
2017
CS 161 Computer Security
Midterm 2
Midterm solutions updated May 2021 by CS161 SP21 course staff.
Print your name: (last), (first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct.
Sign your name:
Print your class account login: cs161-
Name of the person sitting to your left:
and SID:
Name of the person sitting to your right:
You may consult one sheet of paper of notes. You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted. We use Gradescope for grading so please write your answers in the space provided.
If you think a question is ambiguous, please come up to the front of the exam room to ask the staff. If we agree that the question is ambiguous we will add clarifying assumptions to the central document projected in the exam rooms.
You have 110 minutes. There are 5 questions, of varying credit (120 points total). The questions are of varying difficulty, so avoid spending too long on any one question. Use a #2/HB or softer pencil. For bubble questions, fill the bubble completely and clearly erase any mistakes.
Some of the test may include interesting technical asides as footnotes. You are not responsible for reading the footnotes.
Do not turn this page until your instructor tells you to do so.
Page 1 of 15

Problem 1 True/False (14 points)
(a) (2 points) True/False: The origin policy for cookie access is different from the origin policy for JavaScript.
True False
Solution: True. Cookie policy and same-origin policy have different sets of rules.
(b) (2 points) True/False: An on-path attacker can disrupt any TCP connection the attacker can see.
True False
Solution: True. TCP messages are not secured by cryptography, so the attacker can read any messages sent over TCP. The on-path attacker can also see all the packet fields (including sequence numbers) and inject their own messages into the connection, for example a spoofed RST with an in-window sequence number, which tears the connection down.
Midterm 2 Page 2 of 15 CS 161 – Fa 18
(c) (2 points) True/False: Without additional cryptographic authentication, conventional DNS is vulnerable to an on-path attacker.
True False
Solution: True. An on-path attacker can see the ID field (and source port, if source port randomization is in use) and spoof a malicious DNS response. If the malicious response reaches the victim before the legitimate response, the victim will accept the malicious response as valid.
(d) (2 points) True/False: Both ARP and DHCP can be spoofed by an attacker connected to the same WiFi network as the victim.
True False

Solution: True. ARP and DHCP both involve the victim broadcasting a mes- sage to everyone on the local network (e.g. the WiFi network) and accepting the first response. The attacker could spoof a malicious response to the victim, and if the malicious response reaches the victim before the legitimate response, the victim will accept the malicious response as valid.
(e) (2 points) True/False: Along with randomizing the source port and the identifier field, randomizing the destination port will further increase the entropy in preventing .
True False
Solution: False. The destination port in DNS is a fixed constant (port 53) and cannot be randomized. If the port was randomized, users would not know which port to send their DNS queries to.
(f) (2 points) True/False: Replacing a small set of input characters is generally sufficient to prevent CSRF attacks.
True False
Solution: False. CSRF attacks are mainly about the attacker tricking the victim into sending a request. CSRF does not involve malicious input being treated as code, so replacing input characters will not prevent CSRF attacks. (CSRF tokens are the main defense, and they don't involve replacing input characters.)
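The following Python model is an added example, not part of the exam: it shows the only checks a conventional resolver makes before accepting a reply (question name, ID field, destination port, apparent source), and why those checks stop an off-path attacker but not an on-path one as in (c) and (e). The field names, the fixed fallback port of 53 and the ephemeral port range are assumptions of this model.

```python
import os
from dataclasses import dataclass

# Constructed example, not exam or course code. A minimal model of how a
# resolver decides whether a DNS reply answers the query it sent.


@dataclass(frozen=True)
class Query:
    qname: str
    txid: int       # 16-bit identifier field
    sport: int      # UDP source port the reply must come back to
    server: str     # nameserver the query was sent to


@dataclass(frozen=True)
class Reply:
    qname: str
    txid: int
    dport: int      # destination port of the reply
    src: str        # claimed source IP of the reply (trivially spoofable)
    answer: str


def _random_ephemeral_port() -> int:
    # Ports 1024..65535: 64512 possibilities.
    return 1024 + int.from_bytes(os.urandom(2), "big") % 64512


def send_query(qname: str, server: str, randomize_port: bool) -> Query:
    txid = int.from_bytes(os.urandom(2), "big")
    # Without source-port randomisation, old resolvers reused a fixed port (53 here, an assumption).
    sport = _random_ephemeral_port() if randomize_port else 53
    return Query(qname, txid, sport, server)


def accept(query: Query, reply: Reply) -> bool:
    """A conventional resolver accepts the first reply whose question, ID and
    port match the outstanding query and which appears to come from the
    server it asked. Nothing here is cryptographic."""
    return (reply.qname == query.qname and reply.txid == query.txid
            and reply.dport == query.sport and reply.src == query.server)


def forge_on_path(query: Query, evil_ip: str) -> Reply:
    """An on-path attacker sees the query, so every field is simply copied."""
    return Reply(query.qname, query.txid, query.sport, query.server, evil_ip)


def forge_off_path(qname: str, server: str, evil_ip: str, randomize_port: bool) -> Reply:
    """An off-path attacker never sees the query and must guess ID (and port)."""
    txid = int.from_bytes(os.urandom(2), "big")
    dport = _random_ephemeral_port() if randomize_port else 53
    return Reply(qname, txid, dport, server, evil_ip)


def guess_space(randomize_port: bool) -> int:
    """Number of (ID, port) combinations a single off-path forgery must hit."""
    return 65536 * (64512 if randomize_port else 1)


def first_valid_wins(query: Query, replies) -> str:
    """Replies are processed in arrival order; the first acceptable one is
    cached and later ones (including the legitimate answer) are ignored."""
    for reply in replies:
        if accept(query, reply):
            return reply.answer
    return None
```

Port randomisation raises the off-path guess space from 2^16 to roughly 2^32 per forgery, which is why (e) asks only about the source port: the on-path attacker is unaffected either way, because it reads both values off the wire.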
(g) (2 points) True/False: “SYN cookies” can work if the ACK is the first 4 bytes of SHA256(SIP ∥SP ORT ∥SEQ)
True False
Solution: False.
Recall that when SYN cookies are in use, the server chooses its initial sequence number in the SYN-ACK packet such that the server sequence number encodes any additional state needed to complete the handshake. This additional state is usually protected with a keyed hash (an HMAC under a server secret) so that it cannot be forged or tampered with. The client must echo this sequence number (plus one) in its final ACK before the server allocates any space to maintain the connection. This design lets the server avoid storing any state after receiving a SYN packet.
The ACK here doesn't work as a valid SYN cookie for several reasons. First, the sequence number is only 32 bits wide, and a bare truncated hash spends all of them, leaving no room for the state a real SYN cookie also has to carry (a coarse timestamp so that old cookies expire, and the client's MSS from the SYN, which the server would otherwise forget). More importantly, it is missing a secret key: anyone who knows SIP, SPORT and SEQ can compute SHA256(SIP ∥ SPORT ∥ SEQ) themselves, so an attacker can precompute the "cookie" for a spoofed source and send the matching ACK along with the initial SYN, circumventing the SYN cookie entirely. You'd use an HMAC instead because it's a keyed hash function that the attacker can't compute without the secret key.
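As an added example (not exam or course code), here is a Python model of a working SYN cookie beside the (g) proposal. It follows the classic layout: 5 bits of coarse timestamp, 3 bits of MSS index, and 24 bits of truncated HMAC under a server secret; the MSS table, the 64-second tick and the 4-tick lifetime are assumptions. check_ack recomputes the MAC from the returning ACK, so the server stores nothing between SYN and ACK, while exam_cookie can be computed by anyone who picks SIP, SPORT and SEQ.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed example, not exam or course code. Models Bernstein-style SYN
# cookies: the server's 32-bit ISN = 5-bit timestamp | 3-bit MSS index |
# 24-bit truncated HMAC over (client IP, client port, client SEQ, ts, mss_idx).
# MSS_TABLE, the 64-second tick and the 4-tick lifetime are assumptions.

MSS_TABLE = (536, 1300, 1440, 1460)      # assumed; 3 bits leave room for 8 entries
SERVER_KEY = os.urandom(32)              # secret the attacker does not have


def _tag24(key: bytes, sip: str, sport: int, seq: int, ts: int, mss_idx: int) -> int:
    """Truncated HMAC binding the cookie to this client, this SYN and this time slot."""
    msg = sip.encode() + struct.pack("!IIBB", sport, seq, ts, mss_idx)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(sip: str, sport: int, seq: int, mss: int,
                    key: bytes = SERVER_KEY, now: float = None) -> int:
    """Server ISN for the SYN-ACK. Nothing is stored per half-open connection."""
    now = time.time() if now is None else now
    ts = int(now // 64) % 32
    fits = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fits[-1] if fits else 0    # largest table entry not above the client's MSS
    return (ts << 27) | (mss_idx << 24) | _tag24(key, sip, sport, seq, ts, mss_idx)


def check_ack(sip: str, sport: int, seq: int, ack: int,
              key: bytes = SERVER_KEY, now: float = None):
    """Validate the client's final ACK; return the MSS to use, or None to drop it."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF      # the client acknowledges ISN + 1
    ts, mss_idx, tag = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    if (int(now // 64) % 32 - ts) % 32 > 4:   # cookie older than ~4 minutes
        return None
    expected = _tag24(key, sip, sport, seq, ts, mss_idx)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), tag.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


def exam_cookie(sip: str, sport: int, seq: int) -> int:
    """The (g) proposal: first 4 bytes of SHA256(SIP || SPORT || SEQ). Unkeyed,
    so an attacker can compute it for any spoofed (SIP, SPORT, SEQ) in advance."""
    msg = sip.encode() + struct.pack("!II", sport, seq)
    return int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")
```

The interesting checks are the negative ones: an ACK built under a guessed key, an ACK whose source port was altered, and an ACK that arrives after the timestamp window are all rejected, while exam_cookie is reproducible by anyone and therefore proves nothing about who sent the SYN.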

Problem 2 Keep Your Answers Short and Tweet (54 points)
In all these questions please keep your answers short. If you can't fit it in roughly a tweet, you are probably writing too much.
(a) (4 points) Consider the following code snippet:
stmt = connection.prepareStatement("SELECT * FROM users WHERE USERNAME = ? AND ROOM = ?");
stmt.setString(1, username);
stmt.setInt(2, roomNumber);
stmt.executeQuery();
What type of attack does this type of coding defend against?
Solution: SQL Injection
Note the SQL query and the prepareStatement function. This code snippet is setting up a prepared statement, which is a defense against SQL injection: the query text is fixed up front and the values are bound separately, so they can never be parsed as SQL.
(b) (4 points) A CA commonly validates certificates by checking whether the person requesting can add a piece of data onto the domain's web page. Does a CA's DNS server need to resist the Kaminsky attack?
Solution: Yes. The attacker could otherwise create a fake web page to host the check.
Specifically, an attacker can request a malicious certificate that states that the attacker's public key belongs to Google. The CA will ask the attacker to add some data on Google's homepage. The attacker uses the Kaminsky attack against the CA's DNS resolver so that it caches an attacker-owned IP address for Google. The CA fetches "Google's homepage" (actually the attacker's page), sees the data, and issues the certificate.
(c) (4 points) In the name "robert'; drop table students --", what is the purpose of the '?
Solution: Terminates the string or closes the opening quote.
This SQL injection input is probably being placed in a SQL query that wraps the input in quotes. The single quote after robert acts as a closing quote to match the opening quote added by the query, which allows the rest of the input (the drop statement) to be treated as SQL code.
(d) (4 points) In the name "robert'; drop table students --", what is the purpose of the --?
Solution: Makes the rest of the statement a comment.
This SQL injection input is probably being placed in a SQL query that wraps the input in quotes. The two dashes at the end make the database ignore everything after them, including the closing quote added by the query. (Otherwise there would be an odd number of quotes: two added by the query and one added by the input. The unmatched quote would cause a syntax error.)
(e) (6 points) A page foo.berkeley.edu displays the value of the cookie "NAME" on the page https://foo.berkeley.edu/xss without any protection. You control the website bar.berkeley.edu. What is the domain, path, and flags you should set so only that page receives your value of NAME?
Solution: Domain: berkeley.edu (the cookie is then sent to every *.berkeley.edu host, which is as narrow as bar can make it), Path: /xss, Flags: Secure (HttpOnly can also be added but is not essential).
(f) (4 points) foo.berkeley.edu wants to mitigate such cookie-based XSS attacks from other berkeley.edu sites. Why can't foo, without examining the content of the cookies themselves, distinguish between cookies set by foo and malicious cookies set by bar?
Solution: Because cookies are presented to the server as name/value pairs only. The domain and path are not sent along with the cookie, so foo cannot tell the two apart without examining the content of the cookie.
The browser allows multiple cookies to have the same name as long as they differ in domain or path. foo and bar could each set a cookie with the same name and value but different domains. (The browser stores cookies under the identifier name/domain/path, but sends only name=value.)
(g) (4 points) foo.berkeley.edu wants to prevent clickjacking, but at the same time wants any other site to be able to embed foo. Why can't they prevent clickjacking?
Solution: Framebusting (preventing other websites from embedding foo, e.g. with the X-Frame-Options header or CSP frame-ancestors) is the main defense against clickjacking. However, foo wants other sites to be able to embed it, so it can't use framebusting.
(h) (4 points) Why can't TLS protect against an on-path attacker who only wants to terminate connections?
Solution: Because TLS is built on TCP (i.e. the encrypted TLS records are sent using TCP), and the on-path attacker can perform RST injection on the lower-level TCP connection to terminate the TLS connection. TLS detects tampering with its own records, but it cannot stop the transport underneath it from being torn down.
(i) (4 points) Why can’t TLS protect against a censor who wants to block specific websites?
Solution: TLS doesn't hide which website you're communicating with. The packets carrying TLS still need to contain information like the destination IP address in plaintext so that lower-level protocols can deliver the encrypted message to the right destination.
Also note that in the TLS 1.2 handshake, the server sends its certificate in plaintext, which shows the censor which website you're communicating with. (TLS 1.3 encrypts the certificate, but the client's ClientHello still names the server in plaintext in the SNI extension, so a censor can still block by name.)
(j) (4 points) Why can't TLS protect against XSS attacks?
Solution: XSS vulnerabilities happen at the application layer (HTTP/web), which is a higher layer than TLS.
In other words, TLS can secure communications between you and the server, but if the server itself is vulnerable, TLS does nothing to protect that.
(k) (4 points) What vulnerabilities can occur if a site renders part of the URL into the resulting web page?
Solution: Reflected XSS.
This is the definition of reflected XSS: untrusted input from the request (here, part of the URL) is echoed into the response without escaping, so attacker-supplied script runs in the page.
(l) (4 points) Why could a user site user.github.com steal a visitor's login cookies to github.com?
Solution: Because cookies can be read/set by subdomains. By the cookie policy, user.github.com can set cookies with Domain=github.com, and cookies that github.com sets with that domain are sent to user.github.com too, where its scripts can read them.
(m) (4 points) Why can't a user site user.github.io steal a visitor's login cookies to github.com?
Solution: By cookie policy, user.github.io cannot read or set cookies for github.com because the domains don't match: github.io is not github.com, and a cookie's domain must be a suffix of the host that sets it.
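The following is an added example, not part of the exam: a simplified Python model of the browser's cookie rules behind (e), (f), (l) and (m). Domain matching follows RFC 6265's domain-matches rule; PUBLIC_SUFFIXES is a tiny hard-coded stand-in for the real Public Suffix List (which is what makes github.io behave like a top-level domain), and the Cookie fields are this model's own names.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed example, not exam or course code. Models which cookies a browser
# sends to a URL and what the server and page scripts actually get to see.

PUBLIC_SUFFIXES = {"com", "edu", "io", "github.io"}   # assumed subset of the PSL


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str               # Domain attribute, or the setting host if omitted
    path: str = "/"
    secure: bool = False
    http_only: bool = False
    host_only: bool = False   # True when Set-Cookie carried no Domain attribute


def domain_matches(host: str, domain: str) -> bool:
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def can_set(setting_host: str, domain_attr: Optional[str]) -> bool:
    """May `setting_host` set a cookie carrying this Domain attribute?"""
    if domain_attr is None:
        return True                               # host-only cookie
    d = domain_attr.lstrip(".").lower()
    if d in PUBLIC_SUFFIXES:
        return False                              # no Domain=github.io, Domain=edu, ...
    return domain_matches(setting_host, d)        # bar.berkeley.edu -> berkeley.edu: ok


def set_cookie(jar: List[Cookie], setting_host: str, name: str, value: str,
               domain: Optional[str] = None, path: str = "/",
               secure: bool = False, http_only: bool = False) -> bool:
    if not can_set(setting_host, domain):
        return False
    jar.append(Cookie(name, value, (domain or setting_host).lstrip(".").lower(),
                      path, secure, http_only, host_only=domain is None))
    return True


def path_matches(request_path: str, cookie_path: str) -> bool:
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookies_for(jar: List[Cookie], url: str) -> List[Cookie]:
    u = urlsplit(url)
    host, path = u.hostname, u.path or "/"
    out = []
    for c in jar:
        if c.host_only and host != c.domain:
            continue
        if not c.host_only and not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and u.scheme != "https":
            continue
        out.append(c)
    return out


def cookie_header(jar: List[Cookie], url: str) -> str:
    """What the server receives: bare name=value pairs. Domain, path and flags
    never travel with the cookie, which is why foo cannot tell its own NAME
    cookie from bar's without looking at the value."""
    return "; ".join(f"{c.name}={c.value}" for c in cookies_for(jar, url))


def document_cookie(jar: List[Cookie], url: str) -> str:
    """What page JavaScript sees via document.cookie: the same, minus HttpOnly."""
    return "; ".join(f"{c.name}={c.value}"
                     for c in cookies_for(jar, url) if not c.http_only)
```

With bar's cookie set as Domain=berkeley.edu, Path=/xss, Secure, the request to https://foo.berkeley.edu/xss carries two indistinguishable NAME= pairs, while requests to other paths or over plain http carry only foo's own. The same rules let user.github.com plant a Domain=github.com cookie but refuse user.github.io.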

Problem 3 The Internet of Shit (12 points)
A typical "Internet of Things" device has a webserver which people in the local network can use to manage it, reachable through http://iosdevice.local/. Of course this device, like most such devices, is horribly insecure, complete with a default username ("admin") and password ("secret"), and has no other defenses against SQL injection, XSS attacks, CSRF attacks, etc. The URL encoding for ' is %27, : is %3A, < is %3C, > is %3E, space is %20 and / is %2F.
Let's consider some different ways of attacking it...
As an attacker, we can get a potential victim to visit our web page.
(a) (4 points) The login page is http://iosdevice.local/login?user={USER}&password={PASSWORD}. What "image" can we include on our page to ensure that a user who hasn't changed the password will be logged into the device?
Solution: A user who hasn't changed the password will have the default username (admin) and password (secret).
Including an image tag with a link causes the user's browser to automatically make a request to the link (trying to fetch an image). We want the user to be logged in, so we want to force their browser to make a request to the login URL with the default username and password:
<img src="http://iosdevice.local/login?user=admin&password=secret">

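The following Python model is an added example, not part of the exam: vulnerable_login is the behaviour (a) relies on (credentials in a GET query string, accepted from any page, so the image fetch logs the victim in), and hardened_login is the CSRF-token defence from Problem 1(f) beside it. The session store, the csrf form field and the token sizes are assumptions of this model.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed example, not exam or course code. A model of the device's /login
# handler, as described in (a), next to a version that resists CSRF.

LOGIN_URL = "http://iosdevice.local/login"
DEFAULT_CREDS = {"admin": "secret"}       # the device's factory defaults


def csrf_image_url(user: str, password: str) -> str:
    """The URL an attacker's <img src=...> makes the victim's browser fetch."""
    return LOGIN_URL + "?" + urlencode({"user": user, "password": password})


def vulnerable_login(method: str, url: str) -> bool:
    """Accepts credentials from the query string on any method, with nothing
    tying the request to a form the user actually submitted."""
    q = parse_qs(urlsplit(url).query)
    user = q.get("user", [""])[0]
    password = q.get("password", [""])[0]
    return DEFAULT_CREDS.get(user) == password


_SESSIONS: dict = {}   # session id -> CSRF token (assumed per-session store)


def start_session() -> tuple:
    """Issued when the device serves its login form. The token is embedded in
    the form, where a page on another origin cannot read it."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    _SESSIONS[sid] = token
    return sid, token


def hardened_login(method: str, form: dict, session_cookie: str) -> bool:
    """Credentials only in a POST body, and the body must carry the CSRF
    token belonging to the session cookie sent with the request."""
    if method != "POST":
        return False                       # never log in on a GET (no <img> CSRF)
    expected = _SESSIONS.get(session_cookie)
    if expected is None or not secrets.compare_digest(form.get("csrf", ""), expected):
        return False                       # cross-site page cannot supply the token
    return DEFAULT_CREDS.get(form.get("user", "")) == form.get("password")
```

Note that replacing or escaping characters in the credentials would change nothing here: the attacker's request is well-formed and carries valid input, which is exactly the point of Problem 1(f). Changing the default password, and marking the session cookie SameSite, would be the other two obvious fixes for this device.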
(b) (4 points) The following page http://iosdevice.local/info?status={QUESTION} includes the contents of status unescaped in the page. What iframe can we include on our page so that the script http://evil.com/script.js is run in the context of iosdevice?
Solution: