Q.1] Explain in brief goals of system security?

Ans. When we talk about system security we mean Financial security , physical security , Computer security
.
The computer security means that we are addressing three very important aspects of
any computer related system ; confidentiality , integrity , and availability .

Confidentiality : ensures that computer related assets are accessed only by authorized parties .It is
sometimes called secrecy or policy . Confidentiality is the security property we understand best because its
meaning is narrower than the other two .this defines which people or systems are authorized to access the
current system? By accessing data do we mean that a authorized party can access a single bit ? pieces of
data out of context? Can someone who is authorized disclose those data to other parties ? this is defined by
the confidentiality which determines the data access strategies among the users and databases .

Integrity :
Integrity is much harder to pin down . when we survey the way some people use the term we find several
different meanings .

Relationships between confidentiality , integrity , availability .

for example , if we say that we have preserved the integrity of an item ,we may mean that the item is
Precise
Accurate
Unmodified
Modified only in acceptable ways
Modified only by authorized person
Modified only by authorized process
Consistent
Internally consistent
Meaningful and usable

Availability :
Availability applies both to data and to services for example an object or service is thought to be available
if: It is present in a usable form
It has capacity enough to meet service needs
It is making clear progress and if I wait mode it has bounded waiting time
The service is completed in an acceptable period of time.
We can trust an overall description of availability by combining these goals . We say a data item , service is
available if
1. there is a timely response to our request .
2. there is a fair allocation of resources , so that some requestors are not favored over others .
3. the service or system involved follows a philosophy of fault tolerance , whereby hardware or software
faults lead to graceful cessation of service or to work a rounds rather than to crashes and abrupt
loss of information .
4. th service or system can be used easily and in the way it was intended to be used .
 5. there is controlled concurrency ; that is there is support for simultaneous access , deadlock
management , and exclusive access as required .
These are the various goals of a security systems

Q.2: Explain vulnerability of computing system?

Ans:
Vulnerability is sometimes easier to consider vulnerabilities as they apply to all three broad categories
of system resources (hardware, software and data) rather than to start with the security goals themselves.
The foll. Fig. shows the types of vulnerabilities:

Interruption Interception

Hardware

Modification Fabrication

Interruption Fabrication Interruption Interception

Software Data

Interception Modification Fabrication Modification

Fig.: Vulnerabilities of Computing Systems

Hardware Vulnerabilities:
Hardware is more visible than software, largely because it is composed of physical objects. Because
we can see what devices are hooked to the system, it is rather simple to attack by adding devices, changing
them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer
function. However, designers can usually put safeguards in place.
But there are other ways that computer hardware can be attacked physically. Computers have been
drenched with water, burned, frozen, gassed and electrocuted with power surges. People have spilled soft
drinks, corn chips, ketchup, beer and many of dust, and especially ash from cigarette smoke, have
threatened precisely engineered moving parts. Computers have been kicked, slapped, bumped, jarred, and
punched. Although such attacks might be intentional, most are not; this abuse might be considered
“involuntary machine slaughter”: accidental acts not intended to do serious damage to the hardware
involved.

Software Vulnerabilities:
Computing equipment is of little use without the software (operating system, controllers, utility programs,
and application programs) that users expect. Software can be replaced, changed, or destroyed maliciously,
or it can be modified, deleted, or misplaced accidentally. Whether intentional or not, these attacks exploit
the software’s vulnerabilities.
Sometimes, the attacks are obvious, as when the software no longer runs. More subtle are attacks in which
the software has been altered but seems to run normally. Whereas physical equipment usually show some
mark of inflicted injury when its boundary has been breached, the loss of a line of source or object code
may not leave an obvious mark in a program. Furthermore, it is possible to change a program so that it
does all it did before, and then some. That is, a malicious intruder can “enhance” the software to enable it
to perform functions you may not find desirable. In this case, it may be very hard to detect that the
software has been changed, let alone to determine the extent of the change.

Data Vulnerabilities:
 Hardware security is usually the concern of a relatively small staff of computing center professionals.
Software security is a larger problem, extending to all programmers and analysts who create or modify
programs. Computer programs are written in a dialect intelligible primarily to computer professionals, so a
“leaked” source listing of a program might very well be meaningless to the general public.
Printed data, however, can be readily interpreted by the general public. Because of its visible nature, a
data attack is a more widespread and serious problem than either a hardware or software attack. Thus, data
items have greater public value than hardware and software, because more people know how to use or
interpret data.

Q 3] Explain the term ‘Computer Criminals’?

Ans : Computer criminals have an access to enormous amounts of hardware, software and data; they have
the potential to cripple much of effective business and government throughout the world. In a sense,
then the purpose of computer security is to prevent these criminals from doing damage.
The general characteristics of computer criminals are :-

a) Amateurs:- Most Amateurs are not career criminals but rather are normal people who observe
weakness in a security system that allows them to access cash or other valuables. In the
same sense, most capture criminals are ordinary computer professionals or users doing their
jobs when they discover they have access to something valuables.

b) Crackers:- System crackers often high school or university students attempts to access
computing facilities for which they have not been authorized. Cracking a computer defense is
seen as the ultimate victimless crime. The perception is that nobody is hurt or even
endangered by a little stolen time. Crackers enjoy the simple challenge of trying to login just
to see whether it can be done. Most crackers can do their harm without confronting any-body
not even making a sound. In the absence of explicit warnings not to trespass in a system,
crackers infer that access is permitted.

c) Career criminal:- By contrast the career computer criminals understands the targets of
computer crime. Criminals seldom change fields from murder. More often, criminals begins as
computer professionals who engage in computer crime, finding the prospects & pay off good.
There is some evidence that organized crime & international groups are engaged computer
crime. Recently, electronic spices & information brokers have begun to recognize that trading
companies or individuals, secrets can be lucrative.

Q5] What are different security controls?

Ans.There are three types of security controls.

• Software controls: Programs must be secure enough to prevent outside attack. They must also
be developed and maintained so that we can be confident of the programs dependability.
Program controls include the following:

Internal program control: Parts of the programs that enforce security restrictions such as access
limitations in database management programs.
Operating system and network system controls: limitations enforced by the operating system or
network to protect each user from other users.
Independent control programs: application programs such as password checkers or virus scanners
that protect certain types of vulnerability
Development controls: Quality standards, under which a program is designed coded, tested and
maintained to prevent software faults from becoming exploitable.

• Hardware controls: Numerous hardware devices have been created to assist in providing
computer security such as
 Hardware or smart card implementation of encryption
 Lock or cable limiting access
 Devises to verify users identity
 Intrusion detect system
 Circuit board that control access to storage media
 • Physical control: some of the easiest, most effective and least expensive controls are physical
controls. Physical controls include locks on doors, guard set and entry point, backup copies of
important software and data, and physical side planning that reduces the risk of natural
disaster. Often the simple system controls are overlooked while we seek more sophisticated
approaches.

Q 6] Explain the terms with respect to threats, vulnerabilities, & control in the security system.

Ans: A computer system has three separate but vulnerable component hardware, software and data. Each
of these assets offers value to different members of community affected by the system. To analyze
security, we can brainstorm about the ways in which the system or its information can experience
some kind of loss or harm.

a) Threats:- A threat to a computing system is a set of circumstances that has potential to

cause loss or harm. There are many threats to computer system including human
initiated and computer initiated ones. We have all experienced the result of inadvertent
human errors. Hardware design flows and software failures but natural disasters are
threats too. They can bring down a system when computer room is flooded. We can view
any threat as being one of four kinds:

1) Interception: Interception threats means that some unauthorized party has gain access to an
asset. The outsider party can be a person, program or computing system.
2) Interruption: In an interruption an asset of the system is being lost, unavailable or unstable.
An example is malicious instruction of hardware device.
3) Modification: If an unauthorized party not only accesses but also tampers with an asset, the
threat is a modification. For example someone may change the values in database.
4) Fabrication: An unauthorized party might create fabrication of counter feet objects on a
computing system. The intruder may insert spurious transaction to a network communication
system or adds records to existing databases.

b) Vulnerability: A Vulnerability is a weakness in the security system. For example, in the procedures,
design or implementation that might be exploited to cause loss or harm. For instant a particular
system may be Vulnerable to unauthorized data manipulation because system does not verify users
identity before allowing data access.

b) Control: How do we address the problem? We use control as protective measures. That is control is
an action, device, procedures or technique that removes or reduces Vulnerabilities. In general we
can describe the relationship among threat, Vulnerability, control in this way. A threat is blocked by
control of Vulnerability.

Q 7.] Distinguish between vulnerabilities, & control in the security system.

Ans: A computer system has three separate but vulnerable component hardware, software and
data. Each of these assets offers value to different members of community affected by the system.
To analyze security, we can brainstorm about the ways in which the system or its information can
experience some kind of loss or harm:
a) Threats: - A threat to a computing system is a set of circumstances that has potential to cause loss
or harm. There are many threats to computer system including human initiated and computer
initiated ones. We have all experienced the result of inadvertent human errors. Hardware design
flows and software failures but natural disasters are threats too. They can bring down a system when
computer room is flooded. We can view any threat as being one of four kinds:

1) Interception: Interception threats means that some unauthorized party has gain access to an
asset. The outsider party can be a person, program or computing system.
2) Interruption: In an interruption an asset of the system is being lost, unavailable or unstable.
An example is malicious instruction of hardware device.
3) Modification: If an unauthorized party not only accesses but also tampers with an asset, the
threat is a modification. For example someone may change the values in database.
 4) Fabrication: An unauthorized party might create fabrication of counter fit objects on a
computing system. The intruder may insert spurious transaction to a network communication
system or adds records to existing databases.

b) Vulnerability: - Vulnerability is a weakness in the security system. For example, in the procedures,
design or implementation that might be exploited to cause loss or harm. For instance a particular
system may be Vulnerable to unauthorized data manipulation because system does not verify users
identity before allowing data access.
There are three types of vulnerabilities:
1) Hardware vulnerability: Hardware is more visible than software largely because it is composed
of physical objects. Because we can see what devices are hooked to the system and it is
rather simple to attack by adding devices changing them, removing them, intercepting the
traffic to them, or floating them with traffic until they can no longer function.
Interruption (Denial of service)
Interception (Theft)

Hardware
Modification Fabrication (Substitution)

2) Software vulnerabilities: Computing equipment is of little use without the software can be
replaced, changed, or destroyed. Whether intentional or not these attacks exploit the
software’s vulnerabilities.
Interruption (Deletion)
Interception

Software
Modification Fabrication

3) Data vulnerabilities: The general public can readily interpret Printed data. Because of its
visible nature a data attack is more widespread and serious problem than hardware or
software attack. Thus data items have greater public values than h/w and s/w because more
people know how to use data.
Interruption (Loss)
Interception

Data
Modification Fabrication

c) Control: - How do we address the problem? We use control as protective measures. That is control
is an action, device, procedures or technique that removes or reduces Vulnerabilities. In general we
can describe the relationship among threat, Vulnerability, control in this way. A threat is blocked by
control of Vulnerabilities.
Types of control are as follows:
I. Encryption, II. Policies and procedures,
III. Hardware control, IV. Physical control,
V. Software control.

Q.8] What are the risks involving in software computing?

Ans.: Any part of a computing system can be the target of a crime. A computing system is a collection of
hardware, software, storage media, data and people that an organization uses to perform computing tasks.
An intruder must be expected to use any available means of penetration. The penetration may not
necessarily be the most obvious, means, nor is it necessarily the one against which the most solid defense
has been installed.
 ATTACKS
When you test any computer system, one of your jobs is to imagine how the system could malfunction.
Then you improve the system’s design so that the system can withstand any of the problems you have
identified.

Threats, Vulnerabilities, and Controls

A computer system has three separate but valuable components: hardware, software, and data. Each of
these assets offers value to different members of the community affected by the system. We want security
system to make sure that no data are disclosed to unauthorized parties. Neither do we want the data to be
modified in illegitimate ways. At the same time, we want to ensure that legitimate users have access to the
data. In this way, we can identify weaknesses in the system. A vulnerability is a weakness in the security
system, for example, in procedures, design, or implementation, that might be exploited to cause loss or
harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the
system does not verify a user’s identity before following data access.

A threat to a computing system is a set of circumstances that has the potential to cause loss or harm.

There are many threats to a computer system, including human-initiated and computer-initiated ones. We
have all experienced the results of inadvertent human errors, hardware design flaws, and software failures.
But natural disasters are threats, they can bring the system down when the computer room is flooded or
the data center collapses from an earthquake.
We use a control as a protecting measure. That is, a control is an action, device, procedure, or technique
that removes or reduces vulnerability.
A threat is blocked by control of vulnerability.
To device controls, we must know as much about threats as possible. We can view any threat as being one
of four kinds: interception, interruption, modification, and fabrication.

• An interception means that some unauthorized party has gained access to an asset. The outside
party can be a person, a program, or a computing system. Examples of this type of failure are illicit
copying of program or data files, or wiretapping to obtain data in a network.

• In an interruption, an asset of the system becomes lost, unavailable, or unusable. An example is

malicious destruction of a hardware device, erasure of a program or data file, or malfunction of an
operating system file manager so that it cannot find a particular disk file.

• If an unauthorized party not only accesses but tampers with an asset, the threat is a modification.
For example, someone might change the values in a database, alter a program so that it performs an
additional computation, or modify data being transmitted electronically.

• Finally, an unauthorized party might create a fabrication of a counterfeit objects on a computing

system. The intruder may insert spurious transactions to a network communication system or add
records to an existing database. Sometimes these additions can be detected as forgeries, but if
skillfully done, they are virtually indistinguishable from the real thing.

These four classes of threats-interception, interruption, modification and fabrication- describe the kinds
of problems we might encounter.

Q.9] Write a short note on Encryption Method?

Ans:

Encryption is the process of encoding a message so that its meaning is not obvious and nobody able
to break the code easily. Encryption method convert the plaintext i.e. the text which is suppose to
converted in the encrypted form called ciphertext
Various Encryption methods are as follows:

1. SUBSTITUTION CIPHERS
 In this encryption method we substitute a character or a symbol for each character of the original
message .This technique is called a monoalphabetic cipher or simple substitution. The various substitution
cipher are:

1.1 The Caesar Cipher

Julius Caesar is said to have been the first to use this scheme,in which each letter is translated to
a letter a fixed number of places after it is in the alphabet .
Ceasar used a shift of 3. For example plaintext pi enciphered as ciphertext letter ci
Ci=E(Pi)=Pi + 3

Example:
Plaintext: TREATY IMPOSSIBLE
Ciphertext: WUHDWB LPSRVVLEOH

1.2 The Vernam Cipher:

The Vernam Cipher is a type of one-time pad davised by Gilbert Vernam for AT&T. This cipher is
immune to most cryptanalytic attacks . The basic encryption involves arbitrarily long nonrepeating
sequence of numbers that are combine with the sequence of plaintext
Example:
Plaintext: VERNAM CIPHER
Is encoded as
Tehrsp itxmab

2. TRANPOSITIONS(PERMUTATIONS)

A transposition is a encryption in which the letters of the message are rearranged .With the
transposition ,the cryptography aims for diffusion .

2.1 Columnar Transposition:

As with the substitution we begin the study of transposition by examining simple
example. The columnar transposition is the rearrangement of characters of the plaintext into columns. The
following set if characters is a five column transposition

C1 C2 C3 C4 C5

C6 C7 C8 C9 C10

C11 C12 etc..

The plaintext is as follows:

Tssoh oaniw haaso lrsto inghw

The resulting ciphertext is as follows:

Utpir seeoa mrook istwc nasns.

3. Stream and block ciphers

Stream ciphers convert one symbol of plaintext immediately into symbol of ciphertext. The transformation
depends only on the symbol, the key and the control information of the encipherment algorithm. The stream
cipher works as shown below
 fig: stream ciphers

Block cipher encrypts a group of plaintext symbols as one block. The columnar transposition and the other
transpositions are the examples of block cipher. The block cipher words as shown below.

figure: block encryption

Q10] Discuss the role of Encryption in Security System with the help of block diagram. How it
differ from enciphering?

Ans.
Encryption is the process of encoding a message so that its meaning is not obvious; decryption is the
reverse process, transforming an encrypted message back into its normal, original form. Alternatively, the
terms encode and decode are used instead of encrypt and decrypt. That is, we say that we encode, encrypt
or encipher the original message to hide its meaning. Then we decode, decrypt or decipher it to reveal the
original message. A system for encryption and decryption called a cryptosystem.
The original form of a message is known as plaintext, and the encrypted form is called ciphertext.
The relationship is shown in following figure: For convenience in explanation, we denote a plaintext message
P as a sequence of individual characters P = (p1, p2, ……….., pn). Similarly, ciphertext is written as C = (c1,
c2, ……….cm). For instance, the plaintext message “I want cookies” can be thought of as the message
string (I, , w,a,n,t, , c,o,o,k,i,,e,s ).It may be transformed into ciphertext(c1, c2, ………..,c14), and the
encryption algorithm tells how the transformation is done.
We use this formal information to describe the transformation between plaintext and ciphertext

Encryption Decryption
Plaintext Ciphertext Original

Plaintext

Encryption
For eg., We write C =E(p) and P= D(c), where C represents the ciphertext, E is the encryption rule, P is the
plaintext, and D is the decryption rule. What we seek is a cryptosystem for which P =D(E(P)). In other
words, we want to be able to convert the message to protect it from an intruder, but we also want to be
able to get the original message back so that the receiver can read it properly.
There are slight differences in the meanings of these three pairs of words, although they are not
significant in this context. Strictly speaking, encoding is the process of translating entire words or phases
to other words or phases, whereas enciphering is the translating letters or symbols individually; encryption
is the group term that covers both encoding & enciphering.

Q11] Define Cryptosystems and Differentiate between symmetric and asymmetric

Cryptosystems ?

Ans. A system for encryption and decryption is called a Cryptosystem.

Encryption is the process of encoding a message so that its meaning is not obvious.
Decryption is the reverse process, transforming an encrypted message back into its normal, original
form. Alternatively, the terms encode and decode or encipher and decipher are used instead of encrypt
and decrypt. We say that we encode, encrypt, or encipher the original message to hide its meaning.
We then decode, decrypt, or decipher it to reveal the original message. A system for encryption and
decryption is called a cryptosystem.
The original form of a message is known as plaintext, and the encrypted form is called
ciphertext.The relationship is shown as follows:

Original
Cipher text Plaintext
Plaintext
Encryption Decryption

The cryptosystems involves a set of rules for how to encrypt the plaintext and how to decrypt the
cipher text. The encryption and decryption rules, called algorithms, often use a device called a key, denoted
by K, so that the resulting cipher text depends on the original plaintext message, the algorithm, and the key
value. We write this dependence as C = E (K,P) where E is a set of encryption algorithms, and the key K
selects one specific algorithm from the set. Sometimes the encryption and decryption keys are the same so,
P = D(K, E(K,P)). This form is called symmetric encryption because D and E are mirror- image processes. At
other times, encryption and decryption keys comes in pairs. Then a decryption key, KD, inverts the
encryption of key KE, so that P = D(KD, E(KE, P)). Encryption algorithms of this forms are called asymmetric
because converting C back to P involves a series of steps and a key that are different from the steps and
key of E.

The difference between symmetric and asymmetric encryption is as shown in the figure:

Key

Original
Cipher text Plaintext
Plaintext
Encryption Decryption

a) Symmetric Cryptosystem
 Encryption Key KE Decryption Key KD

Original
Cipher text Plaintext
Plaintext
Encryption Decryption

b) Asymmetric Cryptosystem

Disadvantages Low diffusion: each symbol is Slowness of encryption: the

separately enciphered: Therefore, all person or machine using a block
the information of that symbol is cipher must wait until an entire
contained in one symbol of the cipher block of plaintext symbols has been
text. received before starting the
Susceptibility to malicious insertions encryption process.
and modifications: Because each Error propagation: An error will
symbol is separately enciphered, an affect the transformation of all other
active interceptor who has broken the characters in the same block.
code can splice together pieces of
previous messages and transmit a
spurious new message that may look
authentic
.

Q: 13 Write short note on:

1. Key Management
2. Key Distribution
3. Key Exchange
4. Key Generation

Ans: Key Exchange:

The problem of two previously unknown parties exchanging cryptographic keys is both hard
and important to establish an encrypted session. one needs an encrypted means to exchange keys.
Public key cryptography can help since asymmetric keys come in pairs one half of the pair can
be exposed without compromising other half.
Suppose S and R want to derive a shared symmetric key.
S and R both have public keys for a common encryption algorithm; KR-s,KU-s, KR-r,KU-r
for private and public keys for S and R res.
The simplest solution is for S to choose any symmetric key K and send E (KR-r, K) to R.
Then only R can decrypt the key, to assure that K came from S. The solution is for S to send R:
E (KP-r, E (KR-s, K))
Key Management:
In the real world Key Management is the hardest part of the Cryptography.
Designing secure cryptographic algorithms and protocols is not easy but one can relay on large body
of academic research .keeping key secret is much harder.
Cryptanalyst often attack both symmetric and public key Cryptosystems through their key
management. If one can spend $1000 bribing a clerk? Why should he spend &10 million building a
cryptanalysis machine? If key is not changed regularly, this can be a enormous amount of data. Key
management considers following issues:

-Key generation:
It generates the key hard to guess for eavesdroppers.

-Key transfer:
Distribution of the key to the communicational parties.
 -Updating keys:
Updating key for the secure communication.
-Storing key:
Storing the key securely on storing devices.
-Compromised key:
It is needed when the key is lost, stolen.
-Lifetime of keys:
Keys are generated according to their use for particular time after that time security of
the key is not necessary.

Key Distribution:
It is one of the important issue in the key management. The X9.17 standard specifies 2 types
of keys:
- Key-encryption key
- Data key
Key-encryption key encrypts other keys for distribution. data key encrypt message traffic. These are
most commonly used concepts in the key distribution.
Solution to the distribution problem is split the key into several different parts and send each
of these parts over different channels.
Key-encryption key shared by pairs works well in small networks, but can quickly get cumbersome
if network becomes large.
Since every pair of user s must exchange key, total no. of key
exchanges required in an ‘n’ person network is n(n-1)/2.

In 6 person network, 15 key exchanges are required. In 1000 person network nearly50000
key exchanges are required. In these cases creating central key server makes operation much more
efficient.

Key Generation:
The security of fan algorithm rests in the key, if you are using cryptographically weak process
to generate keys, then your whole system is weak.

-Reduced key spaces:

Longer the key, harder to break it. from time to time analysis it is proven that large
size key with large number of characters (e.g. ASCII characters(256)) will generate the
secure key.

-poor key choices:

If the selection of the key is the common names in the dictionary or the name of the
relatives or the places are very prone to break. The attack is called Dictionary attack.

-Random keys:
Random keys are hard to remember hence may be used for key generation.

-X9.17 key generation:

the ANSI X9.17 standard specifies a method of key generation. this does not generate
easy to remember keys, It is more suitable for generating session keys or pseudo-random
numbers with a system.
available on the market for use as basic components in devices that the DES encryption in an application
.Examples of DES are : double DES , Triple DES
 Right half text

Left half
text
Combine key

substitute

permute

Add halves

New left New right

half text half text
Cycles of substitution and Permutation

Q.15] Describe Double and Triple DES algorithm and also discuss the security DES.

ANS: DOUBLE DES

To address the discomfort, some researchers suggest using a double encryption for greater
secrecy. The double encryption works in the following way. Take two keys, k1 and k2, and perform two
encryption, one on top of the encryption, just as two locks are harder to pick than one.
Unfortunately, that assumption is false. Merkle and Hellman showed that two encryption are
no better one. The basis of their arguments is that the cryptanalyst works plaintext and ciphertext toward
each other. The analyst needs two pairs of plaintext and corresponding ciphertext, c1 and c2, but not keys
used to encrypt them. The analyst then tries decrypting c1 with a single key and looking for a match in
the saved Ps. A match is a possible pair of double keys, so the analyst checks the match with p2 and c2.

TRIPLE DES
However, a simple trick does indeed enhance the security of DES. Using two keys and
applying them in three operation adds apparent strength.
The so-called triple DES procedure is C=E(k1, D(k2, E(k1,m))). That is , you encrypt with the
second, and encrypt first again.
Although this process is called triple DES, because of the three applications of the DES
algorithm, it only doubles the effective key length. But a 112-bit effective key length is quite strong, and it
is effective against all feasible known attacks.

SECURITY OF THE DES

Since its was first announced, DES has been controversial. Many reasearcher have questioned
the security it provides. Much of this controversy has appeared in the open literature, but certain DES
features have neither been revealed by the designer not inferred by outside analysts.
In 1990, Biham and Shamir invented a technique, differential cryptanalysis, that investigates
the change in algorithmic strength when an encryption algorithm is changed in some way. In 1991 they
applied their technique to DES, showing that almost any change to the algorithm weakens it. Their changes
included cutting the number of iteration from 16 to 15, changing the expansion or substitution rule, or
altering the order of an iteration.

Q17] What is difference between DES and AES, explain in details.

i) DES stands for Data Encryption Standard, which was developed by U.S. government in 1976. But after
few years it was found to be less efficient as compared to the requirements of the computer systems.
Thus in 1999 U.S. National Institute of Standards and Technology designed an algorithm called Advanced
Encryption Standards (AES).
Both the algorithms are block cipher algorithms and use a key (public key or private key) for encryption.

ii) Key Used:

 DES uses 56-bit key.
AES uses key of length of 128, 192, 256 bits.
Thus we can see that key used by AES is almost double in length than key used by DES, and it can be
doubled further. Hence AES gives us better encryption and it is more difficult to attack on the code
encrypted by AES than that of DES.

iii) Block size:

DES encrypts 64 bits at a time.
AES encrypts 128 bits at a time.
Because of larger block size AES is found to be more effective than DES.

iv) DES algorithm performs encryption by passing data through processes like substitution and
permutation.
Whereas AES performs substitution, shifting, and bit mixing processes to encrypt the data.

v) DES algorithm was designed to go through 16 rounds precisely. In order to increase this number, the
whole algorithm will be required to be redefined.
AES, on the other hand, was designed in such a way that, changing the limit on repeat loop can easily
change number of cycles of AES.
Q18]: Discuss the application of Encryption in cryptographic hash function?

ANS]: With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many
are wondering exactly what these things are: They form the underpinning of much of our electronic
infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them
in the context of the recent developments.

Though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble
(digest?) the best available information into this Guide, but we welcome being pointed to the errors of our
ways. A "hash" (also called a "digest", and informally a "checksum") is a kind of "signature" for a stream of
data that represents the contents. The closest real-life analog we can think is "a tamper-evident seal on a
software package": if you open the box (change the file), it's detected.

This is a common confusion, especially because all these words are in the category of "cryptography", but
it's important to understand the difference. Encryption transforms data from a cleartext to ciphertext and
back (given the right keys), and the two texts should roughly correspond to each other in size: big cleartext
yields big ciphertext, and so on. "Encryption" is a two-way operation.

Hashes, on the other hand, compile a stream of data into a small digest (a summarized form: think
"Reader's Digest"), and it's strictly a one way operation. All hashes of the same type - this example shows
the "MD5" variety - have the same size no matter how big the inputs are: "Encryption" is an obvious target
for attack (e.g., "try to read the encrypted text without the key"), but even the one-way nature of hashes
admits of more subtle attacks. We'll cover them shortly, but first we must see for what purposes hashes are
commonly used. We'll note here that though hashes and digests are often informally called "checksums",
they really aren't. True checksums, such as a Cyclic Redundancy Check are designed to catch data-
transmission errors and not deliberate attempts at tampering with data. Aside of the small output space
(usually 32 bits), they are not designed with the same properties in mind. We won't mention true
checksums again.

What's inside a cryptographic hash? The first answer is "it depends on the kind of hash", but the
second answer usually starts with "a lot of math". A colloquial explanation is that all the bits are
poured into a pot and stirred briskly, and this is about as technical we care to delve into here.
There are plenty of resources that show the internal workings of a hash algorithm, almost all of
which involve lots of shifting and rotating through multiple "rounds:

One iteration within the SHA-1

compression function. A, B, C, D and E are
32-bit words of the state; F is a nonlinear
function that varies;
<<< denotes left circular shift. Kt is a
constant.
Some of the popular hash algorithms:

• MD4 (128 bits, obsolete)

• MD5 (128 bits)
• RIPEMD-160 (160 bits)
• SHA-1 (160 bits)
• SHA-256, SHA-384, and SHA-512 (longer versions of SHA-1)

Each has its own advantages in terms of performance, several variations of collision resistance, how well its
security has been studied professionally, and so on.

Reliably generate collisions in four hash functions much faster than brute-force time, and in one case (MD4,
which is admittedly obsolete), with a hand calculation. This has been a stunning development. In the short
term, this will have only a limited impact on computer security. The bad guys can't suddenly start tampering
with software that can fool published checksums, and they can't suddenly start cracking hashed passwords.
Previously-signed digital signatures are just as secure as they were before, because one can't retroactively
generate new documents to sign with your matched pair of inputs. What it does mean, though, is that we've
got to start migrating to better hash functions. Even though SHA-1 has long been thought to be secure,
NIST (the National Institute of Standards and Technology) has standard for even longer hash functions
which are named for the number of bits in their output: SHA-224, SHA-256, SHA-384, and SHA-512.

Five hundred twelve bits of hash holds 1.34 x 10154 possible values, which is far, far more than the number
of hydrogen atoms in the universe. This is likely to be safe from brute-force attacks for quite a while.

Q:19] Describe how Digital Signatures are applicable for encryption .Write its properties and
explain its requirements with relevant block diagram

Another typical situation parallels a common human need an order to transfer funds from one person to
another .in other words we want to be able to send electronically the equivalent of a computerized
checking .
• a check is tangibler object authorizing financial transaction
• the signature on the check confirms authenticity since only the legitimate signer can produce that
signature
• in the case of an alleged forgery , a third party can be called in to judge authenticity
• once a check is cashed , it is cancelled so that it cannot be reused
• the paper check is not alterable . or most forms of aleration are easily detected

Digital signature is a protocol that produces the same effect as a real signature . ti is a mark that only the
sender can make but other people can easily recognize as belonging to the sender . just like a real signature
, a digital signature is used to confirm agreement to a message.
Properties
A digital signature must meet 2 primary conditions
• It must be forgeable . If person P signs message M with signature S(P,M), it is impossible for
anyone else to produce the pair [M,S(P,M)]
• It must be authentic. If a person R receives the pair [M,S(P,M)] purposely from P , R can check
that the signature is really from P could have created this signature and the algorithm.
• It is not alterable .after being transmitted ,M cannot be changed by S,R or any other
interceptor.
• It is not reusable . a previous message presented again will be again be detected by R
 DIGITAL SIGNATURE

DIGITAL SIGNATURE

TOP SECRETE
UNFORGEABLE
(PROTECTS A)

Q.21] What are the point that should keep in mind about any key distribution Protocol?
The two basic kinds of encryptions are symmetric (also called “secret key”) and asymmetric (also
called “public key”). Symmetric algorithms use one key, which works for both encryption and decryption.
Usually, the decryption algorithm is closely related to the encryption one. (For e.g. the Creaser cipher with a
shift of 3 uses the encryption algorithm “substitute the character three letters later in the alphabet” with the
decryption “substitute the character three latter a earlier in the alphabet”. )
The symmetric systems provide a two-way channel to their user: A and B share a secret key and
they can both encrypt information to send to the other as well as decrypt information from other. As long as
the key remain secret, the system also provides authentication, proof that a message received was not
fabricated by someone other than declared sender, Authentication is ensured because only legitimate
sender can produce a message that will decrypt properly with the shared key.
The symmetric of this situation is major advantage of this type of encryption, but it also leads to a
problem: key distribution. How do A and B obtain their shared secret key? And only A and B can that key for
their encrypted communications. If A wants to share encrypted communication with other user C, A and C
need a different shared key. Key distribution is major difficulty in using symmetric encrypted. In general, n
user who want to communicate in pair need n*(n-1)/2 keys. In other words, the number of keys needed
increase at rate proportional to the square of the number of users. So a property of symmetric encryption
system is that they required means of key distribution.
Public key systems, on other hand, exile at key management. By the nature of the public key
approach, you can send a public key in an e-mail message or post it into a public directory. Only the
corresponding private key, which presumably kept private, can decrypt what has been encrypted with the
public key.
But for both kind of encryption, a key must be kept secured. Once symmetric or private key is know
by an outsider, all message written previously or in the future can be decrypted (and hence read or
modified) by the outsider. So, for all encryption algorithms, key management is major issue. It involves
storing, safeguarding and activating keys.

Q22] What are the main characteristics of a good cipher?

Shannon’s Characteristics of “Good Cipher”

1. The amount of secrecy needed should determine the amount labor appropriate for the encryption
and decryption.
Principle 1 is a reiteration of the principle of timeliness and of the earlier observation that even a simple
cipher may be strong enough to deter the casual interceptor or to hold off any interceptor for a short time.
2. The set of keys and the enciphering algorithm should be free from complexity.
This principle implies that we should restrict neither the choice of keys nor the types of plaintext on which
the algorithm can work. For instance, an algorithm that works only on plaintext having an equal number of
As and Es is useless. Similarly it would be difficult to select keys such that the sum of the values of the
letters of the key is a prime number. Restrictions such as these make the use of encipherment prohibitively
complex, it will not be used. Furthermore the key must be transmitted, stored, and remembered, so it must
be short.
3. The implementation of process should be as simple as possible.
Principle 3 was formulated with hand implementation in mind. A complicated algorithm is prone to error or
likely to be forgotten. With the development and popularity of digital computers, algorithms far too complex
for hand implementation became feasible. Still the issue of complexity is important. People will avoid an
encryption algorithm whose implementation process severely hinders message transmission, there by
undermining security. And a complex algorithm is more likely to be programmed incorrectly.
4. Error in ciphering should not propagate and cause corruption of further information in the message.
Principle 4 acknowledges that humans make errors in their use of enciphering algorithms. One error early in
the process should not throw off the entire remaining cipher-text. For example, dropping one letter in a
columnar transposition throws off the entire remaining encipherment unless the receiver can guess where
the letter was dropped; the remaining of the message will be unintelligible. By contrast, reading the wrong
row or column for a poly alphabetic substitution affects only one character remaining characters are
unaffected.
5. The size enciphered text should no larger than the text of the original message.
The idea behind principle 5 is that a cipher text that expands dramatically in size cannot possibly carry more
information that the plaintext, yet it gives the cryptanalyst more data from which to infer a pattern.
Furthermore, a longer cipher text implies more space for storage and more time to communicate.

These principles were developed before the ready availability of digital computers, even though Shannon
was aware of computers and the computational power they represented.

Thus these are the main characteristics of a good cipher.

Q.26] What are Modularity, Encapsulation, and Information Hiding?

Modularity, Encapsulation, and Information Hiding :
Code usually has a long shelf-life, and it is enhanced over time as needs change and faults are found and
fixed. For this reason, a key principle of software engineering is to create a design or code in small, self-
contained units, called components or modules; when a system is written this way, we say that it is
modular. Modularity offers advantages for program development in general and security in particular.

If a component is isolated from the effects of other components, then it is easier to trace a problem to the
fault that caused it and to limit the damage the fault causes. It is also easier to maintain the system, since
changes to an isolated component do not affect other components. And it is easier to see where
vulnerabilities may lie if the component is isolated. We call this isolation encapsulation.

Information hiding is another characteristic of modular software. When information is hidden, each
component hides its precise implementation or some other design decision from the others. Thus, when a
change is needed, the overall design can remain intact while only the necessary changes are made to
particular components.
Modularity

Modularization is the process of dividing a task into subtasks. This division is done on a logical or
functional basis. Each component performs a separate, independent part of the task. The goal is to have
each component meet four conditions:

• single-purpose: performs one function

• small: consists of an amount of information for which a human can readily grasp both
structure and content
• simple: is of a low degree of complexity so that a human can readily understand the purpose
and structure of the module
• independent: performs a task isolated from other modules

Often, other characteristics, such as having a single input and single output or using a limited set of
programming constructs, help a component be modular. From a security standpoint, modularity should
improve the likelihood that an implementation is correct.

In particular, smallness is an important quality that can help security analysts understand what each
component does. That is, in good software, design and program units should be only as large as needed
to perform their required functions. There are several advantages to having small, independent
components.

• Maintenance. If a component implements a single function, it can be replaced easily with a

revised one if necessary. The new component may be needed because of a change in
requirements, hardware, or environment. Sometimes the replacement is an enhancement, using
a smaller, faster, more correct, or otherwise better module. The interfaces between this
component and the remainder of the design or code are few and well described, so the effects of
the replacement are evident.
• Understandability. A system composed of many small components is usually easier to
comprehend than one large, unstructured block of code.
• Reuse. Components developed for one purpose can often be reused in other systems. Reuse
of correct, existing design or code components can significantly reduce the difficulty of
implementation and testing.
• Correctness. A failure can be quickly traced to its cause if the components perform only one
task each.
• Testing. A single component with well-defined inputs, output, and function can be tested
exhaustively by itself, without concern for its effects on other modules (other than the expected
function and output, of course).

Security analysts must be able to understand each component as an independent unit and be assured of
its limited effect on other components.
 A modular component usually has high cohesion and low coupling. By cohesion, we mean that all the
elements of a component have a logical and functional reason for being there; every aspect of the
component is tied to the component's single purpose. A highly cohesive component has a high degree of
focus on the purpose; a low degree of cohesion means that the component's contents are an unrelated
jumble of actions, often put together because of time-dependencies or convenience.

Coupling refers to the degree with which a component depends on other components in the system.
Thus, low or loose coupling is better than high or tight coupling, because the loosely coupled
components are free from unwitting interference from other components.

Encapsulation

Encapsulation hides a component's implementation details, but it does not necessarily mean complete
isolation. Many components must share information with other components, usually with good reason.
However, this sharing is carefully documented so that a component is affected only in known ways by
others in the system. Sharing is minimized so that the fewest interfaces possible are used. Limited
interfaces reduce the number of covert channels that can be constructed.

An encapsulated component's protective boundary can be translucent or transparent, as needed. The

encapsulation is the "technique for packaging the information [inside a component] in such a way as to
hide what should be hidden and make visible what is intended to be visible."

Information Hiding

Developers who work where modularization is stressed can be sure that other components will have
limited effect on the ones they write. Thus, we can think of a component as a kind of black box, with
certain well-defined inputs and outputs and a well-defined function. Other components' designers do not
need to know how the module completes its function; it is enough to be assured that the component
performs its task in some correct manner.

Information hiding is desirable, because developers cannot easily and maliciously alter the components
of others if they do not know how the components work.

These three characteristics—modularity, encapsulation, and information hiding—are fundamental

principles of software engineering. They are also good security practices because they lead to modules
that can be understood, analyzed, and trusted.

Q27] Short note on Code Red.

Code Red appeared on the middle of 2001; to devastating effect. On the July 29th the U.S. Federal Bureau
of Investigation proclaimed in a news that on July 19th the Code Red worm infected more than 250000
systems in just 9hrs.
The Code Red includes several kinds of malicious code, it mutated from one version to another. Malicious
software that propagate itself on web servers running Microsoft’s Internet Information Server (IIS). Code
Red takes two steps: Infection and Propagation. To infect a server the worm takes advantages of a
vulnerability in Microsoft’s IIS. It overflows the buffer in the server’s memory. Then to propagate the Code
Red checks the IP address of port 80 of the PC to see if that server in vulnerable.
 Effect:- The original Code Red’s activities were determined by the data. From day 1 to 19 of the month,
the worm spawned 99 threads that scanned for other vulnerable computers, starting at the same IP
address. Then on days 20 to 27 the worm launched a distributed Daniel-of-service attacks. A Daniel-of-
service attack floods the site with large numbers of messages in an attempt to slow down or to stop the
site Because the site is overwhelmed & cannot handle the message. Finally from day 28 to end of month the
worm did nothing.
Working:- The worm crashes Windows NT based servers but executed code on Windows 2000 systems.
Code Red includes its own copy of file explore.exe, placing it o the C: & D: drivers, so that Windows would
run the malicious copy, not the original copy. This Trojan Horse run at the original, untainted version of
explore.exe but it modified the system registry to disable certain kind of file protection & ensure that some
directories have to read, write, & execute permission. As a result a Trojan Horse had a virtual path that
could be followed even when explore.exe was not running. The Trojan Horse continues to run in background
resetting the registry in 10 minutes. Thus even if a system administrator notices that the changes & undoes
them, the changes are applied again by the malicious code.
To propagate the worm, creates 300 or 600 threads depends upon the variant and tried for 24 or 48 hrs to
spread to other machines. After that the system was forcibly rebooted, flushing the worm in memory but
leaving the backdoor and Trojan Horse is placed.

Q28] Explain in brief causes and effects of viruses.

Virus attaches itself to program and propagates copies of itself to other program.
Virus effects and causes are as follow:
Attach to executable program
A program virus attaches itself to program, then whenever the program is run, the virus is activated. This
kind of attachment is usually easy to program.
In the simplest case, a virus inserts a copy of itself into the executable program file before the first
executable instruction. Then all the virus instruction execute first, after the last virus instruction, control
flows naturally to what used to be the first program instruction.
This kind of attachment is simple and usually effective. The virus writer does not need to know
anything about the program to which the virus will attach and often the attached program simply
serves as a carrier for virus .The virus perform its task and then transfer to original program.
 Virus that surround a program
An alternative to attachment is a virus that runs the original program but has control before and after its
execution.
 Integrated viruses and replacements
The third situation occurred when the virus replaces some of its target, integrating itself into the original
code of the target.
The virus can cause due to:
• Modify file directory
• Write to executable program file
Attach to data or control file
Currently the most popular virus type is called as document virus, which is implemented within a
formatted document , such as a written document ,a database, a slide presentation or a spread sheet.
These documents are highly structured file that contain both data and commands. The commands are part
of rich programming language, including macros, variables and procedures, file accesses and even system
call. The writer of document virus uses any of features of programming language to perform malicious
actions.
The virus can cause due to:
• Modify directory.
• Rewrite data
• Append to data
• Append data to self
 Remain in memory
Some part of operating system and most user programs execute, terminate, and disappear, with their
space in memory being available for anything executed later. For very frequently used parts of operating
system and for few specialized user programs, it would take too long to reload the program each time it was
needed. Such code remains in memory, and is called resident code.
Virus writers also like to attach viruses to resident code because the resident code is activated many
times while the machine is running. Each time the resident code runs, the virus does too. Once activated
the virus can look for and infect the uninfected carriers.
• Intercept interrupt by modifying interrupt handler address table.
• Load self in nontransient memory area.
Infect disks
Most virus attach to program that are store on media such as disks. The attached virus piece is
invariant , so that the start of virus code becomes a detectable signature. The attached piece is always
located at the same position relative to its attached files.

The virus can cause due to:

• Intercept interrupt
• Intercept operating system call
• Modify system file
• Modify ordinary executable program

Q30.Write short Virus effects How it is caused

note on: Attach to executable program 1.modify file directory
2. Write to executable program file.
1. Boot Sector Attach to data or control file 1.modify directory.
viruses: 2.Rewrite data.
A special case of 3.Append to data.
virus attachment, 4.Append data to self.
but formerly a fairly
popular one, is the Remain in memory 1.Intercept interrupt by modifying
so called boot sector interrupt handler address table
virus. When a 2.Load self in nontransient memory
computer is started, area
control begins with Infect disks 1.Intercept interrupt
firmware that 2.Intercept operating system call
determines with (to format disk, for example)
hardware 3.Modify system file
components are Modify ordinary executable program
present, tests them,
and transfers control Conceal self 1.Intercept system calls that would
to an operating Reveal self and falsify result
system. A given 2.Classify self as “hidden” file
hardware platform Spread infection 1.Infect boot sector
can run many 2.Infect systems program
different operating 3.Infect ordinary program
systems, so the 4.Infect data ordinary program reads to
operating system is control its execution
not coded in Prevent deactivation 1.Activate before deactivating program
firmware but is block deactivation
instead invoked 2.Store copy to reinfect after deactivation
dynamically, perhaps
even by a user’s choice, after the hardware test.
The operating system is software stored on disk. Code copies the operating system from disk to memory
and transfers control to it; this copying is called the bootstrap load because the operating system
figuratively pulls itself into memory by its bootstraps. The firmware does its control transfer by reading a
fixed number of bytes from a fixed location on the disk to a fixed address in memory and then jumping to
that address. The bootstrap loader then read into memory the rest of the operating system from the disk.
To run a different operating system the user must insert a disk with the new operating system and a
bootstrap loader. When the user reboot from this new disk, the loader there brings in and runs another
operating system. This same scheme is used for personal computers, workstations, and large mainframes.
To allow for change, expansion and uncertainty, hardware designers reserve a large amount of space for the
bootstrap load. The boot sector on a PC is slightly less than 512 bytes but since the loader is larger than
that the designers support ‘chaining’, in which each block of the bootstrap is chained to the next block. This
chaining allows big bootstrap but also simplifies the installation. The virus writer simply breaks the chain at
any point, inserts a pointer to the virus code to be executed, and reconnects the chain after the virus has
been installed.
The boot sector is an appealing place to house a virus. The virus gains control early in the boot process,
before most detection tools are empty, so that it can avoid or at least complicate detection.
 Other Sector
Boot sector
Bootstrap
System
Loader
Initialization

chain
a) Before infection

Boot Sector Other sector

Virus System Bootstrap

Code Initialization Loader
Chain
Chain

b) After infection
2. Memory Resident Viruses:
Some part of the operating system and most user program execute, terminate and disappear. For
very frequently used parts of the operating system and for very specialized user programs, it would take too
long to reload the program each time it was needed. Such code remains in memory and is called resident
code. Examples of resident code are the routine that interprets keys pressed on keyboard, code that
handles error condition that arise during program execution, or a program that acts like an alarm clock.
Resident routine are sometimes called TSR or “terminate and stay resident” routines.
Virus writers also like to attach virus to resident code because resident code is activated many times
while the machine is running. Each time the resident code runs the virus does too. Once activated the virus
can look for and infect uninfected carriers. For example after activation boot sector might attach itself to a
piece of resident code. Then each time the virus was activated it might check whether any removable disk in
a disk drive was infected and if not infect it.
3. Document virus:
The most popular virus type is document virus which is implemented within a formatted document
such as written document, a database, a slide presentation or a spreadsheet. These documents are highly
structured files that contain both data and commands. The commands are part of programming language
including macros, variables and procedures, file accesses and even system calls. The writer of document
virus uses any of the features of programming language to perform malicious action.
The ordinary user sees only the content of the document, so virus writer simply includes virus in command
part of the document as in integrated program virus

Q-31: Explain the time-of-check to time-of-use errors.

Access control is the fundamental part in the computer security; we want to make sure that only
those who should access an object are allowed an access. Every requested access must be governed by an
access policy stating who is allowed an access to what; then the request must be mediated by an access
policy enforcement agent. But an incomplete mediation problem occurs when access is not checked
universally. The time-of-check to time-of-use flaw concerns mediation that is performed with a “bait and
switch” in the middle. It is also known as serialization or synchronization flaw.
E.g., suppose a request to access a file were present as a data structure, with the name of the file
and the mode of access presented in the structure.

My_file Change byte 4 to “A”

Figure: data structure for file access
Normally the access control mediator receives the data structure, determines whether the access
should be allowed, and either rejects the access and stops or allows the access and forwards the data
structure to the file handler for processing.
 To carry out this authorization sequence, the access control mediator would have to look up the file
name in tables. The mediator would compare the names in the table to the file name in the data structure
and determine whether the access I is appropriate. More likely, the mediator would copy the file name into
its own local storage area and compare from there. Comparing from the copy leaves the data structure in
the user’s area, under the user’s control.
It is at this point that the incomplete mediation flaw can be exploited. While the mediator is checking
access rights for the file my_file, the user could change the file name descriptor to your_file. Having read
the work ticket once, the mediator would not be expected to reread the ticket before approving; the
mediator would approve the access and send the now modified descriptor to the file handler.

Your_file Delete file

Figure: modified data
The problem is called a time-of-check to time-of –use flaw because it exploits the delay between the
two times. That is, between the time the access was checked and the time the result of the check was used,
a change occurred, invalidating the result of the check.
Q32. Give a details note on
1. Trapdoors 2. Salami Attack
Trapdoors:
This is a program that has a secret entry point. It is also called as backdoor. It is a feature in
the program by which someone can access the program other than the obvious, direct call,
perhaps with special privileges.
For e.g., an automated teller program might allow anyone entering the number 990099 on
the keypad to process the log of everyone’s transactions on that machine.
A trapdoor may be intentional, for maintenance purposes, or it could be an illicit way for the
implementer to wipe out any traces of a crime. Sometimes trapdoors are inserted for
debugging purposes by the developer, who later forgot to remove it before publishing the
product. In other cases, the developer may use the trapdoor for unauthorized access for
monetary benefit.
Salami Attack:
Salami attack is another form of targeted malicious code. Its name comes from the way odd
bits of meat and fat are fused together in salami.
In the same way, a salami attack merges bits of seemingly inconsequential data to yield
powerful results.
Programs often disregard small amounts of money in their calculations, as when there are
fractional pennies as interest or tax is calculated. These small amounts may be accumulated
somewhere else, such as an individual’s bank account. The shaved amount is so small in an
individual’s case that it may be unnoticed or ignored, but over a period of time, it may result
in a large sum. The reason they are not noticed is that they do not show up in accounts while
balancing.
Salami attacks are persistent because of rounding errors while computations.

Q33. Write a note on the following:

1. Web Bugs 2. Brain Virus

A. Web Bug:
A web bug, sometimes called a pixel tag, clear gif, one-by-one gif, invisible gif, or beacon gif,
is a hidden image on any document that can display HTML tags, such as a web page, HTML e-
mail message, or even a spreadsheet. Its creator intends the bug to be invisible, unseen bu
users but very useful since it can track the web activities of an user.
E.g. On Blue Nile Home Page, the following big code automatically downloads as a web bug
from the site.

<img height=1 width=1 Src =

“http://switch.avenuea.com/action/blenile_homepage/v2/a/AD7029944”>

Web bugs do not seem to be malicious. They plant numerical data but do not track personal
info. They can be used to track the surfing habits of an user. Their profile can be used to
direct retailers in whom you are interested. More malicious codes can be clearly used to
review the web server’s log files and determine your PC info, e.g. IP Address. The Web Server
can capture things such as, IP Address, the kind of web browser used, monitor's resolution,
browser settings, connection time, and previous cookie values.
 Brain Virus:
One of the earliest virus, it was given its name because it changes the label of any disk it
attacks, to the word "BRAIN". It attacks PC's running Microsoft Operating System.

What it does:
The virus first locates itself in the upper memory and executes a system call to reset the
upper memory limit to itself. It traps interrupt no. 19 (disk read) by resetting interrupt vector
table to point to it. It then sets the address for interrupt no. 6to former address of interrupt
no. 9
The Brain Virus appears to have no effect other than to pass the infection. Variants of this
virus erase disks or destroys the FAT.

How it Spreads:
The Brain Virus positions itself in the boot sector and 6 other sectors. One of the sectors will
contain the original boot code, moved from the original location, while 2 other contain
remaining code of virus. Once installed, the virus intercepts disk read requests for the disk
drive under attack.
The virus reads the boot sector and inspects the 5 and 6 bytes for hexadecimal value 1234.

Q-34. One feature of a capability-based protection system is the ability of one process to transfer
a copy to another process. Describe a situation in which one process should be able to transfer a
capability to another.

Capability is analogous to a ticket or identification card giving permission to a subject to have a

certain type of access to an object. Capabilities can be encrypted under a key available only to the access
mechanism.

One possible access right to an object is transfer or propagate .A subject having this right can pass
copies of capabilities to other subjects. In turn each of these capabilities has a list of permitted types of
accesses, one of which might also be transfer. In this instance, process A can pass a copy of a capability to
B, who can then pass a copy to C.B can prevent further distribution of capability by omitting the transfer
right from the rights passed in the capability to C. B might still pass certain access right to C, but not the
rights to propagate access rights to other subjects.

As a process executes, it operates in a domain. The domain is the collection of objects to which the
process has access. As execution continues, the process may call a sub procedure, passing some of the
objects to which it has access as arguments to the sub procedure. The domain of the sub procedure is not
necessarily the same as that of its calling procedure; in fact, a calling procedure may pas only some of its
objects to the sub procedure and the sub procedure may have access rights to other objects not accessible
to the calling procedure. The caller may also pass only some of its access rights for the object it passes to
the sub procedure.

Domain for MAIN

Process Files Devices

Data Storage
Figure: process execution domain
Since each capability identifies a single object in a domain, the collection of capabilities defines the
domain. When a process calls a sub procedure and passes certain objects to the sub procedure, the
operating system forms a stack of all the capabilities of the current procedure. The operating system then
creates new capabilities for the sub procedures, as shown in the figure
Domain for MAIN

Devices
Process Files
CALL SUB

Data Storage

Domain for Sub

Devices
Process Files

Data Storage

Figure: Passing Objects to a Subject.

Capabilities are straightforward way to keep rack of the access rights of subjects to objects during
execution. The capabilities are backed by more comprehensive table, such as an access control matrix or an
access control list. Each time a process seeks to use a new object, the operating system examines the
master list of objects and subjects to determine whether the object is accessible. If so, the operating
system creates a capability for that object.

Capabilities must be stored in memory inaccessible to normal users. One way of accomplishing this is
to store capabilities in segments not pointed at by user’s segment table or enclose them in protected
memory as from a pair of base/bounds registers. During execution, only the capabilities of objects that have
been accessed by current process are kept readily available. This restriction improves the speed with which
access to an object can be checked. They can be revoked. When an subject revokes a capability, no further
access under the revoked capability should be permitted. A capability table can contain pointers to the
active capabilities spawned under it so that the operating system can trace what access rights should be
deleted if a capability is revoked.

Q35. Explain why asynchronous I/O activity is a problem with many memory protection scheme
including base bound and paging. Suggest a solution to problem.

A major advantage of an operating system with fence register is the ability to relocate, this characteristic is
important in a multiuser environment. With two or more user, none can know in advance where a program
will be loaded for execution. The relocation register solves the problem by providing base or starting
address. All address inside programs are offsets from that base address. All address inside programs are
offsets from that base address. A variable fence register is known as base register.
Fence register provide a lower bound but not an upper one. An upper bound can be useful in knowing
how much space is allotted and in checking for overflows into forbidden areas. To overcome this problem a
second register is often added. The second register called a bound register is an upper address limit. Each
program address is forced to be above the base address because the content of base register is added to
address.
This technique protects a program address from modification by another user. When execution
changes from one user program to another, the operating system must change the content of base and
bound register to reflect the true address space for that user. This change is part of general preparation
called a context switch.
With a pair of base/bound register a user is perfectly protected from outside user. Erroneous address
inside a user address space can still affect that program because the base/bound checking guarantees only
that each address is inside the user address space.
We can solve this problem by using another pair of base/bound registers, one for the instruction of the
program and a second for the data space. Then only instruction fetches are relocated and checked with the
first register pair and only data accesses are relocated and checked with the second register pair. Although
two pair of register does not prevent all program errors, they limit the effect of data manipulating
instruction to the data space. The pair of register offers another more important advantage: the ability to
split a program into two pieces that can relocated separately.
These two features seem to call for the use of three or more pair of registers: one for code, one for read
only data and one for modifiable data value. Although two pair of registers are the limit for practical
computer design. For each additional pair of registers, something in the machine code of each instruction
must indicate which relocation pair into be used to address the instruction operands. That is with more than
two pairs each instruction specifies one of two or more data spaces. But with only two pairs the decision can
be automatic: instruction with one pair, data with other.

Q36. Design protocol by which two mutually suspicious parties can authenticate each other.

Protocols are publicly posted for scrutiny by the entire internet community. Each accepted protocol is
known by its request for comment (RFC) number.
Many problems with protocol have been identified by sharp reviewer and corrected before the protocol
was established as standard.
Two mutually suspicious parties can authenticate each other by establishing TCP connection through
sequence number. The client sends a sequence number to open connection, the server response with that
number and the sequence number of its own, and the client responds with server’s sequence number. One
can guess client’s next sequence number. Sequence numbers are incremented regularly, so it can be easy
to predicate the next number.
The user of the service can be assured of any server’s authenticity by requesting an authenticating
response from the server.
Authentication is effective only when it works .A weak or flawed authentication allows access to any
system or person who can circumvent the authentication.
The protocol should allow the two parties to authenticate the data that is unique and difficult to
guess. If same users to store data and run processes use two computers and if each has authenticated its
user on first access, you might assume that computer-to-computer or local user to remote process
authentication is unnecessary.
Some time the system demands for certain identification of user ,but the user is supposed to trust the
system .The programmer can easily write a program that displays the standard prompt for user ID and
password. The user can be suspicious of the computing system, just as system is suspicious of the user. The
user can not enter the confidential data until convinced that the computing system is legitimate. The
computer acknowledges the user only after passing the authentication process.
User authentication is a serious issue that becomes even more serious when unacquainted users
seek to share facilities by means of computer network. The traditional authentication device is a password.
A plaintext password file presents a serious vulnerability for a computing system. These files are usually
heavily protected or encrypted. The problem over here is to choose the strong password for the user. The
protocols are needed to perform mutual authentication in an atmosphere of distrust.

Q38. Enumerate the different types of attacks on user password.

The most common authentication mechanism for user to operating system is user password, a word known
to computer and user. Although password protection offers a relatively secure system. But the question is
how secure are password itself? Password are somewhat limited as protection devices because of the
relatively small number of bit of information they contain.
Here are some way user can might be able to determine the
User’s password.

1. Try all possible passwords.

2. Try many probable password
3. Try possible password likely for the user.
4. Search for the system list of the password.
5. Ask the user.

1.Exhaustive attack:-
This is also called as brute force attack. The attacker tries all possible passwords, usually in
some automated fashion. The number of possible passwords depends upon the implementation of the
particular computing system. The password might from 1 to 8 character hence that number might be
tractable. Hence intruder may break the file.

But break in time can be made more tractable in number of ways. Searching for a particular
password does not necessarily require all passwords to be tried.

2. Probable passwords:-
Penetrators searching for passwords they realize these very human characteristics and use
them to their advantages. Therefore penetrators try techniques that are likely to lead rapid success. If
people try short passwords to long once the petnetrators will try all passwords in order by length.

Q No 39. Explain various file protection mechanisms.

All multi-user operating systems must provide minimal protection to keep one user from maliciously
modifying the files of another user. For the reason many file protection mechanisms are used.
1. Basic form of protection
a. All-None protection
In original IBM OS operating systems, files were by default public, means that any user can do all
file operations on files of any other user. Instead of software or hardware based protection
involved is trust combined with ignorance. The system designer were supposed that user will not
access other users files and he will try to access files for which he/she knows the name of the file.
Certain sytems files were sensitive and administrator can control the access of file by means of
password to indivisual file.
However all this non protection is unacceptable for several reasons?
I. Lack of trust.
II. All or nothing
III. Rise of time sharing
IV. Complexity
V. File listings.
 b. Group Protection
The previous has many drawbacks, researchers sought new way of file protection. In this system
group of users are identified with common relationship. World is divided into three classes user,
group, world. All authorized users are separated into groups. A group may consist of a member
working on common project and may be with same motivation. When creating file user defines
permission for user, other group member and for the rest of the world. The choices for access
rights may be read, write , execute, delete etc.
Advantage in this system is implementation of the system. A user is identified by two id’s user id
and group id. These identifiers are stored in the file directory entry for each file while creating.
When user logs in operating systems can easily identify user by obtaining the permissions. Some
disadvantages are
I. Group affiliation
II. Multiple personalities
III. All groups
IV. Limited sharing

2. Single Permissions
a. Password or Other token
We can apply simple form of password protection to file protection by allowing user to assign a
password to a file. Accesses are limited to those who provide correct access at the time of file
opening. Password access may be given as read-only or modifications.
However file password suffer from many difficulties like
I. Loss: password may be forgotten
II. Use: supplying password at each time is inconvenient and time consuming
III. Disclosure: if password is disclosed to authorized access file becomes accessible
IV. Revocation: to revoke one user’s access rights to file, someone must change the
password, causing same problems as disclosure.
b. Temporal Acquired Permission
The UNIX operating system provides an interesting scheme based on a three level user-group-
world hierarchy. The UNIX designers added a permissions called set user id (suid). If this
protection is set to the file to be executed, the protection level is of file’s owner not of executor.
This mechanism is convenient for systems function that general users should be able to perform
only in the prescribed way.
3. Per- Object and Per-User Protection
The primary limitation of these file protection scheme is the ability to create meaningful groups of
related users who should have similar access to one or more data sets. The access control lists or access
control matrices described earlier provided very flexible protection. Their disadvantage is for user who
wants to allow access to many users and to many different data sets; such user must still specify each
data to be accessed by each user. As a new user is added, that user’s special access rights must be
specified by all appropriate user.
Q 40] What are different methods of protection and protection level of the operating system?
Security Methods of Operating System:

The basic protection is separation: keeping one user’s objects separate from other users. Separation
in an operating system can occur in several ways:
1) Physical separation
2) Temporal separation
3) Logical separation
4) Cryptographic separation

Physical separation: in which different processes use different physical objects, such as separate printers for
output requiring different levels of security.

Temporal separation: in which processes having different security requirements are executed at different
times.

Logical separation: in which users operate under the illusion that no other processes exist, as when an
operating system constrains a program’s access so that program cannot access objects outside its permitted
domain.

Cryptographic separation: in which processes conceal their data and computations in such a way that they
are unintelligible to outside processes.

Combinations of two or more of these forms of separation are also possible. The categories of separation
are listed roughly in increasing order of complexity to implement, and, for the first three, in decreasing
order of the security provided.

Protection levels in Operating System:

There are several ways an operating system can assist, offering protection at any of several levels.

Do not protect: Operating systems with no protection are appropriate when sensitive procedures are being
run at separate times.

Isolate: When an operating system provides isolation, different processes running concurrently are unaware
of the presence of each other. Each process has its own address space, files, and other objects. The
operating system must confine each process somehow, so that the objects of the other processes are
completely concealed.
Share all or share nothing: With this form of protection, the owner of an object declares it to be public or
private. A public object is available to all users, whereas a private object is available only to its owners.
Share via access limitation: With protection by access limitation, the operating system checks the allow
ability of each user’s potential access to an object. Lists of acceptable actions guide the operating system in
determine whether a particular user should have access to particular objects. In some sense, operating
system acts as a guard between users and objects, ensuring that only authorized accesses occurs.
Share by capability: An extension of limited access sharing, this form of protection allows dynamic creation
of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context
of the computation, or on the object itself.
Limit use of an object: This form of protection limits not just the access to an object but the use made of
that object after it has been accessed. More powerfully, a user may be allowed access to data in a database
to derive statistical summaries, but not to determine specific data values.

These modes of sharing are arranged in increasing order of difficulty to implement, but also in increasing
order of fineness of protection they provide. A given operating system may provide different levels of
protection for different objects, users, or situations. The granularity of control concerns us. The larger the
level of object controlled, the easier it is to implement access control.

Q.42] What are the various password selection criteria?

The various password selection criteria are as follows:

1. Use characters other than A-Z. If passwords are chosen from the letters A-Z, there are only 26
possibilities for each character. Adding digits expands the number of possible characters to 62.
Although this change seems small the effect is large when some one is testing a full space of possible
 combination of characters. It takes about 100 hours to test all 6-letter words chosen from letters of
one case only, but it takes about 2 years is oppressive enough to make this attack far less attractive.
2. Choose long passwords. The combinational explosion of passwords begins at length 4 or 5. Choosing
longer passwords makes it less likely that a password will be uncovered. Remember that a brute
force penetration can stop as soon as the password is found. Some penetrators will try the easy
cases – known words and short passwords – and move onto another target if those attacks fail.
3. Avoid actual names or words. Theoretically, there are 266 or about 300 million “words” of length 6,
but there are only about 150,000 words in a good collegiate dictionary, ignoring length. By picking
one of the 99.95 percent non-words, you force the attacker to used the longer brute force search
instead of the abbreviated dictionary search.
4. Choose an unlikely password. Password choice is a double bind. To remember the password easily,
you want one that has a special meaning to you. However, you don’t want someone else to be able
to guess this special meaning. One easy to remember password is 2Brn2B. that unlikely looking
jumble is a simple transformation of “to be or not to be”. The first letters of a line from a song, a few
letters from different words of a private phrase, or a memorable football score are examples of
reasonable passwords. But don’t be too obvious. Password-cracking tools also test replacements of 0
(zero) for o or O (letter “oh”) and 1 (one) for 1 (letter “ell”) or $ for S (letter “ess”). So Il0veu is
already in the search file.
5. Change the password regularly. Even if there is no reason to suspect that the password has been
comprised, change is advised. A penetrator may break a password system by obtaining an old list or
working exhaustively on an encrypted list.
6. Don’t write it down. (Note: This time-honored advice is relevant only if physical security is a serious
risk. People who have accounts on many different machines and servers, not to mention bank and
charge cards PINs, may have trouble remembering all the access codes. Setting all codes the same
or using insecure but easy-to-remember passwords may be more risky than writing passwords on a
reasonably well protected list.)

Don’t tell anyone else. The easiest attack is social engineering, in which the attacker contacts the
system’s administrator or a user to elicit the password in some way. For example, the attacker may phone a
user, claim to be “system administrator”, and ask the user to verify the user’s password. Under no
circumstances should you ever give out your private password; legitimate administrators can circumvent
your password if need be, and others are merely trying to deceive you.

Q43. What are some other levels of protection that users might want to apply to code or data in
addition to the common read write or execute permissions?

There are various protection levels that users might want to apply to code or data in addition to the
common read write or execute permissions and they are:-

Class D- Minimal Protection.

This class is applied systems that have been evaluated for a higher category that but have been framed the
evaluation no security characteristics are needed for a D rating.

Class C1 - Discretionary Security Protection.

C1 is intended for an environment of cooperating users processing data at the same level of sensitivity. A
system evaluated as C1 provides the separation of users from data. That must be controls that appear
Sufficient to implement access. Limitations to allow what used to protect their data. The controls of C1
system may not have been stringently evaluated. The evaluation may be based more on the presence of
certain features. To qualify for a C1 system must have a domain that includes security features and that is
protected against Tampering.

Class C2 - Controlled Access Protection.

A C2 system still implements discretionary access control. Although the granularity of the control is finer.
The audit trail must be capable of tracking each individual's access (or attempted access) to each object.

Class B1- Labeled Security Protection.

All certification in the B division include nondiscretionary access control. At the b level, each controlled
subject and the object must be a sign the security level (for class b the protection system does not need to
control every object).
Each controlled object must be the. Individually labeled for security level and these labels must be used as
the basis for access control decisions. That access control must be based on a model employing both
hierarchical levels and non hierarchical categories. ( The military model It is an example of system and the
hierarchical levels – unclassified, classified, secret , top secret - and non hierarchical categories - need to
know category sets) the mandatory access policy is the Bell- la Padula. Controls for all accesses with user
discretionary access controls to further limit access.

Class B2- The Structured Protection.

The major enhancement for B2 is a design requirement. The design and implementation of a B2 system
must enable a more thorough testing and review. A verifiable top level. Designed must be presented and
testing must confirm that the system implements this design. The system must be internally structured into
“well- defined largely independent modules”. The principle of least privilege is to be enforced in the design.
Access control policies must be enforced on all objects and subjects including devices. Analysis of covert
channels is required.

Class B3 - Security Domains.

The security functions of a B3 system must be small enough that extensive testing. Higher level design
must be complete and conceptually simple and a convincing argument must exist that the system
implements is design. The implementation of the design must incorporate significant use of layering,
abstractions, and information hiding.
The security functions must be tamper proof. Further more the system must be” Highly Resistant to
penetration”. There is also a requirement that the system audit facility be able to identify when a violation
of security is imminent.

Class A1 - Verified Design.

Class A1 requires are formerly verified system design. The capabilities of the system are the same as for
class B3. But in addition there are five important criteria for class A1 certification: 1) A formal model of the
protected system and a proof of its consistency and adequacy .2) A formal top-level specification of the
protection system. 3) A demonstration that top level corresponds to the model,4) an implementation
“informally” shown to be consistent with the specification and 5) formal analysis of covert channels.
The above criteria were developed in the United States of America. However there are other criteria which
were developed in Europe. They include:-

The German Green Book

The German information security agency produced a catalog of criteria. Five years after U.S. Keeping with
tradition the security community began to call the document the German green book because of its green
cover. The German criteria identified eight basic security functions deemed a sufficient to enforce a broad
spectrum of security policies:

1. Identification and authentication: - unique and certain association of an identity with the subject or
object.
2. Administration of rights: - the ability to control the assignment and revocation. Off to access rights
and subjects and objects. .
3. Verification of rights :- the mediation off the attempt at subject to exercise rights with respect to an
object
4. Audit:- a record of information on the successful or attempted Unsuccessful exercise their rights
5. Object reuse: - Resetting reusable resources in such a way that no information flows occurs in
contradiction to the security policy.
6. Error Recovery:- identification of situations from which to recovery is necessary and invocation of the
appropriate action
7. Continuity of services: - identification of functionality that must be available in the system and what
degree of delay or loss can be isolated.
8. Data communications security: - Peer entity authentication control of access the communications
systems as did confidentiality, integrity and origin authentication.

The British Criteria

The British developed jointly the first public version of criteria. The original United Kingdom criteria were
based on that claims language, a metalanguage by which a vendor could make claims about functionality in
a product. The claims language consisted of a list of actions phrases and target phrases with parameter.

Information Technology Security Evaluation Criteria

This preserved the German functionality while at the same time preserving the British functionality. A
vendor has to define a target of evaluation the item that is the evaluation’s focus. This is considered as to
be the operational environment and security enforcement requirements. An evaluation can address a
product or a system.

These protection level criteria are the ones that can be used by the user to apply to code or data other than
the normal read/write/execute permissions.

Q. 44 Why should the directory of one user not be generally accessible (for read only) to other
user?
Every file has a unique owner who possesses “control” access right (include the rights to declare who
has what access) and to revoke access to any person at any time. Each user has a file directory, which lists
all the files to which that user has access.
Clearly, no user can be allowed to write in the file directory because that would be a way to forge
access to a file. Therefore, the operating system must maintain all file directories, under commands from
the owners of files. The obvious rights to files are the common read, write and execute familiar on many
shared system. Furthermore, an other right, owner, is possessed by the owner, permitting that user to
grant and revoke access rights. Fig. shows an e.g. of file directory.

File User B Directory

User A Directory File Name Access File
File Name Access File Files Rights Pointer
Rights Pointer PROG1.C ORW
PROG1.C ORW PROG1.EXE OX
PROG1.EXE OX BIBLIOG ORW
BIBLIOG ORW HELP.TET R
HELP.TET R TEMP ORW
TEMP ORW

This approach is easy to implement because it uses one list per user, naming all the objects that user
is allowed to access. However, several difficulties can arise. First, the list becomes too large if many shared
objects, such as libraries of subprograms or a common table of users, are accessible to all users. The
directory of each user must have one entry for such shared object, even if the user has no intention of
accessing the object.
A second difficulty is revocation of access. If owner A has passed to user B the right to read file F, an
entry for F is made in the directory for B. This granting of access implies a level of trust between A and B. If
A later questions that trust, A may want to revoke the access right of B. The operating system can respond
easily to the single request to delete the right of B to access F, because that action involves deleting one
entry from a specific directory. But if A wants to remove the rights of everyone to access F, the operating
system must search each individual directory for the entry f, an activity that can be time consuming on a
large system. For e.g. large timesharing systems or networks of smaller system can easily have 5,000 to
10,000 active accounts. Moreover, B may have passed the access right for F to another user, so A may not
know that F’s access exits and should be revoked. This problem is particularly serious in a network.
A third difficulty involves pseudonyms .Owner A and B may have two different files named F, and
they may both want to allow access by S. Clearly, the directory for S can’t contain two entries under the
same name for different files. Therefore, S has to be able to uniquely identify the F for A (or B). One
approach is to include the original owner’s designation as if were part of the file name, with a notation such
as A: F (or B: F).

Q45] Explain the fence register used for relocating the users programming.

The most obvious problem in multiprogramming is preventing one program from affecting the memory of
other programs. Fortunately, protection can be built into the hardware mechanism that controls efficient use
of memory, so that solid protection can be provided at essentially no additional cost.

Fence: The simplest form of memory protection was introduced in single user operating system to prevent
faulty user program from destroying part of the resident portion of operating system. As name implies a
fence is a method to confine users to one side of a boundary.
In one implementation, the fence was a predefined memory address, enabling the operating system to
reside on one side and the user to stay the other. An example of this situation is depicted in figure.
Unfortunately this kind of implementation was very restrictive because a predefined amount of space was
always reserved for operating system, whether it is needed or not. If less that the predefined space is
needed then excess space was wasted. Conversely if the operating system needed more space, it could not
grow beyond the fence boundary.

Another implementation used a

hardware register often called fence register containing the address of the end of operating systems. In
contrast a fixed fence, in this scheme the location of the fence could be changed. Each time a user program
generated an address for data modification, the address was automatically compared with fence address. If
the address was greater than the fence address (that is the users area) the instruction was executed; if it
was less that the fence address (that is the operating system area), an error condition was raised. The user
fence register is show in following figure.
A fence register protects only in one direction. In other words an operating system can be protected from
single user but fence can not protect one user from another user. Similarly a user can not identify certain
areas of the program an inviolable (such as the code of the program itself or read only data)

Relocation:

If the operating system can be assumed to be fixed size, programmers can write their code assuming
that the program begins at a constant address. This feature of the operating system makes it easy to
determine the address of any object in the program. However it also makes it essentially impossible to
change the starting address if, for example the new version of the operating system is larger or smaller
than the old. If the size of the operating system is allowed to change, then the program must be written in
the way that does not depend on placement at a specific location in memory.
Relocation is the process of taking a program written as if it began at address 0 and changing all
addresses to reflect the actual address at which the program is located in memory. In many instances the
effort merely entails adding a constant relocation factor to each address of the program. That is the
relocation factor is the starting address of the memory assigned for the program.
Continently the fence register can be used in this situation to provide an extra benefit: the fence
register can be hardware relocation device. The contents of the fence are added to each program address.
This action both relocates the address and guarantees that no one can access a location lower than the
fence address. (addresses are treated as unsigned integers, so adding the value in the fence register to any
number is guaranteed to produce a result at or above the fence address) Special instructions can be added
for the times when a program legitimately intends to access a location of the operating system.

Q.46] If two users share access to a segment , they must do it by same name . must their
protection rights to it be same?why or why not ?

1. Segmentation involves the simple notion of dividing segment into separate pieces . each piece
has a logical unity ,exhibiting a relationship among all of its code or data values .

2. For example , a segment may be a code of a single procedure , the data of an array ,or the
collection data value used by a particular module.

3. Segmentation was developed as a feasible means to produce the effect of the equivalent of a n
unbounded number of base/bound registers.

4. In other words segmentation allows a program to be divided into many pieces having different
access rights.

5. Of two users share access to a segment , they must do it by d different access rights.for this
segmentation processes uses both hardware and software .

6. The overall system can associate the certain levels of protection with certain segments and it
uses both the operating system and hardware to check that protection an each access to execute
only code and a third might be writeable data .

7. In a situation like this one , segmentation can approximate the goal of separate protection of
different pieces of a program

Q47]. Explain why asynchronous I/O activity is a problem with many memory protection scheme
including base bound and paging. Suggest a solution to problem.

A major advantage of an operating system with fence register is the ability to relocate, this characteristic is
important in a multiuser environment. With two or more user, none can know in advance where a program
will be loaded for execution. The relocation register solves the problem by providing base or starting
address. All address inside programs are offsets from that base address. All address inside programs are
offsets from that base address. A variable fence register is known as base register.

Fence register provide a lower bound but not an upper one. An upper bound can be useful in knowing how
much space is allotted and in checking for overflows into forbidden areas. To overcome this problem a
second register is often added. The second register called a bound register is an upper address limit. Each
program address is forced to be above the base address because the content of base register is added to
address.

This technique protects a program address from modification by another user. When execution changes
from one user program to another, the operating system must change the content of base and bound
register to reflect the true address space for that user. This change is part of general preparation called a
context switch.

With a pair of base/bound register a user is perfectly protected from outside user. Erroneous address inside
a user address space can still affect that program because the base/bound checking guarantees only that
each address is inside the user address space.

We can solve this problem by using another pair of base/bound registers, one for the instruction of the
program and a second for the data space. Then only instruction fetches are relocated and checked with the
first register pair and only data accesses are relocated and checked with the second register pair. Although
two pair of register does not prevent all program errors, they limit the effect of data manipulating
instruction to the data space. The pair of register offers another more important advantage: the ability to
split a program into two pieces that can relocated separately.

These two features seem to call for the use of three or more pair of registers: one for code, one for read only
data and one for modifiable data value. Although two pair of registers are the limit for practical computer
design. For each additional pair of registers, something in the machine code of each instruction must indicate
which relocation pair into be used to address the instruction operands. That is with more than two pairs each
instruction specifies one of two or more data spaces. But with only two pairs the decision can be automatic:
instruction with one pair, data with other.

Addresse
Memor
s
y
0
Base Operating
Register System
N
N+1
N+1 User A
p Program
Space
P User
pq+1
User B Progra
Bounds P+ Program m
Register Space Space
q
User C
q+1 Program Space

Hig
h
Fig: Pair of Base/Bounds Registers.

Q48] List two disadvantages of using physical separation in a computing system.

In physical separation different processes use different physical objects. Thus disadvantages associated with
this method are listed below:

i) This method leads to the poor utilization of resources, which leads to

performance degradation of the system.
ii) System requirements are much higher as compared to other methods,
because of need of separate physical objects for different process.
Q. 50 Explain Two Phase Update technique with examples.

1) Failure of the computing system in the middle of modifying data , is a serious problem.
2) If the data item to be modified was a long field, half of the field might show the new value while the
other half would contain the old. Also, a more subtle problem occurs when several fields are updated and
no single file appears to be in obvious error.
3) The solution to this problem is – The Two Phase Update technique.
4) During the first, intent phase the DBMS gathers the resources it needs to perform the update including
data, create dummy records, open files, lock out other users and calculate.
5) The first phase is repeatable an unlimited number of times, as it takes no permutation actions. If the
system fails during execution, no harm is done. All the steps can be restarted and repeated after the
system resumes processing.
6) The last event of the first phase, is called commiting, involves the writing of a commit flag, to the
database. This means that the changes made are now permanent, after this point.
7) The second phase makes the permanent changes.No actions from before the commit can be repeated.If
the system fails during the second phase, the database may contain incomplete data, but the system can
repair these data by performing all activities of the second phase.

An Example of the Two Phase Update:

Suppose a database contains an inventory of a company’s office supplies.The stockroom
tores paper, pens, paper, paper clips etc. and the different departments requisition items as they need
them.
The company buys in bulk and each department has a budget for office supplies.The stockroom monitors
quantities of supplies on hand so as to order new supplies when the stock becomes low.
Suppose the process begins with a requisition from the accounting department for 50 boxes of paper clips.
Assume there are 107 boxes in stock and a new order is placed if the quantity is low (i.e the stock falls
below 100).

1. The stockroom checks the database to determine that 50 boxes of paper clips. If not, the requisition is
rejected and the transaction is complete.
2. If enough are in stock , the stockroom deducts 50 from the inventory. (107-50=57).
3. The stockroom charges accounting’s supplies budget for 50 boxes of paper clips.
4. The stockroom checks it’s remaining quantity to check if it is below the reord point.
5. A delivery order is prepared, enabling 50 boxes of paper clips to be sent to accounting.
Suppose a failure occurs while these steps are processed. If the failure occurs before
step1 is complete no harm is done.
However, during steps 2,3,4 changes are made to the elements in the database are inconsistent. When a
two-phase commit is used, shadow values are maintained for key data points.A shadow data value is
computed and stored locally during the intent phase, and it is copied to the actual database during the
commit phase.

Intent:
1. Check the value of COMMIT-FLAG in the database. If it is set, this phase cannot be performed. Halt or
loop , checking COMMIT-FLAG until it is not set.
2. Compare number of boxes of paper clips on hand to number requisitioned,if more are requisitioned than
are on hand, halt.
3. Compute TCLIPS= Onhand –REQUISITION.
4. Obtain BUDGET, the current supplies budget remaining for accounting \department. Computer TBUDGET
=BUDGET-COST.
5.Check whether TCLIPS is below reorder point; if so set TREORDER=TRUE; else set
TREORDER=FALSE.

COMMIT:
1. Set COMMIT-FLAG in database.
2. Copy TCLIPS to CLIPS in database.
3.Copy TBUDGET to BUDGET in database.
4. Copy TREORDER to REORDER in database.
5.Prepare notice to delivery paper clips to accounting department.
6. Unset COMMIT-FLAG.
 Q 52: What factors make a data sensitive? Give Example?

Sensitive data are data that should not be made public.The challenge of access control problem is to limits
user’s access so that they can obtain only the data to which they have legitimate access.
Several factors can make data sensitive.

• Inherently sensitive:-
The values itself is Sensitive indeed. E.g. The location of defensive missiles or the
maiden income of barbers in a town with only one barber.

• From sensitive sources:-

The source of data may indicate need for confidentiality. E.g. Information from an
informer whose identity would be compromised if information were disclose.

• Declared Sensitive:-
The database administrator or the owner of the data may have declared the data to be
sensitive. E.g. classified military data.

• Part of Sensitive attribute or Sensitive record:-

In database an entire database or record may be classified as sensitive. For E.g.
Salary attribute of personnel database.
• Sensitive in relation to previously disclosed information:-
Some data becomes Sensitive in the presence of other data. E.g. Longitude coordinate
of secret gold mines reveals little latitude coordinates pinpoints the mines.

Q 54] How does DBMS detect inconsistency in database? How does it ensure the concurrency in
such cases?

Database systems are often multi-user systems. Accesses by two users sharing the
same database must be constrained so that neither interferes with other. Simple locking is done by DBMS.
If two users attempt to read the same data item, there is no conflict because both obtain the same value.
If both users try to modify the same data items, we often assume that there is no conflict because each
knows what to write; the value to be written does not depend on the previous value of the data item.
However, this supposition is not quite accurate.
To see how concurrent modification can get us into trouble, suppose that the database consists of seat
reservations for a particular airline flight. Agent A, booking a seat for passenger Mock, submits a query to
find what seats are still available. The agent knows that Mock prefers a right aisle seat, and the agent finds
that seats 5D, 11D, and 14D are open. At the same time, agent B is trying to book seats for a family of
three traveling together. In response to a query, the database indicates that 8A-B-C and 11 D-E-F are two
remaining groups of three adjacentunasssigned seats. Agent A submits the update command.

SELECT ( SEAT – NO = ‘11D’ )

ASSIGN ‘ MOCK , E ‘ TO PASSENGER- NAME

While Agent B submits the update sequence

SELECT ( SEAT – NO = ‘11D’ )

ASSIGN ‘EHLERS , P ‘ TO PASSENGER- NAME

As well as commands for seats 11E and 11F. Then two passengers have been booked into the same seat.
Both agents have acted properly: Each sought a list of empty seats,
choose one seat from the list, and updated the database to show to whom the seat was assigned. The
difficulty in this situation is the time delay between reading a value from the database and writing a
modification of that value. During the delay time , another user has accessed the same data.

To resolve this problem, a DBMS treats the entire query update cycle as a single atomic operation. The
command from the agent must now resemble “read the current value of the seat PASSENGER- NAME for
seat 11D f it is ‘UNASSIGNED’ , modify to ‘ MOCK , E ‘”.The read-modify cycle must be completed as an
Uninterrupted item without allowing any other users access to the PASSENGER-NAME field for seat 11D. The
second agents request to book would not be considered until after the first agents had been completed at
the same time the value of PASSENGER-NAME would no longer be ‘UNASSIGNED’.

Another problem in concurrent access is read-write. Suppose one user is updating a value when a second
user wishes to read it. If the read is done while the write is in progress the reader may receive data are only
partly updated. Consequently, the DBMS locks any read requests until a write has been completed.

Q55. What is Element Integrity? How does it help to detect and correct manual errors?
Element Integrity:
It concern that the value of a specific data element is written or changed only by authorized users. Proper
access controls protect a database from corruption by unauthorized users.
The integrity of the database elements is their correctness or accuracy. Ultimately, authorized users are
responsible for entering correct data in databases. However, users and programs make mistakes collecting
data, computing results, and entering values. Therefore, DBMS sometimes take special action to help catch
errors as they are made and to correct errors after they are inserted.

This corrective action can be taken in three ways.

Field Checks:
A field might be required to be numeric, an uppercase letter, or one of a set of acceptable characters, The
check ensures that a value falls within specified bounds or is not greater than the sum of the values in two
other fields. These checks prevent simple errors as the data are entered.
Access Control:
Consider life before databases. Data files may contain data from several sources, and redundant data may
be stored in several different places. For eg., a student’ s home address may be stored in several different
campus files: at class registration, for dining hall privileges, at the bookstore, and in the financial aid office.
If the student moves from one residence to another, each separate file requires correction. Without a
database, there are several risks to data’s integrity.
First, at a given time, there could be some data files with the old address (they have not yet been updated)
and some simultaneously with the new address (they have already been updated). Second, there is always
the possibility that the data fields were changed incorrectly, again leading to files with incorrect information.
Third, there may be files of which the student is unaware, so he does not know to notify the file owner
about updating the address information. These problems are solved by databases. They enable collection
and control of this data at one central source, ensuring the student and users of having the correct address.
Change Log:
The third means for providing database integrity is maintaining a change log for the database. A change log
lists every change made to database; it contains both original and modified values. Using this log, a
database administrator can undo any changes that were made in error. For eg., a library fine might
erroneously be posted against Charles W. Robertson, instead of Charles M. Robertson, flagging Charles W.
Robertson as ineligible to participate in varsity athletics. Upon discovering this error, the database
administrator obtains Charles W.’s original eligibility value from the log and corrects the database.

Q.56] How is access control is implemented in database explain the user authentication and
access policies in this context?

Access Control:
Databases are often separated logically by user access privileges. For examples, all
Users can be granted access to general data, but only the personnel department can obtain sales data and
only the marketing department can obtain sales data.

The database administrator specifies who should be allowed to access to which data, at the view relation
,field ,record or even element level. The DBMS must enforce this policy ,granting access to all specified
data or no access where prohibited. Furthermore, the number of modes access to all specified data or no
access where prohibited.

It is important to notice that you can access data by inference without needing direct access to the secure
objects itself .Restricting inferences may mean prohibiting certain access to limit the queries from the users
who are not intend unauthorized access values. Moreover, attempts to check requested accesses for
possible unacceptable interferences may actually degrade the DBMS’s performance .
Access policies:

Integrity:
In case of multilevel database integrity becomes both more important more difficult to achieve.
Because of the property of access control, a process that reads high level data is not allowed to write a
file at lower level. When this applied to databases, however this principle says that high level user
should not be able to write a lower-level data element.
The problem with this interpretation arises when DBMS must be able to read all records in the
database and write new records for any of the following purpose: to do backups, to scan the database to
answer queries, to recognize the database according to user’s processing needs, or to update all records
of the database.
When people encounter this problem, they handle it by using trust and commonsense. People who have
access to sensitive information are careful not to convey it to uncleared individuals. In computing
systems, there are two choices: either the process cleared at high level cannot write to lower level, or
the process must be a “trusted process”, the computer equivalent of a person with security clearance.
Confidentiality:
User trusts that database will provide correct information, meaning that the data are consistent and
accurate. In multilevel databases two users working at two different levels of security might get two
different answers to the same query. In order to preserve confidentiality, precision is sacrificed.
Enforcing the confidentiality also leads to unknowing redundancy. Suppose a personnel; specialist
works at one level of access permission. The specialist knows tha t Bob Hill works for the company.
However Bob’s record does not appear on the retirement payment roster. The specialist assumes this
omission is an error and creates new record for Bob.
The reason that no record for Bob appears is that Bob is the secrete agent, and his employment with
the company is not supposed to be public knowledge. There actually is a record on Bob in the file but,
because of his special position, his record is not accessible to personnel specialist. The creation of new
record means that there are two records on Bob; one sensitive and one not. This situation is called
‘polyinstanntiation’ meaning that one record can appear many times with different level of
confidentiality at each time.
Thus, merely scanning the database for duplicate is not satisfactory way to find records entered
unknowingly by people with only low clearances.

Q. 57] Explain different attacks used to determine sensitive data values from a database.

The following attacks are used to determine sensitive data values from the database:
Direct Attack
In a direct attack, a user tries to determine values of sensitive fields by seeking them directly with queries
that yield few records. The most successful technique is to form a query so specific that it matches exactly
one data item.
In table 1 a sensitive query might be

List NAME where

SEX=M ^ DRUGS=1

The above query discloses that for record ADAMS, DRUGS=1. however, it is an obvious attack because it
selects people for whom DRUGS=1
Table 1.Sample database

Name Sex Race Aid Fines Drugs Dorm

Adams M C 5000 45. 1 Holmes

Bailey M B 0 0. 0 Grey

Chin F A 3000 20. 0 West

Hill F B 5000 10 2 West

Dewitt M B 1000 35 3 Grey

Earhart F C 2000 95 1 Holmes

Fein F C 1000 12 0 West

Groff M C 4000 0 3 West

Koch F C 0 0 1 West

Liu F A 0 10 2 Grey

Majors M C 2000 0 2 Grey

Indirect Attack
Another procedure, used by the U.S. Census Bureau and other organizations that gather sensitive data, is to
release only statistics. The organizations suppress individual names, addresses, or other characteristics by
which a single individual can be recognized. Only natural statistics, such as count, sum, and mean are
released.
The indirect attack seek to infer a final result based on one or more intermediate statistical results. But this
approach requires work outside the database itself.

Sum
An attack by sum tries to infer a value from a reported sum. For example, with the sample database in table
1, it might seem safe to report student aid total by sex and dorm. Such a report is shown in table 2. this
seemingly innocent report reveals that no female living in grey is receiving financial aid. Thus we can infer
that any female living in grey is certainly not receiving financial aid. This approach often allows us to
determine a negative result.

Table 2. Sums of Financial aid by dorm and sex

Holmes Grey West Total

M 5000 3000 4000 12000

F 7000 0 4000 11000

Total 12000 3000 8000 23000

Count
The count can be combined with the sum to produce some even more revealing results. Often these two
statistics are released for a database to allow users to determine average values.
Table 3 shows the count of records for students by dorm and sex. This table is innocuous by itself.
Combined with the sum table, this table demonstrates that the two males in Holmes and West are receiving
financial aid in the amount of $5000 and $4000, respectively. We can obtain the names by selecting the
subschema of NAME, DORM, which is not sensitive because it delivers only low-security data on the entire
database.

Table 3. Count of students by Dorm and Sex

 Holmes Grey West Total

M 1 3 1 5

F 2 1 3 6

Total 3 4 4 11

Median
By a slightly more complicated process, we can determine an individual value from medians. The attack
requires finding selections having one point of intersection that happens to be exactly in the middle.
For example, in our sample database, there are five males and three persons whose drug use value is 2.
arranged in the order of aid, these lists are shown in table 4. someone working at the Health Clinic might be
able to find out that Majors is a White male whose drug use score is 2. That information identifies majors as
the intersection of these two lists and pinpoints Majors financial aid as $2000. in this example, the queries
q = median (AID where SEX=M)
p = median (AID where DRUGS=2)
reveal the exact financial aid amount for Majors.

Table 4. Inference from Median of Two Lists

Name Sex Drugs Aid

Bailey M 0 0

Dewitt M 3 1000

Majors M 2 2000

Groff M 3 4000

Adams M 1 5000

Liu F 2 0

Majors M 2 2000

Hill F 2 5000

Attacks:
Attacks are the external things which causes the computer system malfunctioning and diminish the
value of the software’s assets. Attacks can destroy the system security gradually. There are various attacks
which determine sensitive data values from a database. They are given as follows.
1. Threats
A threat to a computer system is a set of circumstance that has the potential to cause loss or
harm.
2. Vulnerability
The vulnerability is a weakness in the security system, for example, in procedures, design, or
implementation that might be exploited to cause loss or harm. For instance, a particular system may be
vulnerable to unauthorized data manipulation because the system does not verify a user’s identity be fore
allowing data access.
However, we can see a small crack in the wall-a vulnerability that threatens the man’s security. If the
water rises to or beyond the level of the crack it will exploit the vulnerability and harm the man.
A human who exploits a vulnerability perpetrates an attack on the system .An attack can also be launched
by another system as when one system sends an overwhelming set of messages to another system virtually
shutting down second system’s ability to function.
3. Control:
A Control is an action, devise, procedure, or technique that removes or reduces vulnerability. For
example the man is placing his finger in the hole, controlling the threat of water leaks until he finds a more
permanent solution to the problem
Q 58] What is inference problem? Explain with respect to its vulnerability on database.

The inference problem is a way to infer or derive sensitive date from nonsensitive
data. The interference problem is a subtle vulnerability in database security.
The database in table-1 can help illustrate the inference problem. Recall that AID is the
amount of financial aid a student is receiving. FINES is the amount of parking fines still owed. DRUGS is
the result of a drug-use survey:0 means never used and 3 means frequent user. Obviously this
information should be kept confidential. We assume that AID, FINES, and DRUGS are sensitive fields,
although only when the values are related to specific individual.

Name Sex Race Aid Fines Drugs Dorm

Adams M 500 45. 1
C Holmes
Bailey M B 0 0. 0 Grey
Chin F A 3000 20. 0 West
Dewitt M B 1000 35. 3 Grey
Earhart F C 2000 95. 1 Holmes
Fein F C 1000 15. 0 West
Groff M C 4000 0. 3 West
Hill F B 5000 10. 2 Holmes
Koch F C 0 0. 1 West
Liu F A 0 10. 2 Grey
Majors M C 2000 0. 2 Grey

Table-1 Sample Database.

Direct Attack: In a direct attack, a user tries to determine values of sensitive fields by seeking them
directly with queries that yield few records. The most successful technique is to form a query so specific that
it matches exactly one data item.
In Table-1, a sensitive query might be

List NAME where

SEX = M /\ DRUGS = 1
This query disclose that for record ADAMS, DRUGS = 1. However, it is an obvious attack because it selects
people for whom DRUGS = 1.

Indirect Attack: Another procedure, used by organizations that gather sensitive data, is to release only
statistics. The organizations suppress individual names, addresses, or other characteristics by which a
single individual can be recognized. Only neural statistics, such as count, sum, and mean, are released.

• Sum: An attack by sum tries to infer a value from a reported sum. For example, with sample
database in Table-1, it might seem safe to report student aid total by sex and dorm. This
Highest
approach often allows us to determine a negative result.
• Count: The count can Values for
be combined with sum to produce some even more revealing results.
Often these two statistics are released for a database to allow users to determine average
Attribute 1
values.
• .
Median: By a slightly more complicated process, we can determine an individual value from
medians. The attack. requires finding selections having one point of intersection that happens to
be exactly in the middle, as shown in fig-1 below:

Lowest Median for Highest

Values for . . . . Attribute 1; . . . value for
Attribute 2 . Median for Attribute2
Attribute 2
Lowest
Fig-1: Intersecting Medians.
Tracker attack: Database management system may conceal data when a small number of entries make up
a large proportion of data revealed. A tracker attack can fool the database manager into locating the desired
data by using additional queries that produce small result. The tracker adds additional records to be
retrieved for two different queries; the two set of records cancel each other out, leaving only the statistics
or data desired. The approach is to use intelligent padding of two queries. In other words, instead of trying
to identify a unique value, we request n-1 other values. Given n and n-1, we can easily compute the desired
single element.
For instance, suppose we wish to know how many female Caucasians live in Holmes hall. A
query posed might be

Count ((SEX = F) /\ (RACE = C) /\ (DROM = Holmes))

Linear System Vulnerability: A tracker is a specific case of a more general vulnerability. With a little
logic, algebra, and luck in the distribution of the database contents, it may be possible to determine series
of queries that returns results relating to several different sets. This attack can also be used to obtain
results other than numerical ones.

Q59) Explain relationship between security and precision with help of Diagram ?

Least Sensitive

Conceal for
Maximum Security Most Sensitive

Concealed-Not Disclosed
Reveal for Maximum
Precision Cannot be inferred from queries
Figure: Security versus Precision

May be inferred from queries

Freely Disclosed in Response to Queries

 For reasons of confidentiality we want to disclose only those data that are not sensitive. Such an outlook
encourages a conservative philosophy in determining what data to disclose: less is better than more.
The conservative philosophy suggests rejecting any query that mentions a sensitive field. We may
thereby reject many reasonable and nondisclosing queries.

For example: A researcher may want list of grades for all students using drugs. These queries probably do
not compromise the identity of any individual. We want disclose as much data as possible so that users of
the database have access to the data they need. This goal called Precision, aims to protect all sensitive data
while revealing as much non sensitive data as possible.

We can depict the relationship between security and precision with help of concentric circles. As figure
shows, the sensitive data in the central circle should be carefully concealed. The outside line represents data
we willingly disclose in response to queries. But we know that the user may put together piecies of the
disclosed data and infer other , more deeply hidden, data. The figure shows us that beneath the outer layer
may be yet more nonsensitive data that the user cannot infer.
The ideal combination of security and precision allow us to maintain the perfect confidentiality with
maximum precision; in other words, we disclose all and on;y the nonsensitive data. But achieving this goal
is not as easy as it might seem.
Q.60] What is N item k % rule? How does it help to suppress personal data values?

The n-item k- percent rule eliminates certain low frequency elements from being displayed. It is not
sufficient to delete them, however, if their values can also be inferred.
The data in this table suggest that the cells with counts of 1 should be suppressed, their counts are too
revealing.But it does no good to suppress the Male-Holmes cell when the value 1 can be determined by
subtracting Female_Holmes (2) from the total (3) to determine 1 as shown in table.

Students by Dorm and Sex

Sex Holmes Grey West Total
M 1 3 1 5
F 2 1 3 6
Total 3 4 4 11

When one cell is suppressed in a table with totals for rows and columns, it is necessary to suppress
at least one additional cell on the rows and one on the columns to provide some confusion. Using this logic,
all cells would have to be suppressed in this small sample table. When totals are not provided, single cells in
a row or column can be suppressed.

Q 62] List security requirements for database system.

The basic security requirements of database systems are not unlike those of other
computing systems. The basic problems-access control, exclusion of spurious data,
authentication of users, and reliability –have appeared in many contexts.

Following is a list of requirements for database security.

a) Physical database integrity :- The data of a database are immune to physical problems, such
as power failures, and someone can reconstruct the database if it is destroyed through a
catastrophe.
b) Logical database integrity :- The structure of the database is preserved. With logical integrity
of a database, a modification to the value of one field does not affect other fields.
c) Element integrity :-The data contained in each element are accurate.
d) Auditability :-It is possible to track who or what has access(or modified) the elements in the
database.
e) Access control: The user is allowed to access only authorized data and different user can be
restricted to different modes of access.(such as read or write).
f) User authentication: Every user is positively identified ,both for the audit trail and for
permission to access certain data.
g) Availability: User can access the database

Q.63 Explain following points with respect to security of the database system?

1. Integrity of database
2. Auditability
3. User Authentication
4. Access control
5. Element integrity
6. Availability

Ans.

1. Integrity of database

The data of a database are immune to physical problems, such as power failures,
and someone can reconstruct the database if it is destroyed through a catastrophe. In logical database
integrity the structure of the database preserved. With logical integrity of the database, a modification to
the value one field does not affect other fields.

Integrity of the database as a whole is the responsibility of the DBMS, the operating system, the
computing system manager. From the perspective of the operating system and computing system
 manager, database and DBMSs are files and programs. Therefore, one way of protecting the database as
whole is to regularly back up all files on the system.

2. Auditability For all application it ,ay be desirable to generate an audit record of all access to
database. Such a record can help to maintain the database’s integrity, or at least to discover after
the fact who had affected what values and when. Another advantage of this is that user can access
protected data incrementally. That is no single access reveals the data.
3. User AuthenticationThe DBMS can require authentication, a DBMS might insist that a user pass
both specific password and time of day checks. This authentication supplements the authentication
performed by the operating system The DBMS runs as an application program on top of the
operating system. This sytem design means that there is no trusted path from the DBMS to the
operating system.
4. Access ControlDatabase are often prevented and separated logically by the user privileges. All
users can be granted access to general data, but only the personal department can obtain salary
data only the marketing department can obtain sales data. The database administrator specifies
who should be allowed access to which data as the view, relation, field, record, or even element
level. The DBMS must enforce this policy granting access to all specified data or no access where
prohibited.
5. Element Integrity The integrity of the database is their correctness or accuracy. Authorised users
are responsible for entering correct data in database. Users and programs are make mistakes
collecting data, computing results. Etc.
6. Avalibility A DBMS has aspects of both programs and a system. It is a program that uses other
hardware and software resources so that many users it is the application run. Users often the DBMS
for granted employing it as in the only essential tool with which to perform particulars task.

Q. 64] Explain clearly how 3 aspects of security integrity-confidentiality, reliability relate to

DBMS .

The computer security means that we are addressing three very important aspects of any computer related
system ; confidentiality , integrity and availability .

Integrity and confidentiality :

The three aspects of computer security – integrity , confidentiality availability clearly
relate to database management systems. Integrity applies to the individual elements of
a database as well as to the database as whole. Thus , integrity is a major concern in the design of
database management systems .
Confidentiality is a key issue with databases because of the inference problem , whereby a user
can access sensitive data indirectly . Inference and access controls strategies are defined in this.
Availability is important because of the shared access motivation underlying database
development . availability conflicts with confidentiality .
Reliability and Integrity :Databases amalgamate data from many sources , users expects a DBMS to provide
access to the data in a reliable way .
When software engineers say that software is reliable , they mean that the software runs for very
long periods of time without failing .
Users certainly expects a DBMS to be reliable , since the data usually are key to business or
organizational needs . Moreover , users entrust their data to a DBMS and integrity expect it to protect the
data from loss or damage .Concerns for reliability and integrity are general security issues , but they are
more highly apparent with databases
There are several ways that a DBMS guards against loss or damage , and the controls are not
absolute : no control can prevent an authorized user from inadvertently entering an acceptable but
incorrect value .

Database concerns about reliability abd integrity can be viewed from three dimensions as follows :

1. Database integrity : concern that a database as a whole is protected against damage , as from the
failure of a disk drive or the corruption of the master database index . these concerns are addressed
by operating system integrity controls and recovery procedures .
2. Element Integrity : concern that the value of a specific data element is written or changed only by
authorized users . proper access controls protect a database from corruption by un authorized
persons .
 3. Element Accuracy : Concern that only correct values are written into the elements of a database .
checks on the values of elements can help to prevent insertion of improper values . also , constraint
conditions can detect incorrect values .

For the reliability of data in an database we consider the following issues :

1. Protection features from Operating system .
2. Two phase update
3. redundancy / internal consistency
- error detection and correction codes
- shadow fields
2. recovery
3. monitors for structural integrity
4. Range comparisons
5. state constraints
6. transition constraints etc.

Thus , integrity ,confidentiality , reliability are closely related concepts in databases Users trust the DBMS
to maintain their data correctly , so integrity issues are very important to database security .

Q.65] ”Database concerns about reliability and integrity can be viewed from three dimensions.”
– Explain.

Databases amalgamate data from many sources, and users expect a DBMS to provide access to the
data in a reliable way. When software engineers say that software is reliable, they mean that the software
runs for very long periods of time without failing. Users certainly expect a DBMS to be reliable, since the
data usually are key to business or organizational needs. Moreover, users entrust their data to a DBMS and
rightly expect it to protect the data from loss or damage. Concerns for reliability and integrity are general
security issues, but they are more highly apparent with databases.

There are several ways that a DBMS guards against loss or damage. However, the controls we
consider are not absolute: no control can prevent an unauthorized user from advertently entering an
acceptable but incorrect value.

Database concerns about reliability and integrity can be viewed from three dimensions:

• Database integrity: concern that the database as a whole is protected against damage, as from the
failure of a disk drive or the corruption of the master database index. These concerns are addressed by
the operating system integrity controls and recovery procedures.

• Element integrity: concern that the value of a specific data element is written or changed only by
authorized users. Proper access controls protect a database from corruption by unauthorized users.

• Element accuracy: concern that only correct values are written in to the elements of a database.
Checks on the values of elements can help to prevent insertion of improper values. Also, constraint
conditions can detect incorrect values.

Q.66] What is sensitivity data? Explain several factors that can make data sensitive?

Some databases contain what is called sensitive data. As a working definition, let us say that sensitive
data are data that should not be made public. Determining which data items and fields are sensitive
depends both on individual database and the underlying meaning of the data. Obviously, some databases,
such as public library catalog, contain no sensitive data; other database, such as defense- related ones, are
totally sensitive These two cases- nothing sensitive and everything sensitive-are the easiest to handle
because they can be covered by access controls to the database itself. Someone either is or is not an
authorized user. These controls are provided by the operating system.

The more difficult problem, which is also the more interesting one, is the case in which some but not
all of the elements in the database are sensitive. There may be varying degrees of sensitivity. For example,
a university database might contain student data consisting of name, financial aid, dorm, drug use, sex,
parking fines, and race. Name and dorm are probably the least sensitivity; financial aid, parking fines, and
drug use the most; sex and race somewhere in between. That is, many people may have legitimate access
to name, some to sex and race, and relatively few to financial aid, parking fines, or drug use. Indeed,
knowledge of the existence of some fields, such as drug use, may itself be sensitive.

Sample Database:
Name Sex Race Aid Fines Drugs Dorm
Adams M C 5000 45 1 Holmes
Bailey M B 0 0 0 Grey
Chin F A 3000 20 0 West
Dewitt M B 1000 35 3 Grey
Earhart F C 2000 95 1 Holmes
Fein F C 1000 15 0 West
Groff M C 4000 0 3 West
Hill F B 5000 10 2 Holmes
Koch F C 0 0 1 West
Liu F A 0 10 2 Grey
Majors M C 2000 0 2 Grey

Several factors can make data sensitive.

1. Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the
locations of defensive missiles or the median income of barbers in a town with only one barber.
2. From a sensitive source. The source of the data may indicate a need for confidentially. An example
is information from an informer whose identity would be compromised if the information were
disclosed.
3. Declared sensitive. The database administrator or the owner of the data may have declared the data
to be sensitive. Examples are classified military data or the name of the anonymous donor of a piece
of art.
4. Part of a sensitive attribute or a sensitive record. In a database, an entire attribute or record may be
classified as sensitive. Examples are the salary attribute of a personnel database or a record
describing a secret space mission.
5. Sensitive in relation to previously disclosed information. Some data become sensitive in the
presence of other data. For example, the longitude coordinate of a secret gold mine reveals little, but
the longitude coordinate in conjunction with the latitude pinpoints the mine.

Q.67] Write and explain types of disclosures.

Any descriptive information about data when revealed leads to a disclosure. Following are the types of
disclosures:

1. Exact Data: The most serious type of disclosure is the exact value of the data item concerned. The user
may intentionally request sensitive data, or may request general data unknowingly that some of it is
sensitive.
2. Bounds: Disclosing the bounds of a sensitive value is also a form of disclosure. This means indicating
that a sensitive value, say y lies between L & H. The user may then use a technique similar to binary
search, and issue multiple requests to determine L<=y<=H and then L<=y<=H/2 and so on till the
user gets the desired precision.
3. Negative Result: This means determining that z is NOT a value of y. A user can query to determine a
negative result. This may provide valuable information such as “0 is not the number of HIV cases in an
University” which means at least one case is present in the University.
4. Existence: Sometimes, the existence of a data is itself a sensitive information, regardless of its value.
E.g. An employer may not want his workers to know that all long distance lines are being monitored. In
that case, discovering a LONG DISTANCE entry in a personal record leads to disclosure.
5. Probable Value: It may be possible to determine the probability that a certain element has a certain
value.

Q. 68] Write short note on Security versus Precision.

Sometimes it is difficult to determine what data are sensitive and how to protect them. The situation
is complicated by desire to share no sensitive data. For reasons of confidentiality we want to disclose only
those data that are not sensitive. Such an outlook encourages a conservative philosophy in determining
what data to disclose ;less is better than more.
On the other hand, consider the users of the data. The conservative philosophy suggests rejecting
any query that mentions a sensitive field. We may thereby reject many reasonable and nondisclosing
queries. For example, a researcher may want a list of grades for all students using drugs. These queries
probably do not compromise the identity of any individual. We want to disclose as much data as possible so
that users of the database have access to the data they need.
Precision aims to protect all sensitive data while revealing as much non sensitive data as possible
where as security allows authorize access to information thereby not allowing the data to get corrupted by
intruders.
One can depict the relationship between security and precision with concentric circles. As shown in the
figure ,the sensitive data in the central circle should be carefully concealed.

Least sensitive

Conceal for maximum

Security

Concealed

Reveal for Maximum

Cannot be inferred from queries
Precision

May be inferred from queries

Freely disclosed in response to queries

The outside band represents data we willingly disclose in response to queries .But the user may put
together pieces of disclosed data and infer other, more deeply hidden, data. The figure shows that beneath
the outer layer may be yet more non sensitive data that the user cannot infer.
The ideal combination of security and precision allows us to maintain perfect confidentiality with maximum
precision; in other words, we disclose all and only the non sensitive data. But achieving this goal is not as
easy .

Q.69] Explain following types of attack for db system:

a)Direct attack
b)Indirect attack
c)Tracker attack

DIRECT ATTACK: In a direct attack,a user tries to determine values of sensitive fields by seeking them
directly with queries that yield few records.The most successful technique is to form a query so specific that
it matches exactly one data item.
In table below ,a sensitive query might be
List NAME where
SEX=M^ DRUGS=1
This query discloses that for record ADAMS,DRUGS=1.However,it is an obvious attack because it selects
people for whom DRUG=1.
Table Sample Database(repeated)

Name Sex Race Aid Fines Drugs Dorm

Adams M C 5500 45 1 Holmes
Bailey M B 0 0 0 Grey
Chin F A 3000 20 0 West
Dewitt M B 1000 35 3 Grey
Earhart F C 2000 95 1 Holmes
Fein F C 1000 15 0 West
Groff M C 4000 0 3 West
Hill F B 5000 10 2 Holmes
Koch F C 0 0 1 West
Liu F A 0 10 2 Grey
Majors M C 2000 0 2 Grey

A less obvious query is

List NAME where
(SEX=M^ DRUGS=1)v
(SEX!=M^ SEX!=F)v
(DORM=AYRES)

On the surface,this query looks as if it should conceal drug usage by selecting other non-drug-related
records as well.However,this query still retrieves only one record,revealing a name that corresponds to the
sensitive DRUG value.The DBMS needs to know that SEX has only two possible values,so that the second
clause will select no records.Even if that were possible,the DBMS would also need to know that no records
exist with DORM=AYRES,even though AYRES might in fact be an acceptable value for DORM.
The rule of “n items over k percent “ means that data should be withheld if n items represent
over k percent of the result reported .In the previous case, the one person selected represents hundred
percent of the data reported, so that there would be no ambiguity about which person matches the query.

INDIRECT ATTACK :
The indirect attack seeks to infer a final result based on one or more intermediate statistical results.But this
approach requires work outside the database itself.In particular, a statistical attack seeks to use some
apparently anonymous statistical measure to infer individual data.

We reprsent several examples of indirect of indirect attacks on databases that reports statistics.
Sum:
An attack by sum tries to infer a value from a reported sum.For,example with the sample database in table
drawn ealier ,it might seem safe to report student aid total by sex and dorm.Such a report is shown in the
table drawn below.This seemingly innocent report reveals that no female living in Grey is receiving financial
aid.Thus,we can infer that any female living in Grey(such as Liu) is certainly not receiving financial aid.This
approach often allows us to determine a negative result.

Sums of Financial Aid by Dorm and Sex

Holmes Grey West Total

M 5000 3000 4000 12000
F 7000 0 4000 11000
Total 12000 3000 8000 23000

TRACKER ATTACKS:
A tracker attack can fool the database manager into locating the desired data by using additional queries
that produce small results,The tracker adds additional records to be retrieved for two different queries; the
two sets records cancel each other out,leaving only the statistic or data desired.The approach is to use
intelligent padding of two queries.In other words,instead of trying to identify a unique value,we request n-1
other values.Given n and n-1,we can easily compute the desired single element.
For instance,suppose we wish to know how many female Caucasians live in Holmes Hall.A query
posed might be

Count ((SEX=F) ^ (RACE=C) ^ (DORM=Holmes))

The database management system might consult the database,find that the answer is 1,and refuse to
answer that query because one record dominates the result of the query. However further analysis of the
query allows us to track sensitive data through non-sensitive queries.
Q70] Write a short note on linear system vulnerability.

LINEAR SYSTEM VULNERABILITY

A tracker is a specific case of a general vulnerability .With a little logic ,algebra ,and luck in the distribution
of the database contents, it may be possible to determine a series of queries that returns results relating to
several different sets .For example ,the following system of five queries does not overtly reveal any single c
value from the database. However ,the queries’ equations can be solved for each of the unknown c values,
revealing them all.

Q1=c1+c2+c3+c4+c5
Q2=c1+c2+c4
Q3=c3+c4
Q4=c4+c5
Q5=c2+c5
To see how ,use of basic algebra to note that q1-q2=c3+c5, and q3-q4=c3-c5.Then ,subtracting these two
equations ,we obtain c5=((q1-q2)-(q3-q4)/2.Once we know c5,
We can derive the others .
In fact, this attack can also be used to obtain results other than numerical ones . Recall that we can apply
logical rules and ,or ,typical operators for database queries ,to derive
Values from a series of logical operations . For example ,each expression may represent a query asking for
precise data instead of counts .

The result of the query is a set of records . Using logic and set algebra in a manner
similar to our numerical example , we can carefully determine the actual values for each of the s value.

Q.71] Explain different controls for Statistical inference attacks.

The controls for all statistical attacks are similar.Eventually there are two ways to protect against inference
attacks.Either controls are applied to queries or controls are applied to individual items within the
database.Query controls are effective primarily against direct attacks.
Suppression and concealing are two controls applied to data items.With suppression sensitive
data values are not provided; the query is rejected without response.With concealing the answer provided is
close to but not exactly the actual value.examples of suppression and concealing are:-
Limited response suppression
Student by dorm and sex
Holmes Grey West Total
Male 1 3 1 5
Female 2 1 3 6
Total 3 4 4 11

The n-item k-percent rule eliminates certain low frequency elements from being displayed.the data in the
table suggests that the cell with count of one should be suppressed as theit counts are too revealing.But it
does no good to suppress the male-holmes cell when the value 1 can be determined by substracting female-
holmes from the total to determine I as shown in the next table.

Students by dorm and sex with low count suppression.

Holmes Grey West Total
Male - 3 - 5
Female 2 - 3 6
Total 3 4 4 11
When one cell is suppressed in a table with total for rows and columns,it is necessary to suppress at least
one additional cell on the row and one on the column to provide some confusion.
Combined result
Student by sex and drug use
Drug use

Sex 0 1 2 3

Male 1 1 1 2

Female 2 2 2 0
Another control combines rows or columns to protect sensitive values.these counts combine with other
results such as sum,permit us to infer individual drug use.
Suppression by combining revealing values
Drug use
Sex 0 or 1 2 or 3
male 2 3
female 4 2

To suppress sensitive information it is possible to combine the attributes values for 0 and 1 and ,also for 2
and 3,producing the less sensitive results as shown in the table above.

Random sample
With random sample control a result is not derived from the whole database;instead the result is
computed on arandom sample of the database.The sample chosen is large enough to be valid.thus a result
of 5 percent for a particular query means that 5 percent of the record chosen for the sample had the desired
property.In this way all equivalent queries will produce the saem result,although the result will be fo the
entire database.
Query analysis
A more complex form of security uses query analysis.Here a query and its implications are analysed to
determine whether a result should be provided.Query analysis can be quite difficult.One approach involves
maintaining a query history for each user and judging a query in the context of what inferences are possible
given previous results.

Q. 72] Explain aggregation in relation with inference problem.

AGGREGATION : Aggregation is a process of building sensitive result from less sensitive inputs.
Addressing the aggregation problem is difficult because it require the database management system to
track what results each user had already received and conceal any result that would let the user derive a
more sensitive result. Aggregation is especially difficult to counter because it can take place outside the
system. For example suppose the security policy is that anyone can have either the latitude or longitude of
the mine, but not both.
The inference problem is a way to infer or derive sensitive data from non sensitive data .The inference
problem is a subtle vulnerability in database security.
Aggregation was of interest to database security researchers at the same times as was inference. As
we have been few proposals for countering aggregation.

Q.73] Explain security issues in multilevel databases.

Integrity: In case of multilevel database integrity becomes both more important more difficult to achieve.
Because of the property of access control, a process that reads high level data is not allowed to write a file
at lower level. When this applied to databases, however this principle says that high level user should not be
able to write a lower-level data element.
The problem with this interpretation arises when DBMS must be able to read all records in the database and
write new records for any of the following purpose: to do backups, to scan the database to answer queries,
to recognize the database according to user’s processing needs, or to update all records of the database.
When people encounter this problem, they handle it by using trust and commonsense. People who have
access to sensitive information are careful not to convey it to uncleared individuals. In computing systems,
there are two choices: either the process cleared at high level cannot write to lower level, or the process
must be a “trusted process”, the computer equivalent of a person with security clearance.
Confidentiality:User trusts that database will provide correct information, meaning that the data are
consistent and accurate. In multilevel databases two users working at two different levels of security might
get two different answers to the same query. In order to preserve confidentiality, precision is sacrificed.
Enforcing the confidentiality also leads to unknowing redundancy. Suppose a personnel; specialist works at
one level of access permission. The specialist knows tha t Bob Hill works for the company. However Bob’s
record does not appear on the retirement payment roster. The specialist assumes this omission is an error
and creates new record for Bob.
The reason that no record for Bob appears is that Bob is the secrete agent, and his employment with the
company is not supposed to be public knowledge. There actually is a record on Bob in the file but, because
of his special position, his record is not accessible to personnel specialist. The creation of new record means
that there are two records on Bob; one sensitive and one not. This situation is called ‘polyinstanntiation’
meaning that one record can appear many times with different level of confidentiality at each time.Thus,
merely scanning the database for duplicate is not satisfactory way to find records entered unknowingly by
people with only low clearances.

Q74. Explain different mechanisms to implement separation in databases?

Different mechanisms to implement separation in databases are as follows:
Partitioning: The obvious control for multilevel databases is Partitioning. The database is divided into
separate databases, each at its own level of sensitivity. This approach is similar to maintaining separate files
in separate file cabinets.
This control destroys a basic advantage of database: elimination of redundancy & improved accuracy
through having only one field to update. Furthermore, it does not address the problem of a high-level user
who needs access some low-level data combined with high-level data.
Encryption: If sensitive data are encrypted, a user who accidentally receives them cannot interpret the
data. Thus, each level of sensitive data can be stored in a table encrypted under a key unique to the level of
sensitivity but encryption has certain disadvantages.
First a user can mount a chosen plaintext attack. Suppose party affiliation of REP or DEM is stored in
encrypted from in each record. A user who achieves access to these encrypted fields can easily decrypt
them by creating a new record with party=Dem & comparing the resulting encrypted version to that
element in all other records. Worse, if authentication data are encrypted, the malicious user can substitute
the encrypted form of his or her own data for that of any other user. Not only does this provide access for
the malicious user, but it also excludes the legitimate user whose authentication data have been changed to
that of the malicious user. These possibilities are shown below:

K1
D Q
E Z
M 7

K2
D
E
M @
P
Original Record Encryption 9
Encrypted Record
Mechanism

Cryptographic Separation: Different Encryption Keys.

Integrity Lock:
The integrity Lock is a way to provide both integrity and limited access for a database. A model of the
basic integrity lock is shown below. As illustrated, each apparent data item consists of three pieces: the
actual data item itself, a sensitivity label, and a checksum. The sensitivity label defines the sensitivity of the
data, and the checksum is computed across both data and sensitivity label to prevent unauthorized
modification of the data item or its label. The actual data item is stored in plaintext, for efficiency because
the DBMS may need to examine many fields when selecting records to match a query.
 The third piece of the integrity lock for a field is an error detecting code, called a cryptographic
checksum. To guarantee that a data value or its sensitivity classification has not been changed, the
checksum must be unique for a given database.
Data item Sensitivity Checksum

Secret Agent TS 10FB

Sensitivity Mark

Checksum

Fig: Integrity Lock

Sensitivity Lock: A Sensitivity Lock is a combination of a unique identifier and the sensitivity level.
Because the identifier is unique, each lock relates to one particular record. Many different elements will have
the same sensitivity level. A malicious subject should not able to identify two elements having identical
sensitivity levels just by looking at the sensitivity level portion of the lock. Because of the encryption, the
lock’s contents, especially the sensitivity level, are concealed from plain view. Thus, the lock is associated
with one specific record, and it protects the secrecy of the sensitivity level of that record.

Secr
R07 Secret Agent TS
Record Data Item Sensitivity Mark Sensitivity Lock
Number

Key K

Encryption
Function

Sensitivity Lock

Q. 75 Explain Integrity Lock DBMS Design ?

The integrity lock was proposed at the U.S. The lock is a way to provide both integrity and limited access for
database. A model of the basic integrity lock is shown in the figure below.

Data Item Sensitivity Checksum

Secrete Agent TS 10 FB

Sensitivity Mark

Checksum

Integrity Lock
As illustrated, each apparent data item consists of three pieces: the actual data item itself, a sensitivity
label, and a checksum. The sensitivity label defines the sensitivity of the data, and the checksum is
computed across both data and sensitivity label to prevent unauthorized modification of the data or its label.
The actual data item is stored in plain text, for efficiency because the DBMS may need to match a query.

The sensitivity label should be

 Unforgeable, so that malicious subject cannot create a new sensitivity level for an element.
 Unique, so that a malicious subject cannot copy a sensitivity level from another level.
 Concealed, so that malicious subject cannot even determine the sensitivity level of an arbitrary
element.

The third piece of the integrity lock for a field is an error-detecting code, called a cryptographic
checksum. To guarantee that a data value or its sensitivity classification has not been changed, this
checksum must be unique for a given element, and must contain both the elements data value and
something to tie that value to a particular position in the database. As shown in the figure below

Data Item Sensitivity Checksum

R07 Assignment Secret Agent TS 10FB

Sensitivity Mark

Checksum

An appropriate cryptographic checksum includes something unique to the record, something unique to this
datafield within the record, the value of this element, and the sensitivity classification of the element. These
four components guard against anyone’s changing, copying, or moving the data. The checksum can be
computed with a strong encryption algorithm such as the Data Encryption Standard(DES).
The integrity lock DBMS was invented as a short-term solution to the security problem for multilevel
databases. The intention was to able to use any (untrusted) database manager with a trusted procedure
that handles access control. The sensitive data were obliterated or concealed with encryption that protected
both a data item and its sensitivity. In this way, only the access procedure would need to be trusted
because only it would be able to achieve or grant access to sensitive data.
The efficiency of integrity lock’s is a serious drawback. The space needed for storing an
element must be expanded to contain the sensitivity label. Because there are several pieces in the label and
one label for every element, the space required is significant.

Q. 76 Explain the trusted front end design model for multilevel databases?

A trusted front end is also know as a guard and operates much like the reference monitor. This
approach, originated by Hinke and Schaefer, recognized that many DBMSs have been built and put into
use without considerations of multilevel security. Staff members are already trained in using these
DBMSs ad they may in fact use them frequently. The front-end concept takes advantage of \existing
tools and expertise, enhancing the security of these existing systems with minimal change to the
system. The interaction between a user, a trusted front end and a DBMS involves the following steps.

1. A user identifies himself or herself to the front end; the front end authenticates the user’s identify.
2. The user issues a query to the front end.
3. The front end verifies the users, authentication to data.
4. The front end issues a query to the database manager.
5. The data base manager performs I/O access, interacting with low level access control to achieve
access to actual data.
6. The database manager returns the result of the query to the trusted front end.
7. The front analyses the sensitivity levels of the data items in the result and selects those items
consistent with the user’s security level.
8. The front end transmits selected data to the untrusted front end for formatting.
9. The untrusted front end transmits formatted data to the user.
 The trusted front end serves as a one way filter, screening out results the user should not be able to
access. But the scheme is inefficient because potentially much data is retrieved and then discarded an
inappropriate for the user.
Q 77. Explain the use of commutative filters at record, attribute, and element level.
A commutative filter is a process that forms an interface between the user and a DBMS. However, unlike the
trusted front end, the filter tries to capitalize on the efficiently of most DBMSs. The filter reformats the
query so that the database manager does as much of the work as possible, screening out many
unacceptable records. The filter then provides a second screening to select only data to which the user has
access.

Filters can be used for security at record, attribute, or element level.

1. When used at record level , the filter requests desired data plus cryptographic checksum information;
it then verifies the accuracy and accessibility of data to be passed to the user.

2. At the attribute level, the filter checks whether all attributes in the user’s query are accessible to the
user and if so passes the query to the database manager. On return, it deletes all fields to which the
user has no access rights.

3. At the element level, the system requests desired data plus cryptographic
checksum information. When these are returned, it checks the classification level of every element of
every record retrieved against the user’s level.

Suppose a group of physicists in Washington works on very sensitive projects,. So the current user should
not be allowed to access the physicist’s names in the database. The restriction presents a problem with this
query:
retrieve NAME where ((OCCUP= PHYSICIST) ^ (CITY=WASHDC))
Suppose, too, that the current user is prohibited from knowing anything about any people in Moscow. Using
a conventional DBMS, the query might access all records, and the DBMS would pass the result on to the
user. However we have seen the user might infer things about Moscow employees or Washington physicists
working on secret projects without even accessing those fields directly.
The commutative filter reforms the original query in a trustable way so that threw sensitive information is
never extracted from the database. Our sample query would become
Retrieve NAME where ((OCCUP= PHYSICIST) ^ (CITY=WASHDC))
From all records R where
(NAME-SECRECY-LEVEL (R) <= USER-SECRECY-LEVEL) ^
(OCCUP-SECRECY-LEVEL (R) < = USER-SECRECY-LEVEL)^
(CITY-SECRECY-LEVEL (R) < = USER-SECRECY-LEVEL))
The filter works by restricting the query to the DBMS and the restricting the results before they are returned
to the user. In this instance, the filter would request NAME ,NAME-SECRECY-LEVEL , OCCUP, OCCUP-
SECRECY-LEVEL, CITY , CITY-SECRECY-LEVEL values and then would filter and return to the user those
fields on item that are of secrecy level acceptable for the user.
The below is an example of query filtering operation:
Q.79] What is purpose of the encryption in multilevel secure database management system?

PURPOSE OF ENCRYPTION IN MULTILEVEL SECURE DATABAS MANAGEMENT SYSTEM

If sensitive data are encrypted , a user who accidentally receives them cannot interpret the
data. Thus, Each level of sensitive data can stored in a table encrypted under a key unique to the level of
sensitivity. But encryption has certain disadvantages.
First, a user can mount a chosen plaintext attack. Suppose party affiliation of REP or DEM is
stored in encrypted form in each record. A user who achieves access t othese encrypted fields can easily
decrypt them by creating a new record with party=DEM and comparing the resulting encrypted version to
that element in all other records. Worse , it authentication data are encrypted, the malicious user can
substitute the encrypted form of his or her own data for that of any other user. Not only does this provide
access for the malicious user, but it also excludes the legitimate user whose authentication data have been
changed to that of the malicious user. These possibilities are shown in following fig.

K1

D Q
E Z
7
M

k K2

D @
E P
M 9

Using a different encryption key foe each record overcomes these

defects. Each record’s field can be encrypted with different key , or all fields of a record can be
cryptographically linked, as with cipher block chaining.
The disadvantage, then each field must be decrypted when users perform standard database operations
such as “select all records with SALARY >10,000.” Decrypting the SALARY field, even on rejected records,
increases the time to process a query . Thus , encryption is not often used to implement separation on
database.

Q:80] What are the disadvantages of partitioning

The obvious control for multilevel databases is partitioning . the database is divided into separate
databases , each at its own level of sensitivity . this approach is similar to maintaining separate files in
separate file cabinates .
The disadvantages of partitioning are
1. this control destroys the advantage of datadbases : elimination of redundancy and improved
accuracy through having only one field to update .
2. furthermore , it does not address the problem of a high level user who needs access some low lovel
data combined with high level data
3. Nevertheless, because of the difficulty of establishing , maintaining and using multilevel databases ,
many users with mixed sensitivities handle their data by using separate , isolated databases .

Q 81] Explain inference by sum, inference by count, & inference by median.

The inference problem is a way to infer or derive sensitive date from nonsensitive
data. The interference problem is a subtle vulnerability in database security.
The database in table-1 can help illustrate the inference problem. Recall that AID is the amount of financial
aid a student is receiving. FINES is the amount of parking fines still owed. DRUGS is the result of a drug-use
survey:0 means never used and 3 means frequent user. Obviously this information should be kept
confidential. We assume that AID, FINES, and DRUGS are sensitive fields, although only when the values
are related to specific individual.

Name Sex Race Aid Fines Drugs Dorm

Adams M 500 45. 1
C Holmes
Bailey M B 0 0. 0 Grey
Chin F A 3000 20. 0 West
Dewitt M B 1000 35. 3 Grey
Earhart F C 2000 95. 1 Holmes
Fein F C 1000 15. 0 West
Groff M C 4000 0. 3 West
Hill F B 5000 10. 2 Holmes
Koch F C 0 0. 1 West
Liu F A 0 10. 2 Grey
Majors M C 2000 0. 2 Grey

Table-1 Sample Database.

The indirect attack seeks to infer a final result based on one or more intermediate stastical results. But this
approach requires work outside the database itself. In particular , a stastical attack seeks to use some
apparently anonymous statistical measure to infer individual data.
Inference by sum:
An attack by sum tries to infer a value from a reported sum. For eg: In the table below showing a report
student aid by sex and dorm, reveals that no female living in Grey is receiving financial aid. Thus , we can
infer that any female living in Grey( such as Liu) is certainly not receiving financial aid.
Sums of Financial Aid by Dorm & Sex

Holmes Grey West Total

M 5000 3000 4000 12000

F 7000 0 4000 11000

Total 12000 3000 8000 23000

Inference by Count:
The count can be combined with the sum to produce some even more revealing results . Often these two
statistics are released for a database to allow users to determine average values. Table below shows the
count of records for students by dorm and sex. Combined this table demonstrates that two males in
Holmes and West are receiving financial aid in the amount of $5000 and $4000 respectively.

Sums of Financial Aid by Dorm and Sex

Holmes Grey West Total

M 1 3 1 5

F 2 1 3 6

Total 3 4 4 11

Inference by Median: By a slightly more complicated process, we can determine an individual value from
medians. The attack requires finding selections having one point of intersection that happens to be exactly
in the middle, as shown in fig-1 below:

Highest
Values for
Attribute 1
.
Lowest
. Median for Highest
Values for . . . Attribute 1; . . . value for
Attribute 2 Median for Attribute2
Attribute 2

.
Fig-1: Intersecting Medians. .
Lowest
Values for

Q82]: Explain different types of network.

ANS]: Types of Networking :-

There are many different types of computer networks. Peer-to-peer, ethernet, token ring, local area network
(LAN), and wide area network (WAN) are examples of computer network configurations. Each has its own
advantages and disadvantages.
Peer-to-peer Networks: Peer-to-peer networks are used when only a few computers
need to be linked together to share a printer and files. A networking program ( such as Lantastic) is used to
facilitate the operation of the network.
Ethernet Networks: Ethernet networks can use a configuration that has a central
switching hub with a number of computers all connecting tothe hub. A server or bridge to other networks may
also be connected to this central switch. The Ethernet protocol allows
each computer to request a data download or upload butonly one at a time. If two computers were to request
data at exactly the same time, then both requests would be sent
back and they would have to re-apply. Each computer and device within the network must be equipped with
an Ethernet card. The card is the physical connection between
the computer and the network cabling
Token ring Networks: Token-ring networks are networks laid out in a ring configuration. Each computer is
connected to the one next to it and the last one in the line is connected back to the first. A server or bridge to
other networks may also be connected in this ring. The token-ring protocol requires that a computer request a
software "token" to
attach to its request for data. The token travels around the ring in one direction looking for a computer in the
ring that needs its services, delivering requests, or returning data. All this happens mat very high speeds so
that a computer does not have to wait more than a fraction of a second for a free token. Each computer and
device within the network must be equipped with a token-ring card. The card is the physical connection
between the computer and the network cabling. The token-ring network is mainly an IBM system.
Local Area Networks: Local Area Networks (LANs) are usually located in one building and may consist of
several small networks linked together. The small networks may be of the same type or a combination of
types. A large computer server may act as a central control centre and storage area; or, each network within
the LAN may have its own server, and the LAN may exist just to enable the sharing between the networks.
The main function of a LAN is to share information and resources like printers and file servers. Computers
within the networks may or may not have hard drives (terminals). The protocol programs control the transfer
of data between the networks and the individual computer. Novell and
Microsoft NT ServerTM are examples of two network software protocol packages commonly used with LAN
systems.

Wide Area Networks: Wide Area Networks (WANs) are similar to LANs, but the WAN network usually
extends to other buildings and in some cases to other places. The networks may be wired together, but in
some cases the links include laser beams, microwaves, and/or radio waves. The main function of a WAN is to
share information and resources like printers and file servers. Computers within the network may or may not
have hard drives (terminals).
Internetworks: Internetwork can be defined as network of networks, and also called as internet. It is
connection of two or more separate networks. Internet is physically and logically exposed, i.e. any person or
even attacker can access internet. Due to its complex connectivity it practically possible to reach any
resource connected to the network.The most significant Internetwork is Internet. It has been spread
worldwide and it is impossible to count the number of hosts connected to the internet because hundreds of
users are getting added to Internet everyday.
There is one more type of the networks called as campus area network or CAN which covers the computers in
adjacent buildings and they are generally owned by an university or a company.

Q 83] Who attacks networks?

The three necessary components of an attack are: method, opportunity, motive. The four important motives
are: challenge, power, money, ideology. Based on this we can identify who attacks n/w.

Challenge: The single most significant motivation for a n/w attacker is the intellectual challenge. He or
she is intrigued with knowing he answers to Can I defeat this network? What would happen if I tried this
technique or action.
Some attackers enjoy the intellectual stimulation of defeating the supposedly undefeatable. Other attackers
seek to demonstrate the weakness in the network so that others may pay attention to strengthening the
security. Still other attackers are unknown, unnamed attackers who do it for fun.
Fame : Some attackers seek recognition for their activities. That is, part of the challenge is doing the
deed and the other part is taking the credit for it. They may not be able to brag too openly , but they enjoy
the personal thrill of setting their names written up in new media.
Money : Financial gains also thrill some attackers. Some attackers seek industrial espionage , seeking
information on a company’s products, clients, or long- range plans. Industrial espionage is illegal but it
occurs in part because of the high potential gain. Its existence and consequences can be embarrassing for
the target companies. Thus many incidents go unreported. There are a few reliable statistics on how much
espionage is going on.
Ideology: Many security analysts believe that the Code Red worm of 2001 was launched by a group
motivated by the tension in the U.S-China relations. We can distinguish between two types of related
behavior Hactivism and cyber terrorism.
Hactivism involves operations that use hacking techniques against a target’s (n/w ) with the client of
disrupting normal operations but not causing serious damage.
Cyber terrorism is more dangerous than above and involve politically motivated hacking operations intended
to cause grave harm such as loss of life or severe economic damage.

Q84. What are the characteristics of networks?

Anonymity: A cartoon image shows a dog typing at a workstation and saying to another dog on the internet
no knows you are a dog. A network removes most of the clues such as appearance, voice or contacts by
which e recognize acquaintances.
Automation: In some networks, one or both end points, as well as all intermediate points, involved in a
given communication may be machines with only minimal human supervision.

Distance:Many networks connect end points that are physically far apart. Although not all network
connections involve distance, the speed of communication is fast enough that humans usually can not tell
whether the remote site is near or far.

Opaqueness:Because the dimension of the distance s hidden, users can not tell whether a remote host is in
room next door or in a different country. In the same way users can not distinguish whether they are
connected to node in an office, school, home or warehouse or whether the nodes computing system is large
or small, modest or powerful. In fact the users can not tell the current communication involves the same
host with which they communicated last time.

Routing diversity:To maintain and improve reliability and performance, routing between two endpoints are
usually dynamic. That is the same interaction may follow one path through the network for the first time
and the different path through the network or the second time. In fact the query may take different path
from the response that follows few seconds later

Integrity • Protocol flaw

• Active wiretap
• Impersonation
• Falsification of message
• Noise
• Web site defacement
• DNS attack

Availability • Protocol flaw

• Transmission or component failure
• Connection flooding
• DNS attack
• Traffic redirection
• Distributed denial of service

Q.85] What makes a Network Vulnerable?

Following are the factor which makes Network Vulnerable.
Target Vulnerability
Precursors to attack • Port scan
• Social engineering
• Reconnaissance
• OS and application fingerprinting

Authentication failures • Impersonation

• Guessing
• Eavesdropping
• Spoofing
• Session hijacking
• Man-in-the-middle attack
Programming flaws • Buffer overflow
• Addressing errors
• Parameter modification,
time-of-check to time-of-user errors
• Server-side include
• Cookies
• Malicious active code :JavaScript, ActiveX
• Malicious code: virus, worm, Trojan horse
 • Malicious typed code

Confidentiality • Protocol flaw

• Eavesdropping
• Passive wiretap
• Misdelivery
• Exposure whit in the network
• Traffic flow analysis
• Cookies
Integrity • Protocol flaw
• Active wiretap
• Impersonation
• Falsification of message
• Noise
• Web site defacement
• DNS attack

Availability • Protocol flaw

• Transmission or component failure
• Connection flooding
• DNS attack
• Traffic redirection
• Distributed denial of service

Q87.List the various reason for which the networks are attacked.

The reasons for which the networks are attacked are as follows:

Challenge: Why do people do dangerous or daunting things, like climb mountains or swim across the English
Channel or engage in extreme spots? Because of the challenge, the situation is no different for someone
skilled in writing or using programs. The single most motivation for a network attacker is the intellectual
challenge. He or she is intrigued with knowing the answer to can I defeat this network? What would happen
if I tried this approach or that technique? Some attacker enjoys the intellectual stimulation of deleting the
supposedly undefeatable.

Money & Espionage: The challenge of accomplishment is enough for some attackers. But other attackers
perform industrial espionage, seeking information on a company’s product, clients or long range plans. We
know industrial espionage, has a role when we read about laptops & sensitive papers having been lifted
from hotel room s when other more valuable items were left behind. Some countries are notorious for using
espionage to aid their state –run industries. Sometimes industrial espionage is responsible for seemingly
strange corporate behavior .

Fame: The challenge of accomplishment is enough for some attackers. But other attacker seek recognition
for their activities. That is part of the challenge is doing the deed, another pert is taking credit for it. In
many cases, we do not know who the attacker really are, but they leave behind a “calling card with a
recognizable name, mafiaboy often retain some anonymity by using pseudonym but they achieve fane
nevertheless.

Ideology: In the fast few years, we are stating to find cases in which attacks perpetrated do advance
ideological ends. For example, many security analyses believe that the code Red Worm of2001 was
launched by a group motivated by the tension in U.S. China relations. Hactivism involves operation that use
hacking techniques against a target with the intent of distrusting normal operations but no causing serious
damage. Cyberorism is more dangerous than hactivism: practically motivated hacking operations intended
to cause grave harm such as loss of life serve economic danger.

Q 88)Write a note on Firewall. What are different types of Firewall ?

A firewall is a device that filters all traffic between a protected or “inside” network
 and a less trustworthy or “Outside” network. Usually a firewall runs on a dedicated device because it is a
single point through which traffic is channeled, performance is important, which means nonfirewall functions
should not be done on the same machine. Because a firewall is executable code, the attacker could
compromise that code and execute from the firewalls device.
The purpose of a firewall is to keep bad things outside a protected Environment To accomplish that ,
firewalls implement a security policy that is specifically designed to address what bad things may happen.
For example, the policy might be to prevent any access from outside ( While still allowing traffic to pass
from the inside to outside ). Alternatively, the policy might permit accesses only from certain places, from
certain users, or for certain activities. Part of the challenge of protecting a network with a firewall is
determining which security policy meets the needs of the installation
A firewall is a special form of reference monitor. By carefully positioning a firewall within a network , we can
assure that all the network accesses that we want to control must pass through it. This restriction meets the
“always invoked” condition. A firewall is typically well isolated, making it highly immune to modification.
Usually a firewallis implemented on a separate computer, with direct connections only to the outside and
inside networks. This isolation is expected to meet the “tamperproof” requirement. And firewall designers
strongly recommend keeping the functionality of the firewall simple.

Types of Firewall
Firewalls have wide range of capabilities. Types of Firewalls include:
1) Packet Filtering Gateways or Screening Routers.
2) Stateful inspection Firewalls.
3) Application proxies.
4) Guards.
5) Personal firewalls.

Packet Filtering Gateways: A Packet Filtering Gateways or screening routers is a simplest and in some
situations the most effective type of firewall. A Packet Filtering Gateways controls access to packets based
on address or specific transport protocol type (such as HTTP web traffic).

Stateful inspection firewall: A stateful inspection firewall maintains state information from one packet to
another. A stateful inspection firewall would track the sequence of packets and conditions from one packet
to another to thwart an attack.

Application Proxy: An application proxy gateway also called as bastion host is a firewall that stimulates the
effects of an application so that the application will receive only requests to act properly. A proxy gateway is
a two headed device. It looks to the inside as if it is the outside connection while to the outside it responds
just as the insider would.

Guard: A guard is a sophisticated firewall. It receives protocol data units , interprets them, and passes
through the same or different protocol data units that achieve either the same result or modified result.

Q90] Write a short note on digital distributed authentication

Ans) In the 1980’s ,Digital equipment Corporation organized the problem of needing to authenticate
nonhuman entities in a computing system. For example a process might retrieve a user query, which it then
reformats, perhaps limits, and submits to a database manager. Both the database manager and query
processor want to be sure that a particular communication channel is authentic between the two. Neither of
these servers is running under the direct control or supervision of a human. Human forms of access control
are thus inappropriate.
Digital created a simple architecture for this requirement effective against the following threats.
• Impersonation of a server by a rogue process for either of the two servers involved in the
authentication.
• Interception or modification of data exchange between the servers
• Replay of previous authentication
The architecture assumes that each server has it’s own private key and the corresponding public key is
available to or held by every other process that might need to establish an authenticated channel. To begin
an authenticated communication between server A and server B,A sends a request to B, encrypted under
B’s public key decrypts the request and replies with a message encrypted under A’s public key. To avoid
replay, A and B can append a random number to the message to be encrypted.
A and B can establish a private channel by one of them choosing an encryption key and sending it to the
other in the authentication message .Once the authentication is complete,all communication between the
secret key can be assumed to be as secure as was the original dual public key exchange. To protect the
privacy of the channel, Gasser recommends a separate cryptographic processor , such as a smart card ,so
that privacy keys are never exposed outside the processor.

Q 92] Write a short note on virtual private network.

Link encryption can be used to give a network’s users the sense that they are
on the private network, even when it is a part of a private network. For this reason, the approach is called a
virtual private network. Or (VPN)
Typically, physical security and administrative security are strong
enough to protect transmission inside the perimeter of the network. Thus, the greatest exposure for user is
between the user’s workstation or client and the perimeter of the host network or server.
A firewall is an access control device that sits between two networks
or two network segment. It filters all traffic between the protected or inside network and less trustworthy or
outside network or segment.
Many firewalls can be used to implement a VPN. When a user first establishes a communication with the
firewall, the user can request a VPN session with the firewall. The user can request a VPN session with the
firewall. The user’s client and the firewall negotiate a session encryption key, and the firewall client
subsequently used that key to encrypt all traffic between the two. In this way, the larger network is
restricted to those given special access by the VPN . In other word, it feels to user that the network is
private, even though it is not. With the VPN, the communication passes through an encrypted tunnel or
tunnel.
Virtual private network are created when the firewall interact with authentication service inside the
perimeter .The firewall may pass user authentication data to authentication server and, upon information of
authentication identity, the firewall provides the user with appropriate security privileges.
For example: known trusted person such as employee or system
administrator may be allow to access resources not available to general user. The firewall implements this
access control on the basis of VPN.

Exposed
Communication media
Physically protected perimeter

2
User’s Internal
Workstation Server
(Client) 3 Firewall

1 : Client authentication to firewall

2 : Firewall replies with encryption key
3 : client and server communicate via encrypted key

Fig : Establishing virtual private network

Q93. Write a short note on Intrusion Detection System ?

Ans:
Intrusion Detection software builds patterns of normal system usage, triggering an alarm any time
the usage seems abnormal. After a decade of promising research result in intrusion detection ,products are
now commercially available. Some trusted operating systems include a primitive degree of intrusion
detection software.
Although the problems are daunting, there have been many successful implementation of trusted
operating system.

In this case we will consider the three properties:

1. Kernalized Design
2. Isolation
 3. Ring structuring

Kernalized Design: A kernal is the part of an operating system that performs the lowest-level functions. In
standard operating system designs, the kernal implements operation such as synchronization, interprocess
communication, message passing, and interrupt handling. The Kernel is also called a nucleus or core. The
notion of designing an operating system around a kernel is described by Lampson and Sturgis and by Popek
and Kline.
A security kernel is responsible for enforcing the security mechanism of the entire operating system . The
security kernel provides the security interfaces among the hardware ,operating system and other parts of
the computing system.
Reference monitor: The most important part of the security kernel is the reference monitor, the portion
that controls accesses to objects. A reference monitor is not necessarily a single piece of code; rather, it is
the collection of access controls for devices, files, memory,interprocess communication an other kinds of
objects.
The reference monitor concept has been used for many trusted operating systems and also for smaller
pieces of trusted software.
Trusted computing base:The trusted computing base or TCB is the name we give to everything in the
trusted operating system necessary to enforce the security policy.

Following are the functions of TCB:

• Hardware: including processors, memory, registers and I/O devices.
• Some notion of processes, so that we can separate and protect security critical processes.
• Primitive files, such as security access control database and identification / authentication data.
• Protected memory
• Some interprocess communication.

TCB implementation :
Security related activities are likely to be performed in different places. Security is potentially related to
every memory access, every I /O Operation, every file or program access, every initiation or termination of
users and every interprocess communication.
Separation/ Isolation
There are four ways to separate one process from other:
Physical separation, temporal separation, cryptographic separation, logical separation.

With physical separation, two different processes use two different hardware facilities. For example:
sensitive computation can be performed on the reserved computing system, non sensitive task are
performed on public system
Hardware separation offers several attractive features including support for multiple independent threads
of execution, memory protection, mediation of I/O and at least three different degree of execution privilege.
Temporal separation occurs when different processes are run at different times.
Encryption is used for cryptographic separation, so two different processes can be run at same time,
because unauthorized user can not access sensitive data in a readable form .
Logical separation also called isolation is provided when process such as reference monitor separates one
user’s objects from those of other user. Secure computing systems have been built with each of these form
of separation.
Ring structuring:It is an example of open design and complete mediation.

Q94. What security problems are faced while using Kerberos in distributed system?
Kerberos is a system that supports authentication in distributed system. Originally designed to work with
secret key encryption. Kerberos is based on idea that a central server provides authenticated tokens called
tickets t requesting application. A ticket is unforgeble, nonreplayable, authenticated objects. That is it is an
encrypted data structure naming a user and a service that user is allowed to obtain. It also contains a time
value and some control information.
 Server access request
Ticket –Granting
User
Server
Service Ticket
Ticket Authorization

Unique Keys
Authentication
Service Requests

Other Other
Server Server
Authorization Keys

Other
Kerberos
Server

Security problems faced are as follows:

• Kerberos requires continues availability of a trusted ticket granting server: Because the ticket
granting server is the basis of access control and authentication, constant access to that server is
crucial. Both reliability and performance problems are addressed.
• Authenticity of server requires trusted relationship between the ticket granting server and
every server: the ticket granting server must share a unique encryption key with each trustworthy
server. The ticket granting server must be convinced of the authenticity of that server. In a wildly
distributed environment an administrator at one site can seldom justify trust in authenticity of server at
other sites.
• Kerberos require timely transaction: to prevent reply attack Kerberos limits the validity of ticket. A
reply attack could succeed during the period of validity, however. And setting the period fairly is hard:
too long increases the exposure to reply attacks, while too short requires prompt user actions and risks
providing the user with a ticket that will not be honored when presented to a server. Similarly,
subverting a server’s clock allows reuse of an expired ticket.
• A subverted workstation can save and later reply user passwords: This vulnerability exists in any
system in which passwords, encryption keys, or order constant, sensitive information is entered in the
clear on a workstation that might be subverted.
• Password guessing works. A user’s initial ticket is returned under the user’s password. An attacker
can submit an initial authentication request to the Kerberos server and then try to decrypt the response
by guessing at the password.
• Kerberos does not scale well. The architectural model of Kerberos, assumes one Kerberos server and
one ticket-granting server, plus a collection of other servers, each of which shares a unique key with the
ticket-granting server. Adding a second ticket-granting server, for example, to enhance performance or
reliability, would require duplicate keys or a second set for all servers. Duplication increases the risk of
exposure and complicates key up dates, and second keys more than double the work for each server to
act on a ticket.
• Kerberos is a complete solution. All application must use Kerberos authentication and access control.
Currently, few application use Kerberos authentication, and so integration of Kerberos into an existing
environment requires modification of existing applications, which is not feasible.

Q-95: What firewalls can and cannot block?

Firewalls are not complete solutions to all computer security problems. A firewall protects only the perimeter
of its environment against attacks from outsiders who want to execute code or access data on the machines
in the protected environment.

• Firewalls can protect an environment only if the firewalls control the entire perimeter. That is, firewalls
are effective only if no unmediated connections breach the perimeter. If even one inside host connects
to an outside address, by a modem for example, the entire inside net is vulnerable through the modem
and its host.
• Firewalls do not protect data outside the perimeter; data that have properly passed (outbound)
 through the firewall are exposed as if there were no firewall.
• Firewalls are the most visible part of an installation to the outside, so they are the most attractive
target for attack. For this reason, several different layers of protection, called defense in depth, are
better than relying on the strength of just a single firewall.
• Firewalls must be correctly configured, that configuration must be updated as the internal and
external environment changes, and firewall activity reports must be reviewed periodically for evidence
of attempted or successful intrusion.
• Firewalls are targets for the penetrators. While a firewall is designed to withstand attack, it is not
impenetrable. Designers intentionally keep a firewall small and simple so that even if a penetrator
breaks it, the firewall does not have further tools, such as compilers, linkers, loaders, and the like, to
continue an attack.
• Firewalls exercise only minor control over the content admitted to the inside, meaning that
inaccurate data or malicious code must be controlled by other means inside the perimeter.
Firewalls are important tools in protecting an environment connected to a network. However, the
environment must be viewed as a whole, all possible exposures must be considered, and the firewall must
fit onto a larger, comprehensive security strategy. Firewalls alone cannot secure an environment.
Q97. Describe 4 areas related with administrative and physical aspects?
The 4 areas related with administrative and physical aspects are :
1. Planning: What advance preparations and study lets us know that our implementation meets our
security needs for today and tomorrow.?
Every security plan must address seven issues:
a) policy, indicating the goals of computer security effort and willingness of the people involved to
work to achieve these goals.
b) current state, describing the status of security at the time of plan
c) requirements, recommending ways to meet the security goals.
d) recommended controls, mapping controls to the vulnerabilities identified in the policy and
requirements.
e) accountability, describing who is responsible for each security activity
f) continuing attention, specify a structure for periodically updating the security plan
2. Risk Analysis: How do we weigh the benefits of controls against their costs, and how do we justify any
controls?
Risk analysis is a process of examining a system and its operational context to determine possible
exposures and its potential harm they can cause
There are 3 strategies for risk reduction:
a). avoiding a risk, by changing requirements for security or the other system characteristics.
b). transferring the risk, by allocating risk to other systems, people, organizations, or assets; or by
buying insurance to cover any financial loss should the risk become a reality.
c)assuming a risk, by accepting it, controlling it with available resources, and preparing to deal with
the loss if it occurs.
3. Policy: How do we establish a framework to see that our computer security needs continue to me met?
A security policy is a high level management document to inform all users of thegoals and constraints
on using the system. A policy document is written in brod enough terms that it does not change frequently.
The policy should articulate senior management decision regarding security as well as asserting
management's commitment to security.
4. Physical Control: What aspects of the computing environment have an impact on security?
Physical Security is a term used to describe protection needed outside the computer system.
Typical physical security includes guards, locks and fences to deter direct attacks. Other protection include
protection from natural disasters like fires and floods and power outrages. Physical protection is also
endangered by human activities.

These 4 areas are essential for understanding computer security completely.

Q. 98] Explain briefly contents of security plan ?

A security plan identifies and organizes the security activities for a computing system . a plan is both a
description of the current situation and a plan for improvement.
Every security plan must address seven issues.

-Policy
-Current state
-Requirements
-Recommended controls
-Accountability
-Timetable
-Continuing attention

Policy :
A security plan must state the organization’s policy on security. A security policy is a high level statement
of purpose and intent. Basically policy is one of the most difficult sections to write well .This includes eight
steps as follows:
1.identify enterprise knowledge
2. identify operational area knowledge
3.identify staff knowledge
4.establish security requirements
5. map high priority information assets
6. Perform infrastructure vulnerability evaluation
7. Conduct multidimensional risk analysis
8. develop a protection strategy
 - who should be allowed to access ?
- to what system and organizational resources should access be allowed ?
- What type of access should be allowed?

Current security status :

To be able to plan for security an organization must understand the vulnerabilities to which it may be
exposed .The organization can determine the vulnerabilities by performing the risk analysis. A careful
investigation of the system, its environment, and the things that might go wrong. The status can be
expressed as a listing of the organizational assets the security threats to the assets and controls in place to
protect the assets.
Requirements :
The heart of the security plan is the set of requirement analysis: functional or performance demands placed
on a system to ensure a desired level of security .The requirements are usually derived from organizational
needs .A constraint is an aspect of the security policy that directs the implementation of the requirements
.The six requirements can be given as follows:
Security policy
Identification
Marking
Accountability
Assurance
Continuous protection
The system requirements have following characteristics:

Correctness: are the requirements understandable? Are they stated without error ?
Consistency : Are there any ambiguous requirements ?
Completeness : Are all possible situations addressed by the requirements ?

Security policies

Security plan
Security
planning
process
requirements

Security
Techniques &
controls

Recommended controls :The security requirements lay out the system needs in terms of what should be
protected. The security plan must also recommend what controls should be incorporated into the system to
meet those requirements.

Responsibility for implementation :A section of the security plan should identify which people are
responsible for implementing the security requirements . this documentations assists those who must co-
ordinate their individual responsibilities with those of other developers. At the same time, the plan makes
explicit who is accountable should some requirement not be mate or some vulnerabilities not be
addressed . that is , the plan notes who is responsible for implementing controls when a new vulnerability is
discovered or a new kind of asset is introduced .
Consider example the group listed below:
1. Personal computer users
2. Project leaders
3. Managers
4. Database administrators
5. Information officers
6. Personal staff members etc.
Timetable: A comprehensive security plan cannot be executed instantly . the security plan includes a
timetable that shows how and when the elements of the plan will be performed . these dates also gives
milestones so that management can track the progress of implementation .
The plan should specify the order in which the controls are to be implemented so that the most serious
exposures are covered as soon as possible . The plan must be extensible .
Continuing attention : Good intensions are not enough when it comes to security . We must not only take
care in defining requirements and controls , but we must find ways to evaluating a system’s security to be
sure that the system is as secure as we intend it to be.
Q.99 Explain response team in detail.

The evolution of the Internet has been widely chronicled. Resulting from a research project that
established communications among a handful of geographically distributed systems, the Internet now
covers the globe as a vast collection of networks made up of millions of systems.The Internet has become
one of the most powerful and widely available communications mediums on earth, and our reliance on it
increases daily. Governments, corporations, banks,and schools conduct their day-to-day business over the
Internet. With such widespread use,the data that resides on and flows across the network varies from
banking and securities transactions to medical records, proprietary data, and personal correspondence.The
Internet is easy and cheap to access, but the systems attached to it lack a corresponding ease of
administration. As a result, many Internet systems are not securely onfigured.Additionally the underlying
network protocols that support Internet communication are insecure, and few applications make use of the
limited security protections that are currently available.The combination of the data available on the
network and the difficulties involved in protecting the data securely make Internet systems vulnerable
attack targets. It is not uncommon to see articles in the media referring to Internet intruder activities.But,
exploitation of security problems on the Internet is not a new phenomenon.
In 1988 the “Internet Worm” incident occurred and resulted in a large percentage of the systems on the
network at that time being compromised and temporarily placed out of service. Shortly after the incident, a
meeting was held to identify how to improve response to computer security incidents on the Internet. The
recommendations resulting from the meeting included a call for a single point of contact to be established
for Internet security problems that would act as a trusted clearinghouse for security information. In
response to the recommendations, the reponse teams were developed to enhance the security of
systems.CERT Coordination Center (also known as the CERT/CC and originally named the Computer
Emergency Response Team) was formed to provide response to computer security incidents on the Internet
[CERT/CC 1997b]. The CERT/CC was one of the first organizations of this type—a computer security incident
response team (CSIRT2).

Q. 100] Give three controls that could have both positive as well as negative effects.

1)Controls have both positive as well as negative effects.

2) Encryption, for example, protects confidentiality, but it also takes time and introduces key management
issues .
3)Thus when selecting controls , we have to consider full impact of the control.
4)The creators of the VAM recognized that sometimes attributes enhance security and other times
detract from it . For example, heterogeneity may be useful as a control in preventing the proliferation of the
same kind of logic error throughout a system. But heterogeneity can also make the system’s design harder
to understand and , therefore harder to maintain.
5)The result can be a fragile design that is easy for an attacker to cause to fail. For this reason,
VAM as included a rating scheme to reflect the relationship depicted by each cell of the matrix .A cell
relating to vulnerability to a security technique contains a number from -2 to +2, according to this scheme.

• 2 means that the control mitigates the vulnerability significantly and should be a prime candidate for
addressing it.
• 1 means that the control mitigates the vulnerability somewhat but not as well as one labeled 2, so it
should be secondary candidate for addressing it.
• 0 means that the vulnerability may have beneficial side effects that enhance some aspect of
security.
• -1 means that the control worsens the vulnerability somewhat or incurs new vulnerability.
• -2 means that the controls worsens the vulnerability significantly or incurs new vulnerabilities.
In VAM rating scheme , the matrix is used to support decisions about the controls in the following way.

Beginning with the rows of the matrix , each of which corresponds to the vulnerability.
 We follow the row access to look for instances in which a cell is labeled with 2 . Then we follow the column
up to its heading, to see which security techniques are strong controls for this kind of vulnerability.
In this way, we can look at the implications of using each control to address known vulnerability.

Q101. Characteristics of a good security policy

If a security policy is written poorly, it can not guide the developers and users in providing appropriate
security mechanisms to protect important assets. Certain characteristics make a security policy a good one.

Coverage:A security policy must be comprehensive: It must either apply to a explicitly exclude all possible
situations. Furthermore, a security policy may not be updated as each new situation arises, so it must be
general enough to apply naturally to new cases that occur as the system is used in unusual or unexpected
ways.

Durability:A security policy must grow and adapt well. In large measure, it will survive the systems growth
the expansion without change. If written in a flexible way, the existing policy will be applicable to new
situations. However there are times when the policy must be changed (such as when government
regulations mandate new security constraints), so the policy must changeable when it needs to be.
An important key to durability is keeping the policy free from ties to specific data or protection
mechanism that almost certainly will change. For example, an initial version of a security policy might
require a ten character password from anyone requiring access to data on the sun workstation in the room
110. But when that workstation is replaces or moved, the policy’s guidance becomes useless. It is
preferable to describe assets needing protection in terms of their function and characteristics, rather than in
terms of specific implementation. For example the policy on sun workstations could be reworded to mandate
strong authentication for access to sensitive student’s grade or customer’s proprietary data. Better still we
can separate the elements of policy, having one policy statement for student grades and another for
customers’ proprietary data. Similarly we may want to define one policy that may applies to preserving the
confidentiality of relationships, and another protecting the use of system through strong authentication.
Realism: The policy must be realistic. That is, it must be possible to implement the stated security
requirements with existing technology. Moreover, the implementation must be beneficial in terms of cost
time and convenience; the policy should not recommend a control that works but prevents the system or
user from performing their activities and functions. It is important to make economically worthwhile
investments in security just as for any other careful business investments.
Usefulness: The obscure or incomplete security policy will not be implemented properly if at all. The policy
must be written in language that can be read, understood and followed by anyone who must implement it or
is affected by it. For this reason the policy should be succinct, clear and direct.

Q 102] Explain various strategies for risk reduction.

Good and effective security planning includes a careful risk analysis. A risk is a potential problem that the
system or its users may experience. We distinguish a risk from other project event by looking at the loss
associated with an event (risk impact), likehood that event will occur (problem), the degree to which we can
change the outcome (risk control).

There are three strategies of risk reduction:

1. Avoiding the risk, by changing requirements for security or other system characteristics.
2. Transferring the risk, by allocating the risk to other systems, people, organization, or assets; or by
buying insurance to cover any financial loss should the risk become reality.
3. Assuming the risk, by accepting it, controlling it with available resources, and preparing to deal
with the loss if it occurs.
For example: we usually want to weigh the pros and cons of different actions we can take to address each
risk. To that end, we can quantify the effects of risk by multiplying the risk impact by the risk probability,
yielding the risk exposure. If the like hood of virus attack is 0.3 and the cost to clean up the affected files is
$10,000, then the risk exposure is $3,000, since it will prevent a much larger potential loss. Clearly the risk
probabilities can change over time, so it is important t to track them and plan for events accordingly.

Q103] What are the various steps of risk analysis

Steps in Risk Analysis:
Step 1 : Identify AssetsThe first step of risk analysis is to identify the assets of computing system. The
assets can be considered in acategories as listed below
Hardware : processors, boards, monitors, terminals, workstations, tape drive, printers
Sofrware : source programs, object programs, purchased programs, in house programs
Data : data used during execution, stored data in various media, printed data and audit records
People : skills needed to run the computing system or specific programs
Documnetation : on programs, hardware, systems, administrative procedures, and entire system
Supplies : paper forms, laser cartridges, and printer fluid
It is essential to tailor this list to your own situation. No two organizations will have same assets to protect,
and something that is valuable in one organization may not be valuable to other.
The VAM methodology (Vulnerability Assessment and Mitigation) is a process supported by a tool to help
people identify assets , vulnerabilities and counter measures.
Step 2 : Identify Vulnerabilities The next step of risk analysis is to identify the vulnerabilities of this
assets.. This step requires imagination; we want to predict what damage might occur to the assets and from
what sources. We can enhance our imaginative skills by developing a clear idea the nature of the
vulnerabilities. This nature derives from the need to ensure the three basic goals of computer security:
confidentiality, integrity and availability. Thus, a vulnerability is any situation that could cause loss of any of
the three. We have to use a organized approach to consider situations that could cause these losses for a
particular object.
To organize the way we consider threats and assets we can use a matrix, as shown in table.

Asset Confidentiality Integrity Availability

Hardware

Software

Data

People

Documentation

Supplies

In considering the contents of each column, we ask the following questions.

What are the effects of unintentional errors ?

What are the effects of willfully malicious insiders ?

What are the effects of outsiders ?

What are the effects of natural and physical disasters ?

There is no simple checklist or easy procedure to list all vulnerabilities. But tools can help us
conceive of vulnerabilities by providing a structured way to think.

Step 3 : Estimate Likelihood of exploitation

 The third step is conducting a risk analysis is determining how often each exposure is likely to be
exploited. Likelihood of occurrence relates to the stringency of the existing controls and likelihood
that someone and something will evade the existing controls .
In controls, it is often not possible to directly evaluate an events probability by using observed data
for a specific system. Local failure rates are fairly easy to record, and we can identify which failures
resulted in security breaches or created new vulnerabilities. In particular, operating system can track
data or hardware failures, failed login attempts, number of access.
Step 4 : Compute Expected Loss
We must determine the likely loss if the exploitation does indeed occur ,this value is difficult to
determine .Some costs ,such as the cost to replace a hardware item ,are easy to obtain .The cost to
replace apiece of software can be approximated reasonably well from the initial cost to buy it(or
specify, design and write it). However, we must take care to include hidden casts in out calculations.
These costs are substantially harder to measure.
There may be hidden costs that involve legal fees if certain events take place. If a computing
system, a piece of software, or a key person is unavailable, causing a particular computing task to be
delayed, there may be serious consequences. If a program that prints pay checks is delayed,
employee’ confidence in the company may be shaken, or some employees may face penalties from
not being able to pay their own bills. If customers cannot make transactions because the computer is
down, they may choose to rake their business to a competitor. For some time critical services
involving human lives, such as a hospitals life support system or a space station guidance systems,
the cost of failure are infinitely high.
Thus, we must analyze the ramifications of a computer security failure.
Step 5 : Survey and select new controls.
We next turn to an analysis of the controls to see which ones address the risk we have identified.
Each vulnerability has to be matched with atleast one appropriate security technique. Once it is done
we can use our expected loss estimates to help us decide which controls, alone ar in concert, are
most cost effective for given situation.
While selecting the controls the following questions are answered:
What Criteria are used for Selecting Controls ?
How do controls affect the way they control ?
Which controls are best?
Step 6:Project Savings
The next step is to determine whether the cost outweighs the benefits of preventing or mitigating the risks.
We multiply the risk probability by the risk impact to determine the risk exposure.
The effective cost of a given control is the actual cost of the control (such as purchase price, installation
costs, and training costs) minus any expected loss from using such controls (administrative or
management). Thus, the true cost of a control may be positive in the control is expensive to administer or
introduces new risk in another area of the system. Or the cost can even be negative if the reduction in risk
is greater than the cost of control

Q105. Why should anyone perform a risk analysis in preparation for creating security plan?
Effective security planning includes a careful risk analysis. A risk is a potential problem that the system or
its users may experience. We distinguish a risk from other project events by looking for three things.
A loss associated with an event. The event must generate a negative effect; compromised security, lost
time, diminished quality, lost money, lost control, lost understanding & so on. This loss is called the risk
impact.
The likelihood that the event will occurred there is probability of occurrence associated with each risk,
measured from 0 to 1. When risk probability is 1 we say we have problem.

The degree to which we can change the outcome we must determine what if anything, we can do to avoid
the impact or at least reduce its effects. Risk control involves a set of action to reduce or eliminate the risk.
Many of the security controls are the example of risk control.
We usually warn to weigh the pro and cons of different actions we take to address each risk. To end we
can quantify the effects of risk by multiplying the risk impact by the risk probability, yielding the risk
exposure. Clearly risk probability can change overtime, so it is important to track them and plan for events
accordingly.
In general there are 3 strategies for risk reduction .
1. Avoiding the risk by changing the requirements for security or other system characteristics
2. Transferring the risk, by allocating the risk to other system by people organizations or assets ; or
by buying insurance company financial lost should risk become reality
Q.106]
Ans. Write a short note on :Security Policies

Commercial Security Policies:

Commercial enterprises have significant security concerns. They worry
that industrial espionage will reveal their information to competitors about new products under
development. Likewise, corporations are often eager to protect information about the details of their
corporate finance. So even the commercial world is usually less rigid, and less hierarchically
structured than the military world we still find many of the same concepts in security policies. For
example a large organization such as university may be divide into various groups or departments,
each responsible for a number of disjoint projects.

There may also be some corporate level responsibilities such as accounting and personnel activities.
Data items at any level may have different degrees of sensitivity, such as, public, proprietary, or
internal; here the names may vary according to the organizations, and no hierarchy applies.
Let us assume that public information is less sensitive than proprietary, which in turn is less
sensitive than internal. Projects and departments tend to be fairly separated, with some overlap as
people work on two or more projects. Corporate level responsibilities tend to overlie projects and
departments, as people throughout the organization may have the need for accounting and
personnel data. However, even corporate data may have degrees of sensitivity. Projects themselves
may include a degree of sensitivity: Staff members on project old-standby have no need to know
about new-product, while staff members on new-product may have access on all data on old-
standby.

Accounting Personnel

Old New Project

Standby Project A

3. Assuming the risk, by accepting it, controlling it with available resources and preparing to deal with
loss if occurs.
Thus cost associated not only with risk potential impact but also reducing it.
Risk leverage is difference in risk exposure divided by the cost of reducing the risk.
Risk analysis is the process of examining the system and its operational to determine possible
exposure and the potential harm they can cause, thus, first step in risk analysis is to identify and list
all exposures in the computing system of interest. Then for each exposure we identify possible controls
and there cost.
The last step is cost benefit analysis: Thus it causes less to implement a control and to accept the cost
of the loss? In the remainder of risk section, we describe the risk analysis, present examples of risk
analysis methods, and discuss some of the drawback to performing risk analysis.

Q110]: Explain the details of hazard analysis techniques

1. Hazard analysis is a set of systematic techniques intended expose potentially hazardous system
states. In particular , it can help us expose security concerns and then identify prevention or
mitigation strategies to address them .
2. That is hazard analysis ferrets out likely causes of problems so that we can apply appropriate
technique for preventing the problem or softeneing its likely consequences .
3. Thus , it usually involves developing hazard lists , as well as procedures for exploring “what if”
scenarios to trigger consideration of nonobvious the sources of problems can be lurking in any
artifacts of the development or maintainence process , not just in the code , so a hazard analysis
must be broad in its domain of investigation :in other words , hazard analysis is a system issue , not
just a code issue .
 4. Similarly , there re many kinds of problems , ranging from incorrect code to unclear code to unclear
consequences of a particular action . a good hazard analysis takes all of them into account .
5. Although hazard analysis is a generally good practice an any project , it is required in some
regulated and critical application domains , and it can be invaluable for finding security flaws . it is
never too early to be thinking about the sources of hazards :

6. The analysis should begin when you first start thinking about sources of hazards :the analysis
should begin when you first start thinking about building a new system or when someone proposes
a significant upgrade to an existing system . hazard analysis should continue throughout the system
life cycle:
7. You must identify potential hazards that can be introduced during system design installation ,
operation and maintainence.A variety of a techniques support the identification and maintainence of
potential hazards .
8. Among the most effective are hazard and operability studies (HAZOP), failure modes and effects
analysis (FMEA) and fault tree analysis (FTA).
9. HAZOP is a structured analysis techniques originally developed for the process control and chemical
plant industries . over the last few years it has been adapted to discover potential hazards in the
safety critical software system .
10. FMEA is a bottom –up technique applied at the system component level . a team identifies each
component ‘s possible faults or fault modes ;then , it determines what could trigger the fault and
what systemwide effects each fault might have . by keeping system consequences in mind , the
team often finds possible system failures that are not made visible by other analytical means .
11. FTA cmplements FMEA . it is a top –down technique that begins with a postulated hazardous
system malfunction . then the FTA team works backwards to identifythe possible precursor to the
mishap. By tracing back from a specific hazardous malfunction , we can locate unexpected
contributors to mishap and then we look for opportunities to mitigate the risks

Known Cause Unknown Cause

Known effect Description of system deductive analysis
behaviour including fault tree
analysis
Unknown effect Inductive analysis , Exploratory analysis
including failure modes including hazard and
and effect analysis operability studies

Q111] Explain in detail the economics of information security policy

Anderson asks that we consider carefully the economic aspect of security when we device our security
policy. He points out that the security engineering community tends to overstate security problem because
it is in their best interest to do so. “The typical infosec professional is a firewall vendor struggling to meet
quarterly sales targets to prop up a sagging stock price, or a professor trying to mine the ‘cyber terrorism’
industry for grants or a policeman pitching for budget to build up a computer crime agency.
Moreover the security community is a subject to fads as in other disciplines. Anderson says that the security
is trendy in 2002 which means that vendors are pushing firewalls and encryption products that have been
oversold and address only part of typical security organization problems. He says that rather on focusing on
what is fashionable we focuss on asking for a reasonable return on our investment in security.

Soo Hoo’s research indicates that a reasonable number is 20% at the time when companies usually expect
30% return from their investment in IT. It may be more worthwhile to implement more inexpensive
measures such as enabling screen locking than larger more complex and expensive measures such as PKI
and centralized access control.

Q112 ) How are copyrights important in computer security? How do they differ from patents?

Copyrights are designed to protect expression of ideas. The right to copy an expression of idea (not an idea)
is protected by copyrights. An idea and expression of idea differ from each other. For example an algorithm
is as idea. On the other hand code (program) written to implement an algorithm is an expression of idea. So
copyright protect the right of copying code i.e. no one else is allowed to use the code with his name, but
algorithm can be used by anybody in the world.
A programmer or developr translates an algorithm in to a program i.e. he writes a code to implement an
algorithm. A programmer hopes to earn a living by presenting his program in such manner that other
people would like to use this software and will pay to use it. The law of copyright protects individuals right
to earn living by saying that particular way of expressing an idea belongs to its author. Copyright gives a
programmer an exclusive right to make copies of software and only developer (author) can sell his software.
In short we can say that copyright does not allow piracy. The law of copyright prevents the others from
selling or using pirated copies of software.
Patents protect the inventions and ideas. It does not allow others to use the idea or objects, which ware
developed newly or invented by some one. An inventor can have a patent of his invention if the invention is
new i.e. if nobody else has developed similar objects before.
Patents differ from copyrights because they ware developed to protect newly developed items or newly
invented ideas, whereas copyrights ware designed to protect the expression of the idea. There is difference
between idea and implementation of an idea. Unlike copyrights patent can protect new and useful process,
machines, software, etc.
Q.113] What is trade secret? List various characteristics of trade secret.
TRADE SECRET A trade secret is unlike a patent or copyright in that it must be kept a secret. The
information has value only as a secret, and an infringer is one who divulges the secret. Once divulged, the
information usually cannot be made secret again.

CHARACTERIDTICS OF TRADE SECRETS

Reverse Engineering Through reverse engineering someone might discover how a telephone is built; the
design of the telephone is obvious from the components and how they are connected. Therefore, a patent id
the appropriate way to protect an invention such as a telephone .However, something like a soft drink is not
just the combination of its ingredients. Making a soft drink may involve time, temperature, presence of its
oxygen or other gases, and similar factors that could not be learned from a straight chemical decomposition
of the product. The recipe of a sot drink is a closely guarded trade secret. Trade secret protection works
best when the secret is not apparent in the product.
Applicability to computer Objects Trade secret protection applies very well to computer software. The
underlying algorithm of a computer program id novel, but its novelty depends on nobody else’s knowing it.
Trade secret protection allows distribution of the result of a secret while still keeping the program design
hidden. Trade secret protection does not cover copying a product, so it cannot protect against a pirate who
sells copies o someone else’s program without permission.
Difficulty of Enforcement Trade secret protection is of no help when someone infers a program’s design
by studying its output or, worse yet, decoding the object code. Both of these are legitimate activities, and
both cause trade secret protection to disappear.

Q114] Explain various legal issues relating to information.

Source code, object code and even the “look and feel” of a computer screen
are recognizable,if not tangible objects.
Legal issues relating to Information:
Information can be related to trade secrets in that information is the stock in trade of the information
seller.While the seller has the information trade secret protection applies naturally to the sellers legitimate
ability to profit from the information.Thus, the courts recognize that the information has
value. The trade secret is not secure if someone else can derive or infer from it.
Other forms of protection are offered by copyrights and patents. Neither of these applies perfectly to
computer hardware or software, and they apply even less to information.
Criminal and Civil Law:
Statutes are laws that state explicitly that certain actions are illegal.Often,a violation of a statute ill result in
a criminal trial in which the government argues for punishment because an illegal act has harmed the
desired nature of society. Civil law is a different type of law not requiring such a high standard of proof of
guilt.In a civil case an individual claims damages. The goal of a civil case is restitution.
Tort Law:
A tort is a harm not occurring from violation of a statute or from being counter to the accumulated body of
precedents.
Computer information is perfectly suited to tort law.The court merely has to decide what is reasonable
behaviour.
Contract Law:
A third form of protection for computer objects is contracts. A contract is an agreement between two
parties. A contract must involve three things:
An Offer;
An Acceptance
A Consideration
Information is often exchanged under contract. Contracts are ideal for protecting the transfer of information
because they can specify any conditions.” You have the right to use , to view, but not to sell or modify this
information”.

Q.115] List issues involved in software vulnerability reporting argument. What are technical
issues? Select a vulnerability reporting process that you think is appropriate and explain why It
meet more requirements from any other process ?

From rule based ethical theory attackers are wrong to perform malicious attacks. Notoriety or credit for
finding the flaws is a small interest.
Following are issues involved in software vulnerability reporting argument.
Full Disclosure: It helps user’s asses the seriousness of vulnerability and apply appropriate
protection. But it also gives attackers more information with which to formulate attacks. Early full disclosure
before the vendor has countermeasures ready may actually harm users by leaving them vulnerable to a now
widely known attack.
Partial Disclosure:One can argue that the vulnerability details are there to be discovered; when
vendor announces a patch for an unspecified flaw in a product, the attacker will then spread a complete
description of vulnerability to other attackers through an underground network and attack will start against
users who may not have applied the vendors fix.
No Disclosure:Users are best served by a scheme in which every so often new code is released,
sometimes fixing security vulnerabilities, sometime adding new features. But without sense of significance
or urgency, users may not install this new code.
Of all the vulnerability reporting process ‘Responsible’ vulnerability reporting seems best. Other reporting
such as Users Interest is more favor to users and Venders Interest is more favors to vendors.
In case of ‘Responsible’ vulnerability reporting compromisation between these two is achieved. This process
meets constraints of timeliness, fair play and responsibility. User report a suspected vulnerability a ‘reporter’
and the manufacturer the ‘Vendor’. A third party such as a computer emergency response center called
‘Coordinator’ is required when there is a conflict of power issues between reporter and vendor.

Basically process requires reporter and vendor to do the following:

• The vendor must acknowledge vulnerability report confidentiality to the reporter.
• The vendor must agree that the vulnerability exists confidentially to the reporter.
• The vendor must inform users of vulnerability and any available countermeasure within 30 days or
request additional time from the reporter as needed.
• After informing user, the vendor may request from the reporter a 30 days quit period to allow users
tie to install pitchers.
• At the end of the quit period the vendors and reporter should agree upon a date at which time the
vulnerability information may be released to general public.
• The vendor should credit reporter with having located the vulnerability.
• If the vendor does not follow these steps, the reporter should work with a co-coordinator to
determine responsible way to publicize the vulnerability.

Q 116: Is cracking a benign practice? Explain in details.

Ans :Many people argue that cracking is an acceptable practice because lack of protection means that the
owners of systems or data do not really value them. Spafford questions this logic by using the analogy of
entering a house.
Consider the argument that an intruder who does no harm and makes no changes is simply learning about
how computer systems operate.” Most of these people would never think to walk down a street, trying every
door to find one unlocked, then search through the drawers or the furniture inside .Yet, these same people
seem to give no second thought to making repeated attempts at guessing passwords to accounts they do
not own, and once onto a system, browsing through the files on disk.” How would you feel if you knew your
home had been invaded, even if no harm was done?
Spafford noted that breaking into a house or a computer system constitutes trespassing. To do so in an
effort to make security vulnerabilities more visible is “presumptuous and reprehensible”. To enter either a
home or a computer system in unauthorized way, even with benign intent can lead to unintended
consequences. “Many systems have been damages accidentally by ignorant intruders.”

Q118. Compare copyright, patent and Trade secret protection.

Ans: Comparison of copyright, patent & Trade Secret protection is as follows:
 COPYRIGHT PATENT TRADE SECRET

Protects Expression of idea, not idea Invention – the way A secret,

itself something works competitive
advantage

Protected object Yes; intention is to promote Design filled at Patent No

made public publication Office

Requirement to yes No No
distribute

Easy of filling Very easy, do- it- yourself Very complicated; No filling
specialist lawyer
suggested

Duration Life of human originator plus 70 19 years Indefinite

years, or total of 95 years for a
company

Legal Protection Sue if unauthorized copy sold Sue if invention copied Sue if secret
improperly
obtained

Q.119 Explain the Codes of Ethics?

Ans: Various Computer groups like ACM, IEEE and DPMA have developed there codes of ethics they are as
follows:
IEEE The IEEE has produce codes of ethics for its members. The IEEE is an organization of engineers,not
limited to computing.There codes of ethics are given below
We the members of the IEEE, in reorganization of the importance of ours technologies in affecting the
quality thought of the world.

1.to accept responsibility in making engineering decisions consistent with the safety, health and welfare of
the public, and to disclose promptly factors that might endanger the public or the envoirment;
2.to avoid real or perceived conflicts of interest whenever possible.
3. to be honest and realistic in stating claims or estimates based on available data
4. to reject bribery in all of its forms
5. to improve understanding of technology
6. to maintain and improve our technical competence and to undertake or after full disclosure of pertinent
limitations;
7.to avoid injuring others, their property, reputation, or employment by false or malicious action;
8. to assist colleagues and coworkers in their professional development and to support them in the following
this code of ethics.
ACM: The ACM codes of ethics recognizes three kinds of its members.The code ethics has three
sections(plus fourth commitment section) as shown below

As an ACM member I will…

1.1 Contribute to society and human well-being
1.2 Avoid harm to others
1.3 Be honest and trustworthy
1.4 Be fair and take action not to discriminate
1.5 Honor property rights including copyright and patterns
1.6 Respect the privacy of the others
1.7 Honor the confidentiality

As an ACM computing professtional I will….

2.1 Strive to achieve the highest quality,effectiveness and dignity in both the process and products of the
professional work
2.2 know and respect existing laws pertaining to professional work
2.3 Accept and provide appropriate professional review
2.4 Honor the contracts,agreements, and assigned responsibilities
2.5 Improve public understanding of computing and its consequences
2.6 Access computing and communication resources only when authorized to do so

As an ACM member and an organization leader, I will…

3.1 Articulate the social responsibilities of members of the organizational unit and encourages full
acceptance of those responsibilities
3.2 Manage personnel and resources
3.3 Articulate and support policies that protect the dignity of users and others affected by the a computing
system
3.4 Create the opportunities for members of the organization to leran the principles and limitations of
computer systems

As an ACM member, I will…

4.1 Uphold and promote the principal of this code
4.2 treat the violations of this code as inconsistent with membership in the ACM

Computer Ethics Institute The Computer Ethics Institute is a nonprofit group that aims to encourage
people to consider the ethical aspects of their computing activities. They are as follows:
1. Thou shalt not use a computer to harm the other people.
2.Thou shalt not interfere with others people’s computer work.
3.Thou shalt not snoop around others people computers.
4.Thou shalt not use a computer to steal.
5.Thou shalt not use a computer to bear false witness.
6 Thou shalt not use or copy the computer software for which you have not paid.
7.Thou shalt not appropriate other peoples intellectual output
8.Thou shalt think about the social consequences of the program you are writing or the system you are
designing.
9. Thou shalt not use a computer in the ways that insure consideration and respect for yur fellow humans .

120. Compare and contrast Law & Ethics.

LAW: As we know that Law is not always the appropriate way to deal with issues of human behavior. It is
difficult to define a law to preclude only the events we want it to. For example, a law that restricts animals
from public place must be refined to permit guide dogs for the blind.
ETHIC:-An Ethic is objectively defined standards of right or wrong .Ethical standard are often idealistic
principles because they focus on one objective. In a given situation , however , several objective may be
involved, so people have to determine an action that is appropriate, considering all the objectives
.Therefore, through our choice, each of us defines a personal set of ethical practices set of ethical principles
is called an ethical system.
An ethic is different from Law in several important ways. Hence they are given a follows:-

Serial Law Ethic

no.
1 Describe by formal, written documents Describe by written principles
2 Interpreted by courts Interpreted by each individuals
3 Established by Legislatures representing Presented by philoshopers,religions,
all people. Professional groups.
4 Applicable to everyone Applicable to personal.
5 Priority determined by courts if two law Priority determined by an individual if two principles
conflicts. conflicts.
6 Court is final arbiter of “right” No external arbiter.
7 Enforceable by police and courts Limited enforcement.
8 Law can be enforced to rectify wrong In ethic, two people may have different framework for
done by unlawful behavior making moral judgments.

Q121) Why is computer crime is hard to prosecute?

Ans.: Even when everyone acknowledges that the computer crime has been committed, computer crime is
hard to prosecute for the following reasons.
• Lack of understanding. Courts, lawyers, police agents, or jurors do not necessarily understand
computers. Many judges began practicing law before the invention of computers, and most began
before the widespread use of the personal computer. Fortunately, computer literacy in the courts is
improving as judges, lawyers, and police officers use computers in their daily activities.
• Lack of physical evidence. Police and courts have for years depended on tangible evidence, such as
fingerprints. As readers of Sherlock Holmes know, seemingly minuscule clues can lead to solutions to
the most complicated crimes. But with many computer crimes there simply are no fingerprints and
no physical clues of any sort.
• Lack of recognition of assets. We know what cash is, or diamonds, or even negotiable securities. But
are twenty invisible magnetic spots really equivalent to a million dollars? Is computer time an asset?
What is the value of stolen computer time if the system would have been idle during the time of the
theft?
• Lack of political impact. Solving and obtaining a conviction for a murder or robbery is popular with
the public, and so it gets high priority with prosecutors and police chiefs. Solving and obtaining a
conviction for an obscure high-tech crime, especially one not involving obvious and significant loss,
may get less attention. However, as computing becomes more pervasive, the visibility and impact of
computer crime will increase.
• Complexity of case. Basic crimes that everyone understands, such as murder, kidnapping, or auto
theft, can be easy to prosecute, a complex money-laundering or tax fraud case may be more difficult
to present to a jury because jurors have a hard time following a circuitous accounting trail. But the
hardest crime to present may be a high-tech crime, as root access by a buffer overflow in which
memory was overwritten by other instructions, which allowed the attacker to copy and execute code
at will and then delete the code, eliminating all traces of entry.
• Juveniles. Many computer crimes are committed by juveniles. Society understands immaturity and
disregards even very serious crimes by juveniles because the juveniles did not understand the
impact of their actions. A more serious, related problem is that many adults see juveniles computer
crimes as childhood pranks, the modern equivalent of tipping over an outhouse.
Even when there is clear evidence of a crime, the victim may not want to prosecute because of possible
negative publicity. Banks, insurance companies, investment firms, the government, and the health care
groups think their trust by the public will be diminished if a computer vulnerability is exposed. Also, they
may fear repetition of the same crime by others: so-called copycat crimes. For all of these reasons,
computer crimes are often not prosecuted.

Q 122] Why do we need separate category for computer crime? Why is it hard to define?
Crimes can be organized into certain categories including murder, robbery, and
littering. We do not separate crime into categories for different weapons such as gun
crime or knife crime but we separate crime victims into categories depending on
whether they are people or other objects. Consider an example to see why these
categories are not sufficient and why we need special laws relating to computers as
subject and object of crime.
Rules and property:
Parker and Nycom describe the theft of a trade secret proprietary software package. The theft occurred
across state boundaries by means of telephone lines; this aspect is important because it means that the
crime is subject to federal law as well as state law.
The legal system has explicit rules about what constitutes property. Generally property is
tangible unlike magnetic impulses. For example authorized use of a neighbor’s lawn mower
constitutes theft, even if the lawn mower was returned in the same condition as it was when taken.
To a computer professional taking a copy of computer package without permission is clear cut theft.
A similar problem arises with computer services. We would generally agree that unauthorized access
to a computing system is a crime.

Rules and evidence:

 Computer printouts have been used as evidence in much successful fraud prosecution. Under
the rules of evidence courts prefer an original source document to a copy, under the assumption that
the copy may be inaccurate or may be modified in the copying process. However magnetic and
optical media are often the primary means of storing data today.
The biggest difficulty with computer based evidence in court is being able to demonstrate the
authenticity of the evidence law enforcement officials operate under a chain of custody requirement:
from the moment a piece of evidence is taken until it is presented in the court, they track clearly and
completely the order and identities of the people who had personal custody of that object. The
reason for that chain custody is to ensure that nobody has had the opportunity to alter the evidence.
With computer based evidence it can be difficult to establish chain of custody.
Threats to integrity and confidentiality:
The integrity and secrecy of data are also many issues in many court cases. The computing
system contains confidential records about people and integrity of data was important. The
prosecution of this case had to be phrased in terms of theft of computer time and valued as such,
even though that was insignificant compared with loss of privacy and integrity. However several
federal and state laws recognize the privacy of data about individuals.

Acceptance of computer terminology:

The law is also lagging behind technology in its acceptance of definition of computing terms.
For example according to federal statute it is unlawful to commit arson within federal enclave. Part of
that act relates to “machinery or building materials” in the enclave, but court decision have ruled
that a motor vehicle located within a federal enclave at the time of burning was not included under
this statute.
So it is not clear whether computer hardware constitutes “machinery”, “supplies” almost certainly
does not include software.
Computer crime is hard to define because:
Some people in the legal process do not understand computers and computing so crime
involving computers are not always treated properly. Creating and changing laws are slow processes.
This process is very much out of space with a technology that is progressing as fast as computing.
Adding to the problem of a rapidly changing technology, a computer can perform many roles in a
crime. A computer can be the subject, object, or a medium of crime. A computer can be attacked,
used to attack and as a means to commit crime

Q 123] Briefly discuss laws around the world that differ from U.S.laws & that should be of
interest of computer security.
There are some laws from U.S. which defines aspect of crime against or using the
computer. These laws include:
1) U.S.Computer fraud and Abuse Act.
The primary federal statute prohibits:
a) unauthorised access to a computer containing data protected for national defense or foreign
relations concerns
b) unauthorised access to a computer containing certain banking or financial information
c) unauthorised access, use, modification, destruction or disclosure of a computer or information
ina computer operated on behalf of US govt.
d) accessing without permission a "protected computer" which the courts now interpret to
include any computer connected to the Internet.
e) Computer Fraud
2) U.S.Economics Espionage Act.
The 1996 Act outlaws use of computer for foreign espionage to benefit a foreign country or
business or theft of trade secrets
3) U.S. Electronic Funds Tranfer Act
This law prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost or
fraudently obtaineddebit instruments in the interstate or foreign commerce.
4) U.S. Freedom of Information Act
This Act provides public access to information collected by the executive branch of the federal
Govt. The Act requires disclosure of any available data, unless the data fall under one of the
several specific exceptions, such as national security or personal privacy. The law's original intent
was to release to individual any information the Govt. had collected on them. Even foreign
Govt.'s can file for information. This Act applies only to the Govt. agencies although similar laws
could require disclosure from private resources.
5) U.S. Privacy Act
 The privacy Act of 1974 protects the privacy of personal data collected by Govt. An individual is
allowed to determine what data have been collected on him or her, for what purpose, and to
whom such information has been desseminated. The additional use of the law is to prevent one
Govt. agency from accessing data collected from another purpose.

Q 125] Explain the taxonomy of ethical theories?

There are two bases of ethical theories, each applied in two ways. The two bases are
consequences-based and rule-based, and the applications are either individual or
universal.
The taxonomy of ethical issues includes following points:-
a) Difference between the laws & Ethics: It is impossible or impractical to develop laws to describe and
enforce all forms of behavior acceptable to society. Instead society relies on ethics or morals to prescribe
generally accepted standards of proper behavior. Ethics are an objectively defined standard of right and
wrong. The study of ethics is not easy because the issues are complex. We can analyze a situation from an
ethical perspective and reach ethical conclusions without appealing to any particular religion or religious
framework.

b) Ethical Principle Are Not Universal :

Ethical values vary by society, and from person to person within a society. Although
these aspects of ethics are quite reasonable and understandable, they lead people to
destruct ethics because it is not founded on basis principles all can accept. Also,
people from scientific or technical background except precision and universality.
c) Ethics Does Not Provide Answers :
Ethical pluralism is recognizing or admitting that more than one position may be
ethically justifiable even equally so in a given situation. Pluralism is another way of
noting that two people may legitimately disagree on issues of ethics. However in the
scientific and technical fields, people except to find unique, unambiguous, and
unequivocal answers. Science has provided life with fundamental explanations. Ethics
is rejected or misunderstood by some scientists because it is “soft,
“meaning that it has no underlying framework or it does not depend on fundamental
truths.
d) Ethical Reasoning :
Most people make ethical judgment often, perhaps daily. Because we all engage in
ethical choice, we should clarify how we do this so that we can learn to apply the
principles of ethics in professional situations, as we do in private life.
Study of ethics can yield two positive results. First, in situation where we already
know what is right and what is wrong, ethics should help us justified our choice.
Second, if we do know the ethical action to take in a situation, ethics can help us
identify the issues involved so that we can make reasoned judgment.