程序代做CS代考 SQL scheme javascript dns database chain compiler Java DHCP cache Popa Spring 2018

Popa Spring 2018
Print your name:
CS 161 Computer Security
,
(first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct on this exam will lead to a “F”-grade for the course and that the misconduct will be reported to the Center for Student Conduct.
Final Exam
Sign your name:
Print your class account login: cs161-
Name of the person sitting to your left:
Please read the following before starting the exam.
and SID:
Name of the person sitting to your right:
(last)
􏰀 You may consult three double-sided sheets of notes (or six single-sided sheets).
􏰀 You may not consult other notes, textbooks, &c. Calculators, computers and other electronic devices are not permitted without prior accomodation.
􏰀 Please write your answers in the spaces provided in the test. We will not grade anything on the back of an exam page unless we are clearly told to look there.
􏰀 Before you turn in your exam, write your Student ID at the top of every page.
􏰀 Bubble every item completely! Avoid using checkmarks, Xs, writing answers on the side, &c. If you
want to unselect an option, erase it completely and clearly.
􏰀 For questions with circular bubbles, you may select only one choice.
Unselected option (completely unfilled)
Only one selected option (completely filled)
􏰀 For questions with square checkboxes, you may select any number of choices (including none or all).
You can select
multiple squares (completely filled).
􏰀 We reserve the right to deduct points from exams which do not follow the above directions. (Of course, we will make reasonable exceptions.)
􏰀 You have 170 minutes. There are 12 questions, of varying credit (221 points total). The questions are of varying difficulty, so avoid spending too long on any one question.
Do not turn this page until your instructor tells you to do so.
Page 1 of 17

SID:
Problem 1 True or False (40 points) Answer the following true or false questions.
(a) The Harvard Architecture separates the code and data of a program into two separate address spaces. This makes it impossible to treat data as code, or code as data. True or False: Buffer overflows are not exploitable on a Harvard Architecture.
True False
(b) True or False: Postconditions for a function are independent of implementation details of the
function.
True False
(c) Consider the splitting problem: given a natural number n, find integers a and b such that ab = n and a,b > 1. (Note that a and b need not be prime.) True or False: If we had a polynomial time solution to the splitting problem, we could create a polynomial time solution for factoring into prime numbers.
True False
(d) Consider the function H : {0, 1}2b → {0, 1}b . H takes a 2b-bit string s, and splits it into two b-bit blocks k and x. It then computes Ek(x), where Ek is a secure block cipher encryption using b-bit blocks and keys. True or False: H is a one-way function.
True False
(e) True or False: If an arbitrary function is collision-resistant, then it is preimage resistant. True False
(f) True or False: If an arbitrary function is collision-resistant, then it is second preimage resistant. True False
(g) True or False: If it is possible, one way to prevent CSRF attacks is to use HTTP POST requests instead of HTTP GET requests, since this prevents an attacker from creating a request using an img tag.
True False
(h) True or False: If we do not use frames on our site, this prevents attackers from performing a
clickjacking attack.
True False
(i) True or False: If you know the IP addresses, ports, TCP sequence numbers and TCP acknowl- edgement numbers in a TCP connection, you can inject TCP traffic.
Final Exam
Page 2 of 17
CS 161 – Sp 18
True
False

SID:
(j) True or False: If we have two independent detectors, there is always a way to combine them such that the combined detector is more cost-effective than either detector alone. (Ignore the cost of the detectors.)
True False
(k) True or False: HTTPS provides security even against attackers on the local network. True False
(l) True or False: Even if you carefully inspect all URLs in the address bar to make sure they do not contain Javascript, you can still fall victim to a reflected XSS attack.
True False
(m) True or False: Disabling Javascript in your browser prevents clickjacking attacks completely. True False
(n) True or False: Disabling Javascript in your browser prevents CSRF attacks completely. True False
(o) True or False: If we hash the MAC of a message, this provides confidentiality. True False
(p) True or False: If we have a secure MAC, it is computationally difficult to find two keys k and k′, and a message m such that MACk (m) = MACk′ (m).
True False
(q) True or False: Prepared statements are a possible defense for SQL injection attacks. True False
(r) True or False: DNSSEC and TLS combined prevents eavesdroppers from seeing what sites we are visiting.
True False
(s) True or False: ARP spoofing requires that the attacker has two devices on the network: one to
send requests and the other to give fake answers.
True False
(t) True or False: Whitelist approaches are often more effective than blacklists in preventing injection
Final Exam
Page 3 of 17
CS 161 – Sp 18
attacks.
True
False

SID:
Problem 2 Party, No Theme (35 points) Answer the following questions about various course topics.
(a) (6 points) You have discovered a vulnerability in Snapitterbook which lets you create malicious posts. Whenever someone visits your Snapitterbook page, the evil post sends a request to the Snapitterbook webserver which causes the visitor to post a copy of the evil post to their own wall. Now their wall is also infected!
i. Which of the following concepts are relevant to this situation? CSRF Reflected XSS
Virus Clickjacking Worm SQL Injection XSS
ii. Which of the following technologies could help fix or detect the situation above?
A strict X-Frame-Options
Input escaping
A strict Content-Security-Policy Prepared Statements
Anomaly-based detection Referer checking
CSRF Tokens
HTTPS
(b) (3 points) You are considering buying three detector solutions, with the following statistics: 1. Detector X: False positive rate 5%; False negative rate 2%
2. Detector Y: False positive rate 1%; False negative rate 5%
3. Detector Z: False positive rate 2%; False negative rate 1%
A false positive costs $50, while a false negative costs $100.
Answer the following questions which attempt to compare the cost effectiveness of each detector.
If the detectors are equally effective, either choice will be accepted. i. Compare X and Y .
X is better (or equal)
ii. Compare Y and Z.
Y is better (or equal)
iii. Compare X and Z.
X is better (or equal)
Y is better (or equal)
Z is better (or equal)
Z is better (or equal)
Cannot say
Cannot say
Cannot say
(c) (3 points) What security principle explains why using proof of work to prevent email spam might work?
(d) (3 points) A company decides to implement a complicated password policy for its employees. What security principle explains why the overall security of the system might go down?
Final Exam Page 4 of 17 CS 161 – Sp 18

SID:
(e) (3 points) For RSA signatures as discussed in lecture, why is verification faster than signing?
(f) (5 points) Bob allegedly posted a rude statement about Alice on https://bob.com/alice-sux. Alice decides to take Bob to court! As proof that the Bob’s site had the statement at some point in time, Alice presents the entire HTTPS dialogue between her and the site. She also provides all the keys derived through the process. Should the judge be convinced? Explain your answer in 2–3 sentences.
Ignore the possibility that an attacker has compromised bob.com or Bob’s private keys. Assume bob.com uses RSA TLS and has a certificate signed by a trusted certificate authority.
Judge should be convinced Judge should not be convinced Explain:
(g) (3 points) Which of the following attacks require an attacker to be on the same local network as their target?
TCP Injection ARP Spoofing DNS Spoofing
DHCP Spoofing Reflected XSS Stored XSS
(h) (3 points) Which property of the hash function does the hash chain in Bitcoin rely on? List one property alone.
(i) (3 points) Which of the following defenses are typically implemented using the compiler?
Position-Independent Executables
NX bit
(j) (3 points) Alice receives the following email:
From: : Alice,
ASLR
Stack Canaries
Your boss, Steven, wanted me to send you this link to those expense
reports for the Fall 2016 Quarter. He said that you would look at
them and give Evelyn the tax estimate she asked for earlier.

What attack does this represent? (Be as specific as possible!)
Final Exam Page 5 of 17 CS 161 – Sp 18

SID:
Problem 3 D ́ej`a Vu (16 points) The code below runs on a 32-bit Intel architecture. ASLR is enabled. There are no stack canaries, no position-independent executables and no NX bit. No padding is added by the compiler.
1 2 3 4 5 6 7 8 9
10 11
1 2 3 4 5 6
(c) On some older Intel processors, a single instruction could halt the entire system. The machine code for one such instruction is \xf0\x0f\xc7\xc8. Give an input which will cause the execution of this shellcode. Hint: We pushed &door onto the stack in order to call gets. This forms a “perfect pointer” for shellcode. Knowing that, how can you make the program start executing door?
char *gets(char *s) { /* simple implementation of gets */ char *s_ = s;
while ((*s_++ = getchar()) != ’\n’); s_[-1] = ’\0’;
return s;
deja_vu () { char door [16]; gets(door);
}
} void
(a) What sort of exploit technique works by chaining execution of small blocks of code (“gadgets”)?
(b) After disassembling the code, you find the following gadgets.
Gadget 1:
0x080484a2 <+30>: sub 0x080484a5 <+33>: ret
Gadget 2:
0x080484fc <+30>: add 0x080484ff <+33>: ret
$0x14 ,%esp
$0x14 ,%esp
Which of the above gadgets was most likely generated intentionally by the compiler? Gadget 1 Gadget 2
Final Exam Page 6 of 17 CS 161 – Sp 18

SID:
Problem 4 Mystery Matrix Math (15 points) Consider the following code which performs a mystery operation on the input matrix.
1 2 3 4 5 6 7
void mystery(int **A, size_t m, size_t n) { for (size_t i = 0; i < m; i++) { for (size_t j = 0; j < n; j++) { A[i][j] = A[j][i]; } } } Assume that m and n are both non-zero. Ignore the possibility of negative indices. (a) For each of the subparts below, mark necessary preconditions for mystery to be memory-safe. i. A ̸= NULL size(A) > m
size(A) ≥ m
ii. m̸=i,n̸=j
i n size(A) ≥ n
i, j < max(m, n) 0 ≤ i, j ∀i∀j:i

Here is a GIF of puppies






Note that google.com is loaded over HTTPS, whereas yahoo.com is loaded over HTTP.
Alice uses Mozilla Firefox on her laptop running Microsoft Windows. In her first browser tab, she has https://berkeley.edu open. In a second tab, she opens http://cute-puppies.com. In a third tab, she opens http://cute-puppies.com once again.
Assume that no two entities share information out of band. Each of the parts below are independent. (a) Assuming Alice does not use any tracking protection, which entities know that the same person
visited cute-puppies.com twice? cute-puppies.com operators
yahoo.com operators google.com operators image-host.com operators
Microsoft Mozilla Alice’s ISP UC Berkeley
(b) Assume Alice opted in for a privacy service run by her ISP. This privacy service blocks analytics scripts based on a URL-based blocklist (not host-based). Which entities know that the same person visited cute-puppies.com twice?
cute-puppies.com operators yahoo.com operators google.com operators image-host.com operators
Microsoft Mozilla Alice’s ISP UC Berkeley
(c) Assume Alice uses a browser plugin. The browser-plugin blocks the analytics scripts based on a URL-based blacklist (not host-based). Which entities know that the same person visited cute-puppies.com twice?
Final Exam
Page 14 of 17
CS 161 – Sp 18
cute-puppies.com operators yahoo.com operators google.com operators image-host.com operators
Microsoft Mozilla Alice’s ISP UC Berkeley

SID:
(d) Assume Alice uses a VPN run by UC Berkeley. Which entities know that the same person visited
Final Exam
Page 15 of 17
CS 161 – Sp 18
cute-puppies.com twice? cute-puppies.com operators
yahoo.com operators google.com operators image-host.com operators
Microsoft Mozilla Alice’s ISP UC Berkeley

SID:
Problem 11 Boogle (15 points) Boogle is a social networking website that’s looking into expanding into other domains. Namely, they recently started a map service to try their hand at fusing that with social media. The URL for the main website is https://www.boogle.com, and they want to host the map service at https://maps.boogle. com.
(a) Describe how to make a cookie that will be sent to only Boogle’s map website and its subdomains.
(b) How can Boogle ensure that cookies are only transmitted encrypted so eavesdroppers on the network can’t trivially learn the contents of the cookies?
(c) Boogle adds the ability for users to check in to locations on maps.boogle.com, but discovers an XSS vulnerability that slipped through QA. Name a hotfix they can do to prevent scripts from stealing cookies using XSS.
(d) Some of the XSS attacks are scraping sensitive information from the map site, like user emails. The security team wants to know the scope of the vulnerability. Can attackers use XSS to also scrape sensitive information from the main site, https://www.boogle.com? Explain why or why not.
(e) Boogle wants to be able to host websites for users on their servers. As we saw in HW4, it is not completely safe to host them on https://[username].boogle.com. Propose an alternate scheme so that Boogle can still host other users websites with less risk, and explain why this scheme is better.
Note: It is okay if the user sites interfere with each other, as long as they cannot affect official Boogle websites.
Final Exam Page 16 of 17 CS 161 – Sp 18

SID:
Problem 12 Scripts and SQL (15 points) Answer the following questions about Javascript and SQL.
(a)
1
Oski Bank uses Javascript to deliver account information. The https://oski.bank/account.js file is generated server-side, and contains information for currently logged-in user. For example, here is how the file would look for a customer with name “ ” and 10232 dollars:
display({ name: ” “, money: 10232 });
i. Assume a victim user visits evil.com while this user is logged in with Oski Bank. How could evil.com use this to steal the user information provided as input to display for this victim user? Include approximate HTML in your explanation.
ii. Which of the following could be used to defend against this attack? Assume you can also update the rest of oski.bank.
(b)
1 2 3 4 5
Strong Content-Security-Policy Strict Referer checking X-Frame-Options header
Oski Bank’s site also contains the following code:
CSRF Tokens
Whitelist user inputs
Only call display if window == top
name = request.form[’username’]
query = ’SELECT COUNT(*) FROM users WHERE name=”{}”’.format(name) found = database.execute(query).fetchone()[0]
if found: return ’User exists!’, 200
else: return ’User not found!’, 404
Assume that the users table also contains a hash column, which is a hexadecimal encoding of the hash of the user’s password. Explain in detail how you could determine dirks’s hash. (Hint: You might find the SQLite substr(X, Y, Z) command helpful. It returns the Z character substring of the string X starting at the Yth character.)
Final Exam Page 17 of 17 CS 161 – Sp 18