Difference between revisions of "Computer Systems Security: Winter 2018 Assignment 3"

Due: March 26, 2018 by the start of class.

Questions

1. [2] How can you check the integrity and authenticity of a downloaded ISO image of a Linux distribution? Explain what you must assume for both integrity and authenticity to be assured.
2. [2] Describe an attack (and associated context) that could be detected using an anomaly-based intrusion detection system but would normally be missed by both specification and signature-based intrusion detection systems.
3. [2] How are intrusion detection system similar to anti-malware systems? How can they be different?
4. [1] What is one significant reason that most currently used intrusion detection systems use signatures rather than other approaches?
5. [2] Why are insider attacks potentially more damaging than outsider attacks? Explain using a simple example.
6. [1] What is a concept from this class that you find confusing or hard to understand? Please explain briefly the difficulty you are having.

Solutions

1. Download the ISO (say, from a distribution mirror) and compute its hash using SHA-1 or SHA-256. Then compare it to the hash available from the main distribution website. To get a further guarantee, verify the hash file using a digital signature. (Normally, wherever you have the list of hashes, you also have a detached signature for the hash list file.) For example, see [1] for the Ubuntu server hashes. The Ubuntu Verify ISO Howto explains the process in some detail. Note for this to work, we have to assume that 1) the obtained hash is authentic (either because we downloaded it from a trusted source or because it was signed by a trusted key) and 2) the hash function has not been compromised. #2 is a pretty safe bet nowadays for SHA256, is probably okay for SHA1 (because breaks have been found but they are still very computationally expensive), and is highly suspect for MD5 (as MD5 collisions are trivial to create).
2. There are many possible answers for this question. Correct answers should focus on the limitations of signature and specification-based intrusion detection, specifically how signatures are a black list and specifications are a white list. Anomaly detection can detect attacks that wouldn't be listed on a black list and would be included on a white list. For example, an HR employee may be authorized to look at the address and tax identification number of specific individuals as part mailing tax forms. That same employee is not authorized to access addresses and tax identification numbers for other purposes (e.g., to commit identity theft). With standard intrusion detection or access control, the employee would be allowed to access this sensitive information at any time. An anomaly-based intrusion detection system, however, could detect that this information is being access at an unusual time or in an unusual way (e.g., from an unusual location).
3. Both intrusion detection systems and anti-malware systems can detect malware. IDSs detect them by observing the signatures of malware (e.g, patterns in network packets) or by noting the deviations in behavior they cause (violating either specification or learned models of behavior). Anti-malware systems use code and behavioral signatures analogous to the signatures of anti-malware systems; however, anti-malware systems generally apply these rules after unpacking and de-obfuscating code. They also can apply the signatures to behavior observed in sandboxed environments.
4. The key reasons for sticking with signature-based IDSs are 1) no training time (unlike anomaly detection) 2) minimal setup time (unlike specifcation-based systems) 3) can be tuned to work well in standardized benchmarks 4) clear business model (subscriptions for signature updates) 5) reputation for low false positives (although this is often not true in practice unless you tune the signature set).
5. Insider attacks are potentially more damaging because insiders have access and understand the systems. Thus, they know what steps to take in order to achieve their objectives. For example, it would be much easier for a rogue system administrator to delete all data and corrupt all backups than it would be for an outsider.
6. As long as it is an honest answer you should get full marks for this one!