Midterm Flashcards
Access Control Policies
- Discretionary Access Control
- Mandatory Access Control
- Role based (RBAC)
- Attribute based (ABAC)
Example of DAC
Unix file mode (read, write, execute)
Subject
an entity capable of accessing objects
Object
a resource to which access is controlled
MAC
Access is granted based on comparing subject security clearances to security labels on objects
DAC
Allows user to access a resource as well as by own volition enable another entity to access the same resource
Access Control Matrix
Objects vs Subjects (each box contains permissions like own, read, write, etc…)
RBAC
Access is granted based on what roles users have inside the system and what permissions those roles carry
ABAC
Controls access based on user attributes, resource to be accessed, and environmental conditions
Permitted Set
Limiting superset of a thread’s effective capabilities (capabilities a thread MAY assume)
Inheritable Set
Set of capabilities preserved across an execve
Effective Set
This is the set of capabilities used by the kernel to perform permission checks for the thread.
Weird machine
Computational artifact where additional code execution can happen outside the specification of the program
Three malware propagation techniques
- Infection of an existing executable or interpreted content by viruses
- exploit of software vulnerabilities either locally or over a network by worms or drive-by-downloads
- social engineering attacks that convince users to bypass security mechanisms to install trojans or respond to phishing attacks.
Virus
Malware that tries to replicate itself into other executable code
Worms
Independent program that propagates itself onto hosts through a network
Trojan Horse
A program that appears to have a useful function, but has a hidden malicious function
Bots
malware that subverts the computational and network resources of the infected system for the use of the attacker
Spyware
General monitoring of a system to gain useful knowledge
Rootkits
Set of programs installed on a system to maintain covert access to system with root privileges, while hiding evidence of its presence
Non executable memory
Marks memory regions as non-executable
Return to LibC Attack
Inserting an existing binary’s address into the return address (don’t need to inject own code)
Reverse engineering
Reverse engineering is the process of extracting the knowledge or design blueprints
from anything man-made
White box analysis
Looking at source code for vulnerability or algorithm details
Grey box analysis
Looking at low-level implementation with inferred abstractions
Black box analysis
Using only input and output relations, make conclusion about how system behaves
Static analysis
Looking at the code without executing program
Dynamic analysis
Looking at what code does by stepping through its execution
Static analysis example
Sign analysis to check for division by zero (among others)
Dynamic analysis example
Assertions to check for conditions that halt execution if not met
Economy of Mechanism
Security mechanisms should be as simple as possible
Fail-safe defaults
Base access decisions based on permission rather than exclusion
Complete mediation
Every access to every object must be checked for authority
Open Design
The design should not be a secret
Separation of Privilege
Divide a program into parts that are given necessary privileges only when needed
Least privilege
Give user least privileges necessary to do the job
Least Common Mechanism
Minimize the amount of mechanism common to more than one user and depended on by all users
Psychological Acceptability
It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly.
Least Astonishment
Users should not be astonished at the way a feature behaves
Security Implementation Strategy
- Identify
- Prevent
- Detect
- Respond
- Recover
Why were setuid and setgid deemed necessary?
To allow users to execute files with temporarily elevated rights.
How to find set-uid programs
$ find /usr/bin /usr/lib -perm /4000 -user root
How is Malware classified?
1) Propagation method
2) Payload type
Why was Slammer’s propagation so fast?
It used UDP (no handshakes)
Anomaly-based Intrusion Detection
Detects both network and computer intrusions and misuse by monitoring system activity and classifying it as either normal or anomalous
Signature-based Intrusion Detection
Scans files for known malware “signatures” (most anti-virus today)
Advantages of Anomaly-based Intrusion Detection
Good for unknown attacks
Advantages of Signature-Based Intrusion Detection
- Few false positives
- Model construction
Disadvantages of Anomaly-based Intrusion Detection
- Higher false positives
- Model construction
Disadvantages of Signature-Based Intrusion Detection
- Hard to defend against unknown attacks
- Polymorphic attacks
Intrusion Detection Approaches
- Host-based
- Network-based
- Hybrid
Host-based IDS
- OS Audits
- Program execution monitoring
- Memory evaluation
Network-based IDS
- Deploy strategic network sensors
- Inspect network traffic
- Monitor user activities
Confidentiality
Preserving authorized restrictions on information access and disclosure
Integrity
Guard against improper data modification
Availability
Ensuring timely, reliable access to information
Bug
A flaw in code
Vulnerability
Exploitable bug
Exposure
Bug that reveals info that can then be used to penetrate system
Threat
Potential security harm
Exploit
A threat that uses a vulnerability/exposure to violate system security
Security Implementation: Identify
Develop institutional understanding to manage cybersecurity risk to systems, assets, data, etc…
What data is stored in the iNode?
All data about a file except name and and actual data (owner, permissions, size, date, etc…)
Common characteristic of memory corruption exploits
Inserting crafted address into EIP
Main bug allowing memory corruption exploits
No range checking on inputs
Stack Guard
Inserts canaries to verify integrity
Data Execution Prevention (DEP)
Kernel enforces that no data can be executed as code
ASLR stands for
Address Space Layout Randomization
What does ASLR do?
Randomly re-arranges address space positions of key process data regions
ASLR Entropy
19 bits
How to execute a return-to-libc
- Overwrite return addr to “system()”
- Overwrite next 4-bytes with “exit()”
- Overwrite next 4-bytes with “/bin/sh”
4 authentication methods:
Something a user:
1) Knows
2) Has
3) Is
4) Does
2-Step Verification is an example of
Have
In Linux, user account data is stored in
/etc/passwd
In Linux, hashed passwords are stored in
/etc/shadow
2^10
1024
2^20
1M
2^30
1B
Rainbow Table
Precomputes H(Dictionary) to speed up comparisons
How to defeat rainbow table attack
Use a salt
What’s in the shadow file
UserID :: Password(alg, salt, hash) :: other shit
