SC Manual

Least Privilege

code/processes/users should only have the permissions needed for their job.

Defence in depth

use multiple layers of protection, not one single control.

Secure by default

default settings should be safe unless the user/admin deliberately weakens them.

CWE

Common Weakness Enumeration: category list of software weakness types, e.g. buffer overflow, SQL injection.

CVE

Common Vulnerabilities and Exposures; catalogue of specific publicly known vulnerabilities.

ASLR

Address Space Layout Randomisation; randomises memory locations to make exploitation harder.

TOCTOU

Time-of-Check to Time-of-Use; race where a checked resource changes before it is used.

Four coding practices

• Validate input.

• Check bounds.

• Avoid unsafe library functions.

• Check return values / handle errors.

• Use compiler warnings/static analysis.

• Use safe APIs.

C “not precisely defined” behaviour

• Implementation-defined: compiler must document what it does.

• Unspecified: several valid behaviours; compiler does not need to say which one.

• Undefined behaviour: no requirements at all; compiler can assume it never happens.

Dangling pointer

A pointer that still points to memory after that memory has been freed or gone out of scope. Example: free(p); then later using p.

Always unsafe string functions

• gets() — no bounds checking.

• strcpy() — copies until null terminator; destination may overflow.

• strcat() — appends without knowing remaining space.

• sprintf() — can overflow output buffer.

Authentication vs authorization

• Authentication: proving who you are.

• Authorization: deciding what you are allowed to do.

Static vs dynamic analysis

• Static: inspect code without running it. Example: compiler warnings, clang-tidy, Coverity.

• Dynamic: run program and observe behaviour. Example: AddressSanitizer, Valgrind, fuzzing.

Race condition vs data race

• Race condition: program result depends on timing/order of events.

• Data race: multiple threads access same memory concurrently, at least one write, without synchronisation.

• Data race is a specific type of race condition.

Cryptographic hash function

preimage resistance, second-preimage resistance, and collision resistance.

Password storage

Store salted, slow password hashes, e.g. bcrypt/Argon2/scrypt.

Sandboxing

Running code in a restricted environment so even if it is malicious or compromised, it has limited access to the wider system.

Signed integer overflow

In C, signed overflow is undefined behaviour. You cannot safely check overflow after doing the overflowing operation because the compiler may assume it never happened.

The C11 standard distinguishes between implementation-defined, unspecified, and undefined behaviour. Explain the key differences between them and describe why undefined behaviour is particularly dangerous from a security perspective. (Hint: think about what the compiler is permitted to assume.)

• Implementation-defined: compiler chooses and documents.

• Unspecified: compiler chooses but need not document.

• Undefined: anything can happen.

Undefined behaviour is dangerous because the compiler may optimise based on the assumption that the undefined case is impossible. Security checks can be removed or changed.

ASLR purpose and limitations

ASLR makes addresses unpredictable, so attackers cannot easily jump to known code/data locations.

Limitations:

• Information leaks can reveal addresses.

• It does not remove the underlying overflow.

• Low entropy or repeated attempts can defeat it.

• Non-PIE binaries/libraries may still be predictable.

DAC vs MAC

• DAC: owner controls access. Example: Unix file owner decides permissions.

• MAC: system policy controls access. Example: military/classified systems or SELinux.

system() vs exec*

system() invokes a shell, so metacharacters, PATH, environment variables, quoting, and command injection become dangerous.

execve() executes a specific program with explicit argv/envp. Arguments are passed as data, not shell code.

Canonicalization

Converting input into a standard form before checking it. Important because attackers can encode the same path/value multiple ways.

Example: ../secret.txt, URL encoding, symlinks, case differences.

Explain the concept of memory isolation as provided by modern operating systems. What problem does it solve, and what mechanism (hardware or OS) enables it?

Modern OSes give each process its own virtual address space. This prevents one process directly reading/writing another process’s memory. Enabled by hardware MMU + OS page tables.

Economy of Design

Keep security-critical code simple. Complex custom parsing or auth logic is more likely to contain bypasses.

Complete mediation

Every access should be checked. If a system checks permission only at login but not when files are accessed, stale permissions may allow unauthorised access.

signed vs unsigned integer

signed is both positive and negative while unsigned can only be positive.