(Review Questions) Midterm 2: OS, Software, Virtualization, Tor, and ML

Due No Due Date
Points 0

OS and low-level software security

What's the difference between Bell-LaPadula (BLP) and Biba Integrity model? Which of them is violated by the covert channel, and which one by side-channel?
What is the difference between euid and uid? What setuid and seteuid system calls do? Similarly what are setgid and setegid?
We have studied buffer overflows in the context of architectures whose stacks grow downwards, such as on x86. Consider a variant of x86 in which stacks grow upwards. The stack and heap might be “swapped” in terms of where they exist in process memory. Now the push instruction increments ESP by four, pop decrements ESP by four. Local variables are placed on the stack above (at higher addresses) than return addresses. Buffers are laid out in memory as in regular x86. Consider the program from targe1 in Homework 4.
Consider compiling and executing target1.c on this stack-upwards architecture. Give a diagram depicting the stack, at the time bar is entered, and be sure to at least include: (1) the saved EBP and EIP for main (put on the stack when calling foo); (2) foo’s local buffer buf; and (3) the saved EBP and EIP for foo’s call to bar. You need not include absolute addresses, but rather show positions of these values relative to one another. Indicate higher versus lower addresses, and where buf will overflow into should an attacker give an argv[1] that is longer than 160 bytes on the command line.
1. In stack-upwards x86, is target1.c still vulnerable? If so, explain why and how an exploit would work. If not, explain why not. State any assumptions you make about the stack-upwards x86 architecture.
Why is the access control matrix? Why it is just an “abstract model” (not used in practice), instead access control lists (ACLs) are used?
What is stack canaries? Can it be set during compile time, that is it is the same for all execution of the binary? Can it be different for every execution of the binary? Where are the stack canaries stored?
What is control-flow integrity (CFI)? StackShield tries to enforce CFI by copying the EIP to a different location on the stack, and checking it when the function returns. What are the limitations of this approach?
How can W^X protection be violated to launch buffer-overflow attacks? What is return-oriented programming (ROP)?
How can one read stack remotely?
ASLR randomly shifts the stack by a certain amount. What is the restriction on how many bits the shift can be? How can you circumvent ASLR protection?
How to bypass the protection of return address encryption (RAE)? In RAE the return address is encrypted with a key initialized during process start. The key is stored in a safe location that is not easy to be read by any buffer overflow.
Finding vulnerabilities:
1. What are the benefits and challenges with static analysis vs dynamic analysis?
2. How would you design a fuzzing scheme to detect buffer overflow vulnerabilities?
(Not a question) Make sure you understand all the problems in the HW4, in particular, double free, string formatting, and integer overflow vulnerabilities.

Virtualization and Cloud Security

What is system call interposition?
What are the possible threats if an attacker VM is placed beside the victim’s VM in the same physical machine?
What is resource freeing attack?
What are the security considerations of publishing to Amazon AMI, and using public AMIs?
Software manufacturers often do not want their software to be run on VM for the same reason malware developers do --- to avoid being reverse engineered. How can a process find out that it is being run on a VM environment?

Censorship and Tor

What is the fundamental difference between a onehop anonymizing proxy server and the Tor anonymity network?
Assuming no cooperation between any relay nodes, what is the minimum number of Tor relays that must be used in a circuit to provide anonymity even if relay nodes are spying on traffic passing through that node? Explain why this is the minimum number.
One proposal for the Hoolibits anonymizing service is that a client installs a program on their computer and, when anonymizing mode is activated, all TCP traffic is routed through the anonymizing network; other IP traffic is routed normally. Does this design provide anonymity for web browsing? Under what threats does it provide anonymity and under what threats does it fail?
What does TLS protect and what it does not?

ML

Give one-line descriptions of these attacks: machine evasion attack, model stealing, membership inference? What are the attacker’s capabilities and goals? Give realistic examples of scenarios for the feasibility of these attacks.
What is black-box vs white-box? What is a targeted vs untargeted adversarial example?
What is the challenge with learn-as-you-go?
Given a simple linear SVM model, give two inputs that are within a very small distance and one will be be considered benign while another will be considered an attack. Linear SVM model is f((x1, x2)) := a1x1 + a2x1 + b >= 0. Where a and b are parameters trained from the training data. Give two x_a = (x1,x2) and x_b = (x1’, x2’), such that f(x_a) > 0 and f(x_b) < 0, and dist(x_a, x_b) <= e. Here, x_a and x_b are to be expressed in terms of a1, a2, b, and e.

Rubric

Title:

Find a Rubric

Title

Title
Criteria	Ratings	Pts
Description of criterion threshold: 5 pts Edit criterion description Delete criterion row	5 to >0 pts Full Marks blank 0 to >0 pts No Marks blank_2 This area will be used by the assessor to leave comments related to this criterion.	pts / 5 pts --
Description of criterion threshold: 5 pts Edit criterion description Delete criterion row	5 to >0 pts Full Marks blank 0 to >0 pts No Marks blank_2 This area will be used by the assessor to leave comments related to this criterion.	pts / 5 pts --