Assignment 9, due Apr 22
the homework for 22C:169, Spring 2011
Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday), and unless there is what insurance companies call "an act of God" - something outside your control; the only exceptions to this rule will be by advance arrangement.
Classic Unix systems handle passwords as follows: When a user enters a password, it is immediately hashed using a secure hash function (a one-way function). If the user is changing his password, the hash code is stored in that user's entry in the password file. If the password is being checked, it is compared with the entry in the password file. The password file, /etc/passwd can be read by the public. Each line of this file describes one user, for example:
Fields are separated by colons, the first field is the user name, the second field is the hashed password, the other fields are irrelevant to this question. As Unix has evolved, the particular hash function has changed, but it has always been public knowledge which function was being used. In the 1980's, DES was used as a hash function. Nowdays, SHA-1 woudld be a typical choice. This password file format continues in use today, but the hashed password field has been abandoned.
Your goal in this question is to work through an analysis of the threats to a classic Unix system. Specifically, the goal of your hypothetical attacker is to break into my account.
a) Construct a threat tree. Make sure to consider both technical threats and social engineering or other nontechnical threats. Keep in mind that, as a rule, whenever cryptographic technology is used to solve any problem, it is usually the strong link, and the non-cryptographic parts of the problem are likely to be the weak points. (1.0 point)
b) Identify an inexpensive attack in your threat tree and enumerate all of the resources required to undertake that attack. Keep in mind that the cost that matters is the expected cost of a successful attack, not the cost of one trial. The expected cost of an attack is the cost per trial divided by the likelihood of success. (1.0 point)
A Problem: Place these in a partial ordering, presented as a directed graph with numbered vertices and arrows pointing from more sensitive to less sensitive topics. Omit redundant links! That is, if A>B>C, there is no need to state, also, that A>C. (1.0 point)
a) Data Diodes were invented as an enforcement mechanism for the Bell-LaPadula model, with one computer (or network) used to hold data at each classification level and data diodes controlling the flow of information between levels. The physical system built using computers connected by data diodes does not fully enforce the Bell-LaPadula constraints. How does it fail? Hint: There is an inequality. (1.0 point)
b) Consider the relationship between the computer controlling the nuclear reactor in a power plant, the computer controlling the connection between the power plant and the electrical transmission network, and the power company web server that provides information to the police and the public. Is the Bell-LaPadula model applicable here? Is there some general principle involved? (1.0 point)