This problem set is due Thursday, November 6th.
You may work together and discuss the questions on this homework with others, but the writeup you turn in must be your own, and you should list anyone who you collaborated with. You may use any source you like (including other papers or textbooks), but if you use any source not discussed in class, you must cite it.
A Stanford student has heard that there are lots of hackers out there probing web servers and sending them malicious requests. So, as an experiment, he decides to set up a simple server running on his desktop machine that listens on TCP port 80 and records all data sent to it (the HTTP request, HTTP headers, etc.). Moreover, he sets it up so that the entire log of this data is automatically published on his personal web page, so that any member of his research group can check out the latest set of requests to his web server.
You can assume that he regularly logs onto Stanford web sites, does e-banking at Wells Fargo, and generally surfs the web from his desktop machine.
What could go wrong? List a security risk introduced by this experiment, i.e., describe a way that a hacker might be able to take advantage of this experimental setup to compromise the Stanford student's security. You can assume that the software is free of implementation flaws: it works as described, and has no bugs.
(Hint: Try looking up the DNS record for localhost.stanford.edu. Does it give you any ideas?)
Many versions of the Internet Explorer browser do "MIME content-type sniffing", which is intended so that IE can still display websites that serve content labelled with the wrong MIME type. The way this works is that IE scans the first 512 bytes of all the content it receives (e.g., documents, images, etc.), looking for character sequences that tend to be representative of HTML (e.g., <HTML, <BODY, <BR, <TITLE, and so on). It keeps a count of the number of matches, and if the number of matches is high enough, it ignores the MIME type provided by the web server and instead treats the content as HTML.
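To make the heuristic concrete, here is an added model of it (not code from the problem set or from Microsoft), usable as an upload-time screen that reports what a sniffing browser would treat a blob as. The 512-byte window and the four markers come from the description above; the extra markers and the match threshold are assumptions, since the real values are undocumented.

```python
# Parameters: the window size is from the description above; the marker list
# beyond the four named tags and the threshold are assumed for illustration.
SNIFF_WINDOW = 512
HTML_MARKERS = (b"<html", b"<body", b"<br", b"<title", b"<head", b"<script")
MATCH_THRESHOLD = 2

def count_html_markers(data: bytes, window: int = SNIFF_WINDOW) -> int:
    """Count HTML-like tag sequences (case-insensitive) in the first `window` bytes.
    Anything after the window is never examined by the sniffer."""
    head = data[:window].lower()
    return sum(head.count(marker) for marker in HTML_MARKERS)

def would_be_sniffed_as_html(data: bytes, threshold: int = MATCH_THRESHOLD) -> bool:
    """Model of the heuristic: enough matches in the window and the served
    MIME type is ignored in favour of text/html."""
    return count_html_markers(data) >= threshold

def classify_upload(data: bytes, declared_type: str) -> str:
    """Upload-time screen: the effective type a sniffing browser would use,
    regardless of the Content-Type the server intends to send."""
    if would_be_sniffed_as_html(data):
        return "text/html"  # declared type would be overridden
    return declared_type

# Constructed sample inputs (not real image files).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
clean_png = PNG_MAGIC + b"\x00" * 600
# Valid-looking image header followed by HTML-like text inside the sniff window.
tagged_png = PNG_MAGIC + b"<html><body><title>x</title></body></html>" + b"\x00" * 600
# Same markers placed after the 512-byte window: the sniffer never sees them.
late_tagged_png = PNG_MAGIC + b"\x00" * 600 + b"<html><body></body></html>"

if __name__ == "__main__":
    for name, blob in [("clean", clean_png), ("tagged", tagged_png), ("late", late_tagged_png)]:
        print(name, count_html_markers(blob), classify_upload(blob, "image/png"))
```

Because the real marker list and threshold are unknown, a screen like this only helps understand the mechanism; it is not the robust defense the next question asks for.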
(a) Explain the security implications of this for a site like MySpace, which allows users to upload an image of themselves onto their page, or Flickr, which allows users to upload photo albums. In other words, describe an attack that is enabled by IE's content-type sniffing.
(b) Suggest a robust defense that MySpace could use to protect itself. (Keep in mind that the details of IE's content-type sniffing heuristic are not clearly documented by Microsoft, and might even change in future versions of IE. For robustness, you probably ought to assume that hackers may know more about how content-type sniffing works than you do; and ideally your defense would remain secure even if Microsoft makes minor changes to IE's content-type sniffing heuristic in the future.)
This question asks you to explore some of the consequences of active networks, where packets can contain mobile code that is executed by the routers along the path.
For concreteness, we can think of 'adaptive routing' as a sample application: if your TCP connection to France is too slow because of poor bandwidth on the transatlantic link and for some reason you happen to know that there is a much faster route to France via China, you might wish to adaptively update the route your TCP packets take. In this case, you would "push" some mobile code into each router along the way; the mobile code would run at each router before the packet is forwarded and select which interface to send it out over.
We describe below a series of extensions to the IP protocol suite that allow for progressively more sophisticated active networks applications. For each of the four parts below, first list the security threats that might arise for that extension; then explain how those threats could be addressed/mitigated. The purpose of this question is to study issues that are inherent in the functionality; you may ignore the risk of implementation bugs such as buffer overruns.
Don't forget: In each part, you should list security threats, and also propose a way that those threats could be addressed (e.g., propose a fix).