
King’s College London
This paper is part of an examination of the College counting towards the award of a degree. Examinations are governed by the College Regulations under the authority of the Academic Board.

Examination Period: August 2020 (Period 3)
Module Code: 7CCSMSEN
Module Title: Security Engineering
Format of Examination: Written questions
Start time: 1pm BST 26 August 2020
Time Allowed: ONE AND A HALF hours

Instructions: You are permitted to access any materials you wish, but this is not mandated and is not expected. You may use a calculator if you find this helpful.

Rubric: ANSWER THREE OF FOUR QUESTIONS.
All questions carry equal marks. If more than three questions are answered, the three answers with highest marks will count.
The rubric for this paper must be followed and extra answers should not be submitted. For answers that are handwritten, write with blue/black ink on light coloured paper. Include the Module code, question number and student number on every page to be submitted. For answers that are typed, use the template provided.

Submission Deadline: 2.30pm (BST) 26 August 2020
Submission Process: Work must be submitted to the level 7 Informatics Assessments KEATS page.
Your work must be submitted as a PDF file. If you have prepared some answers on computer, and some on paper (which have then been digitised), you may upload at most two PDF files – one for computer-prepared answers, one for digitised answers. Do not duplicate answers across the two PDFs – if you do this, the computer-prepared answer will be taken. You should check that your work displays correctly after it has been uploaded.
ACADEMIC HONESTY AND INTEGRITY
Students at King’s are part of an academic community that values trust, fairness and respect and actively encourages students to act with honesty and integrity. It is a College policy that students take responsibility for their work and comply with the university’s standards and requirements. Online proctoring / invigilation will not be used for our online assessments. By submitting their answers students will be confirming that the work submitted is completely their own. Misconduct regulations remain in place during this period and students can familiarise themselves with the procedures on the College website.
Important: Students should copy out the following statement and include it with their submission for each examination:
I agree to abide by the expectations as to my conduct, as described in the academic honesty and integrity statement.
 2020 King’s College London

August 2020 7CCSMSEN (AY1920) – online exam
1. Consider the following C code fragment:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int foobar(char *arg);

    int
    main(int argc, char **argv)
    {
        int n = 0;

        if (argc > 1)
            n = foobar(argv[1]);

        if (n)
            printf("Hello: %s (%d)\n", argv[1], n);
        exit(n);
    }

    int
    foobar(char *arg)
    {
        char msg[512] = { 0, };

        strcat(msg, "Hello: ");
        snprintf(msg + strlen("Hello: "),
                 sizeof(msg) - strlen("Hello: ") - 1, arg);
        return strlen(msg);
    }
a. Give a thorough description of the program’s vulnerability. In particular, name the vulnerability (1 mark) and provide a detailed overview of its exploitation (3 marks). Then, identify and explain thoroughly all the components that are involved in the exploit (4 marks). [8 marks]
b. How would an attacker exploit the vulnerability? Hint: describe in detail what the injection vector would look like (and what retaddr and retloc the attacker may use). Use symbolic values and addresses when needed (no need to write down the shellcode). [10 marks]
c. Would StackGuard or a bounds checker mitigate the vulnerability (1 mark)? Explain clearly the reasons (4 marks). [5 marks]
d. How can the program be fixed? [2 marks]
2. Secure software development requires security engineering to fit into all the phases of the software development process.
a. In which way does security engineering fit into requirements, design, implementation, and testing/assurance? Motivate your answer. [7]
b. What is a threat model and why is it important? [4]
c. Consider Leslie Lamport’s Gold Standard.
i. What is it? [2]
ii. Explain each element of Lamport’s Gold Standard. [12]
3. Static analysis is a program analysis technique to analyze a program’s code without running it.
a. List 2 of the benefits static analysis provides. [2]
b. List 3 of the drawbacks static analysis provides. [3]
c. What impact on the software development process does static analysis have? [4]
d. What does it mean when a static analysis is sound? [2]
e. What does it mean when a static analysis is complete? [2]
f. Consider a taint flow analysis as we have discussed in class. Consider the following code snippet:

    int printf(untainted char *fmt, ...);
    tainted char *fgets(...);

    char *name = fgets(..., network_fd);
    char *x = name;
    printf(x);

Let us assume we are interested in an analysis that identifies no tainted data flows (where untainted < tainted in a lattice). Given the initial taint source and untainted sink:
i. Create a name for each missing type qualifier, assuming a flow-/path-/context-insensitive analysis. [2]
ii. For each statement in the program, generate constraints on possible solutions, assuming a flow-/path-/context-insensitive analysis. [3]
iii. Solve the constraints to produce solutions for the type qualifiers identified earlier (1 mark) and state whether the resulting flow is legal or illegal (1 mark). As above, assume a flow-/path-/context-insensitive analysis. [2]
g. Consider a taint flow analysis as we have discussed in class. Consider the following code snippet:

    int printf(untainted char *fmt, ...);
    tainted char *fgets(...);

    char *name = fgets(..., network_fd);
    char *x;
    x = name;
    x = "hello!";
    printf(x);

Let us assume we are interested in an analysis that identifies no tainted data flows (where untainted < tainted in a lattice). Given the initial taint source and untainted sink:
i. Show how the program would be changed if we carried out a flow-sensitive static analysis, assuming a flow-sensitive and path-/context-insensitive analysis. [1]
ii. Create a name for each missing type qualifier, assuming a flow-sensitive and path-/context-insensitive analysis. [1]
iii. For each statement in the program, generate constraints on possible solutions, assuming a flow-sensitive and path-/context-insensitive analysis. [1]
iv. Solve the constraints to produce solutions for the type qualifiers identified earlier (1 mark) and state whether the resulting flow is legal or illegal (1 mark). As above, assume a flow-sensitive and path-/context-insensitive analysis. [2]

4. Consider the following C code fragment, which makes use of the strcpy version that truncates a copy after n bytes (i.e., strncpy):

    #include <string.h>

    int foo(char *arg);

    int
    main(int argc, char **argv)
    {
        if (argv[1])
            return foo(argv[1]);
    }

    int foo(char *arg)
    {
        char bar[512];

        if (sizeof(arg) < 512)
            strcpy(bar, arg);

        return strlen(bar);
    }

a. Does the program suffer from a memory corruption vulnerability? If not, explain the reasons. If yes, is it possible to successfully exploit this vulnerability? In other words, is it possible to provide specific input to such a program to take advantage of its vulnerability and thus execute arbitrary code (for instance, spawning a shell), on x86-32 architectures? If yes, explain how you would exploit it (high-level steps). If not, explain why and what you would change in the code to make it exploitable. [5 marks]
b. Assuming that the above code is vulnerable (or can be modified to become vulnerable) and that the vulnerability can be successfully exploited (or can be modified to be exploited), then consider the following x86 assembly code fragment, which may be used to exploit the previous vulnerability:

    int
    main(void)
    {

        __asm__(
            "jmp ahead\n"
            "back:\n"
            "    popl %ebx\n"
            "    movl %ebx, 0x8(%ebx)\n"
            "    xorl %eax, %eax\n"
            "    movb %al, 0x7(%ebx)\n"
            "    movl %eax, 0xc(%ebx)\n"
            "    movl %eax, %edx\n"
            "    movl $0xb, %eax\n"
            "    leal 0xc(%ebx), %ecx\n"
            "    int $0x80\n"
            "ahead:\n"
            "    call back\n"
            "    .string \"/bin/sh\""
        );
    }

i. Assuming the above assembly snippet (shown in Question 4 (b)) will be placed on the stack, what does the assembly code do?
Add comments to each line and draw the stack layout before and after the considered instruction is executed. Note: you should clearly point out the direction the stack is growing towards. [12 marks]
ii. An attacker creates a suitable injection vector to exploit the aforementioned memory error. To this end, he places the shellcode in the injection vector, pads it with his initials so as to create a message long enough to overflow lbuf; then the attacker adds the appropriate address at the right place and terminates the message with a NULL ('\0'). In other words, the injection vector looks as follows:

    +-----------------+---------------------+------------+----+
    | shellcode       | lclclc ... lclclclc | 0xbfff1234 | \0 |
    +-----------------+---------------------+------------+----+

Next, he runs the program giving this injection vector to it as its first argument. To his surprise, the attack fails. He asks you for help. State why the attack cannot work. [2 marks]
iii. Show how the shellcode can be modified to make the attack possible. (Note: don’t worry if you do not know the exact syntax of instructions; marks will be awarded for a clear explanation.) [2 marks]
c. Assume the aforementioned code is vulnerable (or can be modified to be so) and the vulnerability can be successfully exploited. State and describe what technique(s) an attacker would use to exploit the vulnerability shown at the beginning of the question, if the kernel enforces a non-executable stack protection (again, assume the small program shown at the beginning of the question is exploitable or can be modified to be exploited successfully). [4 marks]
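Returning to the taint analysis of question 3 (f) and (g): the following is an added worked example, not part of the exam paper, that encodes the two snippets as statements, generates one subtyping constraint per statement over the lattice untainted < tainted, solves them by fixpoint iteration, and performs the flow-sensitive renaming that 3 (g)(i) describes. The statement encoding and the names PROGRAM_F, PROGRAM_G, rename_flow_sensitive, constraints and solve are this example's own.

```python
# Two-point taint lattice (untainted < tainted) and a subtyping-constraint solver
# for the question 3 snippets. Statements are encoded as (kind, dst, src) tuples.
UNTAINTED, TAINTED = "untainted", "tainted"
RANK = {UNTAINTED: 0, TAINTED: 1}          # position in the lattice

# 3(f): name = fgets(...); x = name; printf(x);
PROGRAM_F = [("source", "name", None), ("assign", "x", "name"), ("sink", "x", None)]
# 3(g): name = fgets(...); x = name; x = "hello!"; printf(x);
PROGRAM_G = [("source", "name", None), ("assign", "x", "name"),
             ("const", "x", None), ("sink", "x", None)]

def rename_flow_sensitive(stmts):
    """Flow-sensitive view of the program: each assignment defines a fresh
    version of its target (x -> x1, x2, ...) and every use reads the latest one."""
    version, current, out = {}, {}, []
    for kind, dst, src in stmts:
        src = current.get(src, src)            # resolve the use before the def
        if kind == "sink":                     # printf(x) only reads x
            dst = current.get(dst, dst)
        else:                                  # source / assign / const define dst
            version[dst] = version.get(dst, 0) + 1
            current[dst] = dst + str(version[dst])
            dst = current[dst]
        out.append((kind, dst, src))
    return out

def constraints(stmts):
    """One subtyping constraint (lhs <= rhs) per statement."""
    rules = {"source": lambda d, s: (TAINTED, d),    # fgets returns tainted data
             "const":  lambda d, s: (UNTAINTED, d),  # a string literal is untainted
             "assign": lambda d, s: (s, d),          # q_src <= q_dst
             "sink":   lambda d, s: (d, UNTAINTED)}  # printf's fmt must be untainted
    return [rules[kind](dst, src) for kind, dst, src in stmts]

def solve(cs):
    """Least solution by fixpoint iteration over the variable lower bounds, then
    check the constant upper bounds; any violation is an illegal tainted flow."""
    q = {t: UNTAINTED for c in cs for t in c if t not in RANK}
    def val(t):
        return t if t in RANK else q[t]
    changed = True
    while changed:
        changed = False
        for lhs, rhs in cs:
            if rhs not in RANK and RANK[val(lhs)] > RANK[q[rhs]]:
                q[rhs], changed = val(lhs), True
    violations = [(l, r) for l, r in cs if r in RANK and RANK[val(l)] > RANK[r]]
    return q, violations
```

Running solve(constraints(PROGRAM_G)) reports a violation at the printf sink, while solve(constraints(rename_flow_sensitive(PROGRAM_G))) reports none, which is the precision the flow-sensitive renaming buys on the second snippet.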