Sunday, July 12, 2015

Software Security - Attack

1. VSFTPD forks a new process to handle each client connection. It could have, instead, spawned a thread within the main process to handle each connection, as is done in many servers. How would this alternative design compare to the original
  • It would be less secure because a compromise by a malicious client in one thread could (more easily) access data used by another client's thread, since they share the same address space

2. Which of the following vulnerabilities can VSFTPD's secure string library help protect against?
  • Integer overflow
  • Buffer overflow
3. Encrypting a password database is an example of what category of design principle
  • It is an example of defense in depth
4. Promoting privacy is a goal that follows from which category of secure design principle
  • It is an example of trusting with reluctance because promoting privacy means sharing private information with as few software components as possible, meaning that fewer need to be trusted to protect the information
5. Suppose you are implementing an extensible data management system. You want to accommodate plug-ins that can implement storage rules and query processing functionality for different data formats (e.g., relational data, object data, XML data, etc.). Which of the following designs most takes security into account?
  • The plug-ins are implemented as separate OS processes; these processes communicate to/from the main process to handle queries/updates for the data formats they support
6. Suppose you are implementing a graphical user interface for interacting with an implementation of the RSA cryptosystem, and you want to give users a way to generate new keys. Which of the following designs most takes security into account?
  • Allow the user to use a slider to choose the number of bits, setting slider initially to point at 2048 bits. As the user moves the slider to larger or smaller values, visualize the difference in relative protective power, e.g., using a meter.
7. We identified three categories of secure design principles: prevention, mitigation, and recovery. Running each browser tab in a separate OS process (as done by the Chrome browser) is an example of which category
  • Recovery: You could argue that isolating a tab makes it easier to recover from a breach: You can easily kill the tab's process with less effect on the rest of the system (Mitigation is also a correct answer)
8. Passwords, biometrics, and user-owned SMS-receiving mobile phones are useful for what security mechanism
  • Authentication

9. When talking about computer security, what do we mean by the term, principal?
  • An actor, or role, that is the subject of a security policy: Principals can be people, computer programs, or some other entity acting in a particular role, like manager or client
10. A denial of service attack violates what security policy/goal?
  • Availability
11. What is a good defense against powers that are particular to a snooping user?
  • Using encryption: Snooping users can view the network message traffic of others interacting with a site, so encrypting that traffic limits the negative effects of snooping

12. Suppose you design software for a bank and the bank's customers may remotely log into its site using commodity PCs. These PCs might have malware on them, which could log keystrokes or read files stored on the machine. Which threat model (using terms defined in the lectures) makes the most sense for you to consider, when designing the bank's site?
  • Co-located user
13. Which of the following is a reason to make an explicit threat model when designing a system?
  • So that you avoid an incoherent defense
  • So you can defend against the most likely/costly/important attacks
  • So you can explicitly list and challenge assumptions that underlie your design
14. What is an abuse case?
  • A scenario that illustrates a potential failure in security under relevant circumstances


  1. such a great blog , thanks to the author.We also provide training in networking please visit once

  2. Great job for publishing such a beneficial web site. Your web log isn’t only useful but it is additionally really creative too. There tend to be not many people who can certainly write not so simple posts that artistically. Continue the nice writing antivirus panda

  3. I have read a few of the articles on your now, and I really like your style of blogging. I added it to my favorites blog site list and will be checking back soon. Please check out my site as well and let me know what you iris software

  4. Thanks for the post. It was very interesting and meaningful.
    Keep it up.
    7 Stages of System Development Life Cycle

  5. Nice blog, very interesting to read
    I have bookmarked this article page as i received good information from this.

    ERP Software Company in Hyderabad | Best ERP Software in Hyderabad

    Customized ERP Software in Hyderabad | ERP Hyderabad

  6. I am really thankful to the admin for sharing such a lucrative and useful blog to enhance our knowledge. The IT Company and its services like website development, software development and many other services are in demand to increase the business area.
    Website Development Company in Lucknow | Software Company in Lucknow

  7. I passed Cisco 200-125 exam earlier this morning. You know what? I just use study materials from this dumpsForsure, no other books at all! It is really helpful if you do not get much time to prepare your 200-125 exam. You should have a try. It won't let you down. Why do you want to take roundabout ways if there is a shortcut? Trust me or not. You can get 100 % Valid 200-125 dumps just on one click...

  8. Nice blog, very interesting to read
    I have bookmarked this article page as i received good information from this.

    Best ERP Software in India | ERP Software in India

    Cloud Based ERP Software in India | Low Price ERP Software in India

  9. Thank you so much for sharing a nice information with us Daynil Group Solution
    is one of the leading international web and mobile application development companies with more than 10+ years of experience and expertise in JSF, Primefaces.
    The leading IT company in India.Our Services includes software development, Responsive web design Mob app Design, Web app development, Custom software development, Robotic automation process


  10. Thank you for your post. This is excellent information. It is amazing and wonderful to visit your site.
    mobile application training in hyd
    Apple iOS Training Institutes in Hyderabad

  11. It is very useful information at my studies time, i really very impressed very well articles and worth information, i can remember

    more days that articles.

    RPA Developers Chennai
    best erp software development company in chennai
    erp in india
    erp software solutions in chennai