Application and OS Security

Question 1

What is the main function of an OS from a bottom up view?

Answer 1

A collection of computer programs that manage the computer’s resources, such as the CPU , memory, disk drives.

Question 2

What is the main function of an OS from a top-down review?

Answer 2

A collection of computer programs that provide an interface between a user and the hardware

Question 3

What does each device have connected to the bus?

Answer 3

a device controller

Question 4

What does a device driver do?

Answer 4

• communicates with the device controller

- enables data to be transferred between buffer and main memory

Question 5

What must a CPU be able to do?

Answer 5

• distinguish between OS and application programs

- prevent application programs from executing privileged instructions

Question 6

When is a bootstrap program loaded?

Answer 6

at power up or reboot

Question 7

What is a bootstrap?

Answer 7

a technique of loading a program into a computer by means of a few initial instructions which enable the introduction of the rest of the program from an input device.

Question 8

What is firmware?

Answer 8

a combination of a hardware device and computer instructions or computer data that reside as read-only software on the hardware device.

Question 9

What does BIOS mean?

Answer 9

Basic Input/output System

Question 10

What is the primary role of the BIOS?

Answer 10

to initialise and test hardware components and load the OS

Question 11

What could malicious BIOS modification lead to?

Answer 11

• a permanent denial of service

- a persistent malware presence

Question 12

What are the 5 steps of booting?

Answer 12

1. execute BIOS boot block
2. initialise and test low-level hardware
3. load additional firmware modules
4. select boot device
5. use boot loader to load OS and run it

Question 13

what does UEFI stand for?

Answer 13

Unified Extensible Firmware Interface

Question 14

What do UEFI specs define?

Answer 14

interface between OS and firmware

Question 15

What are 3 ways the bootloaders can be attacked?

Answer 15

• user-initiated installation of new BIOS code (most difficult to address)
• malware could re-flash the system BIOS
• network-based system management tools could cause an organisation-wide BIOS update attack

Question 16

What is SMM?

Answer 16

System Management Mode - an operating mode of x86 CPU

Question 17

What rootkits are in ring 3?

Answer 17

Usermode rootkits

Question 18

What rootkits are in ring 0?

Answer 18

Kernelmode rootkits

Question 19

What rootkits are in ring -1?

Answer 19

Hypervisor rootkits (bluepill)

Question 20

What rootkits are in ring -2?

Answer 20

SMM rootkits

Question 21

What does TPM stand for?

Answer 21

Trusted platform module

Question 22

What is a TPM designed for?

Answer 22

• a chip with low cost
• embedded in a computing platform
• TPM is an international standard for a secure cryptoprocessor

Question 23

What is a cryptoprocessor?

Answer 23

a dedicated microcontroller designed to secure hardware through integrated cryptographic keys

Question 24

What does the TPM provide?

Answer 24

• a random number generator
• facilities for the generation of cryptographic keys
• remote attestation to create a nearly unforgeable hash key summary of the hardware and software configuration
• binding: encrypts data using the TPM bind key
• sealing: specifies the TPM state for the data to be decrypted

Question 25

What types of TPM are there?

Answer 25

• Discrete
• Integrated
• Firmware
• Software
• Virtual

Question 26

What are the 2 main application attacks?

Answer 26

“user provided input” and “interactions with other systems”

Question 27

What is a symlink attack?

Answer 27

attacker creates symlink to file accessible only to the superuser

Question 28

What are command line attacks?

Answer 28

directory traversal in path names, command injection attacks, buffer overflows

Question 29

what assumption do buffer overflow attacks make?

Answer 29

inputs will be smaller than a certain size and the buffer is created to be that size.

Question 30

What is the problem with buffer overflow attacks?

Answer 30

detectability

Question 31

What happens in a remote attack?

Answer 31

the attacker manipulates the behaviour of applications over a network connection

Question 32

What is the goal of a remote attack?

Answer 32

execute operations on attacked host

Question 33

What happens in a local attack?

Answer 33

the attacker manipulates the behaviour of applications through local injection

Question 34

What does a local attack assume?

Answer 34

there’s a previously established presence on the machine

Question 35

what is the goal of a local attack?

Answer 35

to execute operations with different/superior privileges