SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 4 (System Security)
In the lectures, some types of covert channels have been introduced.
(a) What differentiates covert channels from normal communication channels? Why and how could they cause problems?
(b) Why is it harder to secure an environment against covert channels than it is agains most other types of unwanted communication?
Copyright By PowCoder代写 加微信 powcoder
(c) Is it feasible to run real-world attacks based on covert channels? Do some online research and try to find out if there are recent cases.
(d) Assume two processes are running on the same physical computer. Choose an arbitrary form of covert channel communication which can be prevented by one of the process isolation measures from the lectures and explain the case.
Also give an example for a covert channel which can not be prevented by these measures.
4.2 File Permissions
(a) Which three permissions can be specified for UNIX files?
Solution: Read (r), Write (w) and Execute (x)
(b) Who can be granted these privileges? Hint: There are three levels of granularity.
Solution: The user, the group and others
(c) In the home directory ”top-secret” on the server of the German parliament, you type ls -l
and get the following output:
-rw-rw-r– schlz ampel coalition.pptx
drwx—— mrkl mrkl g8-topics
-rw-r—– sphn ministry-health ffp2-invoice.pdf
-rwsr-xr-x root root omicron.sh
What do you learn about the files from this information? 1/4
Solution: While other communication channels are mostly intended, covert channels work across boundaries that are designed to stop communication from happening. That’s obviously a problem in terms of isolation: If undesired communication channels exist, software that should run isolated can instead interact with other components, unveiling sensible data for example.
Solution: The main reason is that covert channels are hard to detect in the first place, because they escape the boundaries of traditional concepts. Oftentimes, possible channels remain undetected for decades, before being discovered.
Solution: Yes, there are various cases for real world attacks based on caching (Meltdown and Spectre, 2017) or hardware effects (Rowhammer, 2015) for example.
Solution: The file locking covert channel from the lecture can only occur if both processes are able to access the same file. Once we isolate the processes in the sense that each one accesses its own file system, the channel is closed.
In contrast, channels which exploit physical effects are still possible abuse. These include for example CPU timing attacks and caching effects.
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 4 (System Security)
• The user schlz owns the file coalition.pptx, the group ampel can read and write it and everyone else can read it.
• g8-topics is a directory and only the user mrkl has (full) access.
• The user sphn can read and write the file ffp2-invoice.pdf and the group
ministry-health can also read it.
• The file omicron.sh can only be written by root but everyone can read it and execute it with the rights of root.
4.3 Bell-LaPadula/Biba Model
(a) Where lies the difference between the Bell-LaPadula model and the Biba model and what are their goals?
Solution: Bell-LaPadula aims for secrecy while Biba aims for integrity.
(b) We define a notation a →r b for level a wants to read from level b and a →w b for level a wants to write to level b. 0 is the most and 3 the least privileged/authorative level. Which of the following access requests are permitted by which model?
0 →r 0 1 →r 3 0 →w 2 1 →w 1 3 →w 2 3 →r 2
Bell-La Bell-LaPadula & Biba
0→r0 1→r3 0→w2 1→w1 3→w2 3→r2
Bell-La Bell-LaPadula & Biba
(c) What is the problem when using both Bell-LaPadula and Biba at the same time?
Solution: Both models serve complementary purposes. If applied at the same time, all communication between levels is prohibited and data may only be exchanged within the same level.
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 4 (System Security)
4.4 Special registers
(a) Flags: The {R|E}FLAGS register contains certain processor state, most interestingly during normal operation, the carry flag CF at index 0 (least significant bit), the zero flag ZF at index 6, the sign flag SF at index 7, and the overflow flag OF at index 11.
The carry flag applies to unsigned operation, while the sign and overflow flags apply to signed operation.
These flags generally refer to the result of the most recent arithmetic operation and control most conditional branches. Importantly, since comparisons (via the cmp instruction) are just subtractions under the hood, certain conditional instructions are functionally equivalent, such as je (jump if equal) and jz (jump if zero) for example, as subtracting a number from itself will always return zero.
For the following snippet, decide whether or not the branches would be taken and explain why.
mov eax, 0 mov ebx , 1234 cmp eax , ebx
I je: Jump if equal
Solution: No, as 0 ̸= 1234, and therefore ZF = 0.
II jz: Jump if zero Solution: Same as je.
III jb: Jump if below (unsigned less-than)
Solution: Yes, as 0 < 1234, and therefore the carry flag will be set.
IV jl: Jump if lesser (signed)
Solution: Same as jb, since both operands are positive, although the flags inspected are different. While jb just looks at the carry flag, jl checks for the exclusive-or of the sign flag and the overflow flag. The reasoning behind this is as follows:
If the first operand is positive and the second is negative, the subtraction becomes an addition of two positive values, meaning the result can be negative if and only if the calculation overflows. Therefore, SF = OF in all cases and the branch is not taken.
In the inverse case, i.e. first operand negative and second positive, the situation regarding overflows is also exactly inverse: since we’re subtracting a positive value from an already negative one, the result with either be negative or overflow back into positive. In both cases, exactly one of SF or OF will be set and the branch is taken.
If both operands are positive, a subtraction can never overflow, meaning OF is unset in all cases, but the result will be negative if the first operand is smaller than the second. A negative result will cause SF to be set and the branch will be taken.
If both operands are negative, a subtraction can also never overflow, as it is effectively an addition of a positive and a negative value. Therefore, once again, the only flag that matters is SF. The difference between two negative values is negative if and only if the first operand is more negative than the second. In that case, SF will be set and the branch will be taken.
You can do even more fun things with the flags, although this is probably not something you should do in an actual application: while they cannot be accessed directly, you can store flags to the stack using pushf and load them from there using popf.
TU Dortmund WS 2021/2022
and ax, 0xFFFE or ax, 0x00C0 and ax, 0xF7FF push ax
Prof. Dr. C. Rossow / S. Hausotte
Exercise 4 (System Security)
After this code executes, what are the values of each of the flags mentioned at the start of this question? NB: The previous values are not relevant; all relevant bits are written to.
Solution: The code first pushes the current flags to the stack, then uses pop to move them to ax. There the flags are modified and then pushed back to the stack, after which popf is used to put them back into the flags register.
• CF: cleared by the first and. 0xFFFE equals 1111 1111 1111 1110 in binary, meaning only the least significant bit is cleared and all others are left untouched.
• ZF and SF: set by the or. 0x00C0 equals 0000 0000 1100 0000 in binary, meaning bits 6 and 7 are set and all others are left untouched.
• OF: cleared by the second and. 0xF7FF equals 1111 0111 1111 1111 in binary, meaning only bit 11 is cleared and all others remain the same.
(b) Instruction pointer: the rip register contains the address of the next instruction to execute.
1 2 3 4 5 6 7 8 9
The call instruction pushes the address of the first instruction after it onto the stack, and then jumps to the address passed in its argument. The ret instruction inverses this by popping the value at the top of the stack into the instruction pointer register.
In the following snippet, assume the line numbers are addresses. This is for the sake of simplicity, as real x86 instructions don’t always have the same length.
mov rbx, 5 call double mov rbx , rax jmp 1234
mov rax , rbx add rax , rax ret
What are the values of the rip register after
I the first mov, II the call,
III the ret,
IV and the jmp?
I First mov: 2
II call: 7, the address of the first instruction in double
III ret: 3
IV jmp: 1234
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com