements concepts from the MULTICS protection ring architecture. Page 2 of 5 NEXT PAGE IY2840/IY2840R (a) This question is on the technical realization of protection rings on the 80386. Describe details specific to the 80386 (that is, details that could be different for other CPUs) that are related to protection rings. You can base your description on the following topics (other topics are also possible): How and where are ring numbers encoded? Which technical component makes the access control decision? Which operation is required to make such a decision? How is the controlled invocation mechanism im- plemented? [8 marks] (b) Many modern CPUs offer four protection rings, but most current operating systems, including Windows and Linux, only use two. Why do you think this is the case? [4 marks] 3. UNIX ACCESS CONTROL Assume Alice, Bob, and Charlie have accounts on the same UNIX system. Their usernames are alice, bob and charlie, respectively. • Alice is a member of groups staff and cdrom. • Alice is not a member of group admin. • Charlie is a member of group admin. • Charlie is not a member of groups staff and cdrom. Assume a directory on the system that contains six files (file1–file6) with file mode and ownership displayed as follows: $ stat –format=”%a %A %U/%G %n” file[1-6] 0466 -r–rw-rw- alice/staff file1 0442 -r–r—w- root/cdrom file2 0777 -rwxrwxrwx root/admin file3 0044 —-r–r– alice/staff file4 0424 -r—w-r– root/cdrom file5 0204 –w—-r– root/admin file6 Here, the left-most column (%a) lists the file mode in octal, the second column (%A) lists the file mode in ASCII, the third column (%U/%G) shows the user identifier and the group identifier of the file owner in combined form (in UID/GID format), and the right-most column shows the name of the file. (a) List all files that . . . Page 3 of 5 NEXT PAGE IY2840/IY2840R i. user alice can open for writing. [2 marks] ii. user alice can open for reading. [2 marks] iii. user root (with UID = 0) can open for reading. [2 marks] iv. user charlie can open for writing. [2 marks] (b) Which of the six files has the set-user-id (SUID) bit set? [2 marks] (c) The directory in which the six files reside has the sticky bit set. More pre- cisely, the file mode is as follows: $ stat –format=”%a %A %U/%G %n” . 1777 drwxrwxrwt root/root . Which two users can delete file1? [2 marks] 4. SOFTWARE SECURITY and SHELLCODE The following assembly listing shows a shellcode that is functional for Linux on the Intel 80386. It is similar to the ones that were considered in the IY2840 lectures and labs. 1 jmp ahead 2 3 back: 4 popl %ebx 5 movl $0x0, %eax 6 movl %ebx, 0x8(%ebx) 7 leal 0x8(%ebx), %ecx 8 movb %al, 0x7(%ebx) 9 movl %eax, %edx 10 movl %eax, 0xc(%ebx) 11 movb $0xb, %al 12 int $0x80 13 14 ahead: 15 call back 16 .string “/bin/sh” (a) If a shellcode is executed by the CPU (starting with the instruction in line 1), what do you expect to happen? [2 marks] Page 4 of 5 NEXT PAGE IY2840/IY2840R (b) What is the number of the execve system call in Linux? You can answer in decimal or hexadecimal, but please indicate which one you use. [2 marks] (c) What is the effect of line 8? (That is, what is its function in the shellcode?) [2 marks] (d) What purpose do the call (line 15) and pop (line 4) instructions serve? (That is, what is their function in the shellcode?) [4 marks] (e) The shellcode would stop working if line 1 was replaced by call back (that is, a call to line 3). However it could be repaired by inserting an additional instruction between lines 4 and 5. Which instruction would that be, and which registers would it affect? (No need to be precise with the quantities, and no need to avoid null bytes in the opcodes.) [4 marks] (f) A shellcode can be augmented by a so-called NOP sled. Explain the NOP sled concept. Explain in particular: What does it consist of, where is it placed in relation to the shellcode, what is its purpose, and how large would it opti- mally be. [5 marks] 5. OPERATING SYSTEM SECURITY In a UNIX environment, applications might be vulnerable to one or more of the following attacks: (1) attack via environment variable, (2) attack via symlink, (3) at- tack by exploiting a race condition (‘TOCTOU’), (4) attack by command injection. Pick one of the four attacks (indicate which one) and give a concrete example for how it could be conducted. Likely your attack applies only in specific cases or as- sumes specific programming errors; say which conditions these are. Which prop- erty of the UNIX environment is relevant and exploited? Also mention what the outcome of the attack is: What did the attacker gain from conducting it? [14 marks] 6. WEB SECURITY Cross-Site Scripting (XSS) is a widespread problem affecting a number of web services. (a) State the main vulnerability that leads to XSS attacks. [2 marks] (b) Briefly describe the general principle of XSS attacks. Which security policy is both evaded and exploited in such attacks. [8 marks] (c) Describe the difference between a Stored XSS attack and a Reflected XSS attack. [8 marks] END Page 5 of 5 BP
