Reference Monitors & OS Security Flashcards

1
Q

what is the security kernel (rmb that CO guy from 2018)

A

He’s a fast runner, he plays soccer maybe, and he creates the referee,

Hardware, firmware and software elements of a TCB that implement the reference monitor concept.

2
Q

TCB (trusted computing base)

A
The totality of protection mechanisms within a computer system – including hardware, firmware, and software – the combination of which is responsible for enforcing a security policy.
3
Q

What are the requirements of reference monitors. RM is implemented by kernel (colonel) so it represents SAF. That leads to total vehicular control.

A

Function Requirement: Complete mediation
Security Requirement: Tamper Proof
Assurance Requirement: Verifiable
I mean this is kinda intuitive also

4
Q

Complete mediation

A

The reference validation mechanism must always be invoked.

5
Q

Tamper-proof

A

The reference validation mechanism must be tamper-proof.

6
Q

Verifiable

A

The reference validation mechanism must be small enough to be analysed and tested.

7
Q

placing RM hardware

A

access control mechanisms in microprocessors

8
Q

placing RM OS kernel

A

hypervisor, i.e. a virtual machine that emulates the host computer it is running on. Referee with sunglasses.

9
Q

placing RM Services layer

A

access control in database systems, Java Virtual Machine, .NET Common Language Runtime, or CORBA middleware architecture.

Referee sips an 8 bit coffee shaped like a computer

10
Q

placing RM Operating system

A

access control in Unix and Windows 2000

11
Q

placing RM Application

A

security checks in the application code to address application specific requirements

12
Q

AllFather Speaks: Orphan Kills Heimdallr

A

Application, services, operating system, kernel (wear killer sunglasses/vizors), hardware

13
Q

Operating System Integrity

A

Assume that your O/S prevents unauthorized access to resources (as long as it works as intended)

14
Q

Ey say more about tamper proof requirement

A

• To bypass protection, an attacker may try to disable the security controls by modifying the O/S.
• An integrity problem: the O/S is not only the arbitrator of access requests, it is itself an object of access control.
• Users must not be able to modify the operating system.

don’t fuck with the boy,ogre. the boy controls weapons but the boy is a weapon

15
Q

What are the 2 competing requirements in OS integrity, and what are the concepts used to achieve these goals

A

Users should be able to use (invoke) the O/S. Solved by status information.
Users should not be able to misuse the O/S. Solved by controlled invocation or restricted privilege.

16
Q

What is the status flag

A

To protect itself, an O/S must be able to distinguish computations ‘on behalf’ of the O/S from computations ‘on behalf’ of a user.

Status flag allows system to work in different modes

the computer lady from little britain goes up to the entrance to a different party. the butler asks, are you for yourself or bill gates.

• Intel 80x86: two status bits and four modes
• Unix distinguishes between user and superuser (root)

For example, to stop users from writing directly to memory and corrupting the logical file structure, the OS grants write access to memory locations only if the processor is in supervisor mode.

17
Q

If a user wants to write to memory (requires supervisor mode) then the system has to switch between modes. How is this done?

A

Changing the status bit to supervisor mode would give all supervisor privileges to the user

Controlled invocation: Invocation of a function that executes privileged instructions to provide a limited, well-defined functionality, and then returns to user mode.

So the computer lady, me in a dress, looks my ben ten watch. see it glow 0 in a faint green glow in the night sky. the air is humid. Option 1, I turn the watch to 1. I hear the click of the watch, bill gates’ silhouette appears on it and I turn into it. I am in supervisor mode now.
Option 2, I bring out my phone, with confidence and ego i call bill gates and he gives me the functionality to write to memory (enter the orange ball).

18
Q

why is there a need for security mechanisms at the core

A

• Security mechanisms in a given layer can be compromised from a layer below.
• To evaluate security, you must check that security mechanisms cannot be bypassed.
• The more complex a system, the more difficult this check becomes. At the core of a system you may find simple structures which are amenable to thorough analysis.

tldr: you create a very skinny man with a body shape like an apple core. his heart’s poking out, it’s quite terrifying, like the seed in the apple core. he’s in charge of the base layer of the system

19
Q

what are the benefits for putting security mechanisms at the core

A

Putting security mechanisms into the core of the system can reduce performance overheads caused by security

Processor performance depends on the right choice and efficient implementation of a generic set of operations that is most useful to the majority of users. The same holds for security mechanisms

Some sources assume that TCBs and security kernels must enforce multi-level security policies.

The skinny man with the core body has a sniper. see him somehow carry the weight of the barret. his eyes are bloodshot. he takes aim at UAVs flying overhead and shoots them. the people living above cheer.
he does not smile.

20
Q

RAM. Also sum up security characteristics of different types of memory.

A

reads and writes memory, no guarantee of confidentiality

There’s a goat-person with hooves. he has those weird goat eyes. you can both see and fuck with the goat person, like push him over.
The goat person is making what it thinks are heart eyes at edward cullen. edward cullen can’t be fucked with obviously. But he can be seen and whoops he sparkles and he’s got bill gates in his hands
Edward Cullen is distracted, checking out lil huddy. lil huddy keeps getting attacked by kpop tiktok bot stans.
Lil huddy is playing with a worm in between his fingers. the worm holds the secret to all existence, and has a wise face.
the worm drops, it shits. audit log

21
Q

ROM (read only memory)

A

Provides integrity but not confidentiality; the ROM may store part of the OS.

22
Q

EPROM (erasable and programmable read only memory)

A

could store parts of the OS or crypto keys; high tech attacks can soften this

23
Q

WROM

A

Memory contents are frozen once and for all by blowing a fuse placed on the write line. WROM could hold crypto keys or audit logs.

24
Q

Volatile memory

A

Volatile memory loses its contents when power is switched off.
• Memory contents still present after a short power loss.
• Can be reconstructed by special electronic techniques if power has been switched off for some time.
• To counter such attacks, memory has to be overwritten repeatedly with suitable bit patterns.

When you reboot derek, he still remembers some things. You can hack into him to try to reconstruct his old memories a while after he dies (his ghost), but erm, q hard. To solve this, derek repeatedly has his memory changed when alive.

25
Q

Non-volatile (permanent) Memory

A
Non-volatile (permanent) memory keeps its content when power is switched off; if an attacker can directly access memory bypassing the CPU, cryptographic or physical measures are needed to protect sensitive data.
• E.g., a light sensor in a tamper-resistant module may detect an attempted manipulation and trigger the deletion of the data kept in the module.

Jianyu remembers all things when he sleeps, shiva waking sleep something. If you try to peek inside, he self detonates.

26
Q

what is confidential

A

you can’t see my shit

27
Q

what is integrity

A

you can’t fuck with my shit.
integrity, cant fuck w me
confi, cena y’cant see me

28
Q

What is IPC

A

A process has its own address space and communicates with other processes only through O/S primitives (Inter-Process Communication).
• Logical separation of processes as a basis for security.
• A context switch between processes can be an expensive operation.

29
Q

is the context switch expensive

A

yes

30
Q

what is a process

A

A program in execution, consisting of executable code, data, and the execution context, e.g. the contents of certain CPU registers.

31
Q

what is a thread

A

Strands of execution within a process. Threads share an address space to avoid the overheads of a full context switch, but they also avoid potential security controls

32
Q

Processes and threads are important units of control for the OS, and for security. They are the :

A

subjects of access control

33
Q

how does the CPU deal with interruptions of executions created by errors

A

through exceptions, interrupts, and traps. Bill gates shaves his head and wears a tie why?

34
Q

what is a trap.

A

special input to the CPU that includes an address (interrupt vector) in an interrupt vector table giving the location of the program (interrupt handler) that deals with the condition specified in the trap.

satya nadella in a dress serves a list of IV bags in a table to bill gates. he raises an eyebrow. One of the IV bags is bloodied and has a torn off human hand on it.

Bill gates pushes a small copy of himself onto a stack then gives a nod to the hand. the hand moves the watch of some fake bill gates to remove the supervisor bit. then it returns control of the world to the User. bill gates continues doing his own thing.

35
Q

What does the OS have to do

A
  1. Separate user space from OS space,
  2. Logically separate users,
  3. Restrict the memory objects a process can access

at the Microsoft garden party, bill gates has a whole bar to himself that he doesn’t let people enter. he then tells me that I can go to this bar table but not this other bar table. i can’t go there, erm, there’s a forcefield. I look at my ben ten watch. I don’t do anything yet. I also feels my hot hair (sunny day) and look at the row of wigs in the classroom/bar over there that I can’t access cos I don’t have position. I tear my hair off.

36
Q

What is the logical separation of users

A
  1. File management
  2. Memory management

37
Q

Segmentation Security

A

Segmentation divides memory into logical units of variable lengths.
• A division into logical units is a good basis for enforcing a security policy.
• Units of variable length make memory management more difficult.

38
Q

Paging Security

A

Paging divides memory into pages of equal length.
• Fixed-length units allow efficient memory management.
• Page faults may create a covert channel.

39
Q

Why is paging not a good basis for access control

A

• Paging is not a good basis for access control as pages are not logical units.
• One page may contain objects requiring different protection.
• When a process accesses a logical object stored on more than one page, a page fault occurs whenever a new page is requested.
• A covert channel exists if page faults are observable.

40
Q

Covert Channel

A

Consider a password scheme where the password entered is compared character by character with the reference password stored in memory.

Access is denied the moment an incorrect match is found.

If a password is stored across a page boundary, then observing a page fault indicates that the piece of the password on the first page has been guessed correctly.

If the attacker can control where the password is stored on the page, password guessing becomes easy

41
Q

how does the OS control access to data objects in memory

A

  1. Operating system modifies the addresses it receives from user processes; e.g., address sandboxing.
  2. Operating system constructs the effective addresses from relative addresses it receives from user processes.
  3. Operating system checks whether the addresses it receives from user processes are within given bounds.

42
Q

Address consists of

A

Segment identifier, offset

43
Q

When the operating system receives an address, it sets the correct segment identifier as follows:

A

Bitwise AND of the address with mask_1 clears the segment identifier;
bitwise OR with mask_2 sets the segment identifier to the intended value SEG_ID.

look at tutorial notes

44
Q

RELATIVE ADDRESSING

A

The address is specified by an offset relative to a given base address.

45
Q

Fence registers

A

Base register addressing keeps users out of O/S space; fence register points to top of user space.

46
Q

Bounds register

A

Define the bottom of the user space. Base and bounds registers allow program space to be separated from data space.

47
Q

cybercrime Zoom

A

• Zoom’s randomly-generated meeting ID No. could be predicted (and was even brute-forceable), allowing bad actors to intrude, disrupt and eavesdrop on meetings. The company subsequently replaced meeting IDs with “cryptographically strong” ones and made passwords default for users to join a meeting.
• Security flaws in the app could let websites hijack Mac cameras. The company subsequently patched its software and uninstalled a local webserver that created the vulnerability.
• The app sent data about a user’s time zone and city, as well as details about the user’s device to Facebook, even if the user did not have a Facebook account.
• The company tightened their privacy policy after concerns surfaced about users’ personal information being used to target ads.
• Zoom allegedly leaked user information because of an issue with how the app grouped contacts.
• Zoom allegedly misled users to believe video meetings were secured with end-to-end encryption instead of transport encryption.

48
Q

THE COVID-19 PANDEMIC HAS INCREASED THE IMPORTANCE OF GOOD CYBER HYGIENE

A

• Uptick in number of cases involving cybercriminals attempting to capitalise on COVID-19 to steal personal information and credentials which will allow them to gain access to networks and/or make financial gains.
• There are fake contact tracing apps that are embedded with malware that can be used to conduct malicious activities, such as monitoring users’ activities on their devices or stealing personal data.
• Some malware strains deployed include known credential-stealing malware such as AZORult, Cerberus, Lokibot, and TrickBot.
• These threats have proliferated across many sectors, including healthcare, manufacturing, pharmaceutical and transportation.

49
Q

OVERVIEW OF CYBER THREATS IN SINGAPORE 2019

A

PHISHING 47500
WEBSITE DEFACEMENT 873
RANSOMWARE 35

50
Q

COMMONLY SPOOFED GOVERNMENT ORGANISATIONS

A
70% of incidents reported to SingCERT by SMEs and members of the public occurred through phishing attacks.
51
Q

COMMAND AND CONTROL SERVERS (C&C) AND BOTNET DRONES

A

530 unique C&C servers were observed in Singapore, a 73% increase from 2018.

2,300 botnet drones (compromised computers infected with malicious programs) with Singapore IP addresses were observed daily, on average (20% decrease from CSA’s observations in 2018).
52
Q

CYBERCRIME IN SINGAPORE

A

Refers to cyber-extortion, online cheating cases, and offences under the Computer Misuse Act (CMA), such as unauthorised access of computer material and unauthorised use of computer service.

53
Q

Point-of-Sale (POS) Attacks

A
Refers to compromise of touchpoints (e.g. online shopping sites and cash terminals in brick-and-mortar stores). Active since 2016, Magecart cybercrime operators have been conducting POS attacks by injecting malicious code into e-commerce websites to skim credit card details. They have stepped up their activities in recent years, targeting both SMEs and MNCs.
54
Q

Supply Chain Attacks

A
Supply chain attacks target the less secure components of systems, and could be aimed at accessing and stealing confidential information, or gaining a foothold to springboard attacks into other parts of the system and connected networks. Third-party service providers with access to an organisation’s data are often the weak links targeted by threat actors.
55
Q

Data Breaches

A
2019 witnessed an exponential increase in data breaches around the world, with the total number of records exposed registering a near 300 per cent increase, compared to 2018.[2] The large amounts of personal and financial information held in organisations such as governments, healthcare institutions and technology firms serve as attractive targets for threat actors.
56
Q

Mobile Attacks

A
Threat actors are shifting towards targeting mobile devices such as smartphones and tablets to conduct credential theft, surveillance and malicious advertising. A major factor behind this spike in mobile attacks is likely due to the increased usage of mobile banking applications, which provide lucrative avenues for threat actors to gain access to and steal sensitive information.
57
Q

Spear Phishing

A
Threat actors have been observed to adapt the writing styles of spoofed individuals and organisations, as well as use information from publicly available sources, such as social media posts, so that their e-mails appear more convincing to their victims. Business e-mail compromise (BEC) is another form of spear phishing on the rise.
58
Q

SYSTEM SECURITY

A
  1. computer security : provide a protected environment for data and their processing
  2. single user: physical security
  3. process protection
  4. data protection
  5. networked computer (yeah idk)
59
Q

Security issues

A

• Inter-process communication
• Storage protection

60
Q

Communication security

A

• Tampering of message data
• Identification of sender
• Disclosure of data to unauthorized parties

61
Q

Storage security

A

• Control of access to storage/file manager
• Identification of data owner and user

62
Q

DISTRIBUTED SYSTEM SECURITY computer security

A

Addresses security of the end systems

63
Q

DISTRIBUTED SYSTEM SECURITY Application security

A

Relies on both to provide services securely to end users.

64
Q

RISK-BASED SECURITY APPROACH

A
  1. Computing power (could be technology-dependent)
  2. Value of the encrypted data e.g. payment (target-specific)
  3. Nature of the system e.g. government, bank, SCADA, etc
65
Q

Practical security is about risk management which depends on a number of factors

A
  1. business nature:
    Public confidence: Government, Banks, …
    Critical infrastructure: SCADA, Healthcare, Aviation, …
  2. Potential Rewards for the Attacker
    Business secret, reputation of competitors
    Government policy, Economic forecast
    Industrial control (ICS), etc
  3. Resources needed to protect the system and to break the system
66
Q

Risk-based security system is a balance between

A
Risk: Potential loss of owner & potential reward of enemy
Cost: Security design and implementation, computing overheads
Convenience: Users may be tempted to bypass the security control or breach security if too inconvenient to use
67
Q

SYSTEM SECURITY FAILURES

A

• Cryptographic algorithms are broken
• Security features are not designed correctly
• Security features are not used correctly
• Security components are not implemented correctly
• Security components are not configured properly
• Security is not managed properly
• Threat environment may change and assumption invalid

68
Q

Prerequisite of Security Technology Framework:

A
  1. Security requirements
  2. Security policies
  3. Security mechanisms
69
Q

Prevention:

A

take measures that prevent your assets from being damaged.

70
Q

Detection:

A

take measures so that you can detect when, how, and by whom an asset has been damaged.

71
Q

Reaction:

A

take measures so that you can recover your assets or recover from damage to your assets.

72
Q

Confidentiality:

A

prevent unauthorised disclosure of information

73
Q

Integrity:

A

prevent unauthorised modification of information

74
Q

Availability:

A

prevent unauthorised withholding of information or resources

75
Q

Authenticity:

A

“know whom you are talking to”

76
Q

Accountability (nonrepudiation):

A

prove that an entity was involved in some event

77
Q

Anonymity ensures that a

A

user may use a resource or service without disclosing the user’s identity.
Anonymity requires that other users or subjects are unable to determine the identity of a user bound to a subject or operation.

78
Q

Unlinkability ensures that a

A

user may make multiple uses of resources or services without others being able to link these uses together. Unlinkability requires that users and/or subjects are unable to determine whether the same user caused certain specific operations in the system.

79
Q

confidentiality subgroups

A

Anonymity and unlinkability

80
Q

reasons for confidentiality

A
  1. One may want to hide not just secrets, but also their existence.
  2. Traffic analysis, “meta-data”, can reveal sensitive information.
  3. Anonymity and unlinkability; in general privacy-related properties
81
Q

Data Integrity

A

The state that exists when computerized data is the same as that in the source document and has not been exposed to accidental or malicious alteration or destruction.

82
Q

Data Integrity Purposes

A

Prevent unauthorised modification of information (prevent unauthorised writing).

Detection (and correction) of intentional and accidental modifications of transmitted data.
• Typically enforced via (cryptographic) checksums and other coding techniques.

83
Q

Integrity is a prerequisite for many other security services;

A

• In operating systems, integrity of the bootstrap process (kernel, device drivers, system files) is critical to prevent persistent viruses/malware.
• Windows Vista and above allow only “signed drivers” to be installed.

84
Q

AVAILABILITY

A

The property of being accessible and usable upon demand by an authorised entity.

Affected by Denial of Service (DoS) attacks.

85
Q

THE “SMURF” ATTACK

A

Attacker sends ICMP (Internet Control Message Protocol) echo requests to a broadcast address in a network.

Victim’s address spoofed as sender address.

The echo request is distributed to all nodes in the network.

Each node replies with an echo to the victim.

The victim is flooded with many incoming messages.

Note the amplification: the attacker sends one message, the victim receives many.

86
Q

Accountability is the property that ensures that the actions of an entity can be

A

traced solely to this entity.
Accountability guarantees that all operations carried out by individuals, systems or processes can be identified (identification) and that the trace to the author and the operation is kept (traceability).
• To be effective, one needs:
  – Audit trails: e.g., at the OS level, this could be system/authentication logs, etc.
  – A link between a user and a “user identity”, so the user can be held accountable.

87
Q

In distributed systems

A

cryptographic non-repudiation mechanisms can be used to achieve accountability.

Delegation is an important issue in accountability and non-repudiation.

88
Q

NON-REPUDIATION

A

Non-repudiation services provide unforgeable evidence that a specific action occurred.

Non-repudiation of origin: protects against a sender of data denying that data was sent.

Non-repudiation of delivery: protects against a receiver of data denying that data was received.

Enforcement typically relies on public-key cryptographic techniques.

89
Q

SECURITY AND RELIABILITY

A

• To make software more reliable, it is tested against typical usage patterns:
  – “It does not matter how many bugs there are, it matters how often they are triggered.”
• To make software more secure, it has to be tested against ‘untypical’ usage patterns (but there are typical attack patterns).

90
Q

Computer security deals with the

A

prevention and detection of unauthorized actions by users of a computer system.
2. Computer security is concerned with the measures we can take to deal with intentional actions by parties behaving in an unwelcome fashion.

91
Q

FUNDAMENTAL DILEMMA OF SECURITY

A

Security unaware users have specific security requirements but no security expertise.

• A security unaware user will rely on standard ‘best practices’ solutions, which may not meet his requirements.
• To provide the ‘right’ security solution to a user requires the user to be ‘security aware’…

92
Q

Design Decisions

A

I. What to focus the protection mechanism on?
II. Where to place the security mechanism at?
III. Complexity (of security properties) vs assurance
IV. Centralized vs decentralized security control
V. Protection of the ‘layer below’

93
Q

The man-machine scale for security mechanisms combines our first two design decisions

A

What to focus on?
Where to place at?

Specific, complex, focus on users

Generic, simple, focus on data

94
Q

Data are a

A

representation of certain aspects of our conceptual and real world.

95
Q

The meanings we assign to data are called

A

information.

96
Q

Information and data lie on the

A

two ends of the man-machine scale.
The distinction between data and information can be subtle but causes some of the more difficult problems in computer security.

97
Q

Covert channel is a type of

A

computer security attack that creates a capability to transfer information objects between processes through channels “not intended for information transfer at all”, such as the service program’s effect on system load.

98
Q

Covert channel elaborate

A
Controlling access to information may be elusive and need to be replaced by controlling access to data.

But controlling data may not always yield control of information.

Covert channels: response time or memory usage may signal information.

Inference in statistical databases: combine statistical queries to get information on individual entries.
99
Q

Side channel:

A

Side-channel attack is any attack based on information gained from the implementation of a system. For example, timing information, power consumption, electromagnetic leaks or even sound can provide an extra source of information, which can be exploited to break the system.

100
Q

Component-level security VS System-level security

A

Often, the location of a security mechanism on the man-machine scale is related to its complexity.
• Generic mechanisms are simple, applications clamour for feature-rich security functions