COMP 424 Test
Select the one which is NOT a security goal or property.
Efficiency
What access control principle do the following sentences describe? "Every access to every object must be checked for authority. It forces a system-wide view of access control, which in addition to normal operation includes initialization, recovery, shutdown, and maintenance. It implies that a foolproof method of identifying the source of every request must be devised. It also requires that proposals to gain performance by remembering the result of an authority check be examined skeptically. If a change in authority occurs, such remembered results must be systematically updated."
Complete Mediation
Select the correct statement about steganography and cryptography.
Cryptography depends on the secrecy of a short key, not on the secrecy of the method
When the system uses 1024 bits of hash output for collision resistance, how long an AES key for the block cipher do you require to satisfy the Weakest Link Principle?
512 Bits
What access control principle do the following sentences describe? "The access decisions of this principle are based on permission rather than exclusion. The default situation is lack of access. The protection scheme identifies conditions under which access is permitted. A conservative design must be based on arguments why objects should be accessible, rather than why they should not. Examples of this principle are 'whitelisting' instead of blacklisting for anti-virus products and firewall policies that use default deny."
Fail-Safe Defaults
The Diffie-Hellman key exchange protocol is based on the hardness of factoring large numbers.
False
Digital signatures do NOT provide 'non-repudiation'.
False
In Linux, when you change the file permissions with chmod 755 a.txt, it modifies the file to -rwxr--r--.
False
In the access control model in Linux, usually subjects are passive, such as a file, directory, or memory segment, while objects are programs executing on behalf of some principal(s).
False
SQL injection can occur when the attacker transmits unauthorized commands from a user who has logged in to a website, to that website, with a valid cookie.
False
Given a function h: X -> Y, we say that h is _____ if, given y ∈ Y, it is computationally infeasible to find a value x ∈ X such that h(x) = y.
Hash Function: Preimage Resistant
What access control principle do the following sentences describe? "Every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. It also reduces the number of potential interactions among privileged programs to the minimum for correct operation, so that unintentional, unwanted, or improper uses of privilege are less likely to occur."
Least Privilege
What is the following scheme describing? It authenticates a message (M) using a keyed hash (H). The sender and the receiver share a secret key (k). The sender transmits the pair { M, H_k(M) }; the receiver receives { X, Y } and verifies that H_k(X) = Y before accepting the message from the sender. To be secure, an adversary should not be able to come up with a new pair ( X', Y' ) such that H_k(X') = Y'.
Message Authentication Code (MAC)
Select the one that correctly describes Electronic Code Book (ECB) encryption mode.
Reveals patterns of data when a data block repeats
Select the one that correctly describes stream ciphers.
A stream cipher is a symmetric-key cipher
What do the following sentences describe? "Guarded gates from user mode (user space, userland) into kernel mode (kernel space, kernel land). They change the processor state from user mode to kernel mode so that the CPU can access protected kernel memory."
System Calls
Select the one which is NOT required to make the One-Time Pad unbreakable.
The key is chosen from a very long text such as a book
Select the one that does NOT correctly describe the Mono-Alphabetic Substitution Cipher.
The key space is 26, which is the number of letters in the alphabet
Choose the wrong description of UNIX access control.
There should be a one-to-many mapping from principals to users
Cross Site Scripting (XSS) can occur because web applications often take user input and use it as part of a webpage.
True
If the vim.basic program is set as a `setuid program` by a root administrator, a malicious user can add his/her user ID to the sudoers list with the NOPASSWD option. As a result, the attacker can become root by executing the sudo su command.
True
The Kasiski test for finding the key length of a Vigenère cipher is based on the observation that two identical segments of plaintext will be encrypted to the same ciphertext if they occur in the text at a distance (delta) such that (delta) is a multiple of m, the key length.
True
The basic idea of perfect secrecy is "Ciphertext should reveal no information about plaintext", represented as: for all messages m and for all ciphertexts c, P[PT=m ∧ CT=c] = P[PT=m] P[CT=c], where PT is the plaintext, CT is the ciphertext, and P is the probability.
True
Select the one that does NOT correctly describe a possible prevention method against SQL injection attacks.
Use both a cookie and hidden fields to authenticate a web form by checking whether they match on the server side