CSCI262SystemSecuritySpring2016 (Wollongong)

This document contains an examination paper for the CSCI262 – System Security course with questions covering various security topics such as authentication methods, cryptographic hash functions, authorization models, and attacks. The paper tests knowledge of concepts like password authentication, one-time passwords, buffer overflows, denial of service attacks, and digital forensics.

Uploaded by Jan
Copyright © All Rights Reserved

CSCI262 – System Security

(Wollongong Campus)
Examination Paper
Spring Session 2016
Part A
1) Examples of each of the main authentication bases are: a password, PIN, or secret for what a subject knows; a card, badge, or device for what a subject has; biometrics such as fingerprint or retinal characteristics for what a subject is; and being in front of a particular terminal or in a specific room for where an entity is.
Part A
2) Two security properties of a cryptographic hash function are: one-way, that is, it is infeasible to generate the preimage from the hash digest; and collision resistance, that is, it is infeasible to find two different messages with the same hash value.
Part A
3) “Online” and “offline” attacks differ in that online attacks require the connection to be active, which may impose certain restrictions while attempting to break the password, while offline attacks have unlimited chances to break the password.
Part A
4) Two possible consequences of a buffer overflow are: exploitation by an attacker to inject malware to cause an attack against availability, such as denial of service; and running some arbitrary code to modify data (an attack on data integrity) as well as stealing information (an attack on data confidentiality).
Part A
5) The principle of least privilege is reflected via a partial order ≤ (generally a reflexive, antisymmetric, and transitive relation), so that for every two elements a, b ∈ L there exists a least upper bound u ∈ L and a greatest lower bound l ∈ L in a lattice.

SIM-2016-S3-CSCI262-S3b, Slide 22
Part A
7) Each row of the authorization table of Sandhu & Samarati contains an access triplet (Subject, Object, Action). It is also known as the capabilities, which is from the point of view of the subject’s actions on the various objects.

SIM-2015-S4-CSCI262-S3a, Slide 36
Part A
8) Two resources that can be targeted in a DoS attack are network bandwidth (for the network) and memory storage as well as processor capacity (for the computer).

SIM-2016-S3-CSCI262-S4a, Slide 5
Part A
9) Random seeding a password generator with time alone is a bad idea because if an attacker knows the time, the attacker can use the same time as the seed to the random generator to regenerate the same sequence of passwords.

SIM-2016-S3-CSCI262-S3a, Slide 34, 37


Part A
10) Inference is the derivation of sensitive information from non-sensitive, typically aggregate, data.

SIM-2016-S3-CSCI262-S6a, Slide
Part A
11) Spear phishing differs from general phishing in that spear phishing targets a specific person, while general phishing targets all people and expects some to be fooled.

SIM-2015-S4-CSCI262-S6b, Slide 39
Part A
12) Error-based SQL injection uses error messages thrown by the database server to obtain information about the structure of the database.

SIM-2016-S3-CSCI262-S, Slide
Part A
13) An event being “not known to be bad” likely refers to not being on an event description of activities considered to be violating security policies, in the context of an intrusion detection system.
Part A
14) To be stateless means a server has not committed any resources, and is relevant in the context of the client puzzle connection protocol.
Part A
15) A chain of custody provides assurances that evidence collected during digital forensics is unaltered???

SIM-2016-S3-CSCI262-S8c, Slide 13
Part A
16) Units are relevant in digital forensics and logging
because ___________________________________

SIM-2016-S3-CSCI262-S, Slide
Part B – Question 1 …1
1) Describe three distinct types of attacks against password systems.
Briefly discuss appropriate countermeasures against one of those
types of attacks.

SIM-2016-S3-CSCI262-S2a, Slide21
Part B – Question 1 …2
• The three distinct attacks are the dictionary attack, the brute-force attack and the hybrid attack. A dictionary attack uses a “dictionary” of all known words and tries to find the password. A brute-force attack tries all possible combinations of the password until it is correct. A hybrid attack is a combination of brute-force and dictionary attack, where we use the dictionary as the basis but take variants on each of the words tested. We can protect against a dictionary attack if we use words that are not commonly found in the dictionary, or random words. Alternatively, use a salt and regularly change the password.

SIM-2016-S3-CSCI262-S2a, Slide21
Part B – Question 2 ...1
2) Describe in detail how the one-time password system of Lamport
works.
A one-time password is a password that can be used only for one session or one transaction. Lamport’s one-time password is one example of such a password. Lamport’s one-time password scheme consists of two parts, the setup and the process, as follows:
Setup:
• In the setup process, a user selects a password that is secret to him/her.
• The system then uses this password, together with some value, say n, to generate a sequence of passwords $p_1, p_2, \ldots, p_n$.
Part B – Question 2 ...2
Process:
• A user, let’s say Alice, requests a connection to a server.
• The server issues a challenge n.
• The user responds with a one-time password, which is generated as $h^{n-1}(\text{password})$.
• The server checks whether $h(h^{n-1}(\text{password})) = h^{n}(\text{password})$.
• If it matches, the server accepts the communication request. If it does not, the server rejects the communication request.
• Once the user has been authenticated, the server needs to update its information.
Part B – Question 2 ...3
Process (cont…):
• The system then replaces $x_n = h^{n}(\text{password})$ with the one-time password sent by the user, that is, $x_{n-1} = h^{n-1}(\text{password})$.
• The value $n$ is replaced by $n - 1$.
• When $n$ reaches 0, the system will have run out of passwords in the hash chain and will have to run a new setup process, with a new base password.
Part B – Question 2 ...4
• Lamport’s one-time password works because the system defines $p_i$ to be $H^{n-i}(p)$, where H is a hash function known to all, e.g., MD5() in our Assignment 1. In this way, an attacker cannot derive a future password from a past password. For example, after $p_6$, which equals $H^{n-6}(p)$, the attacker can compute $H(p_6)$, which equals $H^{n-5}(p)$, the already used password $p_5$. The attacker cannot compute $p_7$, because $p_7$ equals $H^{n-7}(p)$, and computing $H^{n-7}(p)$ from $H^{n-6}(p)$ would require the attacker to compute the inverse of $H$ or to know p, but H is a cryptographic hash function.
Part B – Question 3
3) A company has three departments A, B and C, and has determined
that it is appropriate to have two levels of sensitivity, in increasing
order: L and H. Draw a BLP lattice system to represent this scenario.
Part B – Question 4 …1
4) Explain what positive validation of user input is and why positive it
is important, and usually more appropriate than negative validation
of user input. You need to explain what is meant by positive
validation and negative validation. Give examples to support your
argument.
Positive validation concerns a situation where we try to distinguish between authorized and unauthorized entities. A true positive and a false positive may be the result of positive validation. A true positive refers to a situation when we make a match, and it is correct. A false positive refers to a situation when we make a match (a positive match) which is actually not correct. Positive validation, in particular a false positive, of user input is important because it affects the false acceptance rate.
Part B – Question 4 …2
A false acceptance rate is the proportion of authentication attempts resulting in false acceptances, which means the number of matches accepted which we should not have accepted.

In a negative validation, of course, there are true negatives and false negatives. A true negative refers to a situation when the match should be rejected and we did reject it. A false negative, on the other hand, refers to a situation when we did not make a match, but we should have. Negative validation, in particular a false negative, affects the false rejection rate, which means the number of matches rejected which we should not have rejected.
Part B – Question 5
5) Pharming is considered to be more technical and social engineering
than deceptive phishing. Explain how pharming and phishing are
related and why this statement is reasonable. You should note both
the technical and social engineering aspects of each.
Part B – Question 6
6) Explain how the three classes of IDS attacker: clandestine,
masquerade and misfeasor, differ from each other. Give example
illustrating how the methods used to detect a masquerade might
differ from those used to detect a misfeasor.
Masqueraders are illegitimate users who try to imitate legitimate users, while misfeasors are authorized users who misuse their power.
Clandestine refers to someone who tries to avoid the intrusion detection or auditing system.
Part B – Question 7
7) Describe factors used in differentiating between types of malware.
Specify the main types of malware and illustrate how those factors
apply to them.
Part C – Question 1 ...
1. The following questions relate to authentication and access control:
a. Explain what salting is, where we use it, and why we use it.
b. Assuming the attacker knows the method we use to choose a
password, which of the following two methods of generating a
password is better? Justify your answer. In every instance the
choosing is uniformly random.
A. Choosing a six digit number.
B. Choosing a lower case letter, followed by two digits, followed
by an upper case letter, followed by two digits.
Part C – Question 1 ...
c. Name and describe two list representations corresponding to an
access control matrix. If we want to efficiently determine all the
actions available to a subject, which of the two list
representation is appropriate and why?
d. Name and describe the two types of error rates that occur in
authentication systems.
Part C – Question 1 …
a. Explain what salting is, where we use it, and why we use it.

The “salt” is a randomly generated value. It is used in hashing, where instead of only the password being hashed, the password is combined with the salt and then hashed. The salt is stored somewhere too. This is used so that the adversary has many combinations to try (the password with many salts), which delays the adversary from finding the correct password hash.
Part C – Question 1 ...
b. Constructing a password by choosing a six-digit number.

$\text{Entropy} = \log_2 N^{l} = \log_2 10^{6} = 6 \log_2 10 = 6 \times \frac{\log_{10} 10}{\log_{10} 2} = 19.93 \text{ bits}$

$\text{Complexity of the password} = 2^{19.93} \approx 998{,}913.34$


Part C – Question 1 ...
B. Constructing a password by choosing a lower case letter, followed by two digits, followed by an upper case letter, and followed by two digits.

Entropy:
• One lower case letter: $26^{1} = 26$
• Two digits: $10^{2} = 100$
• One upper case letter: $26^{1} = 26$
• Two digits: $10^{2} = 100$

$\text{Entropy} = 1 \times \frac{\log_{10}(26 \times 100 \times 26 \times 100)}{\log_{10} 2} = 1 \times \frac{\log_{10} 6760000}{\log_{10} 2} = 22.69$

$\text{Complexity of the password} = 2^{22.69} \approx 6{,}766{,}601.52$


Part C – Question 1 ...
• From the previous computation, it is concluded that method two provides a stronger password. This is because the number of possible combinations in method two is higher. This is in accordance with the theory that a more complex password provides higher entropy. However, it is important that the order/pattern used to create the password is not known to the attacker; otherwise, the attacker is able to break the password more easily because of the pattern.
Part C – Question 1 …
c. Name and describe two list representations corresponding to an
access control matrix. If we want to efficiently determine all the
actions available to a subject, which of the two list
representation is appropriate and why?
An access control matrix is used to restrict subjects from accessing objects that the subject is not authorized to act on.
Capabilities are from the perspective of the subject, and the access control list is from the perspective of the objects.
If we want to efficiently determine all the actions available to a subject, the capability list is more efficient, because the capability list lists all the objects the subject is able to access and the operations/authorizations to access those objects.
Part C – Question 1 …
d. Name and describe the two types of error rates that occur
in authentication systems.
• The two types of error rates that occur in authentication
systems are False Acceptance Rate (FAR) and False
Rejection Rate (FRR). False Acceptance Rate (FAR) is the
proportion of authentication attempts resulting in false
acceptances, and False Rejection Rate (FRR) is the
proportion of authentication attempts resulting in false
rejections.
Part C – Question 2 …1
2) Consider the diagram to the right and answer the following
questions:
a. What is the context of this diagram?
b. What is sent to the client and how is this
generated?
c. What should the client respond with?
d. What is the role of k?
e. How much work would we expected the
client to do?
f. Is the answer from the client unique? Justify
your answer.
Part C – Question 2 …2
a. What is the context of this diagram?

The diagram refers to the construction of client puzzles.
Part C – Question 2 …3
b. What is sent to the client and how is this generated?
X[j](k+1,L) is sent to the client. This is generated by taking a sub-puzzle and withholding k bits as the solution of the puzzle.
Part C – Question 2 …4
c. What should the client respond with?

The client should respond with x[j](1,k), to be joined with x[j](k+1,L) to get y[j].
Part C – Question 2 …5
d. What is the role of k?

k is the number of bits that are missing from the puzzle. It determines the complexity (effort) that a client needs to put in to solve the puzzle.
Part C – Question 2 …6
e. How much work would we expected the client to do?

The client is expected to do minimal work so that the authentication can be fast.
Part C – Question 2 …7
f. Is this process stateless? Explain your answer.

Yes, the puzzle stores no information. The solution itself contains all the information the server needs, other than the server’s own secret.
Part C – Question 3
3. The following questions relate to DoS attacks:
a. What are the possible consequences or damages caused by a
DoS attack?
b. Describe the difference(s) between a quantity attack and a
quality attack.
c. Which DoS attack does Syncookie aim to resist? Briefly describe
how Syncookie works.
d. Describe 2 common techniques use by amplification attacks.
Part C – Question 4
4. Explain what each of the following is/are, explaining the motivation
and/or context for each as part of your answer:
a. Master passwords
b. CAPTCHA
c. XSS
d. TOCTOU
Part C – Question 4 …
a. Master password:
A master password is a single password to which all the security properties are applied, instead of to many other passwords that are less secure. Typically it is used as the main password to protect sensitive information such as other passwords and certificates.
Part C – Question 4 …
c. XSS:
XSS is an abbreviation for cross-site scripting. It exploits vulnerabilities in dynamic web content; in particular, it involves the use of those vulnerabilities to gather data from a user that should not be gathered. XSS enables attackers to inject client-side scripts into web pages viewed by other users.
Part C – Question 4 …
d. TOCTOU
It is an abbreviation for Time Of Check, Time Of Use. It is an
attack that targets a race condition occurring between the
time of check (state) for a resource and the time of use of
the resource. This attack is possible when two or more
concurrent processes are operating on a shared file. For
example, the first access is a check to verify some attribute
of the file, followed by a call to use the file. An attacker can
alter the file between the two accesses.
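The check-then-use race described under TOCTOU, as an added example (not from the exam paper or the course): a vulnerable read that checks a path and then opens it again, beside a fixed version that opens first and checks the descriptor it actually got. The temporary directory, the file names and the `during_window` hook that stands in for the concurrent process are constructed for the demo.

```python
import os
import stat
import tempfile


def read_regular_file_racy(path: str, during_window=lambda: None) -> bytes:
    """Vulnerable pattern: the check looks at whatever `path` names now; the open()
    looks at whatever it names a moment later. `during_window` stands in for the
    other process acting in between (a constructed hook for the demo)."""
    if not stat.S_ISREG(os.lstat(path).st_mode):     # time of check
        raise PermissionError("not a regular file")
    during_window()                                   # the TOCTOU window
    with open(path, "rb") as f:                       # time of use
        return f.read()


def read_regular_file_safe(path: str) -> bytes:
    """Fixed: open first (refusing a symlink at the final component), then check the
    object actually opened through its descriptor. Check and use now refer to the
    same file object, so there is no window to race."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        return os.read(fd, 1 << 20)
    finally:
        os.close(fd)


def demo() -> dict:
    """Constructed scenario: a harmless file and a secret one in the same directory;
    between check and use the harmless name is swapped for a symlink to the secret."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"secret data")
        before = read_regular_file_safe(public)       # ordinary file: safe read succeeds

        def swap():                                   # what the racing process does
            os.remove(public)
            os.symlink(secret, public)

        leaked = read_regular_file_racy(public, swap)  # check passed, use read the secret
        try:
            read_regular_file_safe(public)             # the link is now in place
            after = "opened"
        except OSError:                                # O_NOFOLLOW refuses the symlink
            after = "refused"
        return {"safe_before_swap": before, "racy_read": leaked, "safe_after_swap": after}
```

Requires a POSIX system (symlinks and O_NOFOLLOW).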
Part C – Question 5
5. The following questions relate to intrusion detection:
a. Explain the ideas of threshold models in the context of an
intrusion detection system. Use a specific example to help in
explaining.
b. The lecture notes describe the 5+1 related goals of intrusion
detection, the +1 being assurance. State and briefly describe the
5 goals. For each of those goals, give an example of what may
happen if the goal is not met.
c. What are honeypots? What role do they have in detecting and
managing intrusions?
Part C – Question 5
b. The lecture notes describe the 5+1 related goals of intrusion
detection, the +1 being assurance. State and briefly describe the 5
goals. For each of those goals, give an example of what may happen
if the goal is not met.
The 5 goals of intrusion detection systems:
1. Detect all intrusions, both internal as well as external.
2. Dynamic in the sense of capable of learning or taking into account
current attacks and/or user behaviour.
3. Timely, in the sense of providing information at a point in time at which it
is still useful.
4. Clear and concise – reports of the results of the analysis
5. Accurate – an incorrect report is not good, but a correct report that we
do not believe is not good either.
Part C – Question 5
c. What are honeypots? What role do they have in detecting and
managing intrusions?
A honeypot is a decoy that lures attackers away from production systems. It is usually a computer attached to the network that runs special software to emulate services, applications and protocols. A honeypot should not contain any data other than the information specifically created to trick the attacker. Nor should it be allowed to connect to any other system except other honeypots, to prevent the attacker from using the honeypot to launch an attack. We can use honeypots to lure the attacker into staying on the system long enough for the administrators to respond to the attack. In this case, the honeypots act as decoys in the intrusion detection and prevention system.
Part C – Question 6
6. This is a collection of mixed questions.
a. Describe what a timing side-channel attack is, illustrate how it
might work, and describe a countermeasure to protect against
such timing attacks.
b. Describe a typical phishing process.
c. What is Trojan Horse? Describe two distinct methods of
identifying a Trojan Horse and explain when and why each of
those methods might be appropriate.
Part C – Question 6
b. Describe a typical phishing process.
A typical phishing process involves deception, where the user is fooled into believing that there are issues with his account and enters his account details to fix the issue, but the details are actually stored and collected by the phisher to cause harm.
Part C – Question 6 …
c. What is a Trojan Horse? Describe two distinct methods of
identifying a Trojan Horse and explain when and why each of those
methods might be appropriate.
Trojan Horses are non-replicating programs that openly exhibit one desirable behaviour (it might be a game, for example) but have some real intent hidden from the user. This real intent could, for example, be to open ports on a machine to allow attackers access. A Trojan horse may rename itself to the name of a valid system file. It can also be encrypted and polymorphic, and could install itself in different ways to escape detection.
Part C – Question 6 …
Two methods of detecting Trojan Horses:
• Monitoring – Make use of virus monitors to monitor known methods of virus activity, such as attempts to write to a boot sector, modify interrupt vectors, write to system files, etc., and detect abnormal behaviour of the system. This technique is able to detect the Trojan Horse before complete infection. The disadvantage is that to detect a high percentage of viruses, the sensitivity of the monitor must be set high, and this may generate many false alarms.
Part C – Question 6 …
Two methods of detecting Trojan Horses: (cont…)
• Signature scanning – the simplest and most common approach to virus detection. With this technique, signature extraction is a non-trivial process. The infection is disassembled and the key portions are identified. Next, the key portions are combined to form a signature. The signature is then checked against a large library of programs to reduce the chance of false positives occurring when a signature accidentally matches some library code. The advantage of this technique is that, other than detecting Trojan Horses, it can also be used to detect logic bombs and other malicious software. The disadvantage is that scanning cannot find new viruses before their patterns are known. In addition, this technique is also ineffective against polymorphic viruses.
Part C – Question 7
7. This is a collection of mixed questions.
a. Name and describe two methods of protecting, at the query
level, against inferential attacks in statistical interfaces. For each
of those methods describe a potential problem.
b. Describe two distinct scenarios or applications domains where
we may use reverse engineering for legitimate and distinct
purposes. Be sure to explain how reverse engineering may help.
c. A Biba based system is used in some Windows operating
systems. What purpose does its use serve and why would a BLP
based system be inappropriate?
Part C – Question 7 …6
a. Name and describe two methods of protecting, at the query level,
against inferential attacks in statistical interfaces. For each of those
methods describe a potential problem.
i. Try to design the database in such a way that inference is reduced.
ii. Attempt to reject specific queries, or sequences of queries, which may lead to an inference attack.
