CS 419 Exam info

When & where

The third exam will be held in our regular classroom on April 29, 2019. It will take up about half the lecture, starting approximately during the second half of the class period. Please be sure to arrive on time and do not plan on coming in just to take the exam. If you arrive after the exam has started, you will not be allowed to take it.

Be sure to bring a pencil!

Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. The exam will be scanned, so use a pen only if you are supremely confident in not changing your mind. An extra pencil is affordable fault tolerance. If you want to splurge, the Palomino Blackwing 602 is considered by many to be one of the finest pencils available. The company advertises its key virtue as "half the pressure, twice the speed." If that claim is really true, using this product might help you complete the exam quicker. If you do not choose bring several extra pencils, you may want to bring a pencil sharpener. Palamino makes a companion Blackwing Long Point Sharpener. This, too, is pricey at $11.00. For a bit less money, you can get what looks like a clone: the Alvin Kum Long Point Pencil Sharpener. Both of these feature two-step sharpening: one for the wood case and another for the graphite core of the pencil. A truly beautiful sharpener is the El Casco Pencil Sharpener, but bringing this to class is really overkill, as is spending over $300 on a pencil sharpener. If you would like to learn the craft of pencil sharpening, there are several books available. The best of these may be How to Sharpen Pencils: A Practical & Theoretical Treatise on the Artisanal Craft of Pencil Sharpening for Writers, Artists, Contractors, Flange Turners, Anglesmiths, & Civil Servants by David Rees. Do not be intimidated by the omission of "students" in the title. You can read more about it at artisinalpencilsharpening.com. A video by David Rees is here. You are welcome to bring a full pencil sharpening travel kit to the exam but be aware that a proper sharpening routine may consume too much time during the exam and may be messy.

Past exams

You can use my recent exams as a guide to what this exam may look like. Expect a bunch of multiple-choice questions.

Get past 419 exams here.

Study guide

You are responsible for the material from since exam 2: weeks 10 through 13.

I've prepared a study guide that attempts to cover most of the material you should know. The guide is not a substitute for the lectures, lecture material, and other reading matter. My goal is to put most of the information you need to know in as concise a form as possible, with more elaboration in areas where textbook coverage may be lacking.

You can download lecture slides from the documents page. This link is the entire collection of lecture slides.


Topics that you should know and may be on the exam include:


  • Distinction between identification, authentication, & authorization
  • What are the three factors of authentication?
  • What is multi-factor authentication?
  • Password Authentication Protocol
    • How does it work?
    • What are the security problems?
    • Hashed passwords
    • Dictionary vs. brute force attacks
    • Precomputed hashes
    • Salt
    • Password recovery options
  • One-time Passwords
    • Sequence-based
      • Understand how one-way functions can be used to create a list of one-time passwords
    • Challenge-based
      • Know the basic steps of CHAP
      • What makes it secure over a network?
      • I will not ask you about MS-CHAP
    • Time-based
      • Have a basic understanding of how time-based one-time passwords (TOTP) work: f(time, key)
      • I will not ask you about SecurID cards
  • How are authentication protocols vulnerable to man-in-the-middle attacks?
  • How do you guard against man-in-the-middle attacks?
  • Public key authentication
  • Signed software
    • Understand the principle
    • Advantage of per-page signatures

Biometric Authentication

  • Text: Chapter 15: pages 457-482
  • What is statistical pattern recognition?
  • False accept rate (FAR) vs. false reject rate (FRR)
  • Receiver Operator Characteristic (ROC) plot
  • Behavioral factors
  • Fingerprint minutia
  • Robustness vs. distinctiveness
  • Authentication process: enrollment, sensing, feature extraction, pattern matching, decision
  • Challenges:
    • trusted devices and data path
    • human liveness
    • tamper-proof devices and secure communications
    • thresholds
    • compartmentalization
    • theft of biometric
  • Cooperative vs. non-cooperative systems
  • Detecting humans
    • What does Gestalt psychology address?
    • Goal of CAPTCHA
    • Improvement with NoCAPTCHA reCAPTCHA
  • Signed software: understand the principle
    • Why per-page signatures?

Network security

  • Link layer
    • What does a CAM overflow attack do?
    • What does a switch spoofing attack do?
    • What is ARP cache poisoning?
    • How can you defend against ARP cache poisoning?
  • Network layer
    • What is DHCP server spoofing?
    • How does DHCP snooping work?
    • Understand lack of authentication in IP datagrams
  • Transport layer
    • Simplicity of forging UDP packets
    • Understand need for random TCP sequence numbers
    • What is a SYN flooding attack?
    • How can you guard against it?
    • What does a TCP RESET accomplish?
  • Routing
    • What is the security problem with BGP?
    • You don't need to know RPKI and BGPsec
    • Security problem with DNS
    • How does DNS cache poisoning work?
    • Is there a defense against it?
    • What is a DNS rebinding attack?

Firewalls & VPNs

  • Virtual Private Networks
    • What is a tunnel?
    • Tunnel mode vs. transport mode
    • IPsec Authentication Heander (AH) protocol
      • Just understnad what it authenticats and encrypts
    • IPsec Encapsulating Security Payload (ESP) protocol
      • Just understnad what it authenticats and encrypts
    • You don't need to know the ciphers used by IPsec but know that it uses symmetric cryptography and MACs. Know that Diffie-Hellman can be used for key generation.
  • Transport Layer Security (TLS)
    • Goal of SSL/TLS
    • Mutual vs. uni-directional authentication
    • Know that SSL (Secure Socket Layer) evolved into TLS
    • Basic concepts: authentication, key exchange, message integrity, communication.
    • You don't need to know the ciphers used by TLS but know that key echange can be done with public keys, Diffie-Hellman keys, or pre-shared keys; know that data is encrypted with a symmetric algorithm (usually AES), and data integrity is provided with an HMAC.
    • Don't memorize TLS protocol attacks but recognize them if you see them described.
    • Know that client authentication is almost never used. Why?
  • Firewalls
    • High-level goal of a firewall
    • Approaches: Packet filters (screening routers), application proxies, IDS/IPS
    • Packet filters
      • What does a screening router do?
      • What is a filter chain?
      • You don't have to know the syntax of rules but should recognize allow/reject rules
      • You don't have to know the details of differences between Windows, OpenBSD, and Linux implementations
      • What is the basic firewalling principle?
      • Why is a default deny model good?
      • How do you guard against spoofed traffic?
      • What does stateful inspecion add to a packet filter?
      • What is a DMZ (demilitarized zone)?
      • What is deep packet inspection (DPI)?
    • Intrusion Detection/Prevention Systems (IDS/IPS)
      • Understand the three types of systems: protocol-, signature-, and anomaly-based
      • Anomoly vs. misuse detection
      • Problem of false positives
      • Signatures in the context of IDS/IPS
      • Why is anomaly detection difficult?
    • Application proxies
      • What are they?
      • What is a dual-homed host?
      • What is a bastion host?
    • What is deperimiterization?
    • Host-based vs. network firewalls

Web browser security

  • Understand the increase in browser complexity (don't memorize the list but understand the issues)
    • JavaScript, DOM allows modification of pages, more communication models, multimedia support
    • Components come from multiple sources
  • Role of Frames (and iFrames)
  • Risks of mixed http/https content
  • What is an extended validation (EV) certificate?
  • Same-origin policy
    • When are frames considered to have the same origin?
    • What unique resources can an origin access? Cookies, JavaScript namespace, DOM storage, DOM tree
    • I won't ask you about the MIME sniffing attack
    • What can go cross origin? Images, CSS, JavaScript
  • Cross-Origin Resource Sharing (CORS)
    • KNow that a page can load content cross origin
    • But JavaScript-based downloads must be same-origin
    • CORS allows servers to define other acceptable origins
  • Cookies
    • When are they sent to the server?
    • Purpose of HttpOnly
    • Purpose of Secure flag
  • Cross-Site Request Forgery (XSRF)
    • How does it work and when is it a problem?
    • How can you defend against it?
  • What is Clickjacking? How can you defend against it?
  • I will not ask you about screen sharing attacks
  • Input sanitization issues
  • SQL injection attacks
  • Pathname attacks to escape the HTML directory
  • I will not ask you about the Shellshock attack
  • Cross-Site Scriptnig (XSS)
    • What is XSS?
    • Whet causes it?
    • Reflected vs. Persistent XSS
    • How do you defend against it?
  • What is the GIFAR attack?
  • Data transfer with HTML image tags

Bitcoin and Blockchain

  • Double spending problem
  • Distributed ledger: blocks and blockchains
  • User identification ("addresses")
  • Role of mining and proof of work
  • Handling competing chains
  • What is a 51% attack?

Mobile device security

  • Why are mobile devices attractive targets?
  • Android security
    • Dalvik VM model
    • Use of Linux user IDs
    • Intents
    • Permission model
    • Use of stack canaries, heap overflow protection, ASLR
    • Malicious intents, permission re-delegation, permission avoidance
  • iOS security
    • Sandbox with per-app directory
    • Permission-based access to resources
    • Non-executable memory pages
    • Mandatory code signing
    • Per-file encryption
    • Disk content encryption by encrypting metadata.
    • Masque attack
  • Hardware support for security
    • ARM TrustZone: secure and non-secure worlds