TU Wien:Foundations of System and Application Security VU (Lindorfer)/Exam 2024-11-28

From VoWi
  1. iOS
    1. iOS is based on Darwin (a Unix-like OS for mobile devices)
    2. Apps on iOS run via the iOS Runtime (IRT)
    3. iOS apps need to ask for permission before getting access to the internet
    4. Apps in iOS are sandboxed
  2. Android
    1. Android is based on Darwin
    2. Apps on Android run via the Android Runtime (ART)
    3. Android apps need to ask for permission before getting access to the internet
    4. Apps in Android are sandboxed
  3. iOS
    1. iOS apps are uniquely identified by their package name, both on the app store and on the device.
    2. Since the DMA, only browsers using WebKit are allowed on iOS
    3. It is not possible to embed a website in an iOS app, unlike on Android where it is possible
    4. iOS devices don't contain special hardware to ensure physical integrity, like TRNGs
  4. Android
    1. If the OS cannot be verified, the system will have a constant red/orange/yellow border around it to notify the user
    2. Since Android 11 an app gets all the permissions set in its Manifest file
    3. The OS is only checked when the bootloader is locked
    4. Unless there is a bug or a backdoor it is not possible to extract fingerprint information from the fingerprint component of a mobile device
  5. Linux
    1. -
    2. The kernel reads the executable's header to find out which interpreter/loader to use
    3. Capabilities are lost when the file is changed
    4. -
  6. Coordinated disclosure
    1. Is when you sell your bug/vulnerability to the highest bidder
    2. You can keep your identity anonymous by reporting the bug via your national CERT (e.g. CERT.at in Austria)
    3. The organisation should make sure to fix the bug as soon as possible
    4. You should be able to find contact information for CVD on the organisation's website
  7. M4: Insufficient Input/Output Validation: Name one vulnerability under this category for mobile devices and what can be done to prevent it.
  8. M5: Insecure Communication: Name one vulnerability under this category for mobile devices and what can be done to prevent it.
  9. Describe what a UAF (use-after-free) vulnerability is and how it can be exploited to achieve arbitrary code execution.
  10. You have gotten shell access to a Linux system. Unfortunately, the `ps` command is disabled. Name four types of (meta-)information you can find in the pseudo-file system `/proc`.