Wednesday 15 May 2013

CS9224 INFORMATION SECURITY IMPORTANT QUESTIONS WITH ANSWERS



PART-A

1.
Short note on confidentiality and integrity.

            Confidentiality is the concealment of information or resources. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.
             Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change.
             Integrity mechanisms fall into two classes: prevention mechanisms and detection mechanisms.

2.
Differentiate Denial of receipt and Denial of service.

             Denial of receipt, a false denial that an entity received some information or message, is a form of deception. Suppose a customer orders an expensive product, but the vendor demands payment before shipment.
            Denial of service, a long-term inhibition of service, is a form of usurpation, although it is often used with other mechanisms to deceive. The attacker prevents a server from providing a service.

3.
Write the assumptions required for trusting that mechanisms work.

 Trusting that mechanisms work requires several assumptions.
  • Each mechanism is designed to implement one or more parts of the security policy.
  • The union of the mechanisms implements all aspects of the security policy.
  • The mechanisms are implemented correctly.
  • The mechanisms are installed and administered correctly.
4.
Short note on Protection State.

             The state of a system is the collection of the current values of all memory locations, all secondary storage, and all registers and other components of the system. The subset of this collection that deals with protection is the protection state of the system. An access control matrix is one tool that can describe the current protection state.

5.
Write about Principle of Attenuation of Privilege.

            Principle of Attenuation of Privilege. A subject may not give rights it does not possess to another.

6.
Write the types of Security Policies.

  • A military security policy (also called a governmental security policy) is a security policy developed primarily to provide confidentiality.
  • A commercial security policy is a security policy developed primarily to provide integrity.
  • A confidentiality policy is a security policy dealing only with confidentiality.
  • An integrity policy is a security policy dealing only with integrity.

7.
List out the Types of Access Control.

  • If an individual user can set an access control mechanism to allow or deny access to an object, that mechanism is a discretionary access control (DAC), also called an identity-based access control (IBAC).
  • When a system mechanism controls access to an object and an individual user cannot alter that access, the control is a mandatory access control (MAC), occasionally called a rule-based access control.
  • An originator controlled access control (ORCON or ORGCON) bases access on the creator of an object (or the information it contains).

8.
Define interchange key and session key.

  • An interchange key is a cryptographic key associated with a principal to a communication.
  • A session key is a cryptographic key associated with the communication itself.

9.
Short note on cryptographic checksum function.

          The initial phase of session setup uses a public key cryptosystem to exchange keys. The messages are enciphered using a classical cipher and are checksummed using a cryptographic checksum.



10.
What is RSA and HMAC?

  • RSA is an exponentiation cipher. Choose two large prime numbers p and q, and let n = pq. The totient φ(n) of n is the number of numbers less than n with no factors in common with n.
  • HMAC is a generic term for an algorithm that uses a keyless hash function and a cryptographic key to produce a keyed hash function. This mechanism enables Alice to validate that data Bob sent to her is unchanged in transit.
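As an added example (not from the page or the textbook it summarizes), the Python below works through both definitions: it builds a toy RSA key pair from two small constructed primes, confirms that φ(n) obtained by counting matches (p − 1)(q − 1), and then uses HMAC-SHA256 so that Alice can check that data Bob sent arrived unchanged. The primes 61 and 53, the exponent 17, the message and the key bytes are constructed values; the primes are far too small for real use.

```python
import hashlib
import hmac
from math import gcd

# Constructed toy primes: small enough to follow by hand, far too small for real use.
P, Q = 61, 53


def totient_by_counting(n):
    """phi(n) exactly as the answer defines it: how many k in 1..n-1 share no factor with n."""
    return sum(1 for k in range(1, n) if gcd(k, n) == 1)


def rsa_keygen(p, q, e=17):
    """Return (n, e, d). For n = pq, phi(n) = (p-1)(q-1), and d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def rsa_encrypt(m, n, e):
    """Exponentiation cipher: c = m^e mod n (textbook RSA, no padding)."""
    return pow(m, e, n)


def rsa_decrypt(c, n, d):
    """m = c^d mod n."""
    return pow(c, d, n)


def hmac_tag(key, data):
    """Keyed hash built from a keyless hash (SHA-256) and a secret key."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(key, data, tag):
    """Alice recomputes the tag and compares in constant time; False means the data or key differs."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


if __name__ == "__main__":
    n, e, d = rsa_keygen(P, Q)
    print("n =", n, "phi(n) =", totient_by_counting(n), "d =", d)
    c = rsa_encrypt(65, n, e)
    print("65 ->", c, "->", rsa_decrypt(c, n, d))

    key = b"constructed-shared-key"        # constructed value
    msg = b"transfer 100 to account 42"    # constructed value
    tag = hmac_tag(key, msg)
    print("unchanged verifies:", hmac_verify(key, msg, tag))
    print("tampered verifies:", hmac_verify(key, b"transfer 900 to account 42", tag))
```

The counting loop is only there to tie the code to the definition in the answer; real implementations compute φ(n) from the factorization, which is exactly why the factorization must stay secret.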

PART-B


7.
Write an Overview of Computer Security with neat examples.
        Computer security rests on confidentiality, integrity, and availability.

        Confidentiality is the concealment of information or resources. The need for keeping information secret arises from the use of computers in sensitive fields such as government and industry.

         Integrity refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity (the content of the information) and origin integrity (the source of the data, often called authentication).

        Availability refers to the ability to use the information or resource desired. Availability is an important aspect of reliability as well as of system design because an unavailable system is at least as bad as no system at all.

8.
Write about the following
  1. Biba Integrity Model.
  2. Lipner's Integrity Matrix Model.

An information transfer path is a sequence of objects o1, ..., on+1 and a corresponding sequence of subjects s1, ..., sn such that si r oi and si w oi+1 for all i, 1 ≤ i ≤ n.

If there is an information transfer path from object o1 ∈ O to object on+1 ∈ O, then enforcement of the low-water-mark policy requires that i(on+1) ≤ i(o1) for all n > 1.
The ring policy ignores the issue of indirect modification and focuses on direct modification only. This solves the problems described above. The rules are as follows.
1.    Any subject may read any object, regardless of integrity levels.
2.    s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
3.    s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).
This model is the dual of the Bell-LaPadula Model, and is most commonly called "Biba's model." Its rules are as follows.
1.    s ∈ S can read o ∈ O if and only if i(s) ≤ i(o).
2.    s ∈ S can write to o ∈ O if and only if i(o) ≤ i(s).
3.    s1 ∈ S can execute s2 ∈ S if and only if i(s2) ≤ i(s1).
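As an added illustration (not from the page or the textbook), the Python below encodes the three policies in this answer: the ring policy and the strict integrity policy as predicates over integrity levels, and the low-water-mark policy as a simulation of an information transfer path, which shows why i(on+1) ≤ i(o1) must hold once reads pull a subject's level down. The level names, subject and object names and the sample path are constructed.

```python
# Integrity levels as integers: larger means more trustworthy (constructed ordering).
UNTRUSTED, USER, SYSTEM = 0, 1, 2


class IntegrityPolicy:
    """Subjects and objects map to integrity levels i(s) and i(o)."""

    def __init__(self, subjects, objects):
        self.i = {**subjects, **objects}

    # Ring policy: reads are unrestricted, only direct modification is controlled.
    def ring_read(self, s, o):
        return True

    def ring_write(self, s, o):
        return self.i[o] <= self.i[s]

    # Strict integrity (Biba's model): reading down is forbidden as well.
    def strict_read(self, s, o):
        return self.i[s] <= self.i[o]

    def strict_write(self, s, o):
        return self.i[o] <= self.i[s]

    # Shared by both policies: a subject may only invoke subjects of no higher integrity.
    def execute(self, s1, s2):
        return self.i[s2] <= self.i[s1]


def low_water_mark_transfer(subject_levels, object_levels, path):
    """Simulate an information transfer path o1, ..., on+1 through subjects s1, ..., sn.

    path is a list of (s_i, o_i, o_i+1) triples. Each s_i reads o_i, which lowers
    i(s_i) to min(i(s_i), i(o_i)), then writes o_i+1, which is permitted only if
    i(o_i+1) <= i(s_i). Returns (completed, final subject levels). Because every
    permitted write satisfies i(o_i+1) <= i(s_i) <= i(o_i), a completed path always
    ends with i(on+1) <= i(o1).
    """
    subj = dict(subject_levels)
    obj = dict(object_levels)
    for s, o_in, o_out in path:
        subj[s] = min(subj[s], obj[o_in])   # low-water-mark: reading pulls the subject down
        if not obj[o_out] <= subj[s]:       # write rule refuses to contaminate a higher object
            return False, subj
    return True, subj


if __name__ == "__main__":
    p = IntegrityPolicy({"editor": USER, "daemon": SYSTEM},
                        {"log": SYSTEM, "upload": UNTRUSTED})
    print("editor reads log under strict integrity:", p.strict_read("editor", "log"))
    print("editor reads upload under strict integrity:", p.strict_read("editor", "upload"))
    print("editor writes log under ring policy:", p.ring_write("editor", "log"))
    ok, levels = low_water_mark_transfer(
        {"s1": SYSTEM, "s2": SYSTEM},
        {"o1": SYSTEM, "o2": USER, "o3": UNTRUSTED},
        [("s1", "o1", "o2"), ("s2", "o2", "o3")])
    print("path completed:", ok, "final subject levels:", levels)
```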
Lipner's Use of the Bell-LaPadula Model
Lipner provides two security levels, in the following order (higher to lower):
  • Audit Manager (AM): system audit and management functions are at this level.
  • System Low (SL): any process can read information at this level.
He similarly defined five categories:
  • Development (D): production programs under development and testing, but not yet in production use
  • Production Code (PC): production processes and programs
  • Production Data (PD): data covered by the integrity policy
  • System Development (SD): system programs under development, but not yet in production use
  • Software Tools (T): programs provided on the production system not related to the sensitive or protected data
9.
Write about the Key Exchange and key generation.
The goal of key exchange is to enable Alice to communicate secretly to Bob, and vice versa, using a shared cryptographic key. Solutions to this problem must meet the following criteria.
1.    The key that Alice and Bob are to share cannot be transmitted in the clear. Either it must be enciphered when sent, or Alice and Bob must derive it without an exchange of data from which the key can be derived. (Alice and Bob can exchange data, but a third party cannot derive the key from the data exchanged.)
2.    Alice and Bob may decide to trust a third party (called "Cathy" here).
3.    The cryptosystems and protocols are publicly known. The only secret data is to be the cryptographic keys involved.

Key Generation

The secrecy that cryptosystems provide resides in the selection of the cryptographic key.
  • A sequence of cryptographically random numbers is a sequence of numbers n1, n2, ... such that for any positive integer k, an observer cannot predict nk even if n1, ..., nk–1 are known.
  • A sequence of cryptographically pseudorandom numbers is a sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm.
  • A strong mixing function is a function of two or more inputs that produces an output each bit of which depends on some nonlinear function of all the bits of the input.



10.
Explain the following
  1. Key Generation.

Key Generation

The secrecy that cryptosystems provide resides in the selection of the cryptographic key.
  • A sequence of cryptographically random numbers is a sequence of numbers n1, n2, ... such that for any positive integer k, an observer cannot predict nk even if n1, ..., nk–1 are known.
  • A sequence of cryptographically pseudorandom numbers is a sequence of numbers intended to simulate a sequence of cryptographically random numbers but generated by an algorithm.
  • A strong mixing function is a function of two or more inputs that produces an output each bit of which depends on some nonlinear function of all the bits of the input.
  2. Session and Interchange Keys.
  • An interchange key is a cryptographic key associated with a principal to a communication.
  • A session key is a cryptographic key associated with the communication itself.



PART-A


1.
List out the five components of an authentication system.

1.    The set A of authentication information is the set of specific information with which entities prove their identities.
2.    The set C of complementary information is the set of information that the system stores and uses to validate the authentication information.
3.    The set F of complementation functions that generate the complementary information from the authentication information. That is, for f ∈ F, f: A → C.
4.    The set L of authentication functions that verify identity. That is, for l ∈ L, l: A × C → { true, false }.
5.    The set S of selection functions that enable an entity to create or alter the authentication and complementary information.
2.
What is proactive password checker?

A proactive password checker is software that enforces specific restrictions on the selection of new passwords.
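Added example (not from the page or the textbook): a minimal password-based authentication system in Python laid out along the five components listed in question 1, with the selection function S running a proactive password checker before anything is stored. The checker's rules (a 12-character minimum, a constructed deny list, no user name inside the password, at least three character classes) and the PBKDF2 parameters are assumptions chosen for illustration, not requirements stated on the page.

```python
import hashlib
import hmac
import os

# Constructed deny list standing in for a real dictionary of weak passwords.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}


def proactive_check(username, password):
    """Proactive password checker: returns (accepted, reason) before a password is ever stored."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if password.lower() in WEAK_PASSWORDS:
        return False, "in the weak-password list"
    if username.lower() in password.lower():
        return False, "contains the user name"
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        return False, "fewer than three character classes"
    return True, "accepted"


def complement(password, salt):
    """f in F: A -> C. Maps authentication information (the password) to what the system stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthSystem:
    def __init__(self):
        # username -> (salt, complementary information): the system's set C
        self.store = {}

    def select(self, username, password):
        """s in S: lets an entity create or alter its authentication and complementary information."""
        ok, reason = proactive_check(username, password)
        if not ok:
            return False, reason
        salt = os.urandom(16)
        self.store[username] = (salt, complement(password, salt))
        return True, reason

    def authenticate(self, username, password):
        """l in L: A x C -> {true, false}."""
        record = self.store.get(username)
        if record is None:
            complement(password, bytes(16))  # burn the same work so timing does not reveal unknown users
            return False
        salt, stored = record
        return hmac.compare_digest(complement(password, salt), stored)


if __name__ == "__main__":
    auth = AuthSystem()
    print(auth.select("alice", "password"))                  # rejected by the checker
    print(auth.select("alice", "Correct-Horse-Battery-9"))   # accepted and stored
    print(auth.authenticate("alice", "Correct-Horse-Battery-9"))
    print(auth.authenticate("alice", "correct-horse-battery-9"))
```

Only the salted PBKDF2 output (the complementary information) is kept, so the set A itself never rests on disk; the checker sits in S because that is the one point where the user's choice can still be refused.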

3.
Distinguish between the authentication policy and issuance policy.

  • A CA authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued.
  • A CA issuance policy describes the principals to whom the CA will issue certificates.
4.
Define the State and Cookies
        A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.

5.
Explain about the locks and keys technique.
The locks and keys technique combines features of access control lists and capabilities. A piece of information (the lock) is associated with the object and a second piece of information (the key) is associated with those subjects authorized to access the object and the manner in which they are allowed to access the object.
6.
Write about the Confinement Flow Model

                    The confinement flow model is a 4-tuple (I, O, confine, →) in which I = (SCI, ≤I, joinI) is a lattice-based information flow policy; O is a set of entities; →: O × O is a relation with (a, b) ∈ → if and only if information can flow from a to b; and, for each a ∈ O, confine(a) is a pair (aL, aU) ∈ SCI × SCI, with aL ≤I aU, and the interpretation that for a ∈ O, if x ≤ aU, information can flow from x to a, and if aL ≤ x, information can flow from a to x.
7.
Draw the use of an SPI to check for corrupted files.

Figure: Use of an SPI to check for corrupted files.
8.
Write the covert channel

A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.
9.
Define noiseless covert channel

A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.
10.
Short note on Copying and Amplifying Capabilities

The ability to copy capabilities implies the ability to give rights. To prevent processes from indiscriminately giving away rights, a copy flag is associated with capabilities. A process cannot copy a capability to another process unless the copy flag is set. If the process does copy the capability, the copy flag may be turned off (at the discretion of either the process or the kernel).
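As an added example (not from the page or the textbook), the Python below models capabilities with a copy flag and enforces both rules the page states: a capability can be copied only when its flag is set, and, by the principle of attenuation of privilege from question 5 of the first Part-A, a process can pass on only rights it already holds. Whether the kernel clears the flag on the copy is modelled as a parameter. Process names, the object name and the rights are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    obj: str
    rights: frozenset
    copy_flag: bool


class Process:
    def __init__(self, name):
        self.name = name
        self.caps = {}  # object name -> Capability held by this process

    def can(self, obj, right):
        cap = self.caps.get(obj)
        return cap is not None and right in cap.rights

    def give(self, target, obj, rights, kernel_clears_flag=True):
        """Copy this process's capability for obj to target, restricted to the given rights.

        Two checks enforce the principles in the text:
          * copy flag: the capability may be copied only if its copy flag is set;
          * attenuation of privilege: the rights given must be a subset of those held.
        Returns (ok, reason). The copy's flag is cleared unless the kernel policy leaves it on.
        """
        cap = self.caps.get(obj)
        rights = frozenset(rights)
        if cap is None:
            return False, f"{self.name} holds no capability for {obj}"
        if not cap.copy_flag:
            return False, f"copy flag not set on {self.name}'s capability for {obj}"
        if not rights <= cap.rights:
            missing = sorted(rights - cap.rights)
            return False, f"attenuation of privilege: {self.name} does not hold {missing}"
        target.caps[obj] = Capability(obj, rights, copy_flag=not kernel_clears_flag)
        return True, "copied"


def initial_capability(proc, obj, rights):
    """The kernel hands out the original capability with its copy flag set."""
    proc.caps[obj] = Capability(obj, frozenset(rights), copy_flag=True)


if __name__ == "__main__":
    owner, worker, third = Process("owner"), Process("worker"), Process("third")
    initial_capability(owner, "report.txt", {"read", "write"})
    print(owner.give(worker, "report.txt", {"read"}))             # allowed, flag cleared on copy
    print(worker.give(third, "report.txt", {"read"}))             # refused: no copy flag
    print(owner.give(third, "report.txt", {"read", "execute"}))   # refused: attenuation
```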

PART-A (3 x 10 = 30 MARKS)

ANSWER ANY THREE

7.
Brief the Biometrics common characteristics.
       Biometrics is the automated measurement of biological or behavioral features that identify a person. When a user is given an account, the system administration takes a set of measurements that identify that user to an acceptable degree of error. Whenever the user accesses the system,

Fingerprints - Fingerprints can be scanned optically, but the cameras needed are bulky.

 Voices - Authentication by voice, also called speaker verification or speaker recognition, involves recognition of a speaker's voice characteristics or verbal information verification.

 Eyes - Authentication by eye characteristics uses the iris and the retina. Patterns within the iris are unique for each person.

Faces - Face recognition consists of several steps. First, the face is located. If the user places her face in a predetermined position (for example, by resting her chin on a support), the problem becomes somewhat easier.

Keystrokes - Keystroke dynamics requires a signature based on keystroke intervals, keystroke pressure, keystroke duration, and where the key is struck (on the edge or in the middle). This signature is believed to be unique in the same way that written signatures are unique.

Caution - Because biometrics measures characteristics of the individual, people are tempted to believe that attackers cannot pose as authorized users on systems that use biometrics. Two assumptions underlie this belief.





8.
Explain about the Representing Identity

The theme of identity runs throughout humanity's experience, and computers are no exception. In computer science, an identity is the basis for assignment of privileges and is integral in the designation of a protection domain.
What Is Identity? - A principal is a unique entity. An identity specifies a principal.
The identity of a file or other entity (here called an "object") depends on the system that contains the object.
A user is an identity tied to a single entity. Specific systems may add additional constraints. Systems represent user identity in a number of different ways. Indeed, the same system may use different representations of identity in different contexts.

Groups and Roles

The "entity" may be a set of entities referred to by a single identifier. The members of the set must be distinguishable, but the set may have an identity separate from any of its elements.
A CA authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued.
A CA issuance policy describes the principals to whom the CA will issue certificates.
The Internet infrastructure handles these conflicts with a Distinguished Name conflict detection database. Before a PCA may issue a certificate to a CA, it must determine if a conflict exists. It sends a query to the database containing the following information.
1.    A hash value computed on a canonical representation of the CA's Distinguished Name
2.    The CA's public key in the certificate
3.    The Distinguished Name of the PCA

Identity on the Web - Certificates are not ubiquitous on the Internet. Several other means attach identity to information, even though the binding may be very transient.


9.
Overview the Information Flow.

          Although access controls can constrain the rights of a user, they cannot constrain the flow of information about a system.
Entropy-Based Analysis - The command sequence c causes a flow of information from x to y if H(xs | yt) < H(xs | ys). If y does not exist in s, then H(xs | ys) = H(xs).
          An implicit flow of information occurs when information flows from x to y without an explicit assignment of the form y := f(x), where f(x) is an arithmetic expression with the variable x.
          The confinement flow model is a 4-tuple (I, O, confine, →) in which I = (SCI, ≤I, joinI) is a lattice-based information flow policy; O is a set of entities; →: O × O is a relation with (a, b) ∈ → if and only if information can flow from a to b; and, for each a ∈ O, confine(a) is a pair (aL, aU) ∈ SCI × SCI, with aL ≤I aU, and the interpretation that for a ∈ O, if x ≤ aU, information can flow from x to a, and if aL ≤ x, information can flow from a to x.

A set of statements is certified with respect to an information flow policy if the information flow within that set of statements does not violate the policy.

Program Statements

A program consists of several types of statements. Typically, they are
1.    Assignment statements
2.    Compound statements
3.    Conditional statements
4.    Iterative statements
5.    Goto statements
6.    Procedure calls
7.    Function calls
8.    Input/output statements.

Execution-Based Mechanisms

The goal of an execution-based mechanism is to prevent an information flow that violates policy. Checking the flow requirements of explicit flows achieves this result for statements involving explicit flows. Before the assignment
y = f(x1, ..., xn)
is executed, the execution-based mechanism verifies that
lub(x1, ..., xn) ≤ y
If the condition is true, the assignment proceeds. If not, it fails. A naïve approach, then, is to check information flow conditions whenever an explicit flow occurs.
Implicit flows complicate checking.

10.
Brief the Compiler-Based Mechanisms.
Compiler-based mechanisms check that information flows throughout a program are authorized. The mechanisms determine if the information flows in a program could violate a given information flow policy. This determination is not precise, in that secure paths of information flow may be marked as violating the policy; but it is secure, in that no unauthorized path along which information may flow will be undetected.
A set of statements is certified with respect to an information flow policy if the information flow within that set of statements does not violate the policy.
We opt for a more liberal approach, in which the language constructs specify the set of classes from which information may flow into the variable. For example,
x: integer class { A, B }
states that x is an integer variable and that data from security classes A and B may flow into x. Note that the classes are statically, not dynamically, assigned. Viewing the security classes as a lattice, this means that x's class must be at least the least upper bound of classes A and B—that is, lub{A, B} ≤ x.
Assignment Statements
An assignment statement has the form
y := f(x1, ..., xn)
Compound Statements
A compound statement has the form
begin
     S1;
     ...
     Sn;
end;
where each of the Si's is a statement. If the information flow in each of the statements is secure, then the information flow in the compound statement is secure. Hence, the requirements for the information flow to be secure are
  • S1 secure
  • ...
  • Sn secure
A basic block is a sequence of statements in a program that has one entry point and one exit point.
wait(x): if x = 0 then block until x > 0; x := x - 1;
signal(x): x := x + 1;
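The lub check in the execution-based answer (question 9) and the certification rules for assignment and compound statements in this answer can be coded directly. The Python below is an added example, not from the page or the textbook: security classes are sets of labels, so lub is set union and ≤ is the subset relation, matching the `x: integer class { A, B }` declaration; `certify` statically checks assignment, compound and conditional statements, carrying the class of the enclosing condition so that implicit flows are caught as well; and `execute_assignment` performs the same lub(x1, ..., xn) ≤ y check at run time just before the assignment. The statement classes, the sample declarations and the choice of summation for f are constructed for the example.

```python
from dataclasses import dataclass
from typing import Tuple, Union

# Security classes are sets of source labels; lub is union and "<=" is subset (a lattice).
LOW = frozenset()


def lub(*classes):
    out = frozenset()
    for c in classes:
        out = out | c
    return out


@dataclass
class Assign:            # y := f(x1, ..., xn)
    target: str
    sources: Tuple[str, ...]


@dataclass
class Compound:          # begin S1; ...; Sn end
    stmts: Tuple["Stmt", ...]


@dataclass
class If:                # if cond(x1, ..., xk) then S1 else S2 (implicit flow from the condition)
    cond_vars: Tuple[str, ...]
    then_branch: "Stmt"
    else_branch: "Stmt"


Stmt = Union[Assign, Compound, If]


def certify(stmt, decl, pc=LOW):
    """Return True if stmt is certified with respect to the declared classes in decl.

    decl maps each variable to its static class. pc is the class of the condition(s)
    the statement is nested in, so information carried by a branch is checked too.
    """
    if isinstance(stmt, Assign):
        # lub(x1, ..., xn) <= y, widened by pc to cover implicit flows
        return lub(pc, *(decl[x] for x in stmt.sources)) <= decl[stmt.target]
    if isinstance(stmt, Compound):
        # secure if and only if every S_i is secure
        return all(certify(s, decl, pc) for s in stmt.stmts)
    if isinstance(stmt, If):
        inner = lub(pc, *(decl[x] for x in stmt.cond_vars))
        return certify(stmt.then_branch, decl, inner) and certify(stmt.else_branch, decl, inner)
    raise TypeError(f"unsupported statement {stmt!r}")


def execute_assignment(stmt, decl, env):
    """Execution-based mechanism: verify lub(x1, ..., xn) <= y, then run y := f(x1, ..., xn).

    f is fixed to summation so the example is runnable. Returns True if the assignment
    proceeded and False if the flow check made it fail.
    """
    if not lub(*(decl[x] for x in stmt.sources)) <= decl[stmt.target]:
        return False
    env[stmt.target] = sum(env[x] for x in stmt.sources)
    return True


if __name__ == "__main__":
    A, B = frozenset({"A"}), frozenset({"B"})
    decl = {"a": A, "b": B, "x": A | B, "t": LOW}   # constructed declarations
    print("x := f(a, b):", certify(Assign("x", ("a", "b")), decl))
    print("a := f(b):", certify(Assign("a", ("b",)), decl))
    print("if b then a := a:", certify(If(("b",), Assign("a", ("a",)), Assign("x", ())), decl))
    env = {"a": 1, "b": 2}
    print("runtime x := a + b:", execute_assignment(Assign("x", ("a", "b")), decl, env), env)
```

The conditional case is where a purely explicit-flow checker is blind: `a := a` on its own is secure, but inside `if b then ...` the value of b leaks into a through the choice of branch, and the widened pc makes `certify` reject it.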


ANSWER KEY

PART-A

1.
Explain about State and Cookies
            A cookie is a message given to a Web browser by a Web server. The browser stores the message in a text file. The message is then sent back to the server each time the browser requests a page from the server.

2.
What is security pipeline interface (SPI)?
              Hoffman and Davis propose adding a processor, called a security pipeline interface (SPI), between a host and a destination. Data that the host writes to the destination first goes through the SPI, which can analyze the data, alter it, or delete it. But the SPI does not have access to the host's internal memory; it can only operate on the data being output. Furthermore, the host has no control over the SPI.
Figure: Use of an SPI to check for corrupted files.

3.
Write about rule of transitive confinement and virtual machine.
            A virtual machine is a program that simulates the hardware of a (possibly abstract) computer system.


4.
Differentiate between covert storage channel and noiseless covert channel.
  • A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.
  • A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.
5.
Draw the Secure Network Server Mail Guard diagram.
6.
What are the types of computer viruses.
  • A boot sector infector is a virus that inserts itself into the boot sector of a disk.
  • An executable infector is a virus that infects executable programs.
  • A multipartite virus is one that can infect either boot sectors or applications.
  • A terminate and stay resident (TSR) virus is one that stays active (resident) in memory after the application (or bootstrapping, or disk mounting) has terminated.
  • Stealth viruses are viruses that conceal the infection of files.
  • A polymorphic virus is a virus that changes its form each time it inserts itself into another program.
7.
Define Malicious logic
             Malicious logic is a set of instructions that cause a site's security policy to be violated.

8.
Differentiate Trojan horse and propagating Trojan horse
  • A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.
  • A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy of itself.
9.
What is computer worm and boot sector infector?
  • A computer worm is a program that copies itself from one computer to another.
  • A boot sector infector is a virus that inserts itself into the boot sector of a disk.
10.
List out the four steps for Flaw Hypothesis Methodology.
1.    Information gathering. In this step, the testers become familiar with the system's functioning. They examine the system's design, its implementation, its operating procedures, and its use. The testers become as familiar with the system as possible.
2.    Flaw hypothesis. Drawing on the knowledge gained in the first step, and on knowledge of vulnerabilities in other systems, the testers hypothesize flaws of the system under study.
3.    Flaw testing. The testers test their hypothesized flaws. If a flaw does not exist (or cannot be exploited), the testers go back to step 2. If the flaw is exploited, they proceed to the next step.
4.    Flaw generalization. Once a flaw has been successfully exploited, the testers attempt to generalize the vulnerability and find others similar to it. They feed their new understanding (or new hypothesis) back into step 2 and iterate until the test is concluded.

PART-B

7.
Explain about the Nonlattice Information Flow Policies
  • Denning identifies two requirements for information flow policies. Both are intuitive. Information should be able to flow freely among members of a single class, providing reflexivity.
  • The confinement flow model is a 4-tuple (I, O, confine, →) in which I = (SCI, ≤I, joinI) is a lattice-based information flow policy; O is a set of entities; →: O × O is a relation with (a, b) ∈ → if and only if information can flow from a to b; and, for each a ∈ O, confine(a) is a pair (aL, aU) ∈ SCI × SCI, with aL ≤I aU, and the interpretation that for a ∈ O, if x ≤ aU, information can flow from x to a, and if aL ≤ x, information can flow from a to x.
  • Transitive Nonlattice Information Flow Policies - A quasi-ordered set Q = (SQ, ≤Q) is a set SQ and a relation ≤Q defined on SQ such that the relation is both reflexive and transitive.
  • Nontransitive Information Flow Policies - Let R = (SCR, ≤R, joinR) represent a reflexive information flow policy. A dual mapping (lR(x), hR(x)) maps R to an ordered set P = (SP, ≤P).
  • A dual mapping from a reflexive information flow policy R to an ordered set P is order-preserving.
  • Nonlattice policies can be embedded into lattices. Hence, analysis of information flows may proceed without loss of generality under the assumption that the information flow model is a lattice.
8.
Overview about Covert Channels in confinement problems.
  • A covert storage channel uses an attribute of the shared resource. A covert timing channel uses a temporal or ordering relationship among accesses to a shared resource.
  • A covert timing channel is usually defined in terms of a real-time clock or a timer, but temporal relationships sometimes use neither. An ordering of events implies a time-based relationship that involves neither a real-time clock nor a timer.
  • A noiseless covert channel is a covert channel that uses a resource available to the sender and receiver only. A noisy covert channel is a covert channel that uses a resource available to subjects other than the sender and receiver, as well as to the sender and receiver.
Detection of Covert Channels - Covert channels require sharing. The manner in which the resource is shared controls which subjects can send and receive information using that shared resource. Detection methods begin with this observation.
The next step is to determine whether any of these shared resources provide covert channels. The following properties must hold for a covert storage channel to exist.
  • Both the sending and receiving processes must have access to the same attribute of a shared object.
  • The sending process must be able to modify that attribute of the shared object.
  • The receiving process must be able to reference that attribute of the shared object.
  • A mechanism for initiating both processes, and properly sequencing their respective accesses to the shared resource, must exist.
The requirements for covert timing channels are similar to those for covert storage channels.
  • Both the sending and receiving processes must have access to the same attribute of a shared object.
  • Both the sending and receiving processes must have access to a time reference, such as a real-time clock, a timer, or the ordering of events.
  • The sending process must be able to control the timing of the detection of a change in the attribute by the receiving process.
  • A mechanism for initiating both processes, and properly sequencing their respective accesses to the shared resource, must exist.
The specific criteria are as follows.
  • The value of a variable is obtained from a system call.
  • A calling process can detect at least two different states of that variable.
9.
Explain about the vulnerability frameworks with neat examples.
The goals of a framework dictate the framework's structure. For example, if the framework is to guide the development of an attack detection tool, the focus of the framework will be on the steps needed to exploit vulnerabilities. If the framework is intended to aid the software development process, it will emphasize programming and design errors that cause vulnerabilities. Each of the following classification schemes was designed with a specific goal in mind.
The investigators classified flaws into seven general classes.
  • Incomplete parameter validation
  • Inconsistent parameter validation
  • Implicit sharing of privileged/confidential data
  • Asynchronous validation/inadequate serialization
  • Inadequate identification/authentication/authorization
  • Violable prohibition/limit
  • Exploitable logic error
The Flaw Classes -
  • Incomplete parameter validation occurs when a parameter is not checked before use.
  • Inconsistent parameter validation is a design flaw in which each individual routine using data checks that the data is in the proper format for that routine, but the routines require different formats.
  • Inadequate identification/authorization/authentication flaws arise when a system allows a user to be erroneously identified, when one user can assume another's privilege, or when a user can trick the system (or another user) into executing a program without authorization.
  • Exploitable logic error flaws encompass problems not falling into any of the other classes; examples include incorrect error handling, unexpected side effects of instructions, and incorrect allocation of resources.
Aslam's Model
  - The Flaw Classes
  - Legacy
Comparison and Analysis
  - The xterm Log File Flaw
  - The fingerd Buffer Overflow Flaw
10.
Explain about the Gupta and Gligor's Theory of Penetration Analysis.
Gupta and Gligor make two hypotheses.
  • Hypothesis of Penetration Patterns. "[S]ystem flaws that cause a large class of penetration patterns can be identified in system (i.e., TCB) source code as incorrect/absent condition checks or integrated flows that violate the intentions of the system designers."
  • Hypothesis of Penetration-Resistant Systems. "[A] system (i.e., TCB) is largely resistant to penetration if it adheres to a specific set of design properties."
Gupta and Gligor select and formalize several properties, and from those properties derive checks to determine if the system correctly obeys them.
  • System isolation or tamperproofness, which states that users must not be able to tamper with the system. This encompasses parameter checking at the system boundary, separation of user and system addresses, and allowing entry to the system only at well-defined gates at which parameters and privileges can be validated.
  • System noncircumventability, which states that the system must check all references to objects.
  • Consistency of global objects belonging to the system, with respect to both timing and storage.
  • Elimination of undesirable system and user dependencies, which usually refers to prevention of denial-of-service attacks.

ANSWER KEY


PART-A

1.
Differentiate between authentication policy and issuance policy.
  • A CA authentication policy describes the level of authentication required to identify the principal to whom the certificate is to be issued.
  • A CA issuance policy describes the principals to whom the CA will issue certificates.
2.
What is threshold scheme?
           A (t, n)-threshold scheme is a cryptographic scheme in which a datum is divided into n parts, any t of which are sufficient to determine the original datum. The n parts are called shadows.
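As an added example (not from the page or the textbook), the Python below implements a (t, n)-threshold scheme using Shamir's polynomial construction over a prime field: the datum becomes the constant term of a random polynomial of degree t − 1, each shadow is a point on it, and any t shadows recover the datum by Lagrange interpolation at zero. The field prime and the sample datum are constructed choices; the datum must be smaller than the prime.

```python
import secrets

# Field size for the arithmetic (a Mersenne prime, a constructed choice); the datum must be < PRIME.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest degree first) at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, t, n):
    """Produce n shadows of secret such that any t of them determine it.

    The secret is the constant term of a random polynomial of degree t-1, and
    shadow k is the point (k, f(k)). The leading coefficient is kept nonzero so
    that t-1 shadows never suffice.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(t - 2)]
    if t > 1:
        coeffs.append(1 + secrets.randbelow(PRIME - 1))
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shadows):
    """Lagrange interpolation at x = 0 over GF(PRIME) from any t (or more) shadows."""
    total = 0
    for i, (xi, yi) in enumerate(shadows):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shadows):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


if __name__ == "__main__":
    datum = 123456789                      # constructed datum
    shadows = split_secret(datum, 3, 5)    # (3, 5)-threshold scheme
    print("from shadows 1-3:", recover_secret(shadows[:3]) == datum)
    print("from shadows 1,3,5:", recover_secret([shadows[0], shadows[2], shadows[4]]) == datum)
    print("from only two shadows:", recover_secret(shadows[:2]) == datum)
```

With fewer than t shadows the interpolation still returns a value, just not the right one: two points of a degree-2 polynomial fix a line whose value at zero differs from the datum by a2·x1·x2, so the scheme gives no partial information rather than a partial answer.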

3.
Write about confinement problem and covert channel.
Access control affects the function of the server in two ways.
  • The server must ensure that the resources it accesses on behalf of the client include only those resources that the client is authorized to access.
  • The server must ensure that it does not reveal the client's data to any other entity not authorized to see the client's data.
A covert channel is a path of communication that was not designed to be used for communication.

4.
What is sandbox?
A sandbox is an environment in which the actions of a process are restricted according to a security policy.



5.
Write the concept of Fenton's Data Mark Machine.
·         Fenton created an abstract machine called the Data Mark Machine to study handling of implicit flows at execution time. Each variable in this machine had an associated security class, or tag. Fenton also included a tag for the program counter (PC).
·         Fenton defined five instructions. The relationships between execution of the instructions and the classes of the variables are as follows.
The increment instruction
x := x + 1
is equivalent to
if PC ≤ x then x := x + 1; else skip

6.
Differentiate between Trojan horse and propagating Trojan horse.
·         A Trojan horse is a program with an overt (documented or known) effect and a covert (undocumented or unexpected) effect.
·         A propagating Trojan horse (also called a replicating Trojan horse) is a Trojan horse that creates a copy of itself.
7.
Define the logging and auditing.
·         Logging is the recording of events or statistics to provide information about system use and performance.
·         Auditing is the analysis of log records to present information about the system in a clear and understandable manner.
8.
Short note on intrusion principles.
Computer systems that are not under attack exhibit several characteristics.
·         The actions of users and processes generally conform to a statistically predictable pattern. A user who does only word processing when using the computer is unlikely to perform a system maintenance function.
·         The actions of users and processes do not include sequences of commands to subvert the security policy of the system. In theory, any such sequence is excluded; in practice, only sequences known to subvert the system can be detected.
·         The actions of processes conform to a set of specifications describing actions that the processes are allowed to do (or not allowed to do).
9.
Write about the Autonomous Agents: AAFID
·         An autonomous agent is a process that can act independently of the system of which it is a part.
10.
List out the layering model suggested for a penetration study.
·         External attacker with no knowledge of the system. At this level, the testers know that the target system exists and have enough information to identify it once they reach it.
·         External attacker with access to the system. At this level, the testers have access to the system and can proceed to log in or to invoke network services available to all hosts on the network (such as electronic mail).
·         Internal attacker with access to the system. At this level, the testers have an account on the system and can act as authorized users of the system.

PART-B

7.
Write an overview of the principles of secure design, with examples.
·         The principle of least privilege states that a subject should be given only those privileges that it needs in order to complete its task.
·         The principle of fail-safe defaults states that, unless a subject is given explicit access to an object, it should be denied access to that object.
·         The principle of economy of mechanism states that security mechanisms should be as simple as possible.
·         The principle of complete mediation requires that all accesses to objects be checked to ensure that they are allowed.
·         The principle of open design states that the security of a mechanism should not depend on the secrecy of its design or implementation.
·         The principle of separation of privilege states that a system should not grant permission based on a single condition.
·         The principle of least common mechanism states that mechanisms used to access resources should not be shared.
·         The principle of psychological acceptability states that security mechanisms should not make the resource more difficult to access than if the security mechanisms were not present.
8.
Explain compiler-based mechanisms.
·         A set of statements is certified with respect to an information flow policy if the information flow within that set of statements does not violate the policy.
 For example,
x: integer class { A, B }
Program Statements
A program consists of several types of statements. Typically, they are
·         Assignment statements
·         Compound statements
·         Conditional statements
·         Iterative statements
·         Goto statements
·         Procedure calls
·         Function calls
·         Input/output statements.

Assignment Statements
An assignment statement has the form
y := f(x1, ..., xn)
where y and x1, ..., xn are variables and f is some function of those variables. Information flows from each of the xi's to y. Hence, the requirement for the information flow to be secure is
lub{x1, ..., xn} ≤ y
Compound Statements
A compound statement has the form
begin
     S1;
     ...
     Sn;
end;
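The two rules above (Fenton's execution-time check on the increment instruction in Part-A question 5, and the compile-time certification of assignment and compound statements here) both rest on a lattice of security classes. As an added example, not code from the page or from the textbook it summarises, the following models the classes as sets of labels (as in "x: integer class { A, B }"), taking subset inclusion as the lattice order and set union as lub; that lattice choice is an assumption of the example.

```python
# Added example (not the page's or the textbook's code): a lattice of security
# classes, the Data Mark Machine rule for the increment instruction, and static
# certification of assignment and compound statements.
from dataclasses import dataclass

# A security class is a frozenset of labels, as in "x: integer class { A, B }".
# Assumption of this example: the lattice order is subset inclusion and lub is
# set union; any lattice with a lub and a <= relation would work the same way.
def lub(*classes):
    result = frozenset()
    for c in classes:
        result |= c
    return result

def dominates(lower, upper):
    """True when lower <= upper in the lattice."""
    return lower <= upper

# Fenton's Data Mark Machine, execution-time check on the increment instruction:
# x := x + 1 runs only if PC <= tag(x); otherwise the instruction is skipped.
@dataclass
class DataMarkMachine:
    values: dict
    tags: dict
    pc_tag: frozenset = frozenset()

    def increment(self, x):
        if dominates(self.pc_tag, self.tags[x]):
            self.values[x] += 1
            return True
        return False  # skipped: writing x would leak the PC's class into x

# Compiler-based certification of y := f(x1, ..., xn): secure iff lub{x1..xn} <= y.
def certify_assignment(y, xs, classes):
    return dominates(lub(*(classes[x] for x in xs)), classes[y])

# begin S1; ...; Sn end is certified iff every Si is certified.
# Each statement is given as (y, [x1, ..., xn]).
def certify_compound(statements, classes):
    return all(certify_assignment(y, xs, classes) for y, xs in statements)

if __name__ == "__main__":
    classes = {"x": frozenset({"A", "B"}), "y": frozenset({"A"}), "z": frozenset({"A", "B"})}
    print(certify_assignment("z", ["x", "y"], classes))  # True: lub = {A,B} <= {A,B}
    print(certify_assignment("y", ["x"], classes))       # False: {A,B} is not <= {A}
    m = DataMarkMachine(values={"x": 0, "y": 0}, tags=classes, pc_tag=frozenset({"B"}))
    print(m.increment("x"), m.increment("y"))            # True False
```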
9.
Write about the computer viruses and several types of computer viruses.
             A computer virus is a program that inserts itself into one or more files and then performs some (possibly null) action.
           A boot sector infector is a virus that inserts itself into the boot sector of a disk.
           An executable infector is a virus that infects executable programs.
           A multipartite virus is one that can infect either boot sectors or applications.
           A terminate and stay resident (TSR) virus is one that stays active (resident) in memory after the application (or bootstrapping, or disk mounting) has terminated.
           Stealth viruses are viruses that conceal the infection of files.
           A polymorphic virus is a virus that changes its form each time it inserts itself into another program.
10.
Explain the following
a)    Anatomy of an Auditing System.  (5)
·         Logging is the recording of events or statistics to provide information about system use and performance.
·         Auditing is the analysis of log records to present information about the system in a clear and understandable manner.
Logger
·         Logging mechanisms record information. The type and quantity of information are dictated by system or program configuration parameters. The mechanisms may record information in binary or human-readable form or transmit it directly to an analysis mechanism.
Analyzer
·         An analyzer takes a log as input and analyzes it. The results of the analysis may lead to changes in the data being recorded, to detection of some event or problem, or both.
Notifier
·         The analyzer passes the results of the analysis to the notifier. The notifier informs the analyst, and other entities, of the results of the audit. The entities may take some action in response to these results.
·         An anonymizing sanitizer deletes information in such a way that it cannot be reconstructed by either the recipient or the originator of the data in the log. A pseudonymizing sanitizer deletes information in such a way that the originator of the log can reconstruct the deleted information.
·         A state-based logging mechanism records information about a system's state. A state-based auditing mechanism determines whether or not a state of the system is unauthorized.
·         A transition-based logging mechanism records information about an action on a system. A transition-based auditing mechanism examines the current state of the system and the proposed transition (command) to determine if the result will place the system in an unauthorized state.
b)    Intrusion detection architecture.  (5)
Architecture of an intrusion detection system.
Agent
                An agent obtains information from a data source (or set of data sources).
Host-Based Information Gathering
                  Host-based agents usually use system and application logs to obtain records of events, and analyze them to determine what to pass to the director. The events to look for, and to analyze, are determined by the goals of the intrusion detection mechanism.
Combining Sources
                 The goal of an agent is to provide the director with information so that the director can report possible violations of the security policy (intrusions). An aggregate of information is needed. However, the information can be viewed at several levels.
Director
                  The director itself reduces the incoming log entries to eliminate unnecessary and redundant records. It then uses an analysis engine to determine if an attack (or the precursor to an attack) is underway. The analysis engine may use any of, or a mixture of, several techniques to perform its analysis.
Notifier
                   The notifier accepts information from the director and takes the appropriate action. In some cases, this is simply a notification to the system security officer that an attack is believed to be underway. In other cases, the notifier may take some action to respond to the attack.
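The logger/analyzer/notifier anatomy in (a) and the agent/director/notifier architecture in (b) describe the same pipeline. As an added example that is not from the page, the following runs that pipeline over a few constructed sshd-style log lines: the agent extracts login events, the director collapses redundant records and applies one threshold rule, and the notifier turns the result into messages for the analyst. The log format, user names and addresses are all constructed for the example.

```python
# Added example (not from the page): agent -> director -> notifier over
# constructed host log records.
import re
from collections import Counter

# Constructed sample log lines (not real data); format is an assumption of the example.
SAMPLE_LOG = """\
sshd: Failed password for alice from 10.0.0.5
sshd: Failed password for alice from 10.0.0.5
sshd: Failed password for alice from 10.0.0.5
sshd: Failed password for alice from 10.0.0.5
sshd: Accepted password for bob from 10.0.0.9
cron: job backup started
""".splitlines()

LINE_RE = re.compile(r"^sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def agent(lines):
    """Host-based agent: keep only the login events the director cares about."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append({"outcome": m.group(1), "user": m.group(2), "src": m.group(3)})
    return events

def director(events, threshold=3):
    """Director: reduce redundant records, then run one analysis rule."""
    # Reduction: identical failure records collapse into one (user, source) count.
    failures = Counter((e["user"], e["src"]) for e in events if e["outcome"] == "Failed")
    # Rule: repeated failures against one account from one source is a candidate attack.
    return [{"user": u, "src": s, "count": n}
            for (u, s), n in failures.items() if n >= threshold]

def notifier(alerts):
    """Notifier: report the director's findings to the security officer."""
    return [f"possible password guessing: {a['count']} failures for {a['user']} from {a['src']}"
            for a in alerts]

def run_pipeline(lines, threshold=3):
    return notifier(director(agent(lines), threshold))

if __name__ == "__main__":
    for msg in run_pipeline(SAMPLE_LOG):
        print(msg)
```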