PSU CSE 543 - CSE 543 MIDTERM

This preview shows page 1-2 out of 7 pages.

CSE543/Fall 2007 - Midterm
Thursday, November 1, 2007 — Professor Trent Jaeger

Please read the instructions and questions carefully. You will be graded for clarity and correctness. You have 75 minutes to complete this exam, so focus on those questions whose subject matter you know well. Write legibly and check your answers before handing it in.

Short Answer (Answer 12 of 14) - some will be one or two words – no more than 3 sentences

1. (3pts) What is the difference between protection and security?
answer: A system that provides security ensures the protection of its data (i.e., enforcement of its security goals) even when a user may run code that has malicious intent. Systems that provide protection enforce the specified policy only if the user runs trusted code.

2. (3pts) Define protection system.
answer: A protection system consists of a protection state describing the current access policy, a reference monitor to enforce the protection state, and administrative operations to modify the protection state.

3. (3pts) How can you configure the Windows access control model to ensure that a particular subject only has access to one file?
answer: Restricted context is easiest. Add a negative ACE at the beginning of all other object ACLs, except the one being permitted. Grant rights for that one.

4. (3pts) What are the guarantees that a UNIX sandbox (e.g., Janus) must provide in order to ensure that the process cannot escape the limited permissions defined?
answer: Basically, reference monitor guarantees. It must provide a tamperproof implementation that enforces a mandatory access control policy (also tamperproof) that mediates all security sensitive operations, and the policy must ensure that the process does not gain unauthorized access (i.e., verifiably enforce security goals).

5. (3pts) What is the confused deputy problem?
answer: That a multi-client server may be spoofed into granting one client unauthorized rights to another client’s objects because it must have the permissions for all the clients to run in an ACL system.

6. (3pts) What mechanisms does Multics use to protect the integrity of objects?
answer: Protection rings provide the mediation points for enforcing integrity. The access and call bracket policies describe the integrity policy of a Multics system. A tamperproof kernel enforces the policy.

7. (3pts) Define the two fundamental properties of the Bell-LaPadula model (i.e., multilevel security model).
answer: Simple-security property – no read up, and *-security property – no write down.

8. (3pts) What does the extend operation of the Trusted Platform Module do (be precise)?
answer: It extends a hash value in a particular TPM register (PCR) by taking the current register value and hashing it concatenated with the input value to the extend operation.

9. (3pts) Why is it more secure to implement a reference monitor inside the kernel (as in LSM), rather than to use system call interposition (as in Janus)?
answer: Time-of-check-to-time-of-use attacks. In interposition, the mapping between names and actual objects is computed separately from the kernel, so it may be possible for a concurrent process to change the mapping (e.g., changing a local file to be a link to /etc/shadow). That is, the label-file mapping is not tamperproof in Janus.

10. (3pts) What are buffer overflow, heap overflow, and integer overflow vulnerabilities?
answer: A buffer overflow occurs on the stack by overwriting the return address. A heap overflow occurs on the heap by overwriting a key pointer, such as a function pointer. An integer overflow occurs on signed integers, when the maximum value is reached, computer integer operations differ from true integer operations.

11. (3pts) When a cryptographic construction provides message non-repudiation, what can the receiver prove?
answer: The receiver can prove that the message originated from a single principal, the holder of the associated private key. This can even be proven to third parties.

12. (3pts) What impact does the birthday paradox have on the security of a 90-bit hash function?
answer: Due to the birthday paradox, the probability of finding a collision in a 90 bit hash is only one in 2^45.

13. (3pts) How does the use of a Kerberos authenticator replace the function of the last two messages in the Needham-Schroeder symmetric key protocol?
answer: An authenticator aims to prove that Alice’s message with the corresponding ticket (and the new session key) has been freshly created by Alice by using a timestamp. This replaces the need for a challenge-response provided in the last two messages. (Bob still proves ownership of the corresponding TGS-Bob key through use of the session key, but this is done later – not required in the answer).

14. (3pts) Identify the conditions when you would want to add an HMAC to a secure communication.
answer: HMAC is used to justify the integrity and authenticity of a message under a shared key. Should a shared key be available, already distributed, and should there be integrity requirements on the message, you almost always want to HMAC. A rare exception is when the message has a well-known format, so that the receiver could check based on the content of the message – Kerberos is an example.

Long Answer - no more than 3 paragraphs

15. (7pts) Specify how domain transitions occur in UNIX, SELinux, and Multics. Just outline the mechanisms – no specific rules are required. Indicate the security advantages of SELinux and Multics over UNIX domain transitions in your description.
answer: UNIX transitions domains via setuid. The UID of the process changes to that of the owner of the file.
SELinux defines rules to limit when domain transitions are permitted and what the destination domain will be. These rules constrain who can cause a transition (not every invocation gains privilege) and limits the privileges based on the caller (different callers get different privileges).
Multics defines domain transitions via call brackets that state when low privileged processes may transition to higher and vice versa. Multics also defines gate keepers to ensure that higher privileged code cannot be compromised by low integrity inputs. Multics defines multiple ring levels (not just root) and protects inputs.

16. (7pts) What are the components that ensure integrity in a Clark-Wilson integrity system and a Biba integrity system (i.e., there are two different sets to be specified)? How do these components ensure integrity in each system?
answer: Using Clark-Wilson, we need to add Integrity
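The extend operation from Question 8, worked as an added example that is not part of the exam: it assumes SHA-1 PCRs as in TPM 1.2, uses a constructed boot log, and goes one step past the answer by showing how a verifier replays a log to check a reported PCR (function names are mine).

```python
import hashlib
import hmac

# Assumption for this illustration: SHA-1 PCRs (160 bits), as in TPM 1.2.
PCR_BYTES = 20

def pcr_extend(current, measurement):
    """TPM extend: new PCR value = H(current PCR value || input digest).
    The input is a digest of the component being measured, never the
    component itself, and there is no operation that sets a PCR directly."""
    if len(current) != PCR_BYTES or len(measurement) != PCR_BYTES:
        raise ValueError("PCR values and extend inputs are fixed-size digests")
    return hashlib.sha1(current + measurement).digest()

def replay_log(measurements):
    """Recompute the PCR a verifier expects from an event log by replaying
    every extend from the reset value (all zeros) in the recorded order."""
    pcr = bytes(PCR_BYTES)
    for m in measurements:
        pcr = pcr_extend(pcr, m)
    return pcr

def log_matches_pcr(measurements, reported_pcr):
    """Attestation check: does the claimed log reproduce the PCR the TPM reports?"""
    return hmac.compare_digest(replay_log(measurements), reported_pcr)

def measure(component):
    """Hash a component's bytes to the digest that gets extended into a PCR."""
    return hashlib.sha1(component).digest()

# Constructed sample event log: digests of three boot-stage blobs, in boot order.
BOOT_LOG = [measure(b"bootloader image"), measure(b"kernel image"), measure(b"initrd image")]
# Same log, but the kernel blob has been modified (constructed for the demo).
TAMPERED_LOG = [BOOT_LOG[0], measure(b"kernel image (modified)"), BOOT_LOG[2]]

if __name__ == "__main__":
    pcr = replay_log(BOOT_LOG)
    print("final PCR:", pcr.hex())
    print("genuine log verifies:", log_matches_pcr(BOOT_LOG, pcr))
    print("tampered kernel verifies:", log_matches_pcr(TAMPERED_LOG, pcr))
    print("reordered log verifies:", log_matches_pcr(BOOT_LOG[::-1], pcr))
```

Because each extend hashes the previous value in, a single changed, dropped or reordered measurement changes the final PCR, which is what makes the register a trustworthy summary of the whole boot sequence.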

