-
Notifications
You must be signed in to change notification settings - Fork 0
/
finalReview.tex
327 lines (215 loc) · 10 KB
/
finalReview.tex
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
\documentclass[8pt]{extreport}
\usepackage[margin=0.25in]{geometry}
% TESTING
\begin{document}
XXX Safety Policy - Prove that any future state will not result in the leakage
of an access right to an unauthorized user XXX
{\Huge Access Control}
% Chapter 4: review questions 4.1-4.7, problems 4.3, 4.4, 4.5, 4.8
{\bf R.4.1} MAC provides a static, provably safe access control system. DAC
trusts the admission and rejection of access rights to user's as opposed to
administrators and thus it is not provably secure.
{\bf R.4.2} RBAC relates to MAC in that users are assigned a role by the
administrator and have access to only the system objects that people with that
role have access rights to. RBAC varies from both DAC and MAC in that the access
rights of a role are strictly applied to groups of people who are given that
role, while DAC and MAC traditionally are determined on a per-user/person basis.
{\bf R.4.3}
Owner: The owner, typically creator of an object
Group: A set of users that have certain access rights to an object
Other: Everybody else
{\bf R.4.4} A subject is the actor, it acts on objects. The object is the entity
of interest, it is acted upon.
{\bf R.4.5} An access right is an indicator that a particular subject can act on
a particular object.
{\bf R.4.6}
ACL: An object and the rights that each subject has to act on it.
Ticket: A subject and the rights it has to act on each object.
{\bf R.4.7}
A protection domain is a grouping of access rights that a particular set of
objects have. One simple example of this is Kernel access rights as opposed to
User access rights; User Mode can access only certain objects while Kernel mode
can access all objects.
%{\bf 4.3}
%{\bf 4.4}
%{\bf 4.5}
%{\bf 4.8}
% Chapter 6: review questions 6.1, 6.7, 6.9, problems 6.7, 6.10, 6.12
{\Huge Malware}
Worm is a stand alone programs while virus is dependent on another piece of
software.
{\bf R.6.1} Malware can propagate through
1. Social Engineering Attacks,
2. Vulnerability Exploits,
3. Infected Content.
{\bf R.6.7} A drive-by-download is a web browser exploit (or potentially other
internet application I think) that is triggered upon visiting a certain
web-site. This differs from a worm in that the drive-by-download does not
actively propagate itself once it has infected a host, it continues to sit
dormant on the web server waiting for other unsuspecting users to visit the
page.
{\bf R.6.9}
Backdoor: A mechanism that allows bypassing of a security check.
Bot: A machine whose computational/network resources have been remotely taken
over by a hacker.
Keylogger: Software that captures the key-strokes of a user.
Spyware: Software that collects information about users using the infected
machine and sends the information off to the hackers server. \texttt{This
does/can include a keylogger}
Rootkit: A set of tools which are installed with root access that will provide a
hacker a returning backdoor, as well as other tools the hacker might need when
accessing the infected machine. This is done with root access, so at the kernel
level, and cannot be detected by the operating system because it is a part of
the operating system essentially. \texttt{This does/can include all of the above}
% Chapter 8: review questions 8.1-8.9, 8.13, problems 8.6, 8.8
{\Huge Intrusion Detection}
{\bf R.8.1}
Masquerader: Someone who does not have access that penetrates system and then
pretends to be a legit user accesses.
Misfeasor: Legitimate user who misuses their rights.
Clandestine User: Gets admin access and evades detection by avoiding or
suppressing audit selection and bypassing access right checks.
{\bf R.8.2} What are the components of an IDS?
Sensor: Collecting the data.
Analyzer: Receive input from sensor or other analyzer and decide if intrusion
has occurred could provide evidence and suggest what to do next.
User Interface: Portray results to user. And control.
{\bf R.8.3}
HIDS: Monitors single host and looks for suspicious activities of that host.
NIDS: Monitor network traffic at network, transport, and application layers.
{\bf R.8.4} Benefits of IDS:
1. If able to react fast enough, can detect and eject intruder, 2. Deterrent...,
3. Can provide information about intrusion techniques that makes us more robust
against intrusion in the future.
%{\bf R.8.5}
{\bf R.8.6}
Anomaly Detection: (WhiteList) Make profile for user and use statistical methods to test
against that profile to see if user is acting as an anomaly.
Signature Detection: (BlackList) Look for some particular predefined bad
behavior.
{\bf R.8.7}
Metrics and measures for intrusion detection:
- Login and Session Activity
- Command or Program Execution Activity
- File Access Activity
{\bf R.8.8}
Rule-based Anomaly Detection: Same as anomaly detection except uses history of
audit to make rules, then make rules based on run-time and compares the two.
Rule-based Penetration Detection: Build rules based on analysis of attack tools
and scripts collected on internet. Allows 'penetration' to be within bounds of
non-anomaly like behavior.
{\bf R.8.9} Base Rate Fallacy:
Even with system that has 99\% acc., end up getting lots of false positives or
false negatives depending on what the system is built for. For security, prefer
false positive; For usability false positives interfere with usability. False
negatives mean that we think system is secure but it is actually not.
{\bf R.8.13}
Honypot: Outside of firewall, used as decoy to either satisfy dumb adversary or
to bait malicious people and blacklist them.
% Chapter 9: review questions 9.1-9.5, 9.11, 9.13, problems 9.4, 9.5
{\Huge Firewall}
{\bf R.9.1}
Goals of firewall:
1. All traffic must be captured by firewall.
2. Only authorized traffic must pass by firewall.
3. System/hardware running firewall cannot be penetrated
{\bf R.9.2}
Firewall techniques for enforcing security policy.
Service Control: Which internet services can be accessed.
Behavior Control: Controls how internet services are used; e.g. filter email spam.
Direction Control: Determines direction that internet service can flow for
particular services.
User Control: Control access to internet service based on the user trying to
access it.
{\bf R.9.3}
What mechanisms are used in packet firewalls: Src IP, Dst IP, TCP/UDP Port, IP
protocol, NIC(MAC addr).
{\bf R.9.4}
Weaknesses of packet filter: IP spoofing attack, Tiny fragment attacks, hard to
configure correctly, no advanced authentication.
{\bf R.9.5}
Stateful Firewall: Can track TCP sessions and sequence numbers, removing
possibility for session hijacking.
{\bf R.9.11}
DMZ = Demilitarized Zone: Has all public facing servers.
{\bf R.9.13}
IPS = Intrusion Prevention System: Super smart firewall IDS.
% Chapter 10: review questions 10.1-10.9, problem 10.10
{\Huge Buffer Overflow}
{\bf R.10.1}
Buffer Overflow: When you step past bounds of buffer.
{\bf R.10.2}
Stack, Heap, Global Data Area can be hit by buffer overflow and exploited.
{\bf R.10.3}
If can reach EIP, redirect flow of execution.
{\bf R.10.4} Two essential ingredients for Buffer Overflow exploit:
Location of SC, and how far EIP is from buffer overflow.
{\bf R.10.5}
Lower level languages, that do not automatically check buffer ranges upon
accesses are vulnerable to buffer overflow.
%{\bf R.10.6}
%{\bf R.10.7}
%SC: a piece of code that gives you a shell.
% {\bf R.10.8}
% {\bf R.10.9}
% Chapter 11: review questions 11.4-11.7, 11.11, 11.13, problem 11.4
{\Huge Software Security}
{\bf R.11.4}
Injection Attack: Non-sanitized input gets executed because of poor programming
convention.
{\bf R.11.5}
SQL injection: Will execute arbitrary querry to a DB on server.
Command injection: Will execute arbitrary server code.
{\bf R.11.6}
XSS: Input from one user including malicious code is output to another user who
upon viewing will execute that code; guest-book example.
{\bf R.11.7}
Input Sanitization is the most commonly used method to verify the correctness of
input. Make sure input has no code, essentially.
{\bf R.11.11}
Race Condition: Two procs share mem and are trying to perform write, final value
of mem depends on the order that the procs get to the memory.
{\bf R.11.13}
Principle of Least Privilege: Give each user the minimal set of access rights
needed to execute what they need to execute to fulfill their role.
% Chapter 12: review questions 12.3-12.7, 12.17, problems 12.1, 12.4, 12.5
{\Huge OS Security}
{\bf R.12.3}
Basic steps to secure base OS:
1. Install/Patch(Update) ; 2. Harden and Config (RM unneeded services, Config users and permissions,
configure resource controls); 3. install security controls (IDS, Firewall,
Anti-Virus). 4. TEST
{\bf R.12.4}
Keeping up to date important because new flaws always discovered.
{\bf R.12.5}
Autopatching is easier for sys-admin, bad because might patch be stupid and
introduce instability. Patches should likely be investigated by sys-admin
whereever security is of utmost importance.
%{\bf R.12.6}
%Less vectors of attc
%{\bf R.12.7}
{\bf R.12.17}
Chroot jail: restricts services/applications view of filesystem to particular
folder. CAN BE CIRCUMVENTED.
% Chapter 13: review questions 13.2, 13.4, 3.8, 13.9, 13.13, problems 13.1, 13.2, 13.4, 13.9
{\Huge MLS}
{\bf R.13.2}
Properties of MLS BLP
1. ss-property: (read-up) Can only read if subjects level is >= than the objects.
2. *-property: (write-down) Can only write if subjects level is <= than the objects.
3. ds-property: (static?) If subject currently has access to object, then they have the
access rights to it.
{\bf R.13.4}
BLP: (Confidentiality) No Read-Up, No Write-Down
Biba: (Integrity) No Read-Down, No Write-Up
{\bf R.13.8}
Reference monitor must enforce security rules -- No Read-Up, No Write-Down
{\bf R.13.9}
Reference monitor must have 1. Complete Mediation (Every access must be
handled), 2. Isolation (DB cannot be accessed or written by unauthorized
subjects), 3. Verifiable (Provable correctness of actions)
{\bf R.13.13}
TMP Offers: 1. Auth Boot, 2. Certification (it has a private key that only it knows),
3. Encryption (Only machine with particular setting can decrypt what TPM has
encrypted)
\end{document}