CS513 Homework 4

General Instructions.You are expected to work alone on this assignment.

Due Dec. 2 at 11:59pm. Assignments may be submitted via CMS. See class information for policies on grading and late assignments.

To facilitate grading, format your solutions as follows.

Solutions that do not satisfy the formatting guidelines may be returned ungraded.

Problem 1

(a) Somebody (XYZ) proposes the following defense against buffer overflow exploits. All code pages, including system library routines, should be mapped to low memory address (e.g. from 00000000 to 000FFFFF on X86 machines), and the rest of the pages should be marked as non-executable. Would this technique prevent buffer overflow exploits? What about return-to-libc exploits? Explain.

(b) Program Shepherding is a method for monitoring control flow transfer during program execution to enforce a security policy. The idea is that instead of focusing on preventing memory corruption; it prevents the final step of an attack, the transfer of control to malevolent code. Program shepherding prevents execution of data or modified code and ensures that libraries are entered only through exported entry points (for details, check out http://www.usenix.org/events/sec02/full_papers/kiriansky/kiriansky_html/index.html). Would program shepherding prevent return-to-libc exploits?

(c) Consider the following simple C function:

void do_authentication() {
int authenticated = 0;
char userid[64];
char passwd[64];
while (!authenticated) {
     printf("login as: ");
     printf("password: ");
     if (check_password(userid, passwd)) {
         authenticated = 1;
     } /* Authentication succeeds, continue… */

Describe a possible attack to the above function. Would program shepherding prevent this type of attack? Explain.

Problem 2

(a) Given the security levels TOPSECRET, SECRET, CONFIDENTIAL, and UNCLASSIFIED (ordered from highest to lowest), and the categories A, B, and C, say what type of access (read, write, or both) is allowed according to the Bell-La Padula model in the following situations. Assume discretionary access controls allow anyone access unless otherwise specified.

  1. Paul, cleared for (TOPSECRET, { A, C }), wants to access a document classified (SECRET, { C }).

  2. Anna, cleared for (CONFIDENTIAL, { C }), wants to access a document classified (CONFIDENTIAL, { B }).

  3. Jesse, cleared for (SECRET, { C }), wants to access a document classified (CONFIDENTIAL, { C }).

  4. Sammi, cleared for (TOPSECRET, { A, C }), wants to access a document classified (CONFIDENTIAL, { A }).

  5. Robin, who has no clearances (and so works at the UNCLASSIFIED level), wants to access a document classified (CONFIDENTIAL, { B }).

(b) Suppose a system implementing Biba’s model used the same labels for integrity levels and categories as for security levels and categories. Under what conditions could one subject read an object? Write to an object?

Problem 3

(a)  Integrity is an important element of an information flow policy. Suppose there are two levels of integrity, T for Trusted and U for Untrusted. Intuitively, untrusted data should not be allowed to corrupt trusted data. That is, data from untrusted variables should not be allowed to flow to trusted variables. Examine the following statements, which have integrity labels as subscripts on variables. Explain which statements are secure, which are insecure, and why.

         i.            XT := YT + ZU;

       ii.            VU := YT + ZU;

      iii.            if XT then YT := XT else VU := ZU;

     iv.            if VU then YT := XT else VU := ZU;

(b) Semaphores are used for synchronization in concurrent programs. A semaphore is an integer variable whose value is always at least zero. Two operations can be performed on a semaphore s: wait(s) and signal(s). wait(s) causes the process executing it to block until s can be decremented and still leave s >= 0, and signal(s) causes s to be incremented. Suppose that concurrent execution of processes S1, ..., Sn is written as:

cobegin S1 || ... || Sn coend

Discuss whether the following two program fragments are secure or insecure, based on information flows. The variables in these programs are subscripted with confidentiality labels. You may assume a synchronous execution model in which observers have access to a clock (as was discussed Notes). These are program fragments, so all variables receive values elsewhere before the fragment starts executing.


sH := 0;
tH := 0;
xL := -1;
    if yH then signal(sH);
          else signal(tH);
    if xL = -1 then xL := 1;
    if xL = -1 then xL := 0;


sH := 0;
xL := 0;
    if yH then signal(sH);
    xL := 1;