Security Flashcards
What is security?
Maintaining desired properties in the presence of adversaries
What does the CIA Model stand for?
Confidentiality - Info is only disclosed to authorized people
Integrity - Info is modified in allowed ways by authorized parties & do what is expected
Availability - Those authorized for access are not prevented from it
What is an example of each issue in CIA?
C - information leaks
I - Data Corruption
A - Denial of service
CIA - Remote execution
What are some attack vectors in buggy software?
XSS, SQL Injection, Buffer Overflow, Path Replacement, Integer Overflow, Race Conditions, Unsanitized Format Strings
Why do security issues slip through despite our testing? What can we do about it?
We cannot test everything
Concessions form part of an attack surface
We need additional policies and testing methods specifically for security
What are 3 groups of attacks?
Insecure Interaction
Risky Resource management
Porous Defenses
In regards to unsafe memory, what can a dangling or out of bounds pointer cause?
Code corruption due to change in code
Control Flow Hijack due to change in code pointer
Data Only Attack due to change in data
Info Leak by just outputting data
How can we prevent code corruption? What problems could this create?
Use the NX bit to make something executable not writeable and vice versa.
This could be incompatible with JITs or JavaScript on the web
How can we prevent control flow hijacking? What are the issues for these methods?
Include a stack canary in your stack. If it is modified, abort immediately. Issue: Hacker could leak canary before hijacking
Data Execution Prevention (DEP). If the injected code is above the return address in the stack, abort execution because it’s writeable, but not executable. Issue: Can be turned off and hijacker can use existing code
What is return oriented programming?
Build new functionality from pieces of existing functions
What is address space layout randomization? Why is it easily broken?
Randomizing locations of certain addresses in the stack.
Leaking a single address of libc, for example, means everything in libc can be used
What is control flow integrity?
Restricting indirect control flow to needed targets. Say it’s valid to only go to certain locations by analysing the source code.
“if this is a function pointer, here are the functions it can point to”
This is a defense analogous to stack canaries
Vulnerabilities mostly come from ______, ______, and _______
reading, writing, freeing
In Java, memory vulnerabilities are not a big issue due to what? However, you can still execute unsafe code since most code today is not written in a single language.
Managed memory + bounds checking on pointers
What is a SQL injection?
Injecting executable SQL when a program prompts you for values that will be put into a table
How can we prevent SQL injections?
By sanitizing inputs:
Sanitizing APIs
ORMs
Using abstractions that design error away (when you generate code in another language)
What is a side channel attack?
Inferring secret information about a system based on implementation details
In side channel attacks, where can leaks come from?
output, timing, power, sound, light
Why does the following code expose a side channel attack?
def still_bad(greeting, sensitive):
    if sensitive:
        log_to_nonsensitive(greeting)
The value of the sensitive info can be inferred by the existence of the nonsensitive information
Why does the following code expose a side channel attack?
def subtly_bad(greeting, sensitive):
    if sensitive:
        expensive_computation()
    log_to_nonsensitive(greeting)
The difference in execution time can be used to infer the existence of sensitive information
What was the fundamental premise behind Spectre?
Side channel attacks. Specifically, timing the difference in misspeculations
What is access control policy?
Rules put in place to enforce who can read/write what things
What is the difference between discretionary and mandatory access control?
Discretionary: Owner determines access
Mandatory: Clearance determines access
How can we assure security?
- Make risky operations someone else’s job (Google Pay, PayPal, etc.)
- Define rigorous security policies based on CIA
- Follow secure design and coding policies and include them in your review criteria
- Get formal certification
What are some proactive approaches to security?
Security must be a part of design
Regular security audits
Penetration testing
What should someone do when they find a vulnerability?
- Report them to the developer/organization, not to the public immediately
- Time should be given for the devs to fix an issue, but it should also be reported to the public eventually