Search Results
210 total results found
Other register renaming techniques
Tomasulo implements an implicit register renaming: the code is not changed and there is dynamic loop unrolling. But there are other possible techniques for register renaming Compiler transformation: loop unrolling The compiler unrolls a loop n number of times,...
Speculation and reorder buffer
Hardware-based Speculation Extends the ideas of dynamic scheduling beyond branches combining 3 concepts: Dynamic branch prediction Speculation to enable the execution of instructions before the control dependences are solved by undoing the effects of an incor...
Caches
The main goal of caches is to increase the performance of a computer through the memory system in order to: Provide the user with the illusion of using a memory that is simultaneously large and fast Provide the data to the processor at high frequency For this reaso...
Improving cache performance
$$\text{AMAT} = \text{Hit Time} + \text{Miss Rate} \times \text{Miss Penalty}$$ In order to improve the AMAT we need to: Reduce the miss rate Reduce the miss penalty Reduce the hit time The overall goal is to balance fast hits and few misses. 1) Reducing th...
Course information
Complete course name: 055633 - COMPUTER SECURITY - UIC 587 (ZANERO STEFANO) Professor: Stefano Zanero Tutor: Armando Bellante Academic year: 2021-2022 Recordings: link to webeep Webeep: link to recman Topics Introduction to computer security Cryptog...
Introduction to computer security
CIA Paradigm The CIA paradigm for information security states three desiderata: Confidentiality: information should be accessed only by authorized entities. Integrity: information should be modified only by authorized entities, and only in the way such enti...
Authentication
Identification is when an entity declares its identity ("I am Stefano", "I am Michele", ...) while authentication is when the entity provides proof that verifies its identity. The three factors of authentication To know: something that the entity knows. Ex...
Access control
Reference monitor The reference monitor enforces access control policies ("who does what on which resource"). All modern kernels have a reference monitor implementation. The requirements of the reference monitor are: Tamper proof Cannot be bypassed Small enout...
Exercises on authentication and access control
2021-2022 Demo exam exercise 1 (4 points) In a company, each employee works in an open space. We need to design proper policies to minimize the risk that passwords get compromised. Such policies will be enforced whenever a user chooses a new password. Also, as...
Malwares introduction
"Malware" is a portmanteau of "malicious software": code that is intentionally written to violate a security policy. Several categories can be defined: Viruses: code that self-propagates by infecting other files, usually executables. Therefore, viruses are no...
Defending against malware and stealth techniques
Patches: most worms exploit known vulnerabilities Signatures: must be developed automatically to keep up Intrusion and anomaly detection: notice suspicious activity Antivirus and antimalware The basic strategy is a signature-based detection: database of b...
Exercises on malwares
2021-2022 Demo exam exercise 6 Our systems have been compromised by very powerful malware. Luckily, we managed to collect a sample of the malware. Its code is reported below. .text 0x08048046<do_stuff>: 0x08048046: push ebp 0x08048047: mov esp, ebp 0x080480...
Exercises on introduction
Question 0 Consider the phenomenon of identity stealing in social networks (e.g., Facebook, Twitter), which happens when a cyber criminal steals the username and password of a user and uses them to impersonate that user (e.g., post content, send messages to fr...
Introduction to web security
Web applications are built on top of HTTP, which is a stateless protocol that has only weak authentication built in. State and authentication are emulated by the application; they are not embedded in the protocol. In this environment the golden rule is that the...
Cross Site Scripting (XSS)
Cross-site scripting is a vulnerability by means of which client-side code can be injected into a page. For example, suppose we have a blog app which lets users post anything they want. A malicious user could embed some JavaScript in the post and this JavaScript ...
SQL injection
SQL injection is a web security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. It generally allows an attacker to view data that they are not normally able to retrieve. This might include data bel...
Other vulnerabilities
Freudian slips (information leaks) Detailed error messages Display user-supplied data in errors Side-channels (e.g. "user not found" vs "password mismatch") Debug in production URL parameter tampering Directory/Path traversal
Cookies and sessions
HTTP is stateless and almost unidirectional. Web applications, on the other hand, need to keep a state. Cookies are a client-side information storage, a reliable mechanism to keep stateful information. Cookies are used for session creation: The cookie will also ...
Cross-Site Request Forgery (CSRF)
Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed ...
Exercises on web security
2021-2022 Demo exam exercise 4 (6 points) LetsComplain is a new website for students and profs. Students here can complain about exams and professors can handle the complaints and register their exams. Get ready to hack this website. The relevant pseudo-code o...