Study Guide for Midterm

This is simply a guide of topics that I consider fair game for the midterm. I don't promise to ask you about them all, or about any of these in particular; but I may very well ask you about any of these.

  1. Fundamentals
    1. Basics of risk analysis
    2. Relationship of security policy to security
  2. Robust Programming
  3. Security in Programming
    1. Unknown interaction with other system components
    2. Overflow (both numeric and buffer)
    3. Race conditions (TOCTTOU flaw)
    4. Environment (shell variables, UIDs, file descriptors, etc.)
    5. Not resetting privileges
  4. Vulnerabilities Models
    1. RISOS
    2. PA
    3. Uses
  5. Penetration Studies
    1. Flaw Hypothesis Methodology
    2. Using vulnerabilities models
  6. Policies
    1. Mandatory Access Control (MAC)
    2. Discretionary Access Control (DAC)
    3. Originator-Controlled Access Control (ORCON)
    4. Role-Based Access Control (RBAC)
    5. Policy languages
  7. Confidentiality Models
    1. Bell-LaPadula Model
    2. Lattices and the BLP Model
  8. Integrity Models
    1. Biba's model
    2. Clark-Wilson Integrity Model
  9. Cryptography
    1. Types of attacks: ciphertext only, known plaintext, chosen plaintext
    2. Types of ciphers: substitution, transposition, product (both substitution and transposition)
    3. Goal of ciphers; what makes a cipher theoretically unbreakable
    4. Caesar cipher, Vigenère cipher, one-time pad, DES
    5. Public key cryptosystems
    6. RSA
    7. Confidentiality and authentication with secret key and public key systems

ECS 153, Introduction to Computer Security
Winter Quarter 2002