Nicholas & Peyrin CS 161 Summer 2021 Computer Security
For questions with circular bubbles, you may select exactly one choice on Examtool. Unselected option
Final
Only one selected option
For questions with square checkboxes, you may select one or more choices on Examtool.
You can select
multiple squares
For questions with a large box, you need to write your answer in the text box on Examtool.
There is an appendix at the end of this exam, containing descriptions of all C functions used on this exam.
You have 170 minutes, plus a 10-minute buffer for distractions or technical difficulties, for a total of 180 minutes. There are 12 questions of varying credit (200 points total).
The exam is open note. You can use an unlimited number of handwritten cheat sheets, but you must work alone.
Clarifications will be posted on Examtool.
Q1 MANDATORY – Honor Code (5 points) Read the following honor code and type your name on Examtool.
I understand that I may not collaborate with anyone else on this exam, or cheat in any way. I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in, at minimum, negative points on the exam and a corresponding notch on Nick’s demolition tool.
Page 1 of 25
Q2 True/false (30 points) Each true/false is worth 2 points.
Q2.1 True or False: TLS with Diffie-Hellman is still vulnerable to man-in-the-middle attackers by intercepting and performing two separate key exchanges with both sides.
True False
Q2.2 True or False: In TLS, an attacker cannot change the client and server random values Rb and Rs sent at the beginning of the exchange undetected, even though the client and server have not yet agreed on a set of symmetric keys.
True False
Q2.3 True or False: Referrer validation is a valid defense against reflected XSS attacks.
Clarification during exam: This question has been dropped. All students will receive credit on this question.
True False
Q2.4 True or False: Hybrid encryption typically uses symmetric encryption to encrypt the plaintext and asymmetric encryption to encrypt a symmetric key.
True False
Q2.5 True or False: If the first and last node in a Tor circuit learn that they are part of the same circuit and collude with one another, they are able to deanonymize the Tor user, even if the middle node is honest.
True False
Q2.6 True or False: One advantage of pointer authentication over stack canaries is that pointer authentication is harder to brute-force than stack canaries.
True False
Q2.7 True or False: While developing a website, the programmer leaves the server password hidden in the website’s HTML. This violates Shannon’s Maxim.
True False
Q2.8 TrueorFalse:MostCAPTCHAsaresetuptodistinguishgoodbots,suchaswebcrawlers,from malicious bots.
True False
Q2.9 True or False: Cursorjacking is a UI attack that relies on creating a fake cursor that is more prominent or visible than the real cursor.
True False
Q2.10 TrueorFalse:Inaprogramthathasstackcanariesenabled,thestackcanarytakesonthesame value across multiple executions of the program.
Final
Page 2 of 25 CS 161 – Summer 2021
True False
Q2.11 True or False: If Alice encrypts a message with AES-CBC, but instead of using completely random IVs, she uses R, R + 1, R + 2, and so on, where R is a random value that she chose once, this scheme is IND-CPA secure.
True False
Q2.12 True or False: DNSSEC uses TLS to protect against attacks when transmitting packets. True False
Q2.13 True or False: SHA-256 is a good hash function to use when hashing passwords. True False
Q2.14 TrueorFalse:Afirewalldoesnotdefendagainstatrustedpartyinsidethefirewallthatbecomes malicious and attempts to breach other computers within the network.
True False
Q2.15 True or False: One weakness of one-time authentication codes, such as those sent to a user’s cell phone number, is that they are still vulnerable to a transient phishing attack.
True False Q2.16 (0 points) True or False: EvanBot is a real bot.
Final
Page 3 of 25
CS 161 – Summer 2021
True
False
Q3 (18 points)
Q3.1 (5 points) Which of the following URLs have the same origin as http://piazza.com/? Select
all that apply.
(A) https://piazza.com/
(B) http://piazza.com:614/ (C) http://web.piazza.com/ (D) http://piazza.com/run (E) http://aplaza.com/
(F) None of the above
Q3.2 (3 points) If the script is in-
cluded in http://piazza.com/, which of these pages can the script modify? (G) http://piazza.com/ (J) All of the above
Final
Page 4 of 25 CS 161 – Summer 2021
(H) http://bank.com/ (I) http://cs161.org/
(K) None of the above
(L)
Q3.3 (5 points) In which of the following contexts would the contents of a cookie with the HttpOnly flag be sent? Select all that apply.
(A) A user clicks on a link that sends a request over HTTP to the domain of the cookie
(B) A user clicks on a link that sends a request over HTTPS to the domain of the cookie
(C) JavaScript is used to send a request over HTTP to the domain of the cookie
(D) JavaScript is used to read the value of the cookie and send its contents to a different domain (E) A page includes an tag loading an image using HTTP from the domain of the cookie (F) None of the above
Q3.4 (5 points) http://evanbot.piazza.com is setting a cookie. Which of these cookie attributes can http://evanbot.piazza.com set (without being rejected by the browser) so that the cookie gets sent on a request to http://web.piazza.com/pictures? Select all that apply.
(G) domain=evanbot.piazza.com; path=/pictures (H) domain=piazza.com; path=/pictures
(I) domain=com; path=/pictures
Final
Page 5 of 25 CS 161 – Summer 2021
(J) domain=evanbot.piazza.com
(K) domain=piazza.evanbot.com; path=/pictures (L) None of the above
Q4 Coffee-Shop Attacks (17 points) Dr. Yang comes to MoonBucks and tries to connect to the network in the coffee shop. Dr. Yang and http://www.piazza.com are communicating through TCP. Mallory is an on-path attacker.
Q4.1 (5 points) Which of the following protocols are used when Dr. Yang first connects to the Wi- Fi network and visits http://www.piazza.com? Assume any caches are empty. Select all that apply.
(A) CSRF (C) DNS (or DNSSEC) (E) DHCP
(B) IP (D) HTTP (F) None of the above
Q4.2 (3 points) Suppose Mallory spoofs a packet with a valid, upcoming sequence number to inject the malicious message into the connection. Would this affect other messages in the connection?
(G) Yes, because the malicious message replaces some legitimate message
(H) Yes, because future messages will arrive out of order
(I) No, because on-path attackers cannot inject packets into a TCP connection
(J) No, because TCP connections are encrypted
(K)
(L)
Q4.3 (3 points) To establish a TCP connection, Dr. Yang first sends a SYN packet with Seq = 980 to the server and receives a SYN-ACK packet with Seq = 603; Ack = 981. What packet should Dr. Yang include in the next packet to complete the TCP handshake?
(A) SYN-ACK packet with Seq = 981; Ack = 604 (B) SYN-ACK packet with Seq = 604; Ack = 981 (C) ACK packet with Seq = 981; Ack = 604
(D) ACK packet with Seq = 604; Ack = 981
(E) Nothing to send, because the TCP handshake is already finished.
(F)
Q4.4 (3 points) Immediately after the TCP handshake, Mallory injects a valid RST packet to the server. Next, Mallory spoofs a SYN packet from Dr. Yang to the server with headers Seq = X. The server responds with a SYN-ACK packet with Seq = Y ; Ack = X + 1. What is the destination of this packet?
Final
Page 6 of 25
CS 161 – Summer 2021
(G) Dr. Yang
(H) The server
Final
Page 7 of 25
CS 161 – Summer 2021
Q4.5
(3 points) Which of the following network attackers would be able to perform the same attacks as Mallory?
Clarification during exam: By “perform the same attacks,” we mean “reliably perform the same attacks.”
(I) Mallory (K)
(J) None of the above
(L)
(A) A MITM attacker between Dr. Yang and the server
(D) None of the above
(E) (F)
(B) An off-path attacker (C) All of the above
Q5 Dual Asymmetry (15 points) Alice wants to send two messages M1 and M2 to Bob, but they do not share a symmetric key.
Clarification during exam: Assume that p is a large prime and that g is a generator modp, like in ElGamal. Assume that all computations are done modulo p in Scheme A.
Q5.1 (3 points) Scheme A: Bob publishes his public key B = gb. Alice randomly selects r from 0 to p-2. Alice then sends the ciphertext (R, S1, S2) = (gr, M1 × Br, M2 × Br+1).
Select the correct decryption scheme for M1:
(A)R−b ×S1 (D)Bb ×S1
(E) (C) B−b × S1 (F)
Q5.2 (3 points) Select the correct decryption scheme for M2:
(G)B−1 ×R−b ×S2 (J)B−1 ×R×S2
(B) Rb × S1
(K) (I)B−1 ×Rb ×S2 (L)
Q5.3 (4 points) Is Scheme A IND-CPA secure? If it is secure, briefly explain why (1 sentence). If it is not secure, briefly describe how you can learn something about the messages.
Clarification during exam: For Scheme A, in the IND-CPA game, assume that a single plaintext is composed of two parts, M1 and M2.
(A) Secure (C) (E)
(H)B×R−b ×S2
(B) Not secure (D)
(F)
Final
Page 8 of 25 CS 161 – Summer 2021
Q5.4 (5 points) Scheme B: Alice randomly chooses two 128-bit keys K1 and K2. Alice encrypts K1 and K2 with Bob’s public key using RSA (with OAEP padding) then encrypts both messages with AES-CTR using K1 and K2. The ciphertext is RSA(PKBob, K1∥K2), Enc(K1, M1), Enc(K2, M2).
Which of the following is required for Scheme B to be IND-CPA secure? Select all that apply. (G) K1 and K2 must be different
(H) A different IV is used each time in AES-CTR
Final
Page 9 of 25 CS 161 – Summer 2021
(I) M1 and M2 must be different messages
(J) M1 and M2 must be a multiple of the AES block size (K) M1 and M2 must be less than 128 bits long
(L) None of the above
Q6 Under Pressure (16 points) Alice and Bob are communicating large pieces of secret data with each other using an IND-CPA secure encryption scheme, but they are being slowed down by their connection! They decide to use compression to improve the amount of data they can send.
Consider the following properties of compression algorithms:
• Compression algorithms reduce the length of the input.
• High-entropy (random-looking) data may only have its length reduced slightly, or not at all • Low-entropy (predictable) data can often have its length reduced considerably
Q6.1 (3 points) Alice and Bob consider first encrypting and then compressing their data. They send compress(Enc(K, M )), where the input to the compression algorithm is the output of the encryp- tion algorithm. Provide one reason why this might be a bad idea.
Final
Page 10 of 25
CS 161 – Summer 2021
Q6.2 (5 points) Realizing their mistake, Alice and Bob instead decide to compress their data before encrypting it. They send Enc(K, compress(M )), where the input to the encryption algorithm is the output of the compression algorithm.
True or False: This combination of compress-then-encrypt is IND-CPA secure. If you answer True, briefly justify your answer (no formal proof needed). If you answer False, describe how an adversary could win the IND-CPA game with probability greater than 0.5.
(G) True (H) False (I)
(J) (K) (L)
For the rest of this question, consider a compress-then-encrypt algorithm with the following properties:
• Assume that Alice and Bob’s messages consist of byte strings.
• When compressing, any chain of m consecutive, identical runs of n bytes (total length mn) are compressed into a single run of length n. Runs consisting of a single byte (n = 1) are included.
• Encryption preserves the exact length of the message (no padding is used). For example, the following sequence of bytes:
Index 0 1 2 3 4 5 6 7 8 9 Byte 0x00 0x11 0x22 0x33 0x44 0x44 0x55 0x66 0x77 0x77
would be compressed to a message of length 8, since there are 2 1-byte runs in positions 4–5 and 8–9. Similarly, the following sequence of bytes:
Index 0 1 2 3 4 5 6 7 8 9 Byte 0xaa 0xbb 0xaa 0xbb 0xcc 0xdd 0xcc 0xdd 0xee 0xff
would be compressed to 6 bytes, since there are two 2-byte runs in positions 0–3 and two 2-byte runs in positions 4–7.
Q6.3 (5 points) Alice sends the same message M = secret repeatedly to Bob, using the compression algorithm from above for a compress-then-encrypt scheme.
Assume that Mallory doesn’t have complete control over the messages that Alice sends, but Mallory is able to append to the sent messages before they are compressed and encrypted.
For example, if Alice repeatedly sends the message M = secret, Mallory can force the compressed and encrypted message to be M′ = secret∥x, where x is chosen by Mallory. She can do this repeatedly for any value of x that she chooses.
If Mallory can observe all resulting ciphertexts from the compress-then-encrypt algorithm as they are transmitted to Bob, devise a way to recover the last byte of secret.
Clarification during exam: Assume that Alice’s messages will never produce ambiguous behavior when being compressed.
Clarification during exam: Assume that the encryption algorithm preserves the exact length of the plaintext.
Final
Page 11 of 25 CS 161 – Summer 2021
Final
Page 12 of 25
CS 161 – Summer 2021
Q6.4 (3 points) Assume that Mallory has a method for recovering the last byte of the message. If secret is 32 bytes long and there are 256 possible values for a byte, what is the most number of messages Alice has to send (that Mallory can append to) in order to learn the entire secret?
(G) 2128 (H) 2256
(I) 32256
(J) 256 × 32
(K) 25632
(L) None of the above
Q7
TLS Secret Chaining (12 points) Recall that TLS with RSA does not provide forward secrecy. An attacker who has recorded past connections and then stolen the server’s private key can decrypt any past connection.
Consider a modified TLS scheme. RSA is used for the first connection. In future connections, the premaster secret is instead encrypted using the cipher key from the previous connection. Assume this encryption is IND-CPA secure.
Final
Page 13 of 25 CS 161 – Summer 2021
The server and client perform n TLS connections. The first connection is numbered C1, and the most recent connection is numbered Cn. The attacker records some of these connections and then steals the server’s private key. For each set of recorded connections, select all connections the attacker can decrypt.
Clarification during exam: Assume that ranges of connections are inclusive. For example, “All connections between C1 and Cn” would include C1 and Cn.
Q7.1 (3 points) The attacker records all connections except C1.
(A) Connection C1 only
(B) Connections C1 and C2 only (C) All connections except C1
(D) All connections between C1 and Cn−1 (E) All connections between C1 and Cn (F) None of the above
Q7.2 (3 points) The attacker records all connections except Cn.
(G) Connection C1 only
(H) Connections C1 and C2 only (I) All connections except C1
(J) All connections between C1 and Cn−1 (K) All connections between C1 and Cn (L) None of the above
Q7.3 (3 points) The attacker records all connections except C2.
(A) Connection C1 only
(B) Connections C1 and C2 only (C) All connections except C1
(D) All connections between C1 and Cn−1 (E) All connections between C1 and Cn (F) None of the above
Q7.4 (3points) SupposewemodifytheTLSschemefromabove.Ineveryconnection,theclientencrypts their random number Rb with RSA before sending it to the server. (Recall that in regular TLS, Rb is sent with no encryption.)
Does this scheme provide forward secrecy?
(G) Yes, because Rb is needed to generate the symmetric keys
(H) Yes, because an attacker can perform a replay attack
Final
Page 14 of 25 CS 161 – Summer 2021
(I) No, because the attacker can still learn Rb after stealing the private key (J) No, because only Diffie- LS provides forward secrecy
(K)
(L)
Q8 Intrusion Detection Scenarios (12 points) For each scenario below, select the best detector or detection method for the attack.
Q8.1 (3points) TheattackerconstructsapathtraversalattackwithURLescaping:%2e%2e%2f%2e%2e%2f.
(A) NIDS, because of interpretation issues (D) HIDS, because of cost
Final
Page 15 of 25
CS 161 – Summer 2021
(B) NIDS, because of cost
(C) HIDS, because of interpretation issues
(E) (F)
Q8.2 (3 points) The attacker is attacking a large network with hundreds of computers, and a detector must be installed as quickly as possible.
(G) NIDS, because of interpretation issues (H) NIDS, because of cost
(I) HIDS, because of interpretation issues
(J) HIDS, because of cost
(K) (L)
Q8.3 (3 points) The attacker constructs an attack that is encrypted with HTTPS. (A) NIDS, because of interpretation issues (D) HIDS, because of cost
(B) NIDS, because of cost
(C) HIDS, because of interpretation issues
(E) (F)
Q8.4 (3 points) The attacker constructs a buffer overflow attack using shellcode they found online in a database of common attacks.
(G) Signature-based (H) Specification-based (I) Anomaly-based
(J) Behavioral
(K) (L)
Q9 To The Moon (15 points) ToTheMoon Bank has just created an online banking system. When a user wants to complete a transfer, they follow these steps:
1. The user logs in by making a POST request with their username and password.
2. The server sets a cookie with name=auth_user and value=$token, where $token is a session token specific to the user’s login session.
3. The user initiates a transfer by making a GET request to https://tothemoonbank.com/transfer?amount=$amount&to=$user, replacing $amount and $user with the intended amount and recipient. Transfers use a parameterized SQL query.
4. The server runs the SQL query SELECT username FROM users WHERE session_token = ‘$token’, replacing token with the value of the cookie. The server does not use parameter-
ized SQL or any input sanitization.
Q9.1 (4 points) Which of the following attacks are possible in this system? Select all that apply.
(A) SQL injection (D) Path traversal attack (B) ROP attack (E) None of the above
(F)
malicious link https://tothemoonbank.com/transfer?amount=100&to=Mallory.
Which of the following scenarios would cause Alice to send $100 to Mallory? Select all that apply.
(G) Alice clicks on the malicious link when Alice is not logged into the bank
(H) Alice clicks on the malicious link when Alice is logged into the bank
(I) Alice visits Mallory’s website, which has an img tag loading the malicious link, when Alice is not logged into the bank
(J) Alice visits Mallory’s website, which has an img tag loading the malicious link, when Alice is logged into the bank
(K) None of the above
(L)
Q9.3 (4 points) Suppose Step 4 is modified. To initiate a transfer, instead of making a GET request, the user makes a POST request to https://tothemoonbank.com/transfer with the amount and recipient in the POST body.
Which of the following scenarios would cause Alice to send $100 to Mallory? Select all that apply. Clarification during exam: The malicious link in the answer choices should be
https://tothemoonbank.com/transfer?amount=100&to=Mallory.
Final
Page 16 of 25 CS 161 – Summer 2021
(C) CSRF attack
Q9.2 (4 points) Mallory is a malicious user with an account on ToTheMoon Bank. Mallory creates a
Final
Page 17 of 25
CS 161 – Summer 2021
(A) Alice clicks on the malicious link when Alice is not logged into the bank
(B) Alice clicks on the malicious link when Alice is logged into the bank
(C) Alice visits Mallory’s website, which has an img tag loading the malicious link, when Alice is not logged into the bank
(D) Alice visits Mallory’s website, which has an img tag loading the malicious link, when Alice is logged into the bank
(E) None of the above
(F)
Q9.4 (3 points) Which user inputs might be vulnerable to SQL injection? Select all that apply. (G) amount parameter
(H) to parameter
(I) Value of the auth_user cookie (J) None of the above
(K)
(L)
Q10 AES-EMAC
Consider AES-EMAC, which is another scheme for generating secure MACs.
M1 M2 Mn
(19 points)
AES
K1 K1 K1
Sn
S1 S2
K2
Q10.1 (2 points) True or False: Given only T, an attacker can generate a valid MAC for M||M′, for an M′ of the attacker’s choosing.
True False
Q10.2 (2 points) True or False: Given only T and K1, an attacker can generate a valid MAC for
M||M′, for an M′ of the attacker’s choosing.
True False
Q10.3 (2 points) True or False: Given only T, K1, and K2, an attacker can generate a valid MAC for M||M′, for an M′ of the attacker’s choosing.
True False
Q10.4 (2 points) True or False: Given the output T and the secret keys K1 and K2, the entire original
message M can be reconstructed.
True False
For the rest of the question, regardless of your answer to the previous parts, assume that the output is S1||S2 . . . ||Sn||T .
AES
AES
AES
Q10.5
Q10.6
(4 points) Which values are needed to recover the entire original message? Select all that apply. (A)Si forall1≤i≤n (D)K2
(B) T (E) None of the above
Final
Page 18 of 25 CS 161 – Summer 2021
(C) K1
(F)
(3 points) Which of these equations is correct for calculating a plaintext block Mi given the output and both keys K1 and K2?
T
(G) Mi = Dec(K1, Si) ⊕ Si−1 (H) Mi = Dec(K1, Si ⊕ Si−1) (I) Mi = Dec(K2, Si) ⊕ Si−1
(J) Mi = Dec(K2, Si ⊕ Si−1) (K) Mi = Enc(K1, Si) ⊕ Si−1 (L) Mi = Enc(K1, Si ⊕ Si−1)
Q10.7 (4 points) Select all true statements about this scheme.
(A) To compute AES-EMAC on a message, the message must first be padded to a multiple of the block size
(B) Encryption can be parallelized (C) Decryption can be parallelized (D) AES-EMAC is IND-CPA secure (E) None of the above
(F)
Final
Page 19 of 25
CS 161 – Summer 2021
Q11 DNS Lookups (15 points) EvanBot performs a lookup for the IP address of toon.cs161.org. For each DNS or DNSSEC record, determine which name server sent the record.
Q11.1 (3 points) A type record with the IP address of toon.cs161.org
(A) root name server (D) None of the above
(B) .org name server
(C) cs161.org name server
(E) (F)
Q11.2 (3 points) A type record with the IP address of the cs161.org name server (G) root name server (J) None of the above
(H) .org name server
(I) cs161.org name server
(K) (L)
Q11.3 (3 points) A type record with the IP address of cs161.org (not the name server) (A) root name server (D) None of the above
(B) .org name server
(C) cs161.org name server
(E) (F)
Q11.4 (3 points) DNSKEY type record with the public key of the cs161.org name server (G) root name server (J) None of the above
(H) .org name server
(I) cs161.org name server
(K) (L)
Q11.5 (3 points) DS type record with the hash of the .org name server’s public key
Final
Page 20 of 25
CS 161 – Summer 2021
(A) root name server
(B) .org name server
(C) cs161.org name server
(D) None of the above
(E) (F)
Q12 Wallet Management
Consider the following vulnerable C code:
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
Q12.1 (4 points) For the first subpart, assume that no memory safety defenses are enabled.
Let SHELLCODE be a 24-byte malicious shellcode. If the address of wals is 0x9fffcad0, provide an input as a series of Python print statements that would cause your program to execute malicious shellcode.
(26 points)
#include
#include
struct wallet {
char owner[4]; /∗ 4 bytes. ∗/ int amt; /∗ 4 bytes. ∗/
};
int main ( void ) {
int wallet_idx = 0; struct wallet wals [8]; char buf [16];
while (1) {
/∗ Get wallet index . ∗/ printf(“Enter wallet index:\n”); fgets(buf, 16, stdin);
int wallet_idx = atoi(buf);
if ( wallet_idx < 0) {
/∗ Exit loop if invalid index. ∗/
break ; }
/∗ Update dollar amount . ∗/
printf("Enter dollar amount:\n"); fgets(buf, 16, stdin); wals[wallet_idx].amt = atoi(buf);
/∗ Read owner. ∗/
printf("Enter owner name:\n");
gets ( wals [ wallet_idx ] . owner ) ; }
return 0;
}
Final
Page 21 of 25 CS 161 – Summer 2021
Assume you are on a little-endian 32-bit x86 system. Assume that there is no compiler padding or additional saved registers in all subparts.
Clarification during exam: The atoi function converts a string to an integer. For example, atoi("3") would return the integer value 3.
For example, a sequence of non-malicious inputs that updates wallet 0 without exiting the loop would be:
print('0')
print('1000')
print('NN')
Write your answer in Python 2 syntax (just like in Project 1).
For the remaining parts of this question, assume that stack canaries are enabled.
Q12.2 (3 points) Complete the stack diagram with stack canaries enabled. Each row represents 4 bytes.
Parts (2a), (2b), and (2c):
RIP of main (2a) (2b) (2c) (3a) (3b) (3c) (3d)
(G) (2a) - SFP of main; (2b) - wallet_idx; (2c) - canary
(H) (2a) - SFP of main; (2b) - canary; (2c) - wallet_idx
(I) (2a) - canary; (2b) - SFP of main; (2c) - wallet_idx
(J) (2a) - canary; (2b) - wallet_idx; (2c) - SFP of main
(K) (2a) - wallet_idx; (2b) - SFP of main; (2c) - canary
(L) (2a) - wallet_idx; (2b) - canary; (2c) - SFP of main Q12.3 (3 points) Parts (3a), (3b), (3c), and (3d):
(A) (3a) - wals[0].amt; (3b) - wals[0].owner; (3c) - wals[1].amt; (3d) - wals[1].owner (B) (3a) - wals[0].owner; (3b) - wals[0].amt; (3c) - wals[1].owner; (3d) - wals[1].amt (C) (3a) - wals[7].amt; (3b) - wals[7].owner; (3c) - wals[6].amt; (3d) - wals[6].owner
Final Page 22 of 25 CS 161 – Summer 2021
(D) (3a) - wals[7].owner; (3b) - wals[7].amt; (3c) - wals[6].owner; (3d) - wals[6].amt
(E)
(F)
Q12.4 (3 points) Describe, briefly, a vulnerability on line 19. Additionally, describe a one-line fix to line 19 that would make this code memory-safe.
Q12.5 (5 points) Let SHELLCODE be a 24-byte malicious shellcode. If the address of the RIP of main is 0xbfeffc80, provide an input as a series of Python print statements that would cause your program to execute malicious shellcode.
Q12.6 (4points) Assumethatthecalltogetsonline31isreplacedwithfread(wals[wallet_idx].owner, 1, 4, stdin). Recall that fread does stop reading at a newline and does not add a NULL termi- nator.
Q12.7
EvanBot thinks that this code is no longer exploitable because the gets function is no longer used. Assume that your 24-byte shellcode must be written in a contiguous block of memory. Is EvanBot correct? If you answer Yes, describe why you can no longer exploit this code. If you answer No, describe how you would write your shellcode to a contiguous block of memory.
(G) Yes (H) No (I) (J) (K) (L)
(4 points) This part is independent of the previous subpart, but assume that stack canaries are still enabled. Which of the following actions would individually prevent the attacker from executing malicious shellcode (not necessarily using the exploit from above)?
Clarification during exam: The answer choice “Enabling pointer authentication” has been dropped. All students will receive credit for that answer choice only.
(A) Enabling non-executable pages in addition to stack canaries (B) Enabling pointer authentication
Final
Page 23 of 25 CS 161 – Summer 2021
Final
Page 24 of 25 CS 161 – Summer 2021
(C)Replacingthecalltogetsonline31withfgets(wals[wallet_idx].owner, 4, stdin) (D) Swapping the positions of the owner and amt fields in the wallet struct
(E) None of the above
(F)
C Function Definitions
int printf(const char *format, ...);
printf() produces output according to the format string format.
char *gets(char *s);
gets() reads a line from stdin into the buffer pointed to by s until
either a terminating newline or EOF, which it replaces with a null byte
('\0').
char *fgets(char *s, int size, FILE *stream);
fgets() reads in at most one less than size characters from stream and
stores them into the buffer pointed to by s. Reading stops after an
EOF or a newline. If a newline is read, it is stored into the buffer.
A terminating null byte ('\0') is stored after the last character in
the buffer.
size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
The function fread() reads nmemb items of data, each size bytes long,
from the stream pointed to by stream, storing them at the location
given by ptr.
Note that fread() does not add a null byte after input.
Final Page 25 of 25 CS 161 – Summer 2021