
4. A program is written to compute the sum of the integers from 1 to 10. The programmer, well
trained in reusability and maintainability, writes the program so that it computes the sum of the
numbers from k to n. However, a team of security specialists scrutinizes the code. The team
certifies that this program properly sets k to 1 and n to 10; therefore, the program is certified as
being properly restricted in that it always operates on precisely the range 1 to 10. List different
ways that this program can be sabotaged so that during execution it computes a different sum, for
example, 3 to 20.

(a) Someone changes the source code before its compilation. (b) Someone patches (i.e.,
modifies) the binary object code while it is stored on disk before execution. (c) During
execution, an outside process patches the object code.

6. List three controls that could be applied to detect or prevent off-by-one errors.

Examples of controls: (a) program development controls, in which the code of a program is rigorously
scrutinized for improper behavior; (b) rigorous testing of edge cases that would reveal such errors; and (c)
use of a proof of program correctness.

9. An electronic mail system could be used to leak information. First, explain how the leakage
could occur. Then, identify controls that could be applied to detect or prevent the leakage.

The electronic mail system could leak information in the number of messages sent, the kinds of
messages, the sizes, the destination addresses, the number of characters in a message, the number
of odd-length or even-length messages, the contents of various header fields, and so forth.

The control most frequently used is human review of the content of the message, followed by
manual paraphrasing and rekeying of the message (so that header modifications, message length,
message parity, and the like would be distorted). This is obviously a slow and expensive
solution.

Another approach is the use of various guards, which are programs that look for specific patterns
in the message. One pattern is the “dirty word search” that scans a message for any of a finite list
of unacceptable, sensitive words (for example, bomb, uranium, plutonium, fission). The major
limitations of this approach are that the dirty word list is seldom complete (so the sender could
get away by substituting “explosive device” for “bomb”), and the sender can always encode the
dirty word (for example, representing “bomb” by four consecutive innocuous words, beginning
with the letters B-O-M-B).
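As an added illustration (not from the original answer key) of the guard described above and of its two stated weaknesses, the code below implements the dirty word search over the four-word list given in the answer, then adds a second check that this page does not describe, an assumption of the example: scanning the initial letters of consecutive words for the same list, which is the encoding the answer says a sender can use. The sample messages are constructed.

```python
import re
from typing import Dict, List

# The finite list from the answer above; any real list would be far longer and still incomplete.
DIRTY_WORDS: List[str] = ["bomb", "uranium", "plutonium", "fission"]

def _words(message: str) -> List[str]:
    """Lower-cased alphabetic tokens; punctuation and digits are ignored."""
    return re.findall(r"[a-z]+", message.lower())

def dirty_word_search(message: str, dirty_words: List[str] = DIRTY_WORDS) -> List[str]:
    """Whole-word match of the list against the message (the guard in the answer)."""
    found = {w for w in _words(message) if w in dirty_words}
    return sorted(found)

def acrostic_search(message: str, dirty_words: List[str] = DIRTY_WORDS) -> List[str]:
    """Added check (assumption of this example): a listed word spelled by the
    first letters of consecutive words, e.g. 'Bring Our Medical Bags' -> 'bomb'."""
    initials = "".join(w[0] for w in _words(message))
    return sorted(w for w in dirty_words if w in initials)

def guard(message: str) -> Dict[str, List[str]]:
    """Run both checks; an empty result means the guard would pass the message."""
    return {
        "dirty_words": dirty_word_search(message),
        "acrostic": acrostic_search(message),
    }

# Constructed messages: a direct hit, the synonym substitution the answer mentions,
# and the initial-letter encoding it mentions.
SAMPLES = [
    "The bomb is ready for Tuesday.",
    "The explosive device is ready for Tuesday.",
    "Bring our medical bags on Tuesday.",
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(repr(m), "->", guard(m))
```

The second sample passes both checks, which is the first limitation in the answer (the list is never complete). The third is caught only by the added acrostic check, and that check has its own cost: over a long message the initials of ordinary words will spell a four-letter entry by chance, so the false-positive rate rises with message length, which is why such guards end up backed by the human review described above.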

19. (a) You receive an email message that purports to come from your bank. It asks you to click
a link for some reasonable-sounding administrative purpose. How can you verify that the
message did come from your bank?
(b) Now play the role of an attacker. How could you intercept the message described in part
(a) and convert it to your purposes while still making both the bank and the customer think the
message is authentic and trustworthy?

Some possible answers are: (a) Confirm that both the “from” address and the link provided in the
email precisely match the domain belonging to the bank. (b) By changing something minor in
the domain (e.g., .co instead of .com) or intercepting the DNS request from the customer (via a
man-in-the-middle attack). The link will then redirect to the legitimate page while allowing the
attacker to perform whatever malicious behavior is desired.
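The check in answer (a), that the sender address and the link both belong to the bank's domain, can be made precise, as in this added example (not part of the answer key). It extracts the domain from the From header and the host from the link and accepts only an exact match or a subdomain of the bank's registered domain, so the .co lookalike from answer (b) and a host that merely starts with the bank's name are both rejected. The bank domain `examplebank.com` and the sample headers are constructed placeholders.

```python
from email.utils import parseaddr
from typing import Dict
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.com"   # constructed placeholder, not a real bank

def sender_domain(from_header: str) -> str:
    """Domain part of the address in a From header; the display name is ignored."""
    _display_name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def link_host(url: str) -> str:
    """Host component of the link, lower-cased; '' if the URL has none."""
    return (urlparse(url).hostname or "").lower()

def same_registered_domain(host: str, domain: str) -> bool:
    """True only for the domain itself or a subdomain of it. Neither a different TLD
    (examplebank.co) nor a host that embeds the name (examplebank.com.evil.example)
    qualifies, because the comparison anchors on the label boundary."""
    return host == domain or host.endswith("." + domain)

def check_message(from_header: str, url: str, domain: str = BANK_DOMAIN) -> Dict[str, bool]:
    """Apply answer (a): sender domain and link host must both belong to the bank,
    and the link must use https so the host is authenticated by the TLS certificate."""
    parsed = urlparse(url)
    return {
        "sender_ok": same_registered_domain(sender_domain(from_header), domain),
        "link_ok": parsed.scheme == "https"
                   and same_registered_domain(link_host(url), domain),
    }

# Constructed samples: a genuine-looking message, the .co variant from answer (b),
# and a link whose host only begins with the bank's domain.
SAMPLES = [
    ("Example Bank <alerts@examplebank.com>", "https://online.examplebank.com/verify"),
    ("Example Bank <alerts@examplebank.co>", "https://examplebank.co/verify"),
    ("Example Bank <alerts@examplebank.com>", "https://examplebank.com.evil.example/verify"),
]

if __name__ == "__main__":
    for hdr, link in SAMPLES:
        print(hdr, link, "->", check_message(hdr, link))
```

This check only covers what answer (a) asks for. It does not address the second half of answer (b): if the customer's DNS request is intercepted, a link whose host string is exactly the bank's domain still resolves to the attacker, which is why the https requirement in `check_message` matters, since the TLS certificate then has to match the host the browser believes it reached.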
