Midterm - CH 1,3,4,5,6,7, 10, 11, 12

Question 1

Defensive or Secure Programming

Answer 1

the process of designing and implementing software so that it continues to function even when under attack

Question 2

injection attack

Answer 2

wide variety of program flaws related to invalid handling of input data

This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program

Question 3

command injection

Answer 3

the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server

Question 4

SQL injection

Answer 4

The user-supplied input is used to construct a SQL request to retrieve information from a database

Question 5

code injection

Answer 5

the input includes code that is then executed by the attacked system

Question 6

cross-site scripting (XSS) attacks

Answer 6

concerns input provided to a program by one user that is subsequently output to another user.

Question 7

XSS reflection vulnerability

Answer 7

The attacker includes the malicious script content in data supplied to a site

Question 8

Malware propagation mechanisms include those used by…(3)

Answer 8

viruses, worms and Trojans

Question 9

The principal objectives of computer security are to

Answer 9

prevent unauthorized users from gaining access to resources,
to prevent legitimate users from accessing resources in an unauthorized manner,
and to enable legitimate users to access resources in an authorized manner

Question 10

A consequence of a buffer overflow error is

Answer 10

corruption data used by the program,
unexpected transfer of control in the program,
possible memory access violation

Question 11

To defend against database inference attacks we can apply

Answer 11

perturbation, de-identification, anonymization

Question 12

Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the

Answer 12

verification step

Question 13

‘No write down’ is also referred to as the

Answer 13

‘*-property’

Question 14

_____ is a process that ensures a system is developed and operated as intended by the system’s security policy

Answer 14

Assurance

Question 15

____ data are data that may be derived from corporate data but that cannot be used to discover the corporation’s identity

Answer 15

Sanitized

Question 16

Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the

Answer 16

verification step

Question 17

The most important changes needed to improve system security are to ____

Answer 17

disable remotely accessible services that are not required,
ensure that applications and services that are needed are appropriately configured,
disable services and applications that are not required

Question 18

The following steps should be used to secure an OS:

Answer 18

test the security of the basic OS,
remove unnecessary services,
install and patch the OS

Question 19

form of buffer overflow attack

Answer 19

heap overflows, return to system call, replacement stack frame

Question 20

a set of automated tools designed to detect unauthorized access to a host system

Answer 20

intrusion detection system (IDS)

Question 21

A multilevel secure system for confidentiality must enforce:

Answer 21

No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property).
No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property1 (pronounced star property).

Question 22

_____ will integrate with the operating system of a host computer and monitor program behavior in real-time for malicious action

Answer 22

behavior blocking software

Question 23

intrusion management encompasses

Answer 23

intrusion detection, prevention and response

Question 24

Which of the following need to be taken into consideration during the system security planning process

Answer 24

how users are authenticated, the categories of users of the system, what access the system has to information

Question 25

______ include system corruption, bots, phishing, spyware, and rootkits.

Answer 25

Payloads

Question 26

Virus Propagation Phase

Answer 26

The virus places a copy of itself into other programs or

into certain system areas on the disk.

Question 27

Virus Triggering Phase

Answer 27

The virus is activated to perform the function for which it was intended.

Question 28

Virus Execution Phase

Answer 28

The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of
programs and data files.

Question 29

Infects files that the operating system or shell consider to be executable.

Answer 29

File Infector Virus

Question 30

An attack, that exploits social engineering to leverage user’s trust by masquerading as communications from a trusted source

Answer 30

Phishing Attack

Question 31

Is a set of programs installed on a system to maintain covert access to that
system with administrator (or root) privileges, while hiding evidence of its presence
to the greatest extent possible.

Answer 31

Rootkit

Question 32

An attempt to compromise availability

by hindering or blocking completely the provision of some service.

Answer 32

Denial-of-service (DoS) attack

Question 33

DDoS Flooding attack targets…(3)

Answer 33

Network BW, System resources, Application resources

Question 34

The ICMP echo response

packets generated in response to a ping flood using randomly spoofed source addresses is a good example.

Answer 34

Backscatter traffic

Question 35

This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.

Answer 35

DoS attach, SYN Spoofing Attack

Question 36

The attacker sends packets to a known service on the intermediary with a spoofed source address
of the actual target system. When the intermediary responds, the response is sent to
the target.

Answer 36

Reflection Attack

Question 37

Involve sending a<br></br>packet with a spoofed source address for the target system to intermediaries. They<br></br>differ in generating multiple response packets for each original packet sent. This can<br></br>be achieved by directing the original request to the broadcast address for some network.

Answer 37

Amplification Attacks

Question 38

Can be deployed as operating systems updates to provide some protection for existing vulnerable programs. These defenses involve changes to the memory management of the virtual address space of processes.

Answer 38

Run_time Defenses

Question 39

Most commonly<br></br>the address of a standard library function is chosen, such as the system() function. The attacker specifies an overflow that fills the buffer, replaces the saved<br></br>frame pointer with a suitable address, replaces the return address with the address of the desired library function, writes a placeholder value that the library function will believe is a return address, and then writes the values of one (or more) parameters to this library function.

Answer 39

return to system call attack

Question 40

If the allocated space includes a pointer to a
function, which the code then subsequently calls, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer.

Answer 40

Heap Buffer Overflow

Question 41

The process of designing and implementing
software so that it continues to function even when under attack. Software written using this process is able to detect erroneous conditions resulting from
some attack, and to either continue executing safely, or to fail gracefully.

Answer 41

Defensive Programming

Question 42

This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program.

Answer 42

Injection Attack

Question 43

When the input is used in the
construction of a command that is subsequently executed by the system with the
privileges of the Web server.

Answer 43

Command Injection Attack

Question 44

In this attack, the user-supplied input is used to construct a SQL request to retrieve information
from a database.

Answer 44

SQL Injection Attack

Question 45

This is a software testing technique that uses randomly generated data as inputs to a program. The intent is to determine whether the program or function
correctly handles all such abnormal inputs or whether it crashes or otherwise fails to respond appropriately.

Answer 45

Input Fuzzing

Question 46

This strongly suggests that programs should execute with the least amount of privileges needed to complete their function.

Answer 46

Principle of Least Privilege

Question 47

A process that includes planning, installation, configuration, update, and maintenance
of the operating system and the key applications in use,

Answer 47

Hardening a System

Question 48

3 Steps to hardening a base OS

Answer 48

• Removing unnecessary services, applications, and protocols.
• Configuring users, groups, and permissions.
• Configuring resource controls.

Question 49

Which restricts the server’s view of the file system to just a specified portion. Files in directories
outside the __________ are not visible or reachable at all.

Answer 49

Chroot Jail

Question 50

Refers to a technology that provides an abstraction of the computing resources used by some software, which thus runs in a simulated environment
called a virtual machine (VM).

Answer 50

Virtualization

Question 51

A bot is a computer compromised by malware and under the control of a bot master (attacker).

Answer 51

TRUE

Question 52

Characteristics of APT include _(3)_____.

Advanced Persistent Threats

Answer 52

A. Using zero-day exploit
B. Low-and-slow
C. Targeting high-value data

Question 53

The best defense against being an unwitting participant in a DDoS attack

Answer 53

prevent your systems from being compromised

Question 54

Both static and dynamic analyses are needed in order to fully understand malware behaviors

Answer 54

True

Question 55

A Botnet can use _______ for command-and-control.

Answer 55

A. Email
B. HTTP
C. IRC

Question 56

In a ______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.

Answer 56

DNS amplification

Question 57

APT attacks

Answer 57

Boy in the middle–covertly changes a computer’s network routing
Clickjacking–web users unknowingly click on something that is not as it is portrayed.
Man in the Browser–Modifies web pages covertly
Man in the middle–Eavesdrops
Keyloggers–covertly records keystrokes

Question 58

Takes advantage of a previously unknown weakness or vulnerability in a system.

Answer 58

Zero-Day Exploit

Question 59

APT Lifecycle

Answer 59

• -Define target
• -Research target infrastructure/employees
• -Test for detection
• -deployment
• -establish outbound connections
• -exfiltrate data
• -remain undetected
• -Repeat

Question 60

Advanced Persistent Threat (APT)

Answer 60

Advanced: Use special malware
Persistent: Long-term presence, multi-step, low-and-slow
Threat: Data targeted is high value

Tend to target specific organizations

Question 61

Examples of Attacks/Frauds by botnets

Answer 61

• -Spam
• -DDOS
• -Click fraud
• -Phishing and Pharming
• -Keylogging and data/ID theft
• -Key/password cracking
• -Anonymized terrorist and criminal communication
• -Cheat in online games and polls

Question 62

Why DDoS attack?

Answer 62

Why DDoS attack?

• -Attacker does not need to use his own computer
• -So many computers involved in the attack, it is difficult to distinguish legitimate from malicious traffic

Question 63

C&C design

Answer 63

• -Must be efficient and reliable
• -Stealthy
• -Resilient

Question 64

T/F: The botmasters prefer dynamic DNS servers

Answer 64

True: Because of the frequent change between domain name and IP address.

Question 65

Anomaly detection

Answer 65

The way the bots look up a domain suggest the domain is most likely used for C&C.

Question 66

What can be done when the anomaly is detected?

Answer 66

Map the domain name to a sinkhole

Question 67

What is the advantage of the sinkhole?

Answer 67

Researchers can discover where the bots are in the net.

Question 68

Malware analysis: Static Analysis

Answer 68

Attempts to understand what a malware instance would do if executed.

Question 69

Malware analysis: Dynamic Analysis

Answer 69

Attempts to understand what a program does when executed.

Question 70

Different granularities of analysis

Answer 70

Fine-grained: Looking at instruction by instruction

Coarse-grained: looking at function calls

Question 71

Malware Obfuscation: Packing

Answer 71

A technique whereby parts or all of an executable file are compressed, encrypted or transformed in some fashion.

Question 72

T/F: Can use signatures to detect packing.

Answer 72

False: A number of legitimate programs use packing/unpacking

Question 73

Types of malware: Needs a Host

Answer 73

trap doors, logic bombs, trojan horses, viruses, browser plug-ins, extensions, scripts

Question 74

Types of malware: Independent

Answer 74

Worms, botnets, APT

Question 75

Trojan Horses

Answer 75

Hidden in an apparently useful host program

Question 76

Virus

Answer 76

Infect a program by modifying it. Can self copy

Question 77

4 Stages of a Virus

Answer 77

• -Dormant phase: Program infected, but virus has not been triggered
• -Propagation phase: Virus is being spread
• -Triggering phase: When the host program is run, the virus is run.
• -Execution phase: When the virus runs and performs malicious activities. (also looks to spread)

Question 78

Email attachment that when opened will be sent to all people in address book

Answer 78

virus

Question 79

Keyboard app that logs user input and sends it to the attacker

Answer 79

trojan horse

Question 80

Virus Structure

Answer 80

Virus code has to be physically inserted into the program code. The virus code runs first, then the original program. virus code may run last, too, to do any clean up. Program needs to run cleanly to avoid detection.

Question 81

Types of viruses

Answer 81

Parasitic virus: scan/infect programs
Memory-resident virus: infect running programs
Boot sector virus: Runs when the system is booted
Macro virus: executable program embedded in a word processing document; triggered when doc opened
Polymorphic virus: encrypt part of the virus program using randomly generated key

Question 82

Rootkit

Answer 82

Resides in OS. Modifies OS code and data structure. Can hide itself by manipulating functions that list directory contents.

Question 83

T/F: Linux, iOS, Windows, and Android have all been infected by rootkits

Answer 83

True

Question 84

Rootkit facts

Answer 84

• -All OSes can be affected
• -Can modify hidden and read-only files
• -Can spread in any form
• -Cannot remain in memory after reboot, but since it is a part of the OS, it will return with the OS is restarted
• -Rootkits cannot affect HW that does not have FW
• -Rootkits are always malevolent

Question 85

Worms

Answer 85

Use network connections to spread from system to system.

Question 86

Malware Prevention and Detection

Answer 86

Prevention: Limit contact to outside world
Detection/Identification
Removal
Prevention hampers productivity, so detection is preferred.

Question 87

4 Generations of anti-virus software

Answer 87

Simple scanners–use signatures of known viruses. not effective against polymorphic viruses
Heuristic scanners–Integrity checking (checksum). Can be defeated by compressing file to have the same size as the pre-infection file.
Activity traps: Look for specific activities that malware performs. Not effective against newer malware.
Full-featured analysis: State of the art. Host-based, network-based, and sandbox-based.

Question 88

Why are signature-based anti-virus solutions still used?

Answer 88

• -Efficient
• -Effective against known malware
• -good first line of defense

Question 89

Importance of DB security

Answer 89

• -Databases store massive amounts of sensitive data
• -Data has structure that influences how it is accessed
• -Accessed via queries or programs written in languages like SQL
• -Transactional nature of queries (done completely or not done at all)
• -Derived data or database views

Question 90

Who are the biggest threats to DB?

Answer 90

Insiders and unauthorized users

Question 91

Databases are attractive to users because

Answer 91

• -they store info that is easily monetized
• -they store info about a lot of users
• -query languages used to access data can be abused

Question 92

RDBS table

Answer 92

RDBS table

A table is defined by a schema and consists of tuples

Question 93

DB Access Control

Answer 93

GRANT or REVOKE

Question 94

Privileges

Answer 94

SELECT, INSERT, UPDATE, or DELETE

Question 95

Defenses against inference attacks

Answer 95

• -Do not allow aggregate query results when the set of tuples selected is either too small or too large (Perturbation)
• -De-identification: transform data by removing identifying info.
• -Anonymization: replace exact values with a more general values

Question 96

Mandatory Access Control (MAC)

Answer 96

Is not at the user discretion. Solves the problem of information control. Company decides who has access to data.

Question 97

What is needed to implement MAC?

Answer 97

Labels are a key requirement. They indicate sensitivity and/or category of data. Indicate clearance/need-to-know requirements

Question 98

Labels also have a _______

Answer 98

Compartment.

Question 99

T/F
L1 = (TS, {A,B,C})
L2=(S,{B,C})
L3=(S,{B,C,D})
L1 > L3

Answer 99

False
L1 > L2
L2 < L1
L1 and L3 are not comparable.

Question 100

Bell and La Padua (BLP) Model

Answer 100

Developed by the DoD

Assumes classification of data and clearances for subjects

Question 101

BLP Read/Write rules

Answer 101

Read-down rule (ss-property): user with label L1 can read the document with L2 only when L1 dominates L2
Write-up rule (*-property): User with label L1 can write document with label L2 when L1 is dominated by L2.

Question 102

Tranquility Principle

Answer 102

States that classification of a subject or object does not change during a session.

Question 103

Clark-Wilson Policy

Answer 103

Users should be able to access certain programs

usser -> program -> obj

Question 104

T/F: RBAC is an example of MAC

Answer 104

True. Only the company can decide roles of its employees.

Question 105

BLP-like models

Answer 105

SELinux and SCOMP

Question 106

problems with DAC

Answer 106

• information flow problem (cannot control that if someone has access to a file would further share the contain of it)
• in many organizations, the user does not get to decide how/who to share

Question 107

label in MAC

Answer 107

• indicate sensitivity/category/clearance/need-to-know
• TCB associates labels with object/user
• exact nature of label depends on model/policy

Question 108

biba vs BLP

Answer 108

• biba focuses on integrity while BLP focuses on confidentiality
• biba read up, write down

Question 109

trusting software

Answer 109

• functional correctness
• maintain data integrity
• protect disclosure of sensitive data
• confidence

Question 110

TCB design principles (6)

Answer 110

• least privilege for users/programs
• economy: keep trusted code as small as possible
• open design: obscurity doesn’t work
• complete mediation
• fail safe default
• easy of use

Question 111

how to build a TCB

Answer 111

• authentication

- access control (MAC & DAC)

Question 112

how to protect data in OS

Answer 112

it needs to protect itself (tamperproof)

Question 113

data protection security features of trusted OS

Answer 113

• object reuse protection
• disk blocks, mem reuse
• allocate disk or mem, then look to see what’s left behind
• zero out objs before use
• secure file deletion
• secure disk destruction

Question 114

kernel design requirements

Answer 114

• enforce all sec mechanisms
• good isolation, small size
• reference monitor controls access to objects
• tamperproof
• un-bypassable
• analyzable

Question 115

use of testing

Answer 115

• demonstrate the existence of problem

Question 116

testing challenge

Answer 116

• test case generation
• code coverage
• exponential number of different executions
• different execution environments

Question 117

formal verification

Answer 117

• checking a mathematical specification of a program
• model checking, automated theorem proving
• exponential time & space complexity

Question 118

T/F: model checking can show absence of a problem

Answer 118

True. Model checking is a form of formal verification.

Question 119

Two parts to Access Control

Answer 119

1. Decide who should have access to certain resources. An access control policy.
2. Enforcement–only accesses defined by the access control policy are granted

Question 120

Access Control Matrix (ACM)

Answer 120

• abstract state: rows-users, column-resources
• ACM[U,O] defines what access right user U have on object O

Rows correspond to sources of the request (users/subjects/groups)
Columns correspond to the resources that need protected

Question 121

Discretionary Access Control

Answer 121

Access is at the discretion of its owner. Owner can grant access to other users and also allow or not allow the other users to propagate this access.

Question 122

Access Control List (ACL)

Answer 122

Columns for an object that define each users rights of that object.

handle access to object Oi (column wise)

Question 123

Capability List (C-List)

Answer 123

Capability List (C-List)
Rows for a user that define that user's rights for each object.

• handle right of user Ui (row wise)

Question 124

Where should ACL be stored?

Answer 124

• -In trusted part of system
• -Consists of access control entries
• -Should be stored along with other object meta-data
• -Checking requires traversal of the ACL

Question 125

Where should C-List be stored?

Answer 125

• -It is per user
• -A capability is an unforgeable reference/handle for a resource
• -User catalogue of capabilities defines what a certain user can access
• -Can be stored in objects/resources themselves

Question 126

ACL vs C-List

Answer 126

Efficiency–ACL are not as efficient as C-List
Accountability–Can be found easily in ACL. With C-List, each user’s catalog must be checked to see if access ok.
Revocation–Revoking access in ACL is easy

Most OS uses ACL

Question 127

How does OS implement ACL?

Answer 127

The OS keeps track of info about each file and its metadata, called an i-node. Open files are stored in the meta-data table. The file must be active.

Question 128

Role Based Access Control (RBAC)

Answer 128

The access rights are associated by roles/jobs. Users can have more than one role.

Question 129

RBAC benefits

Answer 129

• -Policy need not be updated when a certain person leaves
• -new employee should be able to activate the desired role.
• -Start with minimum access

SELinux supports RBAC

Question 130

Fail-safe defaults

Answer 130

mplies that when an access control policy is silent about access to a certain user, that access must be denied.

Question 131

a capability in C-list

Answer 131

• unforgeable reference/handle for a resource

- user catalog of capabilities define defines what a certain user can access.

Question 132

hydra

Answer 132

store c-list in objs, resources themselves

Question 133

how sharing happens?

Answer 133

create new ACE, and add access right to that

Question 134

most OS use ACL or C-list? why?

Answer 134

ACL, which is good for accountability and revocation. C-list is only good for efficiency

Question 135

a movie ticket is a capability or access control entry?

Answer 135

capability (holder get access)

Question 136

when does access check for ACE stop?

Answer 136

neg/deny found or transverse the whole list

Question 137

how is access control implemented in unix

Answer 137

• each resource look like a file
• each file has an owner
• each file can possibly be accessed by owner, group or everyone
• permission r,w,x
• ACL implemented using bitmap, 9 bits

Question 138

how does OS implement ACL?

Answer 138

• process call open file
• openfile table get i (index) from i-node table and return to the process
• ACL bit is stored at the same location on i-node table. This will grant access and point to the file data.

Question 139

TOCTOU (time to check time to use) vulnerability

Answer 139

permission changed between checking and using

Question 140

in unix, you can share the file by sharing the file descriptor

Answer 140

false

Question 141

setuid bit set

Answer 141

the uid of the process will be the owner

Question 142

Botnet command-and-control must be centralized, i.e., all bots communicate with a central server(s).

Answer 142

False “Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure.”

Question 143

what is authentication?

Answer 143

• who are you? prove it!
• the process making the request does it on behalf of a certain user, subject, or principal.
• claims & verification about the identity.

Question 144

what is authorization?

Answer 144

Does this requester have permission to access this resource?

Question 145

Authentication goals

Answer 145

Availability: When the correct credentials are presented, the resources should be made available.
No false negatives: A false negative is when a process presents the correct credentials, but access is denied.
No false positives: A false positive is if the incorrect credentials are presented, but access is given.

Question 146

How is authentication implemented?

Answer 146

Something only the user knows: password, pin
Something the user has: token, smart card, etc.
Something the user is: fingerprint, iris scan, etc.

Question 147

To authenticate

Answer 147

1. capture evidence
2. compare it
3. authenticate it

Question 148

Examples of threats to authentication system

Answer 148

• -guessing PW
• -impersonating a real login program (ie a trojan horse)
• -keylogging: grabs keystrokes to record password

Question 149

Trusted Path

Answer 149

Connection between the user and the TCB. Should be provided by the OS and hardware.

Question 150

Trusted Login Path

Answer 150

Keyboard and display must have trusted paths to OS

Question 151

Hash function threats

Answer 151

• if we know the common passwords, we can figure out their hash
• for dictionary and offline attacks, we have the dict and plenty of time (online system can stop the attack after a certain amount of trials)

Question 152

false negative

Answer 152

negative outcome was generated falsely

Question 153

how to reduce work for brute force attack?

Answer 153

• try popular password first

- rainbow table lookup

Question 154

problem with tokens

Answer 154

• must have them
• may require additional hardware
• need user to confirm identity (challenge/response)
• cost & misplaced trust

Question 155

Operating Systems Definition

Answer 155

Hardware: I/o…Memory….CPU
Operating Systems: Windows or Android, etc
Applications run on operating system

Question 156

Operating Systems’ uses

Answer 156

• Makes it easier to use resources. Allows for high-level abstractions ­like files
  ­- Hardware is controlled by the OS
  ­- Provides isolation ­(each process believes it is the only one running on the system)

Question 157

TCB

Answer 157

trusted computing base/kernel

• The operating system has direct control of the hardware resources.
• The OS must determine who is an authorized user of the resources.

Question 158

TCB (trusted computing base) Requirements

Answer 158

• Complete mediation ­: the OS comes between the hardware resources and applications. The OS must make sure the application has the necessary authorizations.
• The OS must be tamperproof.
• The OS must be correct­­: the protected resources are used properly.

Question 159

OS controls access to protected resources by?

Answer 159

­- Establish the source of the request (authentication - who?)
­- Authorization or access control ­ does the source of the request have the right to access the resource.
- The OS follows the policies for authorization and authentication

Question 160

what is a system call?

Answer 160

• ask the OS for (access to) resources.
• is often called protected procedure call
• go through call gates (controlled/defined fashion)

Question 161

why does system call have higher cost?

Answer 161

• user domain to OS domain (control transfer)

Question 162

How can we trust OS?

Answer 162

• hardware support memory protection

- processor execution modes/rings (system & user)

Question 163

what is system call instruction in x86

Answer 163

sysenter/sysexit

Question 164

how does TCB ensure complete mediation?

Answer 164

• make sure no protected resources could be accessed w/o going through the TCB
• TCB acts as a reference monitor that cannot be bypass

Question 165

how does the OS ensure complete mediation?

Answer 165

• virtualizes physical resources and provides API
• file for storing persistent data on disk
• virtual resources must be translated to physical resource handle

Question 166

how does TCB ensure correctness?

Answer 166

• secure coding with type safe language

Question 167

Virtualization helps with limiting the damage caused by a compromised OS by…

Answer 167

• -Using a hypervisor between OS and hardware

- -VMs on top of hypervisor have their own OS and apps (isolation)

Question 168

Logical addresses are stored on ____

Physical addresses are stored on _____

Answer 168

pages

frames