Exam Info

When & Where

The final exam will be held in our regular classroom on Monday, May 6, 2024. It will start promptly at 4:00pm and you will have until 5:30pm to complete it.

Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. Plan to use a pen only if you are supremely confident in not changing your mind about your answers. . Check here for information about pencils, sharpeners, and the craft of pencil sharpening.

Past exams

The exam will be similar in structure to mid-semester exams but will cover material for the entire course. You can use past exams as a guide to what this exam may look like.

I do not refer to old exams when I come up with a new one, so it is likely that many of the topics that I considered important in past exams will show up on future exams. Some material may have changed, however, so do not worry about questions that appear to relate to topics we have not covered.

Get past 419 exams here.

Study guide

You are responsible for the material from the first four lectures and recitations.

The final exam study guide is a concatenation of the previous three study guides along with the last lecture and attempts to cover most of the material you should know. It is not a substitute for the lectures, lecture material, and other reading matter. My goal is to put most of the information you need to know in as concise a form as possible.

Get the study guide

Topics

Topics that you should know and may be on the exam include:

Introduction

  • What is computer security? Know the terms
    • CIA Triad
    • Confidentiality
    • Understand how privacy relates to confidentiality
    • Integrity
      • Data integrity
      • origin/destination (endpoint) integrity
      • system integrity
    • Availability
  • Security goals
    • Prevention
    • Detection
    • Recovery
  • Policy vs. Mechanism
  • Definitions
    • Vulnerability
    • Exploit
    • Attack, attack vector, attack surface
    • Threat categories (know but don’t memorize)
      • Disclosure
      • Deception
      • Disruption
      • Usurpation
    • Threat modeling
  • Examples of threats
    • Snooping
    • Modification
    • Alteration
    • Repudiation of origin
    • Denial of receipt
    • Delay
    • Denial of service
  • Internet-enabled threats
    • Distance
    • Asymmetric force
    • Anonymity
    • Indistinct data
  • Types of attackers: opportunistic, targeted, advanced persistent threat
  • What is a trusted computing base?

Cryptography: Symmetric

  • Terms:
    • authentication, integrity, nonrepudiation, confidentiality
    • plaintext, encryption, ciphertext, decription, cipher
    • secret algorithm, public key cipher, symmetric cipher, symmetric key, public key, private key
  • Schneier’s Law
  • Kerckhoffs’s principle
  • Properties of a good cryptosystem
  • What is Shannon entropy? (You don’t need to know the formula)
  • Key length
  • Classic cryptography
    • Monoalphabetic substitution cipher; shift cipher
    • Attacks: frequency analysis
    • Polyalphabetic substitution cipher: Vigenère cipher
      • Why is it better than a monoalphabetic substitution cipher?
    • One-time pad: why is it so secure?
  • What is perfect secrecy and what is needed to achieve it?
  • What is a stream cipher and a keystream? Seeded pseudorandom number generator.
    • What is a running key?
  • What is a rotor machine? Just know it’s a symmetric polyalphabetic cipher.
  • Transposition cipher: Have a basic idea of what it does
    • What’s a scytale?
    • Columnar transposition cipher
  • What is a block cipher?
    • What is meant by an iterative cipher and multiple rounds?
    • What is a subkey?
    • What is meant by substitution-permutation?
    • What is meant by confusion and diffusion?
    • What is an s-box?
    • What is the general idea behind a Feistel cipher?
    • What is an SP-Network?
    • I will not ask you how DES works but know it’s a Feistel cipher
    • DES vs. 3DES
    • I will not ask you how AES works but know it’s an SP-Network
  • Block cipher modes
    • Electronic Code Book mode (ECB) - problems with using it
    • Cipher Block Chaining mode (CBC)
    • Counter mode (CTR)

Cryptography: Public

  • Key distribution
    • Why is it a problem?
  • What is meant by a trapdoor function?
  • Public key cryptography
    • Understand how you use public & private keys
    • I will not ask you about how RSA works but know it’s based on the difficulty of factoring products of large primes.
    • I will not ask you about how ECC works but know it’s based on the difficulty of computing discrete logarithms
    • Some problems with using public key algorithms for general purpose communication
  • Diffie-Hellman key exchange
    • You don’t have to know the algorithm
    • Know that it’s for key exchange and not encryption
    • Understand how public & private keys are exchanged (you don’t need to know the formula)
    • Know that it is based on (ab)mod c and its strength is based on our inability to find the inverse - do discrete logarithms
    • Advantage over using RSA for key exchange
  • What is a hybrid cryptosystem? What’s the advantage?
  • What is meant by forward secrecy?
  • What are ephemeral keys vs. long-term keys?
  • What are session keys?
  • Understand what algorithms are most affected by quantum computing

Message Integrity

  • What is a one-way function?
  • What is a cryptographic hash function?
    • What are the properties of a cryptographic hash function?
    • What is pre-image resistance?
    • What does it mean to be collision resistant?
    • How do the birthday paradox and the pigeonhole principle tell us about hash functions?
    • I will not ask you about the difference between strong and weak collision resistance
  • I will not ask you how SHA-1 or SHA-2 work
  • Message Authentication Codes
    • What is a Message Authentication Code (MAC, or keyed hash)?
    • I will not ask you the formula for HMAC but understand it’s based on hashing the message and a secret key
    • Understand what a CBC-MAC is
  • Digital signatures
    • What is a digital signature? How do you create one?
    • What are the properties of a digital signature?
    • What are the three basic operations you need to create and use digital signatures?
  • What is a session key?
  • How can a public key serve as an anonymous identity?
  • Certificates
    • How do certificates serve as non-anonymous identities?
    • Understand that a certificate contatins identifying information, a public key, the CA’s identification, and CA’s signature
    • What is a CA (Certification Authority)?
    • What is certificate revocation?
  • Signed software
    • Understand the principle
    • Advantage of per-page signatures

Combined authentication and key exchange

  • Use of a trusted third party for combined authentication and key exchange
  • Public key authentication
  • Diffie-Hellman key exchange (see earlier notes)
  • Needham-Schroeder: understand the value of adding a nonce
  • Understand the value of adding a timestamp (you don’t have to remember the names Denning-Sacco)
  • Understand the value of using session IDs (you don’t have to remember the names Otway-Rees)
  • Kerberos
    • Understand it uses a trusted third party
    • You don’t have to know the protocol in detail but understand the phases and data you get
    • Understand that you get an encryted session key and a ticket
    • Understand what a ticket is (basically, the same session key encrypted for the service)
    • Understand what a Ticket Granting Server does (provides tickets for all services other than giving the user a ticket for the TGS)

Authentication

  • Distinction between identification, authentication, & authorization
  • What are the three factors of authentication?
  • What is multi-factor authentication?
  • Password Authentication Protocol
    • How does it work?
    • What are the security problems?
    • Hashed passwords
    • Dictionary vs. brute force attacks
    • Precomputed hashes
    • Salt
    • Password recovery options
  • One-time Passwords
    • Sequence-based
      • Understand how one-way functions can be used to create a list of one-time passwords
    • Challenge-based
      • Know the basic steps of CHAP
      • What makes it secure over a network?
      • Passkey authentication
    • Time-based (or sequence-based)
      • Have a basic understanding of how time-based one-time passwords (TOTP) work: f(time, key)
      • I will not ask abou Yubikey or SecurID (we didn’t cover those)
  • How are authentication protocols vulnerable to man-in-the-middle attacks?
  • How can you guard against man-in-the-middle attacks?

Biometric Authentication

  • Text: Chapter 15: pages 457–482 (from homework)
  • How does pattern recognition apply to biometrics?
  • How do _thresholds apply to biometrics?
  • False accept rate (FAR) vs. false reject rate (FRR)
  • Receiver Operator Characteristic (ROC) plot
  • Behavioral factors
  • Fingerprint minutiae
  • Robustness vs. distinctiveness
  • Authentication process: enrollment, sensing, feature extraction, pattern matching, decision
  • Challenges:
    • trusted devices and data path
    • human liveness
    • tamper-proof devices and secure communications
    • thresholds
    • compartmentalization
    • theft of biometric
  • Cooperative vs. non-cooperative systems

Bitcoin and Blockchain

  • Addresses (you don’t need to know the steps for deriving one)
  • Distributed ledger: blocks and blockchains
  • User identification (“addresses”)
  • Transaction components: inputs, outputs, change, fee
  • Double spending problem
  • Role of Merkle trees and blockchains
  • Role of mining and proof of work
  • Target hash
  • Difficulty Adjustment Algorithm (just know what it does)
  • Handling competing chains
  • Confirmation
  • What is a 51% attack?

Access control

  • What is protection?
  • What is access control?
  • Basic OS and hardware mechanisms for protection
    • Hardware timer
    • Process scheduler
    • Memory management unit (MMU)
    • user vs. kernel mode execution
    • You do not need to know about rings of privilege levels or call gates
    • Purpose of authentication
    • Subjects vs. objects
  • Unix access control model
    • root user
    • User, group, other
    • Read, write, execute permissions
    • You don’t need to know the order of checking
    • You don’t need to know windows domains
    • You don’t need to know what permissions mean for directories (e.g., execute?)?
    • You don’t need to remember /etc/passwd and /etc/group but know that there’s a file that stores a user' login, user ID, and a user’s default group … and another that stores a list of groups and user names that belong to each group
    • You don’t need to remember syntax but know:
      • chmod - change permissions of a file
      • chown - change ownership of a file
      • chgrp - change group of a file
      • umask - initial (default) permissions of a file
      • possible race condition with using umask
    • setuid - what does it do? What are the risks?
  • Access control lists (ACLs)
    • Know the purpose of ACLs
    • You don’t need to know any syntax for setting them
  • Principle of least privilege
  • Privilege separation
  • Access control matrix
    • What’s a row annd what’s a column?
    • I will not ask about access transitions
    • I will not ask about domain transfers
    • Implementation problems of ACLs
    • Implementation problems of capability lists
  • Mandatory Access Control (MAC)
    • DAC vs. MAC
    • Bell-LaPadula Model
      • Simple Security Property
      • *-Property
      • Discretionary Security Property
      • I will not ask about Bell-LaPadula tranquility principles
    • Biba Integrity Model
      • Difference from Bell-LaPadula
      • Simple Integrity Property
      • *-Property
    • Type Enforcement (TE) Model
      • Just the concept
    • Role-Based Access Control (RBAC) Model
      • Just the concept
  • Multilateral security (lattice model)
    • What is the concept?
    • What is a compartment?
    • What does a lattice model represent?
  • Chinese Wall model
    • What is the goal?
    • What is a conflict class?
    • I will not ask you about the Simple security property and *-property but understand when a subject will or will not be granted access to an object.
    • I will not ask you about unsanitized data

Code injection attacks

  • What is a buffer overflow?
  • Why are setuid programs attractive targets?
  • Stack overflow
    • Role of stack pointer
    • Return address overwrite
    • NOP slide = landing zone
  • Off-by-one stack overflow
    • What is a frame pointer?
    • Taking control
  • Heap overflow
    • What is the risk?
  • Format string attacks
    • What creates the vulnerability?
    • Understand how you can read the stack
    • Understand how you can write to memory via printf
  • Defenses
    • Safe vs. dangerous functions (e.g., strncpy vs. strcpy)
    • What does fuzzing do?
    • What’s the problem with languages like C or C++?
    • Data Execution Prevention (DEP)
      • What does it do?
      • What is a return-to-libc attack?
      • What is Return Oriented Programming (ROP)?
    • Address Space Layout Randomization (ASLR)
      • What is it?
    • Stack canaries
      • What are they?
      • When are they checked?
      • Why would a compiler re-order how variables are allocated on the stack?
    • Shadow stacks

Input bugs, overflow, command injection attacks

  • Concepts and effects of overflow and underflow
  • Command injection attacks
    • What are they?
    • Difference from code injection
  • SQL injection attack
    • I do not expect you to know SQL but recognize how the attack works and how interpreted languages and command interpreters in general are vulnerable
    • Prevention
      • Escaping
      • Parameterized queries
  • Importance of input sanitization (input validation)
  • Dangers of using Python’s eval() or exec()
  • What does shlex.quote() do in Python and what are its limitations?
  • Shell and execution environment attacks
    • system() and popen() risks
      • Understand that the attacks are essentially the same as for SQL injection
    • PATH: what is the risk?
    • LD_PRELOAD/LD_LIBRARY_PATH: what is the risk?
    • Assumptions about stdin, stdout, stderr: how might you attack a program via a file descriptor?
  • Function interposition
  • Non-injection attacks
    • Understand what is meant by comprehension errors
    • Understand why parsing a filename can be tricky
    • Understand why unicode can make parsing even trickier
    • What is a TOCTTOU (Time Of Check To Time Of Use) attack?
    • mktemp() problem

App Confinement

  • Why is access control not sufficient?

  • chroot

    • What does it do?
    • Why must it only be run as root?
    • What is the purpose of a jailkit?
    • How can you escape a chroot jail if you get root privileges?

  • FreeBSD Jails

    • Understand the goal and how they wanted to improve chroot
    • Ability to restric what root can do inside a jail

  • Linux app isolation

    • Namespaces
      • Recognize the different namespaces: IPC, network, mount (file system), process IDs, user/group IDs, network name
      • Understand the concept of the clone() system call: create a new process but specify which namespaces get shared
    • Capabilities
      • Note that these have no relation to capability lists for files
      • Know that they restrict what a proess can do with root privileges if it becomes root
      • You don’t have to know the capabilities but it might be good to recognize a few of them to understand what kind of things they control
    • Control groups
      • Just know that they allow you to limit the amount of resources used by a proces (CPU, memory, file I/O, network I/O)

  • Containers

    • Security components: namespaces, cgroups, capabilities
      • Remember what these do
    • What are containers and what are the benefits?
      • Separate policy from enforcement
      • Helps avoid comprehension errors
      • How does a container differ from a virtual machine?
      • Main components: control groups, namespaces, capabilities, copy-on-write file system
      • Understand some possible security problems with containers
    • You don’t need to know Docker Hub and Docker swarm or any Docker commands
    • What’s meant by container orchestration?
    • What is Kubernetes designed for?

Virtual Machines

  • Process virtual machine: what is it? How does it differ from a VM?
  • What’s a hypervisor (virtual machine manager)
  • Handling of privileged instructions with VMM in place
  • Native vs. hosted VM
  • Covert channel (side channel attack): what is it?

App Confinement: Application Sandboxing

  • Kernel hooks with user-level validation (e.g., Janus)
    • Hooks
    • Per-process policies
    • User-level validation (e.g., Janus) problems: TOCTTOU, state synchronization
  • Native OS sandboxing
    • Linux Seccomp-BPF
    • system call filters
    • pattern matching
    • You don’t need to know anything about the Apple Sandbox
  • Java sandbox roles of bytecode verifier, class loader, security manager
  • You don’t need to know anything about web sandboxes or the Chromium Native Client

Malware

  • Be familiar with terms: adware, exfiltration, spyware, ransomware, DoS, DDoS, zero-day, social engineering

  • Worm vs. virus

  • Virus components: infection mechanism, packer, dropper, payload, trigger (logic bomb)

  • Infiltration mechanisms

    • Code vulnerabilities, modified compilers, modified USB firmware, …
    • Social engineering
    • Credential stuffing

  • Where malware lives

    • File infector virus
    • Bootloader (or boot sector) virus, bootkits
    • Infected flash drives: AutoRun, hacked firmware (UEFI), and data leakage
    • Macro viruses
    • Trojans
    • Backdoors
    • I will not ask about JavaScript, source repositories
    • Rootkits: user & kernel mode rootkits
      • Hypervisor rootkit: what makes it more dangerous than other rootkits?
    • I will not ask you about the Red Pill (SIDT instruction)
    • I will not ask about Stuxnet

  • Gathering information via malware

    • Phishing, spear phishing
    • Keyloggers
    • Deceptive websites

  • Bots, botnets, command & control servers

  • Defenses

    • file protection (including MAC)
    • warning users
    • Anti-malware software
      • Signature scanning
      • Static heuristic analysis
      • Behavioral analysis
      • Sandboxing
    • Other defenses
      • Removing admin rights from users
      • Containers (but know there are problems)
    • Malware countermeasures: packers, polymorphism, triggers.
    • Understand the lessons of Reflections on Trusting Trust

Network security

  • Basic concepts of local area network (LAN), IP, transport layer, TCP, UDP
  • Link layer
    • What does a CAM overflow attack do?
    • What does a switch spoofing attack (VLAN hopping) do?
    • What is ARP cache poisoning?
    • What is the purpose of ARP? Know the purpose of an ARP response and a gratuitous ARP.
    • How can a system try to defend against ARP cache poisoning?
  • Network layer
    • What is DHCP server spoofing?
    • How does DHCP snooping work?
    • Understand lack of authentication in IP datagrams, source address spoofing
    • Router attacks
  • Transport layer
    • Simplicity of forging UDP packets
    • Understand the need for random TCP starting sequence numbers
    • What is a SYN flooding attack and how can you guard against it?
  • Routing
    • You don’t need to know External BGP vs. Internal BGP or OSPF (that’s background 352 info)
    • What is the security problem with BGP?
    • Path forgery, prefix forgery
    • Purpose of RPKI
    • Purpose of BGPsec
    • Security problem with DNS
    • You don’t need to know about the domain registry, registar, root servers (that’s background 352 info)
    • How does DNS cache poisoning work?
    • How does DNS cache poisoning differ from pharming?
    • Possible defenses against DNS spoofing
    • What is a DNS rebinding attack?

Firewalls & VPNs

  • Now doe Network Address Translation help with security?

  • Virtual Private Networks

    • What is a tunnel?
    • Tunnel mode vs. transport mode
    • IPsec Authentication Heander (AH) protocol
      • Just understand what it authenticates and encrypts
    • IPsec Encapsulating Security Payload (ESP) protocol
      • Just understand what it authenticates and encrypts
    • You don’t need to know the ciphers used by IPsec but know that it uses symmetric cryptography and HMACs. Know that Diffie-Hellman is most commonly used for key exchange.

  • Transport Layer Security (TLS)

    • Goal of SSL/TLS
    • Mutual vs. uni-directional authentication
    • Remember that SSL (Secure Socket Layer) evolved into TLS (just to not be confused between the acronyms)
    • Basic concepts: authentication, key exchange, message integrity, communication.
    • You don’t need to know the ciphers used by TLS but know that authentication is done with public keys and X.509 certificates, key exchange is be done with Diffie-Hellman keys; know that data is encrypted with a symmetric algorithm (usually AES), and data integrity is provided with an HMAC.
      • Know there are handshake and communication phases
    • You don’t need to know how the protocol changed in TLS 1.3
      • You don’t need to know TLS 1.3 key derivation (HKDF) or AEAD
    • You don’t need to know past attacks on TLS
    • Know that client authentication is almost never used. Why?

  • Difference between using VPNs and TLS

  • Firewalls

    • High-level goal of a firewall
    • Approaches: Packet filters (screening routers), application proxies, IDS/IPS
    • Packet filters
      • What does a screening router do?
      • What is a filter chain?
      • You don’t have to know the syntax of rules but should recognize allow/reject rules
      • You don’t have to know any of differences between Windows, OpenBSD, and Linux implementations
      • What is the basic firewalling principle?
      • Why is a default deny model good?
      • How do you guard against spoofed traffic?
      • First-generation vs. second-generation vs. third-generation packet filters
      • What does stateful inspecion add to a packet filter?
      • What is a DMZ (demilitarized zone)?
      • What is deep packet inspection (DPI) and deep content inspection (DCI)?
    • Intrusion Detection/Prevention Systems (IDS/IPS)
      • Understand the three types of systems: protocol-, signature-, and anomaly-based
      • Anomaly vs. misuse detection
      • Problem of false positives
      • Signatures in the context of IDS/IPS
      • Why is anomaly detection difficult?
    • Application proxies
      • What are they?
      • What is a dual-homed host?
      • What is a bastion host?
    • What is deperimiterization and how does the zero-trust model address it?
    • Host-based vs. network firewalls

DDoS Attacks

  • Distributed Denial of Service attack
  • Volumetric vs packet-per-second attack
  • Reflection amplification

Web browser security

  • Understand the increase in browser complexity (don’t memorize the list but understand the issues)
    • JavaScript, DOM allows modification of pages, more communication models, multimedia support
    • Components come from multiple sources
  • Role of iFrames
  • Same-origin policy
    • When are frames considered to have the same origin?
    • What unique resources can an origin access? Cookies, JavaScript namespace, DOM storage, DOM tree
    • I won’t ask you about the MIME sniffing attack
    • What can go cross origin? Images, CSS, JavaScript
    • Cross-Origin Resource Sharing (CORS)
    • What does CORS enable?
  • Cookies
    • When are they sent to the server?
    • Purpose of HttpOnly
    • Purpose of Secure flag
  • Cross-Site Request Forgery (XSRF)
    • How does it work and when is it a problem?
    • How can you defend against it?
  • What is Clickjacking? How can you defend against it?
  • I will not ask you about screen sharing attacks
  • Input sanitization issues
  • What is an SQL injection attack?
  • Cross-Site Scripting (XSS)
    • What is XSS?
    • Whet causes it?
    • Reflected vs. Persistent XSS
    • How do you defend against it?
  • Homograph/homoglyph attacks
  • Using images on the web to track access: tracking (spy) pixels

Steganography

  • What is steganography?
  • How does it differ from watermarking?
  • What is a null cipher?
  • What is chaffing and Winnowing?
  • Some techniques to add data to images that users will not detect
  • Text shifting

Mobile device security

  • Why are mobile devices attractive targets?
  • Android security
    • Application manifest
    • Use of Linux user IDs
    • Permissions and Intents
    • Use of stack canaries, heap overflow protection, ASLR, non-executable memory
    • Malicious intents, permission re-delegation, permission avoidance
  • iOS security
    • Sandbox with per-app directory
    • Permission-based access to resources
    • ASLR, Non-executable memory pages
    • Mandatory code signing
    • Per-file encryption (you don’t know how keys are derived)
    • Disk content encryption by encrypting metadata.
    • Masque attack
  • Hardware support for security
    • ARM TrustZone: trusted (secure) and non-trusted (non-secure) worlds
    • Apple Secure Enclave - basic similarity and difference from TrustZone
Last modified April 28, 2024.

© Paul Krzyzanowski. All rights reserved.

For questions or comments about this site, contact Paul Krzyzanowski, gro.kp@ofnibew

recycled pixels

The entire contents of this site are protected by copyright under national and international law. No part of this site may be copied, reproduced, stored in a retrieval system, or transmitted, in any form, or by any means whether electronic, mechanical or otherwise without the prior written consent of the copyright holder. If there is something on this page that you want to use, please let me know. Any opinions expressed on this page do not necessarily reflect the opinions of my employers and may not even reflect my own.

Page design derived from: HTML5 UP.