Solutions to Problem Set - I

Solutions - I    10/9/07

 

CS G254/U645 Network Security

 

1) Architecture

a) Layering is the design principle in which a system is designed as a sequence of layers built on top of the underlying hardware. Each layer is implemented in terms of the service provided by the layer below and provides services to the layer above. An advantage of layering is that it provides a modular design, with the design of the whole network decomposed into small, manageable components or modules.

b) The service interface is the interface that a layer provides to the layer above, e.g. the physical service interface is the interface that the physical layer provides to the link layer above it in the same network stack.

The peer-to-peer interface is the interface provided by a layer to its counterpart in a communicating stack. For example, the network peer-to-peer interface of a browser is the interface provided by the network layer of the browser's stack to the network layer of the server's stack.

c) Examples for different layers:

Physical layer: electrical wire lines, optical fibers, and wireless connections

Data link layer: Ethernet

Network layer: IP

Transport layer: TCP/UDP

d) According to the end-to-end principle, the functionality of a network resides in the end hosts, and the core of the Internet is kept very simple. This approach makes the Internet ecosystem dynamic and supportive of new applications. The core of the Internet stays the same, while new applications are developed at the end points.

 

2) Internet – transport layer

a) Each IP packet has a TTL (time to live). At each router the TTL is decremented. When it reaches 0 the packet is discarded. Hence the initial TTL is the maximum number of router hops the packet can travel in the network.

b) Transferring large files is better over TCP. TCP guarantees reliable transmission: in-order, one-time delivery. Thus TCP guarantees that all the packets will arrive at the destination, allowing the file to be assembled on the receiver side. In contrast, UDP by itself does not have any mechanism for recovering from packet loss.

c) ICMP echo requests are packets sent to a host or device to determine whether it is alive. The expected reply is an ICMP echo-reply packet. ICMP echo-request packets are used by the ping utility to see whether a host or device is up and running on a network.

d) Traceroute is a utility that traces the path to a destination, router-hop by router-hop. Initially it sends a packet to the destination with a TTL of 1. This causes the packet to die at the first router, and the router sends an ICMP time exceeded message back to the sender. This enables the sender to determine the IP address of the first router. Next, a packet is sent with a TTL of 2 to the destination, enabling the identification of the second hop, and so on with increasing TTLs until the destination is reached.

(Additional details at http://www.freesoft.org/CIE/Topics/54.htm)

 

3) Learning by doing – IP/BGP/DNS

a) 129.10.0.0/16

155.33.0.0/16

4.21.160.128/25

204.167.52.0/24

b) 156; rwhelan@neu.edu

c) 129.10.116.80

d) 156 Northeastern University. 1239 Sprint.

e) traceroute from www.net.berkeley.edu to www.ccs.neu.edu

 1  vlan206.inr-203-eva.Berkeley.EDU (128.32.206.2)  0.525 ms  0.424 ms  0.348 ms
 2  g3-1.inr-202-reccev.Berkeley.EDU (128.32.255.9)  0.328 ms  0.338 ms  0.349 ms
 3  ge-1-3-0.inr-002-reccev.Berkeley.EDU (128.32.0.38)  0.454 ms  0.465 ms  0.598 ms
 4  hpr-oak-hpr--ucb-ge.cenic.net (137.164.27.129)  0.831 ms  0.588 ms *
 5  svl-hpr--oak-hpr-10ge.cenic.net (137.164.25.8)  1.714 ms  1.825 ms *
 6  lax-hpr--svl-hpr-10ge.cenic.net (137.164.25.12)  9.282 ms  9.439 ms  9.344 ms
 7  hpr-i2-newnet--lax-hpr.cenic.net (137.164.26.133)  9.314 ms  20.326 ms  9.344 ms
 8  so-0-0-0.0.rtr.hous.net.internet2.edu (64.57.28.45)  49.677 ms  41.438 ms  41.324 ms
 9  64.57.28.42 (64.57.28.42)  64.791 ms  64.798 ms  64.686 ms
10  ge-0-1-0.10.nycmng.abilene.ucaid.edu (64.57.28.7)  78.286 ms  78.293 ms  78.179 ms
11  so-0-0-0.0.rtr.newy.net.internet2.edu (64.57.28.10)  83.406 ms  90.537 ms  83.425 ms
12  nox300gw1-Vl-110-NoX-INTERNET2.nox.org (192.5.89.221)  88.156 ms  88.160 ms  88.173 ms
13  nox230gw1-Vl-802-NoX.nox.org (192.5.89.254)  88.277 ms  88.340 ms  88.272 ms
14  nox230gw1-PEER-NoX-NEU-192-5-89-18.nox.org (192.5.89.18)  88.527 ms  88.497 ms  88.507 ms
15  * * *
16  129.10.6.11 (129.10.6.11)  89.160 ms  90.045 ms  89.030 ms
17  155.33.24.29 (155.33.24.29)  104.050 ms  89.060 ms  89.121 ms
18  129.10.24.101 (129.10.24.101)  88.734 ms  98.820 ms  89.676 ms
19  alderaan.ccs.neu.edu (129.10.116.80)  88.588 ms  88.961 ms  88.841 ms

 

f) PING alderaan.ccs.neu.edu (129.10.116.80): 56 data bytes
64 bytes from 129.10.116.80: icmp_seq=0 ttl=237 time=13.188 ms
64 bytes from 129.10.116.80: icmp_seq=1 ttl=237 time=13.698 ms
64 bytes from 129.10.116.80: icmp_seq=2 ttl=237 time=13.536 ms

 

No results for RSA because RSA does not allow ping.

PING www.rsa.com: 56 data bytes

----www.rsa.com PING Statistics----
5 packets transmitted, 0 packets received, 100% packet loss

 

4) Buffer Overflow

a) Line-by-line comments below

 

#include <string.h>   // header file for string operations
#include <ctype.h>    // header file for character types/operations
#include <stdio.h>    // header file for printf
#include <unistd.h>   // header file for setuid

int main(int argc, char *argv[]) {   // the main program
  char buf[512];                     // internal buffer declared, space allocated
  int i;                             // integer declared, space allocated

  setuid(0);                         // no check for error
                                     // only root can run this.
                                     // If compiled by root and
                                     // user executable bit set
                                     // to s, then any user
                                     // can execute this program
                                     // with root privileges.

  if (argc > 1) {                    // checks for command line argument
    for (i=0; i<strlen(argv[1]); i++)   // no check for input length
      argv[1][i] = tolower(argv[1][i]);
                                     // no check for legal chars
    strcpy(buf, argv[1]);            // argv[1] could be larger than
                                     // buf and cause an overflow
    printf("%s\n", buf);             // prints the contents of buffer
  }
}

b) The program converts a string to all lowercase letters. The major flaw of the program is that it does not check the input string length and does not check that the string actually consists of printable characters. Depending on how the program is compiled and on which system it runs, it might be possible to overflow the program's buffer.

c) The program could be used to do a buffer overflow and obtain a root shell. The basic idea is to call the program as a subroutine with a special string that is longer than the length of the buffer. The string is chosen to be long enough to overwrite the return address on the stack with an address that points inside the string. This causes control to be transferred to that point inside the string, which may be set up to exec a root shell.
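For comparison, a hardened form of the routine from 4(a) that closes the two gaps named in 4(b): it checks the input length against the buffer before writing and rejects non-printable bytes. This is an added example, not part of the original solution set; the function name lower_checked and the BUF_SIZE macro are hypothetical, and the setuid(0) call is left out because the conversion needs no privileges.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512  /* same size as buf[] in the listing in 4(a) */

/* Hypothetical helper (not from the problem set): lowercases src into dst.
 * Returns 0 on success, -1 if an argument is invalid, src (plus its NUL)
 * does not fit in dst, or src contains a non-printable byte.
 * On failure dst holds an empty string, never a partial copy. */
int lower_checked(char *dst, size_t dst_size, const char *src)
{
    size_t i;

    if (dst == NULL || dst_size == 0)
        return -1;
    dst[0] = '\0';
    if (src == NULL)
        return -1;

    for (i = 0; src[i] != '\0'; i++) {
        /* Cast first: a negative char passed to isprint()/tolower() is undefined. */
        unsigned char c = (unsigned char)src[i];

        /* Length check the original omits: keep room for the NUL. */
        if (i + 1 >= dst_size || !isprint(c)) {
            dst[0] = '\0';
            return -1;
        }
        dst[i] = (char)tolower(c);
    }
    dst[i] = '\0';
    return 0;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];

    if (argc > 1) {
        if (lower_checked(buf, sizeof buf, argv[1]) != 0) {
            fputs("input rejected\n", stderr);
            return 1;
        }
        printf("%s\n", buf);
    }
    return 0;
}
```

Unlike the original, the copy writes into a separate buffer and never past dst_size bytes, so an over-long argument is refused instead of overwriting the stack.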