Own questions 2 (technical terms) Flashcards

1
Q

Explain what a flooding attack is

A

An Internet Control Message Protocol (ICMP) flood attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings). Normally, ICMP echo-request and echo-reply messages are used to ping a network device in order to diagnose the health and connectivity of the device and the connection between the sender and the device. By flooding the target with request packets, the network is forced to respond with an equal number of reply packets. This causes the target to become inaccessible to normal traffic.

2
Q

Explain a reflective attack

A

Reflection Denial of Service attacks make use of a potentially legitimate third-party component to send the attack traffic to a victim, ultimately hiding the attackers’ own identity. The attackers send packets to the reflector servers with a source IP address set to their victim’s IP, therefore indirectly overwhelming the victim with the response packets.
The reflector servers used for this purpose could be ordinary servers not obviously compromised, which makes this kind of attack particularly difficult to mitigate. A common example of this type of attack is the Reflective DNS Response attack.

3
Q

Explain what an amplification attack is

A

DNS amplification is a Distributed Denial of Service (DDoS) attack in which the attacker exploits vulnerabilities in domain name system (DNS) servers to turn initially small queries into much larger payloads, which are used to bring down the victim’s servers.

4
Q

What are the capabilities of a firewall?

A

Defines a single choke point. Provides a location for monitoring security events.
Convenient platform for some Internet functions such as NAT, usage monitoring, IPSEC VPNs

5
Q

What are the limitations of a firewall?

A

cannot protect against attacks bypassing firewall
may not protect fully against internal threats
improperly secured wireless LAN
laptop, PDA, portable storage device infected outside then used inside

6
Q

What are the two default firewall policies?

A

Whitelisting (Discard) - prohibit unless expressly permitted:
more conservative, controlled, visible to users

Blacklisting (Forward) - permit unless expressly prohibited:
easier to manage/use but less secure

7
Q

What is a Bastion host?

A

A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.

8
Q

What are the two intrusion detection systems?

A

Host-based IDS: monitor single host activity

Network-based IDS: monitor network traffic

9
Q

What is the IDS principle?

A

assume intruder behavior differs from legitimate users

expect overlap

10
Q

What are the two main approaches to host based IDS?

A

Anomaly detection - defines normal/expected behaviour
- Threshold
- Profile
Signature detection - defines proper behaviour

11
Q

What are the limitations of IDS?

A

Detecting viruses is as hard as the halting problem
Two types of intrusion: error causing or not
Encrypted traffic is hard to analyze
Internet is too noisy, which leads to false positives

12
Q

How does buffer overflow work?

A

The attacker must first somehow identify (e.g. with tracing or fuzzing tools) the buffer overflow vulnerability in a program. The idea is to input more data to the buffer than it is supposed to handle. By overwriting the return address in the stack frame, one can get a segmentation fault or an illegal instruction error. This happens when the function returns and tries to execute instructions at the location pointed to by the return address. If the attacker used some random input, there is a very high chance that the overwritten return address will not point to a valid address inside the process address space, or that the instruction there will not be valid, and the program will crash.

13
Q

How do you run arbitrary code in a buffer overflow attack?

A

To run arbitrary code, an attacker should put executable code in the buffer that is being overflowed and overwrite the return pointer to point to the buffer. The attacker has to guess the address of the buffer to succeed. The attacker can add NOP instructions at the beginning of the buffer, then add the executable code, and then the return address. This greatly increases the chances of guessing the address, because even if the pointer does not point precisely to the beginning of the injected code but points instead to one of the NOP instructions, the NOP instructions will be executed and eventually the injected code will be executed after them.

14
Q

Explain how safe libraries work

A

Well-written and tested abstract data type libraries which centralize and automatically perform buffer management, including bounds checking, can reduce the occurrence and impact of buffer overflows. The two main building-block data types in these languages in which buffer overflows commonly occur are strings and arrays; thus, libraries preventing buffer overflows in these data types can provide the vast majority of the necessary coverage. Still, failure to use these safe libraries correctly can result in buffer overflows and other vulnerabilities; and naturally, any bug in the library itself is a potential vulnerability.

15
Q

How does a guard-page work?

A

A guard page provides a one-shot alarm for memory page access. This can be useful for an application that needs to monitor the growth of large dynamic data structures. For example, there are operating systems that use guard pages to implement automatic stack checking.

16
Q

What is stack protection?

A

Add entry and exit code to check stack for signs of corruption
Check for overwrite between local variables and saved frame pointer and return address

17
Q

What is executable address space protection?

A

In computer security, executable-space protection marks memory regions as non-executable, such that an attempt to execute machine code in these regions will cause an exception. If an operating system can mark some or all writable regions of memory as non-executable, it may be able to prevent the stack and heap memory areas from being executable. This helps to prevent certain buffer-overflow exploits from succeeding, particularly those that inject and execute code, such as the Sasser and Blaster worms. These attacks rely on some part of memory, usually the stack, being both writeable and executable; if it is not, the attack fails.

18
Q

What is address space randomization?

A

Address space layout randomization (ASLR) is a memory-protection process for operating systems (OSes) that guards against buffer-overflow attacks by randomizing the location where system executables are loaded into memory.
The success of many cyberattacks, particularly zero-day exploits, relies on the hacker’s ability to know or guess the position of processes and functions in memory. ASLR is able to put address space targets in unpredictable locations. If an attacker attempts to exploit an incorrect address space location, the target application will crash, stopping the attack and alerting the system.

19
Q

How can you prevent cross-site scripting?

A

Escape untrusted data based on output context

20
Q

How can you prevent CSRF?

A

Use CSRF tokens.

21
Q

How can you prevent SQL injection?

A

Use parameterized queries or an object-relational mapping.

22
Q

What are the OWASP Top Ten?

A
Cross-site scripting
SQL injection
Broken Authentication and Session Management
XML External Entity
Sensitive data exposure
Broken access control
Security misconfiguration
Insecure deserialization
Using components with known vulnerabilities
Insufficient logging and monitoring
23
Q

How is malware classified?

A

By either propagation or payload

24
Q

What is the difference between a worm and a virus?

A

A worm replicates itself to a system, which could be via email, a USB stick, a computer, etc. The propagation phase: it searches for a new system, connects to it and replicates itself to it, then runs.

A virus infects an existing program in order to spread. It executes secretly when the host program is run.

25
Q

What are the components of a virus?

A

infection mechanism - enables replication
modification engine - for disguise
trigger - event that makes payload active
payload - what it does, malicious or benign

26
Q

What is a Trojan horse?

A

A program that has two purposes, one obvious to the victim and one hidden.
Can be built from existing programs using wrappers or built from scratch.

27
Q

What is a logic bomb?

A

A small bit of code that triggers on a specific condition, typically with malicious results. No vector for spreading and installed directly.

28
Q

What is a trace driven side channel attack?

A

Profile the cache activities during the execution of the victim. Thus observe the cache effects of a particular operation.

29
Q

What is an access-driven side channel attack?

A

Attacker determines the cache lines accessed by the victim: By observing cache side effects of victim’s computation on the behaviour of the attacker.

30
Q

What are some practical problems for a side channel attacker?

A

Noise: Other processes may interfere
Ability to probe: The probing process can interfere
Multiple accesses make it difficult to extract secrets from eviction patterns

31
Q

What is cache partitioning good for and what problems come with it?

A

For access and trace driven attacks. Attacker can’t monitor cache access. Problems: Under-utilization of caches, Difficult for several processes.

32
Q

What is cache flushing good for and what are the problems with it?

A

Only for access driven attacks: Flush at beginning and flush at end. Problems: Attacker could prime the cache and measure execution time of the victim. Attacker could measure if something is in the cache after the execution of the victim.

33
Q

How can you introduce noise for different side channel attacks?

A

Trace and access driven: access random data. Timing: add random computations.

34
Q

What are the requirements for constant time programming?

A

Never branch on conditions that depend on High data

Never use High-dependent array indexes

35
Q

What is identity management?

A

Identity management (IdM), also known as identity and access management (IAM or IdAM), is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and Data Management. Identity and access management systems not only identify, authenticate and authorize individuals who will be utilizing IT resources, but also the hardware and applications employees need to access[1]. Identity and Access Management solutions have become more prevalent and critical in recent years as regulatory compliance requirements have become increasingly more rigorous and complex.[2] It addresses the need to ensure appropriate access to resources across increasingly heterogeneous technology environments and to meet increasingly rigorous compliance requirements.

36
Q

What is risk based security?

A

Risk-based security strategy, or RBSS, is a broad term that’s often used to describe efforts to implement a practical approach to protecting assets that really matter while avoiding spending budget on assets that don’t matter.

37
Q

What does SDCVX stand for in buffer overflow attacks?

A
[S] Access to Secret data
[D] Corruption of program Data
[C] Unexpected transfer of Control
[V] Memory access Violation
[X] EXecution of code chosen by attacker
38
Q

What does return oriented programming mean?

A

Attacker gains control of the call stack. Hijacks control flow.

Return-oriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing. In this technique, an attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences that are already present in the machine’s memory, called “gadgets”.[3] Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code.

39
Q

What is a code-reuse attack?

A

In computer security code-reuse is employed as a software exploit method. When an attacker is not able to directly input code to modify the control flow of a program, for example in presence of code injection defenses such as W⊕X, he or she can redirect the control flow to code sequences existing in memory.
Examples of code-reuse attacks are return-to-libc attack, return-oriented programming, and jump-oriented programming.

40
Q

What is instruction set randomization?

A

The idea of instruction randomization is to avoid code injection attacks. Say for example there is some vulnerable code that the attacker wishes to execute and all s/he has to do is to transfer the program control to the beginning of that code block. In a non-protected environment, once the control is transferred, the CPU will begin the execution of the code as it cannot distinguish the proper code from the vulnerable code. One “simple” thing you can do to prevent such attacks is to apply some encryption (with a key the attacker has no idea of) to the proper machine code. So in the decode stage, the proper code will first get decrypted and then decoded. Since the attacker does not know the key that is used to encrypt the proper code, their code won't succeed at the decryption stage, hence won't get executed.

41
Q

What does the polymorphic technique do to countermeasure buffer overflows?

A

Every instance of the program is different:
different order of arguments.
different number/order of local variables
different alignment of data-structures
different number of instructions
A buffer overflow in one instance can’t be used in another
Makes it difficult to predict position of functions and gadgets

42
Q

What is the goal of risk-based security?

A

To be free from unacceptable risk

Key points: Not absolute, define what this means to you and your system.

43
Q

Summarize what Access security means in terms of 5G/4G networks.

A

Summary

  • Two levels of security: Core Network and Radio Access Network
  • Compartmentalize Damage
  • Separate Core Network from Radio Access Network
  • Separate User Plane from Control Plane
  • Separate Integrity protection from Encryption
  • Refresh keys when transferring security termination points
44
Q

How can you summarize identity management in two sentences?

A

Summary from slides:

  • Global Identity Management
  • Privacy protection in form of temporary identifiers and encryption of long-term identifiers
45
Q

Describe what the user plane and control plane do in a networking context.

A

The User Plane, also called the Data Plane, carries the network user traffic. A plane, in a networking context, is one of three integral components of a telecommunications architecture. These three elements are the data plane, the control plane, and the management plane. The user plane protocol stack between the e-Node B and UE consists of the following sub-layers: PDCP (Packet Data Convergence Protocol), RLC (Radio Link Control), and MAC (Medium Access Control). The control plane includes the Radio Resource Control layer (RRC), which is responsible for configuring the lower layers. The management plane of a networking device is the element within a system that configures, monitors, and provides management, monitoring and configuration services to all layers of the network stack and other parts of the system.