Homework 1

Due Mon. Apr. 24, 2006 before midnight. Email the answers to my Helios account.

Part 1 - Questions from the Books (20pts)

  1. Pfleeger 1.19 - Consider a program to accept and tabulate votes in an election. Who might want to attack the program? What types of harm might they wish to cause? What kinds of vulnerabilities might they exploit to cause harm?
  2. Bishop 1.19 - Argue for or against the following proposition. Ciphers that the government cannot cryptanalyze should be outlawed. How would your argument change if such ciphers could be used provided that the users registered the keys with the government?
  3. Bishop 8.3 - If one-time pads are provably secure, why are they so rarely used in practice?
  4. Pfleeger 2.15 - Explain why the product of two relatively simple ciphers, such as a substitution and a transposition, can achieve a high degree of security.
  5. Pfleeger 2.29 - If the useful life of DES was about 20 years (1977-1999), how long do you predict the useful life of AES to be? Justify your answer.
  6. Bishop 20.4 - A common error on UNIX systems occurs during the configuration of BIND, a directory name server. The time-to-expire field is set to 0.5 because the administrator believes that this field's unit is minutes (and wishes to set the value to 30 seconds). However, BIND expects the field to be in seconds and reads the value as 0 - meaning no data is ever expired.
    Classify this using the following vulnerability models. Justify your answer.
    1. RISOS
    2. PA
    3. Aslam's
  7. Bishop 20.6 - An attacker breaks into a Web server running on a Windows 2000-based system. Based on the ease with which he broke in, he concludes that Windows 2000 is an operating system with very poor security features. Is his conclusion reasonable? Why or why not?
  8. Bishop 20.9 - Why might an analyst care how similar two vulnerabilities are?
  9. Bishop 20.10 - One expert noted that the PA model and the RISOS model are isomorphic. Show that the PA vulnerability classifications correspond to the RISOS vulnerability classes and vis versa.
  10. Pfleeger 3.8 - The distinction between a covert storage channel and a covert timing channel is not clear-cut. Every timing channel can be transformed into an equivalent storage channel. Explain how this transformation could be done.

Part 2 - Project Milestone (10pts)

Write a brief summary of the research you have done so far for your project topic. Include several references to papers, articles, proceedings, etc. on your topic. Describe what steps still remain to finish your project if it is not a survey paper project and your basic timeline for completion.