TU Wien:Software Security VU (Weippl)/Midterm Exam 2017-04-24

From VoWi

25 points possible:

  1. Name two types of injection vulnerabilities (according to OWASP Top 10) and describe them. (2 pts)
  2. Name and briefly describe the basic threat modeling steps according to the MS SDL. (3 pts)
  3. Name two important practices in the context of OWASP SAMM and describe them. (2 pts)
  4. Describe the two secure design principles (I) Least Privilege and (II) Fail Secure. (2 pts)
  5. Why is correct disassembly of binaries not always so easy? What are potential problems? (2 pts)
  6. Why do we need obfuscation and cannot just rely on cryptography for software protection? (1 pt)
  7. Briefly describe the differences between static and dynamic analysis. (1 pt)
  8. What are the characteristics of basic blocks in a control flow graph? (2 pts)
  9. What is the difference between a disassembler and a decompiler? (1 pt)
  10. Explain the obfuscation technique "Opaque Predicates". (1 pt)
  11. What is Packing/Unpacking? Explain this technique. (2 pts)
  12. What is Instrumentation and what can it be used for? (1 pt)
  13. Briefly describe code signing and why it is useful. (1 pt)
  14. Give a short description of the differences between breakpoints, watchpoints and catchpoints. (2 pts)
  15. Give a description of 3 methods that help to prevent exploitation. (2 pts)