Operating-System concept 7th edition, part 8


Chapter 15 Security

Exercises

15.3 The list of all passwords is kept within the operating system. Thus, if a user manages to read this list, password protection is no longer provided. Suggest a scheme that will avoid this problem. (Hint: Use different internal and external representations.)

15.4 What is the purpose of using a "salt" along with the user-provided password? Where should the "salt" be stored, and how should it be used?

15.5 An experimental addition to UNIX allows a user to connect a watchdog program to a file. The watchdog is invoked whenever a program requests access to the file. The watchdog then either grants or denies access to the file. Discuss two pros and two cons of using watchdogs for security.

15.6 The UNIX program COPS scans a given system for possible security holes and alerts the user to possible problems. What are two potential hazards of using such a system for security? How can these problems be limited or eliminated?

15.7 Discuss a means by which managers of systems connected to the Internet could have designed their systems to limit or eliminate the damage done by a worm. What are the drawbacks of making the change that you suggest?

15.8 Argue for or against the judicial sentence handed down against Robert Morris, Jr., for his creation and execution of the Internet worm discussed in Section 15.3.1.

15.9 Make a list of six security concerns for a bank's computer system. For each item on your list, state whether this concern relates to physical, human, or operating-system security.

15.10 What are two advantages of encrypting data stored in the computer system?

15.11 What commonly used computer programs are prone to man-in-the-middle attacks? Discuss solutions for preventing this form of attack.

15.12 Compare symmetric and asymmetric encryption schemes, and discuss under what circumstances a distributed system would use one or the other.

15.13 Why doesn't D(k_e, N)(E(k_d, N)(m)) provide authentication of the sender? To what uses can such an encryption be put?

15.14 Discuss how the asymmetric encryption algorithm can be used to achieve the following goals.
a. Authentication: the receiver knows that only the sender could have generated the message.
b. Secrecy: only the receiver can decrypt the message.
c. Authentication and secrecy: only the receiver can decrypt the message, and the receiver knows that only the sender could have generated the message.

15.15 Consider a system that generates 10 million audit records per day. Also assume that there are on average 10 attacks per day on this system and that each such attack is reflected in 20 records. If the intrusion-detection system has a true-alarm rate of 0.6 and a false-alarm rate of 0.0005, what percentage of alarms generated by the system correspond to real intrusions?

Bibliographical Notes

General discussions concerning security are given by Hsiao et al. [1979], Landwehr [1981], Denning [1982], Pfleeger and Pfleeger [2003], Tanenbaum [2003], and Russell and Gangemi [1991]. Also of general interest is the text by Lobel [1986]. Computer networking is discussed in Kurose and Ross [2005].

Issues concerning the design and verification of secure systems are discussed by Rushby [1981] and by Silverman [1983]. A security kernel for a multiprocessor microcomputer is described by Schell [1983]. A distributed secure system is described by Rushby and Randell [1983].

Morris and Thompson [1979] discuss password security. Morshedian [1986] presents methods to fight password pirates. Password authentication with insecure communications is considered by Lamport [1981]. The issue of password cracking is examined by Seely [1989]. Computer break-ins are discussed by Lehmann [1987] and by Reid [1987]. Issues related to trusting computer programs are discussed in Thompson [1984].
Discussions concerning UNIX security are offered by Grampp and Morris [1984], Wood and Kochan [1985], Farrow [1986b], Farrow [1986a], Filipski and Hanko [1986], Hecht et al. [1988], Kramer [1988], and Garfinkel et al. [2003]. Bershad and Pinkerton [1988] present the watchdog extension to BSD UNIX. The COPS security-scanning package for UNIX was written by Farmer at Purdue University. It is available to users on the Internet via the FTP program from host ftp.uu.net in directory /pub/security/cops.

Spafford [1989] presents a detailed technical discussion of the Internet worm. The Spafford article appears with three others in a special section on the Morris Internet worm in Communications of the ACM (Volume 32, Number 6, June 1989).

Security problems associated with the TCP/IP protocol suite are described in Bellovin [1989]. The mechanisms commonly used to prevent such attacks are discussed in Cheswick et al. [2003]. Another approach to protecting networks from insider attacks is to secure topology or route discovery. Kent et al. [2000], Hu et al. [2002], Zapata and Asokan [2002], and Hu and Perrig [2004] present solutions for secure routing. Savage et al. [2000] examine the distributed denial-of-service attack and propose IP trace-back solutions to address the problem. Perlman [1988] proposes an approach to diagnose faults when the network contains malicious routers.

Information about viruses and worms can be found at http://www.viruslist.com, as well as in Ludwig [1998] and Ludwig [2002]. Other web sites containing up-to-date security information include http://www.trusecure.com and http://www.eeye.com. A paper on the dangers of a computer monoculture can be found at http://www.ccianet.org/papers/cyberinsecurity.pdf.

Diffie and Hellman [1976] and Diffie and Hellman [1979] were the first researchers to propose the use of the public-key encryption scheme.
The algorithm presented in Section 15.4.1 is based on the public-key encryption scheme; it was developed by Rivest et al. [1978]. Lempel [1979], Simmons [1979], Denning and Denning [1979], Gifford [1982], Denning [1982], Ahituv et al. [1987], Schneier [1996], and Stallings [2003] explore the use of cryptography in computer systems. Discussions concerning protection of digital signatures are offered by Akl [1983], Davies [1983], Denning [1983], and Denning [1984].

The U.S. government is, of course, concerned about security. The Department of Defense Trusted Computer System Evaluation Criteria (DoD [1985]), known also as the Orange Book, describes a set of security levels and the features that an operating system must have to qualify for each security rating. Reading it is a good starting point for understanding security concerns. The Microsoft Windows NT Workstation Resource Kit (Microsoft [1996]) describes the security model of NT and how to use that model.

The RSA algorithm is presented in Rivest et al. [1978]. Information about NIST's AES activities can be found at http://www.nist.gov/aes/; information about other cryptographic standards for the United States can also be found at that site. More complete coverage of SSL 3.0 can be found at http://home.netscape.com/eng/ssl3/. In 1999, SSL 3.0 was modified slightly and presented in an IETF Request for Comments (RFC) under the name TLS.

The example in Section 15.6.3 illustrating the impact of false-alarm rate on the effectiveness of IDSs is based on Axelsson [1999]. A more complete description of the swatch program and its use with syslog can be found in Hansen and Atkins [1993]. The description of Tripwire in Section 15.6.5 is based on Kim and Spafford [1993]. Research into system-call-based anomaly detection is described in Forrest et al. [1996].

[...]
Chapter 16 Distributed System Structures

... [1997] and Stevens [1998]. Discussions concerning distributed operating-system structures have been offered by Coulouris et al. [2001] and Tanenbaum and van Steen [2002]. Load balancing and load sharing were discussed by Harchol-Balter and Downey [1997] and Vee and Hsu [2000]. Harish and Owens [1999] described load-balancing DNS servers. Process migration was discussed by Jul et al. [1988], Douglis and Ousterhout ...

... 128.148.31.100. Names are convenient for humans to use, but computers prefer numbers for speed and simplicity. For this reason, there must be a mechanism to resolve the host name into a host-id that describes the destination system to the networking hardware. This resolve mechanism is similar to the name-to-address binding that occurs during program compilation, linking, loading, and execution (Chapter 8) ...

... this address and asks about cs.brown.edu. 4. An address is returned, and a request to that address for bob.cs.brown.edu now, finally, returns an Internet address host-id for that host (for example, 128.148.31.100). This protocol may seem inefficient, but local caches are usually kept at each name server to speed the process. For example, the edu name server ...

... defined by the IEEE 802.3 standard.

16.3.2 Wide-Area Networks

Wide-area networks emerged in the late 1960s, mainly as an academic research project to provide efficient communication among sites, allowing hardware and software to be shared conveniently and economically by a wide community of users. The first WAN to be designed and developed was the Arpanet. Begun in 1968, the Arpanet ...

... megabits per second over a leased line. For sites requiring faster Internet access, T1s are collected into multiple-T1 units that work in parallel to provide more throughput. For instance, a T3 is composed of 28 T1 connections and has a transfer rate of 45 megabits per second. The routers control the path each message takes through the net. This routing may be either dynamic, to increase communication efficiency, ...

... types of networks: local-area networks (LAN) and wide-area networks (WAN). The main difference between the two is the way in which they are geographically distributed. Local-area networks are composed of processors distributed over small areas (such as a single building or a number of adjacent buildings), whereas wide-area networks are composed of a number ...

... distributed over a large area (such as the United States). These differences imply major variations in the speed and reliability of the communications network, and they are reflected in the distributed operating-system design.

16.3.1 Local-Area Networks

Local-area networks emerged in the early 1970s as a substitute for large mainframe computer systems. For many enterprises, it is more economical to have ...

... until the link is free. If two or more sites begin transmitting at exactly the same time (each thinking that no other site is using the link), then they will register a collision detection (CD) and will stop transmitting. Each site will try again after some random time interval. The main problem with this approach is that, when the system is very busy, many collisions ...

... token gets lost, the system must then detect the loss and generate a new token. It usually does that by declaring an election to choose a unique site where a new token will be generated. Later, in Section 18.6, we present one election algorithm. A token-passing scheme has been adopted by the IBM and HP/Apollo systems. The benefit of a token-passing network is that performance is constant. Adding new sites ...

... modify the message and include message-header data for the equivalent layer on the receiving side. Ultimately, the message reaches the data-network layer and is transferred as one or more packets (Figure 16.8). The data-link layer of the target system receives these data, and the message is moved up through the protocol stack; it is analyzed, modified, and stripped of headers as it progresses. It finally reaches ...

Date posted: 12/08/2014, 22:21
