Assignment 10 Solutions

Part of the homework for 22C:169, Spring 2011
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

  1. Background: Consider an Internet router. Its job is to serve as a gateway between any of several network links. On receipt of a message with the ultimate address X, the routing tables are searched for advice about where to forward that message to get it closer to X.

    Some routers have static routing tables, typically forwarding all difficult routing problems to other routers they have been configured to use. Many routers are more dynamic, communicating with other routers to learn about changes in the network. The Internet is so big that links and machines, including routers, are constantly being added and subtracted. Without dynamic routing tables, this would never work.

    Most routers can not only forward messages but also apply rewrite rules to addresses. Such a rule might read "if you see a message addressed to X, send it to Y instead." Such a router allows the addressing scheme used in some local subnet to be different from the addressing scheme used elsewhere.

    a) Suppose an attacker was able to hack into the router connecting your local subnet to the rest of the Internet. The only thing the hacker can do is change the routing table. Your router has a static routing table with no rewrite rules. What damage could the hacker do? (0.5 points)

    The attacker could misroute messages, so outgoing messages intended for some other machine get routed, for example, to the attacker's machine. The attacker could also block incoming messages from some sources by routing them elsewhere. Even if the data is securely encrypted, the attacker's ability to route messages to his own machine allows traffic analysis and rewriting at the attacker's machine, so saying that the hacked router could not do rewriting on message addresses is misleading.

    b) How could you, a user of the local subnet, detect the damage discussed in part a? (0.5 points)

    If the normal message delivery time is known, timing can be a give-away. Routing messages through the attacker's machine should delay the average message transit time.

    Another tool to try would be routine test messages sent from various routine correspondents. If these are not delivered or if they are corrupted, the presence of an attacker can be inferred.

    c) Now suppose the router that the hacker attacks is one that other routers consult to dynamically update their routing tables. Does this change the nature of the attacks or just the scale of their effects? (0.5 points)

    If a message passes through multiple routers and only one of them is dishonest, the other routers will limit the damage. The corrupt router may try to deliver the message to the attacker's machine, but other routers will direct it back on routes to the intended machines. In contrast, if the attacker can hack into routing information that is spread to other routers, the attacker can prevent other routers from repairing the damage.

  2. Background: The RIES (Rijnland Internet Voting System) was designed to allow expatriate voters to vote by Internet in Dutch national elections. In order to stand up to attack, it had two separate web servers attached, and every hour during the election, test ballots were voted by Internet. Test ballots ended up in the regular ballot box, but they were "pre-invalidated" so that, when it came time to count the votes, they would not be counted. The list of invalidated ballots was a closely held secret until after the polls closed, so attackers could not detect which ballots were test ballots and which were not. After the polls closed, the ballot box was inspected to make sure that all of the voted test ballots were in fact deposited in the ballot box.

    a) What kinds of attacks could test ballots detect? (0.5 points)

    This could detect if an attacker had managed to impersonate one of the electronic ballot boxes, so that ballots were delivered to the attacker's machine instead of the real ballot box. In this case, the test ballots would not be found in the ballot box.

    It also, somewhat trivially, detects denial of service attacks, because the user attempting to cast a test ballot would notice that the web page for the voting system does not load.

    b) In the 2006 Dutch Parliamentary elections, all of the test ballots were cast from the same PC in the offices used by the election administration. What vulnerability results from this? (0.5 points)

    If a router on the gateway between a foreign country and the Netherlands was misrouting or blocking voting transactions, the test ballots would never detect this because they only pass through the network within the Netherlands.

    c) For maximum effectiveness, how should the test ballots have been cast? (0.5 points)

    It would have been better if test ballots had been cast from around the world using local public Internet connections. Embassy employees could have done something like this.
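    The three checks the test-ballot scheme rests on, as an added illustration that is not part of the original assignment or of RIES itself: counting skips the secret pre-invalidated ids, every cast test ballot must be found in the box afterwards, and (the point of parts b and c) the test ballots should have traversed every network path the real votes depend on. The ballot records, id scheme and origin labels below are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Ballot:
    ballot_id: str
    choice: str
    origin: str  # constructed label for the network the ballot was cast from


def tally(ballot_box, invalidated_ids):
    """Count only ballots whose ids are not on the secret pre-invalidated list."""
    return Counter(b.choice for b in ballot_box if b.ballot_id not in invalidated_ids)


def missing_test_ballots(ballot_box, test_log):
    """Ids of test ballots that were cast but never reached the ballot box.
    A non-empty result indicates an impersonated ballot box or a dropped path."""
    present = {b.ballot_id for b in ballot_box}
    return sorted(tid for tid in test_log if tid not in present)


def uncovered_origins(test_log, required_origins):
    """Networks no test ballot ever traversed (the single-PC weakness of 2006)."""
    seen = set(test_log.values())
    return sorted(set(required_origins) - seen)


# Constructed sample: test_log maps each test ballot id to where it was cast from.
TEST_LOG = {"t-01": "nl-admin", "t-02": "nl-admin", "t-03": "us-east"}
BALLOT_BOX = [
    Ballot("v-100", "A", "nl-home"),
    Ballot("t-01", "A", "nl-admin"),   # test ballot, must not be counted
    Ballot("v-101", "B", "de-berlin"),
    Ballot("t-02", "B", "nl-admin"),
    Ballot("v-102", "A", "us-east"),
    # "t-03", cast from a foreign network, never arrived in the box
]


def audit(ballot_box=BALLOT_BOX, test_log=TEST_LOG,
          required_origins=("nl-admin", "us-east", "de-berlin")):
    """Run all three checks after the polls close."""
    return {
        "tally": dict(tally(ballot_box, set(test_log))),
        "missing": missing_test_ballots(ballot_box, test_log),
        "uncovered": uncovered_origins(test_log, required_origins),
    }


if __name__ == "__main__":
    print(audit())
```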

  3. Background: Many operating systems these days include the option of installing a firewall on the end-user's machine. Most of our discussion of firewalls focused on firewalls that were parts of routers, where the firewall function was an add-on to the routing function.

    It has been argued that such a firewall is unnecessary, as network services you don't want to offer to the world should simply be disabled. Nowadays, many systems come, out of the box, with all these services enabled, and it is easier to block them with a firewall than it is to properly disable the services you don't want to offer.

    Note that the "network stack" was presented as if all messages had to be pushed down to the physical layer for transport from sender to receiver. This is not really true. The exception occurs when the sender and receiver are on the same machine. In this case, the transport layer is likely to complete the message delivery without using any services from lower level layers. In the X-windows system (the public-domain window manager used by Linux), the window manager is a separate process, and all communication from application to window manager is done using the TCP/IP protocol stack. This allows use of remote window applications to be as efficient or even more efficient than local windows. Opening a window is done by making a network connection to the window manager. Drawing on a window involves using that connection, and closing a window involves breaking the network connection.

    a) Suppose you were running Linux with the X window manager. What security threat is posed by running on a machine with no local firewall? (0.5 points)

    Someone on a remote machine could open a window on your display.
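    One way to check for that exposure on your own machine, as an added example not drawn from the assignment: an X server for display :n accepts TCP connections on port 6000 + n, so any such listener bound to a non-loopback address is reachable from remote machines. The code parses listening-socket output in the layout of `ss -ltn`; the sample output embedded below is constructed, not captured from a real host.

```python
import ipaddress

X11_BASE_PORT = 6000       # display :0 listens on 6000, display :n on 6000 + n
X11_MAX_DISPLAYS = 64      # assumed upper bound on display numbers to scan for


def _split_endpoint(endpoint):
    """'0.0.0.0:6000' -> ('0.0.0.0', 6000); '[::]:6001' -> ('::', 6001)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def _is_local_only(addr):
    if addr == "*":
        return False   # wildcard bind: reachable from the network
    return ipaddress.ip_address(addr).is_loopback


def exposed_x_displays(ss_output):
    """Return (display, address, port) for X servers listening beyond loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = _split_endpoint(fields[3])
        display = port - X11_BASE_PORT
        if 0 <= display < X11_MAX_DISPLAYS and not _is_local_only(addr):
            exposed.append((display, addr, port))
    return exposed


# Constructed sample in the layout printed by `ss -ltn`.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:6000         0.0.0.0:*
LISTEN  0       128     127.0.0.1:6001       0.0.0.0:*
LISTEN  0       128     [::]:6002            [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
"""

if __name__ == "__main__":
    for display, addr, port in exposed_x_displays(SAMPLE_SS):
        print(f"display :{display} accepts TCP connections on {addr}:{port}")
```

    Display :1 in the sample is bound to 127.0.0.1 and is therefore not reported; displays :0 and :2 are.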

    b) Give other examples of local applications where the easy way to support them involves use of network protocols. (Hint: Consider any application that is useful over the network but where it might also be useful between local processes or between local users, even on a machine with just one keyboard and display.) (0.5 points)

    Local e-mail would be useful on a shared machine such as a home computer. If the application you are running was developed so that it could run on a multicomputer using the IP protocol stack, it might be that the application itself also uses the IP protocol stack for internal communication even when it is running on a uniprocessor.

  4. Background: Disaster planning involves several components, including threat assessment for predictable disasters, and general preparedness for the unexpected. Here in Iowa City, we have had major floods in 1993 and 2008. The 1993 flood was comparable to the 1947 flood. We had hurricane-force straight-line winds in 1998 that knocked out all power to Johnson County and knocked over enough trees to block almost all of the roads in town. Power was not restored to many buildings for a week, although some lucky few had power within the first day. An F4 tornado hit Iowa City in 2006, causing major damage on a path through downtown. The New Madrid seismic zone is well south of St. Louis, but it is likely that some people in this area felt the 1811-1812 New Madrid super-quakes as distant jolts. Many of Iowa City's taller buildings and church steeples are hit by lightning many times a year. MacLean Hall suffered one serious lightning strike a decade ago that destroyed many computers that were plugged directly into the wall without benefit of surge protectors. In 1985, a fire at the old sewage treatment plant in Cedar Rapids released a plume of hydrogen chloride gas that forced the evacuation of much of Cedar Rapids. This was the largest urban evacuation in US history. The Duane Arnold nuclear plant is in Palo, just west of Cedar Rapids.

    Assume you are involved in the design of a new data center in the Iowa City area.

    a) What threats would you treat as serious predictable risks, and what defensive measures would you take to deal with those risks? (0.5 points)

    Floods are possible, so I would look at the flood hazard maps and build with a safety margin outside the floodplain and above the flood level. Tornadoes are possible, so I would locate servers away from windows and exterior walls. Power failures and lightning strikes are possible, so I would use an uninterruptible power supply and appropriate surge protectors. The risk of evacuation is predictable even when the cause of that evacuation is unpredictable, so I would plan on having off-site backups, "go packs" and a recovery plan in place in case an evacuation is ever required.

    b) What defensive measures would you recommend as generally useful for a broad range of unpredictable disasters? For each, give examples of unpredictable disasters where they might prove useful. Some of your defenses may be listed in both a) and b). (0.5 points)

    Off-site backups, "go packs" and a recovery plan are generally applicable to a broad range of unanticipated events.