CS419 Exam 2
Spring 2018
Paul Krzyzanowski
March 26, 2018
Part I — 19 points
- (4 points) Explain why hypervisor rootkits are more difficult to detect than user-mode or kernel-mode rootkits.
- (5 points) Explain why it is not feasible to use hash pointers in a doubly-linked list structure.
- (5 points) How does a digital signature differ from a Message Authentication Code?
- (5 points) What makes a digital certificate unforgeable?

Part II — 81 points — 3 points each
For each statement, select the most appropriate answer.

- Which confinement technology would work best to restrict an application to only be able to open text files?
(a) Capabilities.
(b) Containers.
(c) Sandboxes.
(d) Virtual machines.

- Unlike a virtual machine, multiple containers on one system:
(a) Cannot see each other.
(b) Share the same system hardware.
(c) Share the same operating system.
(d) Share the same set of libraries.

- Application sandboxing primarily works by:
(a) Running code via an interpreter.
(b) Creating a virtual machine for each application.
(c) Requiring user authentication prior to running an application.
(d) Intercepting system calls.

- A problem with running a sandbox at the user level, as Janus does, is:
(a) Keeping state synchronized with the operating system can be challenging.
(b) Security controls are limited to what the operating system offers.
(c) It is easy for a process to bypass the sandbox.
(d) A system cannot support multiple sandboxes concurrently.

- A restriction with the Chromium Native Client (NaCl) is that applications:
(a) Run in an interpreted environment.
(b) Can only be written in JavaScript.
(c) Must interact with the system through NaCl libraries.
(d) Run within their own virtual machine.

- The Java Virtual Machine (JVM):
(a) Uses a hypervisor.
(b) Virtualizes a processor architecture.
(c) Uses containers for isolation.
(d) Intercepts system calls made from Java programs.

- In contrast to a native virtual machine, a hosted VM:
(a) Is cloud-based instead of local.
(b) Can emulate a non-local processor architecture.
(c) Runs within a container.
(d) Directs requests to an installed operating system that is not running under a hypervisor.

- A virus differs from a worm in that:
(a) It is malicious while a worm is benign.
(b) It exists as part of some other software rather than a separate process.
(c) It is local while a worm is delivered via a network.
(d) It is designed to propagate.

- A zero-day attack is:
(a) Based on a previously undisclosed vulnerability.
(b) An attack that takes place on the same day the software is released.
(c) An attack that takes place in the early morning hours when it is unlikely to be detected.
(d) A spontaneous attack that disappears quickly.

- A macro virus:
(a) Takes advantage of scripting capabilities built into some programs.
(b) Combines a sequence of operations into one program.
(c) Refers to any attack that is deployed via social engineering.
(d) Targets the entire system, while a micro virus targets a single application.

- A Trojan horse is:
(a) Malware that appears to come from someone you know.
(b) Software that runs undetected on your system but creates a backdoor for attackers.
(c) Software that disguises itself as a legitimate service.
(d) Any horse breed that originated from the Balkan Pony.

- Backdoors rely on:
(a) Social engineering.
(b) Malicious installation of hidden software.
(c) The ability to execute code from within documents (e.g., PDF files, Microsoft Office documents).
(d) Bypassing normal authentication checks.

- Spear phishing refers to:
(a) An attack that is directed to specific targets, using information customized to those targets.
(b) An online attack that appears to come from a legitimate organization.
(c) Any email that contains URLs to malicious sites.
(d) A fraudulent website that attempts to extract personal information from users.

- A virus signature is:
(a) A hash of a virus used by virus checkers to identify a virus.
(b) A sequence of bytes that a virus checker believes is unique to a virus.
(c) An encrypted hash of a virus used by malware to ensure it is not modified by virus eradication software.
(d) A digital signature attached to software to enable detection of whether it has been modified by a virus.

- Kerckhoffs's Principle tells us that:
(a) Symmetric ciphers are more secure than public key ciphers.
(b) Longer keys provide exponentially greater security.
(c) Ciphertext should be indistinguishable from random data.
(d) The encryption algorithm does not need to be secret.

- Suppose it takes you one hour to test all 4-byte keys. How long will it take you to test all 5-byte keys?
(a) 1.25 hours.
(b) 2 hours.
(c) 8 hours.
(d) 256 hours.

- Which ciphers are not vulnerable to frequency analysis attacks?
(a) Monoalphabetic substitution ciphers.
(b) Transposition ciphers.
(c) Polyalphabetic substitution ciphers.
(d) Shift ciphers.

- One-time pads, created in 1882, are impractical because:
(a) Key distribution is difficult.
(b) They are not as secure as newer algorithms, such as AES or ECC.
(c) They are computationally inefficient.
(d) They do not work with binary data.

- A Feistel cipher differs from a normal block cipher because:
(a) It goes through several rounds of substitutions and permutations.
(b) Each round only permutes half of the data in the block.
(c) It does not require multiple rounds.
(d) It supports different keys for encryption and decryption.

- Cipher Block Chaining (CBC) is used to:
(a) Encrypt each block of data with a different key.
(b) Add a hash pointer to each successive block of cipher text.
(c) Allow a message stream to be encrypted with a series of encryptions for increased security.
(d) Make the ciphertext of one block a function of the ciphertext of the previous block.

- A hybrid cryptosystem uses:
(a) A double layer of encryption for extra security.
(b) Multiple encryptions to support multiple recipients.
(c) A combination of message encryption and digital signatures.
(d) A combination of message encryption and key exchange.

- To send a message securely to Alice, Bob would encrypt the message with:
(a) Alice's public key.
(b) Alice's private key.
(c) Bob's public key.
(d) Bob's private key.

- Collision resistance in a hash function means:
(a) It is difficult to find two messages that hash to the same value.
(b) Two different messages can never hash to the same value.
(c) The hash value is recomputed with different parameters if it is found to hash to the same value as another message.
(d) Each hash pointer is distinct from every other one in a system.

- Suppose you have a Merkle tree with 32 data blocks (leaf nodes). How many hashes need to be recomputed to modify the data in one leaf node?
(a) 5
(b) 6
(c) 31
(d) 32

- Which of these was not a modification to the Needham-Schroeder protocol designed to help avoid replay attacks?
(a) Timestamps.
(b) Digital signatures.
(c) Use of a trusted third party.
(d) Session IDs.

- When Alice gets a Kerberos ticket to talk to Bob, it contains:
(a) Alice's public key.
(b) A shared session key.
(c) Signed authorization information from Kerberos.
(d) Bob's public key.

- Kerberos avoids replay attacks via the use of:
(a) Timestamps.
(b) Digital signatures.
(c) A trusted third party.
(d) Session IDs.
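The frequency-analysis question in Part II (which ciphers are not vulnerable) is worth seeing in code. This is an added study example, not part of the exam: it breaks a shift cipher with a chi-squared comparison against English letter frequencies, then shows that a Vigenère cipher with an eight-letter key pulls the index of coincidence of the ciphertext down toward that of random text, which is what defeats single-letter frequency counting. The sample plaintext, the key `SECURITY` and the shift of 7 are constructed for the example.

```python
"""Frequency analysis: breaking a shift cipher with a chi-squared test, and
measuring how a polyalphabetic (Vigenere) cipher flattens the statistics.
Added study example; not part of the exam."""
from collections import Counter
from string import ascii_uppercase as ALPHA

# Approximate relative frequencies of A..Z in English prose, in percent.
ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97, 0.15,
                0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06,
                2.76, 0.98, 2.36, 0.15, 1.97, 0.07]

# Constructed sample plaintext: ordinary English, long enough for statistics.
SAMPLE = ("The quick reaction of the security team meant that the attacker never "
          "reached the database. Each request was logged, the session tokens were "
          "rotated, and the affected accounts were locked until their owners could "
          "be contacted by telephone and asked to choose new passwords.")


def letters_only(text: str) -> str:
    """Keep letters only and upper-case them (classical-cipher convention)."""
    return "".join(c for c in text.upper() if c in ALPHA)


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Caesar/shift cipher; a negative shift decrypts."""
    return "".join(ALPHA[(ALPHA.index(c) + shift) % 26] for c in letters_only(plaintext))


def vigenere_encrypt(plaintext: str, key: str) -> str:
    """Polyalphabetic: letter i is shifted by key letter i mod len(key)."""
    key = letters_only(key)
    return "".join(ALPHA[(ALPHA.index(c) + ALPHA.index(key[i % len(key)])) % 26]
                   for i, c in enumerate(letters_only(plaintext)))


def chi_squared(text: str) -> float:
    """Distance between the letter histogram of `text` and English; lower is closer."""
    n = len(text)
    counts = Counter(text)
    return sum((counts[c] - n * f / 100) ** 2 / (n * f / 100)
               for c, f in zip(ALPHA, ENGLISH_FREQ))


def break_shift(ciphertext: str) -> int:
    """Try all 26 shifts and keep the one whose decryption looks most like English."""
    return min(range(26), key=lambda s: chi_squared(shift_encrypt(ciphertext, -s)))


def index_of_coincidence(text: str) -> float:
    """Probability that two random positions hold the same letter: about 0.066 for
    English, about 0.038 for uniform random letters. Any monoalphabetic
    substitution preserves it; a polyalphabetic cipher lowers it."""
    n = len(text)
    counts = Counter(text)
    return sum(k * (k - 1) for k in counts.values()) / (n * (n - 1))


def demo() -> dict:
    shifted = shift_encrypt(SAMPLE, 7)
    poly = vigenere_encrypt(SAMPLE, "SECURITY")
    return {
        "recovered_shift": break_shift(shifted),
        "ic_shift": index_of_coincidence(shifted),
        "ic_vigenere": index_of_coincidence(poly),
    }


if __name__ == "__main__":
    print(demo())
```

A polyalphabetic cipher is resistant, not immune: once the key length is known (Kasiski examination or the Friedman test on the index of coincidence), each of the eight interleaved streams is a plain shift cipher and `break_shift` recovers each key letter on its own.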
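The Feistel and CBC questions in Part II describe two structural facts: a Feistel round changes only half of the block, so the round function never has to be inverted, and CBC makes each ciphertext block a function of the previous one. This added example (not from the exam) builds a toy 8-byte Feistel cipher with a SHA-256-based round function, runs CBC on top of it, and shows the decryption-side consequence of chaining: XOR-ing a mask into one ciphertext block garbles that block and applies the same mask to the next plaintext block. The cipher, key, IV and plaintext are constructed for illustration and have no security value.

```python
"""A toy Feistel block cipher (the round function need not be invertible) and
CBC mode built on it, including the bit-flipping consequence of chaining.
Added study example; not part of the exam. Illustration only: 8-byte blocks,
a hash-based round function, no security claims."""
import hashlib

BLOCK = 8          # bytes per block: two 4-byte halves
ROUNDS = 8


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(half: bytes, subkey: bytes) -> bytes:
    """Deliberately one-way: Feistel decryption never needs F inverted."""
    return hashlib.sha256(subkey + half).digest()[:4]


def subkeys(key: bytes) -> list:
    return [hashlib.sha256(key + bytes([r])).digest()[:16] for r in range(ROUNDS)]


def feistel(block: bytes, ks: list) -> bytes:
    """One pass through the rounds. Each round changes only one half:
    L, R = R, L xor F(R, k). The final swap makes this same routine, run with
    the subkeys in reverse order, undo the encryption."""
    L, R = block[:4], block[4:]
    for k in ks:
        L, R = R, xor(L, round_function(R, k))
    return R + L


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, subkeys(key)[::-1])


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """No chaining: equal plaintext blocks give equal ciphertext blocks."""
    return b"".join(encrypt_block(plaintext[i:i + BLOCK], key)
                    for i in range(0, len(plaintext), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = E_k(P_i xor C_{i-1}) with C_0 = IV: every block depends on the previous ciphertext."""
    assert len(plaintext) % BLOCK == 0, "caller pads to a block multiple"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = encrypt_block(xor(plaintext[i:i + BLOCK], prev), key)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = D_k(C_i) xor C_{i-1}"""
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(xor(decrypt_block(c, key), prev))
        prev = c
    return b"".join(out)


def demo() -> dict:
    key = b"constructed-key!"          # fixed so the demo is reproducible
    iv = b"\x00" * BLOCK               # a real system uses a fresh random IV per message
    pt = b"AAAAAAAA" + b"AAAAAAAA" + b"amt=0001"

    ecb = ecb_encrypt(key, pt)
    cbc = cbc_encrypt(key, iv, pt)

    # Chaining side effect: XOR a mask into ciphertext block 1. Block 1 then
    # decrypts to garbage, but block 2 decrypts to P_2 xor mask, bit for bit.
    mask = xor(b"amt=0001", b"amt=9999")
    tampered = cbc[:8] + xor(cbc[8:16], mask) + cbc[16:]
    decrypted = cbc_decrypt(key, iv, tampered)

    return {
        "roundtrip_ok": cbc_decrypt(key, iv, cbc) == pt,
        "ecb_repeats_blocks": ecb[:8] == ecb[8:16],
        "cbc_repeats_blocks": cbc[:8] == cbc[8:16],
        "block0": decrypted[:8],
        "block1_intact": decrypted[8:16] == b"AAAAAAAA",
        "block2": decrypted[16:],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The bit-flipping result is why CBC ciphertext needs a MAC (or an AEAD mode) whenever an attacker can touch it: the mode gives confidentiality and hides repeated blocks, but nothing in it detects modification.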
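Two of the questions turn on the same key asymmetry: Part I asks how a digital signature differs from a MAC, and Part II asks which key Bob uses to send a message securely to Alice. This added example (not from the exam) uses HMAC-SHA256 from the standard library for the MAC and a deliberately tiny textbook RSA key pair for Alice, built from the Mersenne primes 2^31-1 and 2^61-1 with no padding; it demonstrates the key relationships only and is not usable cryptography. The messages and the shared key are constructed.

```python
"""Message Authentication Code versus digital signature, and which key
encrypts a message *to* Alice. Added study example; not part of the exam.
The RSA here is textbook RSA with a tiny modulus and no padding: it shows the
key asymmetry and nothing else, and must not be used for real data."""
import hashlib
import hmac

# Toy RSA key pair for Alice. p and q are the Mersenne primes 2^31-1 and 2^61-1;
# e = 65537 is coprime to (p-1)(q-1) because 65537 divides 2^k-1 only when 32 | k.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse; needs Python >= 3.8
ALICE_PUBLIC = (N, E)                      # published; anyone may hold it
ALICE_PRIVATE = (N, D)                     # known only to Alice


def digest_int(message: bytes) -> int:
    """SHA-256 of the message, truncated to 64 bits so it is below the ~92-bit N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:8], "big")


def sign(private_key, message: bytes) -> int:
    n, d = private_key
    return pow(digest_int(message), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)


def mac(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def mac_valid(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(shared_key, message), tag)


def encrypt_to(public_key, m: int) -> int:
    """Bob encrypts for Alice with *her public* key."""
    n, e = public_key
    return pow(m, e, n)


def decrypt_with(private_key, c: int) -> int:
    n, d = private_key
    return pow(c, d, n)


def scenario() -> dict:
    msg = b"Transfer 100 to Carol"
    k = b"key shared by Alice and Bob"        # constructed shared secret

    # MAC: Bob can check Alice's tag, but he holds the same key, so a tag he
    # makes himself is indistinguishable from hers. No third party can tell
    # which of them produced it, so Alice can repudiate it.
    tag = mac(k, msg)
    forged = b"Transfer 1000 to Bob"
    bob_tag = mac(k, forged)

    # Signature: only D signs; anyone with (N, E) verifies. Bob, holding only
    # the public exponent, cannot produce a value that verifies.
    sig = sign(ALICE_PRIVATE, msg)
    bob_attempt = pow(digest_int(msg), E, N)

    # Confidentiality to Alice: encrypt under her public key, decrypt with her private key.
    secret = digest_int(b"session key material")   # any integer below N
    ct = encrypt_to(ALICE_PUBLIC, secret)

    return {
        "mac_verifies": mac_valid(k, msg, tag),
        "bob_can_forge_mac": mac_valid(k, forged, bob_tag),
        "signature_verifies": verify(ALICE_PUBLIC, msg, sig),
        "tampered_signature_verifies": verify(ALICE_PUBLIC, forged, sig),
        "bob_signature_verifies": verify(ALICE_PUBLIC, msg, bob_attempt),
        "secret": secret,
        "decrypted": decrypt_with(ALICE_PRIVATE, ct),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The `encrypt_to` step is also the first half of a hybrid cryptosystem: the integer Bob encrypts under Alice's public key is a symmetric session key, and the bulk of the message is then encrypted with that key.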
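Part I asks why hash pointers cannot be used in a doubly-linked list, and Part II asks how many hashes change when one leaf of a 32-leaf Merkle tree is modified. This added example (not from the exam) covers both with SHA-256: it builds and verifies a singly hash-linked list, shows that a node whose hash covers both its predecessor's and its successor's hashes never settles on a consistent value (that would require a fixed point of SHA-256), and updates one leaf of a 32-leaf Merkle tree along its path to the root. `update_leaf` counts the leaf's own hash as well as the five internal nodes above it and returns 6; whether a course counts the leaf hash is a convention, so check that against the lecture notes rather than this code. The record data is constructed.

```python
"""Hash pointers: a singly hash-linked list verifies end to end, a doubly
hash-linked list cannot even be built, and a Merkle tree confines the
recomputation after a change to one root-to-leaf path. Added study example;
not part of the exam."""
import hashlib


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


# --- Singly linked: each node stores the hash of the *previous* node ----------

def build_chain(items):
    """Node i = (data, hash of node i-1). Returns the nodes and the head hash,
    the only value that has to be stored somewhere trusted."""
    nodes, prev = [], b"\x00" * 32
    for data in items:
        nodes.append((data, prev))
        prev = sha(data, prev)
    return nodes, prev


def verify_chain(nodes, head_hash) -> bool:
    prev = b"\x00" * 32
    for data, stored_prev in nodes:
        if stored_prev != prev:
            return False
        prev = sha(data, prev)
    return prev == head_hash


# --- Doubly linked: a node would embed the hash of its successor, whose hash
# embeds this node's hash. Iterating the definition never settles, because a
# consistent assignment would be a fixed point of SHA-256. --------------------

def doubly_linked_settles(items, rounds=50) -> bool:
    hashes = [b"\x00" * 32] * len(items)
    for _ in range(rounds):
        new = []
        for i, data in enumerate(items):
            prev_h = hashes[i - 1] if i > 0 else b"\x00" * 32
            next_h = hashes[i + 1] if i + 1 < len(items) else b"\x00" * 32
            new.append(sha(data, prev_h, next_h))
        if new == hashes:
            return True
        hashes = new
    return False


# --- Merkle tree over a power-of-two number of leaves -------------------------

def merkle_levels(leaves):
    """levels[0] holds the leaf hashes, levels[-1][0] is the root.
    Leaf and internal hashes use distinct prefixes to block second-preimage tricks."""
    levels = [[sha(b"\x00", d) for d in leaves]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([sha(b"\x01", prev[i], prev[i + 1]) for i in range(0, len(prev), 2)])
    return levels


def update_leaf(levels, index, new_data) -> int:
    """Replace one leaf and recompute only its path to the root. Returns how
    many hashes were recomputed: the leaf hash plus one per internal level,
    i.e. log2(n) + 1 for n leaves."""
    levels[0][index] = sha(b"\x00", new_data)
    recomputed, i = 1, index
    for lvl in range(1, len(levels)):
        i //= 2
        left, right = levels[lvl - 1][2 * i], levels[lvl - 1][2 * i + 1]
        levels[lvl][i] = sha(b"\x01", left, right)
        recomputed += 1
    return recomputed


def demo() -> dict:
    items = [f"record {i}".encode() for i in range(32)]     # constructed data
    nodes, head = build_chain(items)
    tampered = list(nodes)
    tampered[3] = (b"record 3 (edited)", nodes[3][1])       # keep the pointer, change the data

    levels = merkle_levels(items)
    count = update_leaf(levels, 17, b"record 17 (edited)")
    fresh = list(items)
    fresh[17] = b"record 17 (edited)"
    return {
        "chain_ok": verify_chain(nodes, head),
        "tampered_detected": not verify_chain(tampered, head),
        "doubly_linked_settles": doubly_linked_settles(items[:4]),
        "hashes_recomputed": count,
        "incremental_root_matches": levels[-1][0] == merkle_levels(fresh)[-1][0],
    }


if __name__ == "__main__":
    print(demo())
```

The same root-to-leaf path is what a Merkle proof carries: the five sibling hashes along it let a verifier holding only the root confirm one leaf without seeing the other 31.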