Take Home Final Exam
CSE 227 Winter 2003

The answers to this final exam are due midnight, Friday Mar 21st, 2003. You should email the answers to me at bsy+cse227.w03@cs.ucsd.edu. Make sure that your email works! You can cc yourself, and on Unix systems use the mailq command to see whether the mail is actually getting delivered.

1. In cryptography, protocol designers assume that the cryptographic algorithm and protocol are known to the attacker, and the security analysis attempts to bound the success probability of the attacker as a function of expended effort, with no other assumptions or constraints on the attacker (i.e., the attacker can use the best available attack techniques) except perhaps that the attacker utilizes only a polynomial amount of resources. The assumptions about the attacker's access are often simpler than in systems work (e.g., eavesdropping only, or eavesdropping plus network packet injection).

Good systems security mechanisms must also make it less likely for an attacker to succeed. However, systems being complex entities, there will be multiple points of vulnerability, and attackers will penetrate the system at its weakest link.

Discuss StackGuard, RaceGuard, and AEGIS in this context, addressing:

A. What are their threat models? What do their threat models leave out?
B. How hard would it be for an attacker to bypass their security mechanism(s)? Discuss possible ways of doing so.
C. Do these mechanisms reduce the (unconstrained) attacker's success probability? Are they worthwhile?
D. Is reasoning about system security using a probabilistic model the correct approach? Explain why or why not.

2. Read the pre-print of a paper at ftp://www.cs.ucsd.edu/pub/bsy/pub/monotonicity-preprint.ps

Discuss:

A. What is the threat model? What does the threat model leave out?
B. How different is the state transition inconsistency detection from an intrusion detection system? Discuss similarities and differences.
C. Does this scheme work synergistically or antagonistically with the ideas in the Authentication and State Appraisal paper? Assuming you need to use mobile agents, do these schemes reduce the (unconstrained) attacker's success probability? Would these schemes be worthwhile?
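As a starting point for question 1A and 1B on StackGuard, the following is an added example (it is not part of the exam and not code from the StackGuard project). It models the frame layout StackGuard enforces: a guard word (the canary) placed between the local variables and the saved return address, checked in the function epilogue. A linear overrun of a local buffer has to cross the canary before it reaches the return address, so the check fires; a single write through an attacker-controlled pointer lands on the return address directly and leaves the canary intact, which is what the mechanism's threat model leaves out. The struct layout, the constant canary value and the byte-offset attacker write are constructed assumptions for illustration; real StackGuard used random or terminator canaries, not a fixed constant.

```c
/* Constructed model of a StackGuard-style canary check (added example; not
 * from the exam or from StackGuard itself). The frame layout, the fixed
 * canary value and the attacker's writes are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Activation record as StackGuard arranges it: the canary sits between the
 * locals and the saved return address, so a linear overflow of buf must
 * pass through the canary before it can reach saved_ret. */
struct frame {
    char      buf[16];     /* local buffer that an unchecked copy overruns */
    uint32_t  canary;      /* guard word written in the prologue */
    uintptr_t saved_ret;   /* saved return address the attacker wants */
};

#define CANARY_VALUE ((uint32_t)0xA5F00D42u)  /* assumed constant canary */
#define ORIGINAL_RET ((uintptr_t)0x08048000u) /* assumed caller address */

enum { RET_INTACT = 0, CANARY_SMASHED = 1, RET_CHANGED = 2 };

static void frame_init(struct frame *f)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->saved_ret = ORIGINAL_RET;
}

/* Epilogue check: nonzero means StackGuard would abort instead of returning. */
static int canary_check(const struct frame *f)
{
    return f->canary != CANARY_VALUE;
}

/* Simulate an attacker-controlled write of `len` bytes of 0x41 starting at
 * byte offset `off` of the frame, then run the epilogue check.
 * Returns a bit mask: CANARY_SMASHED if the check fires, RET_CHANGED if the
 * saved return address was modified; -1 if the write would leave the frame. */
int frame_attack(size_t off, size_t len)
{
    struct frame f;
    int result = RET_INTACT;

    if (off > sizeof f || len > sizeof f - off)
        return -1;

    frame_init(&f);
    /* Write into the frame's object representation. With off == 0 this is a
     * plain strcpy/memcpy overrun of buf; with off at saved_ret it models an
     * indirect write through a corrupted pointer that never touches the canary. */
    memset((unsigned char *)&f + off, 0x41, len);

    if (canary_check(&f))
        result |= CANARY_SMASHED;
    if (f.saved_ret != ORIGINAL_RET)
        result |= RET_CHANGED;
    return result;
}

int main(void)
{
    size_t ret_off = offsetof(struct frame, saved_ret);

    printf("in-bounds copy          : %d\n", frame_attack(0, 16));
    printf("linear overflow, 4 past : %d\n", frame_attack(0, 20));
    printf("linear overflow to ret  : %d\n", frame_attack(0, sizeof(struct frame)));
    printf("pointer write onto ret  : %d\n", frame_attack(ret_off, sizeof(uintptr_t)));
    return 0;
}
```

The first three calls are the case StackGuard is designed for: once the copy runs past the end of buf the canary is corrupted and the epilogue check fires, whether or not the return address has been reached yet. The last call is the gap in the threat model: a write that is not contiguous with the overflowed buffer (a corrupted data pointer, a format-string write, a heap or .dtors overwrite) changes the return address while the canary still compares equal, so the check passes and control is diverted.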