CEG4420/6420 Final Exam
- This exam is a traditional closed book, closed notes exam. Once
you click the exam link, you are honor bound
- not to surf, not to access any content already existing,
- not to take longer than 120 minutes,
- not to give or take help from others until you turnin your answers.
- Every sentence and figure submitted is your own work produced during the two hours.
- This exam permits the use of a Linux/ Mac/ Windows laptop/ PC/ VCSL running Ubuntu/ Knoppix/ Kali/ … distros, gcc, ps, splint, etc. but not man pages.
- Submit one PDF file named
answers.pdf
into the Pilot dropbox for Final.
1 Part I (5 points each)
The following statements may or may not be (fully or partially) valid. (i) Explain the underlined technical terms occurring in each statement. (ii) Explain/ discuss/ dispute the statement. It is possible to write no more than, say, ten, sentences each, and yet receive full score.
- Code signing uses symmetric key encryption and guarantees the integrity of the software by verifying that the software has not been modified.
- AlephOne describes the eggshell program as "usage: eggshell [-a <alignment>] [-b <buffersize>] [-e <eggsize>] [-o <offset>]\n". Why do we need these arguments?
- There are several log files within
/var/log/
directory in all Linux systems. These are for performance monitoring. None of them is useful in improving security. - ROP gadgets and stack top randomization help prevent machine code injection.
- "A chroot jail is a way to isolate a process and its children from the rest of the system. It should only be used for processes that don't run as root, as root users can break out of the jail very easily."
2 Part II (15 points each)
- An attacker has acquired root privileges on a Linux system with
10000 users. His/her primary goal was to obtain one hundred
userid-password combinations (in clear text). A secondary goal was
to do this without being noticed. How will you verify that this
attack has happened? How will you discover files that were
changed, and perhaps later replaced with originals? Is it possible
to discover how the attack was carried out? Give your answers
first (i) (5 points) in English prose, then (ii) (10 points) as a
bash
script. - One of the hardening actions taken in modern Linux kernels is to
remove abstract devices
/dev/mem
and/dev/kmem
. (i) Explain the purpose of these devices. (ii) Using an example or two, describe an exploit that uses these devices. (iii) Discuss if these devices can be resurrected in a running Linux system, with a modern kernel even though the kernel is compiled without them. - Describe the functionality of any five security related entries in
/proc/sys/kernel
- Describe any three of the Principles of Robust Programming of Matt Bishop's article.
- In the lectures on SELinux, an example on the
passwd
program was discussed.allow passwd_t passwd_exec_t : file entrypoint; allow user_t passwd_exec_t : file { getattr execute }; type_transition user_t passwd_exec_t : process passwd_t; allow user_t passwd_exec_t : file { getattr execute };
In the context of the above four rules, answer the following:
- (3 points) What is context, role, and type?
- (2 points) What is the problem of domain transitions?
- (10 points) How did the MAC rules above improve the standard Linux (DAC) passwd security?