When & Where

The final exam will be held in our regular classroom on Monday, December 15, 2025. It will start promptly at 8:00 pm and you will have until 10:00 pm to complete it.

Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. Plan to use a pen only if you are supremely confident in not changing your mind about your answers. . Check here for information about pencils, sharpeners, and the craft of pencil sharpening.

Past exams

The exam will be similar in structure to mid-semester exams but will cover material for the entire course.

You can use my past exams as a guide to what this exam may look like, but realize there are differences in topics and in the sequencing of the topics. Expect around 25 multiple-choice questions. I do not refer to old exams when I come up with a new one, so it is likely that many of the topics that I considered important in past exams will show up on future exams. Some material may have changed, however, so do not worry about questions that appear to relate to topics we have not covered.

Get past 419 exams here.

Study guide

You are responsible for the material from the first four lectures and recitations.

The final exam study guide is a concatenation of the previous three study guides along with the last lecture and attempts to cover most of the material you should know. It is not a substitute for the lectures, lecture material, and other reading matter. My goal is to put most of the information you need to know in as concise a form as possible.

→ Get the study guide

Topics

Topics that you should know and may be on the exam include:

Introduction

• What is computer security? Know the terms

  • CIA Triad

  • Confidentiality

  • Privacy, Anonymity, Secrecy

  • Understand how privacy relates to confidentiality

  • Integrity

    • Data integrity

    • Origin/destination (endpoint) integrity

    • System integrity

  • Availability

• Security goals

  • Prevention

  • Detection

  • Recovery

• Policy vs. Mechanism

• Security engineering

• Risk Analysis

• Trustworthy components

• Assurance

• Defense in Depth (from homework 1)

• Supply Chain Attack

• Trusted Computing Base (TCB)

  • You don't have to know Meldown, Spectre, Rowhammer

• Definitions

  • Exfiltration

  • Principal

  • Subject

  • Vulnerability

  • Exploit

  • Attack, attack vector, attack surface

  • Threat, threat actor

• Purpose of a threat model

• Threat categories (know but don't memorize)

  • Disclosure

  • Deception

    • Disruption

    • Usurpation

• Examples of threats

  • Snooping

  • Modification

  • Alteration

  • Repudiation of origin

  • Denial of receipt

  • Delay

  • Denial of service (DoS)

• You don't have to know internet-enabled threats

• Black hat, gray hat, white hat hackers

• Types of attackers:

  • opportunistic, targeted

  • script kiddies, advanced persistent threat (APT)

  • You don't need to know APT naming conventions

• Purpose of CVE (Common Vulnerabilities and Exposures)

• Purpose of CVSS

Symmetric cryptography

• Terms:

  • authentication, integrity, nonrepudiation, confidentiality

  • plaintext, encryption, ciphertext, decryption, cipher

  • secret algorithm, symmetric cipher, key

• Schneier's Law

• Kerckhoffs's principle

• Recognize these properties:

  • Randomness (high entropy)

  • Non-invertible without a key

  • Large keys

  • No weak keys

  • Ciphertext size is the same magnitude as plaintext

  • Extensively analyzed

  • Impact of key length

• Shannon entropy? (You don't need to know the formula, just the concept)

• Classic cryptography

  • Monoalphabetic substitution cipher; shift cipher (Caesar cipher)

  • Attacks: frequency analysis

    • digraphs, trigraphs

  • Polyalphabetic substitution cipher: Alberti, Vigenère cipher

    • Why is it better than a monoalphabetic substitution cipher?

• What is a rotor machine?

  • Know it's a symmetric polyalphabetic cipher

  • Understand what each rotor does

• Transposition cipher: Have a basic idea of what it does

  • What's a scytale?

  • Columnar transposition cipher

• You don’t have to know ADFGVX or Playfair

• One-time pad: why is it so secure?

• What is perfect secrecy and what is needed to achieve it?

• What is a stream cipher and a keystream?

• CSPRNG (cryptographically secure pseudorandom number generator)

• Confusion and diffusion

• What is a block cipher?

  • What is meant by an iterative cipher and multiple rounds?

  • What is a subkey?

  • What is meant by substitution-permutation?

  • What is an s-box?

  • What is the general idea behind a Feistel cipher?

  • What is an SP-Network?

  • I will not ask you how DES works but know it's a Feistel cipher

  • DES vs. 3DES

  • I will not ask you how AES works but know it's an SP-Network

• Block cipher modes

  • Electronic Code Book mode (ECB) - problems with using it

  • Cipher Block Chaining mode (CBC)

  • Counter mode (CTR)

• Initialization Vector (IV)

• Know the basic idea of AEAD (Authenticated Encryption with Associated Data) concept

• ChaCha20

• I will not ask about cryptoanalytic attacks

Public Key Cryptography & Integrity

• Key distribution problem

• One-way function

  • Definition

  • Examples: discrete logarithms, middle squares

• Trapdoor function

• Public-key cryptography

• Roles of public and private keys

• RSA

  • You don’t have to know the RSA algorithm

  • Know that its difficulty is based on not knowing any efficient methods to factor a product of two prime numbers

  • Know that encryption and decryption are operations of the form m^emod n.

• ECC

  • You don’t have to know elliptic curves or the algorithm

  • Know that its difficulty is based on computing discrete logarithms

  • Advantages over RSA

• Cryptographic hash functions

• Understand the properties of a hash function:

  • Fixed-length

  • Preimage resistance

  • Second preimage resistance

  • Collision resistance

  • Avalanche effect

• Recognize these as hash functions SHA-1, MD5, SHA-2 (SHA-256, SHA-512), bcrypt

• You don’t need to know the implementations of any hash functions

• Hash collisions

• Pigeonhole principle

• Main point from the birthday paradox

• Message Authentication Code (MAC, keyed hash)

• HMAC: you don’t need to know the formula but just the basic idea that the hash is f(key, message)

• CBC-MAC

• Authenticated Encryption with Associated Data (AEAD) - just the concept (as in the week 2)

  • Recognize GCM and Poly1305 as the integrity components to encryption

• Digital signature

• What’s the general concept of signing? (Encrypt a hash of a message with a private key.)

• What’s the general concept of verifying? (Compare a hash of a message with the signature decrypted with a public key.)

• a hash with a private key)?

• X.509 Certificates

  • What is the purpose of a digital certificate?

  • What is a Certificate Authority (CA)?

• I won’t ask about code integrity

• Diffie-Hellman Key Exchange (DHKE)

  • What is the purpose?

  • How are its public & private keys used?

  • What one-way function is it based on? a^xmod. p

  • You don't have to know the Elliptic Curve Diffie-Hellman (ECDH) algorithm. Just know it behaves just like the regular Diffie-Hellman algorithm

• What is a hybrid cryptosystem?

  • What is a long-term key?

  • What is a session key?

  • What is forward secrecy?

  • What is an ephemeral key used for?

• Quantum attacks

  • I won’t ask about post-quantum cryptography algorithms

  • Understand why they were developed

  • Which algorithms are at risk of quantum attacks?

• Transport Layer Security (TLS)

  • You don’t have to know the flow but know what it uses: Diffie-Hellman Key Exchange, X.509 certificates, public key cryptography, HMAC, symmetric cryptography with AEAD

  • Purpose of HKDF (HMAC-based Key Derivation Function)

Data Integrity

• What is meant by a one-way function?

• What is a cryptographic hash function?

  • What are the properties of a cryptographic hash function?

  • What is pre-image resistance?

  • What is the avalanche effecct

  • What does it mean to be collision resistant?

  • How do the birthday paradox and the pigeonhole principle tell us about hash functions? (You don't need to know the probability formula)

  • I will not ask you about the difference between strong and weak collision resistance

• I will not ask you how SHA-1 or SHA-2 work (or any hash functions)

• Message Authentication Codes

  • What is a Message Authentication Code (MAC, or keyed hash)?

  • I will not ask you the formula for HMAC but understand it's based on hashing the message and a secret key

  • Understand what a CBC-MAC is

• Digital signatures

  • What is a digital signature (logically)? How can you create one?

  • What are the properties of a digital signature?

  • What are the three basic operations you need to create and use digital signatures?

• What is a session key?

• How can a public key serve as an anonymous identity?

• X.509 Certificates

  • How do certificates serve as non-anonymous identities?

  • Understand that a certificate contains identifying information, a public key, the CA's identification, and CA's signature

  • What is a CA (Certification Authority)?

  • What is certificate revocation?

• Signed software

  • Understand the principle

  • Advantage of per-page signatures

Combined authentication and key exchange protocols

• Security protocol notation

• How does a trusted third party play a role in combined authentication and key exchange?

• What is mutual authentication?

• Challenge-response concept and use of nonces for authenticating

• What is a replay attack?

• How is challenge-response used to authenticate via public keys?

• Diffie-Hellman key exchange (see earlier notes)

• Needham-Schroeder: understand the value of adding a nonce

• Understand the value of adding a timestamp (you don't have to remember the names Denning-Sacco or the steps of the protocol

• Understand the value of using session IDs (you don't have to remember the names Otway-Rees or the steps of the protocol)

• Kerberos

  • You don't have to know the protocol in detail but understand the phases and data you get

  • Role of the Kerberos Authentication Server (AS)

  • Role of the Kerberos Ticket Granting Server (TGS)

  • Why was Kerberos split into AS+TGS?

  • Understand that you get an encrypted session key and a ticket

  • Understand what a ticket is (basically, the same session key encrypted for the service)

  • You don't have to know the kinit command

Authentication

• Distinction between identification, authentication, & authorization

• What are the three factors of authentication?

• What is multi-factor authentication (MFA)?

• Password Authentication Protocol

  • How does it work?

  • What are the security problems?

  • You don't have to know the NIST recommendations for passwords

  • Hashed passwords

  • Dictionary vs. brute force attacks

  • Rainbow tables (Precomputed hashes)

  • Salt

  • Credential stuffing & password spraying attacks

• Challenge Handshake Authentication Protocol (CHAP) - what problem does it solve?

• One-time Passwords

  • Sequence-based

    • S/key: understand how one-way functions can be used to create a list of one-time passwords

    • You don't have to know OPIE (One-time Passwords In Everything)

  • Challenge-based

    • (same steps as CHAP)

    • What makes it secure over a network?

    • Passkey authentication - how does it work and use public keys?

  • Time-based and hash-based

    • Have a basic understanding of how time-based one-time passwords (TOTP) work: f(time, key)

    • I will not ask about Yubikey or SecurID (we didn't cover those)

    • The difference between TOTP and HOTP (note that they really should have called HOTP counter-based one-time passwords since both TOTP and HOTP use hashing or one-way functions).

• Second factor issues

  • Push authentications

  • MFA fatigue (Push authentication fatigue)

  • Number matching authentication (NMA)

• What is an Adversary in the Middle (AitM) attack?

• I won’t ask about risk-based authentication

Biometric Authentication

• How does pattern recognition apply to biometrics?

• How do _thresholds apply to biometrics?

• False accept rate (FAR) vs. false reject rate (FRR)

• Receiver Operator Characteristic (ROC) plot

• Behavioral factors

• Fingerprint minutiae

• Robustness vs. distinctiveness

• Authentication process: enrollment, sensing, feature extraction, pattern matching, decision

• Challenges:

  • trusted devices and data path

  • human liveness

  • tamper-proof devices and secure communications

  • thresholds

  • compartmentalization

  • theft of biometric

• Cooperative vs. non-cooperative systems

Hash Pointers, Bitcoin, and Blockchain

• Cryptographic foundations

  • Hash pointers vs. normal pointers

  • Blockchains as tamper-evident linked lists

  • Merkle trees: efficient verification and role in Bitcoin blocks

• Core concepts

  • Distributed ledger: thousands of nodes storing complete copies

  • Double-spending problem and how Bitcoin solves it

  • UTXOs (Unspent Transaction Outputs) as Bitcoin's current state

• Transactions

  • Transaction components: inputs, outputs, change output, fee

  • Public/private keys and digital signatures

  • Addresses as hashes of public keys (not derivation steps)

• Mining and consensus

  • What mining is and why miners do it

  • Proof of Work: finding nonce so block hash < target hash

  • Target hash: determines mining difficulty

  • Difficulty Adjustment Algorithm: maintains 10-minute blocks

  • Block rewards and halving

• Security

  • Chain selection: longest valid chain (most cumulative work)

  • Competing chains/forks: how they occur and resolve

  • Confirmations: why transactions need multiple blocks

  • 51% attack: what it is and why it's impractical

CAPTCHA and Human Verification

• Core concepts

  • Purpose

• Why CAPTCHAs work(ed)

• Evolution of CAPTCHA systems

  • Text-based CAPTCHAs (distorted words)

  • Image-based CAPTCHAs (object recognition, grids)

  • reCAPTCHA (digitizing books and Street View)

  • NoCAPTCHA reCAPTCHA (v2) - "I'm not a robot" checkbox

  • Behavioral analysis (mouse movements, timing)

  • Invisible reCAPTCHA (v3) - trust scores

• Problems and limitations

  • Accessibility issues

  • User frustration

  • CAPTCHA farms (human outsourcing)

• Modern threats

  • AI

  • Fake CAPTCHAs as social engineering attacks

• New approaches

  • IllusionCAPTCHA (AI-generated optical illusions)

  • Biometric verification

Access control

• Foundation mechanisms

  • Hardware timer and preemptive multitasking

  • Memory Management Unit (MMU) and page tables

  • Kernel mode vs. user mode

• Core concepts

  • Access control matrix

  • Subjects and objects

  • Access Control Lists (ACLs)

  • Capability lists

  • Principle of least privilege

  • Privilege separation

• Discretionary Access Control (DAC)

  • Owner-controlled access

  • UNIX/POSIX permissions (owner, group, other)

  • Read, write, execute (rwx)

  • chmod, chown, chgrp

  • umask

  • Real user ID (ruid) vs. effective user ID (euid)

  • setuid and setgid bits

• Mandatory Access Control (MAC)

  • Concept of MAC

  • Multilevel security

  • Bell-LaPadula model (confidentiality)

    • Simple Security Property (no read up)

    • Star Property (no write down)

    • Remember the rules but you don't have to remember the terms "simple security property" or "star property"

  • Biba model (integrity)

    • Simple Integrity Property (no read down)

    • Star Integrity Property (no write up)

  • Compartments and multilateral security

  • Type Enforcement (TE)

    • Domains and types

• Role-Based Access Control (RBAC)

  • Permissions assigned to roles

• Attribute-Based Access Control (ABAC)

  • Just the basic idea

  • User, object, and environmental attributes

  • Context-aware access decisions

• Chinese Wall model

  • Conflict of interest prevention

  • Conflict classes

  • History-based access restrictions

  • Dynamic separation of duties

• Key comparisons

  • Strengths and weaknesses of each model

  • When to use each model

Memory Vulnerabilities and Code Injection

• Memory corruption types

  • Buffer overflow (stack and heap)

  • Integer overflow

  • Off-by-one errors

  • Use-after-free

  • Double-free

  • Format-string vulnerabilities

• Exploitation techniques

  • Shellcode injection

  • Heap spraying

  • Return-to-libc attacks

  • Return-oriented programming (ROP), gadgets

• Defensive mechanisms

  • Non-executable memory (NX, DEP)

  • Address Space Layout Randomization (ASLR)

  • Stack canaries

  • Heap canaries

  • Double-free detection

• Development-time protections

  • AddressSanitizer (ASan)

  • Fuzzing (coverage-guided)

  • Safer library functions (fgets vs. gets, strncpy vs. strcpy)

  • Compiler runtime checks

• Hardware mechanisms

  • Control-flow integrity

  • Shadow stack

  • Pointer authentication

  • Memory tagging (e.g., ARM MTE)

• Key principles

  • Defense-in-depth

  • How code reuse (like return-to-libc, ROP) attacks bypass NX

  • Why ASLR makes ROP harder

  • Relationship between vulnerabilities and their corresponding defenses

Command Injection and Input Validation Attacks

• SQL injection

  • Embedding SQL syntax in user input

  • Parameterized queries (prepared statements)

  • Stored procedures

  • Input validation

  • You don't have to know NoSQL injection except that the attack principles are similar.

• Shell command injection

  • Shell metacharacter issues (;, |, $(), backticks)

  • Avoiding shells (use system APIs directly): execve() vs. system()

• Environment variable manipulation

  • PATH, LD_PRELOAD, LD_LIBRARY_PATH

  • DLL search paths

• Package and dependency attacks

  • Typosquatting

  • Dependency confusion

• Path traversal

  • Relative path elements (..)

  • Symbolic links

  • Canonicalization

  • Resolving to absolute paths

• Character encoding attacks

  • Overlong UTF-8 encodings

  • Decode before validating

• Race conditions

  • Time-of-check to time-of-use (TOCTTOU)

  • File descriptor operations vs. filename operations

• File descriptor misuse

  • Standard file descriptors (0, 1, 2)

  • Descriptor reuse vulnerabilities

• Defense in depth

Containment and Isolation

• Application sandboxing

  • Purpose: restrict individual processes

  • Filesystem-based containment (chroot)

  • chroot jail and its limitations

  • FreeBSD Jails

• System call-based sandboxes

  • System call interface as enforcement point

  • User-level interposition (e.g., ptrace, janus, interposition)

  • Time-of-check-time-of-use (TOCTTOU) vulnerabilities

  • seccomp-BPF (Berkeley Packet Filter)

  • BPF actions (ALLOW, ERRNO, TRAP, KILL)

  • AppArmor: what its main goal is

• Language-based sandboxing

  • Process virtual machines

  • Examples: JVM, .NET CLR, JavaScript engines

  • Bytecode verification

  • Memory safety in managed environments

• OS-level isolation primitives

  • Namespaces (what processes can see)

  • Control groups/cgroups (resource limits)

  • Capabilities (dividing root privileges)

• Containerization

  • How containers combine namespaces, cgroups, and capabilities

  • OS-level virtualization

  • Security limitations (shared kernel)

• Virtualization

  • Virtual machines (VMs): concept

  • Hypervisor/Virtual Machine Monitor (VMM)

  • Type 1 (bare-metal) vs. Type 2 (hosted) hypervisors

  • Hardware virtualization support

  • Guest vs. host operating system

• Containers vs. Virtual Machines

  • Isolation strength differences

  • Performance trade-offs

  • Kernel sharing vs. separate kernels

• Security considerations

  • VM escape

  • Hypervisor vulnerabilities

Malware

• General ideas behind how malware operates, spreads, hides, and communicates.

• Understand how to classify malware, how it gains access, how it persists, and how defenders detect or block it.

• Do not try to memorize long technical lists; focus on concepts and why they work.

• Malware types and functions

  • Virus vs. worm

  • Ransomware, spyware, keyloggers, wipers, information stealers, backdoors, RATs

  • Bots and botnets; what they are used for

  • Rootkits at a high level (user mode, kernel mode, and why hypervisor-level rootkits are powerful)

• Exploits and entry vectors

  • Zero-day, N-day, and zero-click exploits

  • Drive-by downloads, malicious attachments, macro malware

  • Social engineering, phishing variants, domain deception (typosquatting, combosquatting, homograph attacks), malicious QR codes

  • Credential stuffing and stolen credentials

  • Supply chain attacks

  • USB attacks: dropped drives, malicious firmware, keystroke-injection devices

  • High-level idea of compiler subversion (Reflections on Trusting Trust)

• Where malware hides and how it persists

  • Startup mechanisms (registry keys, Launch Agents/Daemons, cron/systemd)

  • Bootkits and boot-sector infections

  • Backdoors and remote-access tools

  • Rootkits and basic evasion goals

• Information gathering and covert leakage

  • Keyloggers and information-stealing tools

  • Basic side-channel ideas (such as LED-based exfiltration)

  • Covert communication over DNS at a conceptual level

• Command and control

  • Direct C2 over HTTPS

  • Use of cloud services or social platforms for C2

  • DNS tunneling for low-bandwidth communication

  • Peer-to-peer C2 and why it is resilient

  • Periodic beaconing to blend with normal update traffic

  • Evasion techniques (domain fronting, fast flux, VPN/proxy routing)

• Evasion and anti-analysis techniques

  • Crypters, packers, and the goal of obfuscation

  • Polymorphic vs. metamorphic mutation at a high level

  • Sandbox, VM, and debugger detection

  • Delayed execution and trigger-based activation

• Defenses

  • Signature-based, heuristic, and behavioral detection

  • Sandboxing as a containment and analysis tool

  • Least privilege and removing admin rights

  • Containerization and isolation techniques

  • Honeypots as early-warning and observation systems

  • The general purpose of SPF, DKIM, and DMARC (no need to memorize details)

• You do not need to memorize:

  • Acronyms like DGA or LoTL

  • Fileless malware internals or OS-specific paths

  • AutoRun specifics, JavaScript-based attacks, and repository-level compromises

  • Virtualization tricks such as Blue Pill/Red Pill

  • Historical case studies like Stuxnet

  • Vendor-specific tools or configuration details

Network Security

• Understand why many network protocols were built on trust, how attackers exploit those assumptions, and the general idea behind common defenses.

• Focus on conceptual mechanisms rather than packet layouts or configuration details.

• Concentrate on the vulnerability and why the defense works.

• Link-layer attacks

  • CAM overflow: limited table size causes fallback to flooding

  • ARP cache poisoning (ARP spoofing): no authentication, unsolicited replies accepted

  • VLAN hopping: trunk negotiation abuse or double-tagging

  • DHCP starvation and rogue servers: clients trust the first response

  • How managed switches enforce policies like port security, DHCP snooping, and Dynamic ARP Inspection

• Network-layer issues

  • IP spoofing and how it enables concealment and reflection

  • Router attacks: denial of service, route table poisoning, malware installation

  • BGP hijacking: Autonomous Systems, prefix (route) advertisements, more-specific-prefix preference

• Transport-layer attacks

  • TCP session hijacking with predictable sequence numbers

  • SYN flooding and backlog exhaustion

  • TCP reset attacks via forged RST packets

  • UDP spoofing and its use in reflection and impersonation

• DNS security issues

  • DNS pharming via altered DNS settings or compromised infrastructure

  • DNS cache poisoning by racing resolvers with forged replies

  • That DNSSEC provides authentication of DNS data (not encryption)

  • DNS rebinding and how browsers can be tricked into reaching internal systems

  • Risks from abandoned or misconfigured DNS delegations

• Distributed denial of service (DDoS)

  • Volumetric attacks, packet-per-second floods, and application-layer request floods

  • Reflection and amplification: attackers spoof the victim and trigger larger responses

  • Common amplification sources to be aware of: open DNS resolvers, NTP, and memcached

  • Botnets and why IoT devices expand attack capacity

• Key themes

  • Many protocols lack authentication by design

  • Spoofing and resource asymmetry drive many attacks

  • DNS and BGP weaknesses spread across the Internet

  • Effective defense requires layered protections

• You do not need to memorize:

  • Details of RPKI, ROAs, or BGPsec

  • Packet formats or header fields

  • Vendor-specific switch or router configuration

  • DNSSEC record types

  • Historical case studies

VPNs

• Understand why the Internet’s core protocols lack strong security and how VPNs provide confidentiality, integrity, and authenticated endpoints over untrusted networks.

• Focus on what VPNs do and how they are used, not low-level cryptographic or negotiation details.

• Do not memorize protocol internals, algorithm names, or implementation-specific mechanisms.

• Why VPNs exist

• TLS vs. VPNs

• What is a VPN?

• VPN deployment models

  • Site-to-site VPNs connecting private networks

  • Remote-access VPNs for off-site users

  • Consumer “privacy VPNs” routing all user traffic through a provider

• Tunneling concepts

  • Packet encapsulation

  • Use of virtual interfaces such as TUN for IP-layer tunneling

• IPsec (conceptual overview only)

  • High-level idea: protects IP traffic with encryption, integrity, and authentication

  • Difference between transport mode and tunnel mode

  • What the Authentication Header (AH) provides integrity vs. what the Encapsulating Security Payload (ESP) provides

• OpenVPN

  • Runs in user space and uses TUN interfaces

  • Uses TLS for authentication and key negotiation

  • Encrypts all traffic flowing through the tunnel

  • Flexible in protocol choice (TCP or UDP) and port usage

• WireGuard

  • Designed with a small, auditable codebase

  • Uses a fixed modern cryptographic suite (details not required for the exam)

  • No cipher negotiation; intentionally minimal design

  • Efficient key handling and very low protocol overhead

• VPN security limitations

  • VPNs secure traffic only between the tunnel endpoints

  • Malware on endpoints can still inspect traffic

  • Privacy VPNs require trusting the provider with exit traffic

  • VPNs do not provide anonymity if identification occurs at higher layers

• VPN performance factors

  • CPU overhead from encryption and decryption

  • Tunnel encapsulation overhead and context switching

  • Latency introduced by routing through VPN endpoints

  • WireGuard generally performs better due to its streamlined design

• You do not need to memorize:

  • AEAD mode names such as AES-GCM or ChaCha20-Poly1305

  • Details of IKE or how it negotiates keys

  • NAT-Traversal (NAT-T) mechanisms

  • Specific algorithms used by WireGuard

  • Internal packet formats of AH, ESP, TLS, or OpenVPN

  • Vendor-specific commands or configuration syntax

  • IKE (Internet Key Exchange, used by IPsec, which uses Diffie-Hellman); MOBIKE (mentioned in the lecture notes)

Firewalls

• General purpose of firewalls and why networks need them

• How NAT interacts with firewalls and why NAT blocks unsolicited inbound traffic

• Packet filtering

  • What packet filters examine (IP addresses, ports, protocol, flags)

  • Why rule order matters

  • Ingress and egress filtering

• Stateful firewalls

  • What connection state means

  • What stateful inspection adds beyond stateless filtering

• Security zones and DMZs

  • Purpose of a DMZ as an isolated zone for Internet-facing systems

  • Typical systems placed in a DMZ (public web servers, mail gateways, reverse proxies)

• Network segmentation and why it limits lateral movement

• Deep Packet Inspection (DPI)

  • Ability to look above Layer 4

  • Limits when traffic is encrypted

• Deep Content Inspection

• IDS vs IPS

  • Signature-based, protocol-based, and anomaly-based detection

  • Strengths and weaknesses at a high level

• Next-Generation Firewalls (NGFWs)

  • Application awareness (sort of)

  • Identity-based and policy-based filtering

• Application proxies

  • Why terminating connections allows more powerful inspection

• Host-based firewalls and their role alongside network firewalls

• Zero Trust

  • What's meant by zero trust?

  • Application to firewalling

  • Microsegmentation as fine-grained internal isolation

• Defense in depth: firewalls as one layer among many

• You do not need to memorize:

  • Vendor feature sets or rule syntax

  • Proprietary detection engines or configuration steps

Web Security

• Focus on the major threats we covered in class: XSS, CSRF, CORS, session handling issues, cookie flags, clickjacking, input sanitization, and common deception techniques.

• You are not expected to memorize niche attacks, low-level browser behaviors, or security headers we did not emphasize.

• Understand the high-level browser security model rather than implementation details.

• Core browser concepts

  • Same-Origin Policy, SOP (what it restricts, why it exists)

  • What HTTPS protects and what it does not protect

• Cookies and session management

  • Purpose of cookies

  • HttpOnly and Secure flags

  • Session hijacking and fixation at a conceptual level

• CORS

  • What is it and why it exists

  • Why browsers block cross-origin responses without CORS

  • High-level idea of preflight checks

• Input sanitization

  • Why server-side validation is essential

  • Why client-side validation is insufficient

• Cross-Site Scripting (XSS)

  • Reflected and stored (persistent) XSS

  • Why input sanitization and output encoding are necessary defenses

• Cross-Site Request Forgery (CSRF)

  • Why SOP does not prevent CSRF

  • Why sites relying solely on cookies are vulnerable

  • Anti-CSRF tokens and SameSite cookies as conceptual defenses

• Clickjacking

  • High-level idea of UI redressing

  • You don't need to know X-Frame-Options / frame-ancestors

• Tracking and deception

  • Tracking pixels and how they reveal user or email activity

  • Typosquatting and combosquatting (covered earlier in malware)

• You do not need to memorize:

  • MIME sniffing attacks

  • Screen-sharing or tab-switch spoofing attacks

  • WebAssembly details

  • CSP directive syntax or detailed configuration

  • Full CORS header list or preflight structure

  • Full set of cookie attributes beyond HttpOnly, Secure, and SameSite

  • Internal browser mechanisms (event loops, parser quirks, preload scanners)

  • TLS handshake behavior

  • Specific iframe sandbox attributes

  • DOM-based XSS

  • SSRF details (covered minimally; not required for exam)

  • Fingerprinting techniques beyond the idea that they exist

  • Any niche or historical browser quirks not covered explicitly

Steganography

• What is steganography?

• How does it differ from watermarking?

• What is a null cipher?

• What is chaffing and Winnowing?

• Some techniques to add data to images that users will not detect?

• What is network steganography?

Onion routing

• Surface web, deep web, dark web

• Unobservability

• What's a circuit in tor?

Last update: Thu Dec 04 21:13:06 2025