13.6 Exercises
The PostScript language [11] describes page layout for printers. Among its features is the ability to request that the interpreter execute commands on the host system.
Describe a danger that this feature presents when the language interpreter is running with administrative or root privileges.
Explain how the principle of least privilege could be used to ameliorate this danger.
A common technique for inhibiting password guessing is to disable an account after three consecutive failed login attempts.
Discuss how this technique might prevent legitimate users from accessing the system. Why is this action a violation of the principle of least common mechanism?
One can argue that this is an example of fail-safe defaults, because by blocking access to an account under attack, the system is defaulting to a known, safe state. Do you agree or disagree with this argument? Justify your answer.
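The following is an added illustration for this exercise, not code from the book: a toy authenticator implementing the three-strikes lockout, together with a scenario in which an attacker who knows only Mary's user name exhausts her three attempts so that Mary is refused even with the correct password. The user name, password and the attacker's guesses are constructed sample data, and passwords are compared in plaintext only to keep the example short.

```python
"""Three-strikes account lockout and the denial of service it enables.

Added example for the exercise above (not from the book). Assumptions: the
lockout threshold is 3 consecutive failures, a successful login resets the
counter, and the account and guesses below are constructed sample data.
"""
import hmac
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 3


@dataclass
class Account:
    password: str          # plaintext for brevity only; real systems store a hash
    failures: int = 0      # consecutive failed attempts since the last success
    locked: bool = False


class Authenticator:
    def __init__(self, accounts):
        self.accounts = accounts

    def login(self, user, password):
        acct = self.accounts.get(user)
        if acct is None:
            return "no such user"
        if acct.locked:
            return "locked"
        # Constant-time comparison so the check itself does not leak anything.
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= LOCKOUT_THRESHOLD:
            acct.locked = True   # the mechanism the attacker shares with Mary
            return "locked"
        return "bad password"


def lockout_scenario():
    """An attacker makes three wrong guesses at Mary's account; Mary then tries
    her real password. Returns (attacker_results, mary_result)."""
    auth = Authenticator({"mary": Account(password="correct horse")})
    attacker = [auth.login("mary", g) for g in ("123456", "password", "mary")]
    mary = auth.login("mary", "correct horse")
    return attacker, mary
```

The failure counter is a single mechanism shared by everyone who names the account, attacker included, so anyone can drive it into the locked state on Mary's behalf; that is the sense in which the technique violates least common mechanism.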
Kernighan and Plauger [565] argue for a minimalist philosophy of tool building. Their thesis is that each program should perform exactly one task, and more complex programs should be formed by combining simpler programs. Discuss how this philosophy fits in with the principle of economy of mechanism. In particular, how does the advantage of the simplicity of each component of a software system offset the disadvantage of a multiplicity of interfaces among the various components?
Design an experiment to determine the performance impact of checking access permissions for each file access (as opposed to once at the file's opening). If you have access to a system on which you can modify the file access mechanism, run your experiment and determine the impact.
A company publishes the design of its security software product in a manual that accompanies the executable software.
In what ways does this satisfy the principle of open design? In what ways does it not?
Given that the design is known, what advantages does keeping the source code unavailable give the company and those who purchase the software? What disadvantages does it cause?
Assume that processes on a system share no resources. Is it possible for one process to block another process's access to a resource? Why or why not? From your answer, argue that denial of service attacks are possible or impossible.
Given that the Internet is a shared network, discuss whether preventing denial of service attacks is inherently possible or not possible. Do systems connected to the Internet violate the principle of least common mechanism?
A program called lsu [111] gives access to role accounts. The user's access rights are checked, and the user is required to enter her password. If access rules allow the change and the user's password is correct, lsu allows the change. Given that Mary uses lsu from her account, why does lsu require her to enter her password? Name the principles involved, and why they require this.
Recall the S/Key one-time password algorithm discussed in Section 12.3.2. When a user prints a list of S/Key passwords for future use, the system encodes each hash value as a set of six short words and prints them. Why does it not merely print out the hash values?
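As an added example for this exercise (not code from the book or from the S/Key implementation), the following shows the structure of the six-word encoding: the 64-bit one-time password is extended with a two-bit checksum (the sum of its 32 two-bit pieces, modulo 4) to 66 bits, which split into six 11-bit indexes into a 2048-word dictionary. The dictionary below is a synthetic stand-in, an assumption made so the code runs stand-alone; the real list of short English words from RFC 2289 Appendix D is a drop-in replacement. The MD5 folding and big-endian interpretation of the folded digest are also assumptions made for the example.

```python
"""Six-word encoding of a 64-bit one-time password, with the two-bit checksum.

Added example (not from the book). Assumptions: DICTIONARY is a synthetic
stand-in for the 2048-word RFC 2289 list; otp_md5 folds MD5 by XORing the two
8-byte halves and reads the result big-endian.
"""
import hashlib

# Assumption: stand-in dictionary. Replace with the 2048 short English words
# of RFC 2289 Appendix D for real interoperability.
DICTIONARY = [f"W{i:04d}" for i in range(2048)]
WORD_INDEX = {w: i for i, w in enumerate(DICTIONARY)}


def checksum2(value64):
    """Sum of the 32 two-bit pieces of the 64-bit value, modulo 4."""
    return sum((value64 >> s) & 3 for s in range(0, 64, 2)) & 3


def to_six_words(value64):
    """64 bits + 2-bit checksum = 66 bits = six 11-bit dictionary indexes."""
    bits66 = (value64 << 2) | checksum2(value64)
    return [DICTIONARY[(bits66 >> (55 - 11 * i)) & 0x7FF] for i in range(6)]


def from_six_words(words):
    """Inverse of to_six_words. Returns None if a word is not in the dictionary
    or the checksum does not match (a transcription error was caught)."""
    if len(words) != 6 or any(w not in WORD_INDEX for w in words):
        return None
    bits66 = 0
    for w in words:
        bits66 = (bits66 << 11) | WORD_INDEX[w]
    value64, chk = bits66 >> 2, bits66 & 3
    return value64 if chk == checksum2(value64) else None


def fold64(digest16):
    """Fold a 16-byte digest to 8 bytes by XORing the halves (assumption)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def otp_md5(passphrase, seed, count):
    """One-time password number `count`: hash seed||passphrase once, then
    re-hash the folded result `count` more times (otp-md5 style)."""
    x = fold64(hashlib.md5((seed + passphrase).encode()).digest())
    for _ in range(count):
        x = fold64(hashlib.md5(x).digest())
    return int.from_bytes(x, "big")   # byte order is an assumption here
```

Typing six short words from a printed list is far less error-prone than typing sixteen hex digits, and the checksum catches most single-word transcription errors before the password reaches the server.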
The program su enables a UNIX user to access another user's account. Unless the first user is the superuser, su requires that the password of the second user be given. A (possibly apocryphal) version of su would ask for the user's password and, if it could not determine whether the password was correct because the password file could not be opened, immediately grant superuser access so that the user could fix the problem. Discuss which of the design principles this approach meets, and which ones it violates.
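To make the contrast concrete, here is an added example (not from the book and not the real su source): a toy su that looks the target user up in a constructed shadow-style file, written once with the apocryphal fail-open behaviour and once with a fail-safe default. Assumptions: the file format is "user:salt:hexdigest" with PBKDF2-HMAC-SHA256 standing in for crypt(3), and "the password file could not be opened" is modelled by passing a path that does not exist.

```python
"""Fail-open versus fail-safe password checking in an su-like program.

Added example for the exercise above (not the book's or the real su's code).
Assumptions: shadow-style lines "user:salt:hexdigest", PBKDF2-HMAC-SHA256 in
place of crypt(3), and an unreadable password file modelled by a missing path.
"""
import hashlib
import hmac
import os
import tempfile

ITERATIONS = 10_000   # kept low so the example runs quickly


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               salt.encode(), ITERATIONS).hex()


# Constructed sample file: root's password is "s3cret" (sample data only).
SAMPLE_SHADOW = "root:NaCl:" + hash_password("s3cret", "NaCl") + "\n"


def lookup(path, user):
    """Return (salt, digest) for user. Raises OSError if the file cannot be
    opened and KeyError if the user is not listed."""
    with open(path) as f:
        for line in f:
            name, salt, digest = line.rstrip("\n").split(":")
            if name == user:
                return salt, digest
    raise KeyError(user)


def verify(path, user, password):
    salt, digest = lookup(path, user)
    return hmac.compare_digest(hash_password(password, salt), digest)


def su_fail_open(path, user, password):
    """The (possibly apocryphal) behaviour: if the password file cannot be
    opened, grant access so the user can go and fix it."""
    try:
        return verify(path, user, password)
    except OSError:
        return True     # fails open: the check could not run, so access is granted
    except KeyError:
        return False


def su_fail_safe(path, user, password):
    """Fail-safe default: any failure of the check means no access."""
    try:
        return verify(path, user, password)
    except (OSError, KeyError):
        return False    # fails closed: no positive result, no access


def run_scenario():
    """Run both variants against a readable and a missing password file."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "shadow")
        with open(good, "w") as f:
            f.write(SAMPLE_SHADOW)
        missing = os.path.join(d, "no-such-file")
        return {
            "open_ok": su_fail_open(good, "root", "s3cret"),
            "open_bad": su_fail_open(good, "root", "wrong"),
            "open_unreadable": su_fail_open(missing, "root", "wrong"),
            "safe_ok": su_fail_safe(good, "root", "s3cret"),
            "safe_bad": su_fail_safe(good, "root", "wrong"),
            "safe_unreadable": su_fail_safe(missing, "root", "wrong"),
        }
```

With the file readable the two versions behave identically; the difference appears only in the error path, which is exactly where fail-safe defaults apply. Note also that an attacker who can make the password file unopenable (for example by exhausting file descriptors or renaming it) turns the fail-open version into an unconditional root shell.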