2020
CS 161 Computer Security
Final Exam
For questions with circular bubbles, you may select exactly one choice on Gradescope. Unselected option
Only one selected option
For questions with square checkboxes, you may select one or more choices on Gradescope.
You can select
multiple squares
For questions with a large box, you need to write your answer in the text box on Gradescope.
There is an appendix at the end of this exam, containing descriptions of all C functions used on this exam.
You have 170 minutes, plus a 10-minute buffer for distractions or technical difficulties, for a total of 180 minutes. There are 11 questions of varying credit (200 points total).
The Gradescope answer sheet assignment has a time limit of 180 minutes. Do not click “Start Assignment” until you’re ready to start the exam. The password to decrypt the PDF is at the top of the answer sheet.
The exam is open note. You can use an unlimited number of handwritten cheat sheets, but you must work alone.
Clarifications will be posted at https://cs161.org/clarifications.
Q1 MANDATORY – Honor Code (5 points)
Read the following honor code and type your name on Gradescope.
I understand that I may not collaborate with anyone else on this exam, or cheat in any way. I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in, at minimum, negative points on the exam and a corresponding notch not on Nick’s staff but on his demolition tool.
Solution: Don’tworryifyouforgottofillinyourname.Everyonegets5freepointsforembracing the suck this semester.
We won’t take any points off if you entered something for a subpart that doesn’t exist, or if you filled in a text box on a multiple-choice question, or vice-versa. To be consistent, we will not consider any unnecessary writing/bubbling on your exam during grading (pretend it’s scratch work).
This is the end of Q1. Leave the remaining subparts of Q1 blank on Gradescope, if there are any. Proceed to Q2 on your answer sheet.
Page 1 of 35
Q2 True/false (34 points) Each true/false is worth 2 points.
Q2.1 True or False: A cookie with the Secure flag set cannot be exploited in an XSS attack. True False
Q2.2 True or False: A stack canary is placed above the local variables but below the rip of a given stack frame in order to defend against buffer overflow vulnerabilities.
Clarification during exam: “below the rip” means “somewhere below the rip,” not necessarily directly below the rip.
True False
Q2.3 True or False: Secure cryptographic hash functions provide IND-CPA confidentiality on a message because they are irreversible.
True False
Solution: False. The Secure flag prevents a cookie from being sent over an unencrypted HTTP connection, which is unrelated to XSS vulnerabilities. Cookies with the HttpOnly flag are secure against XSS attacks, however.
Solution: True. Stack canaries defend against buffer overflows because stack buffers reside in the local variables, so an overflow would have to overwrite the stack canary before it overwrites the rip.
Solution: False.Thesimplestwaytoreasonaboutthisistonotethathashesaredeterministic, so they cannot be IND-CPA secure.
More formally, IND-CPA confidentiality provides a stricter sense of security in that nothing about the message is learned other than its length. Let H be a secure hash function. Define H′(x) = H(x)||x0—that is, H′ produces the output of H plus the first bit of x0. Because of the properties of H, H′ is still one-way (since reversing H′ would reverse H) and collision resistant (since a collision on H′ is a collision on H), but the first bit of x is learned, violating confidentiality.
Q2.4 Let E be an IND-CPA secure encryption scheme, and E′(x) = E(x)||len(x). In other words, E′(x) is the ciphertext E(x) concatenated with the length of the plaintext x.
Final Exam
Page 2 of 35
CS 161 – Fall 2020
True or False: E′ is IND-CPA secure. True
False
Solution: True.ThedefinitionofIND-CPAallowsIND-CPAsecureschemestoleakthelength of the plaintext. (Recall that in the IND-CPA game, the pair of messages in the challenge are of equal length.) Therefore, exposing the length directly is still secure.
Keep in mind that for many IND-CPA schemes, such as AES-CBC or AES-CTR, the attacker can estimate the length of the plaintext using the length of the ciphertext.
Q2.5 True or False: Modern, freely-available computer vision programs have become powerful enough to make CAPTCHAs obsolete.
True False
Q2.6 True or False: The Great Firewall of China can inject TCP RST packets to censor connections. True False
Q2.7 True or False: Modern systems enable stack canaries, WˆX, ASLR, and pointer authentication to defend against buffer overflow attacks. This is an example of defense-in-depth.
True False
Q2.8 True or False: It is possible to inspect encrypted HTTPS traffic with a HIDS. True False
Q2.9 True or False: It is easier for an off-path attacker to inject messages into a TCP connection if the initial sequence numbers were derived from the current time (with second precision) than if the initial sequence numbers were generated randomly.
Solution: False. CAPTCHAs are most vulnerable to outsourcing attacks, where attackers use real human labor, not computer vision programs, to solve them. CAPTCHAs are also still widely used.
Solution: True. The Great Firewall is an on-path adversary, so it can see TCP packets and spoof RST packets.
Solution: True. Even if your exploit defeats one of the defenses, it may not defeat all of them. This is an example of defense-in-depth.
Solution: True. The HIDS is installed on the end host and can see unencrypted application- layer data.
Final Exam Page 3 of 35 CS 161 – Fall 2020
True False
Q2.10 True or False: TLS is vulnerable to RST injection attacks during the handshake, but not after the handshake is completed.
True False
Q2.11 True or False: Input sanitation helps defend against some SQL injection and XSS attacks. True False
Q2.12 TrueorFalse:RandomizingthesourceIPandportisacommondefenseagainstDNSspoofing. True False
Solution: True. An off-path attacker must guess sequence numbers to inject messages in a TCP connection. Non-random sequence numbers make TCP more vulnerable to an off-path attacker, since the attacker has a greater chance of predicting the sequence numbers.
Solution: False. A TCP RST packet can still be injected during a TLS connection, since TLS is built on top of TCP.
Solution: True. SQL injection and XSS rely on user input being treated as code, so input sanitation would stop some (but not all) attacks.
Solution: False. Randomizing the source IP would break the functionality of DNS, because you will not be able to receive the DNS response.
Randomizing the port is okay because you still receive the response. Your computer would just need to remember what random port it sent the request with and look for the answer at the same port.
Q2.13 True or False: Of the security principles covered in class, two factor authentication is best described as an example of defense in depth.
True False
Q2.14 True or False: DNS (without DNSSEC) is secure against an on-path attacker, but not a MITM attacker.
Solution: True. 2FA means that even if one layer of your security is compromised (e.g. your password is stolen), other defenses remain in place to protect your account.
Final Exam Page 4 of 35 CS 161 – Fall 2020
True False
Q2.15 True or False: ASLR prevents all buffer overflow attacks. True False
Q2.16 True or False: Log analysis is effective at detecting attacks in real-time. True False
Q2.17 True or False: Clickjacking can help an attacker execute reflected XSS attacks. True False
Q2.18 True or False: EvanBot is a real bot. (0 points)
Final Exam
Page 5 of 35
CS 161 – Fall 2020
Solution: False. The on-path attacker can see the ID field and race the legitimate response.
Solution: False. ASLR can’t prevent overwriting local variables.
Solution: False. Logs are usually checked offline afterwards, so they usually detect attacks after they’ve already happened.
Solution: True. Clickjacking can cause the victim to click on an attacker-crafted link, and reflected XSS requires the victim to click on an attacker-crafted link.
True
False
Solution: True. See http://isevanbotreal.com to learn more.
This is the end of Q2. Leave the remaining subparts of Q2 blank on Gradescope, if there are any. Proceed to Q3 on your answer sheet.
Q3
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
17
Indirection
Consider the following vulnerable C code:
(24 points)
#include
#include
struct log_entry { char title [8];
char ∗msg;
};
void log_event(char ∗title , char ∗msg) {
size_t len = strnlen (msg, 256) ;
if (len == 256) return; /∗ Message too long. ∗/
struct log_entry ∗ entry = malloc ( sizeof ( struct log_entry ) ) ;
entry−>msg = malloc(256);
strcpy(entry−>title , title);
strncpy ( entry −>msg , msg , len + 1) ;
add_to_log ( entry ) ; /∗ Implementation not shown . ∗/
}
Assume you are on a little-endian 32-bit x86 system and no memory safety defenses are enabled. Q3.1 (3 points) Which of the following lines contains a memory safety vulnerability?
(A) Line 10 (D) Line 15
(B) Line 13 (C) Line 14
(E) (F)
Solution: Line 14 uses a strcpy, which is not a memory-safe function because it only ter- minates when it sees a null byte. The attacker could provide a string that is longer than the buffer or not properly null-terminated, and strcpy would still copy the entire string into the buffer, overwriting other variables in the process.
Note that line 15 uses a strncpy whose length parameter comes from strnlen, so it is safe.
Q3.2 (3 points) Seeing an opportunity to exploit this program, you fire up GDB and step into the log_event function. Give a GDB command that will show you the address of the rip of the log_event function. (Abbreviations are fine.)
Final Exam
Page 6 of 35
CS 161 – Fall 2020
Enter your answer in the text box on Gradescope.
(G) (H) (I)
( J) (K) (L)
Q3.3 (3 points) Fill in the numbered blanks on the following stack and heap diagram for log_event. Assume that lower-numbered addresses start at the bottom of both diagrams.
Clarification during exam: The stack diagram shown is incorrect. The values 1 and title should should be swapped on the stack.
Stack Heap
title 3 12
(A) 1 = entry->msg (B) 1 = entry->msg (C) 1 = msg
(D) 1=msg
(E) (F)
rip
sfp
len entry
2 = entry->title 2 = msg
2 = entry->title 2=entry->msg
3 = msg
3 = entry->title 3 = entry->msg 3=entry->title
Solution: We messed up the stack diagram for this part. Arguments are pushed on the stack in reverse order, so 1 (msg) should actually be above title, not below title. Since it’s our mistake, we are giving full credit to everyone on this subpart.
The two arguments, title and msg, must be on the stack, so 1 = msg.
Structs are filled from lower addresses to higher addresses, so 2 = entry->title and 3 = entry->msg.
Using GDB, you find that the address of the rip of log_event is 0xbfffe0f0.
Let SHELLCODE be a 40-byte shellcode. Construct an input that would cause this program to execute
shellcode. Write all your answers in Python 2 syntax (just like Project 1). Q3.4 (6 points) Give the input for the title argument.
Final Exam
Page 7 of 35
CS 161 – Fall 2020
Solution: info frame (abbreviated i f) would be the easiest command to use. Other solu- tions exist.
Enter your answer in the text box on Gradescope.
(G) (H) (I)
( J) (K)
(L)
Solution: The strcpy at line 14 lets us write as much data as we want into entry->title, which is a buffer on the heap.
The strncopy at line 15 lets us write as much data as we want into entry->msg, which is a pointer on the heap. Note from the stack diagram that entry->msg is directly above entry->title, which is a buffer that we can overflow! Thus we can also overflow the entry->msg pointer and make it point wherever we want our data to be written.
The overarching idea is to use line 14 to overflow the entry->msg pointer to point to the rip, and then use line 15 to overwrite the rip (which entry->msg is now pointing to) with the classic buffer overflow exploit.
The title input should overflow entry->msg with the rip. We write 8 bytes of garbage to overwrite entry->title, then overwrite entry->msg with the rip.
‘A’ * 8 + ‘\xf0\xe0\xff\xbf’
Q3.5 (6 points) Give the input for the msg argument. Enter your answer in the text box on Gradescope.
(A) (B) (C) (D) (E) (F)
Solution: Now that entry->msg is pointing at the rip, our input for msg will be directly written to the rip (thanks to line 15).
Thus we can write the classic buffer overflow exploit (project 1, question 1): we overwrite the rip with the address directly above it (rip + 4), then write the shellcode. This causes the rip to point to shellcode.
‘\xf4\xe0\xff\xbf’ + SHELLCODE
Q3.6 (3 points) Which of the following defenses on their own would prevent your exploit?
Note: If stack canaries are enabled, you can assume 0xbfffe0f0 is still the correct address of the RIP.
(G) Stack canaries (H) W^X
(I) ASLR
(J) None of the above
(K) (L)
Solution: Stackcanarieswouldnotdefendagainstthisattackbecausewearenotconsecutively writing from the local variables to the rip. Instead, we are overflowing a heap variable (no canaries on the heap) and then directly writing above the canary.
Final Exam
Page 8 of 35
CS 161 – Fall 2020
W^X defends against your exploit by preventing the shellcode on the stack from being executed.
ASLR defends against your exploit by randomizing the address of the rip that you use in your exploit.
This is the end of Q3. Leave the remaining subparts of Q3 blank on Gradescope, if there are any. Proceed to Q4 on your answer sheet.
Final Exam Page 9 of 35 CS 161 – Fall 2020
Q4 Malcode (12 points) Q4.1 (3points)MalcodeXspreadsbymakingacopyofitsownbinaryonanothermachineandexecuting
it. Which intrusion detection technique is best for detecting this malcode? (A) Signature-based detection (D) Behavioral detection
(B) Anomaly-based detection
(C) Specification-based detection
(E) (F)
Solution: Becausethemalcodedoesnotchangeeachtimeitreplicates,wecanaddasignature for the malcode binary to detect and block it.
Q4.2 (3 points) Malcode X connects to other machines using TLS. Which intrusion detection method is best for detecting this malcode?
Select one option, and briefly justify your answer (1 sentence) in the text box.
(G) NIDS (H) HIDS (I) (J) (K) (L)
Solution: Because TLS is encrypted, the NIDS does not have the necessary host context in order to decrypt and inspect the traffic for the malcode. Thus, only the HIDS can defend against the malcode.
We may consider accepting NIDS if you explain that you can give the NIDS the server’s private keys and let it actively intercept every connection.
Q4.3 (3 points) Malcode Y spreads by encrypting its binary, copying the encrypted binary and a de- cryption script to another machine, and executing the decryption script to run the malcode. The encryption key and the IV/nonce (if needed) are randomly generated each time the malcode replicates. Which encryption schemes would cause every copy of the malcode to look different?
Clarification during exam: “Cause every copy of the malcode to look different” means that the encrypted copies of the malcode differ in at least 1 byte.
(A) AES-ECB (B) AES-CBC
(C) AES-CTR (E)
(D) None of the above
(F)
Solution: In all of these AES ciphers, the ciphertext looks different as long as the key is different each time.
Note that AES-ECB is deterministic with the same key, but changing the key still causes the ciphertext to look different.
Final Exam
Page 10 of 35
CS 161 – Fall 2020
Q4.4 (3points)MalcodeZspreadsthesamewayasMalcodeY.However,insteadofrandomlygenerating the encryption key and the IV/nonce (if needed), they are hard-coded into the binary and the decryption script. Which encryption schemes would cause every copy of the malcode to look different?
(G) AES-ECB (H) AES-CBC
(I) AES-CTR (K)
(J) None of the above
(L)
Solution: A static key and IV means that the encrypted payload always remains the same.
Note that AES-CBC and AES-CTR are both deterministic if you use the same key and IV/nonce every time.
Final Exam
Page 11 of 35
CS 161 – Fall 2020
This is the end of Q4. Leave the remaining subparts of Q4 blank on Gradescope, if there are any. Proceed to Q5 on your answer sheet.
Q5 CalCentral Security (20 points) Given your performance as a skilled attacker of the UnicornBox website, university administrators have asked you to assess the security of the CalCentral platform.
The CalCentral website is set up as follows:
• CalCentral is located at https://calcentral.berkeley.edu/.
• The Central Authentication Service (CAS) is located at https://auth.berkeley.edu/.
• CalCentral uses session tokens stored in cookies for authentication, similar to Project 3. The session token cookie has domain berkeley.edu, and the Secure and HttpOnly flags are set.
• CalCentral does not use CSRF tokens or any form of CSRF protection. Each subpart is independent.
Q5.1 (3 points) When a user attempts to sign in on CalCentral, the CAS login portal appears in a pop-up window.
True or false:BecauseCalCentralandCAShavethesameorigin,CAScanupdatetheCalCentral webpage when a user signs in successfully.
(A) True, because CalCentral and CAS are managed by the same organization.
(B) True, because windows with the same origin can interact with each other.
(C) False, because pop-up windows can never affect other windows, regardless of the origin. (D) False, because CalCentral and CAS don’t have the same origin.
(E)
(F)
Q5.2 (3 points) When a user attempts to sign in on CalCentral, the CAS login portal appears in an iframe embedded on the CalCentral page.
True or false: This design allows CalCentral to modify the text field on the CAS website to autofill the username field.
(G) True, because CalCentral and CAS are managed by the same organization.
(H) True, because the inner frame is loaded with the same origin of the outer frame. (I) False, because Javascript is needed to autofill form fields.
(J) False, because the outer frame cannot affect the contents of the inner frame.
(K)
Final Exam
Page 12 of 35 CS 161 – Fall 2020
Solution: False. These pages might be able to communicate in other ways, but they have different origins under the same-origin policy.
(L)
Q5.3 (3 points) If a user is logged into CalCentral (has a valid session token cookie), a GET Request to https://calcentral.berkeley.edu/api/photo/ will contain a response with their CalCen- tral photo. The website https://evil.com/ loads an image with the following HTML snippet:
True or false: If a user is currently signed into CalCentral, the https://evil.com/ website
will be able to successfully display their photo.
(A) True, because the browser attaches the session token in the request to CalCentral.
(B) True, because the referer in the request is https://calcentral.berkeley.edu.
(C) False, because the browser does not attach the session token in the request to CalCentral. (D) False, because the referer in the request is https://evil.com.
(E)
(F)
Q5.4 (3 points) You find a reflected XSS vulnerability on CAS. https://berkeley.edu has a footnote that says “UC Berkeley.”
True or false: Using this vulnerability, you can cause the victim to see “CS 161 Enterprises” in the footnote when they visit https://berkeley.edu.
Clarification during exam: The footnote on https://berkeley.edu/ is part of the static HTML page.
(G) True, because the script runs with the same origin as https://berkeley.edu. (H) True, because XSS subverts the same-origin policy.
(I) False, because the script runs with a different origin from https://berkeley.edu. (J) False, because the script only affects the browser’s local copy of the site.
(K)
Solution: False. Frame isolation states that the outer page cannot change the contents of the inner page, and inner pages cannot change the content of the outer page.
Solution: True.Thebrowserwillattachtheuser’ssessioncookieforCalCentral,duetocookie policy (domain matches). Because CSRF protection is disabled, the server doesn’t check for a CSRF token or validate the referer, so any requests with a valid session token will be sent back the appropriate profile picture.
Final Exam
Page 13 of 35 CS 161 – Fall 2020
(L)
Q5.5 (3 points) You find a stored XSS vulnerability on CalCentral.
True or false: Using this vulnerability, you can cause the victim to load CalCentral with the
“My Academics” button changed to link to https://evil.com/.
(A) True, because Javascript on a page can change that page’s HTML
(B) True, because CalCentral does not implement CSRF tokens.
(C) False, because Javascript on a page cannot change that page’s HTML
(D) False, because https://evil.com has a different origin from CalCentral (E)
(F)
Q5.6 (5points)WhenaGETRequestismadetohttps://calcentral.berkeley.edu/api/classes/, the server checks if the request’s cookies contain the user’s CalCentral session token. If a valid session cookie is found, the response contains a list of that user’s classes. Otherwise, the server responds with Error.
Assume that you control each of the domains below. Select all domains where you’d be able to retrieve the class list of a victim who’s currently signed in to CalCentral.
Hint: Recall that CalCentral does not use CSRF tokens or any form of CSRF protection.
Clarification during exam: “Retrieve the class list” means that the attacker is able to learn the class
list.
(G) https://evil.edu/
(H) https://berkeley.edu/
(I) https://auth.berkeley.edu/
(J) https://evil.calcentral.berkeley.edu/ (K) http://calcentral.berkeley.edu/
Solution: False. Even with a reflected XSS vulnerability, all injected scripts would run with the origin of CAS (https://auth.berkeley.edu, which is different from the origin of https://berkeley.edu/. Thus, according to the the same-origin policy, CAS wouldn’t be able to modify the https://berkeley.edu site.
Final Exam
Page 14 of 35
CS 161 – Fall 2020
Solution: True. A stored XSS vulnerability on CalCentral would allow an attacker to modify any of the contents of the CalCentral page.
(L) None of the above
Solution:
Update, December 19, 2020 7:00pm PT: We dropped this question and gave everyone full
points.
The original intended solution was all of the above. Because CSRF protection is disabled, all outbound requests made to https://calcentral.berkeley.edu/api/classes/ will contain the session cookie. Since the attacker controls the website, they can add some malicious Javascript to read the response from the request and send the class data to the attacker.
Final Exam
Page 15 of 35 CS 161 – Fall 2020
This is the end of Q5. Leave the remaining subparts of Q5 blank on Gradescope, if there are any. Proceed to Q6 on your answer sheet.
Q6 To Believe or Not To Believe (15 points) You are a detective at the Universal Conflict-resolution Bureau (UCB). You have been presented with a new case: Alice claims that Bob agreed to pay her $100. As evidence, she has a message from Bob, “I, Bob, owe Alice $100,” along with some cryptography applied to the message.
Decide whether each piece of cryptographic evidence below is sufficient to believe her claim that this message is from Bob.
• m is the message from Bob.
• PK, SK is a public-private key pair.
• MAC is a cryptographically secure message authentication code function.
• k1 and k2 is a secret key shared between Alice and Bob.
Clarification during exam: k1 and k2 are both secret keys shared between Alice and Bob.
• H is a cryptographically secure hash function.
• Sign(SK, m) is a digital signature algorithm signing a message m with secret key SK.
• Enc, Dec is an IND-CPA secure symmetric encryption scheme.
Clarification during exam: For all parts, you verify any signature you are presented with against the corresponding public key.
Clarification during exam: For all parts, Alice is not capable of stealing other people’s private keys.
Clarification during exam: All subparts are independent. Q6.1 (3 points) Alice presents you with Sign(SK, m) and PK.
You obtain Sign(SKCA, “Bob’s public key is PK”) from a certificate authority you trust. SKCA is the secret key of the CA, and you know the corresponding public key.
(A) m must be from Bob. (D)
(B) m is not necessarily from Bob. (C)
Q6.2 (3 points) Alice presents you with H(m). (G) m must be from Bob.
(H) m is not necessarily from Bob. (I)
(E) (F)
(J) (K) (L)
Final Exam
Page 16 of 35
CS 161 – Fall 2020
Solution: Since you trust the certificate authority, you trust that the public key PK actually belongs to Bob. Then you can use Bob’s public key to verify that the signature is valid.
Solution: Alice can compute the hash herself on any message.
Q6.3 (3 points) Alice presents you with MAC(k1, m) and the secret key k1. (A) m must be from Bob. (D)
(B) m is not necessarily from Bob. (C)
(E) (F)
Solution: Alice can compute a MAC on any message, since she has possession of the secret key k1.
Q6.4 (3 points) Alice presents you with MAC(k1, Enc(k2, m)) and the secret keys k1 and k2. (G) m must be from Bob. (J)
(H) m is not necessarily from Bob. (I)
(K) (L)
Solution: Alice can compute the MAC and the encryption since she has the secret key k1.
Q6.5 (3 points) Alice presents you with Sign(SK, m), PK.
Additionally, Alice generates a certificate with her public key, Sign(SKAlice , “Bob’s public key is PK”)
and presents you with the certificate and her public key PKAlice.
Clarification during exam: Alice generates a certificate with her private key, not her public key.
Final Exam
Page 17 of 35
CS 161 – Fall 2020
(A) m must be from Bob.
(B) m is not necessarily from Bob. (C)
(D) (E) (F)
Solution: Alice can be lying about Bob’s public key PK.
This is the end of Q6. Leave the remaining subparts of Q6 blank on Gradescope, if there are any. Proceed to Q7 on your answer sheet.
Q7 DKIM (20 points) DKIM (DomainKeys Identified Mail) is an email integrity scheme that prevents an attacker from forging the sender (From:) field and thus spoofing an email.
In DKIM, each mail server has a domain, such as 1e100.net1, and many public-private key pairs for signing emails. Each key pair has a unique numerical key ID.
To send an email, the sending mail server first verifies the sender’s identity. Then the mail server attaches a DKIM header to the email. The header contains a signature on the email, the server’s domain, and the ID of the key used to generate the signature.
To verify a DKIM header, you need to look up a public key to verify the signature. The public keys are stored using DNSSEC. To find a DKIM public key with domain {DOMAIN} and key ID {KEY_ID}, you make a DNSSEC query for {Key_ID}._domainkey.{DOMAIN} and receive a TXT type record with the public key.
For example, the name server for 20161025._domainkey.1e100.net has a TXT record with a public key. The public key has ID 20161025 and is used by the 1e100.net mail server.
Clarification during exam: Assume that _domainkey subdomain directly issues TXT records for {KEY_ID}._domainkey. For example, the _domainkey.1e100.net nameserver directly issues TXT
records for 20161025._domainkey.1e100.net.
Q7.1 (3 points) Which attacks on their own would help you learn how many DKIM keys a mail server is using?
(A) Zone enumeration with NSEC (D) None of the above (B) Zone enumeration with NSEC3 (E)
(C) Kaminsky attack
(F)
Solution: DNSSEC includes either NSEC or NSEC3, which both enable you to enumerate the subdomains present under _domainkey.1e100.net. Each time you query for a non-existent domain, you receive an NSEC record saying “No domains exist between
{PREVIOUS_KEY}._domainkey.1e100.net and {NEXT_KEY}._domainkey.1e100.net, which lets you learn some keys that exist. If you make enough non-existent queries to traverse the entire alphabet, you’ve learned all the DKIM keys that exist under that mail server.
In NSEC3, you would need to reverse the hashed domains returned in the NSEC3 records, but as shown in lecture, this is feasible with modern computing power.
The Kaminsky attack does not help you learn about all the subdomains that exist under a given domain.
Consider making a DNSSEC query to obtain the public key with ID 12875102 for the domain stanfraud.com. Assume that you start with an empty cache (except the hardcoded KSK of the root). Assume that the _domainkey subdomain uses a different KSK and ZSK from its parent domain.
1This is a Google domain that Google uses for various infrastructure. Yes, Google gets to spy on all your Berkeley email. Final Exam Page 18 of 35 CS 161 – Fall 2020
For each of the next 3 subparts, list the records of each type in your cache after the query. Your answer should be a list of domains, e.g. google.com, . (root), org, _domainkey.stanfraud.com.
Q7.2 (3 points) DS type record(s) with hash(es) of the KSKs of the following name server(s): Enter your answer in the text box on Gradescope.
(G) (H) (I) ( J) (K) (L)
Solution: com, stanfraud.com, _domainkey.stanfraud.com
The root returns a DS record to endorse the com name server. Then com returns a DS record to endorse the stanfraud.com name server. Finally, the stanfraud.com name server returns a DS record to endorse the _domainkey.stanfraud.com name server.
Q7.3 (3 points) DNSKEY type record(s) with the public key(s) (either ZSK or KSK) of the following name server(s):
Enter your answer in the text box on Gradescope.
(A) (B) (C) (D) (E) (F)
Q7.4 (3points)TXTtyperecord(s)withthepublickey(s)ofthefollowingnameserver(s)ormailserver(s): Enter your answer in the text box on Gradescope.
(G) (H) (I) ( J) (K) (L)
Solution: . (root), com, stanfraud.com, _domainkey.stanfraud.com
Each of the name servers you contact must return their own public keys so that you can verify their signatures.
Solution: 12875102._domainkey.stanfraud.com
As described in the question, the TXT record contains the final DKIM key with a given ID and a given domain. None of the other name servers need to return TXT answers, since they are performing standard DNSSEC.
Q7.5 (5 points) Which of the following private keys, if stolen on their own, would let an attacker create DKIM signatures as the 1e100.net mail server? Select all that apply.
Clarification during exam: The DKIM key refers to the private key in the DKIM key pair.
Final Exam Page 19 of 35 CS 161 – Fall 2020
(A) ZSK for the net name server (D) A DKIM key for the 1e100.net domain
(B) KSK for the 1e100.net name server
(C) KSK for the web.1e100.net name server (F) None of the above
Q7.6 (3points)Consider2versionsofDKIM.InVersionA,mailserversusethesamekeypairsindefinitely. In Version B, each week, every mail server switches all of its key pairs and publishes the old private keys.
You send an email with a valid DKIM signature, and someone else publishes that email months later. Which version(s) of DKIM would let you credibly deny that you sent that email?
Assume that nobody compromises your email account and nobody steals any private signing keys in DNSSEC and DKIM.
Clarification during exam: For Version B of DKIM, assume that the mail server publishes old public keys along with the old private keys.
(G) Neither version (H) Version A only (I) Version B only
(J) Both Version A and Version B
(K) (L)
(E) ZSK for the _domainkey.1e100.net do- main
Solution: Any private signing key along the chain of trust from the root to {KEY_ID}._domainkey.1e100.net will help the attacker sign a fake TXT record with the attacker’s public key. Then the attacker can use their own private key to create DKIM signatures.
For example, stealing the ZSK of the .net name server lets you sign a DS record endorsing the 1e100.net name server. Since you’ve stolen the ZSK, you can sign a fake DS record that claims to endorse the 1e100.net name server but is actually endorsing the attacker’s public key. This process repeats until the attacker has claimed to endorse _domainkey.1e100.net name server (but is actually endorsing the attacker’s public key). Then the attacker can use their own private key to create DKIM signatures.
Stealing the DKIM key directly also lets the attacker create DKIM signatures.
Solution: Version A: No, because anyone can make a DNSSEC query to learn the public key and verify the signature. Since the private key hasn’t been published or stolen, the signature must have been made by the mail server, which authenticated you when attaching the signature. Thus the email must have been sent by you, and you cannot credibly deny that you sent it.
Version B: Yes, because once the mail server publishes the old private key, anyone can forge DKIM signatures. You can claim that you made this signature on a fake email with the published
Final Exam
Page 20 of 35
CS 161 – Fall 2020
private key, and there would be no way to tell whether the signature came from you or the mail server.
This is the end of Q7. Leave the remaining subparts of Q7 blank on Gradescope, if there are any. Proceed to Q8 on your answer sheet.
Final Exam Page 21 of 35 CS 161 – Fall 2020
Q8 ACK Flood (12 points) Recall that a SYN flooding attack overwhelms a server by sending a huge number of TCP packets with the SYN flag set.
ACK flooding is another DoS attack based on TCP, where the attacker sends a huge number of packets with the ACK flag set. This causes the server to exhaust resources trying to match each ACK packet to an existing TCP connection.
Q8.1 (4 points) Which of the following can be overwhelmed by an ACK flooding attack? Select all that apply.
(A) Intermediate layer 3 routers (also called autonomous systems)
(B) DNS name servers that only respond to DNS queries
(C) HTTP web servers that only respond to HTTP requests
(D) HTTPS web servers that only respond to HTTP and HTTPS requests (E) None of the above
(F)
Solution: Intermediate routers pass along packets but don’t process their contents, so they are not susceptible to ACK flooding. Also, the flood of ACK packets could take different paths through the network, and most networks implement some load balancing to avoid overwhelming any one router.
As shown in lecture, DNS name servers use UDP, so they would never process TCP packets.
HTTP and HTTPS both rely on TCP, so web servers answering HTTP requests are susceptible to ACK flooding.
Q8.2 (3 points) Which of the following could effectively defend against ACK flooding attacks while allowing legitimate connections? Select all that apply.
Hint: Recall that the ACK flag is used both in the TCP handshake and in sending messages over TCP.
Final Exam
Page 22 of 35
CS 161 – Fall 2020
(G) Logging (H) NIDS (I) HIDS
(J) None of the above
(K) (L)
Solution: HIDS reconstructs TCP connections, so it would be overwhelmed by ACK flooding attacks.
A stateful firewall/NIDS would reconstruct TCP connections and be overwhelmed by ACK flooding. A stateless firewall/NIDS could try dropping all TCP packets with the ACK flag set, but this would break legitimate connections communicating over TCP.
In reality, the only way to defend against such an attack is to have a lot of compute power. Companies like Cloudflare provide DoS protection services by maintaining a large amount of compute power, and routing its customers’ requests through Cloudflare before forwarding them to its customers. If someone tries to ACK flood, it will be detected and stopped by Cloudflare, and only legitimate traffic reaches the actual server.
Q8.3 (5 points) Which field(s) in the packet headers must be set to a fixed value (cannot be random garbage) to target a specific process on a specific server?
(A) Source IP
(B) Destination IP (C) Source port
(D) Destination port (E) Sequence number (F) None of the above
Final Exam
Page 23 of 35
CS 161 – Fall 2020
Solution: ThedestinationIPmustbefixedtotargetoneserver,andthedestinationportmust be fixed to target one process on that server. All other fields can be random garbage.
This is the end of Q8. Leave the remaining subparts of Q8 blank on Gradescope, if there are any. Proceed to Q9 on your answer sheet.
Q9
Pre-Master Secrets (15 points) Recall that in TLS, the client random value RB , the server random value RS , and the pre-master secret P S are used to derive the symmetric keys. This question considers several possible algorithms for deriving the symmetric keys.
For simplicity, suppose that we always generate one master key from RB, RS, and PS, and then we use a hash-based key derivation function (HKDF) to generate the four symmetric keys from the one master key.
Assume that RB , RS , and P S are all randomly generated integers between 0 and 2256 unless otherwise stated. For each master key derivation scheme below, select all attacks a man-in-the-middle can do.
Clarification during exam: The attacker learns the value of the master key as long as the attacker knows the key derived by the client and the key derived by the server.
Clarification during exam: For all parts, assume that the MITM has observed previous handshakes between the client and the server.
Clarification during exam: Assume that all addition operations are performed on unsigned, 256-bit integers. The output is taken modulo 2256.
Clarification during exam: It is okay for the TLS handshake to fail, as long as the client/server derived a previously-used master key.
Q9.1 (3 points) Standard RSA TLS is used. To generate the master key, ignore P S, and add the other two values together: Master key = RB + RS .
(A) Learn the value of the master key
(B) Make the server derive a previously-used master key in a future handshake (C) Make the client derive a previously-used master key in a future handshake (D) None of the above
(E)
(F)
Solution: RB and RS are both sent in plaintext, so the MITM can learn the master key. Because the client initiates the handshake, the MITM can force the client to derive any key
MS by viewing RB and sending back RS′ = MS − RB.
This attack can’t be executed on the server, since the server chooses RS after the client chooses RB. The MITM could try to send some malicious RB′ to the server, but they won’t know what the server chooses as RS until after they send RB′ , so they cannot cause the server to derive a previous master key.
Q9.2 (3 points) Standard RSA TLS is used. To generate the master key, ignore RB , and add the other two values together: Master key = RS + P S .
(G) Learn the value of the master key
Final Exam Page 24 of 35 CS 161 – Fall 2020
(H) Make the server derive a previously-used master key in a future handshake (I) Make the client derive a previously-used master key in a future handshake (J) None of the above
(K)
(L)
Solution: P S is sent encrypted, so the attacker cannot learn the master key.
If the attacker tries to replay an old handshake to the client, the client will choose a different
P S, so the master key will be different.
If the attacker tries to replay an old handshake to the server, the server will choose a different RS , so the master key will be different.
Q9.3 (3 points) Standard RSA TLS is used. To generate the master key, add the three values together: Masterkey=RB +RS +PS.
(A) Learn the value of the master key
(B) Make the server derive a previously-used master key in a future handshake (C) Make the client derive a previously-used master key in a future handshake (D) None of the above
(E)
(F)
Q9.4 (3 points) A buggy version of RSA TLS is used. Instead of generating RS randomly, the server increments RS by 1 for every new connection. To generate the master key, add the three values together: Master key = RB + RS + P S.
(G) Learn the value of the master key
(H) Make the server derive a previously-used master key in a future handshake (I) Make the client derive a previously-used master key in a future handshake
Solution: P S is sent encrypted, so the attacker cannot learn the master key.
RB and RS are different each time, so an attacker can’t replay an old handshake in either direction. The client chooses {P S}P K randomly after receiving RS , so the attacker can’t exploit the properties of addition similar to the replay attack in other parts.
Final Exam Page 25 of 35 CS 161 – Fall 2020
(J) None of the above
(K) (L)
Q9.5 (3 points) A buggy version of RSA TLS is used. Instead of generating RS randomly, the server increments RS by 1 for every new connection. To generate the master key, hash the concatenation of the three values: Master key = H(RB||RS||PS).
(A) Learn the value of the master key
(B) Make the server derive a previously-used master key in a future handshake (C) Make the client derive a previously-used master key in a future handshake (D) None of the above
(E)
(F)
Solution: P S is sent encrypted, so the attacker cannot learn the master key.
Suppose a previous connection used RB, RS, and PS. An attacker can initiate a handshake with the server and cause a previous master key to be derived by sending RB − 1 to the server. SincetheserverwillchooseRS +1,theresultingmasterkeyis(RB −1)+(RS +1)+PS = RB + RS + P S, which is the same as the previous master key.
Solution: P S is sent encrypted, so the attacker cannot learn the master key.
The replay attack to the server from the previous part is no longer possible, because as long as the server sends back a different RS , even if it’s just RS + 1, the master key will be different and unpredictable, no matter what RB the attacker chooses.
Final Exam
Page 26 of 35
CS 161 – Fall 2020
This is the end of Q9. Leave the remaining subparts of Q9 blank on Gradescope, if there are any. Proceed to Q10 on your answer sheet.
Q10 Is EvanBot Real? (22 points) The website isevanbotreal.com tells users whether EvanBot is real. However, the website creator doesn’t want EvanBot to see the answer, so they require users to fill out a CAPTCHA before showing the answer.
The web server stores a database of CAPTCHA images and their corresponding text, where each CAPTCHA is given a unique ID.
1 2 3 4
Q10.1 (5 points) To verify a submitted CAPTCHA, the server runs the following SQL query, replacing $id and $text with the cookie value and submitted answer text, respectively:
SELECT * FROM captchas WHERE id = $id and answer = ‘$text’
If zero rows are returned, the server returns Incorrect CAPTCHA. If more than zero rows are
returned, the server returns the answer (Yes).
Provide an input for $text that would cause the server to return Yes, regardless of what the actual
CAPTCHA text says.
If needed, you can use $id or $text to represent the value of user input. Enter your answer in the text box on Gradescope.
(A) (B) (C) (D) (E) (F)
CREATE TABLE captchas ( id INTEGER UNIQUE , answer TEXT
);
When a client makes a GET request to isevanbotreal.com/new, the server returns a random CAPTCHA image and a cookie containing the ID number of that image. To submit the CAPTCHA, the client makes a POST request to isevanbotreal.com/submit with the answer text and the cookie containing the ID number of the image.
Solution: The simplest solution is to inject something to make the query return the entire table. Possible solutions include:
‘ OR 1=1 —
‘; SELECT * FROM captchas —
Other solutions exist.
Q10.2 (5 points) Consider a modification to the verification process. If zero rows are returned, the server returns Incorrect CAPTCHA, as before. If exactly one row is returned, the server returns Yes. If more than one row is returned, the server returns Server error.
Provide an input for $text that would cause the server to return Yes, regardless of what the actual CAPTCHA text says.
If needed, you can use $id or $text to represent the value of user input.
Final Exam Page 27 of 35 CS 161 – Fall 2020
Enter your answer in the text box on Gradescope.
(G) (H) (I) ( J) (K) (L)
Solution: The simplest solution is to inject something to make the query return the entire table, then use SQL’s LIMIT operator to limit the response to exactly one row:
‘ OR 1=1 LIMIT 1 —
‘; SELECT * FROM captchas LIMIT 1 —
If you didn’t remember the LIMIT operator, you can also take advantage of the UNIQUE constraint on the id field and build a new query that selects the one row with a given ID:
‘; SELECT * FROM captchas WHERE id = $id
Other solutions exist.
Q10.3 (3 points) You want to create a malicious link with domain isevanbotreal.com. Any user who requests a CAPTCHA and then clicks on your link will receive the answer Yes. Is it possible to create such a link?
(A) Yes, by exploiting an XSS vulnerability (if one exists) on isevanbotreal.com.
(B) Yes, the link is isevanbotreal.com/submit.
(C) No, because links make GET requests, and submissions are made through POST requests. (D) No, because links cannot be used for SQL injection.
(E)
(F)
Q10.4 (3 points) Consider the following Javascript pseudocode:
1 2 3 4 5 6
Solution: AnXSSvulnerabilityrunsJavascriptforanyuserwhoclicksonit,andtheJavascript can make a POST request with input that “solves” the CAPTCHA.
isevanbotreal.com/submit is not a sufficient link, because a user who clicks on this makes a GET request, but we need the user to make a POST request with some data to solve the CAPTCHA.
// make a GET request for a new CAPTCHA
f e t c h ( ’ h t t p : / / i s e v a n b o t r e a l . com / new ’ ) ;
injection = … // a correct SQL injection exploit from subpart 2
// send a POST request with an input that always solves the CAPTCHA
Final Exam
Page 28 of 35
CS 161 – Fall 2020
response = fetch ( ’http :// isevanbotreal .com/submit ’ , {method : ’POST’ , body : injection }) ;
// Display the response
alert ( response ) ;
7 8 9
10 11
Does this code successfully display the answer (Yes) without solving the CAPTCHA? (G) Yes, because the browser attaches the ID cookie in the POST request
(H) Yes, because the script uses HTTP, not HTTPS
(I) No, because SQL injection cannot work over Javascript
(J) No, because the ID cookie is not sent to the server in the POST request (K)
(L)
Solution: This script automates your attack in subpart 2. First it makes a request for a new CAPTCHA, which adds an ID cookie in your browser. Then it makes a POST request with the SQL injection exploit as the body. The browser will automatically attach the ID cookie to this exploit. Finally the script saves the response and displays it with alert.
HTTP/HTTPS is unrelated to this attack because it happens entirely on the application layer and doesn’t require the presence of a network attacker.
If you used an XSS vulnerability to inject this Javascript snippet, you would cause anyone who clicks on your link (reflected XSS) or opens your malicious page (stored XSS) to immediately solve a CAPTCHA without actually solving it legitimately.
Q10.5 (3 points) Which of these defenses would stop your exploit in subpart 2? Select all that apply. (A) Parameterized SQL
(B) Return the ID as a hidden form field instead of a cookie (C) Set the HttpOnly flag on the ID cookie
(D) None of the above
(E)
(F)
Final Exam
Page 29 of 35
CS 161 – Fall 2020
Solution: Parameterized SQL stops all SQL injection attacks by pre-compiling the query so that user input cannot be treated as code.
If the ID was a hidden form field, the attacker could still read its value and send it to the server.
Setting the HttpOnly flag on the ID cookie would not stop the attack, because the attacker can still read the value of the cookie, and the browser would still send the cookie to the server.
Q10.6 (3 points) Suppose the website implements a defense so that your attack in subpart 2 is no longer possible. There are no other vulnerabilities, and the CAPTCHAs are not solvable by machines, so the only way to receive the answer Yes is for a human to legitimately solve a CAPTCHA. Can a non-human still find a way to solve the CAPTCHAs?
(G) Yes, by using a CAPTCHA solving service
(H) Yes, by brute-forcing the CAPTCHA
(I) No, because CAPTCHA solving services are prohibitively expensive (J) No, because CAPTCHAs always defend against non-human attackers (K)
(L)
Solution: As seen in lecture, CAPTCHA solving services are very cheap (pennies per CAPTCHA) and readily available. CAPTCHAs usually cannot be brute-forced, because there are too many possible answers.
Final Exam
Page 30 of 35
CS 161 – Fall 2020
This is the end of Q10. Leave the remaining subparts of Q10 blank on Gradescope, if there are any. Proceed to Q11 on your answer sheet.
Q11 Hackerman Visits the Voting Booth (21 points) Your sketchy friend Jared asks you to use your CS 161 skills to help him rig some sort of election. He hands you a business card with credentials for a Russian supercomputer.
Armed with massive computing power, you show up to the Caltopia polling center. It has a Wi-Fi network secured with standard WPA2-PSK.
Q11.1 (5 points) You observe a WPA 4-way handshake. Which values from the handshake are needed to perform a brute-force search for the Wi-Fi password? Select all that apply.
(A) ANonce
(B) SNonce
(C) The router’s MAC address
(D) The client’s MAC address (E) The MICs
(F) None of the above
Solution: In the WPA2 4-way handshake, the information dependency goes {SSID, password} → PSK + {ANonce, SNonce, Router MAC, Client MAC} → PTK → MIC. In other words, the SSID and password are used to derive the PSK. Then the PSK, the nonces, and the MAC addresses are used to derive the PTK. Finally, the PTK is used to generate the MIC (message integrity/authentication codes).
To generate a guess for the PTK, you guess a password. Then you use your guessed password and the SSID to generate a guessed PSK. Then you use the guessed PSK, the nonces, and the MAC addresses to guess the PTK. Finally, you generate a MIC with your guessed PTK and see if it matches the MICs in the observed handshake.
Thus we need the