Homework 1
Due Date: January 19, 1999
Points: 200
- (20 points) Pfleeger's book Security in Computing states the
basic goals of security as "preventing interruption, interception,
modification, and fabrication."
Please compare and contrast these four goals
with the three goals discussed in class (which were to provide confidentiality,
integrity, and availability).
- (20 points) In class, someone pointed out that a denial of service
may differ from a very long delay, because a request may need to be answered
within a short period of time. Hence delaying for even a short period of time
may have the same effect as a denial of service. Please give an example of a
request that must be satisfied within a short period of time (say, one hour).
Please give another example of a request that can be satisfied at any time.
- (40 points) The entropy function $H(p_1, \ldots, p_n)$ must satisfy several properties, including the following (for which we assume $p_1 + \cdots + p_n = 1$):
  - $H(p_1, \ldots, p_n)$ is maximal when $p_1 = \cdots = p_n = 1/n$;
  - For any permutation $\pi$ of $(1, \ldots, n)$, $H(p_{\pi(1)}, \ldots, p_{\pi(n)}) = H(p_1, \ldots, p_n)$;
  - $H(p_1, \ldots, p_n) \ge 0$; it is 0 if all $p_i$ are 0 except for one, which is 1;
  - $H(p_1, \ldots, p_n, 0) = H(p_1, \ldots, p_n)$;
  - $H(1/n, \ldots, 1/n) < H(1/(n+1), \ldots, 1/(n+1))$;
  - $H(1/mn, \ldots, 1/mn) = H(1/n, \ldots, 1/n) + H(1/m, \ldots, 1/m)$;
  - $H$ is continuous in its arguments; and
  - $p = \sum_i p_i$, $q = \sum_i q_i$, $p > 0$, $q > 0$, $p + q = 1$ implies $H(p_1, \ldots, p_m, q_1, \ldots, q_n) = H(p, q) + p\,H(p_1/p, \ldots, p_m/p) + q\,H(q_1/q, \ldots, q_n/q)$.
  Please show that the function $H(p_1, \ldots, p_n) = -\lambda \sum_k p_k \lg p_k$ (where the sum is over those $k$ for which $p_k > 0$) meets these conditions.
- (20 points) Let $X$ be an integer variable represented with 32 bits. Suppose that the probability is 1/2 that $X$ lies in the range $[0, 2^8 - 1]$ with all such values being equally likely, and 1/2 that $X$ lies in the range $[2^8, 2^{32} - 1]$, with all such values being equally likely. Please compute $H(X)$.
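As an added illustration of the two entropy problems above (this code is not part of the original assignment), the following Python implements $H$ exactly as defined there, checks several of the listed conditions numerically, and uses the last (grouping) condition to compute the entropy of a variable that is uniform within blocks of known sizes, which is the shape of the 32-bit problem, without enumerating the values. The block weights and sizes passed to the functions are constructed values for the checks.

```python
import math


def entropy(probs, lam=1.0):
    """H(p_1, ..., p_n) = -lambda * sum_k p_k lg p_k, summed over p_k > 0.

    lam is the constant lambda from the assignment; lam = 1 gives bits.
    """
    if any(p < 0 for p in probs):
        raise ValueError("probabilities must be non-negative")
    if abs(sum(probs) - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return -lam * sum(p * math.log2(p) for p in probs if p > 0)


def uniform(n):
    """The distribution (1/n, ..., 1/n)."""
    return [1.0 / n] * n


def check_properties(m, n):
    """Numerically check three listed conditions for the given m and n:
    appending a zero probability, monotonicity of the uniform case in n,
    and additivity H(1/mn, ...) = H(1/n, ...) + H(1/m, ...)."""
    tol = 1e-9
    ok_pad = abs(entropy(uniform(n) + [0.0]) - entropy(uniform(n))) < tol
    ok_mono = entropy(uniform(n)) < entropy(uniform(n + 1))
    ok_add = abs(entropy(uniform(m * n))
                 - (entropy(uniform(n)) + entropy(uniform(m)))) < tol
    return ok_pad and ok_mono and ok_add


def block_uniform_entropy(weights, sizes):
    """Entropy of a variable that falls into block i with probability
    weights[i] and is uniform over the sizes[i] values of that block.
    By the grouping condition this is
        H(weights) + sum_i weights[i] * H(uniform(sizes[i]))
      = H(weights) + sum_i weights[i] * lg(sizes[i]),
    so blocks as large as 2^32 cost nothing to handle."""
    return entropy(weights) + sum(w * math.log2(s) for w, s in zip(weights, sizes))


def block_uniform_direct(weights, sizes):
    """The same quantity from the fully expanded distribution; only
    feasible for small blocks, used to confirm the grouping form."""
    probs = [w / s for w, s in zip(weights, sizes) for _ in range(s)]
    return entropy(probs)


if __name__ == "__main__":
    print(check_properties(2, 3))                      # True
    print(block_uniform_entropy([0.5, 0.5], [4, 12]))  # about 3.7925 bits
```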
- (40 points) The following was enciphered with a Vigenère
cipher. Please break it.
TSMVM MPPCW CZUGX HPECP RFAUE IOBQW PPIMS FXIPC TSQPK SZNUL OPACR DDPKT
SLVFW ELTKR GHIZS FNIDF ARMUE NOSKR GDIPH WSGVL EDMCM SMWKP IYOJS TLVFA
HPBJI RAQIW HLDGA IYOUX
- (60 points) The host lassen.cs.ucdavis.edu is a Data
General Aviion system that is rated as fairly secure (B2 in the TCSEC). We will
be conducting a penetration test as a class experiment throughout this term.
The goal is to acquire access to the system as a user (root or
otherwise). The first step in a penetration test is to hypothesize flaws, or
potential vulnerabilities. For this exercise, you must assume you are analyzing
the system as though you have no access to it other than from the network. You
will hypothesize potential flaws, but not test them yet.
- Determine what network servers lassen is running.
(Hint: find the program strobe, download it and use it.)
- Please devise three possible network-based vulnerabilities on the system
using your knowledge of the servers and of potential vulnerabilities in them.
Your description should have the following format:
- your name;
- server with the vulnerability;
- possible vulnerability being exploited (you need not verify that the Data
General has the flaw, but you must describe the flaw you are hypothesizing);
- how to verify the vulnerability in the absence of source code (if an
"attack program" is required, you may use pseudocode to describe the attack
program);
- expected result of exploiting the vulnerability;
- why you think it is there (for example,
other systems with the same flaw, use
of servers implementing known, buggy protocols, etc.);
- source (if you get the idea for an attack from a book or an Internet site,
say where).
Please post your description to the newsgroup ucd.class.ecs253.d. As
part of the requirement for this answer, each student must submit 3
different potential vulnerabilities; the first poster of each vulnerability
gets credit for it. So be sure your vulnerabilities are different from your
classmates'!
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 1/18/98