Software Security - Attack

1. VSFTPD forks a new process to handle each client connection. It could have, instead, spawned a thread within the main process to handle each connection, as is done in many servers. How would this alternative design compare to the original

• It would be less secure because a compromise by a malicious client in one thread could (more easily) access data used by another client's thread, since they share the same address space

2. Which of the following vulnerabilities can VSFTPD's secure string library help protect against?

• Integer overflow
• Buffer overflow

3. Encrypting a password database is an example of what category of design principle

• It is an example of defense in depth

4. Promoting privacy is a goal that follows from which category of secure design principle

• It is an example of trusting with reluctance because promoting privacy means sharing private information with as few software components as possible, meaning that fewer need to be trusted to protect the information

5. Suppose you are implementing an extensible data management system. You want to accommodate plug-ins that can implement storage rules and query processing functionality for different data formats (e.g., relational data, object data, XML data, etc.). Which of the following designs most takes security into account?

• The plug-ins are implemented as separate OS processes; these processes communicate to/from the main process to handle queries/updates for the data formats they support

6. Suppose you are implementing a graphical user interface for interacting with an implementation of the RSA cryptosystem, and you want to give users a way to generate new keys. Which of the following designs most takes security into account?

• Allow the user to use a slider to choose the number of bits, setting slider initially to point at 2048 bits. As the user moves the slider to larger or smaller values, visualize the difference in relative protective power, e.g., using a meter.

7. We identified three categories of secure design principles: prevention, mitigation, and recovery. Running each browser tab in a separate OS process (as done by the Chrome browser) is an example of which category

• Recovery: You could argue that isolating a tab makes it easier to recover from a breach: You can easily kill the tab's process with less effect on the rest of the system (Mitigation is also a correct answer)

8. Passwords, biometrics, and user-owned SMS-receiving mobile phones are useful for what security mechanism

• Authentication

9. When talking about computer security, what do we mean by the term, principal?

• An actor, or role, that is the subject of a security policy: Principals can be people, computer programs, or some other entity acting in a particular role, like manager or client

10. A denial of service attack violates what security policy/goal?

• Availability

11. What is a good defense against powers that are particular to a snooping user?

• Using encryption: Snooping users can view the network message traffic of others interacting with a site, so encrypting that traffic limits the negative effects of snooping

 

12. Suppose you design software for a bank and the bank's customers may remotely log into its site using commodity PCs. These PCs might have malware on them, which could log keystrokes or read files stored on the machine. Which threat model (using terms defined in the lectures) makes the most sense for you to consider, when designing the bank's site?

• Co-located user

13. Which of the following is a reason to make an explicit threat model when designing a system?

• So that you avoid an incoherent defense
• So you can defend against the most likely/costly/important attacks
• So you can explicitly list and challenge assumptions that underlie your design

14. What is an abuse case?

• A scenario that illustrates a potential failure in security under relevant circumstances