Test 1 - Final Prep Flashcards
Defensive or Secure Programming
the process of designing and implementing software so that it continues to function even when under attack
injection attack
wide variety of program flaws related to invalid handling of input data. This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program
command injection
the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server
SQL injection
The user-supplied input is used to construct a SQL request to retrieve information from a database
code injection
the input includes code that is then executed by the attacked system
cross-site scripting (XSS) attacks
concerns input provided to a program by one user that is subsequently output to another user.
XSS reflection vulnerability
The attacker includes the malicious script content in data supplied to a site
Malware propagation mechanisms include those used by…(3)
viruses, worms and Trojans
The principal objectives of computer security are to
prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner
A consequence of a buffer overflow error is
corruption of data used by the program, unexpected transfer of control in the program, possible memory access violation
To defend against database inference attacks we can apply
perturbation, de-identification, anonymization
Presenting or generating authentication information that corroborates the binding between the entity and the identifier is the
verification step
‘No write down’ is also referred to as the
‘*-property’
_____ is a process that ensures a system is developed and operated as intended by the system’s security policy
Assurance
____ data are data that may be derived from corporate data but that cannot be used to discover the corporation’s identity
Sanitized
The most important changes needed to improve system security are to ____
disable remotely accessible services that are not required, ensure that applications and services that are needed are appropriately configured, disable services and applications that are not required
The following steps should be used to secure an OS:
test the security of the basic OS, remove unnecessary services, install and patch the OS
form of buffer overflow attack
heap overflows, return to system call, replacement stack frame
a set of automated tools designed to detect unauthorized access to a host system
intrusion detection system (IDS)
A multilevel secure system for confidentiality must enforce:
No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property). No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property (pronounced star property).
_____ will integrate with the operating system of a host computer and monitor program behavior in real-time for malicious action
behavior blocking software
intrusion management encompasses
intrusion detection, prevention and response
Which of the following need to be taken into consideration during the system security planning process
how users are authenticated, the categories of users of the system, what access the system has to information
______ include system corruption, bots, phishing, spyware, and rootkits.
Payloads
Virus Propagation Phase
The virus places a copy of itself into other programs or into certain system areas on the disk.
Virus Triggering Phase
The virus is activated to perform the function for which it was intended.
Virus Execution Phase
The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Infects files that the operating system or shell consider to be executable.
File Infector Virus
An attack that exploits social engineering to leverage a user's trust by masquerading as communications from a trusted source
Phishing Attack
A set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, while hiding evidence of its presence to the greatest extent possible.
Rootkit
An attempt to compromise availability by hindering or blocking completely the provision of some service.
Denial-of-service (DoS) attack
DDoS Flooding attack targets…(3)
Network BW, System resources, Application resources
The ICMP echo response packets generated in response to a ping flood using randomly spoofed source addresses are a good example.
Backscatter traffic
This attacks the ability of a network server to respond to TCP connection requests by overflowing the tables used to manage such connections.
DoS attack, SYN Spoofing Attack
The attacker sends packets to a known service on the intermediary with a spoofed source address of the actual target system. When the intermediary responds, the response is sent to the target.
Reflection Attack
Involve sending a packet with a spoofed source address for the target system to intermediaries. They differ in generating multiple response packets for each original packet sent. This can be achieved by directing the original request to the broadcast address for some network.
Amplification Attacks
Can be deployed as operating systems updates to provide some protection for existing vulnerable programs. These defenses involve changes to the memory management of the virtual address space of processes.
Run-time Defenses
Most commonly the address of a standard library function is chosen, such as the system() function. The attacker specifies an overflow that fills the buffer, replaces the saved frame pointer with a suitable address, replaces the return address with the address of the desired library function, writes a placeholder value that the library function will believe is a return address, and then writes the values of one (or more) parameters to this library function.
return to system call attack
If the allocated space includes a pointer to a function, which the code then subsequently calls, an attacker can arrange for this address to be modified to point to shellcode in the overwritten buffer.
Heap Buffer Overflow
The process of designing and implementing software so that it continues to function even when under attack. Software written using this process is able to detect erroneous conditions resulting from some attack, and to either continue executing safely, or to fail gracefully.
Defensive Programming
This problem occurs when program input data can accidentally or deliberately influence the flow of execution of the program.
Injection Attack
When the input is used in the construction of a command that is subsequently executed by the system with the privileges of the Web server.
Command Injection Attack
In this attack, the user-supplied input is used to construct a SQL request to retrieve information from a database.
SQL Injection Attack
This is a software testing technique that uses randomly generated data as inputs to a program. The intent is to determine whether the program or function correctly handles all such abnormal inputs or whether it crashes or otherwise fails to respond appropriately.
Input Fuzzing
This strongly suggests that programs should execute with the least amount of privileges needed to complete their function.
Principle of Least Privilege
A process that includes planning, installation, configuration, update, and maintenance of the operating system and the key applications in use.
Hardening a System
3 Steps to hardening a base OS
• Removing unnecessary services, applications, and protocols. • Configuring users, groups, and permissions. • Configuring resource controls.
Restricts the server’s view of the file system to just a specified portion. Files in directories outside the __________ are not visible or reachable at all.
Chroot Jail
Refers to a technology that provides an abstraction of the computing resources used by some software, which thus runs in a simulated environment called a virtual machine (VM).
Virtualization
A bot is a computer compromised by malware and under the control of a bot master (attacker).
TRUE
Characteristics of APT (Advanced Persistent Threats) include _____ (3).
A. Using zero-day exploit B. Low-and-slow C. Targeting high-value data
The best defense against being an unwitting participant in a DDoS attack
prevent your systems from being compromised
Both static and dynamic analyses are needed in order to fully understand malware behaviors
True
A Botnet can use _______ for command-and-control.
A. Email B. HTTP C. IRC
In a ______ attack the attacker creates a series of DNS requests containing the spoofed source address for the target system.
DNS amplification
APT attacks
Boy in the middle: covertly changes a computer’s network routing. Clickjacking: web users unknowingly click on something that is not as it is portrayed. Man in the Browser: modifies web pages covertly. Man in the middle: eavesdrops. Keyloggers: covertly record keystrokes.
Takes advantage of a previously unknown weakness or vulnerability in a system.
Zero-Day Exploit
APT Lifecycle
Define target; research target infrastructure/employees; test for detection; deployment; establish outbound connections; exfiltrate data; remain undetected; repeat
Advanced Persistent Threat (APT)
Advanced: use special malware. Persistent: long-term presence, multi-step, low-and-slow. Threat: data targeted is high value. Tend to target specific organizations.
Examples of Attacks/Frauds by botnets
Spam; DDoS; click fraud; phishing and pharming; keylogging and data/ID theft; key/password cracking; anonymized terrorist and criminal communication; cheating in online games and polls
Why DDoS attack?
The attacker does not need to use his own computer; so many computers are involved in the attack that it is difficult to distinguish legitimate from malicious traffic
C&C design
Must be efficient and reliable; stealthy; resilient
T/F: The botmasters prefer dynamic DNS servers
True: Because of the frequent change between domain name and IP address.
Anomaly detection
The way the bots look up a domain suggests the domain is most likely used for C&C.
What can be done when the anomaly is detected?
Map the domain name to a sinkhole
What is the advantage of the sinkhole?
Researchers can discover where the bots are in the net.
Malware analysis: Static Analysis
Attempts to understand what a malware instance would do if executed.
Malware analysis: Dynamic Analysis
Attempts to understand what a program does when executed.
Different granularities of analysis
Fine-grained: looking at instruction by instruction. Coarse-grained: looking at function calls.
Malware Obfuscation: Packing
A technique whereby parts or all of an executable file are compressed, encrypted or transformed in some fashion.
T/F: Can use signatures to detect packing.
False: A number of legitimate programs use packing/unpacking
Types of malware: Needs a Host
trap doors, logic bombs, trojan horses, viruses, browser plug-ins, extensions, scripts
Types of malware: Independent
Worms, botnets, APT
Trojan Horses
Hidden in an apparently useful host program
Virus
Infects a program by modifying it. Can self-copy.
4 Stages of a Virus
Dormant phase: program infected, but virus has not been triggered. Propagation phase: virus is being spread. Triggering phase: when the host program is run, the virus is run. Execution phase: when the virus runs and performs malicious activities (also looks to spread).
Email attachment that when opened will be sent to all people in address book
virus
Keyboard app that logs user input and sends it to the attacker
trojan horse
Virus Structure
Virus code has to be physically inserted into the program code. The virus code runs first, then the original program. Virus code may run last, too, to do any cleanup. The program needs to run cleanly to avoid detection.
Types of viruses
Parasitic virus: scan/infect programs. Memory-resident virus: infect running programs. Boot sector virus: runs when the system is booted. Macro virus: executable program embedded in a word processing document; triggered when the doc is opened. Polymorphic virus: encrypt part of the virus program using a randomly generated key.
Rootkit
Resides in OS. Modifies OS code and data structure. Can hide itself by manipulating functions that list directory contents.
T/F: Linux, iOS, Windows, and Android have all been infected by rootkits
True
Rootkit facts
All OSes can be affected; can modify hidden and read-only files; can spread in any form; cannot remain in memory after reboot, but since it is a part of the OS, it will return when the OS is restarted; rootkits cannot affect HW that does not have FW; rootkits are always malevolent
Worms
Use network connections to spread from system to system.
Malware Prevention and Detection
Prevention: limit contact to the outside world; Detection/Identification; Removal. Prevention hampers productivity, so detection is preferred.
4 Generations of anti-virus software
Simple scanners: use signatures of known viruses; not effective against polymorphic viruses. Heuristic scanners: integrity checking (checksum); can be defeated by compressing the file to have the same size as the pre-infection file. Activity traps: look for specific activities that malware performs; not effective against newer malware. Full-featured analysis: state of the art; host-based, network-based, and sandbox-based.
Why are signature-based anti-virus solutions still used?
Efficient; effective against known malware; good first line of defense
Importance of DB security
Databases store massive amounts of sensitive data; data has structure that influences how it is accessed; accessed via queries or programs written in languages like SQL; transactional nature of queries (done completely or not done at all); derived data or database views
Who are the biggest threats to DB?
Insiders and unauthorized users
Databases are attractive to users because
they store info that is easily monetized; they store info about a lot of users; query languages used to access data can be abused
RDBS table
A table is defined by a schema and consists of tuples
DB Access Control
GRANT or REVOKE
Privileges
SELECT, INSERT, UPDATE, or DELETE
Defenses against inference attacks
Do not allow aggregate query results when the set of tuples selected is either too small or too large (Perturbation). De-identification: transform data by removing identifying info. Anonymization: replace exact values with more general values.
Mandatory Access Control (MAC)
Is not at the user's discretion. Solves the problem of information control. The company decides who has access to data.
What is needed to implement MAC?
Labels are a key requirement. They indicate sensitivity and/or category of data. Indicate clearance/need-to-know requirements
Labels also have a _______
Compartment.
T/F: L1 = (TS, {A,B,C}), L2 = (S, {B,C}), L3 = (S, {B,C,D}). L1 > L3
False. L1 > L2; L2 < L1; L1 and L3 are not comparable.
Bell and LaPadula (BLP) Model
Developed by the DoD. Assumes classification of data and clearances for subjects.
BLP Read/Write rules
Read-down rule (ss-property): a user with label L1 can read a document with label L2 only when L1 dominates L2. Write-up rule (*-property): a user with label L1 can write a document with label L2 when L1 is dominated by L2.
Tranquility Principle
States that classification of a subject or object does not change during a session.
Clark-Wilson Policy
Users should be able to access certain programs: user -> program -> obj
T/F: RBAC is an example of MAC
True. Only the company can decide roles of its employees.
BLP-like models
SELinux and SCOMP
problems with DAC
information flow problem (cannot control whether someone who has access to a file will further share its contents); in many organizations, the user does not get to decide how or with whom to share
label in MAC
indicate sensitivity/category/clearance/need-to-know; TCB associates labels with object/user; exact nature of label depends on model/policy
biba vs BLP
Biba focuses on integrity while BLP focuses on confidentiality; Biba: read up, write down
trusting software
functional correctness; maintain data integrity; protect against disclosure of sensitive data; confidence
TCB design principle
least privilege for users/programs; economy: keep trusted code as small as possible; open design: obscurity doesn’t work; complete mediation; fail-safe default; ease of use
how to build a TCB
authentication; access control (MAC & DAC)
how to protect data in OS
it needs to protect itself (tamperproof)
data protection security features of trusted OS
object reuse protection; disk blocks, mem reuse; allocate disk or mem, then look to see what’s left behind; zero out objs before use; secure file deletion; secure disk destruction
kernel design requirements
enforce all security mechanisms; good isolation, small size; reference monitor controls access to objects; tamperproof; un-bypassable; analyzable
use of testing
demonstrate the existence of a problem
testing challenge
test case generation; code coverage; exponential number of different executions; different execution environments
formal verification
checking a mathematical specification of a program; model checking, automated theorem proving; exponential time & space complexity
T/F: model checking can show absence of a problem
True. Model checking is a form of formal verification.
Two parts to Access Control
1. Decide who should have access to certain resources: an access control policy. 2. Enforcement: only accesses defined by the access control policy are granted.
Access Control Matrix (ACM)
abstract state: rows are users, columns are resources; ACM[U,O] defines what access rights user U has on object O. Rows correspond to sources of the request (users/subjects/groups). Columns correspond to the resources that need to be protected.
Discretionary Access Control
Access is at the discretion of its owner. Owner can grant access to other users and also allow or not allow the other users to propagate this access.
Access Control List (ACL)
Columns for an object that define each user's rights on that object. Handles access to object Oi (column-wise).
Capability List (C-List)
Rows for a user that define that user’s rights for each object. Handles rights of user Ui (row-wise).
Where should ACL be stored?
In trusted part of system; consists of access control entries; should be stored along with other object meta-data; checking requires traversal of the ACL
Where should C-List be stored?
It is per user; a capability is an unforgeable reference/handle for a resource; user catalogue of capabilities defines what a certain user can access; can be stored in objects/resources themselves
ACL vs C-List
Efficiency: ACLs are not as efficient as C-Lists. Accountability: can be found easily in an ACL; with a C-List, each user’s catalog must be checked to see if access is OK. Revocation: revoking access in an ACL is easy. Most OSes use ACLs.
How does OS implement ACL?
The OS keeps track of info about each file and its metadata, called an i-node. Open files are stored in the meta-data table. The file must be active.
Role Based Access Control (RBAC)
The access rights are associated with roles/jobs. Users can have more than one role.
RBAC benefits
Policy need not be updated when a certain person leaves; a new employee should be able to activate the desired role; start with minimum access. SELinux supports RBAC.
Fail-safe defaults
Implies that when an access control policy is silent about access to a certain user, that access must be denied.
a capability in C-list
unforgeable reference/handle for a resource; the user's catalog of capabilities defines what a certain user can access
hydra
store c-list in objs, resources themselves
how sharing happens?
create new ACE, and add access right to that
most OS use ACL or C-list? why?
ACL, which is good for accountability and revocation. C-list is only good for efficiency
a movie ticket is a capability or access control entry?
capability (holder gets access)
when does access check for ACE stop?
negative/deny entry found, or the whole list traversed
how is access control implemented in unix
each resource looks like a file; each file has an owner; each file can possibly be accessed by owner, group or everyone; permissions r, w, x; ACL implemented using a bitmap, 9 bits
how does OS implement ACL?
the process calls open on the file; the open-file table gets i (index) from the i-node table and returns it to the process; the ACL bits are stored at the same location in the i-node table. This will grant access and point to the file data.
TOCTOU (time of check to time of use) vulnerability
permission changed between checking and using
in unix, you can share the file by sharing the file descriptor
false
setuid bit set
the uid of the process will be the owner
Botnet command-and-control must be centralized, i.e., all bots communicate with a central server(s).
False. “Distributed control mechanisms, using peer-to-peer protocols, are also used, to avoid a single point of failure.”
what is authentication?
Who are you? Prove it! The process making the request does it on behalf of a certain user, subject, or principal. Claims and verification about the identity.
what is authorization?
Does this requester have permission to access this resource?
Authentication goals
Availability: when the correct credentials are presented, the resources should be made available. No false negatives: a false negative is when a process presents the correct credentials, but access is denied. No false positives: a false positive is if the incorrect credentials are presented, but access is given.
How is authentication implemented?
Something only the user knows: password, PIN. Something the user has: token, smart card, etc. Something the user is: fingerprint, iris scan, etc.
To authenticate
1. capture evidence 2. compare it 3. authenticate it
Examples of threats to authentication system
guessing the password; impersonating a real login program (i.e., a trojan horse); keylogging: grabs keystrokes to record the password
Trusted Path
Connection between the user and the TCB. Should be provided by the OS and hardware.
Trusted Login Path
Keyboard and display must have trusted paths to OS
Hash function threats
if we know the common passwords, we can figure out their hashes; for dictionary and offline attacks, we have the dictionary and plenty of time (an online system can stop the attack after a certain number of trials)
false negative
negative outcome was generated falsely
how to reduce work for brute force attack?
try popular passwords first; rainbow table lookup
problem with tokens
must have them; may require additional hardware; need user to confirm identity (challenge/response); cost and misplaced trust
Operating Systems Definition
Hardware: I/O … Memory … CPU. Operating systems: Windows or Android, etc. Applications run on the operating system.
Operating Systems’ uses
Makes it easier to use resources; allows for high-level abstractions like files. Hardware is controlled by the OS. Provides isolation (each process believes it is the only one running on the system).
TCB
Trusted computing base/kernel. The operating system has direct control of the hardware resources. The OS must determine who is an authorized user of the resources.
TCB (trusted computing base) Requirements
Complete mediation: the OS comes between the hardware resources and applications. The OS must make sure the application has the necessary authorizations. The OS must be tamperproof. The OS must be correct: the protected resources are used properly.
OS controls access to protected resources by?
Establish the source of the request (authentication: who?). Authorization or access control: does the source of the request have the right to access the resource? The OS follows the policies for authorization and authentication.
what is a system call?
asks the OS for (access to) resources; is often called a protected procedure call; goes through call gates (controlled/defined fashion)
why does system call have higher cost?
- user domain to OS domain (control transfer)
How can we trust OS?
hardware support for memory protection; processor execution modes/rings (system & user)
what is system call instruction in x86
sysenter/sysexit
how does TCB ensure complete mediation?
make sure no protected resources can be accessed without going through the TCB; the TCB acts as a reference monitor that cannot be bypassed
how does the OS ensure complete mediation?
virtualizes physical resources and provides an API; files for storing persistent data on disk; virtual resources must be translated to a physical resource handle
how does TCB ensure correctness?
- secure coding with type safe language
Virtualization helps with limiting the damage caused by a compromised OS by…
Using a hypervisor between the OS and hardware; VMs on top of the hypervisor have their own OS and apps (isolation)
Logical addresses are stored on ____; physical addresses are stored on _____
pages; frames