Consider the two interpretations of a time field that specifies “1 a.m.” One interpretation says that this means exactly 1:00 a.m. and no other time. The other says that this means any time during the 1 a.m. hour.
How would you express the time of “exactly 1 a.m.” in the second interpretation?
How would you express “any time during the 1 a.m. hour” in the first interpretation?
Which is more powerful? If they are equally powerful, which do you think is least astonishing? Why?
Verify that the modified version of Requirement 31.4 shown as Requirement 31.6 on page 1105 counters the appropriate threats.
Assume the alternative interpretation of Requirement 31.4 given in Section 18.104.22.168, so that access only is controlled by location and time, and that commands are restricted by role and user. This means that if a user is authorized to run a command, she can run it from any location he is authorized to use. How would you change the way information is stored in the access control file described in Section 22.214.171.124?
Currently, the program described in this chapter is to have setuid-to-root privileges. Someone observed that it could be equally well-implemented as a server, in which case the program would authenticate the user, connect to the server, send the command and role, and then let the server execute the command.
What are the advantages of using the server approach rather than the single program approach?
If the server responds only to clients on the local machine, using interprocess communication mechanisms on the local system, which approach would you use? Why?
If the server were listening for commands from the network, would that change your answer to the previous question? Why or why not?
If the client sent the password to the server, and the server authenticated, would your answers to any of the three previous parts change? Why or why not?
The little languages presented in Section 126.96.36.199 have ambiguous semantics. For example, in the location language, does “not host1 or host2” mean “neither at host1 nor at host2” or “at host2 or not at host1”?
Rewrite the BNF of the location language to make the semantics reflect the second meaning (i.e., the precedence of “not” is lower than that of “or”). Are the semantics unambiguous now? Why or why not?
Rewrite the BNF of the time language to make the semantics reflect the second meaning (i.e., the precedence of “not” is higher than that of “or”). Are the semantics unambiguous now? Why or why not?
Suppose an access control record is malformed (for example, it has a syntax error). Show that the access control module would deny access.
The canary for StackGuard simply detects overflow that might change the return address. This exercise asks you to extend the notion of a canary to detection of buffer overflow.
Assume that the canary is placed directly after the array, and that after every array, access is checked to see if it has changed. Would this detect a buffer overflow? If so, why do you think this is not suitable for use in practice? If not, describe an attack that could change a number beyond the buffer without affecting the canary.
Now suppose that the canary was placed directly after the buffer but— like the canary for StackGuard—was only checked just before a function return. How effective do you think this method would be?