# Assignment 10, due Apr 26

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday). Unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

1. Background: Consider the problem of doing a threat analysis for a college student's priceless collectable coffee mug. The student lives in the dorms, with a roommate, and keeps the mug on the bookshelf over the desk when not in use. The dorm room is on the second floor of an older brick building. Each room has a sash window and hard-wired internet service. It is a large dorm. The front door is not locked when there is a work-study student on duty at the front desk, but it is locked at other times. The front desk has a master key, with a strict policy to log all use of the key in a logbook. All the other doors to the dorm are locked at all times. The keys to each dorm room also work the outside doors.

a) Briefly describe 3 different ways someone could burgle the mug (note: burglary, not robbery). (0.5 points)

b) Create an attack tree that compactly covers all of your alternatives for part a. Don't forget to document the distinction between *and* nodes and *or* nodes in the tree (that is, where the subtrees below a node are all required for an attack, versus where the subtrees below are alternatives for accomplishing the attack). Estimate costs for each node in the tree, in terms of man-hours of labor needed to achieve that goal. Note that the cost of an *and* node is at least the sum of the costs of its children, while the cost of an *or* node is at least the minimum of the costs of its children. (Suggestion: If a tree diagram gets messy, consider using outline format, with the subtrees under each node indented below the description of that node.) (1.0 points)

c) From the tree with cost estimates, derive a description of the least-cost attack. (0.5 points)
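The cost rule from part b (an *and* node costs at least the sum of its children, an *or* node at least the minimum) and the suggested outline format, as an added Python example that is not part of the assignment; the tree, its node names and its hours are constructed placeholders, not an answer for the mug scenario:

```python
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class Node:
    # kind: "leaf", "and" (all children required) or "or" (any child suffices).
    # cost: this node's own labour in man-hours; for and/or nodes it is
    # overhead on top of the children (0 if none).
    name: str
    kind: str = "leaf"
    cost: float = 0.0
    children: List["Node"] = field(default_factory=list)

def least_cost(node: Node) -> Tuple[float, List[str]]:
    """Cheapest attack under `node`: (total man-hours, list of leaf steps).

    AND node: own cost + sum of the children's least costs (all required).
    OR node:  own cost + minimum of the children's least costs (alternatives).
    """
    if not node.children:
        return node.cost, [node.name]
    results = [least_cost(c) for c in node.children]
    if node.kind == "and":
        steps = [s for _, path in results for s in path]
        return node.cost + sum(c for c, _ in results), steps
    if node.kind == "or":
        best_cost, best_steps = min(results, key=lambda r: r[0])
        return node.cost + best_cost, best_steps
    raise ValueError(f"unknown node kind {node.kind!r}")

def outline(node: Node, depth: int = 0) -> List[str]:
    """Render the tree as an indented outline, one line per node."""
    tag = f" [{node.kind.upper()}]" if node.children else ""
    lines = [f"{'  ' * depth}- {node.name}{tag} ({node.cost:g} h)"]
    for child in node.children:
        lines.extend(outline(child, depth + 1))
    return lines

# Constructed sample tree: placeholder names and illustrative hours only.
SAMPLE = Node("Goal", "or", children=[
    Node("Route A", "and", children=[
        Node("A step 1", cost=2.0), Node("A step 2", cost=1.5)]),
    Node("Route B", "and", children=[
        Node("B step 1", cost=1.0),
        Node("B step 2", "or", children=[
            Node("B option x", cost=4.0), Node("B option y", cost=3.0)])]),
    Node("Route C", cost=6.0),
])
```

Running `least_cost(SAMPLE)` returns `(3.5, ['A step 1', 'A step 2'])`, i.e. route A is the least-cost attack once the *and* sums and *or* minimums are propagated up; `outline(SAMPLE)` gives the indented listing for documenting the tree.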

2. Background: A data diode is a device that permits data to flow in one direction while preventing flow in the opposite direction. The classic data diode consists of a photocell to receive data and a modulated light source to transmit data, connected by fiber optics to prevent data leakage.

Consider the problem of connecting the computers controlling the sluice gates of a flood-control dam to the Internet. These computers must be protected from attack from the Internet, but the stream of flood forecast data they generate is of vital importance to all downstream property owners.

a) Explain how a data diode can be useful in the context of the Bell-LaPadula security model. (0.5 points)

b) Is the Bell-LaPadula model applicable to the flood-control reservoir control system? Explain your answer. (0.5 points)

c) How are data diodes applicable to protecting the flood-control reservoir control computer? (0.5 points)

3. Background: Suppose a user is using the TCP protocol, which uses the TCP header documented at http://www.networksorcery.com/enp/protocol/tcp.htm

a) How many bits of covert data can you include in a TCP header? (0.5 points)

b) How can you include covert data in the Options and Padding field of a TCP packet? (0.5 points)

c) If you were writing a firewall that was supposed to block covert channels, how would you block the use of the channels you have described above? (0.5 points)