CS 261 Homework 2

Instructions

This problem set is due Friday, 12 October.

You may work together and discuss the questions on this homework with others, but the writeup you turn in must be your own. You may use any source you like (including other papers or textbooks), but if you use any source not discussed in class, you must cite it.

Question 1

A diligent reader of the paper on privilege-separated OpenSSH notices that close to half of the code of the privileged process comes from the third-party OpenSSL cryptographic library. Therefore, he proposes the following new architecture: The privileged parent will fork() a second child (the "crypto slave process"). The crypto slave process will be used to perform all cryptographic operations that currently are performed in the privileged parent, and all of that OpenSSL code will be transferred into the crypto slave process. Whenever the privileged parent wants to perform a cryptographic operation, it will send all of the inputs to that operation to the crypto slave process (over a pre-established socket); the crypto slave process will perform the cryptographic computation, and send the result back to the privileged parent over the same socket. The crypto slave process will be run without privilege, using Linux seccomp mode as a sandbox to prevent it from executing any system call other than read(), write(), or exit().

Suppose the author of the OpenSSL library was malicious. Name two different ways that a backdoor in OpenSSL could leak the OpenSSH server's private key to a co-conspirator elsewhere on the Internet.

Assumptions: You may assume that nobody reviews the OpenSSL source code (you don't have to hide the backdoor in any way); that the rest of the OpenSSH code has no bugs or security holes; that the OpenSSH server is running on a publicly accessible port, at an IP address known to the co-conspirator (in particular, it isn't behind a firewall); that the co-conspirator does not have an account on the OpenSSH server and doesn't know the passwords of anyone who does have an account; that the privileged parent needs to send its private key to the crypto slave process at one time or another (e.g., to compute the OpenSSH server's RSA signature on the key exchange).
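The proposed architecture from Question 1, as an added sketch that is not part of the original assignment and not OpenSSH or OpenSSL code. The names toy_op, worker and crypto_request are hypothetical, toy_op is a checksum standing in for the real cryptographic operation, and the code assumes Linux with seccomp strict mode available.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the OpenSSL call: FNV-1a checksum, NOT real cryptography. */
static uint32_t toy_op(const uint8_t *in, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= in[i]; h *= 16777619u; }
    return h;
}

/* Child: drop inherited descriptors, enter strict seccomp, serve one request. */
static void worker(int fd) {
    uint8_t buf[64]; uint32_t out;
    /* Inherited fds stay usable under seccomp; 1024 is an assumed demo bound. */
    for (int i = 0; i < 1024; i++) if (i != fd) close(i);
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) syscall(SYS_exit, 2);
    ssize_t n = read(fd, buf, sizeof buf);
    out = n > 0 ? toy_op(buf, (size_t)n) : 0;
    int rc = write(fd, &out, sizeof out) == (ssize_t)sizeof out ? 0 : 1;
    syscall(SYS_exit, rc);          /* exit_group() would be killed in strict mode */
}

/* Parent: send the input over the socket, read back the 4-byte result. */
int crypto_request(const uint8_t *in, size_t n, uint32_t *out) {
    int sv[2], status = 0;
    if (n == 0 || n > 64 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(sv[0]); close(sv[1]); return -1; }
    if (pid == 0) worker(sv[1]);    /* never returns */
    close(sv[1]);
    int ok = send(sv[0], in, n, MSG_NOSIGNAL) == (ssize_t)n &&
             read(sv[0], out, sizeof *out) == (ssize_t)sizeof *out;
    close(sv[0]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    return ok && WIFEXITED(status) && WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) {
    uint32_t r = 0;
    int rc = crypto_request((const uint8_t *)"demo-input", 10, &r); /* constructed input */
    printf("rc=%d result=%08x\n", rc, (unsigned)r); return rc ? 1 : 0;
}
```

The sandbox limits which system calls the worker can make, not what it puts into the bytes it returns; the parent still has to treat the result as untrusted data.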

Question 2

Consider an imperative programming language that is designed to prevent inadvertent disclosure of confidential information by assigning a sensitivity label at compile-time to all values that the program handles. In this hypothetical language: the programmer must label every variable as either SECRET or PUBLIC; program inputs are labelled SECRET; all outputs must be labelled PUBLIC; and constants are considered both SECRET and PUBLIC (i.e., they can be labelled either SECRET or PUBLIC, according to whichever is more convenient). The compiler requires that, for each expression E in the program, all subexpressions of E must have the same label as the label on E. Also, the compiler forbids assigning a SECRET value to a PUBLIC variable. This is the core language. Assume that the core language has no support for I/O, other than for reading inputs or writing outputs.

(a) Suppose the core language is extended with if-then-else statements. Give an example of a program where information can flow from a SECRET input to a PUBLIC output.

(b) Suppose the core language is extended with pointer types. The compiler's checks are extended so that &x is considered to have the same label as x, and so that *p has the same label as p. Pointer arithmetic and type-casts to/from pointer types are forbidden, all pointer dereferences are automatically bounds-checked by the compiler, and pointers must be used in a type- and memory-safe way. Give an example of a program where information can flow from a SECRET input to a PUBLIC output.
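One reading of the core language's label rules from Question 2, written as a checker over expression trees. This is an added example, not part of the original assignment; it covers the core language only, without the if-then-else or pointer extensions of parts (a) and (b), and all type and function names are hypothetical.

```c
#include <stdio.h>

/* Labels of the core language; EITHER is the label of a constant. */
enum label { PUBLIC, SECRET, EITHER, ILL_TYPED };
enum kind { E_CONST, E_VAR, E_INPUT, E_BINOP };

struct expr {
    enum kind kind;
    enum label declared;            /* used only when kind == E_VAR */
    const struct expr *lhs, *rhs;   /* used only when kind == E_BINOP */
};

/* Subexpressions must agree; a constant adopts whatever the other side has. */
static enum label unify(enum label a, enum label b) {
    if (a == ILL_TYPED || b == ILL_TYPED) return ILL_TYPED;
    if (a == EITHER) return b;
    if (b == EITHER) return a;
    return a == b ? a : ILL_TYPED;
}

/* Label the compiler would assign to e, or ILL_TYPED if it rejects e. */
enum label label_of(const struct expr *e) {
    switch (e->kind) {
    case E_CONST: return EITHER;
    case E_VAR:   return e->declared;
    case E_INPUT: return SECRET;    /* program inputs are labelled SECRET */
    case E_BINOP: return unify(label_of(e->lhs), label_of(e->rhs));
    }
    return ILL_TYPED;
}

/* "target = e" is rejected for ill-typed e or a SECRET value into PUBLIC. */
int assign_ok(enum label target, const struct expr *e) {
    enum label l = label_of(e);
    return l != ILL_TYPED && !(target == PUBLIC && l == SECRET);
}

/* Outputs must be labelled PUBLIC (a bare constant qualifies). */
int output_ok(const struct expr *e) {
    enum label l = label_of(e);
    return l == PUBLIC || l == EITHER;
}

int main(void) {                    /* constructed program: output(input + 1) */
    struct expr in = { E_INPUT, SECRET, 0, 0 }, one = { E_CONST, EITHER, 0, 0 };
    struct expr sum = { E_BINOP, EITHER, &in, &one };
    printf("output(input + 1) accepted: %d\n", output_ok(&sum));
    return 0;
}
```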

Question 3

You've been assigned two implementations of htmlfilter (see HW 1) that were submitted to me in HW1. Your goal will be to assess how well those implementations meet the security goals set out in HW1 (you may want to refer to the HW1 assignment if you've forgotten the problem specification). You do not need to review how well they meet the functionality requirements.

To begin, I will email you your assigned implementations. Implementations are identified by a two-digit code (e.g., 17.tar); I will assign you two of those implementations. Download those two implementations from this directory. Do a security audit of both.

  1. What is the two-digit ID number of your first assigned implementation? What are its main security weaknesses or most plausible security failure mode?
  2. What is the two-digit ID number of your second assigned implementation? What are its main security weaknesses or most plausible security failure mode?
  3. If you were forced to choose between these two implementations, which one would you judge to be more likely to meet its security goals (i.e., less likely to have its security penetrated)? Why?

Promise: Your answers on this homework will not affect the grades of anyone else. You can feel free to critique an implementation honestly and frankly without fearing that your comments will have any negative effect on that person's grade. Grades for HW1 will have already been assigned by the time I see your solution. I will not show your evaluation to the authors of your assigned implementations.