Transcript of cs146a: reading assignment 8.1
cs146a: reading assignment 8.1 As a warmup, for the TOCTTOU problem, please explain how a tool we have learned about earlier in the semester, could have helped to avoid the problem and how. Meanwhile... Adversary V.I.P Guard A guard is stationed outside a door to check the ID of V.I.P. trying to enter. While the Guard glances down at the ID, an Adversary slips through the open door The Problem is the door was left open while the guard is busy. We need a mechanism to make sure the Guard knows to lock the door while checking IDs. Meanwhile... Adversary V.I.P Guard Now, if we send in a safety committee, called ERASER, they will note that note that the Guard that he isn't shutting the door when checking IDs and that this is potentially a problem. The Guard, now knowing what the problem is, changes his algorithm to keep the door shut. explain whether the Slammer attack be possible if all the network listener programs (including the one you wrote for Project 2) would be implemented using Java language instead of C? I don't know why but here's why it couldn't be implemented in Prezi Answer Space: Grade space: 2 Brownies if you can read this and give me credit for the response: Please explain for each case study how the secure system design principles (from Section 1), identified by the analysis as being violated, could have averted the security problem. TOCTTOU Lesson: For complete mediation to be effective, one must also consider the dynamics of the system. If the user can change something after the guard checks for authenticity, integrity, and permission, all bets are off. Slammer Lessons: From this incident we can draw different lessons for different network participants: For users, the perennial but often-ignored advice to disable unused network ports does more than help a single computer resist attack, it helps protect the entire network. For vendors, shipping an operating system that by default activates a listener for a feature that the user does not explicitly request is hazardous to the health of the network (use failsafe defaults). For implementers, it emphasizes the importance of diligent care (and paranoid design) in network listener implementations, especially on widely activated UDP ports.* From Saltzer & Kaashoek Ch. 11 There is only one funny thing about that comic, and it is that the child's nickname is Little Bobby Tables. On http://xkcd.com/327/ : I didn't know Java, so I looked up Java Stack Smashing: http://c2.com/cgi/wiki?StackSmashingFull transcript
"(a) Java checks the bounds of array accesses (b) Java arrays are always allocated on the heap and (c) there is no way to write data of arbitrary length into primitive values on the Java stack"
This puts it pretty well. To answer your questions with a different question: What's the Capital of Thailand? The answer is a rather painful analogy to SQL Injection... Address each of these in their respective frames Isn't it Bangkok? Yes!
Yes it is! This is a race condition that can be easily fixed by providing locks to shared variables. In this algorithm the door is the filename of the file to be deleted. ERASER will note that the filename is a shared variable without a lock and will inform us that the filename needs to be locked down. See what I did? I first wrote a sentence in my answer space and then I overwrote it with another response that was longer than the "Answer Space, and ran over into the "Grade Space". So even if the length of the answer space was dynamically initialized, I could still sneak into the Grade Space, which is a restricted area. I'm going to choose to keep the graphic details of that analogy cryptic, but basically if one uses syntax that in itself signals code, then a user could use a non-sanitizing input to send commands to the program.
An input string ends with " '); " so anything after that is no longer a string but actual code. If these characters aren't filtered from the input, then there is no difference between code and string.