CSE543/Fall 2007 - Midterm
Thursday, November 1, 2007 — Professor Trent Jaeger
Please read the instructions and questions carefully. You will be graded for clarity and correctness. You have 75 minutes to complete this exam, so focus on those questions whose subject matter you know well. Write legibly and check your answers before handing it in.

Short Answer (Answer 12 of 14) - some will be one or two words – no more than 3 sentences
- (3pts) What is the difference between protection and security? answer: A system that provides security ensures the protection of its data (i.e., enforcement of its security goals) even when a user may run code that has malicious intent. Systems that provide protection enforce the specified policy only if the user runs trusted code.
- (3pts) Define protection system. answer: A protection system consists of a protection state describing the current access policy, a reference monitor to enforce the protection state, and administrative operations to modify the protection state.
- (3pts) How can you configure the Windows access control model to ensure that a particular subject only has access to one file? answer: Restricted context is easiest. Add a negative ACE at the beginning of all other object ACLs, except the one being permitted. Grant rights for that one.
- (3pts) What are the guarantees that a UNIX sandbox (e.g., Janus) must provide in order to ensure that the process cannot escape the limited permissions defined? answer: Basically, reference monitor guarantees. It must provide a tamperproof implementation that enforces a mandatory access control policy (also tamperproof) that mediates all security sensitive operations, and the policy must ensure that the process does not gain unauthorized access (i.e., verifiably enforce security goals).
- (3pts) What is the confused deputy problem? answer: That a multi-client server may be spoofed into granting one client unauthorized rights to another client’s objects because it must have the permissions for all the clients to run in an ACL system.
- (3pts) What mechanisms does Multics use to protect the integrity of objects? answer: Protection rings provide the mediation points for enforcing integrity. The access and call bracket policies describe the integrity policy of a Multics system. A tamperproof kernel enforces the policy.
- (3pts) Define the two fundamental properties of the Bell-LaPadula model (i.e., multilevel security model). answer: Simple-security property – no read up, and *-security property – no write down.
- (3pts) What does the extend operation of the Trusted Platform Module do (be precise)? answer: It extends a hash value in a particular TPM register (PCR) by taking the current register value and hashing it concatenated with the input value to the extend operation.
- (3pts) Why is it more secure to implement a reference monitor inside the kernel (as in LSM), rather than to use system call interposition (as in Janus)? answer: Time-of-check-to-time-of-use attacks. In interposition, the mapping between names and actual objects is computed separately from the kernel, so it may be possible for a concurrent process to change the mapping (e.g., changing a local file to be a link to /etc/shadow). That is, the label-file mapping is not tamperproof in Janus.
- (3pts) What are buffer overflow, heap overflow, and integer overflow vulnerabilities?
answer: A buffer overflow occurs on the stack by overwriting the return address. A heap overflow occurs on the heap by overwriting a key pointer, such as a function pointer. An integer overflow occurs on signed integers: when the maximum value is reached, computer integer operations differ from true integer operations.
- (3pts) When a cryptographic construction provides message non-repudiation, what can the receiver prove? answer: The receiver can prove that the message originated from a single principal, the holder of the associated private key. This can even be proven to third parties.
- (3pts) What impact does the birthday paradox have on the security of a 90-bit hash function?
answer: Due to the birthday paradox, the probability of finding a collision in a 90 bit hash is only one in 2^45.
- (3pts) How does the use of a Kerberos authenticator replace the function of the last two messages in the Needham-Schroeder symmetric key protocol? answer: An authenticator aims to prove that Alice’s message with the corresponding ticket (and the new session key) has been freshly created by Alice by using a timestamp. This replaces the need for a challenge-response provided in the last two messages. (Bob still proves ownership of the corresponding TGS-Bob key through use of the session key, but this is done later – not required in the answer).
- (3pts) Identify the conditions when you would want to add an HMAC to a secure communication.
answer: HMAC is used to justify the integrity and authenticity of a message under a shared key. Should a shared key be available, already distributed, and should there be integrity requirements on the message, you almost always want to HMAC. A rare exception is when the message has a well-known format, so that the receiver could check based on the content of the message – Kerberos is an example.
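The TPM extend operation from the short-answer section above, as an added example that is not part of the original exam. It assumes a TPM 1.2-style static PCR (20-byte SHA-1 register, zero at boot); the function names and the sample boot chain are constructed for illustration. It shows why a verifier replaying a measurement log detects reordered, substituted or truncated entries.

```python
import hashlib

PCR_RESET = bytes(20)  # assumption: static PCR, 20 zero bytes at boot (SHA-1 width)


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """New PCR value = SHA-1(current PCR value || input value)."""
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("PCR and input must both be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def replay(log: list[bytes]) -> bytes:
    """Recompute the PCR value a verifier expects from an ordered measurement log."""
    pcr = PCR_RESET
    for component in log:
        # Each component is measured (hashed) first, then folded into the register.
        pcr = extend(pcr, hashlib.sha1(component).digest())
    return pcr


def log_matches(log: list[bytes], reported_pcr: bytes) -> bool:
    """True only if the log, in this exact order, produces the reported PCR."""
    return replay(log) == reported_pcr


# Constructed sample boot chain (placeholder byte strings, not real images).
BOOT_LOG = [b"bootloader-v1", b"kernel-v1", b"initrd-v1"]
GOOD_PCR = replay(BOOT_LOG)
```

Because each new value depends on the previous one, software cannot set a PCR to a chosen value; it can only extend it further.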
- (10pts) Suppose that Alice uses a capability system that uses cryptography to protect its capabilities from forgery. She has an object obj and rw (read and write) rights to that object. The kernel builds capabilities for its users, and authorizes access by verifying the integrity and authenticity of the capabilities (generated by kernel only) and then checking that the rights included in the capability correspond to those requested. The kernel has a symmetric key K and a private key pair K− and K+. NOTE: Users must be able to see the target of the capability in order to use it in this system. That is, the capability data is not secret (unlike the notes).
(a) (2pts) Using the symmetric key cryptography, design a capability to give to Alice for obj with the rights specified above.
(b) (2pts) Using the public key cryptography, design a capability to give to Alice for obj with the rights specified above (equivalent function as (a)).
(c) (2pts) Suppose the kernel wants to track the distribution of capabilities in a manner that is secret to the users. For example, the kernel adds Alice’s name to capabilities created for her, so that it can track how they are distributed. Using the symmetric key cryptography, design a capability to give to Alice for obj (as in (a)) that includes her name, in secret.
(d) (2pts) Using public key cryptography, generate a capability that meets the requirements of (c).
(e) (2pts) Suppose that the kernel has a mechanism to collect all capabilities to a specific object (i.e., one object at a time) and revoke those that no longer satisfy the current policy. The kernel stores a revocation time with each object that indicates the last time such a revocation was performed. Write a capability, using symmetric key cryptography, that the holder can prove is fresh since the last revocation for that object.
answer: Suppose base capability is C = {obj, rw}.
(a) C + HMAC(K, C)
(b) C + S(K−, C)
(c) C + E(K, A) + HMAC(K, C + A)
(d) C + E(K+, A) + S(K−, C + A)
(e) C + timestamp + E(K, A) + HMAC(K, C + A + timestamp)
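The symmetric-key constructions (a) and (e) above, as an added Python example that is not part of the original exam. It omits the encrypted name field E(K, A) because the standard library has no cipher; the key value, JSON encoding, HMAC-SHA-256 and the names `mint`, `authorize` and `last_revocation` are assumptions made for illustration.

```python
import hashlib
import hmac
import json

K = b"constructed-demo-kernel-key"  # assumption: stands in for the kernel's key K


def _mac(fields: dict) -> bytes:
    # Canonical JSON so the MAC covers one unambiguous byte string.
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(K, data, hashlib.sha256).digest()


def mint(obj: str, rights: str, now: int) -> dict:
    """Kernel only: C + timestamp + HMAC(K, C + timestamp), with C = {obj, rights}."""
    fields = {"obj": obj, "rights": rights, "ts": now}
    return {**fields, "mac": _mac(fields).hex()}


def authorize(cap: dict, obj: str, requested: str, last_revocation: dict) -> bool:
    """Kernel only: verify the MAC first, then freshness, then the rights."""
    try:
        fields = {"obj": cap["obj"], "rights": cap["rights"], "ts": cap["ts"]}
        presented = bytes.fromhex(cap["mac"])
        expected = _mac(fields)
    except (KeyError, TypeError, ValueError):
        return False  # malformed capability
    if not hmac.compare_digest(expected, presented):
        return False  # forged or altered: the holder does not know K
    if fields["obj"] != obj:
        return False  # capability names a different object
    if fields["ts"] <= last_revocation.get(obj, 0):
        return False  # minted before the object's last revocation sweep
    return set(requested) <= set(fields["rights"])
```

The capability fields stay readable to the holder, as the question requires; only the MAC depends on K, so changing the rights or the timestamp invalidates it.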
- (10pts) Answer the questions below regarding the security-typed, key generation code for Diffie-Hellman.
int{secret} key; /* global */

int{public} DHgen(int n, addr dest) {
    int{public} p = 3, g = 4;
    int{secret} x = n;
    int{public} y, y’;
    int z;

    y = ???; // (see part a)

    send(y, dest);
    recv(y’, dest);

    z = ???; // (see part a)

    if (z <= 1)
        return -1;

    key = z;
    return 0;
}
(a) (2pts) Write the Diffie-Hellman equations to compute y and z.
(b) (2pts) Suppose n is 5 and y’ is 2. What is your shared DH key?
(c) (2pts) From a security-typed language perspective, what is the problem with sending y to the destination in this code via send(y, dest)?
(d) (2pts) What is the inferred security type (label) of z?
(e) (2pts) If the password process runs at system secret, which files can it write?
answer:
(a) Only the shadow file has secrets
- Password executable file: public
- Password file: system secret in this case (not in UNIX)
- Shadow file: system secret
- User shell process: ambiguous so either is accepted
(b) Must be higher than the admin shell. Script must be higher than the web server.
- Password process: 1, 2, or 3
- User shell > password process and admin
(c) Suppose password process runs at 3
- Password executable file: passwd can read, admin can write – (2, 3)
- Password file: passwd can read and write, but no higher can read or write – (3, 3)
- Shadow file: passwd can read and write, but no higher can read or write – (3, 3)
(d)
- Password Executable: Anyone can execute – (3, 7)
(e) Shadow and password file.