Study Guide for Final

This is simply a guide of topics that I consider fair game for the final. I don't promise to ask you about them all, or about any of these in particular; but I may very well ask you about any of these.

  1. Fundamentals
    1. Basics of risk analysis
    2. Saltzer and Schroeder's design principles
    3. Relationship of security policy to security
    4. Basics of robust programming
  2. Cryptography
    1. Types of attacks: ciphertext only, known plaintext, chosen plaintext, chosen ciphertext
    2. Types of ciphers: substitution, transposition, product (both substitution and transposition)
    3. Goal of ciphers; what makes a cipher theoretically unbreakable
    4. Caesar cipher, Vigenère cipher, one-time pad
    5. What the DES is, characteristics
    6. Public key cryptosystems
    7. RSA
    8. Confidentiality and authentication with secret key and public key systems
  3. User and System Authentication
    1. One-way hash functions (cryptographic hash functions)
    2. UNIX password scheme, what the salt is and its role
    3. Password selection, aging
    4. Challenge-response schemes
    5. Attacking authentication systems: guessing passwords, spoofing system, countermeasures
    6. UNIX real, effective, saved, audit UIDs
  4. Privileges
    1. Setuid, setgid
    2. Role accounts
    3. Nesting program units
  5. Access Control
    1. Multiple levels of privilege
    2. UNIX protection scheme
    3. ACLs, capabilities, lock-and-key
    4. MULTICS ring protection scheme
    5. MAC, multilevel (military) security model; lattices
    6. Differences between MAC, DAC, ORCON
    7. Bell-LaPadula model
  6. Integrity Models
    1. Biba's model
    2. Clark-Wilson model
    3. Chinese Wall model
    4. File signature generation (integrity checksumming, etc.) and checking
    5. Safe practices ("safe hex")
    6. Type checking
  7. Computerized Vermin
    1. Trojan horse
    2. Computer virus
    3. Computer worm
    4. Bacteria
    5. Logic bomb
  8. UNIX Practices
    1. Programming environment: PATH, IFS
    2. Checking software for potential problems
  9. Trust
  10. Network Security
    1. Privacy Enhanced Electronic Mail, PGP
    2. Public key management, including certificates, the binding of a name to a principal (user), and certificate management schemes
    3. Digital signatures (what they are)
  11. Security in Programming
    1. Unknown interaction with other system components
    2. Overflow (both numeric and buffer)
    3. Race conditions (TOCTTOU flaw)
    4. Environment (shell variables, UIDs, file descriptors, etc.)
    5. Not resetting privileges
  12. Vulnerabilities Models
    1. RISOS
    2. PA
    3. Uses
  13. Penetration Studies
    1. Relationship to formal verification and testing
    2. Flaw Hypothesis Methodology
    3. Using vulnerabilities models
  14. Intrusion Detection Systems
    1. Anomaly detection
    2. Misuse detection
    3. Specification detection

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 3/18/98