CS Computer Security
Course information
Complete course name: 055633 - COMPUTER SECURITY - UIC 587 (ZANERO STEFANO) Professor: Stefano ...
Introduction, authentication and access control
Introduction to computer security
CIA Paradigm The CIA paradigm for information security states three desiderata: Confidentiality...
Authentication
Identification is when an entity declares its identity ("I am Stefano", "I am Michele", ...) whil...
Access control
Reference monitor The reference monitor enforces access control policies ("who does what on which ...
Exercises on introduction
Question 0 Consider the phenomenon of identity stealing in social networks (e.g., Facebook, Twitt...
Exercises on authentication and access control
2021-2022 Demo exam exercise 1 (4 points) In a company, each employee works in an open space. We ...
Cryptography
Introduction to cryptography and perfect ciphers
Cryptography is the study of techniques to allow secure communication and data storage in presenc...
Computationally secure ciphers and pseudorandom number generators
A modern practical assumption is to build ciphers such that a successful attack is carried only i...
Chosen Plaintext Attacks (CPAs)
Our attacker knows a set of plaintexts which can be encrypted and he wants to understand which on...
Data integrity and Message Authentication Codes (MAC)
Confidentiality does not mean integrity. Changes in the ciphertext are undetected. Message Authe...
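The point that changes to a ciphertext go undetected is easiest to see with a stream cipher, where a flipped ciphertext bit flips exactly the same plaintext bit. The following C program is an added example, not material from the course; it uses a constructed 16-byte keystream in place of a real cipher's output, the constructed message "PAY 100", and hypothetical helpers tamper_byte and xor_parity. It also shows that appending an unkeyed, linear checksum before encrypting does not help, which is why a keyed MAC is needed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed 16-byte keystream standing in for the output of a stream cipher
 * (or a block cipher in CTR mode). A real keystream is derived from a secret key. */
static const unsigned char KEYSTREAM[16] = {
    0x5a, 0xc3, 0x17, 0x88, 0x2e, 0xf1, 0x0b, 0x64,
    0x9d, 0x41, 0x7c, 0xa5, 0x33, 0xe8, 0x50, 0xbf
};

/* XOR with the keystream: the same function encrypts and decrypts. */
static void xor_keystream(const unsigned char *in, unsigned char *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = in[i] ^ KEYSTREAM[i % sizeof KEYSTREAM];
}

/* The attacker's move (hypothetical helper): without the key, turn the plaintext
 * byte at position pos from 'known' into 'target' by XORing the difference into
 * the ciphertext. Nothing in the ciphertext reveals that this happened. */
void tamper_byte(unsigned char *ct, size_t pos, unsigned char known, unsigned char target)
{
    ct[pos] ^= known ^ target;
}

/* Constructed scenario: "PAY 100" is encrypted; the attacker knows the message
 * format and rewrites the amount in transit. Returns 1 if the receiver decrypts
 * "PAY 900" without noticing anything. */
int malleability_attack_succeeds(void)
{
    const char *plaintext = "PAY 100";
    size_t n = strlen(plaintext);
    unsigned char ct[16], pt[16 + 1];

    xor_keystream((const unsigned char *)plaintext, ct, n);   /* sender */
    tamper_byte(ct, 4, '1', '9');                             /* attacker in transit */
    xor_keystream(ct, pt, n);                                 /* receiver */
    pt[n] = '\0';

    return strcmp((const char *)pt, "PAY 900") == 0;
}

/* XOR-parity "checksum" of a buffer: a linear function of the plaintext. */
static unsigned char xor_parity(const unsigned char *p, size_t n)
{
    unsigned char x = 0;
    for (size_t i = 0; i < n; i++)
        x ^= p[i];
    return x;
}

/* Appending an unkeyed linear checksum before encrypting does not restore
 * integrity: the attacker applies the same difference to the checksum byte.
 * Returns 1 if the receiver's parity check still passes on the tampered message. */
int linear_checksum_is_fooled(void)
{
    const char *plaintext = "PAY 100";
    size_t n = strlen(plaintext);
    unsigned char msg[16], ct[16], pt[16];

    memcpy(msg, plaintext, n);
    msg[n] = xor_parity(msg, n);           /* sender appends the checksum */
    xor_keystream(msg, ct, n + 1);

    tamper_byte(ct, 4, '1', '9');          /* change the digit ...              */
    tamper_byte(ct, n, 0, '1' ^ '9');      /* ... and patch the checksum by the same delta */

    xor_keystream(ct, pt, n + 1);          /* receiver decrypts and verifies */
    return xor_parity(pt, n) == pt[n] && memcmp(pt, "PAY 900", n) == 0;
}

int main(void)
{
    printf("bit-flip on stream cipher succeeds: %d\n", malleability_attack_succeeds());
    printf("linear checksum fooled:             %d\n", linear_checksum_is_fooled());
    return 0;
}
```

A MAC closes this gap because its tag depends on a key the attacker does not have, so no fixed difference can be applied to the tag to match a modified message.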
Asymmetric cryptosystems
We would like to have the following features: Agreeing on a short secret over a public channel C...
Data authentication and digital signatures
We’d like to be able to verify the authenticity of a piece of data without a pre-shared secret. U...
The public key binding problem and digital certificates
Both in asymmetric encryption and digital signatures, the public key must be bound to the correct...
Fundamentals of Information Theory
Shannon’s information theory is a way to quantify information and to mathematically frame communi...
Exercises on cryptography
More exercises available at overthewire.org. 2021-2022 DEMO Exam exercise 2 (5 points) You have...
Software security
Introduction to software security
Security is a non-functional requirement of software engineering. Creating inherently secure appl...
Recalls of Linux
The following concepts apply, with proper modifications, to any machine architecture (e.g., ARM, ...
Buffer overflows
A function foo() allocates a buffer, e.g., char buf[8]. buf is filled without size checking. int ...
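What "filled without size checking" does to whatever sits next to buf can be shown in a few lines. The program below is an added example, not code from the course; it assumes a constructed struct layout (the 8-byte buffer followed by an is_admin flag), a strcpy-like copy written out by hand so the compiler's fortification does not intercept it, and constructed inputs. Beside the vulnerable foo() it shows the fixed version that checks the length before copying.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: the 8-byte buffer from the text, followed by a field the
 * program trusts. C guarantees member order, so overflowing buf runs into is_admin. */
struct login_state {
    char buf[8];
    int  is_admin;
};

/* Copies like strcpy(): stops only at the source's NUL and never looks at the
 * destination size. (The volatile pointer keeps the compiler from reasoning the
 * out-of-bounds stores away; it is not part of the bug.) */
static void unchecked_copy(char *dst, const char *src)
{
    volatile char *d = dst;
    for (;;) {
        char c = *src++;
        *d++ = c;
        if (c == '\0')
            break;
    }
}

/* Vulnerable foo(): fills buf without size checking. Returns is_admin as the
 * program would see it after the copy; it started out as 0. */
int foo_vulnerable(const char *input)
{
    struct login_state s;
    s.is_admin = 0;
    unchecked_copy(s.buf, input);
    return s.is_admin;
}

/* Fixed foo(): refuses input that does not fit together with its terminator,
 * then copies only what was checked. Returns -1 on rejection, else is_admin. */
int foo_fixed(const char *input)
{
    struct login_state s;
    size_t len = strlen(input);
    s.is_admin = 0;
    if (len >= sizeof s.buf)
        return -1;
    memcpy(s.buf, input, len + 1);
    return s.is_admin;
}

int main(void)
{
    /* Constructed inputs: 9 characters is one more than buf can hold with its NUL,
     * so the 9th character and the terminator land in is_admin. */
    printf("fits:     is_admin = %d\n", foo_vulnerable("hello"));
    printf("overflow: is_admin = %d\n", foo_vulnerable("AAAAAAAAB"));
    printf("fixed:    rc = %d\n", foo_fixed("AAAAAAAAB"));
    return 0;
}
```

On a real stack the field after buf is not an application flag but the saved frame pointer and return address, which is what turns this from a logic bug into control-flow hijacking; the mechanism is the same.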
Format String Bugs
A format string is a solution to the problem of allowing a string to be output that includes variab...
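The bug appears when the string that is supposed to be the variable part is handed to printf-style code as the format itself. The program below is an added example, not code from the course; it assumes a hypothetical logging wrapper log_msg of the kind many code bases have, and uses "%%" as the probe so that the demonstration stays well defined (a real attacker would use %x, %s or %n, which read and write memory through the missing arguments).

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper: forwards its arguments to vsnprintf(). The
 * wrapper itself is fine; the bug is in how it gets called. */
static void log_msg(char *out, size_t out_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, out_size, fmt, ap);
    va_end(ap);
}

/* Vulnerable: user-controlled text is passed as the format string. Every '%'
 * directive in it is interpreted: %x reads values off the stack, %s dereferences
 * them as pointers, %n writes an integer to a pointer taken from the stack. */
void log_user_vulnerable(const char *user, char *out, size_t out_size)
{
    log_msg(out, out_size, user);
}

/* Fixed: the format is a constant and the user text is only ever the argument of "%s". */
void log_user_fixed(const char *user, char *out, size_t out_size)
{
    log_msg(out, out_size, "%s", user);
}

/* Returns 1 if the two versions produce different output for this input, i.e.
 * the vulnerable path interpreted something in the user text as a directive. */
int format_is_interpreted(const char *user)
{
    char vuln[128], fixed[128];
    log_user_vulnerable(user, vuln, sizeof vuln);
    log_user_fixed(user, fixed, sizeof fixed);
    return strcmp(vuln, fixed) != 0;
}

/* Check a practitioner might add at a trust boundary (in addition to, not instead
 * of, the "%s" fix): does the text contain a '%' that starts a conversion? Only
 * "%%" is a harmless literal percent sign. */
int has_conversion_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": skip the pair */
            p++;
            continue;
        }
        return 1;               /* any other '%', including a trailing one */
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs. */
    printf("\"50%%%% done\" interpreted: %d\n", format_is_interpreted("50%% done"));
    printf("\"plain text\" interpreted: %d\n", format_is_interpreted("plain text"));
    printf("\"%%x %%x %%n\" has directive: %d\n", has_conversion_directive("%x %x %n"));
    return 0;
}
```

Compilers flag the direct case (printf(user)) with -Wformat-security, but not a call through a wrapper like log_msg unless it is declared with the printf format attribute; that is why the wrapper pattern is where these bugs survive.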
Exercises on software security
2021-2022 DEMO Exam exercise 3 (6 points) Assume that: The C standard library is loaded at a kno...
Web security
Introduction to web security
Web applications are built on top of HTTP, which is a stateless protocol that has only weak authe...
Cross Site Scripting (XSS)
Cross site scripting is a vulnerability by means of which client-side code can be injected in a p...
SQL injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queri...
Cookies and sessions
HTTP is stateless and almost unidirectional. Web applications, on the other hand, need to keep a st...
Cross-Site Requests Forgery (CSRF)
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an at...
Other vulnerabilities
Freudian slips (information leaks) Detailed error messages Display user-supplied data in errors...
Exercises on web security
2021-2022 Demo exam exercise 4 (6 points) LetsComplain is a new website for students and profs. S...
Network security
Network Protocol Attacks
Denial of Service (against availability) Make the service unavailable to legitimate users. Killer...
Firewalls
Firewall: network access control system that verifies all the packets flowing through it. Its mai...
Architectures for secure networks
Dual- or Multi-zone Architectures In most cases, the perimeter defense works on the assumption th...
TLS and SET
Issues of transaction security: Problems of remoteness Trust factor between parties Use of sen...
Exercises on network security
2021-2022 DEMO Exam exercise 5 (6 points) Consider the above network diagram, describing a compa...
Malware
Introduction to malware
"Malware" is a portmanteau of "malicious software": code that is intentionally written to violate...
Defending against malware and stealth techniques
Patches: most worms exploit known vulnerabilities Signatures: must be developed automatically ...
Exercises on malware
2021-2022 Demo exam exercise 6 Our systems have been compromised by very powerful malware. Luckil...