CS419 Exam 1
Spring 2018
Paul Krzyzanowski
February 20, 2018
Part I — 16 Points

- 12 points. Briefly explain how each of these three mechanisms helped to make buffer overflow attacks more difficult:
  a. Data Execution Protection (DEP)
  b. Address Space Layout Randomization (ASLR)
  c. Stack canaries

- 4 points. How do POSIX (Linux) capabilities help implement the principle of least privilege better than using a setuid mechanism?

- Usurpation is a great vocabulary word. It primarily refers to:
  (a) Taking control of part of a system without permission.
  (b) Disrupting the service that a system is providing.
  (c) Injecting or modifying data in a network or file system.
  (d) Accessing data without authorization.

- Snooping is a form of:
  (a) Disclosure.
  (b) Disruption.
  (c) Usurpation.
  (d) Repudiation of origin.

- An important security-relevant aspect of an operating system's use of hardware timers is:
  (a) Waking the system up from sleep to ensure availability.
  (b) Measuring the amount of time various processes use.
  (c) Measuring the latency of system calls to look for evidence of tampering.
  (d) Ensuring that the operating system can always regain control.

- Protection Rings in the Intel architecture are designed to:
  (a) Allow each process to occupy a unique privilege level.
  (b) Protect the processor itself from malicious attacks.
  (c) Provide multiple layers of checks when a process requests access to resources.
  (d) Provide well-defined mechanisms for a process to switch between privilege levels.

- Why did Unix systems adopt a limited file access control model?
  (a) The Unix OS was designed as a single user system, so detailed per-user controls were not needed.
  (b) The model is sufficient since it fully implements an access control matrix.
  (c) It made the commands to set permissions a lot simpler.
  (d) The limited set of permissions fit within a fixed set of bits in the file's inode.

- Why is a compromise of the trusted computing base (TCB) particularly dangerous?
  (a) It makes it easy to perform code injection attacks on applications.
  (b) You can no longer trust that the system is enforcing security policies correctly.
  (c) Malware can easily spread to other less-trusted systems.
  (d) One process can freely read another process's memory.

- Each access control list (ACL) allows one to specify which:
  (a) Programs can access a specific file.
  (b) Files can be accessed by a specific user.
  (c) Users can access a specific file.
  (d) Users have administrative privileges.

- A program with the setuid bit set:
  (a) Runs with permissions of the logged-in user instead of the file owner.
  (b) Runs with permissions of the file owner instead of the logged-in user.
  (c) Runs with administrative privileges.
  (d) Runs the process in kernel mode instead of user mode.

- Privilege separation is the principle where:
  (a) Different users are granted different access rights.
  (b) The system has different classes of administrators (e.g., network, storage, users).
  (c) A process is split into multiple parts, each running at different privilege levels.
  (d) A process may request special privileges to do specific operations.

- Mandatory Access Control (MAC):
  (a) Is a set of access rights that the kernel enforces while Discretionary Access Control defines only advisory permissions.
  (b) Defines access rights that the object owner cannot change.
  (c) Is a policy that states all objects must have a set of access rights associated with them.
  (d) Is an operating system mode that forces the checking of access permissions to each object.

- The main problem with a program that creates a file and then sets access permissions so that the file is not readable by anyone other than the user is:
  (a) The user might be an imposter.
  (b) There is a race condition in the logic.
  (c) The user account might be deleted, making the file unreadable by anyone.
  (d) Either of the operations may fail.

- A drawback of the Bell-LaPadula model when strictly implemented is:
  (a) A user at a low classification level can read files from higher classification levels.
  (b) A user at a low classification level may overwrite a file at a higher classification level.
  (c) A user at a high classification level can freely read files from lower classification levels.
  (d) A user at a high classification level may overwrite files at lower classification levels.

- One way that role-based access control differs from the Bell-LaPadula model is that:
  (a) It focuses on preserving integrity rather than confidentiality.
  (b) It manages permissions on a functional basis rather than controlling object access.
  (c) It is mandatory rather than discretionary.
  (d) Users can be assigned to different classification levels.

- The Biba model differs from Bell-LaPadula in that:
  (a) Users are not classified into levels.
  (b) It implements a no write up policy instead of no read up.
  (c) It allows reading across any levels but restricts writing since it is concerned only with controlling data corruption.
  (d) It is a discretionary model rather than a mandatory model.

- Multilateral security enhances the Bell-LaPadula model in that it:
  (a) Restricts what information users can access even at the same classification level.
  (b) Applies the same policy uniformly to all users of the system.
  (c) Supports discretionary access control within a security level.
  (d) Manages integrity as well as confidentiality.

- The key idea in the Chinese Wall model is:
  (a) Groups of users may be partitioned so they cannot communicate.
  (b) Access may be disallowed based on what objects were previously accessed by the user.
  (c) Groups of users may be defined so that information can flow only in one direction from one group to the other.
  (d) It preserves integrity by disallowing a user in one group from modifying data in another.

- How come buffer overflow vulnerabilities practically don't exist in Java?
  (a) Java is not a stack-based language.
  (b) The Java runtime environment employs stack canaries.
  (c) Java implements bounds checking for all array operations.
  (d) Java objects use memory protection to isolate themselves.

- A landing zone is:
  (a) The address of the start of injected code that is written to the stack.
  (b) An indirect jump in a buffer overflow exploit to enable the injection of larger chunks of code.
  (c) A region of memory that is vulnerable to heap overflow attacks.
  (d) A sequence of no-op instructions to account for the fact that we might not know the exact address of a buffer.

- The printf function is a potential attack vector if:
  (a) The attacker provides data that exceed the sizes specified in the format string.
  (b) The program uses the wrong number of arguments to printf.
  (c) The attacker can specify the format string.
  (d) The size of the output buffer is not specified.

- Fuzzing is a technique that:
  (a) Obfuscates compiled code to make it difficult to disassemble.
  (b) Provides barriers between buffers to ensure that buffer overflow cannot occur.
  (c) Scrambles addresses on the stack to make it difficult for attackers to inject valid addresses.
  (d) Overflows a buffer to crash a program and then searches for the location of the data that was input.

- Return-oriented programming (ROP) was created to:
  (a) Enable code injection without buffer overflows.
  (b) Make buffer overflows impossible.
  (c) Enable code injection with data execute protection in place.
  (d) Bypass the protections of stack canaries.

- What would most likely cause a compiled program to behave differently from the way it was designed?
  (a) A change to the shared library path (LD_LIBRARY_PATH).
  (b) A change to the shell's search path (PATH).
  (c) A change to the environment variable that redefines the shell's field separator characters (IFS).
  (d) A change to the current directory before the command is run (cd).

- A possible security problem with closing the standard output or standard error stream when running a command is:
  (a) The program will not be able to write messages to the user.
  (b) The program will crash as soon as it writes to the console, resulting in an availability attack.
  (c) If the program opens another file, any attempts to write to the standard output may corrupt that file.
  (d) The program will be blocked indefinitely waiting for the output stream to open.

- The Unicode bug that Microsoft had in their IIS (Internet Information Services) server manifested itself because:
  (a) Many Unicode characters look the same.
  (b) They processed Unicode characters after validating the pathname.
  (c) There was no reliable way of checking whether a URL specifies a path above a base directory.
  (d) A buffer overflow attack enabled Unicode characters to be treated as executable code.

- Homograph (homoglyph) attacks work because:
  (a) Some different characters look the same across multiple international scripts.
  (b) Different multi-byte Unicode encodings may ultimately map to the same character.
  (c) Systems sometimes validate input before parsing multi-byte characters.
  (d) Text may contain a mixture of scripts from different languages.

- Which is not a problem with the chroot mechanism? A process running with administrative privileges can:
  (a) Reset the root back to its original value.
  (b) Create a device file to access the root file system.
  (c) Invoke privileged system calls.
  (d) View and kill other processes.

- FreeBSD Jails improved the chroot concept by:
  (a) Restricting the operations that a process can perform in a jail.
  (b) Managing the amount of resources that a process can consume.
  (c) Disallowing processes from resetting the root of the file system.
  (d) Logging all activity to an audit file.

- Linux control groups (cgroups):
  (a) Monitor and restrict the use of various computing resources for processes.
  (b) Allow an administrator to start and stop a collection of processes as one group.
  (c) Restrict the administrative functions that processes can perform.
  (d) Restrict the part of the file system that is visible to a process.
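Worked illustration for Part I, question 1(c) (stack canaries). This is an added example, not part of the exam or its answer key: it models two frame layouts as C structs, one without and one with a canary word between the buffer and the saved return address, and runs the same unchecked copy against both. The struct layout, the buffer size, the constructed `FAKE_RETURN` value and the caller-supplied canary secret are all assumptions made for the example; a real compiler places the canary in the stack frame and a real runtime draws the secret from the kernel's random number generator. All writes stay inside the struct, so the simulation itself is well-defined C.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example (not from the exam): two frame layouts, one with a
 * canary between the buffer and the saved return address and one without.
 * Every byte the "overflow" writes stays inside the struct, so only the
 * layout mirrors a stack frame; the C itself is well-defined. */
#define BUF_SIZE 16

struct unguarded_frame {
    char buf[BUF_SIZE];
    uintptr_t saved_return;     /* stand-in for the saved return address */
};

struct guarded_frame {
    char buf[BUF_SIZE];
    uint32_t canary;            /* sits between the buffer and the value that must not change */
    uintptr_t saved_return;
};

#define FAKE_RETURN 0x1000u     /* constructed value for the saved return address */

/* The canary value is chosen once at startup. A real runtime draws it from
 * the kernel's RNG so an attacker cannot know it in advance; here the caller
 * supplies it so the example is deterministic. */
static uint32_t canary_secret;
void canary_init(uint32_t secret) { canary_secret = secret; }

/* Unchecked copy into a frame with no canary: an input longer than the
 * buffer silently replaces the saved return address. Returns the value the
 * function would "return to". */
uintptr_t copy_unguarded(const unsigned char *input, size_t len)
{
    struct unguarded_frame f;
    f.saved_return = FAKE_RETURN;
    if (len > sizeof f) len = sizeof f;   /* keep the simulation in bounds */
    memcpy(&f, input, len);               /* the missing bounds check */
    return f.saved_return;
}

/* Same unchecked copy, but the epilogue compares the canary with the secret
 * before trusting saved_return. Returns 1 and stores the return address if
 * the canary is intact; returns 0 (where __stack_chk_fail() would abort the
 * process) if the overflow reached the canary. */
int copy_guarded(const unsigned char *input, size_t len, uintptr_t *ret_out)
{
    struct guarded_frame f;
    f.canary = canary_secret;
    f.saved_return = FAKE_RETURN;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    if (f.canary != canary_secret)
        return 0;                         /* corruption detected before use */
    *ret_out = f.saved_return;
    return 1;
}

int main(void)
{
    unsigned char in_bounds[8], overflow[40];   /* constructed inputs */
    uintptr_t ret = 0;
    memset(in_bounds, 'A', sizeof in_bounds);
    memset(overflow, 'A', sizeof overflow);
    canary_init(0xC0FFEE11u);

    printf("unguarded,  8 bytes: return -> 0x%lx\n", (unsigned long)copy_unguarded(in_bounds, 8));
    printf("unguarded, 40 bytes: return -> 0x%lx (overwritten)\n", (unsigned long)copy_unguarded(overflow, 40));
    printf("guarded,    8 bytes: %s\n", copy_guarded(in_bounds, 8, &ret) ? "canary intact" : "canary smashed");
    printf("guarded,   40 bytes: %s\n", copy_guarded(overflow, 40, &ret) ? "canary intact" : "canary smashed");
    return 0;
}
```

The point the example makes is the one the question asks for: the canary does not stop the overwrite, it makes the overwrite detectable before the corrupted return address is used, and the check only holds up because the value is unpredictable.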
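Worked illustration for the multiple-choice question about a program that creates a file and then sets its permissions. This is an added example, not part of the exam or its answer key: it places the "create, then restrict" sequence beside the version that requests the restrictive mode in the creating `open()` call, and reports the mode each file carries. The `/tmp/cs419_*` paths, the `0600` target mode and the helper names are assumptions made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed example (not from the exam): the racy "create, then restrict"
 * sequence beside the atomic "create with the restrictive mode" version. */

/* Racy pattern. Between open() and fchmod() the file exists with the default
 * creation mode (0666 masked by the process umask, commonly 0644), so a
 * concurrent process can open it for reading during that window and keep
 * reading after the chmod, which does not revoke descriptors already open.
 * The mode visible inside the window is reported through *mode_in_window. */
int create_then_restrict(const char *path, mode_t *mode_in_window)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        *mode_in_window = st.st_mode & 0777;   /* what a racing reader would see */
    if (fchmod(fd, 0600) != 0) {               /* the late tightening */
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Safe pattern. The restrictive mode is part of the creating open() call,
 * umask is tightened so the file is never group- or world-readable even for
 * an instant, and O_EXCL makes open() fail instead of reusing a file or
 * symlink that someone else placed at the path. */
int create_private(const char *path, mode_t *mode_observed)
{
    struct stat st;
    mode_t old = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(old);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0) {
        close(fd);
        return -1;
    }
    *mode_observed = st.st_mode & 0777;
    close(fd);
    return 0;
}

/* Run both patterns on throwaway files under /tmp (constructed, per-process
 * paths) and report the modes each produced. Returns 0 on success, -1 if
 * either file could not be created. The files are removed afterwards. */
int compare_creation_modes(mode_t *racy_window_mode, mode_t *safe_mode)
{
    char racy[64], safe[64];
    int rc = 0;
    snprintf(racy, sizeof racy, "/tmp/cs419_racy_%ld", (long)getpid());
    snprintf(safe, sizeof safe, "/tmp/cs419_safe_%ld", (long)getpid());
    unlink(safe);                              /* O_EXCL needs the path free */
    if (create_then_restrict(racy, racy_window_mode) != 0) rc = -1;
    if (create_private(safe, safe_mode) != 0) rc = -1;
    unlink(racy);
    unlink(safe);
    return rc;
}

int main(void)
{
    mode_t racy = 0, safe = 0;
    if (compare_creation_modes(&racy, &safe) != 0) {
        perror("create");
        return 1;
    }
    printf("mode visible in the chmod window:      %04o\n", (unsigned)racy);
    printf("mode of the atomically created file:   %04o\n", (unsigned)safe);
    return 0;
}
```

With the usual umask of 022 the first function reports 0644 for the window between creation and the chmod, while the second never exposes anything but 0600. The same idea carries over to any "create, then fix up" sequence: whatever attribute matters for security should be set by the call that creates the object, not by a later call.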