Popa & Wagner Spring 2016
CS 161 Computer Security
Midterm 1
Problem 1 True or False, and Fill-me-in (12 points) In parts (a) and (b), circle True or False. In part (c), fill in the blank. Do not justify your answer.
(a) True or False : A problem with iframes is that if a user visits an attacker’s website, that website could load a bank website inside
it stores them in a database. Alice comes to this forum and visits a page where she can see every comment including this one.
Write down the exact string Alice will see in her browser when she views the attacker's comment.
Solution: Explanation: After escaping, this will be saved in the database and included in the HTML response as
&lt;script&gt; document.write("You were attacked!");&lt;/script&gt;
When the browser displays that on the screen, it will turn the &lt; into <, etc., without executing it.
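The escaping step that the solution relies on, written out as an added example in C (this is not code from the exam): `html_escape()` rewrites the five characters that carry meaning in HTML into entities, so a stored comment is rendered as literal text instead of being parsed as markup. The function name, the entity choices and the sample comment are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that have meaning in HTML so the result is displayed
 * as literal text. Returns a newly malloc'd string (caller frees), or NULL on
 * allocation failure. Added example; not the exam's own code. */
char *html_escape(const char *in) {
    /* Worst case: every byte becomes a 6-byte entity (&quot; or &#x27;). */
    size_t cap = strlen(in) * 6 + 1;
    char *out = malloc(cap);
    if (out == NULL) return NULL;
    size_t pos = 0;
    for (const char *p = in; *p != '\0'; p++) {
        const char *rep;
        switch (*p) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#x27;"; break;
            default:   rep = NULL;     break;
        }
        if (rep != NULL) {
            size_t len = strlen(rep);
            memcpy(out + pos, rep, len);
            pos += len;
        } else {
            out[pos++] = *p;
        }
    }
    out[pos] = '\0';
    return out;
}

int main(void) {
    /* Constructed sample: the attacker's comment from Problem 1. */
    const char *comment = "<script> document.write(\"You were attacked!\");</script>";
    char *escaped = html_escape(comment);
    if (escaped == NULL) return 1;
    printf("stored/sent : %s\n", escaped);   /* what goes into the HTML response */
    printf("displayed as: %s\n", comment);   /* what Alice sees on screen */
    free(escaped);
    return 0;
}
```

The escaped form is what the server writes into the page; the browser decodes the entities for display, so Alice sees the attacker's text verbatim while no script element is ever created.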
Problem 2 Multiple choice (12 points)
(a) When you pay for something online using PayPal, the PayPal checkout form that shows the price and asks for your PayPal login always appears on its own page, never embedded in an iframe on the seller's checkout page. What threat is this defending against? Circle the best answer.
XSS
CSRF
Clickjacking
Buffer overruns
Integer overflow
SQL injection
Same-origin policy
Drive-by malware
None of the above
(b) NinjaCourses.com is written in Python. Sheryl decides to rewrite it in C, ensuring her re-implementation behaves the same. Assuming Sheryl tries to make her C implementation have the same functionality as the Python implementation, what new security threats might Sheryl's C code face that aren't equally applicable to the original Python code? Circle all that apply.
XSS
Clickjacking
Phishing
Separation of responsibility
CSRF
Buffer overruns
SQL injection
Two-factor authentication
None of the above
(c) After finishing her C code, Sheryl does CS 161's project 1 and learns for the first time about the ret2esp technique. Which of the following provides a complete defense against ret2esp attacks? Circle all that apply.
Non-executable Stack
Content Security Policy (CSP)
Memory-safe programming languages
Prepared statements
Referer validation
Same-origin policy
Least privilege
Two-factor authentication
None of the above
Solution: Explanation: A non-executable stack prevents ret2esp, since ret2esp involves executing a jmp *esp instruction, which involves jumping into the stack. If the stack is non-executable, jumping there will fail (cause a segmentation fault). Memory-safe programming languages also prevent it, because they prevent overflowing buffers in the first place and thus there's no way to overwrite the return address to point to a jmp *esp instruction.
Problem 3 Web security (15 points)
Patsy-Bank learned about the CSRF flaw on their site described in discussion section, and they hired a security consultant who helped them fix it by adding a random CSRF token to the sensitive /transfer request. A valid request now looks like:
https://patsy-bank.com/transfer?to=bob&amount=10&token=
The CSRF token is chosen randomly, separately for each user.
Not one to give up easily, Mallory starts looking at the welcome page. She loads the following URL in her browser:
https://patsy-bank.com/welcome?name=
When this page loaded, Mallory saw an alert pop up that says "Jackpot!". She smiles, knowing she can now force other bank customers to send her money.
(a) What kind of attack is the welcome page vulnerable to? Provide the name of the category of attack.
Solution: Reflected XSS
(b) Mallory plans to use this vulnerability to bypass the CSRF token defense. She'll replace the alert("Jackpot!"); with some carefully chosen JavaScript. What should her JavaScript do? (Describe using at most 1–2 sentences.)
Solution: Load a payment form, extract the CSRF token, and then submit a transfer request with that CSRF token.
Or: Load a payment form, extract the CSRF token, and send it to Mallory.
(c) If Patsy-Bank added frame-busting code to the welcome page, would that stop this attack? Circle yes or no.
Yes No
(d) Mallory wants to attack Bob, a customer of Patsy-Bank. Name one way that Mallory could try to get Bob to click on a link she constructed.
Solution: Send him an email with this link (making it look like a link to somewhere interesting). Post the link on a forum he visits. Set up a website that Bob will visit, and have the website open that link in an iframe. Send Bob a text message or a message in Facebook with the link.
(There were many possible answers. You only needed to list one.)
Problem 4 Evaluating defenses (16 points) Michael is considering several ideas for defending against some of the threats we've seen in this class. For each of the following scenarios, decide whether Michael's proposed defense is secure or not (i.e., whether it is effective at defending against the named threat). Circle "Secure" or "Insecure"; if you circle "Insecure", also describe in a sentence or less how an attacker could defeat Michael's defense.
(a) Michael notices that a bank is vulnerable to CSRF attacks. To defend against CSRF, Michael proposes that the bank add a X-Frame-Options header to every page.
Secure Insecure
Solution: Attack: It does nothing to stop it.
(b) To prevent buffer overruns, Michael proposes to allocate all buffers on the heap. In other words, even if a buffer is declared as a local variable, Michael proposes that the compiler should insert a call to malloc() to allocate space for the buffer, and free the buffer when the function returns.
Secure Insecure
Solution: Attack: Overwrite stuff in the heap to overwrite a function pointer. (Many other attacks are possible as well.)
(c) To prevent phishers from using homographic attacks using internationalized characters (e.g., paypal.com, where the first p is in Cyrillic), Michael proposes that browsers should allow only the characters A-Za-z0-9_-. to appear in the domain name of a URL; if the domain name contains any other characters, the browser should refuse to load the URL.
Secure Insecure
(d) To prevent session fixation attacks, Michael proposes to use 256-bit session IDs, where the first 128 bits are chosen randomly for each session, and the last 128 bits are a secret value that is specific to the server but the same for all sessions with that server.
(As a reminder, session fixation attacks apply to sites that accept a session ID in the URL and set a session cookie with the same value.)
Secure Insecure
Solution to (c): We also accept Insecure with the attack: use a domain name that exploits the similarities between vv/w or l/i/1 or O/0.
Solution to (d): Attack: Mallory can still take her own session ID, put it in a URL, and get Victoria the victim to fetch that URL.
Problem 5 Reasoning about memory safety (20 points) Consider the following C code.
    /* Requires: ??? */
    void shuffle(int a[], int b[], size_t m, size_t n) {
        for (size_t i = 0; i < m; i++) {
            int tmp = a[i];
            a[i] = b[n-i];
            b[n-i] = tmp;
        }
    }
For each of the following candidate preconditions in parts (a)–(d), answer whether that precondition is sufficient to ensure that shuffle() will be memory-safe. If it is not sufficient, also specify an example of an input that would satisfy the precondition but could cause memory-unsafe behavior.
(a) a != NULL && b != NULL
Sufficient Not sufficient
Solution: a = {0}, b = {0}, m = 2, n = 1
(b) a != NULL && b != NULL && m == 0 && n == 0
Sufficient Not sufficient
(c) a != NULL && b != NULL && m == n
Sufficient Not sufficient
Solution: a = {0}, b = {0}, m = 2, n = 2
(d) a != NULL && b != NULL && m < size(a) && n < size(b)
Sufficient Not sufficient
Solution: a = {0,1,2}, b = {0}, m = 2, n = 0
(e) Suggest a better precondition. Your precondition should be sufficient to ensure that shuffle() is memory-safe, and be as general as possible. Don't worry about what shuffle() is trying to accomplish; it just needs to be memory-safe.
Solution: a != NULL && b != NULL && m <= size(a) && n < size(b) && m <= n+1
Problem 6 Secure design and implementation (14 points)
(a) Blackbeard decides to set up his own course scheduling site, PirateCourses.com. To manage this machine remotely, he installs a SSH server on it. He discovers that the version of SSH he is running is vulnerable to a buffer overflow exploit, but he's too lazy to upgrade. Instead, he configures the SSH daemon to run on a custom port, 5467. However, when he logs in a week later, he finds all his data gone. What security principle did he ignore?
Solution: Don't rely on security through obscurity.
(b) Blackbeard fixes this, and his website is now flourishing. He hires Alice to implement tagging, so users can add tags to courses and search for courses by tag. For instance, when a user searches for the tag easy_exams, the following page is loaded:
http://www.piratecourses.com/?query=easy_exams
That page contains a list of all courses with the easy_exams tag.
Unfortunately, Alice doesn't know how to write secure code. Crabby the crab searches for the tag courses that are easy to'; drop table users -- and suddenly none of the PirateCourses users can log in any more. What kind of vulnerability was this?
Solution: SQL injection
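Returning to Problem 5's shuffle(): the precondition from part (e) can be enforced at runtime rather than merely assumed. The following is an added example and not part of the exam. `shuffle_checked()` (a name chosen here) takes the array lengths explicitly, since C cannot recover size(a) from a pointer, and refuses any call that violates `m <= size(a) && n < size(b) && m <= n+1` before touching an element. The counterexample inputs from parts (a), (c) and (d) are all rejected; a conforming call performs the exam's loop unchanged.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the exam's code: the exam's shuffle() with the precondition
 * from Problem 5(e) enforced at runtime. len_a and len_b are the true element
 * counts, standing in for size(a) and size(b). Returns true after shuffling, or
 * false without touching either array. */
bool shuffle_checked(int a[], size_t len_a, int b[], size_t len_b,
                     size_t m, size_t n) {
    if (a == NULL || b == NULL) return false;
    if (m > len_a) return false;   /* a[i] for every i < m must be in bounds */
    if (n >= len_b) return false;  /* b[n], the i == 0 access, must be in bounds */
    if (m > n + 1) return false;   /* keeps n - i from wrapping below zero */
    /* Every index is now in range: i <= m-1 <= n, so 0 <= n-i <= n < len_b,
     * and i < m <= len_a. This is the exam's loop, unchanged. */
    for (size_t i = 0; i < m; i++) {
        int tmp = a[i];
        a[i] = b[n - i];
        b[n - i] = tmp;
    }
    return true;
}

/* Replay the counterexamples from parts (a), (c) and (d): each satisfies the
 * candidate precondition of its part but violates the one from part (e).
 * Returns how many of the three calls were refused. */
int count_rejected_counterexamples(void) {
    int rejected = 0;
    int a1[] = {0}, b1[] = {0};          /* part (a): m = 2, n = 1 -> a[1] out of bounds */
    if (!shuffle_checked(a1, 1, b1, 1, 2, 1)) rejected++;
    int a2[] = {0}, b2[] = {0};          /* part (c): m = 2, n = 2 -> b[2] out of bounds */
    if (!shuffle_checked(a2, 1, b2, 1, 2, 2)) rejected++;
    int a3[] = {0, 1, 2}, b3[] = {0};    /* part (d): m = 2, n = 0 -> b[n-1] wraps to b[SIZE_MAX] */
    if (!shuffle_checked(a3, 3, b3, 1, 2, 0)) rejected++;
    return rejected;
}

int main(void) {
    /* Constructed inputs that satisfy the precondition: m = 3, n = 2. */
    int a[] = {1, 2, 3}, b[] = {10, 20, 30};
    if (shuffle_checked(a, 3, b, 3, 3, 2))
        printf("a = {%d, %d, %d}, b = {%d, %d, %d}\n",
               a[0], a[1], a[2], b[0], b[1], b[2]);
    printf("%d of 3 counterexamples rejected\n", count_rejected_counterexamples());
    return 0;
}
```

The order of the checks matters: `n < len_b` is verified before `n + 1` is computed, so the addition cannot overflow, and every rejection happens before the first array access, which is what makes the precondition a usable contract rather than a comment.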
(c) Name two different reasonable techniques that Alice could have used that each would have prevented the vulnerability in part (b).
Solution: Prepared statements. Escaping. Input validation (whitelisting). Pick any two of those three.
Problem 7 Snooping on your friends (11 points) Alice sets up a private wiki page for her friends, running on scripts.berkeley.edu, at
https://scripts.berkeley.edu/~alice/wiki
Alice has a session cookie in her browser for the wiki page, which is still valid for two weeks from now. When she visits the wiki site, she is immediately logged in and can read the content.
Eve doesn't have an account on Alice's wiki, but is dying to read what Alice and her friends are saying on that wiki page. Eve has her own web site running on scripts.berkeley.edu, at
https://scripts.berkeley.edu/~eve/
Consider that Eve manages to get Alice to visit Eve's page. How can Eve get a copy of Alice's wiki page?
Note that Alice is security savvy and she employs the following security techniques:
1. Her wiki employs CSRF protection correctly so a CSRF attack won't work.
2. The session cookie is httpOnly so JavaScript cannot access it.
3. Alice is not susceptible to phishing attacks. She checks the URL carefully wherever she goes (including the unicode!). When she visits a site that is not hers, including Eve's site, she does not provide her password or other sensitive information.
4. Alice will not click on anything in Eve's page other than visiting the page.
5. She scopes her cookies with domain=scripts.berkeley.edu and a path corresponding to ~alice/wiki, so that other users' servers on scripts.berkeley.edu won't receive her cookies.
Describe Eve's attack here:
Solution: Eve's page will load https://scripts.berkeley.edu/~alice/wiki in an iframe. It will also include JavaScript that uses the JavaScript DOM APIs to read the contents of the iframe (this is allowed by the same-origin policy, since it's the same origin) and then send that to a website controlled by Eve.
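Two earlier parts of this exam both come down to character whitelisting: the input validation Alice could have used in Problem 6(c), and Michael's A-Za-z0-9_-. domain-name rule in Problem 4(c). The following added example (not the exam's code; all function and constant names are chosen here) implements one general check, `all_chars_in()`, and instantiates it for both. Crabby's tag is rejected because the quote, semicolon and spaces are not in the tag alphabet, and a domain with a UTF-8 Cyrillic first letter (a constructed sample) is rejected because its bytes are outside ASCII; a domain that swaps in an ASCII look-alike passes, which is exactly the limitation the Problem 4(c) solution points out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Allowed alphabets. Added example, not the exam's code. */
static const char TAG_ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";
/* Michael's proposed domain-name alphabet from Problem 4(c): A-Za-z0-9_-. */
static const char DOMAIN_ALLOWED[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-.";

/* Constructed sample: "paypal.com" with the first letter replaced by the
 * Cyrillic letter er (U+0440), which is the two UTF-8 bytes D1 80. The string
 * is split so the hex escape does not swallow the following 'a'. */
static const char CYRILLIC_P_DOMAIN[] = "\xD1\x80" "aypal.com";

/* True iff s is non-empty, at most max_len bytes, and every byte is listed in
 * allowed. Bytes outside 7-bit ASCII (any UTF-8 multibyte sequence) can never
 * match, so this is a strict allow-list rather than a block-list. */
bool all_chars_in(const char *s, const char *allowed, size_t max_len) {
    if (s == NULL) return false;
    size_t len = strlen(s);
    if (len == 0 || len > max_len) return false;
    for (size_t i = 0; i < len; i++) {
        if (strchr(allowed, (unsigned char)s[i]) == NULL) return false;
    }
    return true;
}

/* Tag validation as Alice could have done it, before the tag reaches the
 * database query. The 64-byte limit is this example's own choice. */
bool is_valid_tag(const char *tag) {
    return all_chars_in(tag, TAG_ALLOWED, 64);
}

/* Michael's browser rule from Problem 4(c); 253 is the DNS hostname limit. */
bool is_allowed_domain(const char *host) {
    return all_chars_in(host, DOMAIN_ALLOWED, 253);
}

int main(void) {
    const char *tags[] = { "easy_exams", "courses that are easy to'; drop table users --" };
    for (size_t i = 0; i < 2; i++)
        printf("tag %-50s -> %s\n", tags[i], is_valid_tag(tags[i]) ? "accepted" : "rejected");
    const char *hosts[] = { "paypal.com", CYRILLIC_P_DOMAIN, "paypa1.com" };
    for (size_t i = 0; i < 3; i++)
        printf("host %-15s -> %s\n", hosts[i], is_allowed_domain(hosts[i]) ? "allowed" : "refused");
    return 0;
}
```

The tag check is a complete fix for the injection in Problem 6(b) because the characters the attack needs cannot reach the query at all; the domain check is not a complete fix for homograph phishing because look-alikes drawn from the allowed alphabet itself ("paypa1.com") are, by construction, indistinguishable to a character whitelist.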