Security

Question 1

What is security?

Answer 1

Maintaining desired properties in the presence of adversaries

Question 2

What does the CIA Model stand for?

Answer 2

Confidentiality - Info is only disclosed to authorized people
Integrity - Info is modified in allowed ways by authorized parties & do what is expected
Availability - Those authorized for access are not prevented from it

Question 3

What is an example of each issue in CIA?

Answer 3

C - information leaks
I - Data Corruption
A - Denial of service
CIA - Remote execution

Question 4

What are some attack vectors in buggy software?

Answer 4

XSS
SQL Injection
Buffer Overflow
Path Replacement
Integer Overflow
Race Conditions
Unsanitized Format Strings

Question 5

Why do security issues slip through despite our testing? What can we do about it?

Answer 5

We cannot test everything
Concessions form part of an attack surface

We need additional policies and testing methods specifically for security

Question 6

What are 3 groups of attacks?

Answer 6

Insecure Interaction
Risky Resource management
Porous Defenses

Question 7

In regards to unsafe memory, what can a dangling or out of bounds pointer cause?

Answer 7

Code corruption due to change in code
Control Flow Hijack due to change in code pointer
Data Only Attack due to change in data
Info Leak by just outputting data

Question 8

How can we prevent code corruption? What problems could this create?

Answer 8

Use the NX bit to make something executable not writeable and vice versa.
This could be incompatible with JITs or JavaScript on the web

Question 9

How can we prevent control flow hijacking? What are the issues for these methods?

Answer 9

Include a stack canary in your stack. If it is modified, abort immediately. Issue: Hacker could leak canary before hijacking
Data Execution Prevention (DEP). If the injected code is above the return address in the stack, abort execution because it’s writeable, but not executable. Issue: Can be turned off and hijacker can use existing code

Question 10

What is return oriented programming?

Answer 10

Build new functionality from pieces of existing functions

Question 11

What is address space layout randomization? Why is it easily broken?

Answer 11

Randomizing locations of certain addresses in the stack.

Leaking a single address of libc, for example, means everything in libc can be used

Question 12

What is control flow integrity?

Answer 12

Restricting indirect control flow to needed targets. Say it’s valid to only go to certain locations by analysing the source code.
“if this is a function pointer, here are the functions it can point to”
This is a defense analogous to stack canaries

Question 13

Vulnerabilities mostly come from ______, ______, and _______

Answer 13

reading, writing, freeing

Question 14

In Java, memory vulnerabilities are not a big issue due to what? However, you can still execute unsafe code since most code today is not written in a single language.

Answer 14

Managed memory + bounds checking on pointers

Question 15

What is a SQL injection?

Answer 15

Injecting executable SQL when a program prompts you for values that will be put into a table

Question 16

How can we prevent SQL injections?

Answer 16

By sanitizing inputs:
Sanitizing APIs
ORMs
Using abstractions that design error away (when you generate code in another language)

Question 17

What is a side channel attack?

Answer 17

Inferring secret information about a system based on implementation details

Question 18

In side channel attacks, where can leaks come from?

Answer 18

output
timing
power
sound
light

Question 19

Why does the following code expose a side channel attack?

def still_bad(greeting, sensitive):
if sensitive:
log_to_nonsensitive(greeting)

Answer 19

The value of the sensitive info can be inferred by the existence of the nonsensitive information

Question 20

Why does the following code expose a side channel attack?

def subtly_bad(greeting, sensitive):
if sensitive:
expensive_computation()
log_to_nonsensitive(greeting)

Answer 20

The difference in execution time can be used to infer the existence of sensitive information

Question 21

What was the fundamental premise behind Spectre?

Answer 21

Side channel attacks. Specifically, timing the difference in misspeculations

Question 22

What is access control policy?

Answer 22

Rules put in place to enforce who can read.write what things

Question 23

What is the difference between discretionary and mandatory access control?

Answer 23

Discretionary: Owner determines access
Mandatory: Clearance determines access

Question 24

How can we assure security?

Answer 24

• Make risky operations someone else’s job (google pay, paypal, etc)
• Define rigorous security policies based on CIA
• Follow secure design and coding policies and include them in your review criteria
• Get formal certification

Question 25

What are some proactive approaches to security?

Answer 25

Security must be a part of design
Regular security audits
Penetration testing

Question 26

What should someone do when they find a vulnerability?

Answer 26

• Report them to the developer/organization, not to the public immediately
• Time should be given for the devs to fix an issue, but should also be reported to the public eventually