Ensure you write your exam number on any sheets which are to be handed in. This paper consists of THREE pages and FOUR questions.

Transcription

1 UNIVERSITY OF HERTFORDSHIRE Academic Year: 2012/13 Semester: B SCHOOL OF COMPUTER SCIENCE [Click here and type Department Title] 7COM1010 SECURE SYSTEMS PROGRAMMING DURATION OF EXAM: 2 Hours THE FOLLOWING IS PROVIDED FOR THIS EXAMINATION: One answer book. Extra paper as required. INSTRUCTIONS TO CANDIDATES: This paper consists of FOUR questions. Answer THREE of the following FOUR questions Ensure you write your exam number on any sheets which are to be handed in. This paper consists of THREE pages and FOUR questions Question 1 (25 Marks) Page 1 of 5

2 From a theoretical perspective it has been argued that the first line of defence for a secure system is cryptography and that the second is that of detection. From a developers perspective one could argue that this view is completely inappropriate. a) State the dining cryptographers problem and its solution. a) Problem definition (3 marks). Solution (5 marks). (6 Marks) b) To what extent do you agree with the theoretical and developers viewpoints stated at the beginning of the question? Using the dining cryptographers problem (or another of your own choosing) construct an argument for and against each of the viewpoints presented. Include at least three points. What role, if any, do you feel that risk plays in the development of a secure system? (7 marks) b) Various arguments possible. Give 2 Marks for each point made (up to a maximum of 5 Marks) At least 2 marks are to be reserved for the discussion involving risk. Mark to a maximum of 7 marks. c) Using examples of your own explain how a security team could employ tools such as data flow diagrams, threat trees, STRIDE and DREAD in the development of a secure system. Include an explanation for each of the acronyms STRIDE and DREAD in your discussion. (7 marks) c) DFD s to identify flow of data and points for attack (1mark), threat trees for strategies that could be employed to achieve particular attacks(1mark), STRIDE to categorise the types of attack (1mark) and DREAD to rank the attacks using risk analysis. (1mark). Acronyms (4 Marks) Examples (1marks each). Mark to a maximum of 7 Marks) d) Describe modifications that you feel should be made to Royce s life cycle model in order for it to fit for use as a life cycle model for the development of a secure system. d) Arguments along the lines of adding risk assessments to each stage of the life cycle model along the lines of Boehm s life cycle model or the McGraw van Wyk life cycle model. 1 mark for each point made to a maximum of 5 Marks. Page 2 of 5

3 Question 2 (25 Marks) a) Explain what is meant by the Base Rate Fallacy. Include examples to support your any claims made. Include a description for the relationship between conditional probability, Bayes Theorem and the base rate fallacy. (8 Marks) False negatives, false positives, (1 mark each). Examples (2 Marks each). Relationship (4 Marks). Mark to a maximum of 8 Marks) b) State and prove Bayes Theorem. (7 Marks) b) PB ( A) PA ( B) PA ( B). PB ( ) / P ( A B)... PAB ( ). PB ( ) ( ). PB ( ) n i i i i i i = = j = = n PA ( ) PB ( i ) j= 1 PA Bj j= 1 1 mark for each step to a maximum of 7 Marks. c) A network intrusion detection scheme gives a positive result, suggesting that there is an intruder on the system. The accuracy of the scheme is stated as 90% and the incidence of intrusion for networks of this type is given as 2%. How likely is it that the network does not have an intruder? (5 marks) c) P(not an intruder test positive) = (1 0.9) (1 0.02) = to 3 d.p. (1 0.9) (1 0.02) mark for each step to a maximum of 5 Marks. d) To what extent do you feel that the base rate fallacy proves that one cannot have a completely accurate intrusion detection scheme. Justify any claims made. d) Accept the closer the base intrusion rate is to 1, the closer the numerator is to 0 (2 marks), with a non zero denominator (2 marks); suggesting probability of error tending to zero. (1 mark). Mark to a maximum of 5 marks. j Page 3 of 5

4 Question 3 (25 marks) a) Give examples of a malicious type of program that exists independent of host programs. Which of the examples that you have given will replicate? Explain how malicious type of program that REPLICATE and exist INDEPENDENT of host programs operate. (8 marks) a) Independent: worms, zombies 1 mark for each. Both replicate. 1 mark for each. Explanations 2 Marks each. Mrk to a maximum of 8 marks. b) The lifetime of a virus may be described using either a 3 or 4 phase model. Describe each part of a 4 phase model. In order to illustrate points made in your discussion, include a pseudo code description for the general structure of a virus. (12 marks) b) 4 phases: dormant, infection, trigger and delivery (2 marks each). Pseudo code for general structure of a virus (4 marks) 1 Mark extra for each direct link to Pseudo code given. Mark to a maximum of 12 marks. c) Give two measures that could be employed by antivirus software to detect a virus. Describe a countermeasure that could be employed by subsequent viruses to circumvent your measures. Explain why you believe the measures and their related countermeasures would work. (5 marks) c) Examples include signature, length of program, code fragment recognition heuristic), integrity check, hash, activity traps, 2 marks for each measure. 2 marks for each countermeasure and 2 marks for explanation. Mark to a maximum of 5 Marks. Page 4 of 5

5 Question 4 (25 marks) a) Describe the difference between a Clandestine user and a Masquerader. Give one example of each and describe another form of intruder that one could meet. (8 Marks) a) Definitions (2 Marks each). Examples (2 Marks each). Other form: Misfeasor (2 Marks). Mark to a maximum of 8 Marks. b) Compare and contrast the concept of a profile based intrusion detection scheme with another of your own choosing. Include in your discussion at least two components that may be employed for each approach and explain how each of these lead to metrics that may be employed in evaluating the presence or absence of an intruder. (12 Marks) b) Statistical based using profiles for users. Employs use of audit records (2 marks) for profiles of old (1 mark) and current users (1 mark) to measure for significant differences (2 Marks). Diagrams for profiles (2 Marks each) Similarities (2 Marks each) and differences (2 Marks each) subject to other method selected. Mark to a maximum of 12 Marks c) Describe those issues that you feel are significant in order that an intrusion detection scheme is effective in a distributed environment. Justify your claims. c) 1 mark for each issue. 2 marks for justification. Mark to a maximum of 5 Marks. Page 5 of 5