CS9224 INFORMATION SECURITY
PART-A
1. Short note on confidentiality and integrity.

Confidentiality is the concealment of information or resources. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.

2. Differentiate denial of receipt and denial of service.

Denial of receipt, a false denial that an entity received some information or message, is a form of deception. Suppose a customer orders an expensive product, but the vendor demands payment before shipment.

Denial of service, a long-term inhibition of service, is a form of usurpation, although it is often used with other mechanisms to deceive. The attacker prevents a server from providing a service.

3. Write the assumptions required for trusting that mechanisms work.

Trusting that mechanisms work requires several assumptions.
· Each mechanism is designed to implement one or more parts of the security policy.
· The union of the mechanisms implements all aspects of the security policy.
· The mechanisms are implemented correctly.
· The mechanisms are installed and administered correctly.

4. Short note on protection state.

The state of a system is the collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. The subset of this collection that deals with protection is the protection state of the system. An access control matrix is one tool that can describe the current protection state.

5. Write about the Principle of Attenuation of Privilege.

Principle of Attenuation of Privilege: a subject may not give rights it does not possess to another.

6. Write the types of security policies.

7. List out the types of access control.

8. Define interchange key and session key.

9. Short note on cryptographic checksum function.

The initial phase of session setup uses a public key cryptosystem to exchange keys. The messages are enciphered using a classical cipher and are checksummed using a cryptographic checksum.

10. What are RSA and HMAC?

PART-B
7. Write an overview of computer security with neat examples.

Computer security rests on confidentiality, integrity, and availability.

Confidentiality is the concealment of information or resources. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.

Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication).

Availability refers to the ability to use the information or resource desired. Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all.

8. Write about the following.

An information transfer path is a sequence of objects o_1, ..., o_{n+1} and a corresponding sequence of subjects s_1, ..., s_n such that s_i r o_i and s_i w o_{i+1} for all i, 1 i n. If there is an information transfer path from object o_1 O to object o_{n+1} O, then enforcement of the low-water-mark policy requires that i(o_{n+1}) i(o_1) for all n > 1.

The ring policy ignores the issue of indirect modification and focuses on direct modification only. This solves the problems described above. The rules are as follows.
1. Any subject may read any object, regardless of integrity levels.
2. s S can write to o O if and only if i(o) i(s).
3. s_1 S can execute s_2 S if and only if i(s_2) i(s_1).

This model is the dual of the Bell-LaPadula Model, and is most commonly called "Biba's model." Its rules are as follows.
1. s S can read o O if and only if i(s) i(o).
2. s S can write to o O if and only if i(o) i(s).
3. s_1 S can execute s_2 S if and only if i(s_2) i(s_1).

Lipner's Use of the Bell-LaPadula Model

Lipner provides two security levels, in the following order (higher to lower):

He similarly defined five categories:

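The ring policy, Biba's strict integrity rules and the low-water-mark transfer-path condition above, as an added Python example (not part of the answer key or of Bishop's text). Integrity levels are modelled as integers where a larger number means higher integrity, the comparison in each rule is taken to be "less than or equal" on those levels as Bishop states the models, and the subject and object names and levels are constructed sample data.

```python
# Added example, not from the answer key: integrity checks for the ring
# policy, Biba's strict integrity policy and the low-water-mark transfer-path
# condition. Integrity levels are modelled as integers (larger = higher
# integrity). Subject and object names and levels are constructed sample data.
from typing import Dict, List, Tuple

SUBJECT_LEVELS: Dict[str, int] = {"installer": 3, "user": 2, "guest": 1}
OBJECT_LEVELS: Dict[str, int] = {"kernel": 3, "profile": 2, "download": 1}


def ring_can_read(s: str, o: str) -> bool:
    """Ring policy rule 1: any subject may read any object."""
    return s in SUBJECT_LEVELS and o in OBJECT_LEVELS


def can_write(s: str, o: str) -> bool:
    """Ring and Biba rule 2: s may write o iff i(o) <= i(s).
    A low-integrity subject therefore cannot modify a higher-integrity object."""
    return OBJECT_LEVELS[o] <= SUBJECT_LEVELS[s]


def can_execute(s1: str, s2: str) -> bool:
    """Ring and Biba rule 3: s1 may execute s2 iff i(s2) <= i(s1)."""
    return SUBJECT_LEVELS[s2] <= SUBJECT_LEVELS[s1]


def biba_can_read(s: str, o: str) -> bool:
    """Biba rule 1 (the dual of Bell-LaPadula's simple security property):
    s may read o iff i(s) <= i(o), so a subject never reads below its level."""
    return SUBJECT_LEVELS[s] <= OBJECT_LEVELS[o]


def low_water_mark_path(path: List[Tuple[str, str, str]],
                        subject_levels: Dict[str, int] = SUBJECT_LEVELS,
                        object_levels: Dict[str, int] = OBJECT_LEVELS
                        ) -> Tuple[bool, Dict[str, int]]:
    """Simulate an information transfer path under the low-water-mark policy.

    Each step (s_i, o_i, o_{i+1}) means s_i reads o_i and then writes o_{i+1}.
    Reading lowers the subject to min(i(s_i), i(o_i)); the write is permitted
    only if i(o_{i+1}) <= i(s_i) at that point. Returns whether every write
    was permitted plus the final subject levels. Because each step forces
    i(o_{i+1}) <= i(o_i), a completed path satisfies i(o_{n+1}) <= i(o_1).
    """
    levels = dict(subject_levels)
    for s, src, dst in path:
        levels[s] = min(levels[s], object_levels[src])  # read lowers the subject
        if object_levels[dst] > levels[s]:              # write would raise data
            return False, levels
    return True, levels


if __name__ == "__main__":
    print("guest reads kernel (ring):", ring_can_read("guest", "kernel"))
    print("guest reads kernel (Biba):", biba_can_read("guest", "kernel"))
    print("guest writes kernel:", can_write("guest", "kernel"))
    ok, _ = low_water_mark_path([("user", "download", "profile")])
    print("user relays download -> profile:", ok)
```

The relay case is the one the transfer-path condition is about: once `user` reads the low-integrity `download`, its level drops to 1 and the write into `profile` (level 2) is refused, so contaminated data cannot climb.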
9. Write about key exchange and key generation.

The goal of key exchange is to enable Alice to communicate secretly to Bob, and vice versa, using a shared cryptographic key. Solutions to this problem must meet the following criteria.
1. The key that Alice and Bob are to share cannot be transmitted in the clear. Either it must be enciphered when sent, or Alice and Bob must derive it without an exchange of data from which the key can be derived. (Alice and Bob can exchange data, but a third party cannot derive the key from the data exchanged.)
2. Alice and Bob may decide to trust a third party (called "Cathy" here).
3. The cryptosystems and protocols are publicly known. The only secret data is to be the cryptographic keys involved.

Key Generation

The secrecy that cryptosystems provide resides in the selection of the cryptographic key.

10. Explain the following.

Key Generation

The secrecy that cryptosystems provide resides in the selection of the cryptographic key.
A strong mixing function is a function of two or more inputs that produces an output each bit of
· An interchange key is a cryptographic key associated with a principal to a communication.
· A session key is a cryptographic key associated with the communication itself.

PART-A

1. List out the five components of an authentication system.

1. The set A of authentication information is the set of specific information with which entities prove their identities.
2. The set C of complementary information is the set of information that the system stores and uses to validate the authentication information.
3. The set F of complementation functions that generate the complementary information from the authentication information. That is, for f F, f: A C.
4. The set L of authentication functions that verify identity. That is, for l L, l: A x C { true, false }.
5. The set S of selection functions that enable an entity to create or alter the authentication and complementary information.

2. What is a proactive password checker?

A proactive password checker is software that enforces specific restrictions on the selection of new passwords.

3. Distinguish between the authentication policy and issuance policy.

· A CA authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued.
· A CA issuance policy describes the principals to whom the CA will issue certificates.

4. Define state and cookies.

A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.

5. Explain the locks and keys technique.

The locks and keys technique combines features of access control lists and capabilities. A piece of information (the lock) is associated with the object, and a second piece of information (the key) is associated with those subjects authorized to access the object and the manner in which they are allowed to access the object.

6. Write about the confinement flow model.

The confinement flow model is a 4-tuple (I, O, confine, ) in which I = (SCI, I, joinI) is a lattice-based information flow policy; O is a set of entities; : O x O is a relation with (a, b) if and only if information can flow from a to b; and, for each a O, confine(a) is a pair (aL, aU) SCI x SCI, with aL I aU, and the interpretation that for a O, if x aU, information can flow from x to a, and if aL x, information can flow from a to x.

7. Draw the use of an SPI to check for corrupted files.

Figure: Use of an SPI to check for corrupted files.

8. Write about the covert channel.

A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.

9. Define noiseless covert channel.

A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.

10. Short note on copying and amplifying capabilities.

The ability to copy capabilities implies the ability to give rights. To prevent processes from indiscriminately giving away rights, a copy flag is associated with capabilities. A process cannot copy a capability to another process unless the copy flag is set. If the process does copy the capability, the copy flag may be turned off (at the discretion of either the process or the kernel).

PART-A (3 x 10 = 30 MARKS)
Answer any three.

ANSWER KEY
PART-A
1. Explain about state and cookies.

A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.

2. What is a security pipeline interface (SPI)?

Hoffman and Davis propose adding a processor, called a security pipeline interface (SPI), between a host and a destination. Data that the host writes to the destination first goes through the SPI, which can analyze the data, alter it, or delete it. But the SPI does not have access to the host's internal memory; it can only operate on the data being output. Furthermore, the host has no control over the SPI.

Figure: Use of an SPI to check for corrupted files.

3. Write about the rule of transitive confinement and virtual machine.

A virtual machine is a program that simulates the hardware of a (possibly abstract) computer system.

4. Differentiate between covert storage channel and noiseless covert channel.

· A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.
· A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.

5. Draw the Secure Network Server Mail Guard diagram.

6. What are the types of computer viruses?

· A boot sector infector is a virus that inserts itself into the boot sector of a disk.
· An executable infector is a virus that infects executable programs.
· A multipartite virus is one that can infect either boot sectors or applications.
· A terminate and stay resident (TSR) virus is one that stays active (resident) in memory after the application (or bootstrapping, or disk mounting) has terminated.
· Stealth viruses are viruses that conceal the infection of files.
· A polymorphic virus is a virus that changes its form each time it inserts itself into another program.

7. Define malicious logic.

Malicious logic is a set of instructions that cause a site's security policy to be violated.

8. Differentiate Trojan horse and propagating Trojan horse.

· A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.
· A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy of itself.

9. What is a computer worm and a boot sector infector?

· A computer worm is a program that copies itself from one computer to another.
· A boot sector infector is a virus that inserts itself into the boot sector of a disk.

10. List out the four steps of the Flaw Hypothesis Methodology.

1. Information gathering. In this step, the testers become familiar with the system's functioning. They examine the system's design, its implementation, its operating procedures, and its use. The testers become as familiar with the system as possible.
2. Flaw hypothesis. Drawing on the knowledge gained in the first step, and on knowledge of vulnerabilities in other systems, the testers hypothesize flaws of the system under study.
3. Flaw testing. The testers test their hypothesized flaws. If a flaw does not exist (or cannot be exploited), the testers go back to step 2. If the flaw is exploited, they proceed to the next step.
4. Flaw generalization. Once a flaw has been successfully exploited, the testers attempt to generalize the vulnerability and find others similar to it. They feed their new understanding (or new hypothesis) back into step 2 and iterate until the test is concluded.

PART-B

7. Explain about the nonlattice information flow policies.

· Denning identifies two requirements for information flow policies. Both are intuitive. Information should be able to flow freely among members of a single class, providing reflexivity.
· The confinement flow model is a 4-tuple (I, O, confine, ) in which I = (SCI, I, joinI) is a lattice-based information flow policy; O is a set of entities; : O x O is a relation with (a, b) if and only if information can flow from a to b; and, for each a O, confine(a) is a pair (aL, aU) SCI x SCI, with aL I aU, and the interpretation that for a O, if x aU, information can flow from x to a, and if aL x, information can flow from a to x.
· Transitive nonlattice information flow policies: a quasi-ordered set Q = (SQ, Q) is a set SQ and a relation Q defined on SQ such that the relation is both reflexive and transitive.
· Nontransitive information flow policies: let R = (SCR, R, joinR) represent a reflexive information flow policy. A dual mapping (lR(x), hR(x)) maps R to an ordered set P = (SP, P):
· A dual mapping from a reflexive information flow policy R to an ordered set P is order-preserving.
· Nonlattice policies can be embedded into lattices. Hence, analysis of information flows may proceed without loss of generality under the assumption that the information flow model is a lattice.

8. Overview of covert channels in confinement problems.

· A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.
· A covert timing channel is usually defined in terms of a real-time clock or a timer, but temporal relationships sometimes use neither. An ordering of events implies a time-based relationship that involves neither a real-time clock nor a timer.
· A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.

Detection of Covert Channels

Covert channels require sharing. The manner in which the resource is shared controls which subjects can send and receive information using that shared resource. Detection methods begin with this observation.
· The next step is to determine whether any of these shared resources provide covert channels. The following properties must hold for a covert storage channel to exist.
  - Both the sending and receiving processes must have access to the same attribute of a shared object.
  - The sending process must be able to modify that attribute of the shared object.
  - The receiving process must be able to reference that attribute of the shared object.
  - A mechanism for initiating both processes, and properly sequencing their respective accesses to the shared resource, must exist.
· The requirements for covert timing channels are similar to those for covert storage channels.
  - Both the sending and receiving processes must have access to the same attribute of a shared object.
  - Both the sending and receiving processes must have access to a time reference, such as a real-time clock, a timer, or the ordering of events.
  - The sending process must be able to control the timing of the detection of a change in the attribute by the receiving process.
  - A mechanism for initiating both processes, and properly sequencing their respective accesses to the shared resource, must exist.

The specific criteria are as follows.
· The value of a variable is obtained from a system call.
· A calling process can detect at least two different states of that variable.

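The storage-channel properties and the two specific criteria above, applied mechanically to a table of shared attributes, as an added Python example (not part of the answer key). The system-call table, the attribute state counts and the per-process syscall sets are all constructed sample data; the fourth property (a way to initiate and sequence both processes) cannot be decided from such a table, so the function produces candidates for manual review rather than confirmed channels.

```python
# Added example, not from the answer key: apply the first three storage-channel
# properties and the "specific criteria" to a constructed shared-resource table.
# Property 4 (initiating/sequencing both processes) is left for manual review.
from typing import Dict, List, Set, Tuple

# Constructed sample: for each system call, the attributes of shared objects it
# Modifies ("M") or References ("R"). A real system has hundreds of these.
SYSCALL_EFFECTS: Dict[str, Dict[str, str]] = {
    "create_file": {"file.exists": "M", "dir.entry_count": "M"},
    "unlink":      {"file.exists": "M", "dir.entry_count": "M"},
    "stat":        {"file.exists": "R", "file.size": "R"},
    "write":       {"file.size": "M", "disk.free_blocks": "M"},
    "statfs":      {"disk.free_blocks": "R"},
    "getpagesize": {"sys.pagesize": "R"},
    "setpagesize": {"sys.pagesize": "M"},   # constructed call, to exercise the state criterion
}

# Constructed: how many distinct states a caller can observe for each attribute.
ATTRIBUTE_STATES: Dict[str, int] = {
    "file.exists": 2, "dir.entry_count": 1000, "file.size": 1 << 20,
    "disk.free_blocks": 1 << 20, "sys.pagesize": 1,
}

# Constructed: which system calls each confined process is permitted to use.
PROCESS_SYSCALLS: Dict[str, Set[str]] = {
    "high":   {"create_file", "unlink", "write", "setpagesize"},
    "low":    {"stat", "statfs", "getpagesize"},
    "lonely": {"getpagesize"},
}


def attrs_with_access(process: str, mode: str) -> Set[str]:
    """Attributes the process can Modify (mode="M") or Reference (mode="R")
    through some system call it may invoke (criterion: value via a syscall)."""
    return {attr
            for call in PROCESS_SYSCALLS[process]
            for attr, m in SYSCALL_EFFECTS[call].items()
            if m == mode}


def storage_channel_candidates() -> List[Tuple[str, str, str]]:
    """Return (attribute, sender, receiver) triples for which
    1. both processes reach the same attribute of a shared object,
    2. the sender can modify it,
    3. the receiver can reference it,
    and the receiver can distinguish at least two states of it."""
    found = []
    for sender in PROCESS_SYSCALLS:
        modifiable = attrs_with_access(sender, "M")
        for receiver in PROCESS_SYSCALLS:
            if receiver == sender:
                continue
            shared = modifiable & attrs_with_access(receiver, "R")
            for attr in sorted(shared):
                if ATTRIBUTE_STATES[attr] >= 2:
                    found.append((attr, sender, receiver))
    return sorted(found)


if __name__ == "__main__":
    for attr, sender, receiver in storage_channel_candidates():
        print(f"candidate storage channel: {sender} -> {receiver} via {attr}")
```

In the sample table `dir.entry_count` drops out because no process in the table can reference it (property 3 fails), `sys.pagesize` drops out because only one state is observable, and nothing flows from `low` because it can modify no shared attribute at all.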
9. Explain about the vulnerability frameworks with neat examples.

The goals of a framework dictate the framework's structure. For example, if the framework is to guide the development of an attack detection tool, the focus of the framework will be on the steps needed to exploit vulnerabilities. If the framework is intended to aid the software development process, it will emphasize programming and design errors that cause vulnerabilities. Each of the following classification schemes was designed with a specific goal in mind.

The investigators classified flaws into seven general classes.
· Incomplete parameter validation
· Inconsistent parameter validation
· Implicit sharing of privileged/confidential data
· Asynchronous validation/inadequate serialization
· Inadequate identification/authentication/authorization
· Violable prohibition/limit
· Exploitable logic error

The Flaw Classes
· Incomplete parameter validation occurs when a parameter is not checked before use.
· Inconsistent parameter validation is a design flaw in which each individual routine using data checks that the data is in the proper format for that routine, but the routines require different formats.
· Inadequate identification/authorization/authentication flaws arise when a system allows a user to be erroneously identified, when one user can assume another's privilege, or when a user can trick the system (or another user) into executing a program without authorization.
· Exploitable logic error flaws encompass problems not falling into any of the other classes; examples include incorrect error handling, unexpected side effects of instructions, and incorrect allocation of resources.

Aslam's Model
- The Flaw Classes
- Legacy

Comparison and Analysis
- The xterm Log File Flaw
- The fingerd Buffer Overflow Flaw

10. Explain about Gupta and Gligor's theory of penetration analysis.

Gupta and Gligor make two hypotheses.
· Hypothesis of Penetration Patterns. "[S]ystem flaws that cause a large class of penetration patterns can be identified in system (i.e., TCB) source code as incorrect/absent condition checks or integrated flows that violate the intentions of the system designers."
· Hypothesis of Penetration-Resistant Systems. "[A] system (i.e., TCB) is largely resistant to penetration if it adheres to a specific set of design properties."

Gupta and Gligor select and formalize several properties, and from those properties derive checks to determine if the system correctly obeys them.
· System isolation or tamperproofness, which states that users must not be able to tamper with the system. This encompasses parameter checking at the system boundary, separation of user and system addresses, and allowing entry to the system only at well-defined gates at which parameters and privileges can be validated.
· System noncircumventability, which states that the system must check all references to objects.
· Consistency of global objects belonging to the system, with respect to both timing and storage.
· Elimination of undesirable system and user dependencies, which usually refers to prevention of denial-of-service attacks.

ANSWER KEY
PART-A

1. Differentiate between authentication policy and issuance policy.

· A CA authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued.
· A CA issuance policy describes the principals to whom the CA will issue certificates.

2. What is a threshold scheme?

A (t, n)-threshold scheme is a cryptographic scheme in which a datum is divided into n parts, any t of which are sufficient to determine the original datum. The n parts are called shadows.

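Shamir's construction, one standard instance of the (t, n)-threshold scheme defined above, as an added Python example (not part of the answer key). The datum is an integer secret, the n shadows are points on a random polynomial of degree t - 1 over the prime field GF(p), and any t shadows recover the secret by Lagrange interpolation at x = 0. The prime, the secret and the parameters used in the usage section are constructed sample values.

```python
# Added example, not from the answer key: Shamir's (t, n)-threshold scheme over
# GF(p). Any t shadows determine the datum; any t-1 shadows are consistent with
# every possible datum, so they reveal nothing about it.
import secrets
from typing import List, Tuple

PRIME = 2**127 - 1   # constructed choice of field; the secret must be < PRIME


def split_secret(secret: int, t: int, n: int, p: int = PRIME) -> List[Tuple[int, int]]:
    """Divide `secret` into n shadows (x, f(x)), any t of which determine it."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < p:
        raise ValueError("secret must lie in [0, p)")
    # Random polynomial f(x) = secret + a_1 x + ... + a_{t-1} x^{t-1} (mod p).
    coeffs = [secret] + [secrets.randbelow(p) for _ in range(t - 1)]
    shadows = []
    for x in range(1, n + 1):          # x = 0 is never issued: f(0) is the secret
        y = 0
        for a in reversed(coeffs):     # Horner's rule
            y = (y * x + a) % p
        shadows.append((x, y))
    return shadows


def recover_secret(shadows: List[Tuple[int, int]], p: int = PRIME) -> int:
    """Reconstruct f(0) from any t (or more) distinct shadows by Lagrange
    interpolation. With fewer than t shadows the result is simply some field
    element unrelated to the secret; nothing signals that it is wrong."""
    xs = [x for x, _ in shadows]
    if len(set(xs)) != len(xs):
        raise ValueError("shadows must have distinct x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(shadows):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shadows):
            if i != j:
                num = (num * (-xj)) % p          # numerator of L_i(0)
                den = (den * (xi - xj)) % p      # denominator of L_i(0)
        total = (total + yi * num * pow(den, -1, p)) % p
    return total


if __name__ == "__main__":
    datum = 123456789                  # constructed sample secret
    parts = split_secret(datum, t=3, n=5)
    print("recovered from 3 of 5:", recover_secret(parts[:3]) == datum)
    print("2 of 5 give the datum:", recover_secret(parts[:2]) == datum)
```

The two checks in the usage section are the whole point of a threshold scheme: three shadows reconstruct the datum exactly, while two produce an unrelated value, and no extra check is needed to stop an under-threshold group from learning anything.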
3. Write about the confinement problem and covert channel.

Access control affects the function of the server in two ways.
· The server must ensure that the resources it accesses on behalf of the client include only those resources that the client is authorized to access.
· The server must ensure that it does not reveal the client's data to any other entity not authorized to see the client's data.

A covert channel is a path of communication that was not designed to be used for communication.

4. What is a sandbox?

A sandbox is an environment in which the actions of a process are restricted according to a security policy.

5. Write the concept of Fenton's Data Mark Machine.

· Fenton created an abstract machine called the Data Mark Machine to study handling of implicit flows at execution time. Each variable in this machine had an associated security class, or tag. Fenton also included a tag for the program counter (PC).
· Fenton defined five instructions. The relationships between execution of the instructions and the classes of the variables are as follows.

The increment instruction
x := x + 1
is equivalent to
if PC x then x := x + 1; else skip

6. Differentiate between Trojan horse and propagating Trojan horse.

· A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.
· A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy of itself.

7. Define logging and auditing.

· Logging is the recording of events or statistics to provide information about system use and performance.
· Auditing is the analysis of log records to present information about the system in a clear and understandable manner.

8. Short note on intrusion principles.

Computer systems that are not under attack exhibit several characteristics.
· The actions of users and processes generally conform to a statistically predictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function.
· The actions of users and processes do not include sequences of commands to subvert the security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected.
· The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do).

9. Write about autonomous agents: AAFID.

· An autonomous agent is a process that can act independently of the system of which it is a part.

10. List out the layering model suggested for a penetration study.

· External attacker with no knowledge of the system. At this level, the testers know that the target system exists and have enough information to identify it once they reach it.
· External attacker with access to the system. At this level, the testers have access to the system and can proceed to log in or to invoke network services available to all hosts on the network (such as electronic mail).
· Internal attacker with access to the system. At this level, the testers have an account on the system and can act as authorized users of the system.

PART-B

7. Write an overview of the principles of secure design with examples.

· The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task.
· The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object.
· The principle of economy of mechanism states that security mechanisms should be as simple as possible.
· The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed.
· The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation.
· The principle of separation of privilege states that a system should not grant permission based on a single condition.
· The principle of least common mechanism states that mechanisms used to access resources should not be shared.
· The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.

8. Explain about the compiler-based mechanisms.

· A set of statements is certified with respect to an information flow policy if the information flow within that set of statements does not violate the policy. For example,
x: integer class { A, B }

Program Statements

A program consists of several types of statements. Typically, they are
· Assignment statements
· Compound statements
· Conditional statements
· Iterative statements
· Goto statements
· Procedure calls
· Function calls
· Input/output statements.

Assignment Statements

An assignment statement has the form
y := f(x_1, ..., x_n)
where y and x_1, ..., x_n are variables and f is some function of those variables. Information flows from each of the x_i to y. Hence, the requirement for the information flow to be secure is
lub{x_1, ..., x_n} y

Compound Statements

A compound statement has the form
begin
S_1;
...
S_n;
end;

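A certifier for the assignment and compound statement rules above, as an added Python example (not part of the answer key). Security classes are modelled as sets of labels, so that lub is set union, the ordering is the subset relation and, matching the declaration "x: integer class { A, B }" in the text, a class is written as a set of names; the declarations and statements are constructed sample data. The example goes one step beyond the text by also applying the conditional-statement rule from the same compiler-based approach (the lub of the condition's variables must lie below the glb, here set intersection, of every variable assigned in either branch), which is what catches implicit flows.

```python
# Added example, not from the answer key: certify statements against a
# lattice-based information flow policy. Classes are sets of labels:
# lub = union, glb = intersection, "<=" = subset. Statements are tuples:
#   ("assign", y, [x1, ..., xn])          y := f(x1, ..., xn)
#   ("begin", [S1, ..., Sn])              begin S1; ...; Sn; end
#   ("if", [x1, ..., xn], then_stmts, else_stmts)
from typing import Dict, FrozenSet, Iterable, List

SecClass = FrozenSet[str]

# Constructed declarations in the style of "x: integer class { A, B }".
DECLS: Dict[str, SecClass] = {
    "x": frozenset({"A", "B"}),
    "y": frozenset({"A"}),
    "z": frozenset({"A", "B", "C"}),
    "w": frozenset(),            # bottom of the lattice: public data
}


def lub(classes: Iterable[SecClass]) -> SecClass:
    """Least upper bound; the empty family gives the bottom class."""
    return frozenset().union(*classes)


def glb(classes: Iterable[SecClass]) -> SecClass:
    """Greatest lower bound of a non-empty family of classes."""
    return frozenset.intersection(*classes)


def assigned_targets(stmts: List[tuple]) -> List[str]:
    """Variables assigned anywhere inside stmts, including nested blocks."""
    out: List[str] = []
    for s in stmts:
        if s[0] == "assign":
            out.append(s[1])
        elif s[0] == "begin":
            out.extend(assigned_targets(s[1]))
        elif s[0] == "if":
            out.extend(assigned_targets(s[2]))
            out.extend(assigned_targets(s[3]))
    return out


def certify(stmt: tuple, decls: Dict[str, SecClass] = DECLS) -> bool:
    """True iff every information flow inside stmt obeys the policy."""
    kind = stmt[0]
    if kind == "assign":
        # Rule from the text: lub{x1, ..., xn} <= class(y).
        _, y, xs = stmt
        return lub(decls[x] for x in xs) <= decls[y]
    if kind == "begin":
        # A compound statement is certified iff each S_i is certified.
        return all(certify(s, decls) for s in stmt[1])
    if kind == "if":
        # Extension: branches certified, and the condition's lub must be
        # below the glb of everything either branch assigns (implicit flow).
        _, xs, then_s, else_s = stmt
        branches_ok = all(certify(s, decls) for s in then_s + else_s)
        targets = assigned_targets(then_s) + assigned_targets(else_s)
        if not targets:
            return branches_ok
        return branches_ok and lub(decls[x] for x in xs) <= glb(decls[t] for t in targets)
    raise ValueError(f"unknown statement kind {kind!r}")


if __name__ == "__main__":
    print(certify(("assign", "z", ["x", "y"])))                        # True
    print(certify(("assign", "y", ["x"])))                             # False: {A,B} flows to {A}
    print(certify(("if", ["x"], [("assign", "y", ["w"])], [])))        # False: implicit flow x -> y
```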
9. Write about computer viruses and several types of computer viruses.

A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.
· A boot sector infector is a virus that inserts itself into the boot sector of a disk.
· An executable infector is a virus that infects executable programs.
· A multipartite virus is one that can infect either boot sectors or applications.
· A terminate and stay resident (TSR) virus is one that stays active (resident) in memory after the application (or bootstrapping, or disk mounting) has terminated.
· Stealth viruses are viruses that conceal the infection of files.
· A polymorphic virus is a virus that changes its form each time it inserts itself into another program.

10. Explain the following.

a) Anatomy of an Auditing System. (5)

· Logging is the recording of events or statistics to provide information about system use and performance.
· Auditing is the analysis of log records to present information about the system in a clear and understandable manner.
· Logger: logging mechanisms record information. The type and quantity of information are dictated by system or program configuration parameters. The mechanisms may record information in binary or human-readable form or transmit it directly to an analysis mechanism.
· Analyzer: an analyzer takes a log as input and analyzes it. The results of the analysis may lead to changes in the data being recorded, to detection of some event or problem, or both.
· Notifier: the analyzer passes the results of the analysis to the notifier. The notifier informs the analyst, and other entities, of the results of the audit. The entities may take some action in response to these results.
· An anonymizing sanitizer deletes information in such a way that it cannot be reconstructed by either the recipient or the originator of the data in the log. A pseudonymizing sanitizer deletes information in such a way that the originator of the log can reconstruct the deleted information.
· A state-based logging mechanism records information about a system's state. A state-based auditing mechanism determines whether or not a state of the system is unauthorized.
· A transition-based logging mechanism records information about an action on a system. A transition-based auditing mechanism examines the current state of the system and the proposed transition (command) to determine if the result will place the system in an unauthorized state.

b) Intrusion detection architecture. (5)

Architecture of an intrusion detection system.

Agent
An agent obtains information from a data source (or set of data sources).

Host-Based Information Gathering
Host-based agents usually use system and application logs to obtain records of events, and analyze them to determine what to pass to the director. The events to look for, and to analyze, are determined by the goals of the intrusion detection mechanism.

Combining Sources
The goal of an agent is to provide the director with information so that the director can report possible violations of the security policy (intrusions). An aggregate of information is needed. However, the information can be viewed at several levels.

Director
The director itself reduces the incoming log entries to eliminate unnecessary and redundant records. It then uses an analysis engine to determine if an attack (or the precursor to an attack) is underway. The analysis engine may use any of, or a mixture of, several techniques to perform its analysis.

Notifier
The notifier accepts information from the director and takes the appropriate action. In some cases, this is simply a notification to the system security officer that an attack is believed to be underway. In other cases, the notifier may take some action to respond to the attack.

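The two kinds of sanitizer from part (a) above, applied to constructed login records, as an added Python example (not part of the answer key). The pseudonymizing sanitizer keeps a private table so that the log's originator can reconstruct the original values, and because the same value always maps to the same token the analyzer can still correlate records; the anonymizing sanitizer keeps no table, so neither recipient nor originator can recover anything. The log format and its field names are hypothetical.

```python
# Added example, not from the answer key: anonymizing vs. pseudonymizing
# sanitizers over constructed "key=value" log lines, plus a small analyzer
# step showing what each sanitizer leaves usable.
import re
from typing import Dict, List, Tuple

# Constructed sample log lines in a hypothetical format.
LOG: List[str] = [
    "2024-03-01T08:00:01 login user=alice src=10.0.0.5 result=ok",
    "2024-03-01T08:00:07 login user=bob src=10.0.0.9 result=fail",
    "2024-03-01T08:00:12 login user=alice src=10.0.0.5 result=fail",
]

# Fields that identify a person or host and therefore get sanitized.
FIELD_RE = re.compile(r"\b(user|src)=(\S+)")


class PseudonymizingSanitizer:
    """Replaces identifying fields with stable tokens and keeps the mapping
    needed to reverse them. Only the log's originator should hold an instance;
    the recipient gets the sanitized lines and never the table."""

    def __init__(self) -> None:
        self._forward: Dict[Tuple[str, str], str] = {}   # (field, value) -> token
        self._reverse: Dict[str, str] = {}               # token -> value

    def _token(self, field: str, value: str) -> str:
        key = (field, value)
        if key not in self._forward:
            n = sum(1 for f, _ in self._forward if f == field) + 1
            token = f"{field}-{n}"
            self._forward[key] = token
            self._reverse[token] = value
        return self._forward[key]

    def sanitize(self, line: str) -> str:
        return FIELD_RE.sub(
            lambda m: f"{m.group(1)}={self._token(m.group(1), m.group(2))}", line)

    def reconstruct(self, token: str) -> str:
        """Originator-only operation: recover the value behind a token."""
        return self._reverse[token]


def anonymize(line: str) -> str:
    """Deletes identifying fields irreversibly: the value is discarded and no
    mapping is kept, so nobody can reconstruct it afterwards."""
    return FIELD_RE.sub(lambda m: f"{m.group(1)}=<removed>", line)


def failed_logins_per_user(lines: List[str]) -> Dict[str, int]:
    """An analyzer step: count failed logins per user. It still works on
    pseudonymized input (tokens are consistent) but collapses on anonymized
    input, where every user looks the same."""
    counts: Dict[str, int] = {}
    for line in lines:
        if line.endswith("result=fail"):
            m = re.search(r"user=(\S+)", line)
            if m:
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    sanitizer = PseudonymizingSanitizer()
    pseudo = [sanitizer.sanitize(line) for line in LOG]
    anon = [anonymize(line) for line in LOG]
    print("pseudonymized:", failed_logins_per_user(pseudo))
    print("anonymized:   ", failed_logins_per_user(anon))
    print("originator recovers user-1 ->", sanitizer.reconstruct("user-1"))
```

The analyzer output is the design point: the pseudonymized log still shows one failure each for two distinct users, while the anonymized log only shows two failures for "someone", and only the holder of the sanitizer's table can turn `user-1` back into a name.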