2017
CS 161 Computer Security
Final Exam
Solutions updated May 2021 by CS161 SP21 course staff.
Print your name: , (last)
(first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct on this exam will be reported to the Center for Student Conduct and may lead to a “F”-grade for the course.
Sign your name:
Print your class account login: cs161- and SID:
Your TA’s name:
Number of exam of person to your left:
Number of exam of person to your right:
You may consult two sheets of notes (each double-sided). You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted. Please write your answers in the spaces provided in the test.
You have 180 minutes. There are 9 questions, of varying credit (600 points total). The questions are of varying difficulty, so avoid spending too long on any one question. Parts of the exam will be graded automatically by scanning the bubbles you fill in, so please do your best to fill them in somewhat completely. Don’t worry—if something goes wrong with the scanning, you’ll have a chance to correct it during the regrade period.
If you have a question, raise your hand, and when an instructor motions to you, come to them to ask the question.
Do not turn this page until your instructor tells you to do so.
Page 1 of 42
Problem 1 True/False (80 points) For each of the following, FILL IN THE BUBBLE next to True if the statement is correct, or next to False if it is not. Each correct answer is worth 4 points. Incorrect answers are worth 0 points. Answers left blank are worth 1 point.
(a) Thanks to strong cryptography, a TLS connection to your bank is secure even if their web server’s TCP/IP implementation has a buffer overflow vulnerability.
True False
(b) Thanks to strong cryptography, a TLS connection to your bank is secure even if your home router’s TCP/IP implementation has a buffer overflow vulnerability.
True False
Solution: False. TLS secures communication between you and your bank so that nobody except you and the bank can read or modify messages sent in the connection. However, TLS does not secure the bank’s server. If the bank’s server is vulnerable, someone can hack into the bank and read or modify your communications.
Solution: True. A key property of TLS is how it provides end-to-end security: two systems can communicate using TLS without having to trust any of the intermediaries that forward their traffic. Thus, even if an attacker completely pwns your home router, the worst they can do to you is deny you service to your bank.
Note that this answer is different from the last question because the home router is not one of the ends in the end-to-end secure communication. The two ends are your computer/browser and the bank server.
(c) To protect against Kaminsky blind spoofing attacks requires servers to implement a new version of the DNS protocol.
True False
(d) Using DNSSEC to resolve example.com guarantees authenticity and integrity on subsequent HTTP connections to example.com, but not confidentiality.
True False
Solution: False. There is no new version of the DNS protocol that defends against the Kaminsky attack. (DNSSEC does defend against the Kaminsky attack, but it’s more like a variation of the DNS protocol than a new version of DNS.)
Final Exam
Page 2 of 42 CS 161 – SP 17
Solution: False. DNSSEC provides authenticity and integrity for DNS results, but not for any subsequent use of those results. The subsequent connections will have to achieve security separately, such as by using TLS.
In other words, DNSSEC helps you be confident that you have the right IP address of example.com, but it does not help secure any actual communication with example.com.
(e) A properly configured firewall can prevent any DDoS attack from disrupting the ability of remote users to access your network.
True False
(f) Using a prepared statement to feed user input to an SQL query ensures that nothing the user enters will be treated as an SQL command.
True False
(g) VPN can enable you to safely connect to your company when using an untrusted public WiFi network.
True False
(h) When configuring a firewall, it’s safer to use a whitelisting approach than it is to use a blacklisting approach.
True False
Solution: False. A firewall has limited computational resources, and a DDoS attack could overwhelm the firewall.
Solution: True. Prepared statements (parameterized SQL) pre-compiles a query before substituting user input, so nothing the user enters will be inter- preted as SQL syntax.
Solution: True. Recall that with a VPN, you encrypt your requests and send them to the VPN, who decrypts them and forwards them to the company for you. The VPN then encrypts the company’s reply and sends it back to you. Even if you’re on an untrusted wifi network, your communications with the company will be safely encrypted.
Final Exam
Page 3 of 42 CS 161 – SP 17
Solution: True. Whitelisting is default-deny, so any unspecified or unfamiliar input will be rejected by default. This is safer than blacklisting, which is default-
Final Exam
Page 4 of 42 CS 161 – SP 17
allow and would allow any unspecified or unfamiliar input.
(i) A malicious website can execute a successful clickjacking attack even if the victim website uses HTTPS and the user’s browser correctly implements the same origin policy.
True False
Solution: True. HTTPS defends against network attackers and secures com- munications between the victim and the malicious website, but it does not defend against the malicious website sending malicious data to the victim. The same-origin policy prevents two different websites from communicating with each other, but in this scenario, there’s only one relevant website (the malicious website).
As an example, the malicious website might be a file downloading website that has a legitimate download button and a second, larger, more visible fake down- load button. If the user clicks on the fake download button, the clickjacking attack has been executed, and HTTPS and the same-origin policy did not defend against the attack.
(j) A secure hash function will not produce any collisions.
True False
Solution: False. Hashes map infinitely many input to finitely many outputs– any arbitrary-length string can be hashed, but the output is restricted to the finite space of fixed-length strings. Since the input space is larger than the output space, the hash function must produce collisions. (Think pigeonhole principle.)
A secure hash function instead has the guarantee that it is computationally infeasible to find a collision. The collisions exist, but it’s impossible to find one in any reasonable amount of time.
(k) Recall that secure-cookies are cookies which the browser will only transmit over HTTPS connection. Using HTTPS and secure-cookies is one way to prevent click- jacking attacks.
True False
Solution: False. As explained above, HTTPS does not defend against click- jacking attacks. Clickjacking does not necessarily need cookies to succeed, so secure cookies aren’t a defense against clickjacking. The scenario above (fake
download button) doesn’t involve cookies at all, for example.
(l) SupposeAlicehassignedupfortext-messagetwofactorauthenticationonbank.com. If bank.com randomly generates a long number (e.g., a 16-digit number) for its 2FA codes and an attacker doesn’t hijack Alice’s phone number, then Alice’s bank.com account is secure against phishing attacks.
True False
Solution: False. Consider the following attack: Alice clicks on a malicious website impersonating bank.com and types her password into the website. The attacker opens the real bank.com and enters Alice’s password. The legitimate website will send Alice a code in response to the attacker’s login request. At the same time, the malicious website now asks Alice to enter her 2FA code. Alice sees the code on her phone and enters it into the malicious website. The attacker now has Alice’s code and can enter it into the real bank.com, completing the login as Alice.
(m) For AES-CBC encryption, the IV does not need to be kept secret.
True False
(n) For AES-CTR encryption, the IV does not need to be kept secret.
True False
(o) If all messages are the same length and a message is never repeated, then it is secure to re-use the same one-time-pad for encryption.
True False
(p) To securely store user passwords, a server should use AES to encrypt each user’s password and only store the ciphertexts in its database.
Solution: True. The IV is sent in plaintext as part of the ciphertext.
Solution: True. The IV is sent in plaintext as part of the ciphertext.
Solution: False. Reusing the one-time pad leaks information. For example, consider pad k and two messages m1 and m2 that are the same length and never repeated. If the attacker sees the encryption of the two messages with the same key, m1 ⊕k and m2 ⊕k, then they can deduce the XOR of the two messages: (m1 ⊕k)⊕(m2 ⊕k)=m1 ⊕m2.
Final Exam Page 5 of 42 CS 161 – SP 17
True False
Solution: False. AES (without any chaining mode) is deterministic, so an attacker can see if two users have the same password (the resulting ciphertext will the same). AES also only supports fixed-length inputs, so it would not be very useful unless the website forced passwords to be exactly a certain number of characters long.
Password hashing (with random salts) is a better solution for securely storing user passwords.
(q) If Website A loads a website from another domain (Website B) inside of an iframe, the same origin policy prevents Javascript from Website A from accessing any of the other website’s content in the iframe.
True False
(r) A certificate authority that issues a TLS certificate for example.com can also pas- sively decrypt TLS traffic to example.com.
True False
(s) Consider a worm that spreads by each infected instance uniform randomly selecting a 32-bit IP address. We would expect the worm to initially spread exponentially fast, but then slow down its spread during the later part of its propagation.
True False
Solution: The certificate authority only knows example.com’s public key, not its private key, which it would need for passive decryption. A certificate binds a public key to an identity (in this case the domain name example.com).
Solution: True. The initial exponential spread is because the increased num- ber of infected computers also means more computers are working to infect other computers. (The first computer infects 2 other computers. Then these 2 computers each infect 2 more computers. Then these 4 computers each infect 2 other computers, and so on.)
The worm later slows down because it runs out of computers to infect, so the rate of new computers getting infected (and spreading the infection) decreases.
Final Exam
Page 6 of 42 CS 161 – SP 17
Solution: True. Website A and Website B have different origins, so by the same-origin policy, the inner and outer frames cannot access each other.
(t) The Slammer worm spread extra-fast because each infected instance of the worm kept increasing its scanning speed.
True False
Solution: False. The Slammer worm was extra-fast because the malicious code of the worm was extremely small. The entire worm fit in one UDP packet, so it took only a single UDP packet transmission to infect another computer.
Final Exam
Page 7 of 42 CS 161 – SP 17
Problem 2 Multiple Choice (74 points)
(a) (6 points) Suppose an attacker steals the private key of a website that uses TLS, and remains undetected. What can the attacker do using the private key? LL that apply.
Decrypt recorded past TLS sessions that used RSA key exchange.
Successfully perform a MITM attack on future TLS sessions.
Decrypt recorded past TLS sessions that used Diffie–Hellman key ex- change.
None of these.
Solution: RSA TLS does not have forward secrecy, so an attacker who steals the private key can decrypt recorded past RSA TLS sessions. (The attacker uses the private key to decrypt the premaster secret sent over the handshake. Then they use the decrypted premaster secret and the two random nonces sent over the handshake to derive the symmetric keys. Then they can use the symmetric keys to decrypt communications.)
Diffie- LS does have forward secrecy, so an attacker who steals the private key cannot decrypt recorded past Diffie- LS sessions. (The premaster secret gab mod p is never sent over the handshake in Diffie- LS. Only ga mod p and gb mod p are sent, and an attacker who knows the private key and those two values cannot learn the premaster secret because the discrete log problem is hard.)
The attacker can perform a MITM attack on future TLS sessions. In RSA TLS, the attacker decrypts the premaster secret as it’s sent over the handshake, as described above. In Diffie- LS, the attacker performs a Diffie- ITM to force both the client and server to derive premaster secrets that the attacker knows. In both cases, the attacker now knows the premaster secret and can use it with the nonces (sent in plaintext over the handshake) to derive the symmetric keys. With the symmetric keys, the attacker can decrypt and modify communications.
(b) (6 points) DNSSEC provides which of the following security properties for DNS responses? LL that apply.
Final Exam
Page 8 of 42
CS 161 – SP 17
Confidentiality Integrity
None of these
Authentication Availability
Solution: DNSSEC provides integrity and authenticity on responses because it signs all DNS records. (Recall that signatures provide integrity and authen- ticity.)
DNSSEC does not provide confidentiality because it does not encrypt DNS records. (DNS records are public information anyway, so confidentiality isn’t needed.)
DNSSEC does not provide availability. A MITM attacker could always drop packets, and there’s nothing DNSSEC can do to defend against that.
(c) (8 points) “Mixing program control and user data” is a class of vulnerabilities where a program/application accidentally treats user input as code and executes it. Which of the following attacks exploit this class of vulnerabilities? LL that apply.
Buffer overflows CSRF
SQL Injection None of these
Stored XSS Reflected XSS Clickjacking
Solution: In buffer overflows, user input is treated as C code. In SQL injection, user input is treated as SQL code. In XSS (both types), user input is treated as JavaScript code.
In CSRF, the attacker tricks the victim into making a malicious request with the user’s cookies attached. User input isn’t ever treated as code during the attack.
In clickjacking, the attacker tricks the victim into clicking an unintended link or button. User input isn’t ever treated as code during the attack.
(d) (6 points) To verify that she is visiting the correct website, Alice is told to make sure to check that the URL in the browser’s address bar is the URL she actually wants to visit. Which of the following statements are true? LL of the following statements that apply.
Of relevance for this situation is the principle of Least Privilege
Of relevance for this situation is the principle of Consider Human Factors
This will help Alice defend herself against CSRF attacks
This will help Alice defend herself against some DNS spoofing attacks
Final Exam Page 9 of 42
CS 161 – SP 17
This will help Alice defend herself None of these against some phishing attacks
Solution: The relevant security principle is considering human factors–visiting URLs like g00gle.com that are maliciously designed to look like legitimate URLs is a human mistake. Least privilege is not relevant, because Alice isn’t given any special privileges in this scenario.
Checking the URL carefully prevents against phishing attacks, where the at- tacker tries to impersonate a legitimate website (possibly by using a similar URL).
Checking the URL does not directly prevent CSRF attacks. It can help defend against some CSRF attacks (because they often require the victim to visit an attacker’s website to generate the forged request), but it does not prevent the main vulnerability of CSRF attacks, which is that the server can’t distinguish between legitimate and forged requests from the victim.
DNS spoofing is a networking attack and is unrelated to carefully checking URLs (a web security defense).
(e) (6 points) Alice is trying to visit maps.google.com and neither her machine nor her local resolver have any entries in their DNS caches. In the following, assume that google.com subdomains use HTTPS and are on the predefined HSTS (HTTP Strict Transport Security) list in Alice’s browser. You do not need to worry about attacks on availability, nor attacks based on stealing private keys, malware infections, or obtaining a fraudulent google.com certificate. LL that apply.
Final Exam
Page 10 of 42
CS 161 – SP 17
For DNSSEC to work securely, the root and .com zones will need to sign their NS and glue/additional records.
For DNSSEC to work securely, the root and .com zones will need to en- crypt their NS and glue/additional records.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against DNS spoofing attacks.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against MITM attacks.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against ssl-strip attacks.
None of these apply.
Solution: Many students found this problem difficult.
DNSSEC does not protect NS and glue/additional records in any manner. It doesn’t need to because its focus is on assuring the correctness of the final result (i.e., object security), not how the client gets the result.
The presence on the HSTS list means that the visit to maps.google.com will definitely occur using HTTPS. Given that, no DNS spoofing attack can fool Alice into visiting a different site unless the attacker has obtained a fraudulent certificate (which is ruled out in the framing of the problem).
Similarly, the guaranteed use of HTTPS secures the Alice’s visit against MITM attacks.
Finally, ssl-strip attacks rely on the user’s visit initially using HTTP rather than HTTPS. The use of HSTS will prevent such an initial visit from occurring.
Note on object security (compared to channel security):
Channel security: secure the letter while it is in transit between post offices (but not while it is stored)
Object security: the letter has a digital signature to make sure it hasn’t been modified (either in transit or in storage)
Depending on how it’s used, signing/verifying helps with both defending against tampering while the data is in transit along a network link and tampering while the data is stored or processed on a particular machine. The signing/verifying procedure from the crypto section ensures some channel security because no one can tamper with the message without being detected (though you need some more encryption to guarantee confidentiality), as well as protection against modification while the data is in storage because you can use Alice’s public key to verify that the message is actually from Alice. This didn’t quite give us full object security in DNSSEC because we couldn’t verify Alice’s public key in the first place, which is why we create a chain of trust that ensures that the nameservers we’re talking to aren’t compromised and are providing the correct public keys.
Notice that if you only use channel security between each pair of post offices, and a letter goes through multiple post offices before reaching its destination, there are two threats: the letter might be tampered with while it is being processed (or stored) at a particular office, and one of the post offices might be malicious and might replace the letter with an entirely different letter. Channel security doesn’t protect against either of those threats. Object security does.
(f) (8 points) Gandalf is surfing the web and visits the URL http://gondor.berkeley.edu. Assume that neither his machine nor his local resolver have any entries in their DNS caches, and that berkeley.edu is the authoritative name server for all berkeley.edu
Final Exam Page 11 of 42 CS 161 – SP 17
subdomains. Assuming global deployment and use of DNSSEC, and that DNS zones use Key Signing Keys (KSKs) and Zone Signing Keys (ZSKs), which of the following are True? LL that apply.
Gandalf ’s machine can use the berkeley.edu KSK to encrypt the query it sends to the berkeley.edu DNS server.
berkeley.edu’s ZSK will be signed by the root’s KSK.
berkeley.edu’s ZSK will be signed by berkeley.edu’s KSK.
Gandalf ’s machine will receive a final A record for gondor. berkeley.edu that is signed with berkeley.edu’s ZSK.
Gandalf ’s machine will receive a fi- nal A record for gondor.berkeley. edu that is encrypted with a pub- lic key that Gandalf provides in his DNS query.
The final A record for gondor. berkeley.edu will have object secu- rity.
If zones correctly implement DNSSEC, then Gandalf is secure against a MITM attacker who at- tempts to modify content retrieved from the gondor.berkeley.edu web site.
Solution: Left column (top-to-bottom):
False. KSKs are only used to sign and verify values. They are never used to
encrypt values.
False. berkeley.edu’s ZSK is signed by berkeley.edu’s KSK, not the root’s KSK.
True. A given name server’s ZSK is always signed by that same name server’s own KSK.
True. The final A record for gondor.berkeley.edu comes from the berkeley.edu name server, and berkeley.edu uses its ZSK to sign anything that’s not a ZSK (including A records).
Right column (top-to-bottom):
False. Gandalf (the client) never provides a public key. In DNSSEC, the public keys are provided by the name servers.
True. We can be sure the A record itself (the object) has not been tampered with. See the previous subpart for a definition of object security.
False. DNSSEC guarantees that Gandalf has gotten the correct IP address for gondor.berkeley.edu. However, it does not secure communications be- tween Gandalf and gondor.berkeley.edu. For example, if Gandalf talks to
Final Exam
Page 12 of 42 CS 161 – SP 17
(g) (6 points) A border firewall’s primary purpose is ( NE):
Final Exam
Page 13 of 42
CS 161 – SP 17
gondor.berkeley.edu with HTTP (no HTTPS), the MITM could modify con- tent.
Block incoming VPN connections. Prevent CSRF attacks.
Detect buffer overflows.
Prevent XSS attacks.
Prevent a network intruder inside the network from spreading inter- nally.
None of these.
Solution: A border firewall’s primary purpose is to control which systems and which types of connections are allowed across the site’s border. It does not focus on attack detection; generally allows, rather than hinders, incoming VPN connections; and cannot contain a network intruder already inside the network from spreading internally, since that spread does not transit the site’s border.
(h) (8 points) Which of the following attacks might allow an attacker to steal one of your browser cookies ( LL that apply):
Reflected XSS Stored XSS Clickjacking None of these
Buffer overflow TLS downgrade DDoS
Solution: Both types of XSS allow the attacker to run JavaScript in your browser. JavaScript can access your cookies (assuming the HTTPonly attribute is not set) and steal them.
A buffer overflow would allow the attacker to execute arbitrary code on your machine. Depending on where the overflow is located, it may be able to access your cookies. For example, a buffer overflow in the implementation of your browser would probably be able to steal your cookies.
A TLS downgrade attack would cause you to use an outdated, possibly insecure version of TLS in your connection. This would let the attacker decrypt your TLS communications, which contains cookies.
A common mistake was to select Clickjacking. While clickjacking can cause user input (clicks or keystrokes) to go where the user did not intend it to go, these misdirections still result in HTTP requests that follow the usual rules regarding whether and which cookies to send.
DDoS attacks availability (e.g. makes some resource unavailable), but this doesn’t help the attacker steal cookies.
(i) (6 points) Alice and Bob want to communicate over an insecure channel using one of the following schemes, where M is the message in plaintext. Which scheme should they use in order to avoid padding oracle attacks? Assume that (1) all of the algorithms are secure, and (2) MAC and Sign do not leak anything about M. LL that apply.
Enc(M ), MAC(M ) Enc(M ), MAC(Enc(M )) Enc(M || MAC(M)) Enc(M),Sign(M)
None of these
Solution: Recall from Project 2 that in padding oracle attacks, the attacker modifies the ciphertext in some cleverly chosen fashion, asks the client to decrypt it, and then observes whether the decryption process caused an invalid-padding error. If the attacker can observe whether such an error occurred, then this leaks partial information; after repeating this many times, an attacker can piece together all of these clues to deduce what the original message must have been.
To defend against padding oracle attacks, the recipient must be able to verify the integrity of the ciphertext before decrypting it. That is, the MAC / signature must be computed over the ciphertext, and not the plaintext. Hence, only the option on the top right is correct; in the others, the integrity of the message can only be verified after decrypting the ciphertext.
(j) (6 points) Let S be a publicly available trusted service that knows the public keys of all users. Alice communicates with S to obtain Bob’s public key using the following protocol:
1. A−→S:A,B
2. S−→A:[KB,B]K−1
S
In step 1, Alice sends along her identity A and asks S for Bob’s public key. In step 2, S responds by returning Bob’s public key KB along with his identity B, and signs the message.
Which of the following attacks is this protocol vulnerable to? LL that
Final Exam Page 14 of 42 CS 161 – SP 17
apply.
Mallory can tamper with S’s re- sponse so as to substitute her own public key KM instead of KB.
Mallory can tamper with S’s re- sponse so as to substitute an older key KB′ that Bob might have re- voked.
Since S’s response is not encrypted, Mallory can use KB to decrypt any messages Alice sends to Bob in the future.
None of these.
Solution: Option 1 (upper left) doesn’t work because it requires Mallory to forge a signature on (KM , B).
Option 2 is a valid attack (assuming Mallory has recorded some the older value KB′ and its corresponding signature).
Option 3 (upper right) is factually incorrect – the public key KB is used for
encrypting messages, not decrypting messages. Mallory requires the private key
K−1 to decrypt the messages. B
(k) (8 points) For the same situation as in the previous question, which of the following modifications to step 2 would defend against the attacks that the protocol in that question is vulnerable to? LL that apply.
S −→ A : [KB,A,B]K−1 S −→ A : [KB,B,A,N]K−1, where SS
S −→ A : [KB,B,T]K−1 where T is a timestamp S
S−→A:[KB,T]K−1 where is a nonce randomly selected by S S −→ A : [KB,B,N]K−1, where N
S
is a nonce randomly selected by S None of these
timestamp
S
Solution: The server can prevent a replay attack by including a timestamp in its response, as in Option 2. Option 1 (upper left) does not prevent replays. Option 3 (lower left) doesn’t work because it doesn’t bind the public key to Bob’s identity; Mallory can request her own key from the server and then forward the message to Alice. Using a nonce instead of a timestamp in S’s response (Options 4 and 5) only works if A sends the nonce to S in step 1.
A student pointed out on Piazza that the problem asks for defending against attacks applicable to the protocol in the previous question, and Option 3 does
Final Exam
Page 15 of 42
CS 161 – SP 17
so, even though it’s flawed in a different way. We allowed full credit for answers that included Option 3 providing no other options (other than Option 1+2) were selected, and only the correct option was selected for the previous question.
Final Exam Page 16 of 42 CS 161 – SP 17
Problem 3 Bypassing ASLR (48 points) Mallory is trying to perform a return-to-libc attack on a simple stack buffer overflow vulnerability. She wants to overwrite the return address of the vulnerable function with the address of the system function, and pass it an arbitrary command argument. But the system she wants to attack has ASLR enabled, so &system (the address of system) is different every time.
Wanting to explore this further, Mallory writes the simple program:
#include
void main() {
printf(“system is at 0x%x\n”, &system);
}
She runs this five times, with ASLR enabled, and gets the following output:
system is at 0xbf9d7f14
system is at 0xbf9d7f99
system is at 0xbf9d7f88
system is at 0xbf9d7f36
system is at 0xbf9d7f08
(a) (16 points) She shouts “Eureka! It won’t work every time, but I can easily break this now!”. What did Mallory learn? How can she use it to successfully exploit the buffer overflow with a return-to-libc attack?
Solution: The implementation of ASLR has insufficient entropy — &system appears to have no more than one byte of randomness, so Mallory learned that just by repeatedly trying a manageable number of times, she can eventually luck upon the correct address of system.
Full credit required conveying the notion of exploiting repeated attempts to eventually make a correct guess.
(b) (8 points) What is the probability that Mallory will succeed if she has 1 chance to perform her return-to-libc attack?
Solution: If there is one byte of randomness, than the probability for a single attack to succeed is 1 . There might even be less randomness; in the output
256
Mallory saw, the high bit in the bottom byte of the address never varied, so the probability might be as much as 1 .
128
If the probability is 1 , then it will take Mallory an expected 128 tries to guess 256
correctly if her failed guesses do not cause re-randomization due to crash-and- restart; or an expected 256 tries if it does.
Final Exam Page 17 of 42 CS 161 – SP 17
(c) (24 points) Suppose Mallory is able to control the input (i.e. argv[1]) to the following silly backup program, written by programmers from (assume headers necessary for this code to compile have been included):
// Protect our data by making 2 copies!
void double_copy(char *data) {
char buf1[16];
char buf2[16];
strcpy(buf2, data);
strcpy(buf1, data);
}
int main(int argc, char *argv[]) {
// recall: argv[0] is the name of the program
if (argc != 2)
return -1;
double_copy(argv[1]);
}
Give an input that will cause “sudo rm -rf /” to be run on the victim machine with probability equal to what you answered in the previous part.
Use the following assumptions about the victim system:
1. It is an IA-32 platform with 4-byte words (recall it’s also little endian).
2. The stack is aligned at word granularity.
3. Local variables of each function are placed on the stack in the order they appear in the source code.
4. ASLR is enabled for the stack segment.
5. argv[1] == 0x07070707 will always evaluate to true.
Hint: # is the shell comment character.
You can use \x** (where the *s are replaced by hex digits) to represent a character in hexadecimal form. Fill in the answer below:
Solution: Note 1: the write to buf2 doesn’t matter for the purposes of this problem. Any overflow will be immediately rewritten by the write to buf1.
Note 2: we don’t use any 0 characters in our solution since these would be interpreted as NUL-terminators and cause the strcpy() to stop.
“sudo rm -rf / ##AAAA\x14\x7f\x9d\xbfDUMM\x07\x07\x07\x07”
Final Exam Page 18 of 42 CS 161 – SP 17
Fill the 16 byte buffer. Note the shell comment character # at the end so that subsequent bytes are ignored
sudo rm -rf / ##
Overwrite SFP in order to get to RIP (next line). AAAA
Guess at &system. (reversed to account for little endi- anness)
\x14\x7f\x9d\xbf
Dummy value in the stack position where a proper IA-32 call would have pushed $eip to become the stored $rip. The system function’s assembly code will ex- pect 4 bytes to proceed the arguments on the stack (by “proceed”, we mean appear in lower memory addresses). This is the address that system() will return to. For this attack, it doesn’t matter that the value is bogus since system() waits for the shell to finish executing, at which point Mallory has presumably completed her attack.
DUMM
Address of memory storing the attack string argument (argv[1]). This is what system() will read as its argu- ment.
\x07\x07\x07\x07
Getting this answer fully correct was quite difficult. We awarded partial credit for specifying various parts.
Final Exam Page 19 of 42 CS 161 – SP 17
Problem 4 Attacks on TLS (72 points)
Recall the TLS protocol, depicted in the figure below. We use the following notation:
{M}K denotes a message M encrypted using the key K. [M]−1 denotes a message M
along with a signature over M using the key K−1.
Client
Server
K
1. Client sends a 256-bit random number Rb and supported cipher suites C
2. Server sends a 256-bit random number Rs and chosen cipher suite Cser
3. Server sends certificate
4. DH: Server sends [g, p, ga mod p]K−1 server
5. Server signals end of handshake
6. DH: Client sends gb mod p
RSA: Client sends {P S}Kserver
Client and server derive cipher keys Cb,Cs andintegritykeysIb,Is fromRb,Rs,PS
7. Client sends MAC(dialog, Ib) 8. Server sends MAC(dialog, Is)
9. Client data takes the form {M1, MAC(M1, Ib)}Cb 10. Server data takes the form {M2, MAC(M2, Is)}Cs
Figure 1: TLS 1.2 Key Exchange
(a) (24 points) Suppose the client and server use RSA to exchange the premaster secret. Mallory intercepts the ClientKeyExchange message and replaces PS with a fake value PS′. Assume that Mallory can modify the messages after ClientKeyExchange as well, if required. Which of the following are true? LL that apply.
Final Exam
Page 20 of 42
CS 161 – SP 17
Mallory will be able to decrypt the application data sent by the client to the server.
Mallory will be able to decrypt the application data sent by the server to the client.
The server will detect the tampering when it receives ClientKeyExchange.
Mallory can avoid detection until the server receives Finished from the client, at which point she’ll be detected.
Mallory can avoid detection until the client receives Finished from the server, at which point she’ll be detected.
None of these
2 ServerHello
3 Certificate
4 ServerKeyExchange
5 ServerHelloDone
8 ChangeCipherSpec, Finished
10 Application Data
1 ClientHello
6 ClientKeyExchange
7 ChangeCipherSpec, Finished
9 Application Data
Solution: Mallory can pick an arbitrary PS′, encrypt it with the server’s pub- lic key to obtain a valid ciphertext {P S′}Kserver , and replace {P S}Kserver with {PS′}Kserver in ClientKeyExchange. The server will be unable to detect the tampering, and Option 3 (lower left) is therefore incorrect.
MallorycanthenobtainthesymmetrickeysCb′,Cs′,Ib′,Is′ asderivedbytheserver from PS′. She can use Ib′ to forge a valid MAC over the modified dialog in Step 7 and avoid detection by the server. Option 4 (upper right) is therefore incorrect.
However, Mallory will still be unable to obtain the keys Cb, Cs, Ib, Is as derived by the client, since she does not know the value of PS. In Step 8, the server will send the client a MAC over the dialog using the fake key Is′. In order to avoid detection, Mallory would need to re-compute this MAC using the key Is as expected by the client. She will be unable to do so (since she does not know Is), and will necessarily be detected (Option 5).
Once the client detects the tampering, it will terminate the handshake. Op- tions 1 and 2 (top and middle left) are therefore incorrect as well. Of the two of these, Option 2 is better than Option 1. Mallory is trying to get the server to accept a bogus PS, which would allow Mallory to know what keys the server uses, and therefore to potentially decrypt the data it sends. But Mallory has no way to change the client’s view of PS, nor to recover the original PS, so even if Mallory’s subterfuge goes undetected, she has no way to read data that the client sends. Therefore, answers that included Option 1 received no credit. Answers that included Option 2 but not Option 1 potentially received some partial credit, depending on which other options were selected.
(b) Now suppose the client and server use Diffie-Hellman for exchanging the premaster secret. Mallory wants to decrypt the data sent by the server to the client by downgrading the cipher suites. She doesn’t care about the data sent by the client to the server. If the server always picks the strongest cipher suite and parameters available, specify whether Mallory’s attack will succeed in the following scenarios (Yes/No).
If yes, then list the handshake messages Mallory will need to necessarily modify. If not, explain why.
Assume that unless specified, all cryptographic algorithms supported by the client and server are secure.
i. (12 points) Suppose the client and server support 3DES in addition to AES. Mallory is aware of an attack on 3DES that allows her to learn any message encrypted using it. She therefore wishes to force the client and server to use 3DES instead of AES as the encryption algorithm.
Final Exam Page 21 of 42 CS 161 – SP 17
Solution: No. Mallory will still be unable to learn the master secret, and hence will not be able to forge the MAC over the dialog. She will thus get detected.
ii. (12 points) Suppose the client and server support a weak variant of Diffie- Hellman (DHweak). Mallory is aware of an attack on DHweak that allows her to learn the exchanged secret. She therefore wishes to force the client and server to use DHweak instead of standard Diffie-Hellman.
(c) (24 points) Recall that ClientHello contains a nonce Rb, along with C, the cipher suites supported by the client. ServerHello contains a nonce Rs along with Cser, the cipher suite chosen by the server. Which of the following modifications to the TLS protocol would prevent Mallory from conducting any downgrade attacks on the cipher suites? LL that apply.
Solution: Yes. Mallory needs to modify ClientHello + both Finished mes- sages. Since she can extract the exchanged secret, she can derive the in- tegrity keys necessary to modify the MACs.
ServerKeyExchange includes [Rb]K−1 , [C]K−1
server server
ServerKeyExchange includes [Rb, C]K−1 server
ServerKeyExchange includes [C]K−1 server
ServerKeyExchange includes [Cser]K−1 server
ServerKeyExchange includes [C]K−1 , [Cser]K−1
server server
ServerKeyExchange includes [C || Cser] −1
ServerKeyExchange includes [Rb || C || Cser] −1
Kserver None of these
Kserver
Solution: The attack won’t work if the client can verify that the cipher suites C received by the server were altered by Mallory. To this end, the server can send the client a signature over C after binding it with Cser (as in Options 6 and 7). The client can then verify the signature, validate C, and be assured that the server chose Cser after receiving the correct cipher suites. (Including Rb as in Option 7 is unnecessary, but doesn’t cause any problems.)
Options 1, 2 and 3 (lefthand column) don’t work because Mallory can obtain the necessary signature by launching her own separate TLS session with the server and sending C in the ClientHello message. Including Rb in the signature doesn’t help because Mallory can still MITM the connection as follows:
1. Pause the client’s ClientHello message
2. Launch a separate TLS session using the client’s Rb and C, obtaining a valid signature over these
Final Exam
Page 22 of 42
CS 161 – SP 17
3. Resume the client’s ClientHello after downgrading C to C′
4. Replace the server’s signature over C′ and Rb using the one obtained in (2). Option 4 (lower left) doesn’t contain a signature over C, so the client can’t tell
that the server never received the client’s original cipher suite offerings.
Option 5 (upper right) doesn’t work because it contains separate signatures over C and Cser, allowing Mallory to selectively replace the signature over C, as described above.
Problem 5 Software vulnerability (64 points) Here is a fragment of Python source code for a fictitious email-based spell-checker service:
def process_incoming_email(msg):
return_addr = msg.get(“From”)
search_term = msg.get(“Subject”)
status = os.system(“fgrep ” + search_term + ” /usr/share/dict/words”)
if status == 0: # exit code 0 means success
response = “The word ” + search_term + ” is spelled right!”
else:
response = “Sorry, ” + search_term + ” is not a word.”
send_response(return_addr, response)
In this service, users submit a word to check as the Subject: header field of an email. For example:
To:
From:
Subject: phenommenon
The process incoming email function is responsible for checking the spelling of the word, generating an appropriate response message, and sending the response back to the original sender via email. The function works by extracting a search term from the Subject header field, then using the fgrep command to search for the term in /usr/share/dict/words, a file containing a list of English words. The fgrep command searches a file for a fixed text pattern; its syntax is ‘fgrep pattern filename ’.
os.system is a Python function that accepts a single string and executes the string using the command shell. It works the same as the C system() library routine that we discussed in lecture.
(a) (16 points) The process incoming email function has a vulnerability. What email Subject: could you send that would cause the server to pause for 10 seconds before replying?
Subject:
Final Exam Page 23 of 42 CS 161 – SP 17
Solution: There are several possibilities. Here are some examples (the last two only work if the shell used is Bash):
Subject: ; sleep 10; fgrep word
Subject: word /dev/null; sleep 10; echo
Subject: & sleep 10 #
Subject: $(sleep 10)
We accepted various ways of running a delay, like sleep 10, wait 10, and sleep(10) (even though the parentheses are shell metacharacters and wouldn’t actually work in a shell command). We also accepted // and — as comment markers in place of #.
We show what command each of these Subject: lines will run. The general theme is to first do something that escapes the context of the fgrep command, and at the end do something to take care of the /usr/share/dict/words that will be appended.
fgrep & sleep 10 # /usr/share/dict/words
fgrep is immediately put into the background with ‘&’ and ignored. The sleep command runs, then ‘#’ starts a comment that continues to the end of the line.
fgrep ; sleep 10; fgrep word /usr/share/dict/words
The ‘;’ ends the fgrep command. Running fgrep without arguments is an error, but the error is ignored and the shell next runs the sleep command. Theinjectedfgrep wordcombineswiththecode’s/usr/share/dict/words to finish with a valid command, as if the user had done a request for ‘word’.
fgrep word /dev/null; sleep 10; echo /usr/share/dict/words
The first fgrep command searches /dev/null, a pseudo-file with no con- tents (basically turning the fgrep into a no-op. The echo command at the end harmlessly consumes the terminating filename.
fgrep $(sleep 10) /usr/share/dict/words
The $(…) syntax spawns a new subshell and substitutes the result of the subcommand into the top-level command line. You can also write it using backquotes: `sleep 10`. Because sleep does not produce any output, the command will first sleep for 10 seconds, then run the command fgrep /usr/share/dict/words.
(b) (16 points) What email Subject: could you send that would tell you whether or not there is a user called dbadmin on the spellcheck server? The list of users is stored in the file /etc/passwd.
Subject:
Final Exam Page 24 of 42 CS 161 – SP 17
Solution:
Subject: dbadmin /etc/passwd #
The above search term will cause process incoming email to build this com-
mand:
fgrep dbadmin /etc/passwd # /usr/share/dict/words
Instead of searching /usr/share/dict/words, fgrep will search /etc/passwd. The ‘#’ turns the /usr/share/dict/words at the end of the command into a comment. The exit code of fgrep will reflect whether the search term dbadmin was found in /etc/passwd. If dbadmin was found, the email reply will be
The word dbadmin /etc/passwd # is spelled right! If dbadmin was not found, the email reply will be
Sorry, dbadmin /etc/passwd # is not a word.
Some ideas that do not work completely:
dbadmin /etc/passwd; cd
This doesn’t work because the return value of os.system is the return value of the last command. Putting a cd (or other command) at the end will cause the return value of os.system to reflect that command, not fgrep dbadmin /etc/passwd.
dbadmin /etc/passwd;
This doesn’t work because the /usr/share/dict/words that gets ap- pended will be interpreted as a command name by the shell. Because the file is not executable, trying to execute it will always result in a nonzero exit status.
The slight variant dbadmin /etc/passwd (no semicolon at the end) actu- ally does work, because the /usr/share/dict/words that gets appended will be interpreted as an additional filename argument to fgrep, not a separate command. The search will work correctly as long as dbadmin is not present in /usr/share/dict/words.
(c) (32 points) State one way that you could fix the vulnerability? (If you name more than one, we will only grade the first.)
Solution: Possible solutions:
• Use subprocess.Popen in place of os.system. (Or some other API that allows you to specify a vector of command arguments, rather than a shell string.)
Final Exam Page 25 of 42 CS 161 – SP 17
• Carefully escape search term to remove shell metacharacters. (This is tricky because it requires detailed knowledge of how the shell will interpret each character.)
• Implement the search in Python rather than using a fgrep subprocess.
Problem 6 Coffee Shop Worries (54 points) Alice and Bob just arrived at Brewed Awakening, the local coffee shop. Eve is already there, enjoying a cup of tea.
(a) (6 points) Alice wants to connect to Brewed Awakening’s WiFi network. Under which protocols would her connections be safe from sniffing attacks by other coffee shop visitors, such as Eve? Mark all that apply.
WEP WPA2 – Enterprise mode WPA2 – Personal mode None of these
(b) (24 points) Turns out that Brewed Awakening’s network has no encryption. Al- ice warns Bob that its not safe to use this connection, but Bob disagrees. Bob connects to the WiFi, and tests that he has Internet connectivity by going to https://kewlsocialnet.com. It loads without issues. Bob says the Alice: “See, no problem! That access was totally safe!”
If Bob is correct and the access to kewlsocialnet.com was safe, explain why he is correct. If he is not correct, provide a network attack against Bob.
Answer:
Solution: Only “WPA2 – Enterprise mode” provides per-connection secret keys with the WiFi access point to secure each connection separately.
Solution: Bob is correct.
Bob is visiting an HTTPS website, which uses TLS to provide an end-to-end secure channel. As Bob’s browser did not encounter any certificate warnings, then unless there’s been a CA breach or some other CA issue, the network connection has confidentiality, authentication, and integrity.
We allowed full credit for solutions that specified that Bob was incorrect and provided a valid approach for undermining his HTTPS connection to the site, including the threat of obtaining fraudulent certs from misbehaving CAs.
We allowed only partial credit for solutions that framed attacks that would work in the situation if TLS did not provide all of the strong security properties that it
Final Exam Page 26 of 42 CS 161 – SP 17
does. These solutions received more credit if they clearly stated that the attack is relevant for Bob’s subsequent connections, rather than his test connection. These solutions received less credit if they were simply stating that because the WiFi network is unencrypted, an attacker could read Bob’s private information, since use of HTTPS prevents that.
(c) (24 points) Now that he has tested his WiFi access, Bob then tells Alice: “I want to buy that last muffin at the counter. Let me check if I have enough money in my bank account.” Eve hears this and panics! She wants the last muffin too but is waiting for her friend Mallory to bring enough cash to buy it. She is now determined to somehow stop Bob from buying that last muffin by preventing him from checking his bank account. Through the corner of her eye, Eve sees Bob start to type https://bank.com in his browser URL bar . . .
Describe two network attacks Eve can do to prevent Bob from checking his bank account. For each attack, describe clearly in one or two sentences how Eve performs the attack.
Attack #1:
Attack #2:
Solution:
Note that Eve cannot do an ARP or DHCP spoofing attack as Bob has already connected to the WiFi network, so already knows the IP and hardware addresses of the local network’s gateway and DNS resolver. (This assumes that extraneous ARPs are not accepted by Bob’s system. ARP spoofing is a viable answer for this problem if accompanied by specific mention of this consideration.)
1. TCP RST injection attack — Eve can sniff Bob’s transmitted (and re- ceived) packets, so she can observe the sequence numbers of TCP packets. Thus, Eve can send a valid TCP RST packet to Bob’s browser (or to the bank website), re