Topics for Midterm Exam in CIS 6614 $Date: 2022/10/11 02:31:16 $ This examination covers homeworks 1-3 REMINDERS This test will be for the entire period in class (for those registered for the in class and reduced seat time sections) and will be open book and notes, but no electronics. READINGS See the syllabus for related papers and a few videos. CONCEPTS/TOPICS Topics marked + below are more important than topics marked - below. In general, conceptual questions, and questions that connect topics, techniques, examples, and ideas will be more important than details, so the exam may be somewhat of a different flavor than the homework sets. * Basic Terminology It's important to know and understand these terms, so that you understand the questions and can write sensible answers, but the exam will not be directly asking for definitions. ** static vs. dynamic + What is a static property of a program? + What is a dynamic property of a program? ** static program analysis + What is static program analysis? + What does it mean for a static analysis to be sound? - What does it mean for a static analysis to be complete? - Why is usually impossible for a static analysis to be both sound and complete? - What are the goals of static analysis? - What is precision? - What is recall? * Real World Security Bugs ** overview + What makes a bug a security bug? + How are security bugs different from normal bugs? + What are the advantages of negative testing? + Do manual code reviews usually find all security bugs? ** Apple Goto Fail Bug (CVE-2014-1266) + Summarize what the bug was and its effect on security. - What was the cause of the bug? - What were the consequences? + How could the bug have been detected statically? dynamically? - How could the bug have been prevented? ** Heartbleed Bug (CVE-2014-0160) + Summarize what the bug was and its effect on security. - What was the cause of the bug? - What were the consequences? + How could the bug have been detected statically? dynamically? - How could the bug have been prevented? * Threat Modeling ** Basics of Threat Modeling + What is a threat? How is a threat different from a vulnerability or an attack? + What is the goal of threat modeling? + What is threat modeling? + What are the basic questions that threat modeling tries to answer? + What is a trust boundary? - What does STRIDE stand for? ** Process for Attack Simulation and Threat Analysis (PASTA) - How does the PASTA threat modeling technique work? - How does the PASTA threat modeling differ from STRIDE? * Static Analysis (i.e., static program analysis) ** benefits of static analysis + How does static analysis differ from (human) code inspection? + How is static analysis different from testing? - What kind of static analysis would have helped discover the Apple goto fail bug? - How does static analysis differ from program verification? + What is a safety property? How does it differ from a liveness property? + Which security properties are safety properties? + Which security properties are liveness properties? - What are the goals of static analysis? + How does the way that static analysis works influence its use in security? ** design of a static analysis + What does it mean to "err on the safe side" or be "conservative" in a static analysis? + What does it mean for a static analysis to be sound? Complete? - How does one design a sound static analysis to be conservative? - What is an intraprocedural analysis? An interprocedural analysis? - How does an intraprocedural analysis differ from an interprocedural one? - What is a "may analysis"? What does it track? - What is a "must analysis"? What does it track? ** implementing static analysis + What is a control flow graph (CFG)? - Why are CFGs used in static analysis? - How are CFGs used in static analysis? - What is a property space? - What is a monotone framework? - What is a transfer function? - When would one use a backwards analysis? A forward analysis? - How does not solve a set of recursive dataflow equations? - What tools can be used for static analysis? * Symbolic Execution ** fundamentals + What is symbolic execution? - How does symbolic execution differ from static analysis? - What are the advantages of symbolic execution vs. program analysis? + How does symbolic execution differ from testing? + What are the advantages of symbolic execution vs. testing? - What are some tools for symbolic execution currently in use? - How does symbolic execution work? - What is a path condition? How is it expressed? - How are if-statements handled in symbolic execution? + How can symbolic execution help improve software security? ** model checking + What is model checking? - How is model checking related to finite state automata? - How are finite state automata related to security properties? - What are the advantages of model checking? - What are the disadvantages of model checking? - How does model checking relate to software security? ** SAT Solvers and SMT Solvers + What does an SAT solver do? - How do SAT solvers work? + What does an SMT solver do? - How does an SMT solver relate to SAT solving? - How are SMT solvers used in symbolic execution tools? - How does one use a SMT solver to prove a logical formula? * Concolic Testing ** Fundamentals + What is concolic testing? - How does concolic testing differ from symbolic execution? - How does concolic testing differ from (normal) testing? + How does concolic testing address problems with symbolic execution? + How does concolic testing help with software security? - What is the concolic testing algorithm? + In what way does concolic testing help improve code coverage? * Fuzz testing ** Fundamentals + What is fuzz testing? - How does a fuzz tester work? - How does fuzz testing differ from regression testing? + What are the different kinds of fuzz testing? How do they differ? + What kinds of faults can fuzz testing find? + How does fuzz testing help find software vulnerabilities? + What are the advantages and disadvantages of fuzz testing? + What does a user need to do to use fuzz testing on different kinds of programs? ** Mutation-based fuzz testing + What is the goal of mutation-based fuzz testing? + How does mutation-based fuzz testing involve human input? + How does the algorithm for mutation-based fuzz testing work? - What are some examples of mutation-based fuzz testing tools? + What are the advantages of mutation-based fuzz testing? + What are the disadvantages of mutation-based fuzz testing? + What kinds of software are resistant to mutation-based fuzz testing? ** Generation-based fuzz testing + How does generation-based fuzz testing work? + What information does generation-based fuzz testing need? + How does generation-based fuzz testing overcome the problems of mutation-based fuzz testing? + What are the advantages and disadvantages of each kind of fuzz testing? ** Evaluating fuzz testing + What is code coverage? + What are the different kinds of code coverage? - What code coverage tools are available? + What are the benefits of measuring code coverage? + Is it possible to cover every line of a program? Is it possible to cover every branch? Every path? + How can code coverage be used to guide fuzz testing? + What does AFL do (in general terms)? * Taint Analysis ** Code injection attacks + What is a code injection attack? + When is software vulnerable to code injection attacks? + What other kinds of injection attacks are there, besides SQL? - What are the recommended steps that developers should use to prevent code injection attacks? ** Taint analysis fundamentals + How is taint analysis supposed to prevent code injection attacks? + Is taint analysis a static or dynamic technique, or can it be either one? + Which is better for preventing injection attacks: static taint analysis or dynamic taint analysis? Why? - What attack model is used in taint analysis (papers)? Why is that realistic? - How does taint analysis differ from information flow security? ** Taint analysis implementation + What are the rules for basic tainting? + Be able to tell if an expression's value is tainted at some point in a program's execution. + What is the overhead for basic tainting? + How should pointers be handled in taint checking? What are the options and advantages of each option? - Does the C programming language make it easy to find pointers? ** evaluation + What are the advantages and disadvantages of taint checking? * Information flow security ** fundamentals + How does the problem of information flow security differ from taint checking? + What is an implicit flow? + What is access control and why does it not protect information completely? + Why is encryption not a complete solution for keeping information confidential? - Is information flow security a static or dynamic problem? - What is the dual of confidentiality of information? ** Covert channels + What are examples of covert channels? - Are covert channels considered in the attack model of information flow security? ** formalization + What is noninterference? How does it help define information flow security? - Explain the type rules for formalizing information flow security * Memory Attacks ** Fundamentals + What are the goals of an attacker in a memory attack? + What kinds of attack are examples of memory attacks? + Do all memory attacks on C programs depend on buffer overflows? + What are the overall steps of a buffer overflow attack? - How does a "smashing the stack" attack work in detail? + What can a memory attack accomplish? - Which C library functions are particularly vulnerable to buffer overflows? + What features (or lack of features) in C make buffer overflow a problem in C but not in Java or Rust? + What is a memory safe programming language? + Is C memory safe? + Why isn't all systems software written in a memory safe programming language? - What is a nop slide? + If a program's stack is protected, could there still be memory attacks that take over its execution (flow of control)? ** Stack Canaries + What is the goal of a "stack canary"? + How should stack canaries work? + Can stack canaries prevent all buffer overflow attacks from taking over a program's execution flow? + What is an "electric fence" and how does it differ from a stack canary? ** Bounds checking - What does bounds checking mean in C for pointers? + Is compiler support needed for bounds checking in C? + What are the expenses of bounds checking for C? *** Fat pointers + How do fat pointers work? + Why are fat pointers not considered upward compatible with C code? *** Baggy Bounds checking + How does the Baggy Bounds checking system address the problems with fat pointers (esp. for the 32 bit architecture)? + What sizes of allocations are used in baggy bounds checking? + How is bounds information stored in baggy bounds checking? - How does Baggy Bounds compute the length of an allocation from a pointer? - How does Baggy Bounds compute the base address of an allocation? + In general terms, how does Baggy Bounds do bounds checking, given a length and base for a pointer? - How does Baggy Bounds handle pointers that are illegal? + Does the Baggy Bounds checker need to recompile code or edit binaries? - How does Baggy Bounds interact with code it did not have a chance to recompile or edit (i.e., with uninstrumented code)? - How does Baggy Bounds work differently on 64 bit architectures? + Can there still be memory attacks when using Baggy Bounds? How? ** Non-executable memory + How does the policy of letting memory pages be either writable or executable, but not both, protect against memory attacks? ** Address Space Layout Randomization (ASLR) + How does ASLR make it harder for attackers to carry out memory attacks? * Return-oriented Programming ** Fundamentals + In what way does return-oriented programming help to defeat (W xor X) memory and ASLR? + What is (are) the basic idea(s) that makes return-oriented programming work? - What role does the stack pointer play in return-oriented programming? ** Details of Return-oriented Programming - What is a gadget? What is a pop-ret gadget? - How can stack canaries be defeated? - What are the steps of blind return-oriented programming? ** Defenses + What defenses would work against blind return-oriented programming? SKILLS * Threat Modeling ** fundamentals + What is a threat compared to an attack or vulnerability? [HW1, HW2] + What a trust boundary? [HW2] + What is an attack surface? [HW2] ** Creating and Justifying a Threat Model + Describe threats to the security of a distributed, online system. [HW1] + State why certain threats to such a system are important. [HW1] + Describe how to mitigate certain threats. [HW1] - Describe one compliance issue for online banking. [HW2] - Describe the components of a distributed, online banking system. [HW2] + How do typical components of a distributed, online system relate to that system's assets? [HW2] + Create a dataflow diagram for a distributed, online system that shows trust boundaries. [HW2] + Use a threat model to plan mitigations. [HW2] + Use a threat model (especially threats and mitigations) to estimate remaining risks in a system's design. [HW2] ** finding vulnerabilities in software + Which is better for finding security vulnerabilities in software: static program analysis, symbolic execution, concolic execution, or fuzz testing? [HW3] + Determine whether an assertion always holds at a program point. [HW3] + What kind of tool would be best for finding whether an assertion always holds at a given program point? [HW3]