Security Final
—Chapter 5— Exercise 20 from textbook. 20. A flaw in the protection system of many operating systems is argument passing. Often a common shared stack is used by all nested routines for arguments as well as for the remainder of the context of each calling process. HELP
(a) Explain what vulnerabilities this flaw presents. A shared stack means that all the resources that are present for one are present for another. This means malicious code will have way more access than it should. You could potentially replace the content of other parameters for different routines and cause a buffer overflow or something (?)
(b) Explain how the flaw can be controlled. The shared stack is still to be used for passing arguments and storing context. Partition the stack and allocate it to each process. Access restrictions can be applied so that a process cannot access other processes' stack contents.
—Section 8.1— Describe the cloud service models and their differences.
- SaaS: Software as a service. This basically gives users an application that runs in the cloud. They have no control over the infrastructure, just the end product.
- PaaS: Platform as a service. Customers build their own applications but the cloud gives them the tools and resources to do so. No say in what tools, but say in configuration.
- IaaS: Infrastructure as a service. Processing, storage, and network components in the cloud. Customers can request operating systems, storage, some applications, and some network components.
—Section 5.2— Describe the Trusted Computing Base (TCB) functions and design.
1. TCB is the name given to everything in the trusted operating system that is necessary to enforce the security policy or that is depended on for correct enforcement of the policy. Divided into TCB and non-TCB functions.
2. Function: TCB monitors the following four:
- Process activation - changing from one process to another, especially in a multi-user system, requires change in registers, relocation maps, file access lists
- Execution domain switching - processes running in one domain often invoke processes in other domains to obtain more or less sensitive data
- Memory protection - must monitor memory references to ensure secrecy and integrity of each domain
- I/O operation - I/O crosses all domains from outermost SW to innermost HW
3. Design: Division into TCB and non-TCB is convenient for designers. TCB must run in some protected state distinct from non-TCB. Must be consciously structured. Allow all other code to change easily, TCB not so. Makes reviews easy.
—Chapter 8— Exercise 10 from textbook.
10. Why is it important to sign SAML Assertions? Why is it not important to sign OAuth Access Tokens?
- This question is from our group discussions
- It's important to sign SAML assertions because SAML is used primarily for authentication purposes. It's not important to sign OAuth Access Tokens because it aims to temporarily authorize your access to data from an already authenticated source (i.e. your Google account)
- OAuth doesn't use signatures because it then relies on TLS encryption for any communication, and tokens are used by third party providers to access specific resources from some other service the user requested (like the Facebook apps). So the main concern for OAuth is eavesdroppers
—Chapter 8— Exercise 11 from textbook. HELP
11. In OAuth, what attack does the Client Secret mitigate? Why do you think the Client Secret is optional for Public Clients?
—Chapter 6— Exercise 48 from textbook.
48. Should a network administrator put a firewall in front of a honeypot (introduced in Chapter 5)? Why or why not? No! They should not. This would defeat the point of a honey pot because it wants to simulate valuable data that would attract malicious actors. The point of a honey pot is to be out in the open and putting it behind a firewall would defeat the purpose.
—Section 6.4— Describe how the SYN flood attack can be accomplished.
A SYN attack takes advantage of the TCP protocol. TCP requires a handshake between hosts and contains packets noted as SYN (synchronize) and ACK (acknowledge). These messages go back and forth and add on to each other so each host confirms the count is correct. It acts as a form of bit check. A SYN attack simply sends many SYN packets but does not send the returning SYN-ACKs. They also spoof a nonexistent return address because their own return address can be traced back and it makes it harder to detect which sources are legitimate and which are not.
—Section 6.7— Describe a circuit-level gateway.
A circuit-level gateway is a firewall that allows one network to be an extension of another. It is on the application layer (if using 5 layer OSI model). A circuit is a logical connection that is maintained for a period of time, then torn down or disconnected. That means that I will have access to that network for a certain period of time before the circuit must be renewed. The circuit is checked only the first time, then it is allowed to pass through. Can be used to implement a VPN.
—Section 6.4— Describe how the Smurf attack can be accomplished.
A Smurf attack is a variation of a ping attack. A ping attack is just sending as many pings as possible to a victim (attacker needs greater BW than victim). A Smurf attack uses a ping packet with 2 twists. It first sends pings to alternate targets and sets return source IP to the victim. It then sends a request to the network in broadcast mode, which distributes to all subnetworks, thus utilizing an entire network to attack a victim.
—Section 6.4— Describe how the Teardrop attack can be accomplished.
A teardrop attack takes advantage of datagrams being split up and reassembled together. The messages indicate how they are split up and reassembled. An attacker sends a series of datagrams that are not reconstructable and cause a denial of service. This is in the network layer.
—Section 3.2— In what way is a worm different than a virus? Describe a real cyberattack that was a worm and took advantage of a zero-day exploit.
A worm is a subset of viruses that spreads copies of itself through network vulnerabilities exclusively, and can replicate itself this way by sending itself to other computers on the network. Viruses typically attach themselves to files or programs and spread across memory, physical hardware, when a person emails the program, downloads files, etc. The ILOVEYOU worm spread via email to over 100,000 servers (1 out of every 28 emails sent at the time) with the message "I love you" carrying a "LOVE-LETTER-FOR-YOU.txt.vbs" malware attachment.
—Section 6.5— How is a Distributed Denial of Service (DDoS) attack different from a DoS attack? Describe a typical botnet command and control structure and its role in a DDoS.
All the attacks described above are DoS attacks. The only difference is in a DDoS attack, the attacker enlists multiple computers, called zombies or botnets, to also participate in the attack. An attacker normally infects many computers through trojan viruses. These viruses lay dormant until the attacker sends a command to execute an attack against a victim. To maximize effectiveness and avoid detection, an attacker will layer a botnet structure to have master bots, command and control bots, and bots. Command and control bots are changed often to avoid detection as much as possible. Communication is also done between bots to coordinate and must be done so stealthily.
—Section 5.1— How does Paging work? What security advantages does it have?
Alternative form of organizing virtual memory to segmentation. Program divided into equal sized pieces called pages. Memory divided into equal sized units called page frames. A page translation table or a Translation lookaside buffer is created to match the program page number to an address in memory. All pages are the same size so fragmentation isn't a problem. Prevents the problem of addressing beyond the bound of memory. Only problem is that change in code can cause shift in memory and there is no necessary unity to items on a page, so you can't make all values on a page read only or write only
—Section 6.7— Describe the policy in TABLE 6-5.
Any inbound traffic to port 25 (mail) or port 69 (trivial file transfer) is allowed to or from any host on the 192.168.1 subnetwork. By rule 3, any host inside is allowed outbound anywhere on port 80. By rule 4, outside traffic to the internal host at destination address 192.168.1.18 is allowed. All other traffic to the 192.168.1 network is denied.
—Section 6.1— Suppose Alice in the US communicates over the Internet with Bob in Europe. What are three physical media that the signal carrying Alice's message is likely to go through?
Assuming the user is initially on a phone or laptop. There would be a LAN connection to a router, or a WLAN if on a larger network like 4G. This would be wireless communication; the details vary by which network the user is on. From that access point (radio tower or router) a physical cable will take that data to the ISP and be routed through its network. This physical data cable is probably copper but may be fiber depending on the location. Across the Atlantic, fiber optic cables would be used to carry the signal. These are lower power, and act as a series of mirrors bouncing light within a wire. There are thousands of undersea cables.
—Section 5.1— How does a Base/Bounds Registers architecture ensure memory protection? How does it compare to using a fence?
Base/Bounds Registers architecture provides segmented memory sections for multiple user processes by allocating each process a base register (address) and a bound register, or the size used by that process. Base/Bounds Registers can also be implemented so as to have separate segments with their own base/bounds for each process' data space and program space so that user processes can't access their own program space. A fence only provides a single boundary between the kernel and the rest of memory - it's the same as having only a single base register in the system. While this works fine for protecting core O/S code, it can't protect processes from each other
—Section 6.4— Describe how the DNS Cache Poisoning attack can be accomplished.
DNS cache poisoning is when a malicious actor requests a website domain name be addressed to a different address. This would normally happen if a website moved providers, but DNS requires strong authentication so this method is not likely. The end result would be all the requests intended for one domain, a popular website, going to a target system IP, overwhelming them. More likely, this attack would be obtained by exploiting an unknown website to a local DNS server. The DNS would ask the root server, and that root server would ask a Top-Level-Domain (TLD) server. These links are based on matching ID numbers. If an attacker can compromise that ID number, then an attacker can successfully fool a DNS into storing an address linked to a website as its victim.
—Section 8.3— Describe the Boxcryptor TNO implementation.
Encryption client that augments generic cloud storage providers such as Dropbox. The Boxcryptor client creates a unique AES key for each customer file, then encrypts the file key with the user's public RSA key. The user then decrypts the file key with their RSA private key. So there are two layers of encryption going on. Also allows sharing keys with others. Actually implemented for the malware Cryptolocker.
—Section 3.3— Describe the different types of testing. How does security testing differ from ordinary functionality testing?
General methods of testing include:
- Integration testing means verifying that the system components work together as described
- Function testing evaluates the system to determine if functions described by requirements are actually performed by integrated system.
- Performance testing compares system with remainder of software and hardware requirements verifying that system is secure
- Developers and customers perform acceptance testing, with software installed on customer machines
Security testing can have additional requirements, such as testing internal state with different inputs and triggers. Also, having independent white box testers can be helpful to prevent developers from manipulating tests or adding backdoors. Similarly, penetration testing or "tiger team analysis" involves having a team of white-hat hackers try to break the product.
—Section 8.4— Describe OpenID Connect Authentication based on Figure 8-6.
HELP User wants to connect to Instagram "Would you like to authorize instagram to connect to your facebook credentials" "Do you authorize instagram access to your contacts, etc." Either success or "enter the code we just texted you..."
—Section 6.6— How does onion routing work?
Honestly just watch this https://www.youtube.com/watch?v=QRYzre4bf7I
—Section 8.4— What are the main elements involved in Federated Identity Management (FIdM)? What are its benefits?
It enables identity information to be developed and shared among several entities and across trust domains, providing single sign-on convenience and efficiencies to identify individuals, identity providers and relying parties. FIdM allows one org to attest to another user's identity and authority. FIdM allows one system to maintain a user's identity, and other systems to query what you need.
—Section 8.3— Compare the Lastpass and the Boxcryptor TNO implementations.
Lastpass may not be offered on all cloud storage services. Boxcryptor is decentralized. It can also be used to retrieve a single password rather than a whole database.
—Section 3.3— Describe the design principles of security. Provide an example for each of them.
- Least Privilege means that users should only have access to what they absolutely need, and this should be enforced. In the access control article we read, the auditor doesn't need to have write access to files, only read access.
- Economy of mechanism means that the protection system should be small and simple, emphasizing understandability of code and modular design to maximize testing coverage and ease of analysis. An example would be bringing in external libraries or unnecessarily complex logic to perform calculation.
- Open design means that the protection system's details should be publicly available, so that the security of the system isn't dependent on hackers not having access to implementation details. An example of this would be RSA, or Diffie-Hellman. It's clear to users and white-hat hackers where potential vulnerabilities lie (i.e. in software used to execute key exchange protocol) but still almost impossible to crack.
- Complete mediation means that every access attempt is checked by the protection system, and cannot be bypassed. For example, a firewall blocking your network port.
- Permission based: The protection system should follow a conservative policy of denying access by default. For example, Windows Defender makes you affirm that you want to install an application, and automatically blocks unauthorized apps.
- Separation of privilege: Access to objects should require multi-factor authorization, to protect against vulnerabilities against one aspect of the system. For example, to log into my 401K, I have to enter my password and verify a code that gets texted to me.
- Least Common Mechanism: Limiting resources shared by users so that if unauthorized access is gained to the resource, damage is limited. I.e. don't store all client data in a single server/table. Instead spread it out.
- Ease of use: People won't bypass the protection mechanism if it's simple to use. If a password requires 15 characters with multiple uppercase and special characters, people will either write it down or use a password manager instead.
—Section 6.6— Compare Link to End-to-End encryption.
Link encryption only occurs on the first two layers of OSI (Link and Physical). E2EE is encryption of the actual message and done at the application level, making it encrypted for the entire duration. Link encryption helps prevent eavesdropping (whether that be on Wi-Fi or physical cable). Link encryption also happens without any knowledge of the user, and will obfuscate some of the header, which E2EE encryption does not. E2EE is better because it will hide the message to all nodes and not be compromised on an unsecure node, unless the key is stolen. Table below goes into more detail.
—Section 5.2— What is a reference monitor and what are its properties?
Most important part of the security kernel. It controls access to objects. Collection of access controls for devices, files, memory. It must be:
- Tamperproof - impossible to weaken or disable
- Unbypassable - always invoked when access to any object is required
- Analyzable - small enough to be subjected to analysis and testing, the completeness of which can be ensured
—Section 8.4— Describe OAuth Authorization based on Figure 8-6.
OAuth designed for API access of FIdM. HELP This is a helpful high level explanation https://www.youtube.com/watch?v=t18YB3xDfXI Figure is on page 578 (physical) or 598 (online) of the textbook.
—Section 6.2— What is port scanning? How is it performed? What are its advantages and disadvantages?
Port scanning is an initial probe to learn more about a target. Typically it acts against a single IP address, sending a variety of queries to that IP address but changing the port number in the network layer. Depending on the response from the target, information on vulnerabilities can be gained. Some advantages are that this technique is not necessarily malicious. System administrators would use it to explore networks. It could see what operating system and version the target runs, the connectivity. Some disadvantages are that this information does not offer too many details and does not always lead to an attack.
—Section 5.1— How can we combine Paging with Segmentation and why would that be desirable?
Programmers could divide a program into logical segments that were then broken into fixed page sizes. This allowed different protections for each segment, but added more overhead in terms of another layer to translate. Wasn't actually designed with security in mind, it was just a byproduct of more efficient memory allocation.
—Section 6.4— Describe how Rerouting Routing can be accomplished.
Rerouting routing is the process of routing all network traffic through a single node, the attacker's. This node can monitor traffic to look for man in the middle opportunities. This can be accomplished by a router broadcasting incorrect information on its connectivity speed to other nodes. This is exploiting how routers trust each other and take each other at their word.
—Section 5.1— How does Segmentation work? What security advantages does it have?
Segmentation divides a program's address space into separate pieces, each containing logical units (like the code for a sub-procedure, library calls, arrays, local variables). While basic Base/Bounds register schemes separate user programs from each other, segmentation means splitting up each program into a given number of segments, which can be spread throughout memory. The O/S stores each segment's name and relative offset in a table. Segments typically vary in size to fit different sections of a program together. The security advantages of segmentation include that users can access parts of other processes' programs code/data without requiring full access to their program. Further classification of the components of programs also lends to a more modular approach allowing more precise access levels/classifications and address checking is more frequent (not just going above / below the data/code blocks)
—Section 6.4— Describe how a TCP Session Hijack can be accomplished.
TCP hijack session is done by a hijacker rewriting source and destination addresses. This can also be done by sending a reset to the receiver, ending the original connection and creating a new one with the attacker and the receiver.
—Section 8.3— Describe the Lastpass TNO implementation.
TNO: Trust no one. LastPass is a password manager. You only need to remember your login information to the password database. LastPass never has users' AES decryption keys. The master password goes through PBKDF2, salting, and hashing to obfuscate it and make it as complex as possible. Figure below explains it well
—Section 5.3— How does the rootkit described in subsection "Rootkit Evades Detection" manage to evade detection?
Talked about in an in-class activity. Rootkit program is given root privileges on the machine by an administrator or via setuid manipulation. Rootkit remains hidden by modifying operating system calls, return values and even failing to pass its own activities to be logged in the audit logging. A virus scanner is looking through the file system. The rootkit hijacks kernel native functions like NtQueryDirectoryObject. The virus scanner calls APIs that use this native function. The modified kernel native interface does not return the malicious files that would be normally displayed.
—Privacy— The Encryption Workarounds paper discusses six methods. Describe the "Compel the Key" workaround and its complications. How does it relate to the Fourth and Fifth Amendments?
The "compel the key" workaround is using physical, legal coercion to force a password from a suspect. If a suspect voluntarily provides the key, then officers may use it under the Fourth Amendment. The government can compel the key from the suspect or anyone who might know the key. What does compel mean in this case? That depends on the 4th and 5th Amendments. Not yet well developed precedent. But the gov't can do 3 things.
i. Gov't can seek an order requiring a person to disclose. The 5th Amendment protects against this because you don't have to self-incriminate.
ii. Gov't can order a person to produce a decrypted device. Fifth Amendment still probably provides protection bc of self-incrimination. Fisher vs. U.S. is a court case that says an act is testimonial for what it implicitly communicates about a person's state of mind. Courts are unsure about what facts must be established as known by the government to make the testimony implicit in decrypting a foregone conclusion. One view says the government must establish what files they expect to find on a device. Another view says the gov't must establish that it knows the suspect knows the password.
iii. Third way is to compel a person to use biometrics. Not a problem bc suspect provides photos and fingerprints, other types of biometrics in 5th Amendment without testimonial. But also the 4th Amendment says the person must be seized for this to happen. 4th Amendment & courts unclear on how fingerprints can be provided and if subjects on a scene can be compelled to use biometrics to unlock devices.
But the government has no way to actually force a suspect to disclose a key or decrypt a device even if a court rules that no Fifth Amendment privilege applies.
—Section 6.6— How is a Virtual Private Network (VPN) accomplished? What are the benefits of a VPN?
This is achieved by applying link encryption over greater distances. I would set up a link encryption with a server at work. A firewall can set this up by creating a session encryption key with a client. All network traffic passes through the firewall and appears to come from one place. This can be used by 2 different offices wanting to have access to the same network or a telecommuter wanting to have access to an office network. It grants confidentiality of a user, privacy to browse the web.
—Section 6.2— Describe the problem depicted in Figure 6-7 of the textbook. What causes this problem?
This problem is known as unknown perimeter. This problem is when one node is on multiple overlapping networks at once. This occurs when new hosts are added to the network that are already connected to another network. In the figure, Network C has overlapping nodes with A, B, and D which can have different security rules.
—Section 3.2— Describe the various ways of transmission and propagation of a virus.
Transmission occurs when a virus attaches itself to a file or computer program that the user runs, embeds its code in documents (i.e. Word, Excel) which can run OS level commands, modifies startup files or registries listing files at startup, or finally through physical hardware (i.e. a flash drive, hard disk that contains other useful stuff on it). When the virus is executed, it can sometimes then attach itself to other more important files/hardware. Viruses can propagate themselves by appending themselves to the beginning of a program's instructions so that it gets run immediately, and then the program runs. The virus can also append part of its code to the beginning of the program, let the program run, then regain control at the end. The virus can also integrate itself into the program pieces (more targeted) or replace the entire program.
—Chapter 3— Exercise 12 from textbook.
You are writing a procedure to add a node to a doubly linked list. The system on which this procedure is to be run is subject to periodic hardware failures, and the list of your program is of great importance. Your program must ensure the integrity of the list, even if the machine fails in the middle of executing your procedure. Supply the individual statements you would use in your procedure to update the list. Explain the effect of a machine failure after each instruction. Describe how you would revise this procedure so that it would restore the integrity of the basic list after a machine failure.
You can either prioritize preservation of the original list's state during a machine failure, or you can make sure that the new node is recoverable after a failure after each step in at least one direction. Suppose you want to add a new node C between nodes A and B in the list. Security of original list is preserved after each step:
1. Create a forward link from C to B. If a machine failure occurs after the instruction, A and B are still doubly linked as originally, but C is lost.
2. Create a backward link from C to A. If a machine failure occurs after the instruction, A and B are still doubly linked as originally, but C is lost.
3. Create a backwards link from B to C. If a machine failure occurs after the instruction, original ordering is still accessible for forward traversal, but the new order can be traversed backwards.
4. Create a forward link from A to C.
We can swap instruction 1 with 3 or 4 to preserve both the new node's existence in one direction and the original list ordering in the other.
—Privacy— What is the GDPR's "right to be forgotten"? How does it compare to the CCPA's "right to erasure"? Discuss both desired and undesired consequences of these rights. HELP
a. GDPR's right to be forgotten: Extends to data collected from a consumer and to data collected about the consumer from third party sources.
b. CCPA's right to erasure - if a business has personal information about you, then you can request it be deleted full stop. Third parties can still keep it and there are plenty of exceptions including to complete transactions, legal records, and prevent malicious use. The main difference between CCPA and GDPR is that the CCPA has an exemption for requests if they interfere with a right to "exercise free speech"
c. Unintended consequences of both "rights" is economic costs of small startups not having $$ to comply or losing all their data driven business, and in the case of the GDPR having wrongdoers being able to clear their name (i.e. sex offenders, malpractice doctors), expansion of govt power in cyberspace.
d. Desired consequences to help consumers reclaim personal data, which is valuable and may be used to discriminate or otherwise price gouge
—Section 8.2— Discuss the pros and cons of public, community, private and hybrid cloud deployment models with respect to security - HELP
a. Public - best at scale, but depends on size of private/community.
b. Community - more expensive, make more sense for strict confidentiality integrity bc cloud mitigates threat from sharing infrastructures. But you also give up some say because you are sharing the cloud with others, others may not want same security requirements as you.
c. Private - more expensive, more BW, make more sense for strict confidentiality or integrity bc cloud mitigates threat from sharing infrastructures.
d. Hybrid - Hybrid cloud services are more expensive than public because they allow the use of on-premise as well as cloud services, and this option is most likely more useful for a longer standing company that wants to integrate servers that it already maintains with cloud infrastructure. If the company is using IaaS then they would be able to configure the cloud infrastructure to be more secure by adding a VPN layer as well as the different options of federated identity management. This is growing because companies want to move their on-premise applications to cloud based ones.
—XINU System Calls— Discuss your observations from Homework 7. More specifically:
a. What did you observe when a System mode function (such as sv getcpuid()) was called after the processor entered User mode? Why? - The program would hang as a precaution. In user mode, the command is not accessible and therefore cannot be run.
b. What did you observe when a User function (such as getcpuid()) was called before the processor entered User mode? Why? - The process would work just fine. In system mode, the program still has access to all user functions like getcpuID(). It also has access to the system functions like sv_cgetcpuID
c. Explain what happened when you tried to compile your kernel in the following scenario: a User function (such as getcpuid()) was called after the processor entered User mode, but before you had created its API definition. - It wouldn't compile. This is because there are undefined references to those functions.
—Buffer Overflows— Share your screen and write in real time a Java method that copies n integers from one array into another. Do not use Java library methods that perform the same functionality. Your method should have the following parameters:
a. the source array a,
b. a starting point i in the source array,
c. the destination array b,
d. a starting point j in the destination array,
e. the number of integers to be copied n.
f. If you could use a Java library method, which one would you choose? Which function would you choose in C? - Java - Arrays.copyOfRange, C - strcpy, strcat
—Reversing— Share your screen, open rachet.exe with IDA and describe to me the analysis you performed for Part 3 of Homework 10.
be ready for this