Answer Key for Software Security Technologies Richard Sinn Chapter 1 Review questions 1-1 faked, trustworthy 1-2 An attacker maliciously changes data in transit or in medium. 1-3 Confidentiality, Authentication, Integrity 1-4 Entity Authentication provides identification of the specific entity involved in isolation from any other activity that the entity might want to perform. Data Origin Authentication is also called non-repudiation, it identifies a specific entity as the source or origin of a given piece of data. 1-5 Single, secret 1-6 P[i] = KS[i] XOR C[i] 1-7 Digits, digit 1-8 The cipher in ECB takes a single block of plaintext and produces a single block of ciphertext. 1-9 In CBC mode, the encryption of each plaintext block depends on the ciphertext of the previous block. 1-10 CFB mode turns a block cipher into a stream cipher. 1-11 OFB is another way of changing a block cipher into a stream cipher. It generates the next keystream block by encrypting the previous keystream block. 1-12 stream 1-13 Dictionary attack is the general technique of guessing a secret (such as key or password) by running through a list of possibilities, often a list of words from a dictionary. 1-14 2a/2 1-15 For encryption of first block. 1-16 Snooping. 1-17 The algorithm becomes the same as DES and 3DES hardware can be made to interoperate with DES hardware. 1-18 False, RC4 is a stream cipher. 1-19 d 1-20 Preimage resistant, Second preimage resistant, Collision-resistant. 1-21 Replay Attack 1-22 MAC uses a key 1-23 slow 1-24 A relatively small e makes operations performed with the public key faster. 1-25 Sender verification 1-26 Custom computation 1-27 Issuer dn + serial number 1-28 cn=Winnie Chan Wang, ou=engineering, o=HighTech, Inc, c=US. 1-29 PKCS 12 1-30 7 Chapter 2 Review questions 2-1 Create, secure 2-2 True 2-3 Adversary Economics Formula n * Cb >> Ch + n * Cc + P11(n) * C11(n) Cb: The cost of buying the software item. Ch: The cost of breaking the protection. Cc: The value of the pirate software. P11: The probability (risk) of getting caught. C11: The cost of getting caught. N: The number of pirate copies to make. 2-4 e 2-5 infringement 2-6 It represents the uniqueness between a particular license and the environment where the software product is deployed. 2-7 Licensing and code protection 2-8 Building a 100% secure system is either too expensive or not possible. 2-9 A worm is a special type of “smart” virus that can replicate from system to system without any human user intervention. Trojan horse is standalone software attack that do not replicate by itself. 2-10 Top secret, secret, confidential unclassified 2-11 No Read up, no write down 2-12 The compartments can be used to indicate whether or not the data can be shared in particular departments, organizations, companies, or even countries. 2-13 Lattice 2-14 Formal specifications 2-15 B3 2-16 Formal math proof 2-17 Storage, covert, timing channels 2-18 Virus attack, reclassification difficult, high cost of creation and validation. 2-19 Maintenance 2-20 Negative test cases test error condition. 2-21 Risk assessment, external audit, comprehensive test plan 2-22 commercial off-the-shelf software 2-23 Please refer to sidebar. 2-24 11 2-25 False 2-26 security education 2-27 True 2-28 Refactoring is defined as the process of changing the internal structure of software program to make it easier to understand and maintain without modifying its external behavior. 2-29 metaphors 2-30 Security user stories and daily security checkup 2-31 Add automatic positive and negative unit test cases 2-32 Code review is static, dynamic analysis is software analysis that involves actually running of software programs. 2-33 aspect 2-34 AOP defines the concept of join point: it is a well-defined point in the program flow. 2-35 Define security policy. 2-36 True Chapter 3 Review questions 3-1 Well-defined Entry Points, Predictable Security, End-User Transparency 3-2 Authentication, Confidentiality, Integrity 3-3 Something you know, have, are, do. 3-4 Use finger print to access a token card you have, then PIN to login. 3-5 1 3-6 Yes 3-7 The basic concept is to provide notarization on digital data within the PKI framework. 3-8 No 3-9 Figure 3.3 3-10 Certificate Authority 3-11 False, CA does the issue. RA handles CSR. 3-12 Intermediate CA 3-13 Creation and backup services of keys 3-14 This is the algorithm ID (object identifier (OID) plus any associated parameters) used to sign the certificate. 3-15 Issuer dn and serial number 3-16 False 3-17 root 3-18 Certificate cannot be changed. 3-19 Class 1, 2, 3 3-20 This update – CRL creation time. Next update – Next CRL issue time. 3-21 Authority Revocation List (ARL) Complete Certificate Revocation List (CRL) CRL Distribution Point (DP) Redirect CRL Delta CRL Indirect CRL 3-22 Computer CRL 3-23 False. Application needs to implement the check. No standard to enforce the check. 3-24 False. Can do more then one. 3-25 False. Chapter 4 Review questions 4-1 Model of: what you can trust, how you are going to build any trust relationship, and when to apply and verify the trust. 4-2 Threat modeling 4-3 Yes. But usually not a good idea as trust might not match organizational structure. 4-4 “A” trusts “B” when “A” assumes that “B” will behave exactly as “A” expects. 4-5 subordinate trust anchor 4-6 Trust processing can be evenly distributed. 4-7 It is hard to have only one root trust in many cases. 4-8 Hub and Mesh configuration 4-9 A forward cross-certificate is the trusted token a CA needs to go to another community. And a reverse cross-certificate is the trusted token other CA needs to get into the current community. 4-10 Binding of CA to browser is not signed, user can add or delete any certificate installed. 4-11 Yes. 4-12 Centralized and decentralized systems 4-13 fundamental risk, Particular risk 4-14 Please refer to section 4.11 4-15 Attack tree is a formal methodology for analyzing the security of software systems. 4-16 Attack pattern 4-17 XSS 4-18 Filter meta characters. 4-19 Filter meta characters. 4-20 Filter meta characters. Filter from browser, filer using URL databases. Chapter 5 Review questions 5-1 Yes. 5-2 Controlled environment. No, not for DOS, etc. 5-3 Yes, with command line option javap. 5-4 False 5-5 Magic number check, syntax checking, instruction checking, access control modifier checking 5-6 False. Package level (default) 5-7 Use –Xverify:all option 5-8 Avoid stepping over and provide protection 5-9 ClassLoader 5-10 Name space 5-11 True 5-12 Generations are memory pools holding objects of different ages. Memory is managed in generations in garbage collection and the collection process occurs in each generation when the generation fills up. 5-13 Use immutable objects if possible. No. 5-14 Avoid using inner classes. After compilation, an inner class is translated into byte codes where any class in the same package can access it. Furthermore, the enclosing class’s private fields are converted into non-private to permit access by the inner class. 5-15 Transient instance fields are neither saved nor restored by the standard Java serialization mechanism. 5-16 Use package.definition=MyPackage1 [MyPackage2, . . . MyPackageN] 5-17 False 5-18 False 5-19 Protection Domain 5-20 When "x implies y", anyone that is granted permission "x", is automatically granted permission "y". 5-21 policy file 5-22 CodeBase ends with "/" matches all class files (not JAR files) in the specified directory. CodeBase ends with "/-" matches all files (both class and JAR files) in the directory and recursively all files in subdirectories contained in that directory. 5-23 New ones will be implemented in the future. 5-24 False 5-25 No. Optional. 5-26 Accesscontrolexcception 5-27 False 5-28 Use rule of intersection. 5-29 5-30 5-31 stops To decide whether an access to a critical system resource is allowed or denied based on the current effective security policy. To mark code as being "privileged", thus affecting subsequent access determinations. To obtain a "snapshot" of the current calling context and enable access-control decisions from a different context can be made with respect to the saved context. The code is in the run method of any implementation of either the java.security.PrivilegedAction or the java.security.PrivilegedExceptionAction interface. And, The run() method is executed by the doPrivileged() method of java.security.AccessController class. Chapter 6 Review questions 6-1 A provider supplies a concrete implementation of a subset of the cryptography functions. Architecture allows switching. 6-2 Yes. 6-3 Static and dynamic. 6-4 Text based but long. 6-5 Message digest 6-6 weak strong 6-7 Key, data, and algo. 6-8 (1/2)*2**1024 6-9 blocks 6-10 IV 6-11 Key exchange 6-12 Digital signature needs private key for signing to create. 6-13 Padding 6-14 Signed by trusted CA 6-15 False. 6-16 False 6-17 key store stores key. Trust store is for trusted certificates. 6-18 Using password 6-19 Use jarsign 6-20 Signed applet can access system resources 6-21 certification path 6-22 True for some version. False otherwise. Trick question. 6-23 Provide abstraction Chapter 7 Review questions 7-1 Authentication 7-2 Authorization 7-3 Get cash from ATM machine 7-4 The protocol that picks one of the available authentication methods for a system. Negotiate implements RFC 2478: The Simple and Protected GSS-API Negotiation Mechanism. 7-5 Authorization is implemented when you control permissions for new objects created in a container object by setting inheritable permissions on the container. 7-6 User ACL, Group ACL, role based 7-7 False. It is an infrastructure to build with. 7-8 PAM divides authentication into front-end (the authentication interface library) and the back-end (the actual authentication mechanism-specific modules). 7-9 Principal, is used to represent a name associated with a subject. 7-10 Use refreshable 7-11 Configuration such as JAAS_Demo { RegistrationPAM required; PasswordPAM optional; RolePAM required; com.sun.security.auth.module.NTLoginModule required; }; 7-12 LoginContext, load PAMs, login is called, invokes PAM one at a time, authentication status return to applications, retrieve Subject 7-13 Use login phase and commit phase 7-14 Applications implement the CallbackHandler and pass it to the LoginContext that in turns forward it to the underlying LoginModules. 7-15 independent 7-16 grant getsubject, modifyprincipals, createlogincontext 7-17 required indicates that the login module must be successful. 7-18 requisite indicates that the login module must be successful, and if it fails no other login modules will be called. 7-19 abort 7-20 sufficient 7-21 optional 7-22 See section 7.8 7-23 Static and Dynamic Chapter 8 Review questions 8-1 type checking 8-2 Smart pointer, reference count 8-3 buffer overflow occurs anytime the program writes more data into the memory buffer than the space it has allocated. 8-4 False 8-5 Heap 8-6 variable attack 8-7 stack overrun 8-8 snprint 8-9 It starts with default environment, and can be substitute to run something else. 8-10 Key size 8-11 Use instead of using long combination of commands. 8-12 relative pathnames 8-13 True 8-14 False 8-15 No prompting but password in clear text when check with system tool such as ps –eaf. 8-16 openssl bf-cfb -e -in mydata.txt -out out.txt 8-17 openssl x509 -in mycert.pem -text -noout 8-18 Hashing 8-19 Iterations of several rounds of the same algorithm will be applied by product ciphers. And each iteration is termed a cipher round. 8-20 handshake 8-21 records 8-22 Get the client certificate for verification 8-23 Section 8.13 Chapter 9 Review questions 9-1 False 9-2 Taint mode 9-3 Perl automatically enter taint mode when it detects its program running with differing real and effective user or group IDs. Or use –T. 9-4 External input, expression with other tainted data, etc. 9-5 Because hacker can substitute program with same name but different content to run. 9-6 True 9-7 tainted 9-8 ‘PATH’, 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' 9-9 Because the list of filenames comes from outside of the program. 9-10 Use to check unix password. 9-11 sub-pattern matches 9-12 Own scope, need sharing of variables, all underscore variables are shared. 9-13 Use if ($@) 9-14 Use share_from 9-15 Replace file with same name. 9-16 It uses tmpfile from C and implementation might not be good. 9-17 Race condition Chapter 10 Review questions 10-1 We define Data Store as a collection of information about objects arranged in some order that gives details about each object. System of Records are systems that store data records that is in specific format that are used by various commercial packages. SAP, PeopleSoft, J.D.Edwards, or any HR package is an example of System of Records. 10-2 No replication, both to both data store and system of records. 10-3 False 10-4 Object class (OC) is just a mechanism for defining a collection of attributes for the instantiation of a directory entry. 10-5 a. dn: cn=Nicholas Sinn b. inetOrgPerson c. subclasses d. email, password 10-6 Object class (OC) 10-7 Replication, not real time access, full audit in replication. 10-8 distinguished name (DN) 10-9 Workflow 10-10 Delegated Administration 10-11 In Rule-Based Modeling, the administrator programs a set of rules that would apply to the identity data set. Role-Based Modeling is a technique of Identity Management modeling in which identities are granted resources, authorization and assignment to one or more pre-defined roles. 10-12 False 10-13 e. 10-14 Lower the possibility guessing attack 10-15 Passphrase are longer and more secure in general 10-16 System binary needs to be changed. 10-17 Provisioning 10-18 certificate 10-19 Credential 10-20 Authentication – who you are Authorization – what you can do 10-21 Universal Description, Discovery and Integration 10-22 Need to change network topology and hard to customize 10-23 Network addresses used, id request for web resource. Chapter 11 Review questions 11-1 MX 11-2 When the primary server fail, it can be used as a backup for re-deliver. 11-3 POP, IMAP 11-4 False 11-5 25 11-6 Ease of lost of device due to its size and portability. 11-7 Power-on password should be used as the first gate for protecting access to the device. An application running in a mobile device can prompt for additional authentication whenever a user tries to run the application. 11-8 Authentication for OS user vs DB user. 11-9 Privileges for an administrator to grant the ability to create new database objects (tables), to delete database objects, to execute SQL statements, or stored procedures. 11-10 Logical, Physical, Temporal, Cryptographic. 11-11 An operating system must provide a security policy and security model. 11-12 The startup or bootstrap mode run all the operating commands with administrator or root privileges. Once the attacker spoofs the OS bootstrap, files might be mounted to a newly booted foreign operating system. As a result, the original access control can be bypassed to access any file. 11-13 Network layer 11-14 Packet filtering firewall, proxy, application gateway 11-15 Flooding