Some probable midterm questions

DISCLAIMER
These questions are models only. Some of these questions may or may not appear in the midterm. Questions in the midterm may or may not be in this presentation. This presentation is strictly in
Some questions for Chapter 1
Why is static analysis necessary?
What is the difference between security features and secure features?
Why is testing not enough to determine whether a program is secure?

Questions for Chapter 2
Is it possible to produce a perfect static analysis tool? Why or why not?
What is the difference between a static analysis tool and a bug finder?

Questions for Chapter 3
Is the "number of possible vulnerabilities per line of code" a useful metric?
Somebody believes that doing a security analysis is a waste of time. What arguments would yo

Questions for Chapter 4
How can data-flow analysis impact static analysis?
What is the importance of parsing in static analysis?

Questions for Chapter 5
Give an example of input handled badly which resulted in a computer take-over.
What data should be validated?
Why is blacklisting not a good idea?
How would you validate an input which is supposed to be a person's full name?

Questions for Chapter 6
Why are buffer overflows dangerous?
How can we avoid buffer overflows?
How can we detect buffer overflows?

Questions for Chapter 7
How can integer overflows lead to vulnerabilities?
What problems are there with integer arithmetic that can cause vulnerabilities?

Questions on Chapter 8
What kinds of error handling can a programmer use?
How can an exception vanish?
What problems can be introduced with error handling?
What are some good practices for error logging?
What are Easter Eggs?
Questions on Chapter 9
What is wrong with GET vs POST?
What is XSS and why is it bad? How can it be stopped?
What other problems are there with web sites?
Questions for Chapter 10
What is XML? What is its use?
Should XML input be validated? If yes, how? If no, why?

Questions for Chapter 11
How can secrets be protected?
How can private data be protected in transit? What software needs to be used?
Why is random() not a good function to use in security?
What are your chances of finding useful information that a program left behind a week earlier in
Questions on Chapter 12
Does the admin user on Macs have absolute privileges? Why or why not?
What is the difference between the effective UID and the real UID?
How can chroot() be used? Why is it dangerous?
What are race conditions?
What is a safe directory?
Questions on Secure Design Principles
How many design principles are not being fulfilled in Windows? Which are they?
How would yo
What is a covert channel?
- Slides: 15