(Spring 2012 - Wagner and Paxson):

A. Consider a blogging site that allows users to post content they author and also make comments on each other's posts.
   1. Discuss how a worm could propagate within such a site. What would you expect the progression of the infection to look like, in terms of infections present at a given time?
   2. Suppose the goal is to make the blogging site immune to the problem of worms. Explain the steps you could take, and the benefits and costs of each.
   3. Suppose the costs of prevention are viewed as too high, or its efficacy too uncertain. Sketch a detector for identifying that such a worm is spreading.
   4. For your detection mechanism, qualitatively assess its properties in terms of false negatives and false positives.
   5. Suppose you have concrete values for the false positive and false negative rates. How does the Base Rate Fallacy come into consideration when interpreting these?
   6. Suppose you have two mechanisms for detecting such a worm. The first analyzes the timing of the activity of individual users. The second assesses the prevalence of particular strings of content as seen globally across the site. Discuss the issues that arise when assessing which of these detectors works better.

B. Google has a cluster of thousands of machines. They want to log security-relevant events that occur on those machines: e.g., each command that an operator types into a root shell, each time a user resets their Gmail password, and so on.
   1. Describe a possible design to accommodate this -- it doesn't need to be fancy -- and describe what security properties it does and doesn't have.
   2. Now let's say we want to store all those audit log entries in the cloud, on some server, but we don't want to trust that server in the cloud. What can we do? Suggest a scheme, and describe what security properties it does and doesn't provide.
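A worked calculation for question A.5, added here and not part of the exam page: it applies Bayes' rule to a detector with a fixed false positive and false negative rate and shows how the fraction of alerts that are real collapses as the prevalence of infected users shrinks. The detector rates and population size are constructed values.

```python
# Added worked example for question A.5 above (Base Rate Fallacy); not part of
# the original exam page. The detector rates and population size are constructed.

def posterior_infected(fp_rate: float, fn_rate: float, base_rate: float) -> float:
    """P(user is infected | detector alerts on the user), via Bayes' rule.

    fp_rate   = P(alert | clean)        false-positive rate
    fn_rate   = P(no alert | infected)  false-negative rate
    base_rate = P(infected)             prevalence in the scanned population
    """
    true_alerts = (1.0 - fn_rate) * base_rate
    false_alerts = fp_rate * (1.0 - base_rate)
    if true_alerts + false_alerts == 0.0:
        return 0.0                      # detector never alerts at all
    return true_alerts / (true_alerts + false_alerts)


def alert_budget(fp_rate: float, fn_rate: float, base_rate: float, users: int):
    """Expected (true alerts, false alerts) from one pass over `users` accounts."""
    infected = users * base_rate
    return (1.0 - fn_rate) * infected, fp_rate * (users - infected)


def base_rate_table(fp_rate: float, fn_rate: float, base_rates) -> dict:
    """Same detector, shrinking prevalence: the posterior collapses."""
    return {b: posterior_infected(fp_rate, fn_rate, b) for b in base_rates}


if __name__ == "__main__":
    FP, FN = 0.01, 0.05              # constructed: 1% false positives, 5% false negatives
    for b, p in base_rate_table(FP, FN, (0.5, 0.01, 0.001, 0.0001)).items():
        print(f"prevalence {b:>8.2%}: P(infected | alert) = {p:.3f}")
    tp, fp = alert_budget(FP, FN, 0.001, 1_000_000)
    print(f"1M users, 0.1% infected: ~{tp:.0f} true alerts vs ~{fp:.0f} false alerts")
```

The same 1% false positive rate that looks negligible in the lab produces roughly ten false alerts for every real one once only 0.1% of users are infected, which is the analyst workload the question is asking about.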
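One standard scheme for question B.2, added here as an example and not taken from the exam page: a hash chain over the log entries plus an HMAC under a key that is evolved after every entry, with the untrusted server holding only the entries and the logger retaining a tiny trusted anchor (entry count and chain head) that the auditor obtains out of band. The initial key, host names and event contents are constructed; the auditor is assumed to hold the initial key.

```python
# Added example for exam question B.2 above (audit log on an untrusted server);
# not part of the original page. One standard construction: a SHA-256 hash chain
# plus an HMAC under a forward-secure (evolving) key, so the server can neither
# alter, reorder nor silently truncate entries. Event contents are constructed.
import hashlib, hmac, json

GENESIS = b"\x00" * 32
KEY = b"constructed-initial-key"   # held by logger and auditor, never by the server

def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"|".join(parts)).digest()

class Logger:
    """Trusted logging host: keeps only the current key, chain head and count."""
    def __init__(self, initial_key: bytes):
        self.key, self.head, self.count = initial_key, GENESIS, 0

    def append(self, event: dict, server: list) -> None:
        body = json.dumps(event, sort_keys=True).encode()
        tag = hmac.new(self.key, self.head + body, hashlib.sha256).digest()
        server.append({"body": body.hex(), "tag": tag.hex()})   # untrusted store
        self.head = _h(self.head, body, tag)
        self.key = _h(b"evolve", self.key)  # old key erased: a later compromise of
        self.count += 1                      # this host cannot forge earlier entries

    def anchor(self) -> tuple:
        return self.count, self.head         # tiny trusted state, shared out of band

def verify(initial_key: bytes, entries: list, anchor: tuple) -> bool:
    """Auditor holding the initial key replays the chain against the anchor."""
    key, head = initial_key, GENESIS
    for e in entries:
        body, tag = bytes.fromhex(e["body"]), bytes.fromhex(e["tag"])
        expect = hmac.new(key, head + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return False                     # modified or reordered entry
        head, key = _h(head, body, tag), _h(b"evolve", key)
    return (len(entries), head) == anchor    # truncation is caught here

def demo() -> dict:
    server, log = [], Logger(KEY)
    log.append({"host": "web-17", "op": "root shell: useradd"}, server)
    log.append({"host": "mail-3", "op": "gmail password reset"}, server)
    edited = [dict(server[0], body=b'{"op": "nothing"}'.hex()), server[1]]
    return {"honest": verify(KEY, server, log.anchor()),
            "edited": verify(KEY, edited, log.anchor()),
            "reordered": verify(KEY, server[::-1], log.anchor()),
            "truncated": verify(KEY, server[:1], log.anchor())}
```

What it does not give: the server can still delete the whole log or refuse to serve it (availability), and an attacker who takes over the logging host can suppress or fabricate entries from that point on; forward security only protects the entries written before the compromise.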
(Fall 2011 - D. Song and Paxson):

1. Consider the problem of defending a web site from a DDoS attack.
   a) An attacker sends a stream of spoofed SYN packets to port 80 of the web server. Discuss two techniques that could be employed to find the hosts sending the flood. How effectively would they work in today's Internet?
   b) For the same attack, discuss techniques a site can use by itself (i.e., not requiring cooperation by the broader network) to defend against the attack. How well do these approaches work, and what are their drawbacks?
   c) Suppose that during the flood an ISP upstream of yours activates a monitoring box that inspects packets heading to your site and uses anomaly detection to identify and block likely spoofed packets. If they do this without your permission, have they violated the Wiretap Act?
   d) Now suppose that the attacker launches a DDoS attack using non-spoofed packets. To what degree does that change the opportunities available to the attacker? What about for the defenses you mentioned?

2. Sketch the problem of buffer overflow attacks. Discuss the range of defenses and their pros and cons.

3. This question concerns TLS.
   a) Sketch an attack on TLS. [Ultimately, the examination for this sub-question drove towards the problem of stolen certs / compromised CAs.]
   b) How might we detect that a given TLS session is using a stolen certificate or stems from a compromised CA?
   c) How effective is such detection, in terms of false positives and false negatives?
   d) Sketch, to the degree that you can, how DNSSEC works. (NOTE: we recognize that DNSSEC was not on the syllabus, and sketch it for students as needed.)
   e) Suppose that instead of using CAs, clients retrieve public keys for use in TLS via DNSSEC queries. Compare the properties of this approach with how TLS works today.
(Fall 2008 - Tygar & Wagner):

1. Bounce message spam typically occurs when a spammer sends many spam emails with the From: line containing a forged email address -- say, to make it appear that the spam emails were from me. Many of those spam emails will be undeliverable or will be destined to an invalid email address, and thus a bounce message will be sent back to the email address listed in the From: line -- i.e., back to me. Consequently, when a spammer sends one million spam emails with my email address in the From: line, my inbox may become clogged with thousands of bounce messages for emails I never sent. This is a nuisance.
   (a) Design a mechanism to protect me against bounce message spam. I don't want to see nuisance bounce messages, but I always want to see bounce messages for emails that I do send.
   (b) What are the privacy implications?
   (c) How can we minimize the storage requirements?
   (d) New requirement: I want to read and send email from several different email clients, such as my laptop and my cellphone. I want to configure them once, but I want to minimize the amount of state that they must save and avoid the need for my clients to exchange data. Augment your scheme to provide this property.

2. Name as many ways as you can think of that a user Alice on the Berkeley email system could prevent me from reading my email for the next 24 hours.

3. The FasTrak system is an automated system for toll payment. The authorities send you a battery-powered transponder that you put in the car; when you drive over the Bay Bridge, their equipment interrogates your transponder wirelessly and then bills you monthly.
   (a) Describe the security goals that such a system ought to provide.
   (b) How well does the current system meet these goals?
   (c) Sketch how you would design the system, if you wanted to ensure that all of these goals were met.
June 2011