CSE543 - Computer and Network Security
Module: Firewalls
Professor Trent Jaeger
Tuesday, October 30, 12
(28 slides; slide footer: CMPSC443 - Introduction to Computer and Network Security)



Page 2: Exam

• Three kinds of questions
  ‣ 12 short answer: What (3 pts each)
  ‣ 5 long answer: Why (6-7 pts each)
  ‣ 3 constructions: How (10 pts each)

Page 3: Short Answer

• Three kinds of questions
  ‣ 12 short answer: What (3 pts each)

CSE543/Fall 2010 - Midterm, Tuesday, October 19, 2010 — Professor Trent Jaeger

Please read the instructions and questions carefully. You will be graded for clarity and correctness. You have 75 minutes to complete this exam, so focus on those questions whose subject matter you know well. Write legibly and check your answers before handing it in.

Short Answer - some will be one or two words – no more than 3 sentences

1. (4pts) What is the difference between protection and security?

answer: A system that provides security ensures the protection of its data (i.e., enforcement of its security goals) even when a user may run code that has malicious intent. Systems that provide protection enforce the specified policy only if the user runs trusted code.

2. (3pts) Define protection state.

answer: The permissions available to every system principal at a particular time – a snapshot of the system's access matrix.

3. (3pts) How can you configure a file's access control list in Windows to permit every subject but one to access that file?

answer: Add a negative ACE at the beginning of the file's ACL, give everyone access in the next ACE.

4. (4pts) What is the purpose of a public key infrastructure? Why is there a risk for "who is using my key?"

answer: Bind a public key to an identity securely on internet scale. System cannot protect private key from compromise.

5. (4pts) How would a server procedure be designed for a Hydra system to avoid the confused deputy problem?

answer: Use capability templates to instantiate input capabilities for the server procedure from the client and use only those capabilities to avoid using unauthorized rights.

6. (4pts) What mechanisms does Multics use to protect the secrecy of objects?

answer: Multics authorizes access to segments which represent memory and I/O (files). There are a variety of policies. Protection rings provide the mediation points for enforcing integrity. The access and call bracket policies describe the integrity policy of a Multics system. MLS and ACLs too.


Page 4: Exam

• Three kinds of questions
  ‣ 5 long answer: Why (6-7 pts each)
    • Longer "what" questions that want to know why and how

Long Answer - no more than 3 paragraphs

15. (7pts) Specify how domain transitions occur in UNIX, SELinux, and Multics. Just outline the mechanisms – no specific rules are required. Indicate the security advantages of SELinux and Multics over UNIX domain transitions in your description.

answer: UNIX transitions domains via setuid. The UID of the process changes to that of the owner of the file.

SELinux defines rules to limit when domain transitions are permitted and what the destination domain will be. These rules constrain who can cause a transition (not every invocation gains privilege) and limit the privileges based on the caller (different callers get different privileges).

Multics defines domain transitions via call brackets that state when low privileged processes may transition to higher and vice versa. Multics also defines gatekeepers to ensure that higher privileged code cannot be compromised by low integrity inputs. Multics defines multiple ring levels (not just root) and protects inputs.

16. (7pts) What are the components that ensure integrity in a Clark-Wilson integrity system and a Biba integrity system (i.e., there are two different sets to be specified)? How do these components ensure integrity in each system?

answer: Using Clark-Wilson, we need to add Integrity Verification Procedures to test integrity at the outset, and verified Transformation Procedures to handle the high integrity data. TPs must be assured to operate on high integrity data correctly and protect themselves from low integrity inputs.

In Biba, we only add integrity guards to protect normal processes from low integrity inputs, and we can proceed as long as no low integrity inputs reach the high integrity processes, defined by the policy.

17. (7pts) Why is it necessary to prevent forgery of capabilities in capability systems to meet reference monitor guarantees? Specify the conditions under which it is necessary to weaken (reduce) the permissions available to a capability.

answer: If a capability can be forged, then a process can create its own permissions to any object that it can name. This would circumvent the tamperproofing of system policies, and nothing would be verifiable.

We must weaken a capability when a high secrecy subject fetches a capability from a low secrecy memory. Because this capability may have been created by a low secrecy subject, it may have write permission to low secrecy objects. Since this would violate the *-property, such capabilities must be weakened to remove the write permission.

18. (7pts) What purpose does the ticket in a Kerberos message serve? Why can't Mallory spoof Alice to Bob by generating an authenticator claiming to be from Alice, {Alice, timestamp}K_session, and replaying a ticket for which she knows the session key from a previous session with Bob, {Bob, Mallory, timestamp, lifetime, K_session}K_Bob-TGS?

answer: A ticket is used to securely provide the session key to the server. It includes the names of the client and server for which the session key applies, a freshness timestamp, the ticket's lifetime, and the session key. Because the ticket is encrypted in a key known only to Bob and the TGS, and only the format is well-defined, the ticket securely conveys the key.

If Mallory substitutes her ticket, Bob will be able to see that the ticket says that it is for a communication from Mallory to Bob, so he will know it is not from Alice. Plus, the timestamp may have expired, but that is not guaranteed.


Page 5: Exam

• Three kinds of questions
  ‣ 3 constructions: How (10 pts each)

Long Answer - no more than 2 paragraphs

15. (7pts) How does the trust model of a trusted platform module (TPM) impact the ability of a content provider to enforce digital rights management (DRM) on the user of the TPM-enabled device?

answer: A TPM is not tamperproof, so the user of the system is trusted in the model (e.g., not to extract the key from the hardware), and a core root of trust measurement (e.g., BIOS) is also trusted.

Since DRM is about controlling the rights of the user, perhaps in ways unacceptable to some users, the user is an adversary to the DRM system. As a result, there is a conflict between the trust and threat models in a DRM environment.

16. (7pts) How does the trust placed in a CA of a PKI (assume there is no registration authority) compare to that of the authentication server in Kerberos?

answer: The CA certifies that a set of identifying attributes (business, website URL, etc.) is correctly mapped to the private key corresponding to the public key in the CA-signed certificate. In Kerberos, the AS stores secret keys with each user in the system, so it must ensure the mapping from the key to the real user.

Both the Kerberos AS and the PKI CA have to identify the validity of the mapping between an entity and a key, but the PKI CA has to ensure more attributes. However, a Kerberos AS stores a secret for each user and must securely generate session keys, whereas a PKI CA must only protect its private key.

17. (7pts) What is the difference between the representation of subjects (i.e., entities with access to objects) in the Clark-Wilson Integrity Model and a typical access matrix (e.g., UNIX)? What impact does the definition of Clark-Wilson subjects have on improving integrity management?

answer: CW subjects consist of user and code (TP); UNIX subjects are just the user. By including the code as well as the user, the CW model can limit the access of high integrity data (CDIs) to high integrity code (TPs) regardless of user.

18. (7pts) How is the achievement of reference monitor guarantees in HYDRA different from a conventional system (UNIX/Windows)?

answer: (1) Tamperproof: both reference monitors are in the kernel; (2) complete mediation: in HYDRA, every procedure and object access requires a capability check, but these can be implemented in a single mechanism for authorizing capability references versus the more ad hoc system call authorization of UNIX; (3) simplicity: HYDRA has a single, simple mechanism, but verifying that the policy is correct is harder than in UNIX due to challenges in knowing who has which capabilities, due to delegation, and defining caller-dependent capabilities is complex and could be error-prone.

Word Problems - take your time and answer clearly and completely.

19. (10pts) Consider the Needham-Schroeder protocol for shared key distribution. Assume XOR for encryption/decryption.

In the NS protocol, the initiating party, we will call A, forwards the conversation key CK in a message encrypted by the authentication server AS for the verifying party B.

Suppose A's identity is represented by the 4-bit quantity 0001 and the key shared between B and the AS is 0101.

(a) (2pts) If the message forwarded from A to B is 11010100, then what is the conversation key? (Hint: Use the format of the conversation key message in the NS protocol. Note that the key is 4 bits long).
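Added worked example for question 19(a), not part of the exam or the slides: B's handling of the forwarded Needham-Schroeder message {CK, A}K_B under the exam's XOR cipher, using only the values the question gives (A = 0001, K_B = 0101, forwarded message 11010100). Two assumptions: the plaintext is laid out as CK followed by A, and the 4-bit key is XORed over each 4-bit block of the message.

```python
KEY_BITS = 4  # the question states the key is 4 bits long


def xor_bits(a: str, b: str) -> str:
    """Bitwise XOR of two equal-length bit strings."""
    assert len(a) == len(b)
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def xor_crypt(data: str, key: str) -> str:
    """The exam's toy cipher: XOR the key over each key-sized block
    (assumption). XOR is its own inverse, so one call both encrypts
    and decrypts."""
    assert len(data) % len(key) == 0
    return "".join(xor_bits(data[i:i + len(key)], key)
                   for i in range(0, len(data), len(key)))


def build_key_message(ck: str, a: str, k_b: str) -> str:
    """What the AS produces for B and A forwards: {CK, A} under K_B,
    with the assumed layout CK || A."""
    return xor_crypt(ck + a, k_b)


def open_key_message(ciphertext: str, k_b: str, expected_a: str) -> str:
    """B's side: decrypt with K_B, split into CK || A, and accept CK only
    if the identity field names the initiator B is expecting."""
    plain = xor_crypt(ciphertext, k_b)
    ck, a = plain[:KEY_BITS], plain[KEY_BITS:]
    if a != expected_a:
        raise ValueError(f"identity field {a} does not match {expected_a}")
    return ck


def solve_19a() -> str:
    """Question 19(a): A = 0001, K_B = 0101, forwarded message 11010100."""
    return open_key_message("11010100", "0101", "0001")


def wrong_layout_rejected() -> bool:
    """Why the hint stresses the message format: reading the same
    plaintext as A || CK puts the other half in the identity slot, so
    B's identity check fails and no key is accepted."""
    plain = xor_crypt("11010100", "0101")
    a_if_first = plain[:KEY_BITS]  # what B would take as A under the wrong layout
    return a_if_first != "0001"
```

The identity check is what ties the key to a peer: the same bits with the halves swapped would yield a key, but not one B should trust.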


Page 6: Topics

• Cryptography
  ‣ Encryption, Hashing, Signatures, HMACs
  ‣ Cryptographic Notation for Protocols
• Symmetric key
  ‣ Basic symmetric key operations (substitution, permutation)
• Hash Functions
  ‣ Properties
  ‣ Some things you can do
• Public key
  ‣ RSA
  ‣ Diffie-Hellman

Page 7: Topics

• Authentication
  ‣ Basics
  ‣ Passwords
  ‣ Protocols
• Authentication Protocols
  ‣ Web
  ‣ Needham-Schroeder
  ‣ Kerberos
  ‣ PKI
• Differences between N-S and Kerberos
• PKI (certificates, validation, issues)

Page 8: Topics

• System Security
  ‣ Vulnerabilities
  ‣ Access Control
  ‣ OS Security
• Vulnerabilities
  ‣ Overflows, etc.
  ‣ Name Resolution
• Access Control
  ‣ Concepts
  ‣ Models (matrix, RBAC, MLS, Clark-Wilson)
• OS
  ‣ Multics, Capabilities, Sandboxes, UNIX/Windows

Page 9: Topics

• Network Security
  ‣ Vulnerabilities
  ‣ DNSsec
  ‣ IPsec
• Vulnerabilities
  ‣ TCP and other protocols
• DNSsec
  ‣ Concepts
  ‣ Public key and symmetric key
• IPsec
  ‣ Concepts (modes and protocols)
  ‣ How it works, VPNs, VLANs

Page 10: Firewalls

• A firewall ... is a physical barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse.

Page 11: Filtering: Firewalls

• Filtering traffic based on policy
  ‣ Policy determines what is acceptable traffic
  ‣ Access control over traffic
  ‣ Accept or deny
• May perform other duties
  ‣ Logging (forensics, SLA)
  ‣ Flagging (intrusion detection)
  ‣ QoS (differentiated services)

(Figure: protocol stack labelled Application, Network, Link)

Page 12: IP Firewall Policy

• Specifies what traffic is (not) allowed
  ‣ Maps attributes to address and ports
  ‣ Example: HTTP should be allowed to any external host, but inbound only to web-server

Page 13: X-Listing

• Blacklisting - specifying specific connectivity that is explicitly disallowed
  ‣ E.g., prevent connections from badguys.com
• Whitelisting - specifying specific connectivity that is explicitly allowed
  ‣ E.g., allow connections from goodguys.com
• These are useful for IP filtering, SPAM mitigation, …
• Q: What access control policies do these represent?

Page 14: Stateful, Proxy, and Transparent

• A single packet contains insufficient data to make an access control decision
  ‣ Stateful: allows historical context consideration
  ‣ Firewall collects data over time
    • e.g., TCP packet is part of an established session
• Firewalls can affect network traffic
  ‣ Transparent: appear as a single router (network)
  ‣ Proxy: receives, interprets, and reinitiates communication (application)
  ‣ Transparent good for speed (routers), proxies good for complex state (applications)

Page 15: DMZ (De-militarized Zone)

(Figure: Internet - DMZ (servers) - LAN)

• Zone between LAN and Internet (public facing)

Page 16: Practical Issues and Limitations

• Network layer firewalls are dominant
  ‣ DMZs allow multi-tiered fire-walling
  ‣ Tools are widely available and mature
  ‣ Personal firewalls gaining popularity
• Issues
  ‣ Network perimeters not quite as clear as before
    • E.g., telecommuters, VPNs, wireless, …
  ‣ Every access point must be protected
    • E.g., this is why war-dialing/driving is effective
  ‣ Hard to debug, maintain consistency and correctness
  ‣ Often seen by non-security personnel as an impediment
    • E.g., "Just open port X so I can use my wonder widget …"
• SOAP - why is this protocol an issue?

Page 17: The Wool firewall study

• 12 error classes
  ‣ No default policy, automatic broad tools
  ‣ NetBIOS (the very use of the Win protocol deemed an error)
  ‣ Portmapper protocols
  ‣ Use of "any" wildcards
  ‣ Lack of egress rules
• Interesting questions:
  ‣ Is the violation of Wool's requirements really a problem?
  ‣ "DNS attack" comment?
  ‣ Why do you think more expensive firewalls had a higher occurrence of errors?
• Take away: configurations are bad

Page 18: Practical Firewall Implementations

• Primary task is to filter packets
  ‣ But systems and requirements are complex
• Consider
  ‣ All the protocols and services
  ‣ Stateless vs. stateful firewalls
  ‣ Network function: NAT, forwarding, etc.
• Practical implementation: Linux iptables
  ‣ http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html
  ‣ http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/ch-iptables.html

Page 19: Netfilter hook

• Series of hooks in the Linux network protocol stack
• An iptables rule set is evaluated at each
  ‣ "PREROUTING": before routing
  ‣ "INPUT": inbound to local destination
  ‣ "FORWARD": inbound but routed off host
  ‣ "OUTPUT": outbound to remote destination
  ‣ "POSTROUTING": after routing

(Figure: packet path through the hooks: Preroute, Routing, Input, Forward, Output, Postroute)

Page 20: iptables Concepts

• Table: all the firewall rules
• Chain: list of rules associated with the chain identifier, e.g., hook name
• Match: when all of a rule's fields match the packet
• Target: operation to execute on a packet given a match

The iptables firewall looks in the firewall table to see whether a rule in the chain associated with the current hook matches the packet, and executes that rule's target if it does.

Page 21: iptables Commands

• Commands
  ‣ Append rule to end or specific location in chain
  ‣ Delete a specific rule in a chain
  ‣ Flush a chain
  ‣ List a chain
  ‣ Create a new user-specified chain
  ‣ Replace a rule

iptables [-t <table_name>] <cmd> <chain> <plist>

Page 22: iptables Rule Parameters

• Things you can match on
  ‣ Destination/Source
    • IP address range and netmask
  ‣ Protocol of packet
    • ICMP, TCP, etc.
  ‣ Fragmented only
  ‣ Incoming/outgoing interface
  ‣ Target on rule match

Page 23: Test it out

• PING on localhost
  ‣ ping -c 1 127.0.0.1
• Add iptables rule to block
  ‣ iptables -A INPUT -s 127.0.0.1 -p icmp -j DROP
• Try ping
• Delete the rule (by rule number, by matching specification, or by flushing the chain)
  ‣ iptables -D INPUT 1
  ‣ iptables -D INPUT -s 127.0.0.1 -p icmp -j DROP
  ‣ iptables -F INPUT

Page 24: Testing

• Use loopback to test the rules locally on your machine
  ‣ IP address 127.0.0.1
• ICMP
  ‣ submit ping requests to 127.0.0.1 as above
• TCP
  ‣ submit requests to 127.0.0.1 at a specific port
  ‣ server: nc -l -p 3750 (listen at port 3750)
  ‣ client: nc -p 3000 localhost 3750 (send from port 3000 to localhost at port 3750)

Page 25: Per Protocol Options

• Specialized matching options for rules
  ‣ Specific to protocol
• TCP
  ‣ Source/destination ports
  ‣ SYN
  ‣ TCP flags

Page 26: Targets

• Define what to do with the packet at this time
• ACCEPT/DROP
• QUEUE for user-space application
• LOG any packet that matches
• REJECT drops and returns error packet
• RETURN enables packet to return to previous chain
• <user-specified> passes packet to that chain

Page 27: Examples

iptables -A INPUT -s 200.200.200.2 -j ACCEPT
iptables -A INPUT -s 200.200.200.1 -j DROP
iptables -A INPUT -s 200.200.200.1 -p tcp -j DROP
iptables -A INPUT -s 200.200.200.1 -p tcp --dport telnet -j DROP
iptables -A INPUT -p tcp --destination-port telnet -i ppp0 -j DROP

Page 28: Deep Packet Inspection

• Deep packet inspection looks into the internals of a packet to look for some application/content context
  ‣ e.g., inspect HTTP for URLs that point to malicious websites
  ‣ Can have serious privacy issues if done by, say, COMCAST
• To specify a match in iptables
  ‣ iptables -A INPUT -p tcp -m string --algo bm --string 'exe'
    • matches packets with content containing 'exe'
  ‣ iptables -A INPUT -p tcp -m length --length 10:100
    • matches packets with length between 10 and 100 bytes
    • Also, can specify 'greater than 10' by 10:

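Added example, not the slides' or netfilter's own code: a small Python model of how iptables evaluates a table (chains of first-match rules, terminal and non-terminating targets, user chains with RETURN, the built-in chain's policy), run over constructed packets against the policy from the IP Firewall Policy slide, rules from the Examples slide and the string/length matches from the Deep Packet Inspection slide. The web server address 10.0.0.8, the other addresses and the payloads are constructed, and the 40-byte header size and the reduced set of match fields are simplifying assumptions.

```python
import ipaddress

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
WEB_SERVER = "10.0.0.8"  # placeholder for the slide's "web-server"


def matches(rule, pkt):
    """A rule matches only if every field it specifies fits the packet;
    omitted fields are wildcards (like leaving out -s, -p or --dport)."""
    for side in ("src", "dst"):
        if side in rule and ipaddress.ip_address(pkt[side]) not in ipaddress.ip_network(rule[side]):
            return False
    for key in ("proto", "dport", "in_iface"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    if "string" in rule and rule["string"] not in pkt.get("payload", b""):  # -m string
        return False
    if "length" in rule:  # -m length --length lo:hi; hi=None models the open "10:" form
        lo, hi = rule["length"]
        if pkt["length"] < lo or (hi is not None and pkt["length"] > hi):
            return False
    return True


def walk(chains, name, pkt, log):
    """Evaluate one chain top to bottom; the first matching rule with a
    terminal target decides. Returns None when the chain falls through."""
    for rule in chains[name]["rules"]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target == "LOG":  # non-terminating: record the packet and keep going
            log.append(f"{name}: {pkt['src']} -> {pkt['dst']}:{pkt.get('dport')}")
        elif target == "RETURN":  # hand back to the calling chain
            return None
        elif target in TERMINAL:
            return target
        else:  # jump into a user-defined chain
            verdict = walk(chains, target, pkt, log)
            if verdict is not None:
                return verdict
    return None


def filter_packet(chains, hook, pkt, log):
    """Built-in chains (hooks) carry a policy that decides unmatched packets."""
    verdict = walk(chains, hook, pkt, log)
    return verdict if verdict is not None else chains[hook]["policy"]


def packet(src, dst, proto="tcp", dport=None, payload=b"", in_iface="eth0"):
    """Constructed packet; length assumes a 40-byte IP+TCP header plus payload."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport,
            "payload": payload, "in_iface": in_iface, "length": 40 + len(payload)}


# Policy slide (HTTP out anywhere, HTTP in only to the web server), rules from
# the Examples slide, and the string/length matches from the DPI slide.
CHAINS = {
    "INPUT": {"policy": "DROP", "rules": [
        {"src": "200.200.200.2/32", "target": "ACCEPT"},
        {"src": "200.200.200.1/32", "proto": "tcp", "dport": 23, "target": "DROP"},
        {"proto": "tcp", "dport": 23, "in_iface": "ppp0", "target": "DROP"},
        {"proto": "tcp", "string": b"exe", "length": (10, 100), "target": "LOG"},
        {"proto": "tcp", "dport": 80, "target": "http_in"},
    ]},
    "OUTPUT": {"policy": "DROP", "rules": [{"proto": "tcp", "dport": 80, "target": "ACCEPT"}]},
    "http_in": {"rules": [  # user chain: only the web server may receive inbound HTTP
        {"dst": WEB_SERVER + "/32", "target": "ACCEPT"},
        {"target": "RETURN"},  # anything else falls back to INPUT and then its policy
    ]},
}


def demo():
    """Run constructed packets through the table; returns (verdicts, log lines)."""
    log = []
    cases = {
        "web_in": ("INPUT", packet("203.0.113.7", WEB_SERVER, dport=80)),
        "web_lan": ("INPUT", packet("203.0.113.7", "10.0.0.5", dport=80)),
        "telnet": ("INPUT", packet("200.200.200.1", "10.0.0.5", dport=23)),
        "ppp_telnet": ("INPUT", packet("198.51.100.4", "10.0.0.5", dport=23, in_iface="ppp0")),
        "exe_http": ("INPUT", packet("200.200.200.1", WEB_SERVER, dport=80, payload=b"GET /a.exe")),
        "http_out": ("OUTPUT", packet("10.0.0.5", "198.51.100.4", dport=80)),
    }
    return {k: filter_packet(CHAINS, hook, pkt, log) for k, (hook, pkt) in cases.items()}, log
```

Note that the "exe_http" packet is both logged and accepted: LOG does not stop traversal, so a log-only rule never blocks anything on its own.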