Sample Midterm

These are sample questions that are very similar to the ones I will ask on the midterm.

  1. Why is a precise statement of security requirements critical to the determination of whether a given system is secure?

  2. This function’s purpose is to copy a string from one buffer to another. It is not robust. Find the problems and say how to fix them. Note that the passing of pointers here is defined in the specification of the interface, and so cannot be changed. 
    
void mystrcpy(char *s, char *t)
{
	while(*t != ’\0’)
		*s++ = *t++;
	*t = ’\0’;
}

  3. Which of the following demonstrate violations of the principle of least privilege? Please justify your answer.
    1. The Linux root account?
    2. A user whose function is to maintain and install system software. This user has access to the source files and directories, access to only those programs needed to build and maintain software, and can copy executables into system directories for other users. This user has no other special privileges.

    1. As any process running as root can do anything, whether or not it be related to the particular task that the process is to perform, the root account demonstrates a violation of the privilege of least principle.
    2. In this case, the user can only perform system tasks related to the installation of software. Hence this does not demonstrate a violation of the principle of least privilege.

  4. How does the Clark-Wilson model require authentication of users to be done?
    1. A trusted user must vouch for the new user
    2. Two-factor authentication must be used
    3. If passwords are used, they must be at least 12 characters long, and use a mixture of letters, digits, and other characters
    4. None of the above

  5. The following was enciphered using a Cæsar cipher with a shift of 5. Please decipher it.
    YMNXNXFSJFXDVZJXYNTS

  6. Represent an integrity compartment label using the notation (integrity level; set of categories), where the integrity levels are “high”, “medium”, “low”, or “unknown” (in decreasing order of trust) and the integrity categories are “dog”, “cat”, and “pig”. Can a user cleared for (medium; { dog, cat }) have read or write access (or both or neither) to documents classified in each of the following ways under the Biba model?
    1. (high; { dog })
    2. (low; { dog })
    3. (medium; { dog, cat })
    4. (unknown; { pig })
    5. (high; { dog, pig, cat })

UC Davis sigil
Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu
ECS 153, Computer Security
Version of April 26, 2018 at 8:40PM

 You can also obtain a PDF version of this.

Valid HTML 4.01 Transitional Built with BBEdit Built on a Macintosh