This action might not be possible to undo. Are you sure you want to continue?
When we talk about system security we mean Financial security , physical security , Computer security . The computer security means that we are addressing three very important aspects of any computer related system ; confidentiality , integrity , and availability . Confidentiality : ensures that computer related assets are accessed only by authorized parties .It is sometimes called secrecy or policy . Confidentiality is the security property we understand best because its meaning is narrower than the other two .this defines which people or systems are authorized to access the current system? By accessing data do we mean that a authorized party can access a single bit ? pieces of data out of context? Can someone who is authorized disclose those data to other parties ? this is defined by the confidentiality which determines the data access strategies among the users and databases . Integrity : Integrity is much harder to pin down . when we survey the way some people use the term we find several different meanings .
Relationships between confidentiality , integrity , availability . for example , if we say that we have preserved the integrity of an item ,we may mean that the item is Precise Accurate Unmodified Modified only in acceptable ways Modified only by authorized person Modified only by authorized process Consistent Internally consistent Meaningful and usable Availability : Availability applies both to data and to services for example an object or service is thought to be available if: It is present in a usable form It has capacity enough to meet service needs It is making clear progress and if I wait mode it has bounded waiting time The service is completed in an acceptable period of time. We can trust an overall description of availability by combining these goals . We say a data item , service is available if 1. there is a timely response to our request . 2. there is a fair allocation of resources , so that some requestors are not favored over others . 3. the service or system involved follows a philosophy of fault tolerance , whereby hardware or software faults lead to graceful cessation of service or to work a rounds rather than to crashes and abrupt loss of information . 4. th service or system can be used easily and in the way it was intended to be used .
5. there is controlled concurrency ; that is there is support for simultaneous access , deadlock management , and exclusive access as required . These are the various goals of a security systems Q.2: Explain vulnerability of computing system? Ans: Vulnerability is sometimes easier to consider vulnerabilities as they apply to all three broad categories of system resources (hardware, software and data) rather than to start with the security goals themselves. The foll. Fig. shows the types of vulnerabilities:
Interruption Hardware Modification
Interruption Software Interception
Modification Fig.: Vulnerabilities of Computing Systems
Hardware Vulnerabilities: Hardware is more visible than software, largely because it is composed of physical objects. Because we can see what devices are hooked to the system, it is rather simple to attack by adding devices, changing them, removing them, intercepting the traffic to them, or flooding them with traffic until they can no longer function. However, designers can usually put safeguards in place. But there are other ways that computer hardware can be attacked physically. Computers have been drenched with water, burned, frozen, gassed and electrocuted with power surges. People have spilled soft drinks, corn chips, ketchup, beer and many of dust, and especially ash from cigarette smoke, have threatened precisely engineered moving parts. Computers have been kicked, slapped, bumped, jarred, and punched. Although such attacks might be intentional, most are not; this abuse might be considered “involuntary machine slaughter”: accidental acts not intended to do serious damage to the hardware involved. Software Vulnerabilities: Computing equipment is of little use without the software (operating system, controllers, utility programs, and application programs) that users expect. Software can be replaced, changed, or destroyed maliciously, or it can be modified, deleted, or misplaced accidentally. Whether intentional or not, these attacks exploit the software’s vulnerabilities. Sometimes, the attacks are obvious, as when the software no longer runs. More subtle are attacks in which the software has been altered but seems to run normally. Whereas physical equipment usually show some mark of inflicted injury when its boundary has been breached, the loss of a line of source or object code may not leave an obvious mark in a program. Furthermore, it is possible to change a program so that it does all it did before, and then some. That is, a malicious intruder can “enhance” the software to enable it to perform functions you may not find desirable. In this case, it may be very hard to detect that the software has been changed, let alone to determine the extent of the change. Data Vulnerabilities:
Hardware security is usually the concern of a relatively small staff of computing center professionals. Software security is a larger problem, extending to all programmers and analysts who create or modify programs. Computer programs are written in a dialect intelligible primarily to computer professionals, so a “leaked” source listing of a program might very well be meaningless to the general public. Printed data, however, can be readily interpreted by the general public. Because of its visible nature, a data attack is a more widespread and serious problem than either a hardware or software attack. Thus, data items have greater public value than hardware and software, because more people know how to use or interpret data. Q 3] Explain the term ‘Computer Criminals’? Ans : Computer criminals have an access to enormous amounts of hardware, software and data; they have the potential to cripple much of effective business and government throughout the world. In a sense, then the purpose of computer security is to prevent these criminals from doing damage. The general characteristics of computer criminals are :-
a) Amateurs:- Most Amateurs are not career criminals but rather are normal people who observe
weakness in a security system that allows them to access cash or other valuables. In the same sense, most capture criminals are ordinary computer professionals or users doing their jobs when they discover they have access to something valuables.
b) Crackers:- System crackers often high school or university students attempts to access
computing facilities for which they have not been authorized. Cracking a computer defense is seen as the ultimate victimless crime. The perception is that nobody is hurt or even endangered by a little stolen time. Crackers enjoy the simple challenge of trying to login just to see whether it can be done. Most crackers can do their harm without confronting any-body not even making a sound. In the absence of explicit warnings not to trespass in a system, crackers infer that access is permitted.
c) Career criminal:- By contrast the career computer criminals understands the targets of
computer crime. Criminals seldom change fields from murder. More often, criminals begins as computer professionals who engage in computer crime, finding the prospects & pay off good. There is some evidence that organized crime & international groups are engaged computer crime. Recently, electronic spices & information brokers have begun to recognize that trading companies or individuals, secrets can be lucrative. Q5] What are different security controls? Ans.There are three types of security controls. Software controls: Programs must be secure enough to prevent outside attack. They must also be developed and maintained so that we can be confident of the programs dependability. Program controls include the following: Internal program control: Parts of the programs that enforce security restrictions such as access limitations in database management programs. Operating system and network system controls: limitations enforced by the operating system or network to protect each user from other users. Independent control programs: application programs such as password checkers or virus scanners that protect certain types of vulnerability Development controls: Quality standards, under which a program is designed coded, tested and maintained to prevent software faults from becoming exploitable.
Hardware controls: Numerous hardware devices have been created to assist in providing computer security such as Hardware or smart card implementation of encryption Lock or cable limiting access Devises to verify users identity Intrusion detect system Circuit board that control access to storage media
Physical control: some of the easiest, most effective and least expensive controls are physical controls. Physical controls include locks on doors, guard set and entry point, backup copies of important software and data, and physical side planning that reduces the risk of natural disaster. Often the simple system controls are overlooked while we seek more sophisticated approaches.
Q 6] Explain the terms with respect to threats, vulnerabilities, & control in the security system. Ans: A computer system has three separate but vulnerable component hardware, software and data. Each of these assets offers value to different members of community affected by the system. To analyze security, we can brainstorm about the ways in which the system or its information can experience some kind of loss or harm.
Threats:- A threat to a computing system is a set of circumstances that has potential to cause loss or harm. There are many threats to computer system including human initiated and computer initiated ones. We have all experienced the result of inadvertent human errors. Hardware design flows and software failures but natural disasters are threats too. They can bring down a system when computer room is flooded. We can view any threat as being one of four kinds:
1) Interception: Interception threats means that some unauthorized party has gain access to an asset. The outsider party can be a person, program or computing system. 2) Interruption: In an interruption an asset of the system is being lost, unavailable or unstable. An example is malicious instruction of hardware device. 3) Modification: If an unauthorized party not only accesses but also tampers with an asset, the threat is a modification. For example someone may change the values in database. 4) Fabrication: An unauthorized party might create fabrication of counter feet objects on a computing system. The intruder may insert spurious transaction to a network communication system or adds records to existing databases. b) Vulnerability: A Vulnerability is a weakness in the security system. For example, in the procedures, design or implementation that might be exploited to cause loss or harm. For instant a particular system may be Vulnerable to unauthorized data manipulation because system does not verify users identity before allowing data access.
b) Control: How do we address the problem? We use control as protective measures. That is control is
an action, device, procedures or technique that removes or reduces Vulnerabilities. In general we can describe the relationship among threat, Vulnerability, control in this way. A threat is blocked by control of Vulnerability. Q 7.] Distinguish between vulnerabilities, & control in the security system. Ans: A computer system has three separate but vulnerable component hardware, software and data. Each of these assets offers value to different members of community affected by the system. To analyze security, we can brainstorm about the ways in which the system or its information can experience some kind of loss or harm: Threats: - A threat to a computing system is a set of circumstances that has potential to cause loss or harm. There are many threats to computer system including human initiated and computer initiated ones. We have all experienced the result of inadvertent human errors. Hardware design flows and software failures but natural disasters are threats too. They can bring down a system when computer room is flooded. We can view any threat as being one of four kinds:
1) Interception: Interception threats means that some unauthorized party has gain access to an
asset. The outsider party can be a person, program or computing system.
2) Interruption: In an interruption an asset of the system is being lost, unavailable or unstable. 3)
An example is malicious instruction of hardware device. Modification: If an unauthorized party not only accesses but also tampers with an asset, the threat is a modification. For example someone may change the values in database.
4) Fabrication: An unauthorized party might create fabrication of counter fit objects on a
computing system. The intruder may insert spurious transaction to a network communication system or adds records to existing databases.
b) Vulnerability: - Vulnerability is a weakness in the security system. For example, in the procedures,
design or implementation that might be exploited to cause loss or harm. For instance a particular system may be Vulnerable to unauthorized data manipulation because system does not verify users identity before allowing data access. There are three types of vulnerabilities: 1) Hardware vulnerability: Hardware is more visible than software largely because it is composed of physical objects. Because we can see what devices are hooked to the system and it is rather simple to attack by adding devices changing them, removing them, intercepting the traffic to them, or floating them with traffic until they can no longer function. Interruption (Denial of service) Interception (Theft)
Modification Fabrication (Substitution)
2) Software vulnerabilities: Computing equipment is of little use without the software can be
replaced, changed, or destroyed. Whether intentional or not these attacks exploit the software’s vulnerabilities. Interruption (Deletion) Interception
3) Data vulnerabilities: The general public can readily interpret Printed data. Because of its
visible nature a data attack is more widespread and serious problem than hardware or software attack. Thus data items have greater public values than h/w and s/w because more people know how to use data. Interruption (Loss) Interception
c) Control: - How do we address the problem? We use control as protective measures. That is control
is an action, device, procedures or technique that removes or reduces Vulnerabilities. In general we can describe the relationship among threat, Vulnerability, control in this way. A threat is blocked by control of Vulnerabilities. Types of control are as follows: I. Encryption, II. Policies and procedures, III. Hardware control, IV. Physical control, V. Software control.
Q.8] What are the risks involving in software computing? Ans.: Any part of a computing system can be the target of a crime. A computing system is a collection of hardware, software, storage media, data and people that an organization uses to perform computing tasks. An intruder must be expected to use any available means of penetration. The penetration may not necessarily be the most obvious, means, nor is it necessarily the one against which the most solid defense has been installed.
ATTACKS When you test any computer system, one of your jobs is to imagine how the system could malfunction. Then you improve the system’s design so that the system can withstand any of the problems you have identified. Threats, Vulnerabilities, and Controls A computer system has three separate but valuable components: hardware, software, and data. Each of these assets offers value to different members of the community affected by the system. We want security system to make sure that no data are disclosed to unauthorized parties. Neither do we want the data to be modified in illegitimate ways. At the same time, we want to ensure that legitimate users have access to the data. In this way, we can identify weaknesses in the system. A vulnerability is a weakness in the security system, for example, in procedures, design, or implementation, that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity before following data access. A threat to a computing system is a set of circumstances that has the potential to cause loss or harm. There are many threats to a computer system, including human-initiated and computer-initiated ones. We have all experienced the results of inadvertent human errors, hardware design flaws, and software failures. But natural disasters are threats, they can bring the system down when the computer room is flooded or the data center collapses from an earthquake. We use a control as a protecting measure. That is, a control is an action, device, procedure, or technique that removes or reduces vulnerability. A threat is blocked by control of vulnerability. To device controls, we must know as much about threats as possible. We can view any threat as being one of four kinds: interception, interruption, modification, and fabrication.
An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. In an interruption, an asset of the system becomes lost, unavailable, or unusable. An example is malicious destruction of a hardware device, erasure of a program or data file, or malfunction of an operating system file manager so that it cannot find a particular disk file. If an unauthorized party not only accesses but tampers with an asset, the threat is a modification. For example, someone might change the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted electronically. Finally, an unauthorized party might create a fabrication of a counterfeit objects on a computing system. The intruder may insert spurious transactions to a network communication system or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.
These four classes of threats-interception, interruption, modification and fabrication- describe the kinds of problems we might encounter.
Q.9] Write a short note on Encryption Method? Ans: Encryption is the process of encoding a message so that its meaning is not obvious and nobody able to break the code easily. Encryption method convert the plaintext i.e. the text which is suppose to converted in the encrypted form called ciphertext Various Encryption methods are as follows: 1. SUBSTITUTION CIPHERS
In this encryption method we substitute a character or a symbol for each character of the original message .This technique is called a monoalphabetic cipher or simple substitution. The various substitution cipher are: 1.1 The Caesar Cipher Julius Caesar is said to have been the first to use this scheme,in which each letter is translated to a letter a fixed number of places after it is in the alphabet . Ceasar used a shift of 3. For example plaintext pi enciphered as ciphertext letter ci Ci=E(Pi)=Pi + 3 Example: Plaintext: TREATY IMPOSSIBLE Ciphertext: WUHDWB LPSRVVLEOH 1.2 The Vernam Cipher: The Vernam Cipher is a type of one-time pad davised by Gilbert Vernam for AT&T. This cipher is immune to most cryptanalytic attacks . The basic encryption involves arbitrarily long nonrepeating sequence of numbers that are combine with the sequence of plaintext Example: Plaintext: VERNAM CIPHER Is encoded as Tehrsp itxmab 2. TRANPOSITIONS(PERMUTATIONS) A transposition is a encryption in which the letters of the message are rearranged .With the transposition ,the cryptography aims for diffusion . 2.1 Columnar Transposition: As with the substitution we begin the study of transposition by examining simple example. The columnar transposition is the rearrangement of characters of the plaintext into columns. The following set if characters is a five column transposition C1 C6 C11 The plaintext is as follows: Tssoh oaniw haaso lrsto inghw The resulting ciphertext is as follows: Utpir seeoa mrook istwc nasns. 3. Stream and block ciphers Stream ciphers convert one symbol of plaintext immediately into symbol of ciphertext. The transformation depends only on the symbol, the key and the control information of the encipherment algorithm. The stream cipher works as shown below C2 C7 C12 C3 C8 etc.. C4 C9 C5 C10
fig: stream ciphers Block cipher encrypts a group of plaintext symbols as one block. The columnar transposition and the other transpositions are the examples of block cipher. The block cipher words as shown below.
figure: block encryption Q10] Discuss the role of Encryption in Security System with the help of block diagram. How it differ from enciphering? Ans. Encryption is the process of encoding a message so that its meaning is not obvious; decryption is the reverse process, transforming an encrypted message back into its normal, original form. Alternatively, the terms encode and decode are used instead of encrypt and decrypt. That is, we say that we encode, encrypt or encipher the original message to hide its meaning. Then we decode, decrypt or decipher it to reveal the original message. A system for encryption and decryption called a cryptosystem. The original form of a message is known as plaintext, and the encrypted form is called ciphertext. The relationship is shown in following figure: For convenience in explanation, we denote a plaintext message P as a sequence of individual characters P = (p1, p2, ……….., pn). Similarly, ciphertext is written as C = (c1, c2, ……….cm). For instance, the plaintext message “I want cookies” can be thought of as the message string (I, , w,a,n,t, , c,o,o,k,i,,e,s ).It may be transformed into ciphertext(c1, c2, ………..,c14), and the encryption algorithm tells how the transformation is done. We use this formal information to describe the transformation between plaintext and ciphertext
Encryption For eg., We write C =E(p) and P= D(c), where C represents the ciphertext, E is the encryption rule, P is the plaintext, and D is the decryption rule. What we seek is a cryptosystem for which P =D(E(P)). In other words, we want to be able to convert the message to protect it from an intruder, but we also want to be able to get the original message back so that the receiver can read it properly. There are slight differences in the meanings of these three pairs of words, although they are not significant in this context. Strictly speaking, encoding is the process of translating entire words or phases to other words or phases, whereas enciphering is the translating letters or symbols individually; encryption is the group term that covers both encoding & enciphering. Q11] Define Cryptosystems Cryptosystems ? and Differentiate between symmetric and asymmetric
Ans. A system for encryption and decryption is called a Cryptosystem. Encryption is the process of encoding a message so that its meaning is not obvious. Decryption is the reverse process, transforming an encrypted message back into its normal, original form. Alternatively, the terms encode and decode or encipher and decipher are used instead of encrypt and decrypt. We say that we encode, encrypt, or encipher the original message to hide its meaning. We then decode, decrypt, or decipher it to reveal the original message. A system for encryption and decryption is called a cryptosystem. The original form of a message is known as plaintext, and the encrypted form is called ciphertext.The relationship is shown as follows:
Cipher text Encryption Decryption
The cryptosystems involves a set of rules for how to encrypt the plaintext and how to decrypt the cipher text. The encryption and decryption rules, called algorithms, often use a device called a key, denoted by K, so that the resulting cipher text depends on the original plaintext message, the algorithm, and the key value. We write this dependence as C = E (K,P) where E is a set of encryption algorithms, and the key K selects one specific algorithm from the set. Sometimes the encryption and decryption keys are the same so, P = D(K, E(K,P)). This form is called symmetric encryption because D and E are mirror- image processes. At other times, encryption and decryption keys comes in pairs. Then a decryption key, KD, inverts the encryption of key KE, so that P = D(KD, E(KE, P)). Encryption algorithms of this forms are called asymmetric because converting C back to P involves a series of steps and a key that are different from the steps and key of E. The difference between symmetric and asymmetric encryption is as shown in the figure: Key
Cipher text Encryption Decryption
a) Symmetric Cryptosystem
Decryption Key KD
Cipher text Encryption Decryption
b) Asymmetric Cryptosystem
Low diffusion: each symbol is separately enciphered: Therefore, all the information of that symbol is contained in one symbol of the cipher text. Susceptibility to malicious insertions and modifications: Because each symbol is separately enciphered, an active interceptor who has broken the code can splice together pieces of previous messages and transmit a spurious new message that may look authentic .
Slowness of encryption: the person or machine using a block cipher must wait until an entire block of plaintext symbols has been received before starting the encryption process. Error propagation: An error will affect the transformation of all other characters in the same block.
Q: 13 Write short note on: 1. Key Management 2. Key Distribution 3. Key Exchange 4. Key Generation Ans: Key Exchange: The problem of two previously unknown parties exchanging cryptographic keys is both hard and important to establish an encrypted session. one needs an encrypted means to exchange keys. Public key cryptography can help since asymmetric keys come in pairs one half of the pair can be exposed without compromising other half. Suppose S and R want to derive a shared symmetric key. S and R both have public keys for a common encryption algorithm; KR-s,KU-s, KR-r,KU-r for private and public keys for S and R res. The simplest solution is for S to choose any symmetric key K and send E (KR-r, K) to R. Then only R can decrypt the key, to assure that K came from S. The solution is for S to send R: E (KP-r, E (KR-s, K)) Key Management: In the real world Key Management is the hardest part of the Cryptography. Designing secure cryptographic algorithms and protocols is not easy but one can relay on large body of academic research .keeping key secret is much harder. Cryptanalyst often attack both symmetric and public key Cryptosystems through their key management. If one can spend $1000 bribing a clerk? Why should he spend &10 million building a cryptanalysis machine? If key is not changed regularly, this can be a enormous amount of data. Key management considers following issues: -Key generation: It generates the key hard to guess for eavesdroppers. -Key transfer: Distribution of the key to the communicational parties.
-Updating keys: Updating key for the secure communication. -Storing key: Storing the key securely on storing devices. -Compromised key: It is needed when the key is lost, stolen. -Lifetime of keys: Keys are generated according to their use for particular time after that time security of the key is not necessary.
Key Distribution: It is one of the important issue in the key management. The X9.17 standard specifies 2 types of keys: - Key-encryption key - Data key Key-encryption key encrypts other keys for distribution. data key encrypt message traffic. These are most commonly used concepts in the key distribution. Solution to the distribution problem is split the key into several different parts and send each of these parts over different channels. Key-encryption key shared by pairs works well in small networks, but can quickly get cumbersome if network becomes large. Since every pair of user s must exchange key, total no. of key exchanges required in an ‘n’ person network is n(n-1)/2. In 6 person network, 15 key exchanges are required. In 1000 person network nearly50000 key exchanges are required. In these cases creating central key server makes operation much more efficient. Key Generation: The security of fan algorithm rests in the key, if you are using cryptographically weak process to generate keys, then your whole system is weak. -Reduced key spaces: Longer the key, harder to break it. from time to time analysis it is proven that large size key with large number of characters (e.g. ASCII characters(256)) will generate the secure key. -poor key choices: If the selection of the key is the common names in the dictionary or the name of the relatives or the places are very prone to break. The attack is called Dictionary attack. -Random keys: Random keys are hard to remember hence may be used for key generation. -X9.17 key generation: the ANSI X9.17 standard specifies a method of key generation. this does not generate easy to remember keys, It is more suitable for generating session keys or pseudo-random numbers with a system. available on the market for use as basic components in devices that the DES encryption in an application .Examples of DES are : double DES , Triple DES
Right half text Left half text
substitute permute Add halves New left half text New right half text
Cycles of substitution and Permutation Q.15] Describe Double and Triple DES algorithm and also discuss the security DES. ANS: DOUBLE DES To address the discomfort, some researchers suggest using a double encryption for greater secrecy. The double encryption works in the following way. Take two keys, k1 and k2, and perform two encryption, one on top of the encryption, just as two locks are harder to pick than one. Unfortunately, that assumption is false. Merkle and Hellman showed that two encryption are no better one. The basis of their arguments is that the cryptanalyst works plaintext and ciphertext toward each other. The analyst needs two pairs of plaintext and corresponding ciphertext, c1 and c2, but not keys used to encrypt them. The analyst then tries decrypting c1 with a single key and looking for a match in the saved Ps. A match is a possible pair of double keys, so the analyst checks the match with p2 and c2. TRIPLE DES However, a simple trick does indeed enhance the security of DES. Using two keys and applying them in three operation adds apparent strength. The so-called triple DES procedure is C=E(k1, D(k2, E(k1,m))). That is , you encrypt with the second, and encrypt first again. Although this process is called triple DES, because of the three applications of the DES algorithm, it only doubles the effective key length. But a 112-bit effective key length is quite strong, and it is effective against all feasible known attacks. SECURITY OF THE DES Since its was first announced, DES has been controversial. Many reasearcher have questioned the security it provides. Much of this controversy has appeared in the open literature, but certain DES features have neither been revealed by the designer not inferred by outside analysts. In 1990, Biham and Shamir invented a technique, differential cryptanalysis, that investigates the change in algorithmic strength when an encryption algorithm is changed in some way. In 1991 they applied their technique to DES, showing that almost any change to the algorithm weakens it. Their changes included cutting the number of iteration from 16 to 15, changing the expansion or substitution rule, or altering the order of an iteration. Q17] What is difference between DES and AES, explain in details. i) DES stands for Data Encryption Standard, which was developed by U.S. government in 1976. But after few years it was found to be less efficient as compared to the requirements of the computer systems. Thus in 1999 U.S. National Institute of Standards and Technology designed an algorithm called Advanced Encryption Standards (AES). Both the algorithms are block cipher algorithms and use a key (public key or private key) for encryption. ii) Key Used:
DES uses 56-bit key. AES uses key of length of 128, 192, 256 bits. Thus we can see that key used by AES is almost double in length than key used by DES, and it can be doubled further. Hence AES gives us better encryption and it is more difficult to attack on the code encrypted by AES than that of DES. iii) Block size: DES encrypts 64 bits at a time. AES encrypts 128 bits at a time. Because of larger block size AES is found to be more effective than DES. iv) DES algorithm performs encryption by passing data through processes like substitution and permutation. Whereas AES performs substitution, shifting, and bit mixing processes to encrypt the data. v) DES algorithm was designed to go through 16 rounds precisely. In order to increase this number, the whole algorithm will be required to be redefined. AES, on the other hand, was designed in such a way that, changing the limit on repeat loop can easily change number of cycles of AES.
Q18]: Discuss the application of Encryption in cryptographic hash function? ANS]: With the recent news of weaknesses in some common security algorithms (MD4, MD5, SHA-0), many are wondering exactly what these things are: They form the underpinning of much of our electronic infrastructure, and in this Guide we'll try to give an overview of what they are and how to understand them in the context of the recent developments. Though we're fairly strong on security issues, we are not crypto experts. We've done our best to assemble (digest?) the best available information into this Guide, but we welcome being pointed to the errors of our ways. A "hash" (also called a "digest", and informally a "checksum") is a kind of "signature" for a stream of data that represents the contents. The closest real-life analog we can think is "a tamper-evident seal on a software package": if you open the box (change the file), it's detected. This is a common confusion, especially because all these words are in the category of "cryptography", but it's important to understand the difference. Encryption transforms data from a cleartext to ciphertext and back (given the right keys), and the two texts should roughly correspond to each other in size: big cleartext yields big ciphertext, and so on. "Encryption" is a two-way operation. Hashes, on the other hand, compile a stream of data into a small digest (a summarized form: think "Reader's Digest"), and it's strictly a one way operation. All hashes of the same type - this example shows the "MD5" variety - have the same size no matter how big the inputs are: "Encryption" is an obvious target for attack (e.g., "try to read the encrypted text without the key"), but even the one-way nature of hashes admits of more subtle attacks. We'll cover them shortly, but first we must see for what purposes hashes are commonly used. We'll note here that though hashes and digests are often informally called "checksums", they really aren't. True checksums, such as a Cyclic Redundancy Check are designed to catch datatransmission errors and not deliberate attempts at tampering with data. Aside of the small output space (usually 32 bits), they are not designed with the same properties in mind. We won't mention true checksums again. What's inside a cryptographic hash? The first answer is "it depends on the kind of hash", but the second answer usually starts with "a lot of math". A colloquial explanation is that all the bits are poured into a pot and stirred briskly, and this is about as technical we care to delve into here. There are plenty of resources that show the internal workings of a hash algorithm, almost all of which involve lots of shifting and rotating through multiple "rounds:
One iteration within the SHA-1 compression function. A, B, C, D and E are 32-bit words of the state; F is a nonlinear function that varies; <<< denotes left circular shift. Kt is a constant.
Some of the popular hash algorithms: • • • • • MD4 (128 bits, obsolete) MD5 (128 bits) RIPEMD-160 (160 bits) SHA-1 (160 bits) SHA-256, SHA-384, and SHA-512 (longer versions of SHA-1)
Each has its own advantages in terms of performance, several variations of collision resistance, how well its security has been studied professionally, and so on. Reliably generate collisions in four hash functions much faster than brute-force time, and in one case (MD4, which is admittedly obsolete), with a hand calculation. This has been a stunning development. In the short term, this will have only a limited impact on computer security. The bad guys can't suddenly start tampering with software that can fool published checksums, and they can't suddenly start cracking hashed passwords. Previously-signed digital signatures are just as secure as they were before, because one can't retroactively generate new documents to sign with your matched pair of inputs. What it does mean, though, is that we've got to start migrating to better hash functions. Even though SHA-1 has long been thought to be secure, NIST (the National Institute of Standards and Technology) has standard for even longer hash functions which are named for the number of bits in their output: SHA-224, SHA-256, SHA-384, and SHA-512. Five hundred twelve bits of hash holds 1.34 x 10154 possible values, which is far, far more than the number of hydrogen atoms in the universe. This is likely to be safe from brute-force attacks for quite a while. Q:19] Describe how Digital Signatures are applicable for encryption .Write its properties and explain its requirements with relevant block diagram Another typical situation parallels a common human need an order to transfer funds from one person to another .in other words we want to be able to send electronically the equivalent of a computerized checking . • a check is tangibler object authorizing financial transaction • the signature on the check confirms authenticity since only the legitimate signer can produce that signature • in the case of an alleged forgery , a third party can be called in to judge authenticity • once a check is cashed , it is cancelled so that it cannot be reused • the paper check is not alterable . or most forms of aleration are easily detected Digital signature is a protocol that produces the same effect as a real signature . ti is a mark that only the sender can make but other people can easily recognize as belonging to the sender . just like a real signature , a digital signature is used to confirm agreement to a message. Properties A digital signature must meet 2 primary conditions • It must be forgeable . If person P signs message M with signature S(P,M), it is impossible for anyone else to produce the pair [M,S(P,M)] • It must be authentic. If a person R receives the pair [M,S(P,M)] purposely from P , R can check that the signature is really from P could have created this signature and the algorithm. • It is not alterable .after being transmitted ,M cannot be changed by S,R or any other interceptor. • It is not reusable . a previous message presented again will be again be detected by R
UNFORGEABLE (PROTECTS A) Q.21] What are the point that should keep in mind about any key distribution Protocol? The two basic kinds of encryptions are symmetric (also called “secret key”) and asymmetric (also called “public key”). Symmetric algorithms use one key, which works for both encryption and decryption. Usually, the decryption algorithm is closely related to the encryption one. (For e.g. the Creaser cipher with a shift of 3 uses the encryption algorithm “substitute the character three letters later in the alphabet” with the decryption “substitute the character three latter a earlier in the alphabet”. ) The symmetric systems provide a two-way channel to their user: A and B share a secret key and they can both encrypt information to send to the other as well as decrypt information from other. As long as the key remain secret, the system also provides authentication, proof that a message received was not fabricated by someone other than declared sender, Authentication is ensured because only legitimate sender can produce a message that will decrypt properly with the shared key. The symmetric of this situation is major advantage of this type of encryption, but it also leads to a problem: key distribution. How do A and B obtain their shared secret key? And only A and B can that key for their encrypted communications. If A wants to share encrypted communication with other user C, A and C need a different shared key. Key distribution is major difficulty in using symmetric encrypted. In general, n user who want to communicate in pair need n*(n-1)/2 keys. In other words, the number of keys needed increase at rate proportional to the square of the number of users. So a property of symmetric encryption system is that they required means of key distribution. Public key systems, on other hand, exile at key management. By the nature of the public key approach, you can send a public key in an e-mail message or post it into a public directory. Only the corresponding private key, which presumably kept private, can decrypt what has been encrypted with the public key. But for both kind of encryption, a key must be kept secured. Once symmetric or private key is know by an outsider, all message written previously or in the future can be decrypted (and hence read or modified) by the outsider. So, for all encryption algorithms, key management is major issue. It involves storing, safeguarding and activating keys. Q22] What are the main characteristics of a good cipher? Shannon’s Characteristics of “Good Cipher” 1. The amount of secrecy needed should determine the amount labor appropriate for the encryption and decryption.
Principle 1 is a reiteration of the principle of timeliness and of the earlier observation that even a simple cipher may be strong enough to deter the casual interceptor or to hold off any interceptor for a short time. 2. The set of keys and the enciphering algorithm should be free from complexity. This principle implies that we should restrict neither the choice of keys nor the types of plaintext on which the algorithm can work. For instance, an algorithm that works only on plaintext having an equal number of As and Es is useless. Similarly it would be difficult to select keys such that the sum of the values of the letters of the key is a prime number. Restrictions such as these make the use of encipherment prohibitively complex, it will not be used. Furthermore the key must be transmitted, stored, and remembered, so it must be short. 3. The implementation of process should be as simple as possible. Principle 3 was formulated with hand implementation in mind. A complicated algorithm is prone to error or likely to be forgotten. With the development and popularity of digital computers, algorithms far too complex for hand implementation became feasible. Still the issue of complexity is important. People will avoid an encryption algorithm whose implementation process severely hinders message transmission, there by undermining security. And a complex algorithm is more likely to be programmed incorrectly. 4. Error in ciphering should not propagate and cause corruption of further information in the message. Principle 4 acknowledges that humans make errors in their use of enciphering algorithms. One error early in the process should not throw off the entire remaining cipher-text. For example, dropping one letter in a columnar transposition throws off the entire remaining encipherment unless the receiver can guess where the letter was dropped; the remaining of the message will be unintelligible. By contrast, reading the wrong row or column for a poly alphabetic substitution affects only one character remaining characters are unaffected. 5. The size enciphered text should no larger than the text of the original message. The idea behind principle 5 is that a cipher text that expands dramatically in size cannot possibly carry more information that the plaintext, yet it gives the cryptanalyst more data from which to infer a pattern. Furthermore, a longer cipher text implies more space for storage and more time to communicate. These principles were developed before the ready availability of digital computers, even though Shannon was aware of computers and the computational power they represented. Thus these are the main characteristics of a good cipher. Q.26] What are Modularity, Encapsulation, and Information Hiding? Modularity, Encapsulation, and Information Hiding : Code usually has a long shelf-life, and it is enhanced over time as needs change and faults are found and fixed. For this reason, a key principle of software engineering is to create a design or code in small, selfcontained units, called components or modules; when a system is written this way, we say that it is modular. Modularity offers advantages for program development in general and security in particular. If a component is isolated from the effects of other components, then it is easier to trace a problem to the fault that caused it and to limit the damage the fault causes. It is also easier to maintain the system, since changes to an isolated component do not affect other components. And it is easier to see where vulnerabilities may lie if the component is isolated. We call this isolation encapsulation. Information hiding is another characteristic of modular software. When information is hidden, each component hides its precise implementation or some other design decision from the others. Thus, when a change is needed, the overall design can remain intact while only the necessary changes are made to particular components.
Modularity Modularization is the process of dividing a task into subtasks. This division is done on a logical or functional basis. Each component performs a separate, independent part of the task. The goal is to have each component meet four conditions: • • • • single-purpose: performs one function small: consists of an amount of information for which a human can readily grasp both simple: is of a low degree of complexity so that a human can readily understand the purpose independent: performs a task isolated from other modules
structure and content and structure of the module
Often, other characteristics, such as having a single input and single output or using a limited set of programming constructs, help a component be modular. From a security standpoint, modularity should improve the likelihood that an implementation is correct. In particular, smallness is an important quality that can help security analysts understand what each component does. That is, in good software, design and program units should be only as large as needed to perform their required functions. There are several advantages to having small, independent components. • Maintenance. If a component implements a single function, it can be replaced easily with a
revised one if necessary. The new component may be needed because of a change in requirements, hardware, or environment. Sometimes the replacement is an enhancement, using a smaller, faster, more correct, or otherwise better module. The interfaces between this component and the remainder of the design or code are few and well described, so the effects of the replacement are evident. • • Understandability. A system composed of many small components is usually easier to Reuse. Components developed for one purpose can often be reused in other systems. Reuse comprehend than one large, unstructured block of code. of correct, existing design or code components can significantly reduce the difficulty of implementation and testing. • • Correctness. A failure can be quickly traced to its cause if the components perform only one Testing. A single component with well-defined inputs, output, and function can be tested task each. exhaustively by itself, without concern for its effects on other modules (other than the expected function and output, of course). Security analysts must be able to understand each component as an independent unit and be assured of its limited effect on other components.
A modular component usually has high cohesion and low coupling. By cohesion, we mean that all the elements of a component have a logical and functional reason for being there; every aspect of the component is tied to the component's single purpose. A highly cohesive component has a high degree of focus on the purpose; a low degree of cohesion means that the component's contents are an unrelated jumble of actions, often put together because of time-dependencies or convenience. Coupling refers to the degree with which a component depends on other components in the system. Thus, low or loose coupling is better than high or tight coupling, because the loosely coupled components are free from unwitting interference from other components. Encapsulation Encapsulation hides a component's implementation details, but it does not necessarily mean complete isolation. Many components must share information with other components, usually with good reason. However, this sharing is carefully documented so that a component is affected only in known ways by others in the system. Sharing is minimized so that the fewest interfaces possible are used. Limited interfaces reduce the number of covert channels that can be constructed. An encapsulated component's protective boundary can be translucent or transparent, as needed. The encapsulation is the "technique for packaging the information [inside a component] in such a way as to hide what should be hidden and make visible what is intended to be visible." Information Hiding Developers who work where modularization is stressed can be sure that other components will have limited effect on the ones they write. Thus, we can think of a component as a kind of black box, with certain well-defined inputs and outputs and a well-defined function. Other components' designers do not need to know how the module completes its function; it is enough to be assured that the component performs its task in some correct manner. Information hiding is desirable, because developers cannot easily and maliciously alter the components of others if they do not know how the components work. These three characteristics—modularity, encapsulation, and information hiding—are fundamental principles of software engineering. They are also good security practices because they lead to modules that can be understood, analyzed, and trusted. Q27] Short note on Code Red. Code Red appeared on the middle of 2001; to devastating effect. On the July 29th the U.S. Federal Bureau of Investigation proclaimed in a news that on July 19th the Code Red worm infected more than 250000 systems in just 9hrs. The Code Red includes several kinds of malicious code, it mutated from one version to another. Malicious software that propagate itself on web servers running Microsoft’s Internet Information Server (IIS). Code Red takes two steps: Infection and Propagation. To infect a server the worm takes advantages of a vulnerability in Microsoft’s IIS. It overflows the buffer in the server’s memory. Then to propagate the Code Red checks the IP address of port 80 of the PC to see if that server in vulnerable.
Effect:- The original Code Red’s activities were determined by the data. From day 1 to 19 of the month, the worm spawned 99 threads that scanned for other vulnerable computers, starting at the same IP address. Then on days 20 to 27 the worm launched a distributed Daniel-of-service attacks. A Daniel-ofservice attack floods the site with large numbers of messages in an attempt to slow down or to stop the site Because the site is overwhelmed & cannot handle the message. Finally from day 28 to end of month the worm did nothing. Working:- The worm crashes Windows NT based servers but executed code on Windows 2000 systems. Code Red includes its own copy of file explore.exe, placing it o the C: & D: drivers, so that Windows would run the malicious copy, not the original copy. This Trojan Horse run at the original, untainted version of explore.exe but it modified the system registry to disable certain kind of file protection & ensure that some directories have to read, write, & execute permission. As a result a Trojan Horse had a virtual path that could be followed even when explore.exe was not running. The Trojan Horse continues to run in background resetting the registry in 10 minutes. Thus even if a system administrator notices that the changes & undoes them, the changes are applied again by the malicious code. To propagate the worm, creates 300 or 600 threads depends upon the variant and tried for 24 or 48 hrs to spread to other machines. After that the system was forcibly rebooted, flushing the worm in memory but leaving the backdoor and Trojan Horse is placed. Q28] Explain in brief causes and effects of viruses. Virus attaches itself to program and propagates copies of itself to other program. Virus effects and causes are as follow: Attach to executable program A program virus attaches itself to program, then whenever the program is run, the virus is activated. This kind of attachment is usually easy to program. In the simplest case, a virus inserts a copy of itself into the executable program file before the first executable instruction. Then all the virus instruction execute first, after the last virus instruction, control flows naturally to what used to be the first program instruction.
This kind of attachment is simple and usually effective. The virus writer does not need to know anything about the program to which the virus will attach and often the attached program simply serves as a carrier for virus .The virus perform its task and then transfer to original program.
Virus that surround a program An alternative to attachment is a virus that runs the original program but has control before and after its execution. Integrated viruses and replacements The third situation occurred when the virus replaces some of its target, integrating itself into the original code of the target. The virus can cause due to: • Modify file directory • Write to executable program file Attach to data or control file Currently the most popular virus type is called as document virus, which is implemented within a formatted document , such as a written document ,a database, a slide presentation or a spread sheet. These documents are highly structured file that contain both data and commands. The commands are part of rich programming language, including macros, variables and procedures, file accesses and even system call. The writer of document virus uses any of features of programming language to perform malicious actions. The virus can cause due to: • Modify directory. • Rewrite data • Append to data • Append data to self Remain in memory Some part of operating system and most user programs execute, terminate, and disappear, with their space in memory being available for anything executed later. For very frequently used parts of operating system and for few specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory, and is called resident code. Virus writers also like to attach viruses to resident code because the resident code is activated many times while the machine is running. Each time the resident code runs, the virus does too. Once activated the virus can look for and infect the uninfected carriers. • Intercept interrupt by modifying interrupt handler address table. • Load self in nontransient memory area.
Infect disks Most virus attach to program that are store on media such as disks. The attached virus piece is invariant , so that the start of virus code becomes a detectable signature. The attached piece is always located at the same position relative to its attached files. The • • • • virus can cause due to: Intercept interrupt Intercept operating system call Modify system file Modify ordinary executable program short Virus effects Attach to executable program How it is caused 1.modify file directory 2. Write to executable program file. 1.modify directory. 2.Rewrite 3.Append to 4.Append data to self.
Q30.Write note on:
1. Boot Sector Attach to data or control file viruses: data. A special case of data. virus attachment, but formerly a fairly popular one, is the Remain in memory 1.Intercept interrupt by modifying so called boot sector interrupt handler address table virus. When a 2.Load self in nontransient memory computer is started, area control begins with Infect disks 1.Intercept interrupt firmware that 2.Intercept operating system call determines with (to format disk, for example) hardware 3.Modify system file components are Modify ordinary executable program present, tests them, and transfers control Conceal self 1.Intercept system calls that would to an operating Reveal self and falsify result system. A given 2.Classify self as “hidden” file hardware platform Spread infection 1.Infect boot sector can run many 2.Infect systems program different operating 3.Infect ordinary program systems, so the 4.Infect data ordinary program reads to operating system is control its execution not coded in Prevent deactivation 1.Activate before deactivating program firmware but is block deactivation instead invoked 2.Store copy to reinfect after deactivation dynamically, perhaps even by a user’s choice, after the hardware test. The operating system is software stored on disk. Code copies the operating system from disk to memory and transfers control to it; this copying is called the bootstrap load because the operating system figuratively pulls itself into memory by its bootstraps. The firmware does its control transfer by reading a fixed number of bytes from a fixed location on the disk to a fixed address in memory and then jumping to that address. The bootstrap loader then read into memory the rest of the operating system from the disk. To run a different operating system the user must insert a disk with the new operating system and a bootstrap loader. When the user reboot from this new disk, the loader there brings in and runs another operating system. This same scheme is used for personal computers, workstations, and large mainframes. To allow for change, expansion and uncertainty, hardware designers reserve a large amount of space for the bootstrap load. The boot sector on a PC is slightly less than 512 bytes but since the loader is larger than that the designers support ‘chaining’, in which each block of the bootstrap is chained to the next block. This chaining allows big bootstrap but also simplifies the installation. The virus writer simply breaks the chain at any point, inserts a pointer to the virus code to be executed, and reconnects the chain after the virus has been installed. The boot sector is an appealing place to house a virus. The virus gains control early in the boot process, before most detection tools are empty, so that it can avoid or at least complicate detection.
Bootstrap Loader chain
a) Before infection Boot Sector Virus Code Chain Other sector System Initialization Chain Bootstrap Loader
b) After infection
2. Memory Resident Viruses: Some part of the operating system and most user program execute, terminate and disappear. For very frequently used parts of the operating system and for very specialized user programs, it would take too long to reload the program each time it was needed. Such code remains in memory and is called resident code. Examples of resident code are the routine that interprets keys pressed on keyboard, code that handles error condition that arise during program execution, or a program that acts like an alarm clock. Resident routine are sometimes called TSR or “terminate and stay resident” routines. Virus writers also like to attach virus to resident code because resident code is activated many times while the machine is running. Each time the resident code runs the virus does too. Once activated the virus can look for and infect uninfected carriers. For example after activation boot sector might attach itself to a piece of resident code. Then each time the virus was activated it might check whether any removable disk in a disk drive was infected and if not infect it. 3. Document virus: The most popular virus type is document virus which is implemented within a formatted document such as written document, a database, a slide presentation or a spreadsheet. These documents are highly structured files that contain both data and commands. The commands are part of programming language including macros, variables and procedures, file accesses and even system calls. The writer of document virus uses any of the features of programming language to perform malicious action. The ordinary user sees only the content of the document, so virus writer simply includes virus in command part of the document as in integrated program virus Q-31: Explain the time-of-check to time-of-use errors. Access control is the fundamental part in the computer security; we want to make sure that only those who should access an object are allowed an access. Every requested access must be governed by an access policy stating who is allowed an access to what; then the request must be mediated by an access policy enforcement agent. But an incomplete mediation problem occurs when access is not checked universally. The time-of-check to time-of-use flaw concerns mediation that is performed with a “bait and switch” in the middle. It is also known as serialization or synchronization flaw. E.g., suppose a request to access a file were present as a data structure, with the name of the file and the mode of access presented in the structure.
Change byte 4 to “A”
Figure: data structure for file access Normally the access control mediator receives the data structure, determines whether the access should be allowed, and either rejects the access and stops or allows the access and forwards the data structure to the file handler for processing.
To carry out this authorization sequence, the access control mediator would have to look up the file name in tables. The mediator would compare the names in the table to the file name in the data structure and determine whether the access I is appropriate. More likely, the mediator would copy the file name into its own local storage area and compare from there. Comparing from the copy leaves the data structure in the user’s area, under the user’s control. It is at this point that the incomplete mediation flaw can be exploited. While the mediator is checking access rights for the file my_file, the user could change the file name descriptor to your_file. Having read the work ticket once, the mediator would not be expected to reread the ticket before approving; the mediator would approve the access and send the now modified descriptor to the file handler.
Figure: modified data The problem is called a time-of-check to time-of –use flaw because it exploits the delay between the two times. That is, between the time the access was checked and the time the result of the check was used, a change occurred, invalidating the result of the check. Q32. Give a details note on 1. Trapdoors 2. Salami Attack Trapdoors: This is a program that has a secret entry point. It is also called as backdoor. It is a feature in the program by which someone can access the program other than the obvious, direct call, perhaps with special privileges. For e.g., an automated teller program might allow anyone entering the number 990099 on the keypad to process the log of everyone’s transactions on that machine. A trapdoor may be intentional, for maintenance purposes, or it could be an illicit way for the implementer to wipe out any traces of a crime. Sometimes trapdoors are inserted for debugging purposes by the developer, who later forgot to remove it before publishing the product. In other cases, the developer may use the trapdoor for unauthorized access for monetary benefit. Salami Attack: Salami attack is another form of targeted malicious code. Its name comes from the way odd bits of meat and fat are fused together in salami. In the same way, a salami attack merges bits of seemingly inconsequential data to yield powerful results. Programs often disregard small amounts of money in their calculations, as when there are fractional pennies as interest or tax is calculated. These small amounts may be accumulated somewhere else, such as an individual’s bank account. The shaved amount is so small in an individual’s case that it may be unnoticed or ignored, but over a period of time, it may result in a large sum. The reason they are not noticed is that they do not show up in accounts while balancing. Salami attacks are persistent because of rounding errors while computations. Q33. Write a note on the following: 1. Web Bugs 2. Brain Virus
A. Web Bug: A web bug, sometimes called a pixel tag, clear gif, one-by-one gif, invisible gif, or beacon gif, is a hidden image on any document that can display HTML tags, such as a web page, HTML email message, or even a spreadsheet. Its creator intends the bug to be invisible, unseen bu users but very useful since it can track the web activities of an user. E.g. On Blue Nile Home Page, the following big code automatically downloads as a web bug from the site. <img height=1 width=1 Src “http://switch.avenuea.com/action/blenile_homepage/v2/a/AD7029944”> =
Web bugs do not seem to be malicious. They plant numerical data but do not track personal info. They can be used to track the surfing habits of an user. Their profile can be used to direct retailers in whom you are interested. More malicious codes can be clearly used to review the web server’s log files and determine your PC info, e.g. IP Address. The Web Server can capture things such as, IP Address, the kind of web browser used, monitor's resolution, browser settings, connection time, and previous cookie values.
Brain Virus: One of the earliest virus, it was given its name because it changes the label of any disk it attacks, to the word "BRAIN". It attacks PC's running Microsoft Operating System. What it does: The virus first locates itself in the upper memory and executes a system call to reset the upper memory limit to itself. It traps interrupt no. 19 (disk read) by resetting interrupt vector table to point to it. It then sets the address for interrupt no. 6to former address of interrupt no. 9 The Brain Virus appears to have no effect other than to pass the infection. Variants of this virus erase disks or destroys the FAT. How it Spreads: The Brain Virus positions itself in the boot sector and 6 other sectors. One of the sectors will contain the original boot code, moved from the original location, while 2 other contain remaining code of virus. Once installed, the virus intercepts disk read requests for the disk drive under attack. The virus reads the boot sector and inspects the 5 and 6 bytes for hexadecimal value 1234. Q-34. One feature of a capability-based protection system is the ability of one process to transfer a copy to another process. Describe a situation in which one process should be able to transfer a capability to another. Capability is analogous to a ticket or identification card giving permission to a subject to have a certain type of access to an object. Capabilities can be encrypted under a key available only to the access mechanism. One possible access right to an object is transfer or propagate .A subject having this right can pass copies of capabilities to other subjects. In turn each of these capabilities has a list of permitted types of accesses, one of which might also be transfer. In this instance, process A can pass a copy of a capability to B, who can then pass a copy to C.B can prevent further distribution of capability by omitting the transfer right from the rights passed in the capability to C. B might still pass certain access right to C, but not the rights to propagate access rights to other subjects. As a process executes, it operates in a domain. The domain is the collection of objects to which the process has access. As execution continues, the process may call a sub procedure, passing some of the objects to which it has access as arguments to the sub procedure. The domain of the sub procedure is not necessarily the same as that of its calling procedure; in fact, a calling procedure may pas only some of its objects to the sub procedure and the sub procedure may have access rights to other objects not accessible to the calling procedure. The caller may also pass only some of its access rights for the object it passes to the sub procedure. Domain for MAIN
Figure: process execution domain Since each capability identifies a single object in a domain, the collection of capabilities defines the domain. When a process calls a sub procedure and passes certain objects to the sub procedure, the operating system forms a stack of all the capabilities of the current procedure. The operating system then creates new capabilities for the sub procedures, as shown in the figure Domain for MAIN
Domain for Sub
Process Files Devices
Figure: Passing Objects to a Subject. Capabilities are straightforward way to keep rack of the access rights of subjects to objects during execution. The capabilities are backed by more comprehensive table, such as an access control matrix or an access control list. Each time a process seeks to use a new object, the operating system examines the master list of objects and subjects to determine whether the object is accessible. If so, the operating system creates a capability for that object. Capabilities must be stored in memory inaccessible to normal users. One way of accomplishing this is to store capabilities in segments not pointed at by user’s segment table or enclose them in protected memory as from a pair of base/bounds registers. During execution, only the capabilities of objects that have
been accessed by current process are kept readily available. This restriction improves the speed with which access to an object can be checked. They can be revoked. When an subject revokes a capability, no further access under the revoked capability should be permitted. A capability table can contain pointers to the active capabilities spawned under it so that the operating system can trace what access rights should be deleted if a capability is revoked. Q35. Explain why asynchronous I/O activity is a problem with many memory protection scheme including base bound and paging. Suggest a solution to problem. A major advantage of an operating system with fence register is the ability to relocate, this characteristic is important in a multiuser environment. With two or more user, none can know in advance where a program will be loaded for execution. The relocation register solves the problem by providing base or starting address. All address inside programs are offsets from that base address. All address inside programs are offsets from that base address. A variable fence register is known as base register. Fence register provide a lower bound but not an upper one. An upper bound can be useful in knowing how much space is allotted and in checking for overflows into forbidden areas. To overcome this problem a second register is often added. The second register called a bound register is an upper address limit. Each program address is forced to be above the base address because the content of base register is added to address. This technique protects a program address from modification by another user. When execution changes from one user program to another, the operating system must change the content of base and bound register to reflect the true address space for that user. This change is part of general preparation called a context switch. With a pair of base/bound register a user is perfectly protected from outside user. Erroneous address inside a user address space can still affect that program because the base/bound checking guarantees only that each address is inside the user address space. We can solve this problem by using another pair of base/bound registers, one for the instruction of the program and a second for the data space. Then only instruction fetches are relocated and checked with the first register pair and only data accesses are relocated and checked with the second register pair. Although two pair of register does not prevent all program errors, they limit the effect of data manipulating instruction to the data space. The pair of register offers another more important advantage: the ability to split a program into two pieces that can relocated separately. These two features seem to call for the use of three or more pair of registers: one for code, one for read only data and one for modifiable data value. Although two pair of registers are the limit for practical computer design. For each additional pair of registers, something in the machine code of each instruction must indicate which relocation pair into be used to address the instruction operands. That is with more than two pairs each instruction specifies one of two or more data spaces. But with only two pairs the decision can be automatic: instruction with one pair, data with other. Q36. Design protocol by which two mutually suspicious parties can authenticate each other. Protocols are publicly posted for scrutiny by the entire internet community. Each accepted protocol is known by its request for comment (RFC) number. Many problems with protocol have been identified by sharp reviewer and corrected before the protocol was established as standard. Two mutually suspicious parties can authenticate each other by establishing TCP connection through sequence number. The client sends a sequence number to open connection, the server response with that number and the sequence number of its own, and the client responds with server’s sequence number. One can guess client’s next sequence number. Sequence numbers are incremented regularly, so it can be easy to predicate the next number. The user of the service can be assured of any server’s authenticity by requesting an authenticating response from the server. Authentication is effective only when it works .A weak or flawed authentication allows access to any system or person who can circumvent the authentication. The protocol should allow the two parties to authenticate the data that is unique and difficult to guess. If same users to store data and run processes use two computers and if each has authenticated its user on first access, you might assume that computer-to-computer or local user to remote process authentication is unnecessary. Some time the system demands for certain identification of user ,but the user is supposed to trust the system .The programmer can easily write a program that displays the standard prompt for user ID and password. The user can be suspicious of the computing system, just as system is suspicious of the user. The
user can not enter the confidential data until convinced that the computing system is legitimate. The computer acknowledges the user only after passing the authentication process. User authentication is a serious issue that becomes even more serious when unacquainted users seek to share facilities by means of computer network. The traditional authentication device is a password. A plaintext password file presents a serious vulnerability for a computing system. These files are usually heavily protected or encrypted. The problem over here is to choose the strong password for the user. The protocols are needed to perform mutual authentication in an atmosphere of distrust. Q38. Enumerate the different types of attacks on user password. The most common authentication mechanism for user to operating system is user password, a word known to computer and user. Although password protection offers a relatively secure system. But the question is how secure are password itself? Password are somewhat limited as protection devices because of the relatively small number of bit of information they contain. Here are some way user can might be able to determine the User’s password. 1. 2. 3. 4. 5. Try all possible passwords. Try many probable password Try possible password likely for the user. Search for the system list of the password. Ask the user.
1.Exhaustive attack:This is also called as brute force attack. The attacker tries all possible passwords, usually in some automated fashion. The number of possible passwords depends upon the implementation of the particular computing system. The password might from 1 to 8 character hence that number might be tractable. Hence intruder may break the file. But break in time can be made more tractable in number of ways. Searching for a particular password does not necessarily require all passwords to be tried. 2. Probable passwords:Penetrators searching for passwords they realize these very human characteristics and use them to their advantages. Therefore penetrators try techniques that are likely to lead rapid success. If people try short passwords to long once the petnetrators will try all passwords in order by length. Q No 39. Explain various file protection mechanisms. All multi-user operating systems must provide minimal protection to keep one user from maliciously modifying the files of another user. For the reason many file protection mechanisms are used. 1. Basic form of protection a. All-None protection In original IBM OS operating systems, files were by default public, means that any user can do all file operations on files of any other user. Instead of software or hardware based protection involved is trust combined with ignorance. The system designer were supposed that user will not access other users files and he will try to access files for which he/she knows the name of the file. Certain sytems files were sensitive and administrator can control the access of file by means of password to indivisual file. However all this non protection is unacceptable for several reasons? I. Lack of trust. II. All or nothing III. Rise of time sharing IV. Complexity V. File listings.
b. Group Protection The previous has many drawbacks, researchers sought new way of file protection. In this system group of users are identified with common relationship. World is divided into three classes user, group, world. All authorized users are separated into groups. A group may consist of a member working on common project and may be with same motivation. When creating file user defines permission for user, other group member and for the rest of the world. The choices for access rights may be read, write , execute, delete etc. Advantage in this system is implementation of the system. A user is identified by two id’s user id and group id. These identifiers are stored in the file directory entry for each file while creating. When user logs in operating systems can easily identify user by obtaining the permissions. Some disadvantages are I. Group affiliation II. Multiple personalities III. All groups IV. Limited sharing 2. Single Permissions a. Password or Other token We can apply simple form of password protection to file protection by allowing user to assign a password to a file. Accesses are limited to those who provide correct access at the time of file opening. Password access may be given as read-only or modifications. However file password suffer from many difficulties like I. Loss: password may be forgotten II. Use: supplying password at each time is inconvenient and time consuming III. Disclosure: if password is disclosed to authorized access file becomes accessible IV. Revocation: to revoke one user’s access rights to file, someone must change the password, causing same problems as disclosure. b. Temporal Acquired Permission The UNIX operating system provides an interesting scheme based on a three level user-groupworld hierarchy. The UNIX designers added a permissions called set user id (suid). If this protection is set to the file to be executed, the protection level is of file’s owner not of executor. This mechanism is convenient for systems function that general users should be able to perform only in the prescribed way. 3. Per- Object and Per-User Protection The primary limitation of these file protection scheme is the ability to create meaningful groups of related users who should have similar access to one or more data sets. The access control lists or access control matrices described earlier provided very flexible protection. Their disadvantage is for user who wants to allow access to many users and to many different data sets; such user must still specify each data to be accessed by each user. As a new user is added, that user’s special access rights must be specified by all appropriate user. Q 40] What are different methods of protection and protection level of the operating system?
Security Methods of Operating System: The basic protection is separation: keeping one user’s objects separate from other users. Separation in an operating system can occur in several ways: 1) Physical separation 2) Temporal separation 3) Logical separation 4) Cryptographic separation Physical separation: in which different processes use different physical objects, such as separate printers for output requiring different levels of security. Temporal separation: in which processes having different security requirements are executed at different times. Logical separation: in which users operate under the illusion that no other processes exist, as when an operating system constrains a program’s access so that program cannot access objects outside its permitted domain. Cryptographic separation: in which processes conceal their data and computations in such a way that they are unintelligible to outside processes. Combinations of two or more of these forms of separation are also possible. The categories of separation are listed roughly in increasing order of complexity to implement, and, for the first three, in decreasing order of the security provided. Protection levels in Operating System: There are several ways an operating system can assist, offering protection at any of several levels. Do not protect: Operating systems with no protection are appropriate when sensitive procedures are being run at separate times. Isolate: When an operating system provides isolation, different processes running concurrently are unaware of the presence of each other. Each process has its own address space, files, and other objects. The operating system must confine each process somehow, so that the objects of the other processes are completely concealed. Share all or share nothing: With this form of protection, the owner of an object declares it to be public or private. A public object is available to all users, whereas a private object is available only to its owners. Share via access limitation: With protection by access limitation, the operating system checks the allow ability of each user’s potential access to an object. Lists of acceptable actions guide the operating system in determine whether a particular user should have access to particular objects. In some sense, operating system acts as a guard between users and objects, ensuring that only authorized accesses occurs. Share by capability: An extension of limited access sharing, this form of protection allows dynamic creation of sharing rights for objects. The degree of sharing can depend on the owner or the subject, on the context of the computation, or on the object itself. Limit use of an object: This form of protection limits not just the access to an object but the use made of that object after it has been accessed. More powerfully, a user may be allowed access to data in a database to derive statistical summaries, but not to determine specific data values. These modes of sharing are arranged in increasing order of difficulty to implement, but also in increasing order of fineness of protection they provide. A given operating system may provide different levels of protection for different objects, users, or situations. The granularity of control concerns us. The larger the level of object controlled, the easier it is to implement access control. Q.42] What are the various password selection criteria? The various password selection criteria are as follows: 1. Use characters other than A-Z. If passwords are chosen from the letters A-Z, there are only 26 possibilities for each character. Adding digits expands the number of possible characters to 62. Although this change seems small the effect is large when some one is testing a full space of possible
combination of characters. It takes about 100 hours to test all 6-letter words chosen from letters of one case only, but it takes about 2 years is oppressive enough to make this attack far less attractive. Choose long passwords. The combinational explosion of passwords begins at length 4 or 5. Choosing longer passwords makes it less likely that a password will be uncovered. Remember that a brute force penetration can stop as soon as the password is found. Some penetrators will try the easy cases – known words and short passwords – and move onto another target if those attacks fail. Avoid actual names or words. Theoretically, there are 266 or about 300 million “words” of length 6, but there are only about 150,000 words in a good collegiate dictionary, ignoring length. By picking one of the 99.95 percent non-words, you force the attacker to used the longer brute force search instead of the abbreviated dictionary search. Choose an unlikely password. Password choice is a double bind. To remember the password easily, you want one that has a special meaning to you. However, you don’t want someone else to be able to guess this special meaning. One easy to remember password is 2Brn2B. that unlikely looking jumble is a simple transformation of “to be or not to be”. The first letters of a line from a song, a few letters from different words of a private phrase, or a memorable football score are examples of reasonable passwords. But don’t be too obvious. Password-cracking tools also test replacements of 0 (zero) for o or O (letter “oh”) and 1 (one) for 1 (letter “ell”) or $ for S (letter “ess”). So Il0veu is already in the search file. Change the password regularly. Even if there is no reason to suspect that the password has been comprised, change is advised. A penetrator may break a password system by obtaining an old list or working exhaustively on an encrypted list. Don’t write it down. (Note: This time-honored advice is relevant only if physical security is a serious risk. People who have accounts on many different machines and servers, not to mention bank and charge cards PINs, may have trouble remembering all the access codes. Setting all codes the same or using insecure but easy-to-remember passwords may be more risky than writing passwords on a reasonably well protected list.)
Don’t tell anyone else. The easiest attack is social engineering, in which the attacker contacts the system’s administrator or a user to elicit the password in some way. For example, the attacker may phone a user, claim to be “system administrator”, and ask the user to verify the user’s password. Under no circumstances should you ever give out your private password; legitimate administrators can circumvent your password if need be, and others are merely trying to deceive you. Q43. What are some other levels of protection that users might want to apply to code or data in addition to the common read write or execute permissions? There are various protection levels that users might want to apply to code or data in addition to the common read write or execute permissions and they are:Class D- Minimal Protection. This class is applied systems that have been evaluated for a higher category that but have been framed the evaluation no security characteristics are needed for a D rating. Class C1 - Discretionary Security Protection. C1 is intended for an environment of cooperating users processing data at the same level of sensitivity. A system evaluated as C1 provides the separation of users from data. That must be controls that appear Sufficient to implement access. Limitations to allow what used to protect their data. The controls of C1 system may not have been stringently evaluated. The evaluation may be based more on the presence of certain features. To qualify for a C1 system must have a domain that includes security features and that is protected against Tampering. Class C2 - Controlled Access Protection. A C2 system still implements discretionary access control. Although the granularity of the control is finer. The audit trail must be capable of tracking each individual's access (or attempted access) to each object. Class B1- Labeled Security Protection. All certification in the B division include nondiscretionary access control. At the b level, each controlled subject and the object must be a sign the security level (for class b the protection system does not need to control every object).
Each controlled object must be the. Individually labeled for security level and these labels must be used as the basis for access control decisions. That access control must be based on a model employing both hierarchical levels and non hierarchical categories. ( The military model It is an example of system and the hierarchical levels – unclassified, classified, secret , top secret - and non hierarchical categories - need to know category sets) the mandatory access policy is the Bell- la Padula. Controls for all accesses with user discretionary access controls to further limit access. Class B2- The Structured Protection. The major enhancement for B2 is a design requirement. The design and implementation of a B2 system must enable a more thorough testing and review. A verifiable top level. Designed must be presented and testing must confirm that the system implements this design. The system must be internally structured into “well- defined largely independent modules”. The principle of least privilege is to be enforced in the design. Access control policies must be enforced on all objects and subjects including devices. Analysis of covert channels is required. Class B3 - Security Domains. The security functions of a B3 system must be small enough that extensive testing. Higher level design must be complete and conceptually simple and a convincing argument must exist that the system implements is design. The implementation of the design must incorporate significant use of layering, abstractions, and information hiding. The security functions must be tamper proof. Further more the system must be” Highly Resistant to penetration”. There is also a requirement that the system audit facility be able to identify when a violation of security is imminent. Class A1 - Verified Design. Class A1 requires are formerly verified system design. The capabilities of the system are the same as for class B3. But in addition there are five important criteria for class A1 certification: 1) A formal model of the protected system and a proof of its consistency and adequacy .2) A formal top-level specification of the protection system. 3) A demonstration that top level corresponds to the model,4) an implementation “informally” shown to be consistent with the specification and 5) formal analysis of covert channels. The above criteria were developed in the United States of America. However there are other criteria which were developed in Europe. They include:The German Green Book The German information security agency produced a catalog of criteria. Five years after U.S. Keeping with tradition the security community began to call the document the German green book because of its green cover. The German criteria identified eight basic security functions deemed a sufficient to enforce a broad spectrum of security policies: 1. Identification and authentication: - unique and certain association of an identity with the subject or object. 2. Administration of rights: - the ability to control the assignment and revocation. Off to access rights and subjects and objects. . 3. Verification of rights :- the mediation off the attempt at subject to exercise rights with respect to an object 4. Audit:- a record of information on the successful or attempted Unsuccessful exercise their rights 5. Object reuse: - Resetting reusable resources in such a way that no information flows occurs in contradiction to the security policy. 6. Error Recovery:- identification of situations from which to recovery is necessary and invocation of the appropriate action 7. Continuity of services: - identification of functionality that must be available in the system and what degree of delay or loss can be isolated. 8. Data communications security: - Peer entity authentication control of access the communications systems as did confidentiality, integrity and origin authentication. The British Criteria The British developed jointly the first public version of criteria. The original United Kingdom criteria were based on that claims language, a metalanguage by which a vendor could make claims about functionality in a product. The claims language consisted of a list of actions phrases and target phrases with parameter. Information Technology Security Evaluation Criteria
This preserved the German functionality while at the same time preserving the British functionality. A vendor has to define a target of evaluation the item that is the evaluation’s focus. This is considered as to be the operational environment and security enforcement requirements. An evaluation can address a product or a system. These protection level criteria are the ones that can be used by the user to apply to code or data other than the normal read/write/execute permissions. Q. 44 Why should the directory of one user not be generally accessible (for read only) to other user? Every file has a unique owner who possesses “control” access right (include the rights to declare who has what access) and to revoke access to any person at any time. Each user has a file directory, which lists all the files to which that user has access. Clearly, no user can be allowed to write in the file directory because that would be a way to forge access to a file. Therefore, the operating system must maintain all file directories, under commands from the owners of files. The obvious rights to files are the common read, write and execute familiar on many shared system. Furthermore, an other right, owner, is possessed by the owner, permitting that user to grant and revoke access rights. Fig. shows an e.g. of file directory.
File User A Directory File Name Access File Rights Pointer PROG1.C PROG1.EXE BIBLIOG HELP.TET TEMP ORW OX ORW R ORW Files File Name
User B Directory Access File Rights Pointer PROG1.C PROG1.EXE BIBLIOG HELP.TET TEMP ORW OX ORW R ORW
This approach is easy to implement because it uses one list per user, naming all the objects that user is allowed to access. However, several difficulties can arise. First, the list becomes too large if many shared objects, such as libraries of subprograms or a common table of users, are accessible to all users. The directory of each user must have one entry for such shared object, even if the user has no intention of accessing the object. A second difficulty is revocation of access. If owner A has passed to user B the right to read file F, an entry for F is made in the directory for B. This granting of access implies a level of trust between A and B. If A later questions that trust, A may want to revoke the access right of B. The operating system can respond easily to the single request to delete the right of B to access F, because that action involves deleting one entry from a specific directory. But if A wants to remove the rights of everyone to access F, the operating system must search each individual directory for the entry f, an activity that can be time consuming on a large system. For e.g. large timesharing systems or networks of smaller system can easily have 5,000 to 10,000 active accounts. Moreover, B may have passed the access right for F to another user, so A may not know that F’s access exits and should be revoked. This problem is particularly serious in a network. A third difficulty involves pseudonyms .Owner A and B may have two different files named F, and they may both want to allow access by S. Clearly, the directory for S can’t contain two entries under the same name for different files. Therefore, S has to be able to uniquely identify the F for A (or B). One
approach is to include the original owner’s designation as if were part of the file name, with a notation such as A: F (or B: F). Q45] Explain the fence register used for relocating the users programming. The most obvious problem in multiprogramming is preventing one program from affecting the memory of other programs. Fortunately, protection can be built into the hardware mechanism that controls efficient use of memory, so that solid protection can be provided at essentially no additional cost. Fence: The simplest form of memory protection was introduced in single user operating system to prevent faulty user program from destroying part of the resident portion of operating system. As name implies a fence is a method to confine users to one side of a boundary. In one implementation, the fence was a predefined memory address, enabling the operating system to reside on one side and the user to stay the other. An example of this situation is depicted in figure. Unfortunately this kind of implementation was very restrictive because a predefined amount of space was always reserved for operating system, whether it is needed or not. If less that the predefined space is needed then excess space was wasted. Conversely if the operating system needed more space, it could not grow beyond the fence boundary.
Another implementation used a hardware register often called fence register containing the address of the end of operating systems. In contrast a fixed fence, in this scheme the location of the fence could be changed. Each time a user program generated an address for data modification, the address was automatically compared with fence address. If the address was greater than the fence address (that is the users area) the instruction was executed; if it was less that the fence address (that is the operating system area), an error condition was raised. The user fence register is show in following figure.
A fence register protects only in one direction. In other words an operating system can be protected from single user but fence can not protect one user from another user. Similarly a user can not identify certain areas of the program an inviolable (such as the code of the program itself or read only data) Relocation: If the operating system can be assumed to be fixed size, programmers can write their code assuming that the program begins at a constant address. This feature of the operating system makes it easy to determine the address of any object in the program. However it also makes it essentially impossible to change the starting address if, for example the new version of the operating system is larger or smaller than the old. If the size of the operating system is allowed to change, then the program must be written in the way that does not depend on placement at a specific location in memory. Relocation is the process of taking a program written as if it began at address 0 and changing all addresses to reflect the actual address at which the program is located in memory. In many instances the effort merely entails adding a constant relocation factor to each address of the program. That is the relocation factor is the starting address of the memory assigned for the program. Continently the fence register can be used in this situation to provide an extra benefit: the fence register can be hardware relocation device. The contents of the fence are added to each program address. This action both relocates the address and guarantees that no one can access a location lower than the fence address. (addresses are treated as unsigned integers, so adding the value in the fence register to any number is guaranteed to produce a result at or above the fence address) Special instructions can be added for the times when a program legitimately intends to access a location of the operating system. Q.46] If two users share access to a segment , they must do it by same name . must their protection rights to it be same?why or why not ? 1. Segmentation involves the simple notion of dividing segment into separate pieces . each piece has a logical unity ,exhibiting a relationship among all of its code or data values . 2. 3. 4. For example , a segment may be a code of a single procedure , the data of an array ,or the collection data value used by a particular module. Segmentation was developed as a feasible means to produce the effect of the equivalent of a n unbounded number of base/bound registers. In other words segmentation allows a program to be divided into many pieces having different access rights.
5. Of two users share access to a segment , they must do it by d different access rights.for this segmentation processes uses both hardware and software . 6. The overall system can associate the certain levels of protection with certain segments and it uses both the operating system and hardware to check that protection an each access to execute only code and a third might be writeable data . 7. In a situation like this one , segmentation can approximate the goal of separate protection of different pieces of a program
Q47]. Explain why asynchronous I/O activity is a problem with many memory protection scheme including base bound and paging. Suggest a solution to problem. A major advantage of an operating system with fence register is the ability to relocate, this characteristic is important in a multiuser environment. With two or more user, none can know in advance where a program will be loaded for execution. The relocation register solves the problem by providing base or starting address. All address inside programs are offsets from that base address. All address inside programs are offsets from that base address. A variable fence register is known as base register. Fence register provide a lower bound but not an upper one. An upper bound can be useful in knowing how much space is allotted and in checking for overflows into forbidden areas. To overcome this problem a second register is often added. The second register called a bound register is an upper address limit. Each
program address is forced to be above the base address because the content of base register is added to address. This technique protects a program address from modification by another user. When execution changes from one user program to another, the operating system must change the content of base and bound register to reflect the true address space for that user. This change is part of general preparation called a context switch. With a pair of base/bound register a user is perfectly protected from outside user. Erroneous address inside a user address space can still affect that program because the base/bound checking guarantees only that each address is inside the user address space. We can solve this problem by using another pair of base/bound registers, one for the instruction of the program and a second for the data space. Then only instruction fetches are relocated and checked with the first register pair and only data accesses are relocated and checked with the second register pair. Although two pair of register does not prevent all program errors, they limit the effect of data manipulating instruction to the data space. The pair of register offers another more important advantage: the ability to split a program into two pieces that can relocated separately. These two features seem to call for the use of three or more pair of registers: one for code, one for read only data and one for modifiable data value. Although two pair of registers are the limit for practical computer design. For each additional pair of registers, something in the machine code of each instruction must indicate which relocation pair into be used to address the instruction operands. That is with more than two pairs each instruction specifies one of two or more data spaces. But with only two pairs the decision can be automatic: instruction with one pair, data with other.
Base Register N+1
Addresse s 0 N N+1 p p q+1 P+ q q+1
Memor y Operating System User A Program Space User B Program Space User C Program Space
P Bounds Register
User Progra m Space
Hig h Fig: Pair of Base/Bounds Registers.
Q48] List two disadvantages of using physical separation in a computing system. In physical separation different processes use different physical objects. Thus disadvantages associated with this method are listed below: i) This method leads to the poor utilization of resources, which leads to performance degradation of the system. ii) System requirements are much higher as compared to other methods, because of need of separate physical objects for different process.
Q. 50 Explain Two Phase Update technique with examples. 1) Failure of the computing system in the middle of modifying data , is a serious problem. 2) If the data item to be modified was a long field, half of the field might show the new value while the other half would contain the old. Also, a more subtle problem occurs when several fields are updated and no single file appears to be in obvious error. 3) The solution to this problem is – The Two Phase Update technique. 4) During the first, intent phase the DBMS gathers the resources it needs to perform the update including data, create dummy records, open files, lock out other users and calculate. 5) The first phase is repeatable an unlimited number of times, as it takes no permutation actions. If the system fails during execution, no harm is done. All the steps can be restarted and repeated after the system resumes processing. 6) The last event of the first phase, is called commiting, involves the writing of a commit flag, to the database. This means that the changes made are now permanent, after this point. 7) The second phase makes the permanent changes.No actions from before the commit can be repeated.If the system fails during the second phase, the database may contain incomplete data, but the system can repair these data by performing all activities of the second phase. An Example of the Two Phase Update: Suppose a database contains an inventory of a company’s office supplies.The stockroom tores paper, pens, paper, paper clips etc. and the different departments requisition items as they need them. The company buys in bulk and each department has a budget for office supplies.The stockroom monitors quantities of supplies on hand so as to order new supplies when the stock becomes low. Suppose the process begins with a requisition from the accounting department for 50 boxes of paper clips. Assume there are 107 boxes in stock and a new order is placed if the quantity is low (i.e the stock falls below 100). 1. The stockroom checks the database to determine that 50 boxes of paper clips. If not, the requisition is rejected and the transaction is complete. 2. If enough are in stock , the stockroom deducts 50 from the inventory. (107-50=57). 3. The stockroom charges accounting’s supplies budget for 50 boxes of paper clips. 4. The stockroom checks it’s remaining quantity to check if it is below the reord point. 5. A delivery order is prepared, enabling 50 boxes of paper clips to be sent to accounting. Suppose a failure occurs while these steps are processed. If the failure occurs before step1 is complete no harm is done. However, during steps 2,3,4 changes are made to the elements in the database are inconsistent. When a two-phase commit is used, shadow values are maintained for key data points.A shadow data value is computed and stored locally during the intent phase, and it is copied to the actual database during the commit phase. Intent: 1. Check the value of COMMIT-FLAG in the database. If it is set, this phase cannot be performed. Halt or loop , checking COMMIT-FLAG until it is not set. 2. Compare number of boxes of paper clips on hand to number requisitioned,if more are requisitioned than are on hand, halt. 3. Compute TCLIPS= Onhand –REQUISITION. 4. Obtain BUDGET, the current supplies budget remaining for accounting \department. Computer TBUDGET =BUDGET-COST. 5.Check whether TCLIPS is below reorder point; if so set TREORDER=TRUE; else set TREORDER=FALSE. COMMIT: 1. Set COMMIT-FLAG in database. 2. Copy TCLIPS to CLIPS in database. 3.Copy TBUDGET to BUDGET in database. 4. Copy TREORDER to REORDER in database. 5.Prepare notice to delivery paper clips to accounting department. 6. Unset COMMIT-FLAG.
Q 52: What factors make a data sensitive? Give Example? Sensitive data are data that should not be made public.The challenge of access control problem is to limits user’s access so that they can obtain only the data to which they have legitimate access. Several factors can make data sensitive. • Inherently sensitive:The values itself is Sensitive indeed. E.g. The location of defensive missiles or the maiden income of barbers in a town with only one barber. From sensitive sources:The source of data may indicate need for confidentiality. E.g. Information from an informer whose identity would be compromised if information were disclose. Declared Sensitive:The database administrator or the owner of the data may have declared the data to be sensitive. E.g. classified military data.
Part of Sensitive attribute or Sensitive record:In database an entire database or record may be classified as sensitive. For E.g. Salary attribute of personnel database. Sensitive in relation to previously disclosed information:Some data becomes Sensitive in the presence of other data. E.g. Longitude coordinate of secret gold mines reveals little latitude coordinates pinpoints the mines. Q 54] How does DBMS detect inconsistency in database? How does it ensure the concurrency in such cases? Database systems are often multi-user systems. Accesses by two users sharing the same database must be constrained so that neither interferes with other. Simple locking is done by DBMS. If two users attempt to read the same data item, there is no conflict because both obtain the same value. If both users try to modify the same data items, we often assume that there is no conflict because each knows what to write; the value to be written does not depend on the previous value of the data item. However, this supposition is not quite accurate. To see how concurrent modification can get us into trouble, suppose that the database consists of seat reservations for a particular airline flight. Agent A, booking a seat for passenger Mock, submits a query to find what seats are still available. The agent knows that Mock prefers a right aisle seat, and the agent finds that seats 5D, 11D, and 14D are open. At the same time, agent B is trying to book seats for a family of three traveling together. In response to a query, the database indicates that 8A-B-C and 11 D-E-F are two remaining groups of three adjacentunasssigned seats. Agent A submits the update command. SELECT ( SEAT – NO = ‘11D’ ) ASSIGN ‘ MOCK , E ‘ TO PASSENGER- NAME While Agent B submits the update sequence SELECT ( SEAT – NO = ‘11D’ ) ASSIGN ‘EHLERS , P ‘ TO PASSENGER- NAME As well as commands for seats 11E and 11F. Then two passengers have been booked into the same seat. Both agents have acted properly: Each sought a list of empty seats, choose one seat from the list, and updated the database to show to whom the seat was assigned. The difficulty in this situation is the time delay between reading a value from the database and writing a modification of that value. During the delay time , another user has accessed the same data. To resolve this problem, a DBMS treats the entire query update cycle as a single atomic operation. The command from the agent must now resemble “read the current value of the seat PASSENGER- NAME for seat 11D f it is ‘UNASSIGNED’ , modify to ‘ MOCK , E ‘”.The read-modify cycle must be completed as an
Uninterrupted item without allowing any other users access to the PASSENGER-NAME field for seat 11D. The second agents request to book would not be considered until after the first agents had been completed at the same time the value of PASSENGER-NAME would no longer be ‘UNASSIGNED’. Another problem in concurrent access is read-write. Suppose one user is updating a value when a second user wishes to read it. If the read is done while the write is in progress the reader may receive data are only partly updated. Consequently, the DBMS locks any read requests until a write has been completed.
Q55. What is Element Integrity? How does it help to detect and correct manual errors? Element Integrity: It concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users. The integrity of the database elements is their correctness or accuracy. Ultimately, authorized users are responsible for entering correct data in databases. However, users and programs make mistakes collecting data, computing results, and entering values. Therefore, DBMS sometimes take special action to help catch errors as they are made and to correct errors after they are inserted. This corrective action can be taken in three ways. Field Checks: A field might be required to be numeric, an uppercase letter, or one of a set of acceptable characters, The check ensures that a value falls within specified bounds or is not greater than the sum of the values in two other fields. These checks prevent simple errors as the data are entered. Access Control: Consider life before databases. Data files may contain data from several sources, and redundant data may be stored in several different places. For eg., a student’ s home address may be stored in several different campus files: at class registration, for dining hall privileges, at the bookstore, and in the financial aid office. If the student moves from one residence to another, each separate file requires correction. Without a database, there are several risks to data’s integrity. First, at a given time, there could be some data files with the old address (they have not yet been updated) and some simultaneously with the new address (they have already been updated). Second, there is always the possibility that the data fields were changed incorrectly, again leading to files with incorrect information. Third, there may be files of which the student is unaware, so he does not know to notify the file owner about updating the address information. These problems are solved by databases. They enable collection and control of this data at one central source, ensuring the student and users of having the correct address. Change Log: The third means for providing database integrity is maintaining a change log for the database. A change log lists every change made to database; it contains both original and modified values. Using this log, a database administrator can undo any changes that were made in error. For eg., a library fine might erroneously be posted against Charles W. Robertson, instead of Charles M. Robertson, flagging Charles W. Robertson as ineligible to participate in varsity athletics. Upon discovering this error, the database administrator obtains Charles W.’s original eligibility value from the log and corrects the database. Q.56] How is access control is implemented in database explain the user authentication and access policies in this context? Access Control: Databases are often separated logically by user access privileges. For examples, all Users can be granted access to general data, but only the personnel department can obtain sales data and only the marketing department can obtain sales data. The database administrator specifies who should be allowed to access to which data, at the view relation ,field ,record or even element level. The DBMS must enforce this policy ,granting access to all specified data or no access where prohibited. Furthermore, the number of modes access to all specified data or no access where prohibited. It is important to notice that you can access data by inference without needing direct access to the secure objects itself .Restricting inferences may mean prohibiting certain access to limit the queries from the users who are not intend unauthorized access values. Moreover, attempts to check requested accesses for possible unacceptable interferences may actually degrade the DBMS’s performance .
Access policies: Integrity: In case of multilevel database integrity becomes both more important more difficult to achieve. Because of the property of access control, a process that reads high level data is not allowed to write a file at lower level. When this applied to databases, however this principle says that high level user should not be able to write a lower-level data element. The problem with this interpretation arises when DBMS must be able to read all records in the database and write new records for any of the following purpose: to do backups, to scan the database to answer queries, to recognize the database according to user’s processing needs, or to update all records of the database. When people encounter this problem, they handle it by using trust and commonsense. People who have access to sensitive information are careful not to convey it to uncleared individuals. In computing systems, there are two choices: either the process cleared at high level cannot write to lower level, or the process must be a “trusted process”, the computer equivalent of a person with security clearance. Confidentiality: User trusts that database will provide correct information, meaning that the data are consistent and accurate. In multilevel databases two users working at two different levels of security might get two different answers to the same query. In order to preserve confidentiality, precision is sacrificed. Enforcing the confidentiality also leads to unknowing redundancy. Suppose a personnel; specialist works at one level of access permission. The specialist knows tha t Bob Hill works for the company. However Bob’s record does not appear on the retirement payment roster. The specialist assumes this omission is an error and creates new record for Bob. The reason that no record for Bob appears is that Bob is the secrete agent, and his employment with the company is not supposed to be public knowledge. There actually is a record on Bob in the file but, because of his special position, his record is not accessible to personnel specialist. The creation of new record means that there are two records on Bob; one sensitive and one not. This situation is called ‘polyinstanntiation’ meaning that one record can appear many times with different level of confidentiality at each time. Thus, merely scanning the database for duplicate is not satisfactory way to find records entered unknowingly by people with only low clearances. Q. 57] Explain different attacks used to determine sensitive data values from a database. The following attacks are used to determine sensitive data values from the database: Direct Attack In a direct attack, a user tries to determine values of sensitive fields by seeking them directly with queries that yield few records. The most successful technique is to form a query so specific that it matches exactly one data item. In table 1 a sensitive query might be List NAME where SEX=M ^ DRUGS=1 The above query discloses that for record ADAMS, DRUGS=1. however, it is an obvious attack because it selects people for whom DRUGS=1
Table 1.Sample database Name Adams Bailey Chin Hill Dewitt Earhart Fein Groff Koch Liu Majors Sex M M F F M F F M F F M Race C B A B B C C C C A C Aid 5000 0 3000 5000 1000 2000 1000 4000 0 0 2000 Fines 45. 0. 20. 10 35 95 12 0 0 10 0 Drugs 1 0 0 2 3 1 0 3 1 2 2 Dorm Holmes Grey West West Grey Holmes West West West Grey Grey
Indirect Attack Another procedure, used by the U.S. Census Bureau and other organizations that gather sensitive data, is to release only statistics. The organizations suppress individual names, addresses, or other characteristics by which a single individual can be recognized. Only natural statistics, such as count, sum, and mean are released. The indirect attack seek to infer a final result based on one or more intermediate statistical results. But this approach requires work outside the database itself. Sum An attack by sum tries to infer a value from a reported sum. For example, with the sample database in table 1, it might seem safe to report student aid total by sex and dorm. Such a report is shown in table 2. this seemingly innocent report reveals that no female living in grey is receiving financial aid. Thus we can infer that any female living in grey is certainly not receiving financial aid. This approach often allows us to determine a negative result. Table 2. Sums of Financial aid by dorm and sex Holmes M F Total 5000 7000 12000 Grey 3000 0 3000 West 4000 4000 8000 Total 12000 11000 23000
Count The count can be combined with the sum to produce some even more revealing results. Often these two statistics are released for a database to allow users to determine average values. Table 3 shows the count of records for students by dorm and sex. This table is innocuous by itself. Combined with the sum table, this table demonstrates that the two males in Holmes and West are receiving financial aid in the amount of $5000 and $4000, respectively. We can obtain the names by selecting the subschema of NAME, DORM, which is not sensitive because it delivers only low-security data on the entire database. Table 3. Count of students by Dorm and Sex
Holmes M F Total 1 2 3
Grey 3 1 4
West 1 3 4
Total 5 6 11
Median By a slightly more complicated process, we can determine an individual value from medians. The attack requires finding selections having one point of intersection that happens to be exactly in the middle. For example, in our sample database, there are five males and three persons whose drug use value is 2. arranged in the order of aid, these lists are shown in table 4. someone working at the Health Clinic might be able to find out that Majors is a White male whose drug use score is 2. That information identifies majors as the intersection of these two lists and pinpoints Majors financial aid as $2000. in this example, the queries q = median (AID where SEX=M) p = median (AID where DRUGS=2) reveal the exact financial aid amount for Majors. Table 4. Inference from Median of Two Lists Name Bailey Dewitt Majors Groff Adams Liu Majors Hill Sex M M M M M F M F Drugs 0 3 2 3 1 2 2 2 Aid 0 1000 2000 4000 5000 0 2000 5000
Attacks: Attacks are the external things which causes the computer system malfunctioning and diminish the value of the software’s assets. Attacks can destroy the system security gradually. There are various attacks which determine sensitive data values from a database. They are given as follows. 1. Threats A threat to a computer system is a set of circumstance that has the potential to cause loss or harm. 2. Vulnerability The vulnerability is a weakness in the security system, for example, in procedures, design, or implementation that might be exploited to cause loss or harm. For instance, a particular system may be vulnerable to unauthorized data manipulation because the system does not verify a user’s identity be fore allowing data access. However, we can see a small crack in the wall-a vulnerability that threatens the man’s security. If the water rises to or beyond the level of the crack it will exploit the vulnerability and harm the man. A human who exploits a vulnerability perpetrates an attack on the system .An attack can also be launched by another system as when one system sends an overwhelming set of messages to another system virtually shutting down second system’s ability to function. 3. Control: A Control is an action, devise, procedure, or technique that removes or reduces vulnerability. For example the man is placing his finger in the hole, controlling the threat of water leaks until he finds a more permanent solution to the problem
Q 58] What is inference problem? Explain with respect to its
vulnerability on database.
The inference problem is a way to infer or derive sensitive date from nonsensitive data. The interference problem is a subtle vulnerability in database security. The database in table-1 can help illustrate the inference problem. Recall that AID is the amount of financial aid a student is receiving. FINES is the amount of parking fines still owed. DRUGS is the result of a drug-use survey:0 means never used and 3 means frequent user. Obviously this information should be kept confidential. We assume that AID, FINES, and DRUGS are sensitive fields, although only when the values are related to specific individual. Name Adams Bailey Chin Dewitt Earhart Fein Groff Hill Koch Liu Majors Sex M M F M F F M F F F M Race C B A B C C C B C A C Aid 500 0 3000 1000 2000 1000 4000 5000 0 0 2000 Fines 45. 0. 20. 35. 95. 15. 0. 10. 0. 10. 0. Drugs 1 0 0 3 1 0 3 2 1 2 2 Dorm Holmes Grey West Grey Holmes West West Holmes West Grey Grey
Table-1 Sample Database. Direct Attack: In a direct attack, a user tries to determine values of sensitive fields by seeking them directly with queries that yield few records. The most successful technique is to form a query so specific that it matches exactly one data item. In Table-1, a sensitive query might be List NAME where SEX = M /\ DRUGS = 1 This query disclose that for record ADAMS, DRUGS = 1. However, it is an obvious attack because it selects people for whom DRUGS = 1. Indirect Attack: Another procedure, used by organizations that gather sensitive data, is to release only statistics. The organizations suppress individual names, addresses, or other characteristics by which a single individual can be recognized. Only neural statistics, such as count, sum, and mean, are released.
• • •
Sum: An attack by sum tries to infer a value from a reported sum. For example, with sample database in Table-1, it might seem safe to report student aid total by sex and dorm. This Highest approach often allows us to determine a negative result. Count: The count can be combined with sum to produce some even more revealing results. Values for Often these two statistics are 1 Attribute released for a database to allow users to determine average values. . Median: By a slightly more complicated process, we can determine an individual value from medians. The attack. requires finding selections having one point of intersection that happens to be exactly in the middle, as shown in fig-1 below:
Lowest Values for . . . Attribute 2
. Attribute 1; . Median for Attribute 2 Lowest
Highest . . . value for Attribute2
Fig-1: Intersecting Medians. Tracker attack: Database management system may conceal data when a small number of entries make up a large proportion of data revealed. A tracker attack can fool the database manager into locating the desired data by using additional queries that produce small result. The tracker adds additional records to be retrieved for two different queries; the two set of records cancel each other out, leaving only the statistics or data desired. The approach is to use intelligent padding of two queries. In other words, instead of trying to identify a unique value, we request n-1 other values. Given n and n-1, we can easily compute the desired single element. For instance, suppose we wish to know how many female Caucasians live in Holmes hall. A query posed might be Count ((SEX = F) /\ (RACE = C) /\ (DROM = Holmes)) Linear System Vulnerability: A tracker is a specific case of a more general vulnerability. With a little logic, algebra, and luck in the distribution of the database contents, it may be possible to determine series of queries that returns results relating to several different sets. This attack can also be used to obtain results other than numerical ones.
Q59) Explain relationship between security and precision with help of Diagram ?
Conceal for Maximum Security Most Sensitive
Concealed-Not Disclosed Reveal for Maximum Precision Cannot be inferred from queries
Figure: Security versus Precision
May be inferred from queries Freely Disclosed in Response to Queries
For reasons of confidentiality we want to disclose only those data that are not sensitive. Such an outlook encourages a conservative philosophy in determining what data to disclose: less is better than more. The conservative philosophy suggests rejecting any query that mentions a sensitive field. We may thereby reject many reasonable and nondisclosing queries. For example: A researcher may want list of grades for all students using drugs. These queries probably do not compromise the identity of any individual. We want disclose as much data as possible so that users of the database have access to the data they need. This goal called Precision, aims to protect all sensitive data while revealing as much non sensitive data as possible. We can depict the relationship between security and precision with help of concentric circles. As figure shows, the sensitive data in the central circle should be carefully concealed. The outside line represents data we willingly disclose in response to queries. But we know that the user may put together piecies of the disclosed data and infer other , more deeply hidden, data. The figure shows us that beneath the outer layer may be yet more nonsensitive data that the user cannot infer. The ideal combination of security and precision allow us to maintain the perfect confidentiality with maximum precision; in other words, we disclose all and on;y the nonsensitive data. But achieving this goal is not as easy as it might seem.
Q.60] What is N item k % rule? How does it help to suppress personal data values? The n-item k- percent rule eliminates certain low frequency elements from being displayed. It is not sufficient to delete them, however, if their values can also be inferred. The data in this table suggest that the cells with counts of 1 should be suppressed, their counts are too revealing.But it does no good to suppress the Male-Holmes cell when the value 1 can be determined by subtracting Female_Holmes (2) from the total (3) to determine 1 as shown in table. Students by Dorm and Sex Sex Holmes M 1 F 2 Total 3 Grey 3 1 4 West 1 3 4 Total 5 6 11
When one cell is suppressed in a table with totals for rows and columns, it is necessary to suppress at least one additional cell on the rows and one on the columns to provide some confusion. Using this logic, all cells would have to be suppressed in this small sample table. When totals are not provided, single cells in a row or column can be suppressed. Q 62] List security requirements for database system. The basic security requirements of database systems are not unlike those of other computing systems. The basic problems-access control, exclusion of spurious data, authentication of users, and reliability –have appeared in many contexts. Following is a list of requirements for database security. a) Physical database integrity :- The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe. b) Logical database integrity :- The structure of the database is preserved. With logical integrity of a database, a modification to the value of one field does not affect other fields. c) Element integrity :-The data contained in each element are accurate. d) Auditability :-It is possible to track who or what has access(or modified) the elements in the database. e) Access control: The user is allowed to access only authorized data and different user can be restricted to different modes of access.(such as read or write). f) User authentication: Every user is positively identified ,both for the audit trail and for permission to access certain data. g) Availability: User can access the database Q.63 1. 2. 3. 4. 5. 6. Ans. 1. Integrity of database The data of a database are immune to physical problems, such as power failures, and someone can reconstruct the database if it is destroyed through a catastrophe. In logical database integrity the structure of the database preserved. With logical integrity of the database, a modification to the value one field does not affect other fields. Integrity of the database as a whole is the responsibility of the DBMS, the operating system, the computing system manager. From the perspective of the operating system and computing system Explain following points with respect to security of the database system? Integrity of database Auditability User Authentication Access control Element integrity Availability
manager, database and DBMSs are files and programs. Therefore, one way of protecting the database as whole is to regularly back up all files on the system.
2. Auditability For all application it ,ay be desirable to generate an audit record of all access to
database. Such a record can help to maintain the database’s integrity, or at least to discover after the fact who had affected what values and when. Another advantage of this is that user can access protected data incrementally. That is no single access reveals the data. User AuthenticationThe DBMS can require authentication, a DBMS might insist that a user pass both specific password and time of day checks. This authentication supplements the authentication performed by the operating system The DBMS runs as an application program on top of the operating system. This sytem design means that there is no trusted path from the DBMS to the operating system. Access ControlDatabase are often prevented and separated logically by the user privileges. All users can be granted access to general data, but only the personal department can obtain salary data only the marketing department can obtain sales data. The database administrator specifies who should be allowed access to which data as the view, relation, field, record, or even element level. The DBMS must enforce this policy granting access to all specified data or no access where prohibited. Element Integrity The integrity of the database is their correctness or accuracy. Authorised users are responsible for entering correct data in database. Users and programs are make mistakes collecting data, computing results. Etc. Avalibility A DBMS has aspects of both programs and a system. It is a program that uses other hardware and software resources so that many users it is the application run. Users often the DBMS for granted employing it as in the only essential tool with which to perform particulars task.
Q. 64] Explain clearly how 3 aspects of security integrity-confidentiality, reliability relate to DBMS . The computer security means that we are addressing three very important aspects of any computer related system ; confidentiality , integrity and availability . Integrity and confidentiality : The three aspects of computer security – integrity , confidentiality availability clearly relate to database management systems. Integrity applies to the individual elements of a database as well as to the database as whole. Thus , integrity is a major concern in the design of database management systems . Confidentiality is a key issue with databases because of the inference problem , whereby a user can access sensitive data indirectly . Inference and access controls strategies are defined in this. Availability is important because of the shared access motivation underlying database development . availability conflicts with confidentiality . Reliability and Integrity :Databases amalgamate data from many sources , users expects a DBMS to provide access to the data in a reliable way . When software engineers say that software is reliable , they mean that the software runs for very long periods of time without failing . Users certainly expects a DBMS to be reliable , since the data usually are key to business or organizational needs . Moreover , users entrust their data to a DBMS and integrity expect it to protect the data from loss or damage .Concerns for reliability and integrity are general security issues , but they are more highly apparent with databases There are several ways that a DBMS guards against loss or damage , and the controls are not absolute : no control can prevent an authorized user from inadvertently entering an acceptable but incorrect value . Database concerns about reliability abd integrity can be viewed from three dimensions as follows : 1. Database integrity : concern that a database as a whole is protected against damage , as from the failure of a disk drive or the corruption of the master database index . these concerns are addressed by operating system integrity controls and recovery procedures . 2. Element Integrity : concern that the value of a specific data element is written or changed only by authorized users . proper access controls protect a database from corruption by un authorized persons .
3. Element Accuracy : Concern that only correct values are written into the elements of a database . checks on the values of elements can help to prevent insertion of improper values . also , constraint conditions can detect incorrect values . For the reliability of data in an database we consider the following issues : 1. Protection features from Operating system . 2. Two phase update 3. redundancy / internal consistency error detection and correction codes - shadow fields 2. recovery 3. monitors for structural integrity 4. Range comparisons 5. state constraints 6. transition constraints etc. Thus , integrity ,confidentiality , reliability are closely related concepts in databases Users trust the DBMS to maintain their data correctly , so integrity issues are very important to database security . Q.65] ”Database concerns about reliability and integrity can be viewed from three dimensions.” – Explain. Databases amalgamate data from many sources, and users expect a DBMS to provide access to the data in a reliable way. When software engineers say that software is reliable, they mean that the software runs for very long periods of time without failing. Users certainly expect a DBMS to be reliable, since the data usually are key to business or organizational needs. Moreover, users entrust their data to a DBMS and rightly expect it to protect the data from loss or damage. Concerns for reliability and integrity are general security issues, but they are more highly apparent with databases. There are several ways that a DBMS guards against loss or damage. However, the controls we consider are not absolute: no control can prevent an unauthorized user from advertently entering an acceptable but incorrect value. Database concerns about reliability and integrity can be viewed from three dimensions:
Database integrity: concern that the database as a whole is protected against damage, as from the failure of a disk drive or the corruption of the master database index. These concerns are addressed by the operating system integrity controls and recovery procedures.
Element integrity: concern that the value of a specific data element is written or changed only by authorized users. Proper access controls protect a database from corruption by unauthorized users. Element accuracy: concern that only correct values are written in to the elements of a database. Checks on the values of elements can help to prevent insertion of improper values. Also, constraint conditions can detect incorrect values. Q.66] What is sensitivity data? Explain several factors that can make data sensitive? Some databases contain what is called sensitive data. As a working definition, let us say that sensitive data are data that should not be made public. Determining which data items and fields are sensitive depends both on individual database and the underlying meaning of the data. Obviously, some databases, such as public library catalog, contain no sensitive data; other database, such as defense- related ones, are totally sensitive These two cases- nothing sensitive and everything sensitive-are the easiest to handle because they can be covered by access controls to the database itself. Someone either is or is not an authorized user. These controls are provided by the operating system. The more difficult problem, which is also the more interesting one, is the case in which some but not all of the elements in the database are sensitive. There may be varying degrees of sensitivity. For example, a university database might contain student data consisting of name, financial aid, dorm, drug use, sex, parking fines, and race. Name and dorm are probably the least sensitivity; financial aid, parking fines, and
drug use the most; sex and race somewhere in between. That is, many people may have legitimate access to name, some to sex and race, and relatively few to financial aid, parking fines, or drug use. Indeed, knowledge of the existence of some fields, such as drug use, may itself be sensitive. Sample Database: Name Sex Adams M Bailey M Chin F Dewitt M Earhart F Fein F Groff M Hill F Koch F Liu F Majors M Race C B A B C C C B C A C Aid 5000 0 3000 1000 2000 1000 4000 5000 0 0 2000 Fines 45 0 20 35 95 15 0 10 0 10 0 Drugs 1 0 0 3 1 0 3 2 1 2 2 Dorm Holmes Grey West Grey Holmes West West Holmes West Grey Grey
Several factors can make data sensitive. 1. Inherently sensitive. The value itself may be so revealing that it is sensitive. Examples are the locations of defensive missiles or the median income of barbers in a town with only one barber. 2. From a sensitive source. The source of the data may indicate a need for confidentially. An example is information from an informer whose identity would be compromised if the information were disclosed. 3. Declared sensitive. The database administrator or the owner of the data may have declared the data to be sensitive. Examples are classified military data or the name of the anonymous donor of a piece of art. 4. Part of a sensitive attribute or a sensitive record. In a database, an entire attribute or record may be classified as sensitive. Examples are the salary attribute of a personnel database or a record describing a secret space mission. 5. Sensitive in relation to previously disclosed information. Some data become sensitive in the presence of other data. For example, the longitude coordinate of a secret gold mine reveals little, but the longitude coordinate in conjunction with the latitude pinpoints the mine. Q.67] Write and explain types of disclosures. Any descriptive information about data when revealed leads to a disclosure. Following are the types of disclosures: 1. Exact Data: The most serious type of disclosure is the exact value of the data item concerned. The user may intentionally request sensitive data, or may request general data unknowingly that some of it is sensitive. 2. Bounds: Disclosing the bounds of a sensitive value is also a form of disclosure. This means indicating that a sensitive value, say y lies between L & H. The user may then use a technique similar to binary search, and issue multiple requests to determine L<=y<=H and then L<=y<=H/2 and so on till the user gets the desired precision. 3. Negative Result: This means determining that z is NOT a value of y. A user can query to determine a negative result. This may provide valuable information such as “0 is not the number of HIV cases in an University” which means at least one case is present in the University. 4. Existence: Sometimes, the existence of a data is itself a sensitive information, regardless of its value. E.g. An employer may not want his workers to know that all long distance lines are being monitored. In that case, discovering a LONG DISTANCE entry in a personal record leads to disclosure. 5. Probable Value: It may be possible to determine the probability that a certain element has a certain value. Q. 68] Write short note on Security versus Precision. Sometimes it is difficult to determine what data are sensitive and how to protect them. The situation is complicated by desire to share no sensitive data. For reasons of confidentiality we want to disclose only
those data that are not sensitive. Such an outlook encourages a conservative philosophy in determining what data to disclose ;less is better than more. On the other hand, consider the users of the data. The conservative philosophy suggests rejecting any query that mentions a sensitive field. We may thereby reject many reasonable and nondisclosing queries. For example, a researcher may want a list of grades for all students using drugs. These queries probably do not compromise the identity of any individual. We want to disclose as much data as possible so that users of the database have access to the data they need. Precision aims to protect all sensitive data while revealing as much non sensitive data as possible where as security allows authorize access to information thereby not allowing the data to get corrupted by intruders. One can depict the relationship between security and precision with concentric circles. As shown in the figure ,the sensitive data in the central circle should be carefully concealed.
Conceal for maximum Security Concealed Reveal for Maximum Precision
Cannot be inferred from queries May be inferred from queries Freely disclosed in response to queries
The outside band represents data we willingly disclose in response to queries .But the user may put together pieces of disclosed data and infer other, more deeply hidden, data. The figure shows that beneath the outer layer may be yet more non sensitive data that the user cannot infer. The ideal combination of security and precision allows us to maintain perfect confidentiality with maximum precision; in other words, we disclose all and only the non sensitive data. But achieving this goal is not as easy . Q.69] Explain following types of attack for db system: a)Direct attack b)Indirect attack c)Tracker attack DIRECT ATTACK: In a direct attack,a user tries to determine values of sensitive fields by seeking them directly with queries that yield few records.The most successful technique is to form a query so specific that it matches exactly one data item. In table below ,a sensitive query might be List NAME where SEX=M^ DRUGS=1 This query discloses that for record ADAMS,DRUGS=1.However,it is an obvious attack because it selects people for whom DRUG=1. Table Sample Database(repeated) Name Sex Race Aid Fines Drugs Dorm
Adams Bailey Chin Dewitt Earhart Fein Groff Hill Koch Liu Majors
M M F M F F M F F F M
C B A B C C C B C A C
5500 0 3000 1000 2000 1000 4000 5000 0 0 2000
45 0 20 35 95 15 0 10 0 10 0
1 0 0 3 1 0 3 2 1 2 2
Holmes Grey West Grey Holmes West West Holmes West Grey Grey
A less obvious query is List NAME where (SEX=M^ DRUGS=1)v (SEX!=M^ SEX!=F)v (DORM=AYRES) On the surface,this query looks as if it should conceal drug usage by selecting other non-drug-related records as well.However,this query still retrieves only one record,revealing a name that corresponds to the sensitive DRUG value.The DBMS needs to know that SEX has only two possible values,so that the second clause will select no records.Even if that were possible,the DBMS would also need to know that no records exist with DORM=AYRES,even though AYRES might in fact be an acceptable value for DORM. The rule of “n items over k percent “ means that data should be withheld if n items represent over k percent of the result reported .In the previous case, the one person selected represents hundred percent of the data reported, so that there would be no ambiguity about which person matches the query. INDIRECT ATTACK : The indirect attack seeks to infer a final result based on one or more intermediate statistical results.But this approach requires work outside the database itself.In particular, a statistical attack seeks to use some apparently anonymous statistical measure to infer individual data. We reprsent several examples of indirect of indirect attacks on databases that reports statistics. Sum: An attack by sum tries to infer a value from a reported sum.For,example with the sample database in table drawn ealier ,it might seem safe to report student aid total by sex and dorm.Such a report is shown in the table drawn below.This seemingly innocent report reveals that no female living in Grey is receiving financial aid.Thus,we can infer that any female living in Grey(such as Liu) is certainly not receiving financial aid.This approach often allows us to determine a negative result. Sums of Financial Aid by Dorm and Sex Holmes 5000 7000 12000 Grey 3000 0 3000 West 4000 4000 8000 Total 12000 11000 23000
M F Total
TRACKER ATTACKS: A tracker attack can fool the database manager into locating the desired data by using additional queries that produce small results,The tracker adds additional records to be retrieved for two different queries; the two sets records cancel each other out,leaving only the statistic or data desired.The approach is to use intelligent padding of two queries.In other words,instead of trying to identify a unique value,we request n-1 other values.Given n and n-1,we can easily compute the desired single element. For instance,suppose we wish to know how many female Caucasians live in Holmes Hall.A query posed might be Count ((SEX=F) ^ (RACE=C) ^ (DORM=Holmes)) The database management system might consult the database,find that the answer is 1,and refuse to answer that query because one record dominates the result of the query. However further analysis of the query allows us to track sensitive data through non-sensitive queries.
Q70] Write a short note on linear system vulnerability. LINEAR SYSTEM VULNERABILITY A tracker is a specific case of a general vulnerability .With a little logic ,algebra ,and luck in the distribution of the database contents, it may be possible to determine a series of queries that returns results relating to several different sets .For example ,the following system of five queries does not overtly reveal any single c value from the database. However ,the queries’ equations can be solved for each of the unknown c values, revealing them all. Q1=c1+c2+c3+c4+c5 Q2=c1+c2+c4 Q3=c3+c4 Q4=c4+c5 Q5=c2+c5 To see how ,use of basic algebra to note that q1-q2=c3+c5, and q3-q4=c3-c5.Then ,subtracting these two equations ,we obtain c5=((q1-q2)-(q3-q4)/2.Once we know c5, We can derive the others . In fact, this attack can also be used to obtain results other than numerical ones . Recall that we can apply logical rules and ,or ,typical operators for database queries ,to derive Values from a series of logical operations . For example ,each expression may represent a query asking for precise data instead of counts . The result of the query is a set of records . Using logic and set algebra in a manner similar to our numerical example , we can carefully determine the actual values for each of the s value. Q.71] Explain different controls for Statistical inference attacks. The controls for all statistical attacks are similar.Eventually there are two ways to protect against inference attacks.Either controls are applied to queries or controls are applied to individual items within the database.Query controls are effective primarily against direct attacks. Suppression and concealing are two controls applied to data items.With suppression sensitive data values are not provided; the query is rejected without response.With concealing the answer provided is close to but not exactly the actual value.examples of suppression and concealing are:Limited response suppression Student by dorm and sex Holmes Grey West Total Male 1 3 1 5 Female 2 1 3 6 Total 3 4 4 11 The n-item k-percent rule eliminates certain low frequency elements from being displayed.the data in the table suggests that the cell with count of one should be suppressed as theit counts are too revealing.But it does no good to suppress the male-holmes cell when the value 1 can be determined by substracting femaleholmes from the total to determine I as shown in the next table. Students by dorm and sex with low count suppression. Holmes Grey West Total Male 3 5 Female 2 3 6 Total 3 4 4 11 When one cell is suppressed in a table with total for rows and columns,it is necessary to suppress at least one additional cell on the row and one on the column to provide some confusion. Combined result Student by sex and drug use Drug use Sex Male Female 0 1 2 1 1 2 2 1 2 3 2 0
Another control combines rows or columns to protect sensitive values.these counts combine with other results such as sum,permit us to infer individual drug use. Suppression by combining revealing values Drug use Sex 0 or 1 2 or 3 male 2 3 female 4 2 To suppress sensitive information it is possible to combine the attributes values for 0 and 1 and ,also for 2 and 3,producing the less sensitive results as shown in the table above. Random sample With random sample control a result is not derived from the whole database;instead the result is computed on arandom sample of the database.The sample chosen is large enough to be valid.thus a result of 5 percent for a particular query means that 5 percent of the record chosen for the sample had the desired property.In this way all equivalent queries will produce the saem result,although the result will be fo the entire database. Query analysis A more complex form of security uses query analysis.Here a query and its implications are analysed to determine whether a result should be provided.Query analysis can be quite difficult.One approach involves maintaining a query history for each user and judging a query in the context of what inferences are possible given previous results. Q. 72] Explain aggregation in relation with inference problem. AGGREGATION : Aggregation is a process of building sensitive result from less sensitive inputs. Addressing the aggregation problem is difficult because it require the database management system to track what results each user had already received and conceal any result that would let the user derive a more sensitive result. Aggregation is especially difficult to counter because it can take place outside the system. For example suppose the security policy is that anyone can have either the latitude or longitude of the mine, but not both. The inference problem is a way to infer or derive sensitive data from non sensitive data .The inference problem is a subtle vulnerability in database security. Aggregation was of interest to database security researchers at the same times as was inference. As we have been few proposals for countering aggregation. Q.73] Explain security issues in multilevel databases. Integrity: In case of multilevel database integrity becomes both more important more difficult to achieve. Because of the property of access control, a process that reads high level data is not allowed to write a file at lower level. When this applied to databases, however this principle says that high level user should not be able to write a lower-level data element. The problem with this interpretation arises when DBMS must be able to read all records in the database and write new records for any of the following purpose: to do backups, to scan the database to answer queries, to recognize the database according to user’s processing needs, or to update all records of the database. When people encounter this problem, they handle it by using trust and commonsense. People who have access to sensitive information are careful not to convey it to uncleared individuals. In computing systems, there are two choices: either the process cleared at high level cannot write to lower level, or the process must be a “trusted process”, the computer equivalent of a person with security clearance. Confidentiality:User trusts that database will provide correct information, meaning that the data are consistent and accurate. In multilevel databases two users working at two different levels of security might get two different answers to the same query. In order to preserve confidentiality, precision is sacrificed. Enforcing the confidentiality also leads to unknowing redundancy. Suppose a personnel; specialist works at one level of access permission. The specialist knows tha t Bob Hill works for the company. However Bob’s
record does not appear on the retirement payment roster. The specialist assumes this omission is an error and creates new record for Bob. The reason that no record for Bob appears is that Bob is the secrete agent, and his employment with the company is not supposed to be public knowledge. There actually is a record on Bob in the file but, because of his special position, his record is not accessible to personnel specialist. The creation of new record means that there are two records on Bob; one sensitive and one not. This situation is called ‘polyinstanntiation’ meaning that one record can appear many times with different level of confidentiality at each time.Thus, merely scanning the database for duplicate is not satisfactory way to find records entered unknowingly by people with only low clearances. Q74. Explain different mechanisms to implement separation in databases? Different mechanisms to implement separation in databases are as follows: Partitioning: The obvious control for multilevel databases is Partitioning. The database is divided into separate databases, each at its own level of sensitivity. This approach is similar to maintaining separate files in separate file cabinets. This control destroys a basic advantage of database: elimination of redundancy & improved accuracy through having only one field to update. Furthermore, it does not address the problem of a high-level user who needs access some low-level data combined with high-level data. Encryption: If sensitive data are encrypted, a user who accidentally receives them cannot interpret the data. Thus, each level of sensitive data can be stored in a table encrypted under a key unique to the level of sensitivity but encryption has certain disadvantages. First a user can mount a chosen plaintext attack. Suppose party affiliation of REP or DEM is stored in encrypted from in each record. A user who achieves access to these encrypted fields can easily decrypt them by creating a new record with party=Dem & comparing the resulting encrypted version to that element in all other records. Worse, if authentication data are encrypted, the malicious user can substitute the encrypted form of his or her own data for that of any other user. Not only does this provide access for the malicious user, but it also excludes the legitimate user whose authentication data have been changed to that of the malicious user. These possibilities are shown below:
D E M
Q Z 7
D E M
Original Record Encryption Mechanism
@ P 9 Encrypted Record
Cryptographic Separation: Different Encryption Keys. Integrity Lock: The integrity Lock is a way to provide both integrity and limited access for a database. A model of the basic integrity lock is shown below. As illustrated, each apparent data item consists of three pieces: the actual data item itself, a sensitivity label, and a checksum. The sensitivity label defines the sensitivity of the data, and the checksum is computed across both data and sensitivity label to prevent unauthorized modification of the data item or its label. The actual data item is stored in plaintext, for efficiency because the DBMS may need to examine many fields when selecting records to match a query.
The third piece of the integrity lock for a field is an error detecting code, called a cryptographic checksum. To guarantee that a data value or its sensitivity classification has not been changed, the checksum must be unique for a given database. Data item Sensitivity Checksum
Sensitivity Mark Checksum Fig:
Sensitivity Lock: A Sensitivity Lock is a combination of a unique identifier and the sensitivity level. Because the identifier is unique, each lock relates to one particular record. Many different elements will have the same sensitivity level. A malicious subject should not able to identify two elements having identical sensitivity levels just by looking at the sensitivity level portion of the lock. Because of the encryption, the lock’s contents, especially the sensitivity level, are concealed from plain view. Thus, the lock is associated with one specific record, and it protects the secrecy of the sensitivity level of that record.
Record Number Key K
Sensitivity Lock Q. 75 Explain Integrity Lock DBMS Design ? The integrity lock was proposed at the U.S. The lock is a way to provide both integrity and limited access for database. A model of the basic integrity lock is shown in the figure below. Data Item Sensitivity Checksum
Sensitivity Mark Checksum
As illustrated, each apparent data item consists of three pieces: the actual data item itself, a sensitivity label, and a checksum. The sensitivity label defines the sensitivity of the data, and the checksum is computed across both data and sensitivity label to prevent unauthorized modification of the data or its label. The actual data item is stored in plain text, for efficiency because the DBMS may need to match a query. The sensitivity label should be
Unforgeable, so that malicious subject cannot create a new sensitivity level for an element. Unique, so that a malicious subject cannot copy a sensitivity level from another level. Concealed, so that malicious subject cannot even determine the sensitivity level of an arbitrary
element. The third piece of the integrity lock for a field is an error-detecting code, called a cryptographic checksum. To guarantee that a data value or its sensitivity classification has not been changed, this checksum must be unique for a given element, and must contain both the elements data value and something to tie that value to a particular position in the database. As shown in the figure below Data Item Sensitivity Checksum
Sensitivity Mark Checksum An appropriate cryptographic checksum includes something unique to the record, something unique to this datafield within the record, the value of this element, and the sensitivity classification of the element. These four components guard against anyone’s changing, copying, or moving the data. The checksum can be computed with a strong encryption algorithm such as the Data Encryption Standard(DES). The integrity lock DBMS was invented as a short-term solution to the security problem for multilevel databases. The intention was to able to use any (untrusted) database manager with a trusted procedure that handles access control. The sensitive data were obliterated or concealed with encryption that protected both a data item and its sensitivity. In this way, only the access procedure would need to be trusted because only it would be able to achieve or grant access to sensitive data. The efficiency of integrity lock’s is a serious drawback. The space needed for storing an element must be expanded to contain the sensitivity label. Because there are several pieces in the label and one label for every element, the space required is significant. Q. 76 Explain the trusted front end design model for multilevel databases? A trusted front end is also know as a guard and operates much like the reference monitor. This approach, originated by Hinke and Schaefer, recognized that many DBMSs have been built and put into use without considerations of multilevel security. Staff members are already trained in using these DBMSs ad they may in fact use them frequently. The front-end concept takes advantage of \existing tools and expertise, enhancing the security of these existing systems with minimal change to the system. The interaction between a user, a trusted front end and a DBMS involves the following steps. 1. 2. 3. 4. 5. 6. 7. 8. 9. A user identifies himself or herself to the front end; the front end authenticates the user’s identify. The user issues a query to the front end. The front end verifies the users, authentication to data. The front end issues a query to the database manager. The data base manager performs I/O access, interacting with low level access control to achieve access to actual data. The database manager returns the result of the query to the trusted front end. The front analyses the sensitivity levels of the data items in the result and selects those items consistent with the user’s security level. The front end transmits selected data to the untrusted front end for formatting. The untrusted front end transmits formatted data to the user.
The trusted front end serves as a one way filter, screening out results the user should not be able to access. But the scheme is inefficient because potentially much data is retrieved and then discarded an inappropriate for the user. Q 77. Explain the use of commutative filters at record, attribute, and element level. A commutative filter is a process that forms an interface between the user and a DBMS. However, unlike the trusted front end, the filter tries to capitalize on the efficiently of most DBMSs. The filter reformats the query so that the database manager does as much of the work as possible, screening out many unacceptable records. The filter then provides a second screening to select only data to which the user has access. Filters can be used for security at record, attribute, or element level. 1. When used at record level , the filter requests desired data plus cryptographic checksum information; it then verifies the accuracy and accessibility of data to be passed to the user. 2. At the attribute level, the filter checks whether all attributes in the user’s query are accessible to the user and if so passes the query to the database manager. On return, it deletes all fields to which the user has no access rights. 3. At the element level, the system requests desired data plus cryptographic checksum information. When these are returned, it checks the classification level of every element of every record retrieved against the user’s level. Suppose a group of physicists in Washington works on very sensitive projects,. So the current user should not be allowed to access the physicist’s names in the database. The restriction presents a problem with this query: retrieve NAME where ((OCCUP= PHYSICIST) ^ (CITY=WASHDC)) Suppose, too, that the current user is prohibited from knowing anything about any people in Moscow. Using a conventional DBMS, the query might access all records, and the DBMS would pass the result on to the user. However we have seen the user might infer things about Moscow employees or Washington physicists working on secret projects without even accessing those fields directly. The commutative filter reforms the original query in a trustable way so that threw sensitive information is never extracted from the database. Our sample query would become Retrieve NAME where ((OCCUP= PHYSICIST) ^ (CITY=WASHDC)) From all records R where (NAME-SECRECY-LEVEL (R) <= USER-SECRECY-LEVEL) ^ (OCCUP-SECRECY-LEVEL (R) < = USER-SECRECY-LEVEL)^ (CITY-SECRECY-LEVEL (R) < = USER-SECRECY-LEVEL)) The filter works by restricting the query to the DBMS and the restricting the results before they are returned to the user. In this instance, the filter would request NAME ,NAME-SECRECY-LEVEL , OCCUP, OCCUPSECRECY-LEVEL, CITY , CITY-SECRECY-LEVEL values and then would filter and return to the user those fields on item that are of secrecy level acceptable for the user. The below is an example of query filtering operation:
Q.79] What is purpose of the encryption in multilevel secure database management system? PURPOSE OF ENCRYPTION IN MULTILEVEL SECURE DATABAS MANAGEMENT SYSTEM If sensitive data are encrypted , a user who accidentally receives them cannot interpret the data. Thus, Each level of sensitive data can stored in a table encrypted under a key unique to the level of sensitivity. But encryption has certain disadvantages. First, a user can mount a chosen plaintext attack. Suppose party affiliation of REP or DEM is stored in encrypted form in each record. A user who achieves access t othese encrypted fields can easily decrypt them by creating a new record with party=DEM and comparing the resulting encrypted version to that element in all other records. Worse , it authentication data are encrypted, the malicious user can substitute the encrypted form of his or her own data for that of any other user. Not only does this provide access for the malicious user, but it also excludes the legitimate user whose authentication data have been changed to that of the malicious user. These possibilities are shown in following fig.
D E M
Q Z 7
D E M
@ P 9
Using a different encryption key foe each record overcomes these defects. Each record’s field can be encrypted with different key , or all fields of a record can be cryptographically linked, as with cipher block chaining. The disadvantage, then each field must be decrypted when users perform standard database operations such as “select all records with SALARY >10,000.” Decrypting the SALARY field, even on rejected records, increases the time to process a query . Thus , encryption is not often used to implement separation on database. Q:80] What are the disadvantages of partitioning The obvious control for multilevel databases is partitioning . the database is divided into separate databases , each at its own level of sensitivity . this approach is similar to maintaining separate files in separate file cabinates .
The disadvantages of partitioning are 1. this control destroys the advantage of datadbases : elimination of redundancy and improved accuracy through having only one field to update . 2. furthermore , it does not address the problem of a high level user who needs access some low lovel data combined with high level data 3. Nevertheless, because of the difficulty of establishing , maintaining and using multilevel databases , many users with mixed sensitivities handle their data by using separate , isolated databases . Q 81] Explain inference by sum, inference by count, & inference by median. The inference problem is a way to infer or derive sensitive date from nonsensitive data. The interference problem is a subtle vulnerability in database security. The database in table-1 can help illustrate the inference problem. Recall that AID is the amount of financial aid a student is receiving. FINES is the amount of parking fines still owed. DRUGS is the result of a drug-use survey:0 means never used and 3 means frequent user. Obviously this information should be kept confidential. We assume that AID, FINES, and DRUGS are sensitive fields, although only when the values are related to specific individual. Name Adams Bailey Chin Dewitt Earhart Fein Groff Hill Koch Liu Majors Sex M M F M F F M F F F M Race C B A B C C C B C A C Aid 500 0 3000 1000 2000 1000 4000 5000 0 0 2000 Fines 45. 0. 20. 35. 95. 15. 0. 10. 0. 10. 0. Drugs 1 0 0 3 1 0 3 2 1 2 2 Dorm Holmes Grey West Grey Holmes West West Holmes West Grey Grey
Table-1 Sample Database. The indirect attack seeks to infer a final result based on one or more intermediate stastical results. But this approach requires work outside the database itself. In particular , a stastical attack seeks to use some apparently anonymous statistical measure to infer individual data. Inference by sum: An attack by sum tries to infer a value from a reported sum. For eg: In the table below showing a report student aid by sex and dorm, reveals that no female living in Grey is receiving financial aid. Thus , we can infer that any female living in Grey( such as Liu) is certainly not receiving financial aid. Sums of Financial Aid by Dorm & Sex Holmes M F Total 5000 7000 12000 Grey 3000 0 3000 West 4000 4000 8000 Total 12000 11000 23000
Inference by Count: The count can be combined with the sum to produce some even more revealing results . Often these two statistics are released for a database to allow users to determine average values. Table below shows the count of records for students by dorm and sex. Combined this table demonstrates that two males in Holmes and West are receiving financial aid in the amount of $5000 and $4000 respectively. Sums of Financial Aid by Dorm and Sex Holmes Grey West Total
M F Total
1 2 3
3 1 4
1 3 4
5 6 11
Inference by Median: By a slightly more complicated process, we can determine an individual value from medians. The attack requires finding selections having one point of intersection that happens to be exactly in the middle, as shown in fig-1 below:
Lowest Values for . . . Attribute 2
Highest Values for Attribute 1 . . Median for
Attribute 1; Median for Attribute 2
Highest . . . value for Attribute2
Fig-1: Intersecting Medians.
. . Lowest Values for
Q82]: Explain different types of network. ANS]: Types of Networking :There are many different types of computer networks. Peer-to-peer, ethernet, token ring, local area network (LAN), and wide area network (WAN) are examples of computer network configurations. Each has its own advantages and disadvantages. Peer-to-peer Networks: Peer-to-peer networks are used when only a few computers need to be linked together to share a printer and files. A networking program ( such as Lantastic) is used to facilitate the operation of the network. Ethernet Networks: Ethernet networks can use a configuration that has a central switching hub with a number of computers all connecting tothe hub. A server or bridge to other networks may also be connected to this central switch. The Ethernet protocol allows each computer to request a data download or upload butonly one at a time. If two computers were to request data at exactly the same time, then both requests would be sent back and they would have to re-apply. Each computer and device within the network must be equipped with an Ethernet card. The card is the physical connection between the computer and the network cabling Token ring Networks: Token-ring networks are networks laid out in a ring configuration. Each computer is connected to the one next to it and the last one in the line is connected back to the first. A server or bridge to other networks may also be connected in this ring. The token-ring protocol requires that a computer request a software "token" to
attach to its request for data. The token travels around the ring in one direction looking for a computer in the ring that needs its services, delivering requests, or returning data. All this happens mat very high speeds so that a computer does not have to wait more than a fraction of a second for a free token. Each computer and device within the network must be equipped with a token-ring card. The card is the physical connection between the computer and the network cabling. The token-ring network is mainly an IBM system. Local Area Networks: Local Area Networks (LANs) are usually located in one building and may consist of several small networks linked together. The small networks may be of the same type or a combination of types. A large computer server may act as a central control centre and storage area; or, each network within the LAN may have its own server, and the LAN may exist just to enable the sharing between the networks. The main function of a LAN is to share information and resources like printers and file servers. Computers within the networks may or may not have hard drives (terminals). The protocol programs control the transfer of data between the networks and the individual computer. Novell and Microsoft NT ServerTM are examples of two network software protocol packages commonly used with LAN systems. Wide Area Networks: Wide Area Networks (WANs) are similar to LANs, but the WAN network usually extends to other buildings and in some cases to other places. The networks may be wired together, but in some cases the links include laser beams, microwaves, and/or radio waves. The main function of a WAN is to share information and resources like printers and file servers. Computers within the network may or may not have hard drives (terminals). Internetworks: Internetwork can be defined as network of networks, and also called as internet. It is connection of two or more separate networks. Internet is physically and logically exposed, i.e. any person or even attacker can access internet. Due to its complex connectivity it practically possible to reach any resource connected to the network.The most significant Internetwork is Internet. It has been spread worldwide and it is impossible to count the number of hosts connected to the internet because hundreds of users are getting added to Internet everyday. There is one more type of the networks called as campus area network or CAN which covers the computers in adjacent buildings and they are generally owned by an university or a company. Q 83] Who attacks networks? The three necessary components of an attack are: method, opportunity, motive. The four important motives are: challenge, power, money, ideology. Based on this we can identify who attacks n/w. Challenge: The single most significant motivation for a n/w attacker is the intellectual challenge. He or she is intrigued with knowing he answers to Can I defeat this network? What would happen if I tried this technique or action. Some attackers enjoy the intellectual stimulation of defeating the supposedly undefeatable. Other attackers seek to demonstrate the weakness in the network so that others may pay attention to strengthening the security. Still other attackers are unknown, unnamed attackers who do it for fun. Fame : Some attackers seek recognition for their activities. That is, part of the challenge is doing the deed and the other part is taking the credit for it. They may not be able to brag too openly , but they enjoy the personal thrill of setting their names written up in new media. Money : Financial gains also thrill some attackers. Some attackers seek industrial espionage , seeking information on a company’s products, clients, or long- range plans. Industrial espionage is illegal but it occurs in part because of the high potential gain. Its existence and consequences can be embarrassing for the target companies. Thus many incidents go unreported. There are a few reliable statistics on how much espionage is going on. Ideology: Many security analysts believe that the Code Red worm of 2001 was launched by a group motivated by the tension in the U.S-China relations. We can distinguish between two types of related behavior Hactivism and cyber terrorism. Hactivism involves operations that use hacking techniques against a target’s (n/w ) with the client of disrupting normal operations but not causing serious damage. Cyber terrorism is more dangerous than above and involve politically motivated hacking operations intended to cause grave harm such as loss of life or severe economic damage. Q84. What are the characteristics of networks? Anonymity: A cartoon image shows a dog typing at a workstation and saying to another dog on the internet no knows you are a dog. A network removes most of the clues such as appearance, voice or contacts by which e recognize acquaintances.
Automation: In some networks, one or both end points, as well as all intermediate points, involved in a given communication may be machines with only minimal human supervision. Distance:Many networks connect end points that are physically far apart. Although not all network connections involve distance, the speed of communication is fast enough that humans usually can not tell whether the remote site is near or far. Opaqueness:Because the dimension of the distance s hidden, users can not tell whether a remote host is in room next door or in a different country. In the same way users can not distinguish whether they are connected to node in an office, school, home or warehouse or whether the nodes computing system is large or small, modest or powerful. In fact the users can not tell the current communication involves the same host with which they communicated last time. Routing diversity:To maintain and improve reliability and performance, routing between two endpoints are usually dynamic. That is the same interaction may follow one path through the network for the first time and the different path through the network or the second time. In fact the query may take different path from the response that follows few seconds later Integrity
• • • • • • • • • • • • •
Protocol flaw Active wiretap Impersonation Falsification of message Noise Web site defacement DNS attack Protocol flaw Transmission or component failure Connection flooding DNS attack Traffic redirection Distributed denial of service
• Confidentiality • • • • • • • • • • • • • • • • • • • •
Malicious typed code Protocol flaw Eavesdropping Passive wiretap Misdelivery Exposure whit in the network Traffic flow analysis Cookies Protocol flaw Active wiretap Impersonation Falsification of message Noise Web site defacement DNS attack Protocol flaw Transmission or component failure Connection flooding DNS attack Traffic redirection Distributed denial of service
Q87.List the various reason for which the networks are attacked. The reasons for which the networks are attacked are as follows: Challenge: Why do people do dangerous or daunting things, like climb mountains or swim across the English Channel or engage in extreme spots? Because of the challenge, the situation is no different for someone skilled in writing or using programs. The single most motivation for a network attacker is the intellectual challenge. He or she is intrigued with knowing the answer to can I defeat this network? What would happen if I tried this approach or that technique? Some attacker enjoys the intellectual stimulation of deleting the supposedly undefeatable. Money & Espionage: The challenge of accomplishment is enough for some attackers. But other attackers perform industrial espionage, seeking information on a company’s product, clients or long range plans. We know industrial espionage, has a role when we read about laptops & sensitive papers having been lifted from hotel room s when other more valuable items were left behind. Some countries are notorious for using espionage to aid their state –run industries. Sometimes industrial espionage is responsible for seemingly strange corporate behavior . Fame: The challenge of accomplishment is enough for some attackers. But other attacker seek recognition for their activities. That is part of the challenge is doing the deed, another pert is taking credit for it. In many cases, we do not know who the attacker really are, but they leave behind a “calling card with a recognizable name, mafiaboy often retain some anonymity by using pseudonym but they achieve fane nevertheless. Ideology: In the fast few years, we are stating to find cases in which attacks perpetrated do advance ideological ends. For example, many security analyses believe that the code Red Worm of2001 was launched by a group motivated by the tension in U.S. China relations. Hactivism involves operation that use hacking techniques against a target with the intent of distrusting normal operations but no causing serious damage. Cyberorism is more dangerous than hactivism: practically motivated hacking operations intended to cause grave harm such as loss of life serve economic danger. Q 88)Write a note on Firewall. What are different types of Firewall ? A firewall is a device that filters all traffic between a protected or “inside” network
and a less trustworthy or “Outside” network. Usually a firewall runs on a dedicated device because it is a single point through which traffic is channeled, performance is important, which means nonfirewall functions should not be done on the same machine. Because a firewall is executable code, the attacker could compromise that code and execute from the firewalls device. The purpose of a firewall is to keep bad things outside a protected Environment To accomplish that , firewalls implement a security policy that is specifically designed to address what bad things may happen. For example, the policy might be to prevent any access from outside ( While still allowing traffic to pass from the inside to outside ). Alternatively, the policy might permit accesses only from certain places, from certain users, or for certain activities. Part of the challenge of protecting a network with a firewall is determining which security policy meets the needs of the installation A firewall is a special form of reference monitor. By carefully positioning a firewall within a network , we can assure that all the network accesses that we want to control must pass through it. This restriction meets the “always invoked” condition. A firewall is typically well isolated, making it highly immune to modification. Usually a firewallis implemented on a separate computer, with direct connections only to the outside and inside networks. This isolation is expected to meet the “tamperproof” requirement. And firewall designers strongly recommend keeping the functionality of the firewall simple. Types of Firewall Firewalls have wide range of capabilities. Types of Firewalls include: 1) Packet Filtering Gateways or Screening Routers. 2) Stateful inspection Firewalls. 3) Application proxies. 4) Guards. 5) Personal firewalls. Packet Filtering Gateways: A Packet Filtering Gateways or screening routers is a simplest and in some situations the most effective type of firewall. A Packet Filtering Gateways controls access to packets based on address or specific transport protocol type (such as HTTP web traffic). Stateful inspection firewall: A stateful inspection firewall maintains state information from one packet to another. A stateful inspection firewall would track the sequence of packets and conditions from one packet to another to thwart an attack. Application Proxy: An application proxy gateway also called as bastion host is a firewall that stimulates the effects of an application so that the application will receive only requests to act properly. A proxy gateway is a two headed device. It looks to the inside as if it is the outside connection while to the outside it responds just as the insider would. Guard: A guard is a sophisticated firewall. It receives protocol data units , interprets them, and passes through the same or different protocol data units that achieve either the same result or modified result. Q90] Write a short note on digital distributed authentication Ans) In the 1980’s ,Digital equipment Corporation organized the problem of needing to authenticate nonhuman entities in a computing system. For example a process might retrieve a user query, which it then reformats, perhaps limits, and submits to a database manager. Both the database manager and query processor want to be sure that a particular communication channel is authentic between the two. Neither of these servers is running under the direct control or supervision of a human. Human forms of access control are thus inappropriate. Digital created a simple architecture for this requirement effective against the following threats. • Impersonation of a server by a rogue process for either of the two servers involved in the authentication. • Interception or modification of data exchange between the servers • Replay of previous authentication The architecture assumes that each server has it’s own private key and the corresponding public key is available to or held by every other process that might need to establish an authenticated channel. To begin an authenticated communication between server A and server B,A sends a request to B, encrypted under B’s public key decrypts the request and replies with a message encrypted under A’s public key. To avoid replay, A and B can append a random number to the message to be encrypted. A and B can establish a private channel by one of them choosing an encryption key and sending it to the other in the authentication message .Once the authentication is complete,all communication between the secret key can be assumed to be as secure as was the original dual public key exchange. To protect the
privacy of the channel, Gasser recommends a separate cryptographic processor , such as a smart card ,so that privacy keys are never exposed outside the processor. Q 92] Write a short note on virtual private network. Link encryption can be used to give a network’s users the sense that they are on the private network, even when it is a part of a private network. For this reason, the approach is called a virtual private network. Or (VPN) Typically, physical security and administrative security are strong enough to protect transmission inside the perimeter of the network. Thus, the greatest exposure for user is between the user’s workstation or client and the perimeter of the host network or server. A firewall is an access control device that sits between two networks or two network segment. It filters all traffic between the protected or inside network and less trustworthy or outside network or segment. Many firewalls can be used to implement a VPN. When a user first establishes a communication with the firewall, the user can request a VPN session with the firewall. The user can request a VPN session with the firewall. The user’s client and the firewall negotiate a session encryption key, and the firewall client subsequently used that key to encrypt all traffic between the two. In this way, the larger network is restricted to those given special access by the VPN . In other word, it feels to user that the network is private, even though it is not. With the VPN, the communication passes through an encrypted tunnel or tunnel. Virtual private network are created when the firewall interact with authentication service inside the perimeter .The firewall may pass user authentication data to authentication server and, upon information of authentication identity, the firewall provides the user with appropriate security privileges. For example: known trusted person such as employee or system administrator may be allow to access resources not available to general user. The firewall implements this access control on the basis of VPN. Exposed Communication media Physically protected perimeter
1 2 3 Internal Server Firewall
User’s Workstation (Client)
1 : Client authentication to firewall 2 : Firewall replies with encryption key 3 : client and server communicate via encrypted key Fig : Establishing virtual private network Q93. Write a short note on Intrusion Detection System ? Ans: Intrusion Detection software builds patterns of normal system usage, triggering an alarm any time the usage seems abnormal. After a decade of promising research result in intrusion detection ,products are now commercially available. Some trusted operating systems include a primitive degree of intrusion detection software. Although the problems are daunting, there have been many successful implementation of trusted operating system. In this case we will consider the three properties: 1. Kernalized Design 2. Isolation
3. Ring structuring Kernalized Design: A kernal is the part of an operating system that performs the lowest-level functions. In standard operating system designs, the kernal implements operation such as synchronization, interprocess communication, message passing, and interrupt handling. The Kernel is also called a nucleus or core. The notion of designing an operating system around a kernel is described by Lampson and Sturgis and by Popek and Kline. A security kernel is responsible for enforcing the security mechanism of the entire operating system . The security kernel provides the security interfaces among the hardware ,operating system and other parts of the computing system. Reference monitor: The most important part of the security kernel is the reference monitor, the portion that controls accesses to objects. A reference monitor is not necessarily a single piece of code; rather, it is the collection of access controls for devices, files, memory,interprocess communication an other kinds of objects. The reference monitor concept has been used for many trusted operating systems and also for smaller pieces of trusted software. Trusted computing base:The trusted computing base or TCB is the name we give to everything in the trusted operating system necessary to enforce the security policy. Following are the functions of TCB: • Hardware: including processors, memory, registers and I/O devices. • Some notion of processes, so that we can separate and protect security critical processes. • Primitive files, such as security access control database and identification / authentication data. • Protected memory • Some interprocess communication. TCB implementation : Security related activities are likely to be performed in different places. Security is potentially related to every memory access, every I /O Operation, every file or program access, every initiation or termination of users and every interprocess communication. Separation/ Isolation There are four ways to separate one process from other: Physical separation, temporal separation, cryptographic separation, logical separation. With physical separation, two different processes use two different hardware facilities. For example: sensitive computation can be performed on the reserved computing system, non sensitive task are performed on public system Hardware separation offers several attractive features including support for multiple independent threads of execution, memory protection, mediation of I/O and at least three different degree of execution privilege. Temporal separation occurs when different processes are run at different times. Encryption is used for cryptographic separation, so two different processes can be run at same time, because unauthorized user can not access sensitive data in a readable form . Logical separation also called isolation is provided when process such as reference monitor separates one user’s objects from those of other user. Secure computing systems have been built with each of these form of separation. Ring structuring:It is an example of open design and complete mediation. Q94. What security problems are faced while using Kerberos in distributed system? Kerberos is a system that supports authentication in distributed system. Originally designed to work with secret key encryption. Kerberos is based on idea that a central server provides authenticated tokens called tickets t requesting application. A ticket is unforgeble, nonreplayable, authenticated objects. That is it is an encrypted data structure naming a user and a service that user is allowed to obtain. It also contains a time value and some control information.
Server access request User Service Ticket
Ticket –Granting Server Unique Keys Other Server Other Server
Security problems faced are as follows: • Kerberos requires continues availability of a trusted ticket granting server: Because the ticket granting server is the basis of access control and authentication, constant access to that server is crucial. Both reliability and performance problems are addressed. • Authenticity of server requires trusted relationship between the ticket granting server and every server: the ticket granting server must share a unique encryption key with each trustworthy server. The ticket granting server must be convinced of the authenticity of that server. In a wildly distributed environment an administrator at one site can seldom justify trust in authenticity of server at other sites. • Kerberos require timely transaction: to prevent reply attack Kerberos limits the validity of ticket. A reply attack could succeed during the period of validity, however. And setting the period fairly is hard: too long increases the exposure to reply attacks, while too short requires prompt user actions and risks providing the user with a ticket that will not be honored when presented to a server. Similarly, subverting a server’s clock allows reuse of an expired ticket. • A subverted workstation can save and later reply user passwords: This vulnerability exists in any system in which passwords, encryption keys, or order constant, sensitive information is entered in the clear on a workstation that might be subverted. • Password guessing works. A user’s initial ticket is returned under the user’s password. An attacker can submit an initial authentication request to the Kerberos server and then try to decrypt the response by guessing at the password. • Kerberos does not scale well. The architectural model of Kerberos, assumes one Kerberos server and one ticket-granting server, plus a collection of other servers, each of which shares a unique key with the ticket-granting server. Adding a second ticket-granting server, for example, to enhance performance or reliability, would require duplicate keys or a second set for all servers. Duplication increases the risk of exposure and complicates key up dates, and second keys more than double the work for each server to act on a ticket. • Kerberos is a complete solution. All application must use Kerberos authentication and access control. Currently, few application use Kerberos authentication, and so integration of Kerberos into an existing environment requires modification of existing applications, which is not feasible. Q-95: What firewalls can and cannot block? Firewalls are not complete solutions to all computer security problems. A firewall protects only the perimeter of its environment against attacks from outsiders who want to execute code or access data on the machines in the protected environment.
Firewalls can protect an environment only if the firewalls control the entire perimeter. That is, firewalls are effective only if no unmediated connections breach the perimeter. If even one inside host connects to an outside address, by a modem for example, the entire inside net is vulnerable through the modem and its host. Firewalls do not protect data outside the perimeter; data that have properly passed (outbound)
Authorization Keys Other Server
through the firewall are exposed as if there were no firewall. Firewalls are the most visible part of an installation to the outside, so they are the most attractive target for attack. For this reason, several different layers of protection, called defense in depth, are better than relying on the strength of just a single firewall. • Firewalls must be correctly configured, that configuration must be updated as the internal and external environment changes, and firewall activity reports must be reviewed periodically for evidence of attempted or successful intrusion. • Firewalls are targets for the penetrators. While a firewall is designed to withstand attack, it is not impenetrable. Designers intentionally keep a firewall small and simple so that even if a penetrator breaks it, the firewall does not have further tools, such as compilers, linkers, loaders, and the like, to continue an attack. • Firewalls exercise only minor control over the content admitted to the inside, meaning that inaccurate data or malicious code must be controlled by other means inside the perimeter. Firewalls are important tools in protecting an environment connected to a network. However, the environment must be viewed as a whole, all possible exposures must be considered, and the firewall must fit onto a larger, comprehensive security strategy. Firewalls alone cannot secure an environment. •
Q97. Describe 4 areas related with administrative and physical aspects? The 4 areas related with administrative and physical aspects are : 1. Planning: What advance preparations and study lets us know that our implementation meets our security needs for today and tomorrow.? Every security plan must address seven issues: a) policy, indicating the goals of computer security effort and willingness of the people involved to work to achieve these goals. b) current state, describing the status of security at the time of plan c) requirements, recommending ways to meet the security goals. d) recommended controls, mapping controls to the vulnerabilities identified in the policy and requirements. e) accountability, describing who is responsible for each security activity f) continuing attention, specify a structure for periodically updating the security plan 2. Risk Analysis: How do we weigh the benefits of controls against their costs, and how do we justify any controls? Risk analysis is a process of examining a system and its operational context to determine possible exposures and its potential harm they can cause There are 3 strategies for risk reduction: a). avoiding a risk, by changing requirements for security or the other system characteristics. b). transferring the risk, by allocating risk to other systems, people, organizations, or assets; or by buying insurance to cover any financial loss should the risk become a reality. c)assuming a risk, by accepting it, controlling it with available resources, and preparing to deal with the loss if it occurs. 3. Policy: How do we establish a framework to see that our computer security needs continue to me met? A security policy is a high level management document to inform all users of thegoals and constraints on using the system. A policy document is written in brod enough terms that it does not change frequently. The policy should articulate senior management decision regarding security as well as asserting management's commitment to security. 4. Physical Control: What aspects of the computing environment have an impact on security? Physical Security is a term used to describe protection needed outside the computer system. Typical physical security includes guards, locks and fences to deter direct attacks. Other protection include protection from natural disasters like fires and floods and power outrages. Physical protection is also endangered by human activities. These 4 areas are essential for understanding computer security completely. Q. 98] Explain briefly contents of security plan ? A security plan identifies and organizes the security activities for a computing system . a plan is both a description of the current situation and a plan for improvement. Every security plan must address seven issues. -Policy -Current state -Requirements -Recommended controls -Accountability -Timetable -Continuing attention Policy : A security plan must state the organization’s policy on security. A security policy is a high level statement of purpose and intent. Basically policy is one of the most difficult sections to write well .This includes eight steps as follows: 1.identify enterprise knowledge 2. identify operational area knowledge 3.identify staff knowledge 4.establish security requirements 5. map high priority information assets 6. Perform infrastructure vulnerability evaluation 7. Conduct multidimensional risk analysis 8. develop a protection strategy
- who should be allowed to access ? - to what system and organizational resources should access be allowed ? - What type of access should be allowed? Current security status : To be able to plan for security an organization must understand the vulnerabilities to which it may be exposed .The organization can determine the vulnerabilities by performing the risk analysis. A careful investigation of the system, its environment, and the things that might go wrong. The status can be expressed as a listing of the organizational assets the security threats to the assets and controls in place to protect the assets. Requirements : The heart of the security plan is the set of requirement analysis: functional or performance demands placed on a system to ensure a desired level of security .The requirements are usually derived from organizational needs .A constraint is an aspect of the security policy that directs the implementation of the requirements .The six requirements can be given as follows: Security policy Identification Marking Accountability Assurance Continuous protection The system requirements have following characteristics: Correctness: are the requirements understandable? Are they stated without error ? Consistency : Are there any ambiguous requirements ? Completeness : Are all possible situations addressed by the requirements ?
Security planning process
Security Techniques & controls
Recommended controls :The security requirements lay out the system needs in terms of what should be protected. The security plan must also recommend what controls should be incorporated into the system to meet those requirements. Responsibility for implementation :A section of the security plan should identify which people are responsible for implementing the security requirements . this documentations assists those who must coordinate their individual responsibilities with those of other developers. At the same time, the plan makes explicit who is accountable should some requirement not be mate or some vulnerabilities not be addressed . that is , the plan notes who is responsible for implementing controls when a new vulnerability is discovered or a new kind of asset is introduced . Consider example the group listed below: 1. Personal computer users 2. Project leaders 3. Managers 4. Database administrators 5. Information officers 6. Personal staff members etc.
Timetable: A comprehensive security plan cannot be executed instantly . the security plan includes a timetable that shows how and when the elements of the plan will be performed . these dates also gives milestones so that management can track the progress of implementation . The plan should specify the order in which the controls are to be implemented so that the most serious exposures are covered as soon as possible . The plan must be extensible . Continuing attention : Good intensions are not enough when it comes to security . We must not only take care in defining requirements and controls , but we must find ways to evaluating a system’s security to be sure that the system is as secure as we intend it to be. Q.99 Explain response team in detail. The evolution of the Internet has been widely chronicled. Resulting from a research project that established communications among a handful of geographically distributed systems, the Internet now covers the globe as a vast collection of networks made up of millions of systems.The Internet has become one of the most powerful and widely available communications mediums on earth, and our reliance on it increases daily. Governments, corporations, banks,and schools conduct their day-to-day business over the Internet. With such widespread use,the data that resides on and flows across the network varies from banking and securities transactions to medical records, proprietary data, and personal correspondence.The Internet is easy and cheap to access, but the systems attached to it lack a corresponding ease of administration. As a result, many Internet systems are not securely onfigured.Additionally the underlying network protocols that support Internet communication are insecure, and few applications make use of the limited security protections that are currently available.The combination of the data available on the network and the difficulties involved in protecting the data securely make Internet systems vulnerable attack targets. It is not uncommon to see articles in the media referring to Internet intruder activities.But, exploitation of security problems on the Internet is not a new phenomenon. In 1988 the “Internet Worm” incident occurred and resulted in a large percentage of the systems on the network at that time being compromised and temporarily placed out of service. Shortly after the incident, a meeting was held to identify how to improve response to computer security incidents on the Internet. The recommendations resulting from the meeting included a call for a single point of contact to be established for Internet security problems that would act as a trusted clearinghouse for security information. In response to the recommendations, the reponse teams were developed to enhance the security of systems.CERT Coordination Center (also known as the CERT/CC and originally named the Computer Emergency Response Team) was formed to provide response to computer security incidents on the Internet [CERT/CC 1997b]. The CERT/CC was one of the first organizations of this type—a computer security incident response team (CSIRT2). Q. 100] Give three controls that could have both positive as well as negative effects. 1)Controls have both positive as well as negative effects. 2) Encryption, for example, protects confidentiality, but it also takes time and introduces key management issues . 3)Thus when selecting controls , we have to consider full impact of the control. 4)The creators of the VAM recognized that sometimes attributes enhance security and other times detract from it . For example, heterogeneity may be useful as a control in preventing the proliferation of the same kind of logic error throughout a system. But heterogeneity can also make the system’s design harder to understand and , therefore harder to maintain. 5)The result can be a fragile design that is easy for an attacker to cause to fail. For this reason, VAM as included a rating scheme to reflect the relationship depicted by each cell of the matrix .A cell relating to vulnerability to a security technique contains a number from -2 to +2, according to this scheme. 2 means that the control mitigates the vulnerability significantly and should be a prime candidate for addressing it. • 1 means that the control mitigates the vulnerability somewhat but not as well as one labeled 2, so it should be secondary candidate for addressing it. • 0 means that the vulnerability may have beneficial side effects that enhance some aspect of security. • -1 means that the control worsens the vulnerability somewhat or incurs new vulnerability. • -2 means that the controls worsens the vulnerability significantly or incurs new vulnerabilities. In VAM rating scheme , the matrix is used to support decisions about the controls in the following way. Beginning with the rows of the matrix , each of which corresponds to the vulnerability. •
We follow the row access to look for instances in which a cell is labeled with 2 . Then we follow the column up to its heading, to see which security techniques are strong controls for this kind of vulnerability. In this way, we can look at the implications of using each control to address known vulnerability. Q101. Characteristics of a good security policy If a security policy is written poorly, it can not guide the developers and users in providing appropriate security mechanisms to protect important assets. Certain characteristics make a security policy a good one. Coverage:A security policy must be comprehensive: It must either apply to a explicitly exclude all possible situations. Furthermore, a security policy may not be updated as each new situation arises, so it must be general enough to apply naturally to new cases that occur as the system is used in unusual or unexpected ways. Durability:A security policy must grow and adapt well. In large measure, it will survive the systems growth the expansion without change. If written in a flexible way, the existing policy will be applicable to new situations. However there are times when the policy must be changed (such as when government regulations mandate new security constraints), so the policy must changeable when it needs to be. An important key to durability is keeping the policy free from ties to specific data or protection mechanism that almost certainly will change. For example, an initial version of a security policy might require a ten character password from anyone requiring access to data on the sun workstation in the room 110. But when that workstation is replaces or moved, the policy’s guidance becomes useless. It is preferable to describe assets needing protection in terms of their function and characteristics, rather than in terms of specific implementation. For example the policy on sun workstations could be reworded to mandate strong authentication for access to sensitive student’s grade or customer’s proprietary data. Better still we can separate the elements of policy, having one policy statement for student grades and another for customers’ proprietary data. Similarly we may want to define one policy that may applies to preserving the confidentiality of relationships, and another protecting the use of system through strong authentication. Realism: The policy must be realistic. That is, it must be possible to implement the stated security requirements with existing technology. Moreover, the implementation must be beneficial in terms of cost time and convenience; the policy should not recommend a control that works but prevents the system or user from performing their activities and functions. It is important to make economically worthwhile investments in security just as for any other careful business investments. Usefulness: The obscure or incomplete security policy will not be implemented properly if at all. The policy must be written in language that can be read, understood and followed by anyone who must implement it or is affected by it. For this reason the policy should be succinct, clear and direct. Q 102] Explain various strategies for risk reduction. Good and effective security planning includes a careful risk analysis. A risk is a potential problem that the system or its users may experience. We distinguish a risk from other project event by looking at the loss associated with an event (risk impact), likehood that event will occur (problem), the degree to which we can change the outcome (risk control). There are three strategies of risk reduction:
1. Avoiding the risk, by changing requirements for security or other system characteristics. 2. Transferring the risk, by allocating the risk to other systems, people, organization, or assets; or by
buying insurance to cover any financial loss should the risk become reality.
3. Assuming the risk, by accepting it, controlling it with available resources, and preparing to deal
with the loss if it occurs. For example: we usually want to weigh the pros and cons of different actions we can take to address each risk. To that end, we can quantify the effects of risk by multiplying the risk impact by the risk probability, yielding the risk exposure. If the like hood of virus attack is 0.3 and the cost to clean up the affected files is $10,000, then the risk exposure is $3,000, since it will prevent a much larger potential loss. Clearly the risk
probabilities can change over time, so it is important t to track them and plan for events accordingly. Q103] What are the various steps of risk analysis Steps in Risk Analysis: Step 1 : Identify AssetsThe first step of risk analysis is to identify the assets of computing system. The assets can be considered in acategories as listed below Hardware : processors, boards, monitors, terminals, workstations, tape drive, printers Sofrware : source programs, object programs, purchased programs, in house programs Data : data used during execution, stored data in various media, printed data and audit records People : skills needed to run the computing system or specific programs Documnetation : on programs, hardware, systems, administrative procedures, and entire system Supplies : paper forms, laser cartridges, and printer fluid It is essential to tailor this list to your own situation. No two organizations will have same assets to protect, and something that is valuable in one organization may not be valuable to other. The VAM methodology (Vulnerability Assessment and Mitigation) is a process supported by a tool to help people identify assets , vulnerabilities and counter measures. Step 2 : Identify Vulnerabilities The next step of risk analysis is to identify the vulnerabilities of this assets.. This step requires imagination; we want to predict what damage might occur to the assets and from what sources. We can enhance our imaginative skills by developing a clear idea the nature of the vulnerabilities. This nature derives from the need to ensure the three basic goals of computer security: confidentiality, integrity and availability. Thus, a vulnerability is any situation that could cause loss of any of the three. We have to use a organized approach to consider situations that could cause these losses for a particular object. To organize the way we consider threats and assets we can use a matrix, as shown in table.
Asset Hardware Software Data People Documentation Supplies
In considering the contents of each column, we ask the following questions. What are the effects of unintentional errors ? What are the effects of willfully malicious insiders ? What are the effects of outsiders ? What are the effects of natural and physical disasters ? There is no simple checklist or easy procedure to list all vulnerabilities. But tools can help us conceive of vulnerabilities by providing a structured way to think. Step 3 : Estimate Likelihood of exploitation
The third step is conducting a risk analysis is determining how often each exposure is likely to be exploited. Likelihood of occurrence relates to the stringency of the existing controls and likelihood that someone and something will evade the existing controls . In controls, it is often not possible to directly evaluate an events probability by using observed data for a specific system. Local failure rates are fairly easy to record, and we can identify which failures resulted in security breaches or created new vulnerabilities. In particular, operating system can track data or hardware failures, failed login attempts, number of access. Step 4 : Compute Expected Loss We must determine the likely loss if the exploitation does indeed occur ,this value is difficult to determine .Some costs ,such as the cost to replace a hardware item ,are easy to obtain .The cost to replace apiece of software can be approximated reasonably well from the initial cost to buy it(or specify, design and write it). However, we must take care to include hidden casts in out calculations. These costs are substantially harder to measure. There may be hidden costs that involve legal fees if certain events take place. If a computing system, a piece of software, or a key person is unavailable, causing a particular computing task to be delayed, there may be serious consequences. If a program that prints pay checks is delayed, employee’ confidence in the company may be shaken, or some employees may face penalties from not being able to pay their own bills. If customers cannot make transactions because the computer is down, they may choose to rake their business to a competitor. For some time critical services involving human lives, such as a hospitals life support system or a space station guidance systems, the cost of failure are infinitely high. Thus, we must analyze the ramifications of a computer security failure. Step 5 : Survey and select new controls. We next turn to an analysis of the controls to see which ones address the risk we have identified. Each vulnerability has to be matched with atleast one appropriate security technique. Once it is done we can use our expected loss estimates to help us decide which controls, alone ar in concert, are most cost effective for given situation. While selecting the controls the following questions are answered: What Criteria are used for Selecting Controls ? How do controls affect the way they control ? Which controls are best? Step 6:Project Savings The next step is to determine whether the cost outweighs the benefits of preventing or mitigating the risks. We multiply the risk probability by the risk impact to determine the risk exposure. The effective cost of a given control is the actual cost of the control (such as purchase price, installation costs, and training costs) minus any expected loss from using such controls (administrative or management). Thus, the true cost of a control may be positive in the control is expensive to administer or introduces new risk in another area of the system. Or the cost can even be negative if the reduction in risk is greater than the cost of control Q105. Why should anyone perform a risk analysis in preparation for creating security plan? Effective security planning includes a careful risk analysis. A risk is a potential problem that the system or its users may experience. We distinguish a risk from other project events by looking for three things. A loss associated with an event. The event must generate a negative effect; compromised security, lost time, diminished quality, lost money, lost control, lost understanding & so on. This loss is called the risk impact. The likelihood that the event will occurred there is probability of occurrence associated with each risk, measured from 0 to 1. When risk probability is 1 we say we have problem. The degree to which we can change the outcome we must determine what if anything, we can do to avoid the impact or at least reduce its effects. Risk control involves a set of action to reduce or eliminate the risk. Many of the security controls are the example of risk control. We usually warn to weigh the pro and cons of different actions we take to address each risk. To end we can quantify the effects of risk by multiplying the risk impact by the risk probability, yielding the risk exposure. Clearly risk probability can change overtime, so it is important to track them and plan for events accordingly. In general there are 3 strategies for risk reduction . 1. Avoiding the risk by changing the requirements for security or other system characteristics 2. Transferring the risk, by allocating the risk to other system by people organizations or assets ; or by buying insurance company financial lost should risk become reality
Write a short note on :Security Policies Commercial enterprises have significant security concerns. They worry that industrial espionage will reveal their information to competitors about new products under development. Likewise, corporations are often eager to protect information about the details of their corporate finance. So even the commercial world is usually less rigid, and less hierarchically structured than the military world we still find many of the same concepts in security policies. For example a large organization such as university may be divide into various groups or departments, each responsible for a number of disjoint projects. There may also be some corporate level responsibilities such as accounting and personnel activities. Data items at any level may have different degrees of sensitivity, such as, public, proprietary, or internal; here the names may vary according to the organizations, and no hierarchy applies. Let us assume that public information is less sensitive than proprietary, which in turn is less sensitive than internal. Projects and departments tend to be fairly separated, with some overlap as people work on two or more projects. Corporate level responsibilities tend to overlie projects and departments, as people throughout the organization may have the need for accounting and personnel data. However, even corporate data may have degrees of sensitivity. Projects themselves may include a degree of sensitivity: Staff members on project old-standby have no need to know about new-product, while staff members on new-product may have access on all data on oldstandby. Accounting Personnel
Commercial Security Policies:
3. Assuming the risk, by accepting it, controlling it with available resources and preparing to deal with loss if occurs. Thus cost associated not only with risk potential impact but also reducing it. Risk leverage is difference in risk exposure divided by the cost of reducing the risk. Risk analysis is the process of examining the system and its operational to determine possible exposure and the potential harm they can cause, thus, first step in risk analysis is to identify and list all exposures in the computing system of interest. Then for each exposure we identify possible controls and there cost. The last step is cost benefit analysis: Thus it causes less to implement a control and to accept the cost of the loss? In the remainder of risk section, we describe the risk analysis, present examples of risk analysis methods, and discuss some of the drawback to performing risk analysis. Q110]: Explain the details of hazard analysis techniques 1. Hazard analysis is a set of systematic techniques intended expose potentially hazardous system states. In particular , it can help us expose security concerns and then identify prevention or mitigation strategies to address them . 2. That is hazard analysis ferrets out likely causes of problems so that we can apply appropriate technique for preventing the problem or softeneing its likely consequences . 3. Thus , it usually involves developing hazard lists , as well as procedures for exploring “what if” scenarios to trigger consideration of nonobvious the sources of problems can be lurking in any artifacts of the development or maintainence process , not just in the code , so a hazard analysis must be broad in its domain of investigation :in other words , hazard analysis is a system issue , not just a code issue .
4. Similarly , there re many kinds of problems , ranging from incorrect code to unclear code to unclear consequences of a particular action . a good hazard analysis takes all of them into account . 5. Although hazard analysis is a generally good practice an any project , it is required in some regulated and critical application domains , and it can be invaluable for finding security flaws . it is never too early to be thinking about the sources of hazards : 6. The analysis should begin when you first start thinking about sources of hazards :the analysis should begin when you first start thinking about building a new system or when someone proposes a significant upgrade to an existing system . hazard analysis should continue throughout the system life cycle: 7. You must identify potential hazards that can be introduced during system design installation , operation and maintainence.A variety of a techniques support the identification and maintainence of potential hazards . 8. Among the most effective are hazard and operability studies (HAZOP), failure modes and effects analysis (FMEA) and fault tree analysis (FTA). 9. HAZOP is a structured analysis techniques originally developed for the process control and chemical plant industries . over the last few years it has been adapted to discover potential hazards in the safety critical software system . 10. FMEA is a bottom –up technique applied at the system component level . a team identifies each component ‘s possible faults or fault modes ;then , it determines what could trigger the fault and what systemwide effects each fault might have . by keeping system consequences in mind , the team often finds possible system failures that are not made visible by other analytical means . 11. FTA cmplements FMEA . it is a top –down technique that begins with a postulated hazardous system malfunction . then the FTA team works backwards to identifythe possible precursor to the mishap. By tracing back from a specific hazardous malfunction , we can locate unexpected contributors to mishap and then we look for opportunities to mitigate the risks Known Cause Known effect Unknown effect Description behaviour of system , Unknown Cause deductive analysis including fault tree analysis Exploratory analysis including hazard and operability studies
Inductive analysis including failure modes and effect analysis
Q111] Explain in detail the economics of information security policy Anderson asks that we consider carefully the economic aspect of security when we device our security policy. He points out that the security engineering community tends to overstate security problem because it is in their best interest to do so. “The typical infosec professional is a firewall vendor struggling to meet quarterly sales targets to prop up a sagging stock price, or a professor trying to mine the ‘cyber terrorism’ industry for grants or a policeman pitching for budget to build up a computer crime agency. Moreover the security community is a subject to fads as in other disciplines. Anderson says that the security is trendy in 2002 which means that vendors are pushing firewalls and encryption products that have been oversold and address only part of typical security organization problems. He says that rather on focusing on what is fashionable we focuss on asking for a reasonable return on our investment in security. Soo Hoo’s research indicates that a reasonable number is 20% at the time when companies usually expect 30% return from their investment in IT. It may be more worthwhile to implement more inexpensive measures such as enabling screen locking than larger more complex and expensive measures such as PKI and centralized access control. Q112 ) How are copyrights important in computer security? How do they differ from patents? Copyrights are designed to protect expression of ideas. The right to copy an expression of idea (not an idea) is protected by copyrights. An idea and expression of idea differ from each other. For example an algorithm is as idea. On the other hand code (program) written to implement an algorithm is an expression of idea. So copyright protect the right of copying code i.e. no one else is allowed to use the code with his name, but algorithm can be used by anybody in the world.
A programmer or developr translates an algorithm in to a program i.e. he writes a code to implement an algorithm. A programmer hopes to earn a living by presenting his program in such manner that other people would like to use this software and will pay to use it. The law of copyright protects individuals right to earn living by saying that particular way of expressing an idea belongs to its author. Copyright gives a programmer an exclusive right to make copies of software and only developer (author) can sell his software. In short we can say that copyright does not allow piracy. The law of copyright prevents the others from selling or using pirated copies of software. Patents protect the inventions and ideas. It does not allow others to use the idea or objects, which ware developed newly or invented by some one. An inventor can have a patent of his invention if the invention is new i.e. if nobody else has developed similar objects before. Patents differ from copyrights because they ware developed to protect newly developed items or newly invented ideas, whereas copyrights ware designed to protect the expression of the idea. There is difference between idea and implementation of an idea. Unlike copyrights patent can protect new and useful process, machines, software, etc. Q.113] What is trade secret? List various characteristics of trade secret. TRADE SECRET A trade secret is unlike a patent or copyright in that it must be kept a secret. The information has value only as a secret, and an infringer is one who divulges the secret. Once divulged, the information usually cannot be made secret again. CHARACTERIDTICS OF TRADE SECRETS Reverse Engineering Through reverse engineering someone might discover how a telephone is built; the design of the telephone is obvious from the components and how they are connected. Therefore, a patent id the appropriate way to protect an invention such as a telephone .However, something like a soft drink is not just the combination of its ingredients. Making a soft drink may involve time, temperature, presence of its oxygen or other gases, and similar factors that could not be learned from a straight chemical decomposition of the product. The recipe of a sot drink is a closely guarded trade secret. Trade secret protection works best when the secret is not apparent in the product. Applicability to computer Objects Trade secret protection applies very well to computer software. The underlying algorithm of a computer program id novel, but its novelty depends on nobody else’s knowing it. Trade secret protection allows distribution of the result of a secret while still keeping the program design hidden. Trade secret protection does not cover copying a product, so it cannot protect against a pirate who sells copies o someone else’s program without permission. Difficulty of Enforcement Trade secret protection is of no help when someone infers a program’s design by studying its output or, worse yet, decoding the object code. Both of these are legitimate activities, and both cause trade secret protection to disappear. Q114] Explain various legal issues relating to information. Source code, object code and even the “look and feel” of a computer screen are recognizable,if not tangible objects. Legal issues relating to Information: Information can be related to trade secrets in that information is the stock in trade of the information seller.While the seller has the information trade secret protection applies naturally to the sellers legitimate ability to profit from the information.Thus, the courts recognize that the information has value. The trade secret is not secure if someone else can derive or infer from it. Other forms of protection are offered by copyrights and patents. Neither of these applies perfectly to computer hardware or software, and they apply even less to information. Criminal and Civil Law: Statutes are laws that state explicitly that certain actions are illegal.Often,a violation of a statute ill result in a criminal trial in which the government argues for punishment because an illegal act has harmed the desired nature of society. Civil law is a different type of law not requiring such a high standard of proof of guilt.In a civil case an individual claims damages. The goal of a civil case is restitution. Tort Law: A tort is a harm not occurring from violation of a statute or from being counter to the accumulated body of precedents. Computer information is perfectly suited to tort law.The court merely has to decide what is reasonable behaviour. Contract Law: A third form of protection for computer objects is contracts. A contract is an agreement between two parties. A contract must involve three things: An Offer; An Acceptance A Consideration
Information is often exchanged under contract. Contracts are ideal for protecting the transfer of information because they can specify any conditions.” You have the right to use , to view, but not to sell or modify this information”. Q.115] List issues involved in software vulnerability reporting argument. What are technical issues? Select a vulnerability reporting process that you think is appropriate and explain why It meet more requirements from any other process ? From rule based ethical theory attackers are wrong to perform malicious attacks. Notoriety or credit for finding the flaws is a small interest. Following are issues involved in software vulnerability reporting argument. Full Disclosure: It helps user’s asses the seriousness of vulnerability and apply appropriate protection. But it also gives attackers more information with which to formulate attacks. Early full disclosure before the vendor has countermeasures ready may actually harm users by leaving them vulnerable to a now widely known attack. Partial Disclosure:One can argue that the vulnerability details are there to be discovered; when vendor announces a patch for an unspecified flaw in a product, the attacker will then spread a complete description of vulnerability to other attackers through an underground network and attack will start against users who may not have applied the vendors fix. No Disclosure:Users are best served by a scheme in which every so often new code is released, sometimes fixing security vulnerabilities, sometime adding new features. But without sense of significance or urgency, users may not install this new code. Of all the vulnerability reporting process ‘Responsible’ vulnerability reporting seems best. Other reporting such as Users Interest is more favor to users and Venders Interest is more favors to vendors. In case of ‘Responsible’ vulnerability reporting compromisation between these two is achieved. This process meets constraints of timeliness, fair play and responsibility. User report a suspected vulnerability a ‘reporter’ and the manufacturer the ‘Vendor’. A third party such as a computer emergency response center called ‘Coordinator’ is required when there is a conflict of power issues between reporter and vendor. Basically process requires reporter and vendor to do the following: • The vendor must acknowledge vulnerability report confidentiality to the reporter. • The vendor must agree that the vulnerability exists confidentially to the reporter. • The vendor must inform users of vulnerability and any available countermeasure within 30 days or request additional time from the reporter as needed. • After informing user, the vendor may request from the reporter a 30 days quit period to allow users tie to install pitchers. • At the end of the quit period the vendors and reporter should agree upon a date at which time the vulnerability information may be released to general public. • The vendor should credit reporter with having located the vulnerability. • If the vendor does not follow these steps, the reporter should work with a co-coordinator to determine responsible way to publicize the vulnerability. Q 116: Is cracking a benign practice? Explain in details. Ans :Many people argue that cracking is an acceptable practice because lack of protection means that the owners of systems or data do not really value them. Spafford questions this logic by using the analogy of entering a house. Consider the argument that an intruder who does no harm and makes no changes is simply learning about how computer systems operate.” Most of these people would never think to walk down a street, trying every door to find one unlocked, then search through the drawers or the furniture inside .Yet, these same people seem to give no second thought to making repeated attempts at guessing passwords to accounts they do not own, and once onto a system, browsing through the files on disk.” How would you feel if you knew your home had been invaded, even if no harm was done? Spafford noted that breaking into a house or a computer system constitutes trespassing. To do so in an effort to make security vulnerabilities more visible is “presumptuous and reprehensible”. To enter either a home or a computer system in unauthorized way, even with benign intent can lead to unintended consequences. “Many systems have been damages accidentally by ignorant intruders.” Q118. Compare copyright, patent and Trade secret protection. Ans: Comparison of copyright, patent & Trade Secret protection is as follows:
COPYRIGHT Protects Expression of idea, not idea itself
PATENT Invention – the way something works
TRADE SECRET A secret, competitive advantage No
Protected object made public
Yes; intention is to promote publication
Design filled at Patent Office
Requirement distribute Easy of filling
yes Very easy, do- it- yourself
No Very complicated; specialist lawyer suggested
No No filling
Life of human originator plus 70 years, or total of 95 years for a company
Sue if unauthorized copy sold
Sue if invention copied
Sue if improperly obtained
Q.119 Explain the Codes of Ethics? Ans: Various Computer groups like ACM, IEEE and DPMA have developed there codes of ethics they are as follows: IEEE The IEEE has produce codes of ethics for its members. The IEEE is an organization of engineers,not limited to computing.There codes of ethics are given below We the members of the IEEE, in reorganization of the importance of ours technologies in affecting the quality thought of the world. 1.to accept responsibility in making engineering decisions consistent with the safety, health and welfare of the public, and to disclose promptly factors that might endanger the public or the envoirment; 2.to avoid real or perceived conflicts of interest whenever possible. 3. to be honest and realistic in stating claims or estimates based on available data 4. to reject bribery in all of its forms 5. to improve understanding of technology 6. to maintain and improve our technical competence and to undertake or after full disclosure of pertinent limitations; 7.to avoid injuring others, their property, reputation, or employment by false or malicious action; 8. to assist colleagues and coworkers in their professional development and to support them in the following this code of ethics. ACM: The ACM codes of ethics recognizes three kinds of its members.The code ethics has three sections(plus fourth commitment section) as shown below As an ACM member I will… 1.1 Contribute to society and human well-being 1.2 Avoid harm to others 1.3 Be honest and trustworthy 1.4 Be fair and take action not to discriminate 1.5 Honor property rights including copyright and patterns
1.6 Respect the privacy of the others 1.7 Honor the confidentiality As an ACM computing professtional I will…. 2.1 Strive to achieve the highest quality,effectiveness and dignity in both the process and products of the professional work 2.2 know and respect existing laws pertaining to professional work 2.3 Accept and provide appropriate professional review 2.4 Honor the contracts,agreements, and assigned responsibilities 2.5 Improve public understanding of computing and its consequences 2.6 Access computing and communication resources only when authorized to do so As an ACM member and an organization leader, I will… 3.1 Articulate the social responsibilities of members of the organizational unit and encourages full acceptance of those responsibilities 3.2 Manage personnel and resources 3.3 Articulate and support policies that protect the dignity of users and others affected by the a computing system 3.4 Create the opportunities for members of the organization to leran the principles and limitations of computer systems As an ACM member, I will… 4.1 Uphold and promote the principal of this code 4.2 treat the violations of this code as inconsistent with membership in the
Computer Ethics Institute The Computer Ethics Institute is a nonprofit group that aims to encourage people to consider the ethical aspects of their computing activities. They are as follows: 1. Thou shalt not use a computer to harm the other people. 2.Thou shalt not interfere with others people’s computer work. 3.Thou shalt not snoop around others people computers. 4.Thou shalt not use a computer to steal. 5.Thou shalt not use a computer to bear false witness. 6 Thou shalt not use or copy the computer software for which you have not paid. 7.Thou shalt not appropriate other peoples intellectual output 8.Thou shalt think about the social consequences of the program you are writing or the system you are designing. 9. Thou shalt not use a computer in the ways that insure consideration and respect for yur fellow humans . 120. Compare and contrast Law & Ethics. LAW: As we know that Law is not always the appropriate way to deal with issues of human behavior. It is difficult to define a law to preclude only the events we want it to. For example, a law that restricts animals from public place must be refined to permit guide dogs for the blind. ETHIC:-An Ethic is objectively defined standards of right or wrong .Ethical standard are often idealistic principles because they focus on one objective. In a given situation , however , several objective may be involved, so people have to determine an action that is appropriate, considering all the objectives .Therefore, through our choice, each of us defines a personal set of ethical practices set of ethical principles is called an ethical system. An ethic is different from Law in several important ways. Hence they are given a follows:Serial no. 1 2 3 4 5 6 7 Law Describe by formal, written documents Interpreted by courts Established by Legislatures representing all people. Applicable to everyone Priority determined by courts if two law conflicts. Court is final arbiter of “right” Enforceable by police and courts Ethic Describe by written principles Interpreted by each individuals Presented by philoshopers,religions, Professional groups. Applicable to personal. Priority determined by an individual if two principles conflicts. No external arbiter. Limited enforcement.
Law can be enforced to rectify wrong done by unlawful behavior
In ethic, two people may have different framework for making moral judgments.
Q121) Why is computer crime is hard to prosecute? Ans.: Even when everyone acknowledges that the computer crime has been committed, computer crime is hard to prosecute for the following reasons. • Lack of understanding. Courts, lawyers, police agents, or jurors do not necessarily understand computers. Many judges began practicing law before the invention of computers, and most began before the widespread use of the personal computer. Fortunately, computer literacy in the courts is improving as judges, lawyers, and police officers use computers in their daily activities. • Lack of physical evidence. Police and courts have for years depended on tangible evidence, such as fingerprints. As readers of Sherlock Holmes know, seemingly minuscule clues can lead to solutions to the most complicated crimes. But with many computer crimes there simply are no fingerprints and no physical clues of any sort. • Lack of recognition of assets. We know what cash is, or diamonds, or even negotiable securities. But are twenty invisible magnetic spots really equivalent to a million dollars? Is computer time an asset? What is the value of stolen computer time if the system would have been idle during the time of the theft? • Lack of political impact. Solving and obtaining a conviction for a murder or robbery is popular with the public, and so it gets high priority with prosecutors and police chiefs. Solving and obtaining a conviction for an obscure high-tech crime, especially one not involving obvious and significant loss, may get less attention. However, as computing becomes more pervasive, the visibility and impact of computer crime will increase. • Complexity of case. Basic crimes that everyone understands, such as murder, kidnapping, or auto theft, can be easy to prosecute, a complex money-laundering or tax fraud case may be more difficult to present to a jury because jurors have a hard time following a circuitous accounting trail. But the hardest crime to present may be a high-tech crime, as root access by a buffer overflow in which memory was overwritten by other instructions, which allowed the attacker to copy and execute code at will and then delete the code, eliminating all traces of entry. • Juveniles. Many computer crimes are committed by juveniles. Society understands immaturity and disregards even very serious crimes by juveniles because the juveniles did not understand the impact of their actions. A more serious, related problem is that many adults see juveniles computer crimes as childhood pranks, the modern equivalent of tipping over an outhouse. Even when there is clear evidence of a crime, the victim may not want to prosecute because of possible negative publicity. Banks, insurance companies, investment firms, the government, and the health care groups think their trust by the public will be diminished if a computer vulnerability is exposed. Also, they may fear repetition of the same crime by others: so-called copycat crimes. For all of these reasons, computer crimes are often not prosecuted. Q 122] Why do we need separate category for computer crime? Why is it hard to define? Crimes can be organized into certain categories including murder, robbery, and littering. We do not separate crime into categories for different weapons such as gun crime or knife crime but we separate crime victims into categories depending on whether they are people or other objects. Consider an example to see why these categories are not sufficient and why we need special laws relating to computers as subject and object of crime. Rules and property: Parker and Nycom describe the theft of a trade secret proprietary software package. The theft occurred across state boundaries by means of telephone lines; this aspect is important because it means that the crime is subject to federal law as well as state law. The legal system has explicit rules about what constitutes property. Generally property is tangible unlike magnetic impulses. For example authorized use of a neighbor’s lawn mower constitutes theft, even if the lawn mower was returned in the same condition as it was when taken. To a computer professional taking a copy of computer package without permission is clear cut theft. A similar problem arises with computer services. We would generally agree that unauthorized access to a computing system is a crime. Rules and evidence:
Computer printouts have been used as evidence in much successful fraud prosecution. Under the rules of evidence courts prefer an original source document to a copy, under the assumption that the copy may be inaccurate or may be modified in the copying process. However magnetic and optical media are often the primary means of storing data today. The biggest difficulty with computer based evidence in court is being able to demonstrate the authenticity of the evidence law enforcement officials operate under a chain of custody requirement: from the moment a piece of evidence is taken until it is presented in the court, they track clearly and completely the order and identities of the people who had personal custody of that object. The reason for that chain custody is to ensure that nobody has had the opportunity to alter the evidence. With computer based evidence it can be difficult to establish chain of custody. Threats to integrity and confidentiality: The integrity and secrecy of data are also many issues in many court cases. The computing system contains confidential records about people and integrity of data was important. The prosecution of this case had to be phrased in terms of theft of computer time and valued as such, even though that was insignificant compared with loss of privacy and integrity. However several federal and state laws recognize the privacy of data about individuals. Acceptance of computer terminology: The law is also lagging behind technology in its acceptance of definition of computing terms. For example according to federal statute it is unlawful to commit arson within federal enclave. Part of that act relates to “machinery or building materials” in the enclave, but court decision have ruled that a motor vehicle located within a federal enclave at the time of burning was not included under this statute. So it is not clear whether computer hardware constitutes “machinery”, “supplies” almost certainly does not include software. Computer crime is hard to define because: Some people in the legal process do not understand computers and computing so crime involving computers are not always treated properly. Creating and changing laws are slow processes. This process is very much out of space with a technology that is progressing as fast as computing. Adding to the problem of a rapidly changing technology, a computer can perform many roles in a crime. A computer can be the subject, object, or a medium of crime. A computer can be attacked, used to attack and as a means to commit crime Q 123] Briefly discuss laws around the world that differ from U.S.laws & that should be of interest of computer security. There are some laws from U.S. which defines aspect of crime against or using the computer. These laws include: 1) U.S.Computer fraud and Abuse Act. The primary federal statute prohibits: a) unauthorised access to a computer containing data protected for national defense or foreign relations concerns b) unauthorised access to a computer containing certain banking or financial information c) unauthorised access, use, modification, destruction or disclosure of a computer or information ina computer operated on behalf of US govt. d) accessing without permission a "protected computer" which the courts now interpret to include any computer connected to the Internet. e) Computer Fraud 2) U.S.Economics Espionage Act. The 1996 Act outlaws use of computer for foreign espionage to benefit a foreign country or business or theft of trade secrets 3) U.S. Electronic Funds Tranfer Act This law prohibits use, transport, sale, receipt, or supply of counterfeit, stolen, altered, lost or fraudently obtaineddebit instruments in the interstate or foreign commerce. 4) U.S. Freedom of Information Act This Act provides public access to information collected by the executive branch of the federal Govt. The Act requires disclosure of any available data, unless the data fall under one of the several specific exceptions, such as national security or personal privacy. The law's original intent was to release to individual any information the Govt. had collected on them. Even foreign Govt.'s can file for information. This Act applies only to the Govt. agencies although similar laws could require disclosure from private resources. 5) U.S. Privacy Act
The privacy Act of 1974 protects the privacy of personal data collected by Govt. An individual is allowed to determine what data have been collected on him or her, for what purpose, and to whom such information has been desseminated. The additional use of the law is to prevent one Govt. agency from accessing data collected from another purpose. Q 125] Explain the taxonomy of ethical theories? There are two bases of ethical theories, each applied in two ways. The two bases are consequences-based and rule-based, and the applications are either individual or universal. The taxonomy of ethical issues includes following points:a) Difference between the laws & Ethics: It is impossible or impractical to develop laws to describe and enforce all forms of behavior acceptable to society. Instead society relies on ethics or morals to prescribe generally accepted standards of proper behavior. Ethics are an objectively defined standard of right and wrong. The study of ethics is not easy because the issues are complex. We can analyze a situation from an ethical perspective and reach ethical conclusions without appealing to any particular religion or religious framework. b) Ethical Principle Are Not Universal : Ethical values vary by society, and from person to person within a society. Although these aspects of ethics are quite reasonable and understandable, they lead people to destruct ethics because it is not founded on basis principles all can accept. Also, people from scientific or technical background except precision and universality. c) Ethics Does Not Provide Answers : Ethical pluralism is recognizing or admitting that more than one position may be ethically justifiable even equally so in a given situation. Pluralism is another way of noting that two people may legitimately disagree on issues of ethics. However in the scientific and technical fields, people except to find unique, unambiguous, and unequivocal answers. Science has provided life with fundamental explanations. Ethics is rejected or misunderstood by some scientists because it is “soft, “meaning that it has no underlying framework or it does not depend on fundamental truths. d) Ethical Reasoning : Most people make ethical judgment often, perhaps daily. Because we all engage in ethical choice, we should clarify how we do this so that we can learn to apply the principles of ethics in professional situations, as we do in private life. Study of ethics can yield two positive results. First, in situation where we already know what is right and what is wrong, ethics should help us justified our choice. Second, if we do know the ethical action to take in a situation, ethics can help us identify the issues involved so that we can make reasoned judgment.