Unit 4 - Practice Quiz

The four necessary conditions for deadlock are Mutual Exclusion, Hold and Wait, No Preemption, and Circular Wait. Preemption, the act of taking a resource away from a process, is a method to prevent deadlocks, not a condition that causes them.

The 'Hold and Wait' condition describes a situation where a process is currently holding one or more resources while simultaneously waiting for another resource that is currently held by a different process.

By enforcing a strict order in which resources must be requested (e.g., always request resource R1 before R2), a circular chain of requests becomes impossible, thus preventing the 'Circular Wait' condition.

The Banker's Algorithm is a classic deadlock avoidance algorithm. It checks if granting a resource request to a process will lead the system into an 'unsafe' state, where a deadlock might occur. If the resulting state is safe, the request is granted; otherwise, it is denied.

A direct way to break a deadlock is to abort one or more of the processes involved. This frees up the resources held by the terminated process, allowing other processes in the deadlock cycle to proceed.

Starvation, or indefinite blocking, occurs when a process is ready to run but is continuously passed over by the scheduler, perhaps due to a low priority. As a result, it never gets the resources (like the CPU) it requires to make progress.

The CIA Triad consists of Confidentiality (preventing unauthorized disclosure of information), Integrity (preventing unauthorized modification of information), and Availability (ensuring information and resources are accessible to authorized users when needed).

The Principle of Least Privilege is a security best practice that dictates that a user, process, or program should only have the bare minimum permissions required to perform its function. This minimizes the potential damage from a security breach.

A backdoor (or trapdoor) is a hidden method of bypassing security controls, authentication, or encryption in a computer system, product, or embedded device. It is often created for legitimate purposes but can be exploited if discovered by attackers.

Authentication is the process of confirming that a user, device, or entity is who or what it claims to be. It is the first step in providing secure access to a system.

The defining characteristic of a computer virus is its ability to replicate itself and spread from one computer to another by attaching itself to a host program or file.

A protection domain is an abstract concept that defines a set of objects and the types of operations that may be invoked on each object. A process executes in a specific domain and can only access resources within that domain.

An access matrix is a model where the rows represent subjects (e.g., processes) and the columns represent objects (e.g., files). The entry at [row i, column j] specifies the access rights that subject i has on object j.

A Denial-of-Service (DoS) attack aims to disrupt the normal functioning of a server, service, or network by flooding it with an overwhelming amount of traffic, rendering it inaccessible to legitimate users.

Reusing the same password across multiple services is a significant security risk. If one service is breached and the password is stolen, attackers can use it to gain access to all other accounts where that password was used.

A buffer overflow occurs when the volume of data exceeds the storage capacity of the memory buffer. This can cause data to overwrite adjacent memory locations, which can be exploited by attackers to run malicious code.

The core purpose of OS security is to control who can access the system and its resources, ensuring the confidentiality and integrity of user and system data against unauthorized actions.

Phishing is a type of social engineering attack where attackers impersonate a trustworthy entity in an electronic communication to lure victims into revealing sensitive data.

An Access Control List (ACL) corresponds to a column in the Access Matrix. For each object (like a file), the ACL specifies all the subjects (users) that have access to it and what their specific permissions are.

A Trojan Horse is a type of malware that disguises itself as a legitimate program. Unlike a virus or worm, it does not self-replicate, but it can create a backdoor for an attacker or steal sensitive information.

First, calculate the total allocated resources by summing the Allocation columns: (2+4+1, 1+0+1, 3+2+2) = (7, 2, 7). Next, calculate the Available vector by subtracting the total allocated resources from the total instances: (12-7, 7-2, 10-7) = (5, 5, 3). Now, use the Banker's algorithm to check for a safe state. We need the Need matrix (Max - Allocation):

• P0 Need: (6, 3, 2)
• P1 Need: (2, 2, 0)
• P2 Need: (2, 2, 1)
  With Available = (5, 5, 3), we can satisfy the need of P1 or P2. Let's choose P1. P1 runs and releases its resources. New Available = (5, 5, 3) + (4, 0, 2) = (9, 5, 5). Now, with the new Available vector, we can satisfy P2's need. P2 runs and releases its resources. New Available = (9, 5, 5) + (1, 1, 2) = (10, 6, 7). Finally, we can satisfy P0's need. Since a safe sequence like <P1, P2, P0> exists, the system is in a safe state.

The 'Hold and Wait' condition states that a process must be holding at least one resource and waiting to acquire additional resources that are currently being held by other processes. By forcing a process to release its held resources (R1) when its new request (for R2) cannot be immediately granted, the system ensures that a process cannot hold a resource while waiting for another. This directly breaks the 'Hold and Wait' condition.

While a buffer overflow can cause a crash (Denial of Service), the more sophisticated goal is to gain control of the program's execution flow. By overflowing a buffer on the stack, an attacker can overwrite the saved return address. When the function attempts to return, it will instead jump to a memory location specified by the attacker, which typically contains malicious shellcode, allowing for arbitrary code execution.

Access Control Lists (ACLs) are stored with the objects (e.g., files). An ACL for a file is a list of users/groups and their corresponding permissions for that file. To verify if user U can write to file F, the system only needs to look up the ACL for file F and check for an entry for user U with write permission. This is a direct and efficient lookup. In contrast, finding all files a user can access would require iterating through the ACL of every file in the system, which is very inefficient.

The Principle of Least Privilege dictates that a process or user should be given only those privileges that are essential to perform its intended function. Running a web server as root gives it far more power than it needs (e.g., the ability to modify any system file, install software, or shut down the machine). If the web server is compromised, the attacker gains full control of the system. The correct approach would be to grant the server only the specific permissions it requires.

While enforcing a resource ordering effectively prevents circular wait, it can lead to poor resource utilization and process delays. A process might need a resource with a high number (e.g., R5) and a resource with a low number (e.g., R1). Even if R5 is available, the process must first request and acquire R1, even if it doesn't need R1 until much later. This artificial ordering can force processes to acquire and hold resources long before they are actually needed, reducing overall system efficiency.

Starvation, or indefinite blocking, occurs when a process is perpetually denied necessary resources to complete its work. In this scenario, the CPU is the resource, and the low-priority process is starved because higher-priority processes are always chosen by the scheduler. This is different from deadlock, where processes are in a circular wait for resources held by each other. Here, the low-priority process is simply never selected to run.

A salt is a unique, random value added to each user's password before it is hashed. This means that two users with the same password will have different hashes stored in the database. An attacker who steals the password database cannot use a rainbow table (a pre-computed list of hashes for common passwords) to crack all passwords at once, because they would need a separate rainbow table for every unique salt. This makes brute-force attacks against the entire database significantly more difficult.

A Man-in-the-Middle (MITM) attack occurs when an attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. The attacker intercepts all messages passing between the two victims and injects new ones, making it appear as if a normal conversation is taking place. Public Wi-Fi is a common environment for such attacks.

When selecting a victim process to break a deadlock, the OS considers several factors to minimize the impact of the termination. These include the process's priority (low-priority processes are better victims), how much work it has already done (a process close to completion is a poor choice), and which resources it holds (terminating a process that holds resources needed by many other processes can break the deadlock effectively). The username of the owner is generally irrelevant from a technical, algorithmic standpoint, although system policy might sometimes factor it in.

The fundamental distinction lies in their method of propagation. A virus attaches itself to an executable file or document (the host) and spreads when that host is transferred to and executed on another computer. A worm is a self-contained program that can propagate across networks from one computer to another without requiring any user interaction or a host file.

Integrity refers to the trustworthiness and accuracy of data. It ensures that data has not been modified in an unauthorized manner. By altering financial records, the employee has directly compromised the integrity of the data. Confidentiality (preventing unauthorized disclosure) and Availability (ensuring data is accessible) were not the primary goals violated in this specific action.

A cycle in a Resource Allocation Graph is a necessary but not sufficient condition for deadlock when there are multiple instances of resource types. A cycle indicates that there is a circular wait, but deadlock only occurs if the processes in the cycle are waiting for resources for which there are no available instances that can be allocated. It's possible for a process outside the cycle to release its instance of a needed resource, allowing a process in the cycle to proceed and break the cycle.

The standard access matrix model can be extended with special rights like owner, copy, and transfer that allow domains to modify the matrix itself. The copy right allows a process to grant a right it possesses to another process. The transfer right is similar but revokes the right from the original process. The owner right typically includes both. In this context, if P1's entry for F1 was read, copy, it could then add the read right to P2's entry for F1.

A backdoor is a covert method of bypassing normal authentication or security controls. It is intentionally designed and implemented by someone familiar with the system (like the original programmer) to allow for secret, unauthorized access in the future. A trapdoor is a similar concept but is often used to refer to a secret entry point left for legitimate debugging purposes that was not removed, whereas a backdoor is explicitly malicious.

Direct calls from user mode to kernel mode are prohibited by the hardware protection mechanism. To request a kernel service, a user process must execute a special instruction (often called a TRAP, SYSCALL, or INT). This instruction causes a hardware interrupt that switches the CPU from user mode to kernel mode and transfers control to a specific, predefined entry point in the operating system's kernel. The kernel then validates the request and performs the privileged operation on behalf of the user process.

In a DNS cache poisoning attack, an attacker tricks a DNS server into caching an incorrect IP address for a legitimate domain name (e.g., www.mybank.com). When users query this DNS server, they are given the attacker's malicious IP address instead of the real one. This redirects users to a fraudulent website, where they might be tricked into revealing sensitive information like passwords or credit card numbers.

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. The condition in this case is a specific date and time. It is often delivered via a Trojan horse, which is the legitimate-seeming software that carries the malicious payload, but the payload's trigger-based nature is the defining characteristic of a logic bomb.

In a challenge-response system, the server sends a random, one-time value (the challenge) to the client. The client uses its secret (like a password) to compute a response based on the challenge and sends it back. Since the challenge is different for each login attempt, an attacker who captures the response cannot reuse it for a future login (a replay attack). Even capturing a hashed password could be a vulnerability if the attacker can simply replay that same hash to the server to authenticate.

Since capabilities are held by user processes, a major challenge is preventing those processes from creating or modifying their own capabilities to gain unauthorized access. The operating system must ensure that capabilities are unforgeable. This is typically achieved by keeping the capabilities within the kernel's protected memory space and having processes refer to them via secure handles, or by using cryptographic techniques. The other options are generally not true; for instance, revocation is a known challenge but not necessarily the most significant, and checking access is very efficient.

First

This question analyzes the operational complexity of two common access matrix implementations.

• Access Control Lists (ACLs) store permissions with the object. To revoke a user's access to many objects, the system must access the ACL of each of the thousands of objects and remove the entry for that user. This is a highly distributed and I/O intensive operation.
• Capability Lists (C-Lists) store permissions with the subject (user/process). To revoke all of a user's rights, the operating system can manage and invalidate the user's central capability list, which is far more efficient. However, direct C-List revocation is complex. A common way is indirect revocation via pointers or proxies, but even then, the core issue with pure C-lists is that the capabilities are distributed. The most common solution to the revocation problem in C-list systems is to have the OS maintain control over the C-lists, so it can destroy the user's list. Compared to traversing thousands of ACLs, managing a central list for the user is more direct. The statement that ACLs require iterating through thousands of objects is the most accurate description of the high complexity involved for that method.

This question requires understanding modern exploit mitigation and the techniques to bypass them.

• The NX bit (or DEP) prevents code execution from the stack, defeating simple stack smashing attacks (Option A).
• ASLR randomizes the memory locations of libraries and the stack, making it difficult to guess the address of required functions or shellcode (defeating naive ROP and heap spraying).
• Return-Oriented Programming (ROP) is the advanced technique that chains together small sequences of existing code (called 'gadgets'), which are already in executable memory regions (bypassing NX). These gadgets typically end in a ret instruction. By carefully crafting a stack of return addresses pointing to these gadgets, an attacker can piece together complex operations. To bypass ASLR, attackers often need an additional information leak vulnerability to find the base address of a library (like libc) from which they can then calculate the addresses of all their needed gadgets.

This question requires synthesizing knowledge of deadlocks and database concurrency protocols.

• Mutual Exclusion cannot be violated as data items need exclusive access for writes to ensure consistency.
• Hold and Wait is essential to 2PL's growing phase. Requiring all locks upfront (Option B) is a valid prevention strategy, but it severely reduces concurrency and is often impractical as the full lock set may not be known in advance.
• No Preemption is critical for transaction atomicity. Forcibly taking a lock would require the preempted transaction to be aborted and rolled back. While this is a form of recovery, it's not the primary prevention method integrated with 2PL.
• Circular Wait is the most common condition to attack for prevention in this context. Schemes like timestamp-based protocols (Wait-Die, Wound-Wait) or graph-based protocols ensure that a cycle of waiting transactions can never form. For example, in Wait-Die, an older transaction will never wait for a younger one; instead, the younger one is aborted. This prevents a circular dependency from ever forming while still allowing the hold-and-wait behavior of 2PL.

The use of a unique salt for each user (PerUserSalt) is a critical security measure. A rainbow table is a precomputed table of hashes for common passwords. It is only effective if the hash is computed on the password alone (or with a common, non-unique salt). Because each user has a different salt, the attacker would need a separate rainbow table for every single user, which is computationally infeasible. Thus, rainbow table attacks are rendered ineffective. However, since the attacker has the salt and the final hash for each user, they can perform an offline dictionary or brute-force attack against individual users. For a specific user (e.g., 'admin'), the attacker can take a list of common passwords, prepend the user's known salt, hash the result, and compare it to the stored hash. This must be done one user at a time, but it is still a very potent threat for users with weak passwords.

• P1: High priority and 80% done. Very expensive to kill.
• P2: Low priority and only 10% done. Very cheap to kill in terms of work lost.
• P3: Low priority but 90% done. Killing it would waste a lot of computation.
• P4: Medium priority, 50% done, holds many resources. Killing it is beneficial for resource release, but the cost is moderate.
  Comparing P2 and P3, both are low priority. P2 has only done 10% of its work, while P3 has done 90%. It is almost always better to terminate P2 and lose only 10% of the work than to terminate P3 and lose 90% of its work. The number of resources held is also a factor, but progress and priority are often weighted more heavily. Higher is more expensive.
• Cost(P1) = 80 * 3 = 240.
• Cost(P2) = 10 * 1 = 10.
• Cost(P3) = 90 * 1 = 90.
• Cost(P4) = 50 * 2 = 100.
  With this standard cost heuristic, P2 is by far the cheapest process to terminate. I'll rephrase the question to be less about a formula and more about these standard heuristics.
  New Question: "...Which process is the optimal victim to terminate to resolve the deadlock based on common heuristics that seek to minimize wasted computation and respect process priority?"
  The correct answer is P2. The explanation: "Common heuristics for victim selection prioritize terminating processes that have consumed the least amount of CPU time (i.e., are least complete) and have the lowest priority. P2 fits both criteria perfectly: it is low priority and only 10% complete, meaning terminating it wastes the least amount of work. While P4 holds more resources, the computational cost of restarting it is much higher. P1 is a very poor candidate due to its high priority and progress."

This question targets a specific, advanced hardware protection mechanism. While all options are security features, the IOMMU is the most direct and appropriate answer. The Principle of Least Privilege dictates that a component should only have access to the resources it strictly requires. The network card, via Direct Memory Access (DMA), could potentially write to any physical memory location. An IOMMU acts like a regular MMU but for I/O devices. It creates a separate I/O address space and translates device-visible addresses to physical addresses. The OS can configure the IOMMU to only allow the network card to 'see' and write to the specific physical memory pages corresponding to the designated buffer, thus preventing it from corrupting the kernel or other processes. The other options are less relevant: separating address spaces protects processes from each other, not the kernel from a malicious/faulty device; system calls are for user-space to kernel-space transitions; and privilege rings separate software components, but don't directly control a hardware device's DMA access.

Let's assume R2 has only 1 instance.

1. P1 gets R1. 2. P2 gets R2. 3. P3 gets R1. 4. P1 requests R2 and waits (correct, P2 holds it). 5. P2 requests R1 and waits (correct, P1 and P3 hold them).
   Now, the state is: P1 holds R1, wants R2. P2 holds R2, wants R1. P3 holds R1, is not waiting. A cycle P1 → R2 → P2 → R1 exists. Is it a deadlock? No. P3 is not part of the cycle and can continue execution. Eventually, P3 will finish and release its instance of R1. This released instance can be allocated to P2. P2 can then run to completion and release R1 and R2. P1 can then get R2 and complete. Therefore, no deadlock exists. The system can follow the execution path <P3, P2, P1> to resolve the waits.

This question requires distinguishing between specific types of program threats based on their trigger mechanism and behavior.

• A Trojan Horse is malware disguised as a legitimate program. While this code is hidden within a legitimate application, its defining characteristic is its trigger.
• A Logic Bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. The trigger condition here ('employee's user account is deleted') is a specific logical condition, not just the execution of the host program. This is the classic definition of a logic bomb.
• A Worm is a standalone malware that replicates itself to spread to other computers. This code does not self-replicate.
• A Rootkit is designed to conceal its own presence or the presence of other malware, often by modifying the host operating system. This code does not attempt to hide itself in this manner.

This is a subtle question about the interplay between CPU scheduling and resource locking, which is a common cause of starvation. While priority inversion (Option C) is a real problem, the question states the mutex queue is fair. The core issue here is CPU starvation, not lock starvation. With a strict priority scheduler, as long as there is any P_high process ready to run, P_low will never be scheduled. If the stream of P_high processes is dense enough, P_low will not even get the CPU cycles needed to execute its code up to the point where it would lock(R). It is starved of CPU time itself, making its need for the resource moot. The other options describe related problems, but not the primary cause of starvation in this specific scenario.

This question explores the difficult problem of revocation in capability systems. In a pure capability system, capabilities are like keys; once you have a key, it works. When D1 exercises its copy right, it essentially forges a new, independent capability (a read right for O) and places it in D2's list. This new capability has no backward reference or dependency on D1's original read* capability. Therefore, revoking the right from D1 has no effect on the right that D2 now possesses. This is a major security challenge in such systems and is why managing revocation is complex, often requiring indirect capabilities (where the OS can invalidate an intermediate object) rather than direct ones.

This question tests a crucial concept in modern cryptography. Perfect Forward Secrecy (PFS) is a property of key agreement protocols that ensures that a session key derived from a set of long-term public and private keys will not be compromised if one of the long-term private keys is compromised in the future. Protocols like Ephemeral Diffie-Hellman (DHE/ECDHE) provide PFS. They generate a new, temporary private key for every session, use it to negotiate the symmetric session key, and then discard it. The server's long-term RSA key is only used for signing the ephemeral parameters to authenticate itself. Therefore, even if the long-term key is later stolen, it cannot be used to derive the discarded session keys of past communications. In contrast, if the session key was directly encrypted with the server's long-term RSA key, compromising that key would compromise all past sessions.

The setuid mechanism in UNIX is a classic example of a temporary domain switch.

• The Real User ID (RUID) identifies the user who actually launched the process. It remains alice. This is important for accounting and for the process itself to know who its owner is.
• The Effective User ID (EUID) is used by the kernel for most permission checks. Because the setuid bit is set on an executable owned by root, the kernel sets the process's EUID to root.
  This means that for operations like opening files, the process is treated as if it were root, thereby granting it elevated privileges. The process can, and for security reasons should, drop its effective privileges (e.g., by setting EUID = RUID) as soon as the privileged operation is complete, adhering to the principle of least privilege.

This describes the classic TCP SYN Flood, a type of Denial of Service (DoS) attack. It specifically exploits the stateful nature of the TCP three-way handshake. By sending SYN packets from spoofed IPs, the attacker forces the server to allocate resources (a TCB entry and memory) for a half-open connection. Because the final ACK never arrives from the non-existent source, these resources remain tied up until a timeout occurs. By sending these packets at a high rate, the attacker can fill the server's backlog queue or TCB table, preventing it from accepting new, legitimate connections.

• A Smurf attack uses spoofed ICMP requests to a broadcast address.
• A Teardrop attack involves sending fragmented IP packets that are impossible to reassemble.
• A Man-in-the-Middle attack involves intercepting and relaying communication between two parties.

This question requires analyzing the algorithm used for deadlock avoidance. The safety algorithm works as follows:

1. Initialize a Work vector of length m and a Finish vector of length n.
2. Find a process i such that Finish[i] is false and its Need vector is less than or equal to the Work vector. This search loop runs up to n times. The comparison of the Need and Work vectors takes O(m) time. So, one full scan for a suitable process is O(n * m).
3. If such a process is found, update the Work vector and mark the process as finished. Then, go back to step 2.
   In the worst case, we might have to scan the entire list of n processes to find one that can run. After we find one, we have to repeat the scan for the remaining n-1 processes, and so on. This leads to a complexity of roughly (n + (n-1) + (n-2) + ... + 1) scans, each taking O(m) time. The sum is O(n^2). Therefore, the total complexity is O(m * n^2).

The terms Trapdoor and Backdoor are often used interchangeably, but in a strict academic sense, they have a subtle difference. A Trapdoor is a secret entry point intentionally implemented by the original developers, often for debugging or maintenance purposes (as described in the question). A Backdoor is more general and can be a trapdoor, but often refers to a mechanism of access installed by an attacker after a system has been compromised, or any other unauthorized method of access. Given that it was intentionally built in by the original developer, 'Trapdoor' is the more precise and correct term for this scenario.

This question analyzes the performance trade-offs of a specific access matrix implementation. A global table is simple but does not scale well. When a process switches from Domain A to Domain B, the system needs to know all of B's permissions. With a global table structured as <domain, object, rights>, there is no direct way to look up a domain and get all its rights. The system must perform a linear search through the entire table, picking out all the entries where the domain is 'B'. If the table and the number of objects are very large, this search becomes a significant performance bottleneck for the domain switch operation. The storage overhead (A) is a problem, but the search time (C) is the critical operational bottleneck. Revocation (B) is also difficult, but the question specifically asks about the impact of domain switching.

This question requires a precise understanding of the security goals.

• Confidentiality means preventing the unauthorized disclosure of information. While a MITM attacker can violate this by reading messages, their defining action is modification.
• Integrity means ensuring that data is not altered in an unauthorized manner. By modifying messages in transit, the attacker directly violates data integrity.
• Authenticity is the verification of the identity of a user or system. The MITM attack fundamentally breaks authenticity because each party believes they are communicating directly with the legitimate partner, when in fact they are communicating with the attacker. The attacker is impersonating each party to the other.
• Availability is ensuring that systems and data are accessible when needed. A MITM attack does not necessarily cause a denial of service.
  Therefore, Integrity (the what) and Authenticity (the who) are the two goals most directly and fundamentally violated by this attack.

This technique, known as a multi-stage payload or a 'dropper/downloader', is a common evasion tactic. Static antivirus scanners work by looking for known patterns or 'signatures' of malware within files. By keeping the initial infected portion (the dropper) very small and simple, with minimal suspicious code, the malware author can more easily evade these signature-based checks. The dropper's main job is just to download the next stage. Furthermore, the main payload can be easily updated on the server, allowing the attacker to change tactics without needing to re-infect the target. This makes the malware polymorphic and much harder to stamp out. The small, innocuous-looking initial stage is the key to evading initial detection.

The four necessary conditions are Mutual Exclusion, Hold and Wait, No Preemption, and Circular Wait. The 'No Preemption' condition states that a resource can only be released voluntarily by the process holding it, after that process has completed its task. The scenario described directly violates this principle. The operating system is forcibly taking a resource (memory) from a process. However, it does so in a controlled manner by saving the process's state (rolling it back) so it can be resumed later. This is a practical relaxation of the strict 'no preemption' rule. It's not breaking mutual exclusion (the memory is for one process at a time), hold and wait (the process still holds other resources while waiting for memory to be paged back in), or circular wait (this action doesn't impose an ordering on requests).