Homework #4
CMPS 122, Winter 2005
| Assigned: | Feb 22nd |
| Due: | Tuesday, March 1st at noon |
Please read the homework guidelines for information about how to work on the assignment and how to submit it.
- Some large web sites use devices called "load balancers" to distribute traffic evenly among several equivalent servers. In such a system, the servers that handle Web requests are all "equal," and sufficient state is shared to allow any request to go to any server in the cluster. What is the security advantage to this configuration? Are there any disadvantages?
- It has been claimed that lack of diversity in the Internet is a major vulnerability for modern computer systems. Why does the predominance of a single operating system pose a threat? Does the predominance of a few browsers pose a threat as well? How might any threat be countered?
- I have a high-speed network connection coming into my home, and I also have a wireless network access point. Like most people, I don't use most of my bandwidth—my long-term average usage is under 1 KB/sec over a week out of a maximum of about 150 KB/sec. List three distinct reasons why I might still want to prevent an outsider from obtaining free network access by intruding into my wireless network.
- Should a network administrator put a firewall in front of a honeypot? Why or why not?
- Write a simple version of TripWire. This program should be able to compute the MD5 hash of each file in a directory subtree and write the result to standard output. It should also be able to verify the hash value of the files in the tree, with the original hash values provided via a file named by the -v argument. The -s (summary) option should generate or test a single MD5 hash value by hashing the individual file hash values together (without the file names). A summary of the options is:
  - -v <arg>: verify the hash value(s) (default is to create the file). If doing a "full" verification, the argument is the file that contains the hash values (see below for format). If doing a summary, the argument is the MD5 hash value to match.
  - -s: use a summary hash value rather than a hash value for each file

  The input or output file should look like this:

      0123456789abcdef0123456789abcdef foo/bar/baz
      23456789abcdef0123456789abcdef01 foo/bar/blah

Note that ordering is important—in particular, you should ensure that the directory tree is always traversed in the same order so that summary hashes work correctly. A sample program, tripwire.pyo, is available online (run it using python tripwire.pyo <args> rather than tripwire <args>). You may use any language you like to implement your program, but its output should be identical to that of the sample program. If you need it, you can generate the MD5 hash of a file using the command md5sum or any MD5 code library you like.
Sample command line usage includes:
  - tripwire foo (Prints the MD5 of every file in the foo directory. If foo is a file, the output has one line in it.)
  - tripwire foo bar (Prints the MD5 of every file in the foo and bar directories. Again, files are simply directory trees with one file in them.)
  - tripwire -s foo (Calculates the MD5 of every file in the foo directory, takes those MD5 values, and calculates the MD5 of a "file" containing them.)
  - tripwire -v values foo (Calculates the MD5 of every file in the foo directory and compares them against the values in file values.)
  - tripwire -s -v 23456789abcdef0123456789abcdef01 foo (Calculates the MD5 as for the -s option, and compares it against the value 23456789abcdef0123456789abcdef01.)
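
One possible shape for the traversal, hashing and verification logic specified above, as an added Python example; it is not the course's tripwire.pyo and is not guaranteed to match its output. Assumptions: directories are walked in sorted order, the summary is the MD5 of the per-file hex digests written one per line, and the function names and the constructed demo tree are illustrative.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_md5(path):
    """Hex MD5 of one file, read in chunks so large files are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def hash_tree(root):
    """Return [(md5, path)] for every file under root, in a reproducible order."""
    if os.path.isfile(root):  # a file is a tree with one file in it
        return [(file_md5(root), root)]
    entries = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # sorting in place fixes the order os.walk descends in
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            entries.append((file_md5(path), path))
    return entries

def summary(entries):
    """ASSUMPTION: MD5 over the hex digests, one per line, file names excluded."""
    return hashlib.md5("".join(d + "\n" for d, _ in entries).encode()).hexdigest()

def verify(baseline_text, entries):
    """Compare entries with '<md5> <path>' lines; return (changed, missing, added)."""
    rows = (ln.split(None, 1) for ln in baseline_text.splitlines() if ln.strip())
    old = {path: digest.lower() for digest, path in rows}  # one split: paths may hold spaces
    new = {path: digest for digest, path in entries}
    return (sorted(p for p in old if p in new and new[p] != old[p]),
            sorted(p for p in old if p not in new),
            sorted(p for p in new if p not in old))

def demo():
    """Constructed tree: record hashes, alter one file, then verify."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "baz").write_bytes(b"hello")
        Path(root, "blah").write_bytes(b"")
        before = hash_tree(root)
        baseline = "".join(f"{d} {p}\n" for d, p in before)
        Path(root, "baz").write_bytes(b"hellp")  # simulated tampering
        return before, verify(baseline, hash_tree(root))

if __name__ == "__main__":
    print(demo())
```

Files that appear in the tree but not in the baseline are reported separately, since a per-file comparison that only walks the baseline would miss newly planted files.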
NOTE: some of these questions are derived from a computer security text by Pfleeger & Pfleeger.
Last updated 22 Feb 2005 by Ethan L. Miller (elm at ucsc d0t edu)