Your organization hired an external security team to conduct penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is your organization least concerned about with respect to the penetration test?
A. Thoroughly document all activities performed during the test.
B. Produce results indicating the risk exposure for exploited and validated vulnerabilities.
C. Validate existing security and privacy controls.
D. Provide actionable results with information about possible remediation measures.



Your organization is planning penetration testing to assess the security and privacy controls in organizational information systems. Which of the following is not an appropriate time to conduct penetration testing?
A. Before any newly developed system is authorized for operation
B. When legacy systems are undergoing a major upgrade.
C. After important changes are made to the environment in which the system operates.
D. When a well-known type of attack, rated as high risk, is retained in the risk register.


Detecting Virtual Machines

Software Runtime Environment

VMware is a proprietary, closed-source, reduced privilege guest virtual machine emulator. It supports guest-to-host and host-to-guest communication. Since it relies on the underlying hardware for execution of instructions, it must relocate sensitive data structures, such as the Interrupt Descriptor Table and the Global Descriptor Table. VMware also makes use of the Local Descriptor Table which is not otherwise used by Windows. Thus, a simple detection method for VMware is to check for a non-zero Local Descriptor Table (LDT) base on Windows.


The more common method for detecting VMware is to check the value of the Interrupt Descriptor Table, using the “RedPill” method. For the “RedPill” method, if the value of the Interrupt Descriptor Table base exceeds a certain value, a virtual machine emulator is assumed to be present. However, as the LDT paper shows, this method is unreliable on machines with multiple CPUs.

Scooby Doo

The “Scooby Doo” method uses the same basic idea as the RedPill method but it compares the Interrupt Descriptor Table base value to specific hard-coded values in order to identify VMware specifically. While the Scooby Doo method is less likely to trigger false positives, compared to the RedPill method, there is still the chance that some false positives will occur.

Source: Peter Ferrie
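The three checks described above (the LDT test, RedPill and Scooby Doo) as an added example; this is not code from Ferrie's paper or from the original tools. The logic is separated from the register reads so that the decision functions can be exercised with constructed SIDT/SLDT images on any machine: the RedPill cut-off (top byte of the IDT base above 0xd0) follows Rutkowska's published check and the Scooby Doo signatures (VMware at 0xffXXXXXX, Virtual PC at 0xe8XXXXXX) follow Klein's; all function and constant names are my own. The live reads assume a 32-bit Windows guest layout for the signatures to mean anything, and they are wrapped in a caveat: on a CPU with UMIP enabled the operating system may fault or return synthetic values for these unprivileged instructions, so a failed read means "unknown", not "native".

```c
#include <stdint.h>
#include <stdio.h>

/* RedPill: on a native 32-bit Windows host the IDT base sits well below
 * 0xd0000000, so a top byte above 0xd0 is taken as a relocated IDT (a VM).
 * Hypothetical constant name; the value is Rutkowska's published cut-off. */
#define REDPILL_TOP_BYTE 0xd0u

enum vm_kind { VM_NONE = 0, VM_VMWARE, VM_VIRTUALPC };

/* A 32-bit SIDT stores 6 bytes: a 2-byte limit followed by the 4-byte
 * little-endian linear base. Pull the base out of that image. */
uint32_t idt_base_from_sidt32(const uint8_t *idtr)
{
    return (uint32_t)idtr[2]
         | ((uint32_t)idtr[3] << 8)
         | ((uint32_t)idtr[4] << 16)
         | ((uint32_t)idtr[5] << 24);
}

/* RedPill: generic "some VM is present" heuristic. Known to misfire on
 * multi-CPU hosts, because each CPU has its own IDT and the thread may be
 * sampled on any of them. */
int redpill(uint32_t idt_base)
{
    return (idt_base >> 24) > REDPILL_TOP_BYTE;
}

/* Scooby Doo: same register, but compared against hard-coded bases so the
 * product is named and false positives are rarer (not zero). */
enum vm_kind scoobydoo(uint32_t idt_base)
{
    switch (idt_base >> 24) {
    case 0xff: return VM_VMWARE;     /* VMware relocates the IDT to 0xffXXXXXX */
    case 0xe8: return VM_VIRTUALPC;  /* Virtual PC uses 0xe8XXXXXX */
    default:   return VM_NONE;
    }
}

/* LDT check: Windows itself does not use an LDT, so SLDT yields a null
 * selector on a native host; VMware installs one, giving a non-zero value. */
int ldt_check(uint16_t ldtr)
{
    return ldtr != 0;
}

#if defined(__i386__) || defined(__x86_64__)
/* Descriptor-table register image: 2-byte limit, then a 4- or 8-byte base. */
struct __attribute__((packed)) dtr { uint16_t limit; uintptr_t base; };

/* Live reads. SIDT/SLDT are unprivileged on x86, but with UMIP the kernel
 * may fault on SLDT or hand back a synthetic SIDT base; callers must treat
 * that as "unknown" rather than "native". On a 64-bit guest the 32-bit
 * signatures above do not apply; only the low 32 bits are returned. */
static uint32_t live_idt_base(void)
{
    struct dtr idtr = {0, 0};
    __asm__ volatile ("sidt %0" : "=m" (idtr));
    return (uint32_t)idtr.base;
}

static uint16_t live_ldtr(void)
{
    uint16_t sel = 0;
    __asm__ volatile ("sldt %0" : "=m" (sel));
    return sel;
}
#endif

int main(void)
{
#if defined(__i386__) || defined(__x86_64__)
    uint32_t base = live_idt_base();
    printf("IDT base (low 32 bits) 0x%08x: redpill=%d scoobydoo=%d ldt=%d\n",
           base, redpill(base), (int)scoobydoo(base), ldt_check(live_ldtr()));
#else
    puts("not x86: descriptor-table checks do not apply");
#endif
    return 0;
}
```

The constructed values below are a typical native Windows XP IDT base (0x8003f400) and a VMware-style relocated one (0xffc18000); RedPill and Scooby Doo agree on both, but note that RedPill would also flag any native host whose IDT merely happens to sit above 0xd0000000, which is exactly the multi-CPU false positive the LDT paper describes.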


You are implementing a security kernel that aligns with the reference monitor concept to enforce the access control policy prohibiting unauthorized information disclosure. Which of the following is correct about your implementation?
A. Information as constrained data items is well-formed to prevent conflict of interest.
B. Lipner’s model is a formal model that can support your design and enforce the policy.
C. A subject with a confidential clearance cannot write to a file classified as top secret.
D. All information flow from a higher security level to a lower one is blocked, with no exceptions, per the Bell-LaPadula model.


Programming, Processing, and Computing

Computer Architecture

It’s not uncommon to use terms like multiprogramming, multitasking, multithreading, multiprocessing, etc., but often without consistent definitions. This post shares my definitions and perspectives on these terms.


  • The term software may refer to a program or a process.
  • A program is the static image of code at rest, in storage. It can be a text-based script or a binary executable, and it is the target of static software testing.
  • A script is typically executed by an interpreter.
  • An executable is the machine code produced from source code by a compiler (and linker).
  • A process is a program loaded into memory and executing. It is the target of dynamic software testing.
  • A task is a unit of work scheduled by the operating system.
  • A thread is the smallest unit of execution the operating system schedules onto a processor. A single-threaded process contains one thread, the main thread (called the UI thread in GUI applications); a multi-threaded process comprises two or more threads.
  • Scheduling means the arrangement of tasks to be executed by the processor.

CVE and Vulnonym

Do you know that “Heartbleed” is a bug in OpenSSL’s implementation of the TLS heartbeat extension, identified as CVE-2014-0160? A CVE identifier is not memorable; people love names. However, a bug named by a security company may be too sensational and cause fear, uncertainty, and doubt.

CERT/CC Vulnonym

CERT/CC: ‘Sensational’ bug names spark fear, hype – so we’ll give flaws our own labels… like Suggestive Bunny




The Bell-LaPadula (BLP) model is a formal security model based on a state machine that prevents information flow from a higher security level to a lower one. Which of the following is correct about the BLP model?
A. The BLP model provides mandatory protection from unauthorized information alteration.
B. The BLP model doesn’t rely on infinite states to avoid attacks that might predict its behavior.
C. The BLP model prescribes all subjects at a higher security level shall not write to an object at a lower level.
D. The BLP model maintains both secure and insecure states and enforces secure transitions between states.
