King’s College London
This paper is part of an examination of the College counting towards the award of a degree. Examinations are governed by the College Regulations under the authority of the Academic Board.
Degree Programmes: MSc, MSci
Module Code: 7CCSMSEN (Mock Exam)
Module Title: Security Engineering
Examination Period: Mock Exam 2019
Time Allowed: Two hours
Rubric: ANSWER THREE OF FOUR QUESTIONS.
All questions carry equal marks. If more than three questions are answered, the three answers with highest marks will count.
THIS IS A MOCK EXAM.
Calculators: Calculators are not permitted
Notes: Books, notes or other written material may not be brought into this examination
PLEASE DO NOT REMOVE THIS PAPER FROM THE EXAMINATION ROOM
2019 King’s College London
Mock Exam 2019 7CCSMSEN (Mock Exam)
1. Consider the following C code fragment:
    int func(int i, double *data1, double data2) {
        double *p = &global_double;
        double *vec[10];
        if ((i<0) || (i>10)) return;
        vec[i] = data1;
        *p = data2;
    }
a. Explain why this code is vulnerable to a control hijacking attack. Briefly explain how your attack works.
[8 marks]
b. If this code is compiled with StackGuard, will the overflow attack be prevented? If so explain why, if not explain why not.
[8 marks]
c. The above program is vulnerable to a basic buffer overflow attack. Such attacks use the fact that the return address is at a higher memory address than the local variables (buffer). Explain how to carry out a buffer overflow attack if the stack layout is reversed. In the reversed layout, the stack grows from lower-numbered memory locations to higher ones, and the return address is at a lower memory address than the local variables allocated in the same stack activation record. (You may assume that byte ordering—endianness—remains the same.)
[9 marks]
2. Cross Site Scripting and SQL Injection attacks.
a. Cross Site Scripting is often abbreviated as XSS.
i. Briefly describe how Cross Site Scripting (XSS) works.
[4 marks]
ii. State what information an attacker can steal using XSS and why it is useful.
[3 marks]
iii. How can the effects of XSS be mitigated? Please outline limitations as well, if any.
[3 marks]
b. SQL Injection is a popular way of attacking applications that use SQL databases.
i. Briefly describe how SQL Injection works.
[4 marks]
ii. Apart from username and password input fields, which variables are candidates for SQL Injection?
[3 marks]
iii. What techniques can an application programmer use to mitigate the effects of SQL injection attacks? Please outline limitations as well, if any.
[4 marks]
iv. An online shopping site www.example.com/shop.php takes a name from a URL parameter and constructs an SQL query as follows:
    $query = "SELECT * FROM Users WHERE username = '$name'"
Construct a URL and the corresponding SQL query that delete all entries from the customers table [1]. The following character codes may be useful:
    Encoding   ASCII value
    %20        space
    %27        '
    %3b        ;
    %3d        =
[4 marks]
[1] In SQL, DELETE works just like SELECT.
3. Consider the following x86 assembly code fragment:
     1  jmp ahead
     2  back:
     3  popl %esi
     4  xorl %eax, %eax
     5
     6  # … missing instruction …
     7
     8  leal (%esi), %ebx       # place address of string '/bin/sh' in %ebx
     9  movl %ebx,8(%esi)       # … and copy it to this memory location (2nd arg)
    10  movl %eax,12(%esi)      # and store null into this location (3rd arg)
    11
    12  movb $0x0b,%al          # syscall 0x0b represents execve
    13  movl %esi,%ebx          # again: argument one -> /bin/sh
    14  leal 8(%esi),%ecx       # argument two -> pointer to /bin/sh
    15  leal 12(%esi),%edx      # argument three -> pointer to NULL
    16  int $0x80
    17
    18  ahead:
    19  call back
    20
    21  .string "/bin/sh#AAAABBBB"
a. Clearly, this is shellcode that tries to execute /bin/sh by means of the execve system call. The string /bin/sh will be the argument to execve. Explain how the shellcode finds this address.
[6 marks]
b. Why do you think the shellcode writer put “AAAABBBB” after the /bin/sh string (after all, these bytes will all be overwritten – could the attacker have omitted them)?
[6 marks]
c. The shellcode will not work. Why not?
[6 marks]
d. Can you remedy the shellcode by adding 1 instruction (on line 6)?
[7 marks]
4. Describe in detail TCP SYN flooding (3 marks), TCP hijacking (3 marks), and IP spoofing attacks (3 marks). Explain how they can represent a threat for the security of Internet users (6 marks) and how they can be mitigated (10 marks).
[25 marks]