Posted:

24 Jun 2021

The questions for Quiz 2.

This quiz has more multiple-choice questions than Quiz 1, but its long-answer section should be shorter. You have 30 minutes to complete this quiz. Once you’ve submitted all work to Gradescope, you’re free to go!

Multiple-choice

Choose all answers that apply. Some questions have only one correct answer.

  1. Which of the following are examples of DAC?

    1. Access control lists

    2. Bell-LaPadula

    3. Biba

    4. Low-water marks

    5. Unix permissions

  2. Which of the following are examples of MAC?

    1. Biba

    2. Domain and type enforcement

    3. Low-water marks

    4. High-water marks

    5. Unix permissions

  3. What does a Unix password file contain?

    1. Login details (e.g., home directory)

    2. Passwords

    3. Password hashes

    4. Usernames

  4. Who can alter file permissions?

    1. The file’s owner

    2. Other users

    3. The superuser

  5. In a system employing the LOMAC policy, a superuser process with Medium integrity attempts to write to a file labelled High integrity. What will happen?

    1. The write will be disallowed

    2. The write will be allowed, but the process will drop superuser privileges

    3. The write will be allowed, but the file will drop to Medium integrity

    4. The write will be allowed only if the process can be raised to High integrity

  6. Which of the following statements concerning cryptographic system design is most accurate? (hint: choose only one)

    1. An attacker learning the details of a system breaks the system’s security

    2. An attacker learning the details of a system helps them in their work

    3. Hiding the system’s design is forbidden by Kerchoffs’s Principles

    4. Hiding the system’s design is important for security

    5. Hiding the system’s design is irrelevant to security

  7. An attacker observes an encrypted message sent by their adversary. The attacker brute-forces the key. What is this an example of?

    1. A ciphertext-only attack

    2. A known-plaintext attack

    3. A chosen-plaintext attack

    4. A chosen-ciphertext attack

  8. An attacker allows a video file to be discovered by their adversary. Later, their adversary encrypts the file to send to a colleague, and the attacker observes the communication. What is this an example of?

    1. A ciphertext-only attack

    2. A known-plaintext attack

    3. A chosen-plaintext attack

    4. A chosen-ciphertext attack

  9. Which of the following can be demonstrated to have perfect security (under specific assumptions)?

    1. Block ciphers with appropriate encryption modes

    2. Hash functions

    3. Random number generators

    4. The one-time pad

    5. The Vigenère cipher

  10. An attacker applies considerable computational power to cracking a stolen password database. After a month, their cracking algorithm gives them information that allows them to recover any password from the database at will. What does this indicate about the password database?

    1. It used encryption rather than hashing

    2. It used a hash function vulnerable to collision attack

    3. It used a hash function vulnerable to preimage attack

    4. It used a hash function without salt

    5. It used a non-iterative hash function

  11. An attacker applies considerable computational power to another password database. After a month, they have learned which users have chosen the password P@assword1 (just like the original Wi-Fi password of the Lower Manhattan Security Initiative — you can read about that after the quiz). What does this indicate about the password database?

    1. It used encryption rather than hashing

    2. It used a hash function vulnerable to collision attack

    3. It used a hash function vulnerable to preimage attack

    4. It used a hash function without salt

    5. It used a non-iterative hash function

  12. An attacker applies considerable computational power to another password database. After a month, they have found several passwords that hash to values in the database, even though those users chose high-quality passwords randomly chosen from a high-entropy distribution.

    1. It used encryption rather than hashing

    2. It used a hash function vulnerable to collision attack

    3. It used a hash function vulnerable to preimage attack

    4. It used a hash function without salt

    5. It used a non-iterative hash function

  13. Which of the following passwords has the highest entropy?

    1. 123456

    2. password

    3. Password1

    4. P@ssword1

    5. The question is invalid

  14. A password is randomly selected from a distribution of passwords containing ten equally-likely alphanumeric characters. What is the entropy of this distribution?

    1. \[ - \sum_{i=0}^{10} \frac{1}{26} \log_2 \frac{1}{26} \]

    2. \[ - \sum_{i=0}^{10} \frac{1}{62} \log_2 \frac{1}{62} \]

    3. \[ - \sum_{i=0}^{26} \frac{1}{10} \log_2 \frac{1}{10} \]

    4. \[ \log_2 \left| 52^{10} \right| \]

    5. \[ \log_2 \left| 10 \times 62 \right| \]

  15. Which of the following are examples of something you know for authentication purposes?

    1. A code texted to you when you log in

    2. A secret key in a TOTP token

    3. A password

    4. Ability to identify photos containing traffic lights

    5. Ability to identify photos containing your friends' faces

  16. Which of the following are examples of something you have for authentication purposes?

    1. A code texted to you when you log in

    2. A PUF device

    3. A TOTP token

    4. A fingerprint

    5. A password

  17. Which of the following security goals are relevant to biometric authentication?

    1. Confidentiality

    2. Integrity

    3. Availability

    4. Authentication

    5. Authorization

  18. Which of the following statements about isolation are true?

    1. Processes cannot access each others' virtual address spaces

    2. Jails/zones/containers cannot access each others' filesystems

    3. Fully-virtualized virtual machines cannot communicate with each other

    4. Paravirtualized virtual machines cannot communicate with each other

  19. Which of the following statements about sandboxing mechanisms are true?

    1. All sandboxing mechanisms require careful thought and design

    2. Applying MAC policy can be done by ordinary users

    3. Attenuating capabilities (reducing their authority) requires system privilege

    4. Capabilities cannot be altered

    5. Dropping Unix privileges requires privilege

  20. Which of the following are examples of object capabilities?

    1. C++ pointers

    2. Java references

    3. https://docs.example.com/ece7420/stuff

    4. https://docs.example.com/shared/MIH1d4+PZq8E2dPJV/r4VfFOO7L65bRrKKllJPKchCE=

Long-answer

  1. (3 pts) Write the Unix commands that can be executed to assign a file to the owner jon and to change its permissions to:

    Owner

    read and write

    Group

    read

    Others

    no access

    You may assume these commands are executed by the superuser.

  2. (4 pts) Give an example of a situation in which a message can be authenticated but not a principal and vice versa.

  3. (3 pts) Give an example of a piece of common but counterproductive password policy guidance and explain why it’s wrong.

  4. Bonus (2 pts): Decrypt the message “Xxd! Tg xzkxzbhnl xxe!”