Name __________________________

ICOM 5007 Exam III

Spring 2009

April 29, 2009

Open book and notes.  Only the course text and notes of your own making may be used, meaning no reference books, old exams, or notes made by others.  In the interests of originality and creativity please turn off all electronic communication devices including cell phones, laptops, and pocket computing devices.

1.      This problem relates to security topics.   Answer the following, briefly, please.

a.       A MAC (message authentication code) can be formed from a hash (message digest) by encrypting it.

i.                    If the encryption is done using a session key, why would you not want to use this as a method of verifying the integrity of a downloaded software package?

You would have to retain the session key for each download; also a new key would have to be distributed for each download.

ii.                  If the encryption is done in the public key of the supplier, would this be of any practical use?  Explain.

No, only the supplier knows its private key, so users cannot decrypt and thus check content.

iii.                If the encryption is done in the private key of the supplier, would this be of any practical use?  Explain.

This is the way you do it – the digest can be recovered with the supplier’s public key and the download validated even at some later date – the supplier has thus authenticated itself.

b.      A common virus exploit is to overwrite the hosts file on a machine.  Explain how this foils the automatic update feature of the virus checker.

The local installation of the virus checker can’t find the supplier’s address, or it actually accesses a fake supplier who furnishes malware.
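A defender-side check for the tampering described in this answer, added here as an example and not part of the exam: parse a hosts file and flag any entry that pins a non-local name, with a higher severity when the name belongs to the update or download infrastructure the checker depends on. The sample hosts text and the `example-av.test` suffix are constructed placeholders, not real vendor domains.

```python
import ipaddress

# Constructed sample hosts file (not from the exam). The last two lines are the
# kind of tampering the answer above describes: the checker's update and
# download names are pinned to loopback or to an attacker-chosen address.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
127.0.1.1   workstation
# lines below appended by malware (constructed)
127.0.0.1   update.example-av.test
203.0.113.7 download.example-av.test
"""

# Names that legitimately appear in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}

# Hypothetical suffix standing in for the vendor's update infrastructure.
WATCHED_SUFFIXES = ("example-av.test",)


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower()


def suspicious_entries(text, watched_suffixes=WATCHED_SUFFIXES, local_hostname=None):
    """Return a list of (ip, name, severity, reason) tuples for entries worth a look.

    'high'   : a watched (update/download) name is pinned at all, or the
               address field does not parse;
    'review' : any other non-local name is pinned, since a stock hosts file
               only maps loopback names and the machine's own hostname.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "high", "unparseable address"))
            continue
        if name in LOCAL_NAMES or name == local_hostname:
            continue
        if any(name == s or name.endswith("." + s) for s in watched_suffixes):
            where = "loopback" if addr.is_loopback else "address %s" % addr
            findings.append((ip, name, "high",
                             "update infrastructure name pinned to " + where))
        else:
            findings.append((ip, name, "review", "non-local name pinned in hosts file"))
    return findings


if __name__ == "__main__":
    for ip, name, sev, why in suspicious_entries(SAMPLE_HOSTS, local_hostname="workstation"):
        print("%-7s %-16s %-28s %s" % (sev, ip, name, why))
```

On a real machine you would feed the function the contents of `/etc/hosts` (or `%SystemRoot%\System32\drivers\etc\hosts` on Windows) and the hostname from `socket.gethostname()`; a pinned update name resolving to loopback is the "can't find the supplier" case, and one resolving to a routable address is the "fake supplier" case.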

c.       What does a rootkit do that a virus by itself does not?  (there are multiple answers).

A virus self-replicates and spreads copies to other systems.  A rootkit does not, but it plants something that permits later privilege escalation.

d.      Why is shellcode useful in constructing a buffer overflow attack on the stack?

It permits constructing a short and exact package which can be placed on the stack to modify return addresses and the calling process’s variables.  A compiler or conventional assembler usually can’t construct the exact code needed.

2.      The following questions relate to I/O as implemented in Unix/Linux.

a.       What is meant by the term line discipline?

The method used to allow the backspace and other keys to be used to edit a line before it is finally entered using the newline.  The alternative is raw mode, when all keystrokes are sent directly to the application.

b.      The read system call is designed for sequential reading with an understood file pointer.  Where in the system (in user or system space) does the file pointer reside and why?

It lives in the FILE structure which belongs to the individual user process.  Thus each user has its own pointer and is not disturbed by another process reading at the same time.

c.       If you are appending to a file managed as in part b., what system call do you use to do so?

lseek or llseek – these can move the pointer to a desired position relative to the beginning, or the end, or the current file position.

d.      How do you use this method to overwrite part of a file?

Position the pointer to the desired point and then write.  You have to know a numerical value for the desired point.
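Parts b. through d. as one runnable illustration, added here as an example and not part of the exam: a scratch file is appended to with `SEEK_END`, overwritten in place at a known byte offset with `SEEK_SET`, and then the same file is opened twice to show that each open carries its own file pointer. The helper names are mine; the system calls are Python's thin wrappers over `lseek(2)`, `read(2)` and `write(2)`.

```python
import os
import tempfile


def append_then_overwrite(initial, append_chunk, overwrite_at, overwrite_with):
    """Write `initial` to a scratch file, append with SEEK_END, overwrite in
    place with SEEK_SET, and return the final contents (all args are bytes)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, initial)
        # Appending: position relative to end of file (offset 0 from EOF).
        os.lseek(fd, 0, os.SEEK_END)
        os.write(fd, append_chunk)
        # Overwriting: an absolute byte offset from the beginning. The caller
        # must know this number; write() replaces bytes in place and never
        # truncates, so a shorter replacement leaves the tail intact.
        os.lseek(fd, overwrite_at, os.SEEK_SET)
        os.write(fd, overwrite_with)
        # Read everything back from the start.
        os.lseek(fd, 0, os.SEEK_SET)
        return os.read(fd, os.fstat(fd).st_size)
    finally:
        os.close(fd)
        os.unlink(path)


def offsets_are_per_open(data):
    """Open the same file twice and show that each open() carries its own file
    pointer: reads on one descriptor do not move the other. Returns the three
    chunks read, in order."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, data)
        os.close(fd)
        a = os.open(path, os.O_RDONLY)
        b = os.open(path, os.O_RDONLY)
        try:
            first = os.read(a, 3)          # a's pointer -> 3
            second = os.read(b, 3)         # b still starts at 0
            # SEEK_CUR: relative to a's current position (skip one byte).
            os.lseek(a, 1, os.SEEK_CUR)    # a's pointer -> 4
            third = os.read(a, 2)
            return first, second, third
        finally:
            os.close(a)
            os.close(b)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(append_then_overwrite(b"hello world", b"!!", 6, b"WORLD"))
    print(offsets_are_per_open(b"abcdefgh"))
```

Two caveats worth knowing when relying on this: descriptors produced by `dup()` or inherited across `fork()` share one open file description and therefore one offset, so the independence shown above holds for separate `open()` calls, not for copies of the same descriptor; and for appends under concurrent writers the `O_APPEND` open flag makes the seek-to-end and the write one atomic step, whereas an explicit `lseek` followed by `write` can interleave with another process.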


3.      This problem relates to the network protocol stack and network security.   Answer the following, briefly, please.

a.       Between what protocol layers does SSL (secure socket layer) go, and also how does browser code use SSL to do a secure login?

Above the TCP layer.  A call to the SSL API reaches the top of the TCP layer.

b.      Where does IPsec (IP security) go and why is it, rather than SSL, used in routers?

Between TCP and IP.  A router works at the IP level and doesn’t use or understand TCP.

c.       Describe some security issue you have recently found while surfing (the web, not Rincon).

Answer

d.      What is the suid permission and where is it to be found in the file system?

SUID means the process executing a file with SUID set can make the setuid() call and temporarily use the effective user ID of the process owning the file.  The suid bit is in the permissions word in the inode of the file.
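A small auditing routine for the bit this answer describes, added here as an example and not part of the exam: it walks a directory tree, reads each inode's mode word with `lstat`, and reports regular files whose setuid bit (`S_ISUID`, octal 04000) is set, which is the inventory a defender keeps because every such file is a privilege boundary. The `demo()` function builds a scratch tree with one setuid file so the routine can be exercised without root; it assumes a Unix-like host where the owner may set the bit with `chmod`.

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Walk `root` and return sorted paths of regular files with S_ISUID set.

    lstat() is used so that symlinks are examined as links rather than
    followed, and unreadable entries are skipped instead of aborting the scan.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            # The mode word from the inode carries the permission bits plus
            # the type; mask for the setuid bit on regular files only.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def describe_mode(mode):
    """ls-style rendering of an st_mode, e.g. '-rwsr-xr-x' when setuid is set."""
    return stat.filemode(mode)


def demo():
    """Create a scratch tree with one plain and one setuid file (constructed),
    scan it, and return (relative hits, mode string of the setuid file)."""
    with tempfile.TemporaryDirectory() as root:
        plain = os.path.join(root, "plain")
        suid = os.path.join(root, "bin", "setuid-tool")
        os.makedirs(os.path.dirname(suid))
        for p in (plain, suid):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\n")
        os.chmod(plain, 0o755)
        os.chmod(suid, 0o4755)   # rwsr-xr-x: owner-exec with setuid bit
        found = find_setuid_files(root)
        rel = [os.path.relpath(p, root) for p in found]
        return rel, describe_mode(os.stat(suid).st_mode)


if __name__ == "__main__":
    print(demo())
```

Run against `/` on a production host the same routine produces the baseline list to diff against on later scans; a new entry, or a known entry whose owner or contents changed, is the signal to investigate.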