Paxson Spring 2017 CS 161 Computer Security Final Exam: (Last) (First)
You may consult two sheets of notes (each double-sided). You may not consult other notes,
textbooks, etc. Calculators, computers, and other electronic devices are not permitted.
Please write your answers in the spaces provided in the test.
You have 180 minutes. There are 9 questions, of varying credit (600 points total). The
questions are of varying difficulty, so avoid spending too long on any one question. Parts of
the exam will be graded automatically by scanning the bubbles you fill in, so please do
your best to fill them in somewhat completely. Don’t worry—if something goes wrong with
the scanning, you’ll have a chance to correct it during the regrade period.
If you have a question, raise your hand, and when an instructor motions to you,
come to them to ask the question.
Do not turn this page until your instructor tells you to do so.
Question: 1 2 3 4 5 6 7 8 9 Total
Points: 80 74 48 72 64 54 96 56 56 600
Score:
Problem 1 True/False (80 points)
For each of the following, FILL IN THE BUBBLE next to True if the statement is
correct, or next to False if it is not. Each correct answer is worth 4 points. Incorrect
answers are worth 0 points. Answers left blank are worth 1 point.
(a) Thanks to strong cryptography, a TLS connection to your bank is secure even if
their web server’s TCP/IP implementation has a buffer overflow vulnerability.
True False
(b) Thanks to strong cryptography, a TLS connection to your bank is secure even if
your home router’s TCP/IP implementation has a buffer overflow vulnerability.
True False
(c) To protect against Kaminsky blind spoofing attacks requires servers to implement
a new version of the DNS protocol.
True False
(d) Using DNSSEC to resolve example.com guarantees authenticity and integrity on
subsequent HTTP connections to example.com, but not confidentiality.
True False
Solution: DNSSEC provides authenticity and integrity for DNS results, but not
for any subsequent use of those results. The subsequent connections will have
to achieve security separately, such as by using TLS.
(e) A properly configured firewall can prevent any DDoS attack from disrupting the
ability of remote users to access your network.
True False
(f) Using a prepared statement to feed user input to an SQL query ensures that nothing
the user enters will be treated as an SQL command.
True False
(g) A VPN can enable you to safely connect to your company when using an untrusted
public WiFi network.
True False
Solution: The certificate authority only knows example.com’s public key, not
its private key, which it would need for passive decryption. A certificate binds
a public key to an identity (in this case the domain name example.com).
(s) Consider a worm that spreads by each infected instance uniform randomly selecting
a 32-bit IP address. We would expect the worm to initially spread exponentially
fast, but then slow down its spread during the later part of its propagation.
True False
(t) The Slammer worm spread extra-fast because each infected instance of the worm
kept increasing its scanning speed.
True False
Decrypt recorded past TLS sessions that used RSA key exchange.
Decrypt recorded past TLS sessions that used Diffie–Hellman key exchange.
Successfully perform a MITM attack on future TLS sessions.
None of these.
(b) (6 points) DNSSEC provides which of the following security properties for DNS
responses? Mark ALL that apply.
Confidentiality Authentication
Integrity Availability
None of these
(c) (8 points) “Mixing program control and user data” is a class of vulnerabilities where
a program/application accidentally treats user input as code and executes it. Which
of the following attacks exploit this class of vulnerabilities? Mark ALL that
apply.
None of these
(d) (6 points) To verify that she is visiting the correct website, Alice is told to make
sure to check that the URL in the browser’s address bar is the URL she actually
wants to visit. Which of the following statements are true? Mark ALL of the
following statements that apply.
Of relevance for this situation is the principle of Least Privilege
This will help Alice defend herself against some DNS spoofing attacks
Of relevance for this situation is the principle of Consider Human Factors
This will help Alice defend herself against some phishing attacks
This will help Alice defend herself against CSRF attacks
None of these
(f) (8 points) Gandalf is surfing the web and visits the URL http://gondor.berkeley.edu.
Assume that neither his machine nor his local resolver have any entries in their DNS
caches, and that berkeley.edu is the authoritative name server for all berkeley.edu
subdomains. Assuming global deployment and use of DNSSEC, and that DNS zones
use Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs), which of the following
are True? Mark ALL that apply.
(h) (8 points) Which of the following attacks might allow an attacker to steal one of
your browser cookies (Mark ALL that apply):
Clickjacking DDoS
None of these
(i) (6 points) Alice and Bob want to communicate over an insecure channel using one
of the following schemes, where M is the message in plaintext. Which scheme
should they use in order to avoid padding oracle attacks? Assume that (1) all of
the algorithms are secure, and (2) MAC and Sign do not leak anything about M .
Mark ALL that apply.
None of these
Solution: Recall from Project 2 that in padding oracle attacks, the attacker
modifies the ciphertext in some cleverly chosen fashion, asks the client to decrypt
it, and then observes whether the decryption process caused an invalid-padding
error. If the attacker can observe whether such an error occurred, then this
leaks partial information; after repeating this many times, an attacker can piece
together all of these clues to deduce what the original message must have been.
To defend against padding oracle attacks, the recipient must be able to verify
the integrity of the ciphertext before decrypting it. That is, the MAC / signature
must be computed over the ciphertext, and not the plaintext. Hence, only the
option on the top right is correct; in the others, the integrity of the message can
only be verified after decrypting the ciphertext.
In step 1, Alice sends along her identity A and asks S for Bob’s public key. In step
2, S responds by returning Bob’s public key KB along with his identity B, and
signs the message.
Which of the following attacks is this protocol vulnerable to? Mark ALL that
apply.
Mallory can tamper with S’s response so as to substitute her own public key KM instead of KB.
Since S’s response is not encrypted, Mallory can use KB to decrypt any messages Alice sends to Bob in the future.
(k) (8 points) For the same situation as in the previous question, which of the following
modifications to step 2 would defend against the attacks that the protocol in that
question is vulnerable to? Mark ALL that apply.
(b) (8 points) What is the probability that Mallory will succeed if she has 1 chance to
perform her return-to-libc attack?
Solution: If there is one byte of randomness, then the probability for a single
attack to succeed is 1/256. There might even be less randomness; in the output
Mallory saw, the high bit in the bottom byte of the address never varied, so the
probability might be as much as 1/128.
If the probability is 1/256, then it will take Mallory an expected 128 tries to guess
correctly if her failed guesses do not cause re-randomization due to crash-and-restart;
or an expected 256 tries if it does.
strcpy(buf2, data);
strcpy(buf1, data);
}
double_copy(argv[1]);
}
Give an input that will cause “sudo rm -rf /” to be run on the victim machine
with probability equal to what you answered in the previous part.
Use the following assumptions about the victim system:
1. It is an IA-32 platform with 4-byte words (recall it’s also little endian).
2. The stack is aligned at word granularity.
3. Local variables of each function are placed on the stack in the order they appear
in the source code.
4. ASLR is enabled for the stack segment.
5. argv[1] == 0x07070707 will always evaluate to true.
Hint: # is the shell comment character.
You can use \x** (where the *s are replaced by hex digits) to represent a character
in hexadecimal form. Fill in the answer below:
Solution: Note 1: the write to buf2 doesn’t matter for the purposes of this
problem. Any overflow will be immediately rewritten by the write to buf1.
Note 2: we don’t use any 0 characters in our solution since these would be
interpreted as NUL-terminators and cause the strcpy() to stop.
"sudo rm -rf / ##AAAA\x14\x7f\x9d\xbfDUMM\x07\x07\x07\x07"
1. ClientHello: Client sends a 256-bit random number $R_b$ and supported cipher suites $C$
2. ServerHello: Server sends a 256-bit random number $R_s$ and chosen cipher suite $C_{ser}$
3. Certificate: Server sends certificate
4. ServerKeyExchange: DH: Server sends $[g, p, g^a \bmod p]_{K_{server}^{-1}}$
5. ServerHelloDone: Server signals end of handshake
6. ClientKeyExchange: DH: Client sends $g^b \bmod p$
   RSA: Client sends $\{PS\}_{K_{server}}$
   Client and server derive cipher keys $C_b$, $C_s$ and integrity keys $I_b$, $I_s$ from $R_b$, $R_s$, $PS$
7. ChangeCipherSpec, Finished: Client sends MAC(dialog, $I_b$)
8. ChangeCipherSpec, Finished: Server sends MAC(dialog, $I_s$)
9. ApplicationData: Client data takes the form $\{M_1, \mathrm{MAC}(M_1, I_b)\}_{C_b}$
10. ApplicationData: Server data takes the form $\{M_2, \mathrm{MAC}(M_2, I_s)\}_{C_s}$
(a) (24 points) Suppose the client and server use RSA to exchange the premaster secret.
Mallory intercepts the ClientKeyExchange message and replaces $PS$ with a fake
value $PS'$. Assume that Mallory can modify the messages after ClientKeyExchange
as well, if required. Which of the following are true? Mark ALL that apply.
Mallory will be able to decrypt the application data sent by the client to the server.
Mallory can avoid detection until the server receives Finished from the client, at which point she’ll be detected.
Mallory will be able to decrypt the application data sent by the server to the client.
Mallory can avoid detection until the client receives Finished from the server, at which point she’ll be detected.
The server will detect the tampering when it receives ClientKeyExchange.
None of these
(b) Now suppose the client and server use Diffie-Hellman for exchanging the premaster
secret. Mallory wants to decrypt the data sent by the server to the client by
downgrading the cipher suites. She doesn’t care about the data sent by the client
to the server. If the server always picks the strongest cipher suite and parameters
available, specify whether Mallory’s attack will succeed in the following scenarios
(Yes/No).
If yes, then list the handshake messages Mallory will need to necessarily modify. If
not, explain why.
Assume that unless specified, all cryptographic algorithms supported by the client
and server are secure.
i. (12 points) Suppose the client and server support 3DES in addition to AES.
Mallory is aware of an attack on 3DES that allows her to learn any message
encrypted using it. She therefore wishes to force the client and server to use
3DES instead of AES as the encryption algorithm.
ii. (12 points) Suppose the client and server support a weak variant of
Diffie-Hellman ($DH_{weak}$). Mallory is aware of an attack on $DH_{weak}$ that allows her to
learn the exchanged secret. She therefore wishes to force the client and server
to use $DH_{weak}$ instead of standard Diffie-Hellman.
(c) (24 points) Recall that ClientHello contains a nonce Rb, along with C, the cipher
suites supported by the client. ServerHello contains a nonce Rs along with Cser,
the cipher suite chosen by the server. Which of the following modifications to the
TLS protocol would prevent Mallory from conducting any downgrade attacks on
the cipher suites? Mark ALL that apply.
ServerKeyExchange includes $[C]_{K_{server}^{-1}}$
ServerKeyExchange includes $[R_b \,\|\, C \,\|\, C_{ser}]_{K_{server}^{-1}}$
Solution: The attack won’t work if the client can verify whether the cipher suites
C received by the server were altered by Mallory. To this end, the server can
send the client a signature over C after binding it with Cser (as in Options 6
and 7). The client can then verify the signature, validate C, and be assured
that the server chose Cser after receiving the correct cipher suites. (Including
Rb as in Option 7 is unnecessary, but doesn’t cause any problems.)
Options 1, 2 and 3 (lefthand column) don’t work because Mallory can obtain
the necessary signature by launching her own separate TLS session with the
server and sending C in the ClientHello message. Including Rb in the signature
doesn’t help because Mallory can still MITM the connection as follows:
1. Pause the client’s ClientHello message
2. Launch a separate TLS session using the client’s Rb and C, obtaining a
valid signature over these
(b) (16 points) What email Subject: could you send that would tell you whether or
not there is a user called dbadmin on the spellcheck server? The list of users is
stored in the file /etc/passwd.
Subject:
(c) (32 points) State one way that you could fix the vulnerability? (If you name more
than one, we will only grade the first.)
(b) (24 points) Turns out that Brewed Awakening’s network has no encryption. Alice
warns Bob that it’s not safe to use this connection, but Bob disagrees. Bob
connects to the WiFi, and tests that he has Internet connectivity by going to
https://kewlsocialnet.com. It loads without issues. Bob says to Alice: “See,
no problem! That access was totally safe!”
If Bob is correct and the access to kewlsocialnet.com was safe, explain why he is
correct. If he is not correct, provide a network attack against Bob.
Answer:
(c) (24 points) Now that he has tested his WiFi access, Bob then tells Alice: “I want
to buy that last muffin at the counter. Let me check if I have enough money
in my bank account.” Eve hears this and panics! She wants the last muffin too
but is waiting for her friend Mallory to bring enough cash to buy it. She is now
determined to somehow stop Bob from buying that last muffin by preventing him
from checking his bank account. Through the corner of her eye, Eve sees Bob start
to type https://bank.com in his browser URL bar . . .
Describe two network attacks Eve can do to prevent Bob from checking his bank
account. For each attack, describe clearly in one or two sentences how Eve performs
the attack.
Attack #1:
Attack #2:
Solution:
Note that Eve cannot do an ARP or DHCP spoofing attack as Bob has already
connected to the WiFi network, so already knows the IP and hardware addresses
of the local network’s gateway and DNS resolver. (This assumes that extraneous
ARPs are not accepted by Bob’s system. ARP spoofing is a viable answer for
this problem if accompanied by specific mention of this consideration.)
1. TCP RST injection attack — Eve can sniff Bob’s transmitted (and re-
ceived) packets, so she can observe the sequence numbers of TCP packets.
Thus, Eve can send a valid TCP RST packet to Bob’s browser (or to the
bank website), resetting the TCP connection.
2. DNS response spoofing — When Bob tries to load the bank website, his
browser will generate a DNS request for the bank’s domain. Eve can
spoof a response with an incorrect answer, preventing Bob from loading
the bank website properly.
3. DoS attack on either Bob’s system or the coffee shop network. This can be
done through various means, such as DNS amplification attacks directed
at Bob.
Physical Transport
Link Application
Solution: Because the GC operated in-line, it can see all of the packet header
values it needed in order to construct its bogus reply. Because the fetch used
HTTP and not HTTPS, it could in addition see the germane application-layer
values.
(b) (6 points) Which layer was this attack meant to particularly stress regarding Github’s
servers? Mark the BEST choice.
Physical Network
Link Transport
Solution: The queries redirected to Github all used fully established TCP con-
nections. This means they did not particularly stress the Transport layer or any
lower layers. The attack imposed load on Github’s web server process, i.e., at
the Application layer.
(c) (4 points) Whose traffic contributed to the DDOS attack? Mark the BEST
choice.
(d) (4 points) Which packets would the implementers of this attack need to inspect?
Mark the BEST choice.
(e) (12 points) Why doesn’t the Same Origin Policy prevent this attack? (Limit your
answer to no more than 2 sentences.)
Solution: The SOP prevents one origin from accessing another’s DOM. Here,
the issue is instead that an origin can still load another site (e.g., in an iframe),
which in this case will trigger a request to Github and increase load on the
Github server.
(f) (12 points) For this and the next question, suppose that after the attack began,
Github installed a NIPS to deal with this particular attack. Assume the NIPS
is deployed on the Ethernet link connecting the github.com server to the public
Internet. What kind of detection is MOST LIKELY to be effective under the
circumstances? Mark the BEST choice and provide a short explanation.
Signature-based Behavioral
Anomaly-based Honeypots
Explanation:
(g) (12 points) Suppose that the attack caused Github to receive 50 times as many
bogus requests as legitimate requests, and that Github will consider a defense suc-
cessful if it reduces the volume of flooding requests by at least a factor of 50, so the
flooding is no larger than the volume of legitimate requests. Suppose further that
Github found that their NIPS had a precision of 0.999 and a recall of 0.99 when
detecting this attack. To what degree would this represent a successful defense?
Mark ONE of the following and BRIEFLY explain (≤ 2 sentences) your
answer.
Yes, the NIPS provided a successful defense.
No, the NIPS did not provide a successful defense.
Explanation:
(h) (8 points) This attack occurred for sets of HTTP requests. Which of the following
changes would have prevented the attack? Consider each choice in isolation (i.e.,
assess whether it prevents the attack assuming none of the other choices are in
effect). Mark ALL that apply. For each choice, assume that the content that
the site serves remains the same.
Every website that uses Baidu’s analytics switches to serve its content using HTTPS instead of HTTP.
Baidu switches its analytics server over to only be accessible using an HTTPS URL.
(i) (8 points) Which of the following techniques could Github have used to make the
attack ineffective? Mark ALL that apply.
Blacklist any packets from Chinese IP addresses
Move the affected Github server to a new IP address
Use SYN cookies for all new connections
Remove all use of Baidu analytics from Github web pages
None of these
(j) The remainder of this problem concerns a Web security feature called Subresource
Integrity (SRI). It works by adding an attribute to the script tag for externally
loaded scripts:
<script src="http://example.com/script.js" integrity="[CRYPTOGOOP]">
Browsers then validate the integrity of the script retrieved from the given src=
location.
i. (8 points) What should CRYPTOGOOP contain for it to achieve its goal of
assuring integrity, while minimizing the effort required by web developers to
adopt it? Mark the BEST answer.
A MAC of the script being loaded
A hash of the URL of the script
ii. (8 points) Suppose every website with Baidu’s analytics starts using SRI. Given
GC’s capabilities, could it still redirect some Baidu analytics traffic to Github?
Yes No
Explanation (1 sentence):
iii. (8 points) Name ONE drawback to a website’s owner from deploying SRI. (If
you name more than one, we will only grade the first.)
Drawback:
Solution: Website owners will have to manually update the SRI tag if the
external script changes. This will require coordination between the website
and the external site to pick up any new features, bug fixes, or security
updates. We allowed partial credit for answers that did not identify this
consideration but did flag that the website owner would have to do some
initial work to securely gather the CRYPTOGOOP.
We allowed partial credit for answers stating that the use of SRI would slow
down web page load times. This is a very modest effect, since hashes are
quick to compute.
No credit was given for answers that discussed the cost of servers having
to generate CRYPTOGOOP in response to incoming requests for a script.
The generation would be done offline, since it’s only needed one time per
change to a script.
No credit was given for answers that discussed leveraging the cost of cryp-
tography for DoS. That would not be a drawback for the website owner,
since it would only be relevant for them if they themselves wanted to use
SRI to induce a DoS on other sites.
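The offline generation step and the load-time check discussed in the solution above, as an added example that is not part of the exam. It is a simplified model of the browser's comparison; the script contents and function names are constructed for illustration.

```python
# Added example (not from the exam): produce an integrity value offline and
# model the check a browser applies to the bytes it actually fetched.
import base64
import hashlib

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # hash names SRI accepts

# Constructed sample scripts.
V1 = b"function track(){ /* analytics v1 */ }\n"
INJECTED = V1 + b"/* extra code added in transit */\n"
V2 = b"function track(){ /* analytics v2, upstream bug fix */ }\n"


def sri_value(script: bytes, alg: str = "sha384") -> str:
    """Value for the integrity attribute: '<alg>-<base64 digest of the script>'."""
    digest = hashlib.new(alg, script).digest()
    return alg + "-" + base64.b64encode(digest).decode("ascii")


def parse_integrity(attr: str):
    """Return [(alg, b64digest)] for recognised tokens; others are skipped."""
    parsed = []
    for token in attr.split():
        alg, sep, rest = token.partition("-")
        if sep and alg in STRENGTH:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop any ?options
    return parsed


def script_allowed(script: bytes, attr: str) -> bool:
    """True if the fetched bytes match a listed hash of the strongest algorithm."""
    parsed = parse_integrity(attr)
    if not parsed:
        return True  # no recognised hash: nothing is enforced
    strongest = max(alg for alg, _ in parsed if True) if False else \
        max(parsed, key=lambda item: STRENGTH[item[0]])[0]
    return any(
        alg == strongest and sri_value(script, alg) == alg + "-" + expected
        for alg, expected in parsed
    )


def script_tag(src: str, script: bytes) -> str:
    """Tag in the form shown on the page, with the computed value filled in."""
    return '<script src="%s" integrity="%s">' % (src, sri_value(script))


if __name__ == "__main__":
    pinned = sri_value(V1)
    print(script_tag("http://example.com/script.js", V1))
    print("original accepted:", script_allowed(V1, pinned))
    print("modified accepted:", script_allowed(INJECTED, pinned))
    print("upstream update accepted under old value:", script_allowed(V2, pinned))
```

The last line of output is the drawback the solution names: a legitimate upstream change fails the check until the site republishes the tag with the new value.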
For each arithmetic operation you select, write down the equation that someone
can use to compute $C_3$ using the components of $C_1$, $C_2$ (i.e., $s_1, t_1, s_2, t_2$), and the
public key. Or if none of the computations is possible, explain why not.
Equation(s) or Explanation:
(b) (24 points) Suppose Alice sends Bob a message $M_0$ after encrypting it with Bob’s El
Gamal public key. Let $C_0 = (s_0, t_0)$ be the corresponding ciphertext. Mallory wants
to learn the message $M_0$. Bob agrees to decrypt a single ciphertext $C_1 = (s_1, t_1)$ of
Mallory’s choice, as long as $C_1 \neq C_0$. Explain how Mallory can take advantage of
Bob’s offer in order to learn $M_0$.
Hint: Mallory observes that she can manipulate $C_0$ in a way that allows her to
obtain another valid ciphertext that also decrypts to $M_0$.
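$$
\begin{aligned}
C_2 &= C_1 \times C_0 \\
    &= (s_0 s_1 \bmod p,\; t_0 t_1 \bmod p) \\
    &= (g^r g^s \bmod p,\; M_0 M_1 \times h^r h^s \bmod p) \\
    &= (g^{r+s} \bmod p,\; M_0 M_1 \times h^{r+s} \bmod p)
\end{aligned}
$$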
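The product in the derivation above, carried out in code as an added example that is not part of the exam. It uses textbook El Gamal with the page's (s, t) notation; the modulus, base, message and all function names are constructed for illustration, and the case where the second plaintext is 1 is the re-randomisation the hint refers to.

```python
# Added example (not from the exam): textbook El Gamal with constructed toy
# parameters, using the page's notation C = (s, t) = (g^r, M * h^r) mod p.
import secrets

P = 2**127 - 1   # a Mersenne prime; constructed demo modulus, not a safe choice
G = 3            # constructed base


def keygen():
    x = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return x, pow(G, x, P)                    # (x, h = g^x mod p)


def encrypt(h, m):
    r = secrets.randbelow(P - 3) + 2          # fresh randomness per message
    return pow(G, r, P), m * pow(h, r, P) % P


def decrypt(x, c):
    s, t = c
    return t * pow(s, P - 1 - x, P) % P       # t * s^(-x) mod p (Fermat)


class OneShotDecryptor:
    """Bob's offer: decrypt a single ciphertext, provided it is not C0."""

    def __init__(self, x, c0):
        self._x, self._c0, self._used = x, c0, False

    def decrypt(self, c):
        if self._used or c == self._c0:
            raise PermissionError("refused")
        self._used = True
        return decrypt(self._x, c)


def multiply(c0, h, m1=1):
    """C0 times a fresh encryption of m1: a different ciphertext for M0 * m1."""
    while True:
        s1, t1 = encrypt(h, m1)
        c = (c0[0] * s1 % P, c0[1] * t1 % P)
        if c != c0:                           # retry in the unlikely equal case
            return c


def run(m1=1):
    """Return (m0, value recovered via the one-shot service, was C0 refused)."""
    x, h = keygen()
    m0 = int.from_bytes(b"wire $100", "big")  # constructed message, m0 < P
    c0 = encrypt(h, m0)
    try:
        OneShotDecryptor(x, c0).decrypt(c0)
        refused_c0 = False
    except PermissionError:
        refused_c0 = True
    answer = OneShotDecryptor(x, c0).decrypt(multiply(c0, h, m1))
    recovered = answer * pow(m1, P - 2, P) % P   # divide out m1
    return m0, recovered, refused_c0


if __name__ == "__main__":
    print(run())        # m1 = 1: pure re-randomisation
    print(run(65537))   # general m1, as in the derivation
```

Refusing one exact ciphertext does not help because the scheme has no ciphertext integrity; the fix is a construction that rejects modified ciphertexts before decrypting them.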
(c) (8 points) Which of the following best describes the attack in the previous ques-
tion?
Mallory in addition notices that the site uses a framework for which the below Python
code at the server validates authentication attempts:
def CheckPassword(account, submitted_password):
    # Reject immediately when the lengths differ.
    if len(submitted_password) != len(account.password):
        return False
    # Compare character by character, returning at the first mismatch.
    for i in range(len(submitted_password)):
        if submitted_password[i] != account.password[i]:
            return False
    return True
Assume that the code is compiled without any optimization, and that all comparison
operators take a single instruction to execute. Also assume that len(x) always takes
$10^3$ attempts
$10^6$ attempts
Mallory can do this but will need more than $10^{12}$ attempts
Solution: The key observation to this problem is that the web server’s answer
leaks information about the amount of computation done to validate the pass-
word for the account. This provides a side channel. The server’s reply provides
5 types of such potential information:
1. The server’s software version. This won’t change between answers, so does
not provide any additional information.
2. The time the job began and finished, to one-second granularity. As indi-
cated in the example, the resolution of these times (here, resulting in an
elapsed time of 0 seconds) is too coarse to provide a useful timing channel.
3. The number of instructions executed. This provides a very fine-grained
indication of how much computation was done, analogous to (and in fact
even better than) the timing channel discussed in lecture.
4. The amount of memory required. This could provide fine-grained infor-
mation about the amount of computation that’s done, but the checking
routine (and the one in the next part of the problem) doesn’t vary its
memory consumption based on the progression of the password-matching
process. (But see below.)
5. The disk storage required. As indicated in the example, this does not
appear to provide any useful information.
Note that the problem is framed in terms of Mallory using her browser to access
the server: thus, Mallory is not operating on the same system as the server,
(b) (16 points) How many authentication attempts will suffice for Mallory to determine
the exact value of Alice’s password? Choose the MINIMUM such number of
attempts that guarantees success for Mallory:
$10^3$ attempts
$10^6$ attempts
Mallory can do this but will need more than $10^{12}$ attempts
Solution: Mallory first determines the length of Alice’s password. This requires
at most 6 attempts, each of a distinct length. (Because even if all 6 fail, then
she knows that the length she didn’t try is the correct one.)
Because the checking routine exits immediately upon finding a mismatch, Mal-
lory can know how many instructions correspond to a mismatch in the 1st, 2nd,
(c) (12 points) Suppose www.lamesec.com instead uses the following code to validate
authentication attempts:
def CheckPassword(account, submitted_password):
    if len(submitted_password) != len(account.password):
        return False
    num_correct = 0
    num_incorrect = 0
    # Every position is examined; exactly one counter is incremented per character.
    for i in range(len(submitted_password)):
        if submitted_password[i] == account.password[i]:
            num_correct = num_correct + 1
        if submitted_password[i] != account.password[i]:
            num_incorrect = num_incorrect + 1
    return num_incorrect == 0
Given this change, now how many authentication attempts will suffice for Mallory
to determine the length of Alice’s password? Choose the MINIMUM such number
of attempts that guarantees success for Mallory:
$10^3$ attempts
$10^6$ attempts
Mallory can do this but will need more than $10^{12}$ attempts
Solution: For the revised code, the check for length at the beginning hasn’t
changed. Thus, the same logic applies as before; it takes 6 attempts to determine
the length.
(d) (16 points) Continuing with the new version of CheckPassword, now how many
authentication attempts will suffice for Mallory to determine the exact value of Al-
ice’s password? Choose the MINIMUM such number of attempts that guarantees
success for Mallory:
$10^3$ attempts
$10^6$ attempts
Mallory can do this but will need more than $10^{12}$ attempts
Solution: Once the execution has proceeded beyond the length test, the re-
vised code completely eliminates the instruction-counter side channel: no mat-
ter whether any of the characters match or do not match, the same number of
instructions are executed.
Thus, all Mallory can do at this point is resort to brute force. This requires
$32^7 = (2^5)^7 = 2^{35}$ attempts. Approximating $2^{10} \approx 10^3$, this corresponds to
$2^5 \cdot 10^9$. So $10^9$ attempts won’t suffice, but $10^{12}$ will.
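The difference between the two CheckPassword variants, measured rather than argued, as an added example that is not part of the exam. The step counter stands in for the instruction count the server reports; the alphabet, the stored password and the function names are constructed, and the length is assumed to be known already.

```python
# Added example (not the exam's code): instrumented copies of the two
# CheckPassword variants that count executed comparison/update steps.
import hmac
import string

ALPHABET = string.ascii_lowercase + string.digits  # constructed alphabet
STORED = "kiwi7"                                   # constructed password


def check_early_exit(stored, submitted):
    """First variant: returns at the first mismatch. Gives (result, steps)."""
    steps = 1  # the length comparison
    if len(submitted) != len(stored):
        return False, steps
    for i in range(len(submitted)):
        steps += 1
        if submitted[i] != stored[i]:
            return False, steps
    return True, steps


def check_full_scan(stored, submitted):
    """Second variant: two comparisons and one increment per character."""
    steps = 1
    if len(submitted) != len(stored):
        return False, steps
    num_correct = num_incorrect = 0
    for i in range(len(submitted)):
        steps += 3
        if submitted[i] == stored[i]:
            num_correct += 1
        if submitted[i] != stored[i]:
            num_incorrect += 1
    return num_incorrect == 0, steps


def check_constant_time(stored, submitted):
    """Library comparison designed not to depend on where the inputs differ."""
    return hmac.compare_digest(stored.encode(), submitted.encode())


def audit(check, stored=STORED, alphabet=ALPHABET):
    """What does the step counter reveal once the length is known?

    Returns (recovered_or_None, attempts). A position is learned only if the
    step counts for different candidate characters at that position differ.
    """
    known, attempts, n = "", 0, len(stored)
    for pos in range(n):
        seen = {}
        for ch in alphabet:
            guess = known + ch + alphabet[0] * (n - pos - 1)
            ok, steps = check(stored, guess)
            attempts += 1
            if ok:
                return guess, attempts
            seen[ch] = steps
        if len(set(seen.values())) == 1:
            return None, attempts      # counter is flat: no signal
        known += max(seen, key=seen.get)
    return known, attempts


if __name__ == "__main__":
    print("early exit :", audit(check_early_exit))
    print("full scan  :", audit(check_full_scan))
    print("brute force:", len(ALPHABET) ** len(STORED), "candidates")
```

With the early-exit variant the counter gives the password away in at most alphabet size times length attempts; with the full-scan variant the counter is flat and only exhaustive search remains.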