CS 261 Homework 2
Briefly sketch answers to each of the following problems.
Two or three short sentences should be
enough for nearly all of the questions.
Feel free to use incomplete sentences if you like.
This problem set is due Thursday, 3 October.
Turn in your answers, in paper, at the beginning of class that Thursday.
You may discuss the questions on this homework with others,
but the writeup you turn in must be your own.
You may use any source you like (including other papers or textbooks),
but if you use any source not discussed in class,
you must cite it.
authentication for access to web pages. When you initially log in
to the webserver, it generates a random cookie (a secret, unguessable
string of bits) and sends it to your browser, which will re-send it back
to the webserver whenever you re-visit that web page again to prove that
you are an authorized viewer.
What are the weaknesses of this scheme?
- Another mechanism in
the standard uses challenge-response authentication.
You and the webserver share a secret passphrase; when you want to view
the web page, the webserver sends you a random challenge (which is different
every time), and you compute a cryptographic checksum of the passphrase and
challenge and send the result back to the webserver.
This allows the webserver to
check whether you know the passphrase by verifying whether your response is
Assume the crypto algorithm is perfect (there are no mathematical
shortcut attacks against it).
What attacks are there on this scheme?
For this question, you will practice doing a security audit of
some interesting program.
Pick any open-source application where security is relevant.
The only requirement is that it must consist of at least 2000 lines of code.
If you're at a loss for a program to audit, you can check out
web site's list of suggestions.
Or, you can pick one yourself. Good choices might include network
daemons, standard Unix utilities, setuid programs, or clients that
process data that came from the network (mailers, browsers, MP3 players, etc.).
Then, do the following.
- What application did you pick? Which version? Give the URL where
I can download the source. How many lines of code is it?
(One simple way to count the number of lines is using
"find . -name '*.[ch]' -print | xargs wc -l"
from within the source directory.)
- Briefly describe the threat model and security goals for your program.
- Spend 1-2 hours to understand the organization, structure, and
goals of your program. (You'll probably have to browse source code
for this, because it is often not documented.) Draw a diagram depicting
the program architecture at a high level. Probably your diagram will
show a few key components and how they interact.
Include your diagram with the solution you turn in to this homework.
- Based on the diagram you drew, what portions of the program are
most likely to have the highest risk of security holes?
- Spend 1-2 hours reading code from the high-risk portions you named
above, looking to see whether the program meets its security goals.
This should include an intensive review of the source code, looking
for common implementation errors. You don't have to audit all the
high-risk pieces you named above;
instead, stop after 1-2 hours, and describe which pieces you did audit.
- Next, download RATS
and run it on the source code. It will warn you about potential trouble
spots that could use manual inspection, prioritized according to the risk
of security hole. Each such warning will name a describe a type of
implementation error that could be present there, and it is up to you
to inspect that segment of code and decide whether it is ok or not (you
are much smarter than RATS).
Spend 1-2 hours examining the warnings it gives you by
hand to see whether they correspond to security holes or not.
You don't have to inspect all the RATS warnings; look at them in priority
order, and stop after 1-2 hours. Print out the output from RATS, and
circle the warnings that you did inspect.
Hint: If you use vim, redirect the output from RATS into a file
"rats.out", run "vim -q rats.out", and type ":cn"
repeatedly to cycle through the lines identified by RATS.
I mapped function key F3 to the next-warning functionality by adding
map #3 :cn^V^M
to my ~/.vimrc file (here "^X" represents
a control-X character, which can be entered in vi by typing
Type ":h quickfix" within a vi window for more on the
If you use emacs, I believe you can run
"emacs rats.out" and type "C-x `" (control-X backtick)
repeatedly to get a similar effect.
- Write a lucid summary of the results of your audit.
Did you find any security holes or fishy-looking code? Could the code
have been structured better for security? Describe your findings.
To get the idea of what an audit summary might look like, you can refer to
audit I entered on the Sardonix web site (sadly, my formatting sucks;
you could use HTML tags a bit better than I did).
Submit your audit summary to the
Sardonix audit portal
(you'll need to
as an auditor first; use your real name to make my life easier),
filling out all fields.
(The Sardonix web site is a forum for those who have done security audits
to report on their findings.)
Also, print out and attach to your homework your audit summary.
If you found any potential security holes, email the code maintainer as well.