MSc in Computer Security
MSc in Advanced Computer Science
Time allowed: 1.5 hours. Answer THREE out of the four questions.
One point is discretionary and will be given for particularly good answers.
Question 1
Suppose some programmers are writing code to control access to a computer system, as specified by some policy. The policies are expressed as Boolean expressions built up from logical operators and equality tests. Some of the information needs to be supplied by users. The system then constructs a string to represent the boolean expression for deciding access, and evaluates the string to true or false. If the string evaluates to true, access is granted; otherwise it is denied.
For example, the constructed string may be
foo = password AND (permission = writeable)
Here "foo" is a string supplied by the user.
(a) Explain what is bad security practice in this way of programming.
[9%]
(b) Give a malicious input to bypass the authorization in the example above, and describe how it works.
[8%]
(c) A different design for the same software works as follows: the Boolean expressions are represented in an object-oriented way. Specifically, each logical operator is represented as a Java object. When user input is supplied in the example above, one of the fields of the object for the operator AND is updated to hold the object-oriented representation of the input. The resulting data structure is then evaluated to true or false by interpreting the objects for the operators in the evident way. Explain how this change of design impacts the security of the application.
[8%]
(d) Explain to what extent the situation described above is similar to constructing SQL queries by programs. In particular, what programming technique in working with SQL has a similar effect to the approach in part (d) above?
[8%]
Question 2
Consider the following snippet of C code:
int f()
{
int r1;
char data[32];
int r2;
r1 = rand(); /* pick a random number */
r2 = r1;
gets(user_data);
if (r1 != r2)
exit(); /* terminate program */
else
/* proceed with the program */
...
}
(a) Explain exactly what in the above code snippet could pose a security risk.
[9%]
(b) The programmer has tried to mitigate the risk from part (a) by adding the conditional. Which real-world defence mechanism works similarly to the idea in the above code? (In reality, it would be added by the compiler rather than by hand.)
[8%]
(c) Explain to what extent this code could work as a defence against stack buffer overflows and arbitrary code execution. Draw the call stack as it looks during an attack.
[8%]
(d) Explain a better programming technique for defending against the vulnerability.
[8%]
Question 3
Edmund and Edgar both use a web application for managing documents. The application maintains a Unix directory tree for each user. Suppose Edmund logs in with his user name "edmund" and submits a document called "letter.pdf". The application then saves the file in
users/edmund/letter.pdf
(a) Edmund wants to forge an incriminating letter attributed to Edgar. He cannot guess Edgar's password, but he knows the document application was programmed carelessly and without regard to secure programming principles. Explain what attack Edmund may try in order to insert a malicious letter .
[9%]
(b) What is the standard technique for preventing the attack in part (a) above?
[8%]
(c) Edgar suspects that his documents can be tampered with. He lists the directory containing the letter, which shows that the letter was last modified exactly when he last submitted it. Edgar feels reassured and sends the letter as an email attachment to Mr Gloucester. Explain whether Edgar is justified in assuming the correct letter has been sent.
[8%]
(d) Describe the attack in part (a) in terms of changing the structure of parse trees. You should assume the following simplified grammar for Unix path names. The non-terminal F ranges over file or directory names consisting of letters.
P → G Q
Q → / G Q
Q →
G → F
G →..
[8%]
Question 4
Suppose you are consulting for the developers of some popular software that presents information from a database.
(a) The developers have thought about security and make the following points:
(i) If an attacker writing malicious input gets a little syntactic detail wrong, the result will not be parsed correctly, and an SQL injection cannot happen. At worst, we get a syntax error.
(ii) As our code is not open source, we are therefore safe from SQL injection attacks.
(iii) Even though we assume that there will be no such attacks, we still recommend not to give the application write access to databases.
Explain to what extent the above reasoning is justified and follows good security principles.
[9%]
(b) The developers argue that they have inspected their whole code base and made sure that only prepared statements are used for SQL. Explain whether that means they must be secure from SQL injection.
[8%]
(c) When you explain tautology SQL command injection attacks to the developers, they quickly propose to defend against them by adding parentheses. For instance, they rewrite this code snippet
"SELECT * FROM Table WHERE name = '" + username + "'"
as follows:
"SELECT * FROM Table WHERE name = ('" + username + "')"
Explain to what extent this defence works against the SQL command injection attack on the original code.
[8%]
(d) Explain how attackers can change their malicious input to defeat the proposed defence from part (c) above.
[8%]