CS代考 CS 161 Computer Security

CS 161 Computer Security
Final Exam
For questions with circular bubbles, you may select exactly one choice on Gradescope. Unselected option
Only one selected option
For questions with square checkboxes, you may select one or more choices on Gradescope.
You can select
multiple squares
For questions with a large box, you need to write your answer in the text box on Gradescope.
There is an appendix at the end of this exam, containing descriptions of all C functions used on this exam.
You have 170 minutes, plus a 10-minute buffer for distractions or technical difficulties, for a total of 180 minutes. There are 11 questions of varying credit (200 points total).
The Gradescope answer sheet assignment has a time limit of 180 minutes. Do not click “Start Assignment” until you’re ready to start the exam. The password to decrypt the PDF is at the top of the answer sheet.
The exam is open note. You can use an unlimited number of handwritten cheat sheets, but you must work alone.
Clarifications will be posted at https://cs161.org/clarifications.
Q1 MANDATORY – Honor Code (5 points)
Read the following honor code and type your name on Gradescope.
I understand that I may not collaborate with anyone else on this exam, or cheat in any way. I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in, at minimum, negative points on the exam and a corresponding notch not on Nick’s staff but on his demolition tool.
Solution: Don’tworryifyouforgottofillinyourname.Everyonegets5freepointsforembracing the suck this semester.
We won’t take any points off if you entered something for a subpart that doesn’t exist, or if you filled in a text box on a multiple-choice question, or vice-versa. To be consistent, we will not consider any unnecessary writing/bubbling on your exam during grading (pretend it’s scratch work).
This is the end of Q1. Leave the remaining subparts of Q1 blank on Gradescope, if there are any. Proceed to Q2 on your answer sheet.
Page 1 of 35

Q2 True/false (34 points) Each true/false is worth 2 points.
Q2.1 True or False: A cookie with the Secure flag set cannot be exploited in an XSS attack. True False
Q2.2 True or False: A stack canary is placed above the local variables but below the rip of a given stack frame in order to defend against buffer overflow vulnerabilities.
Clarification during exam: “below the rip” means “somewhere below the rip,” not necessarily directly below the rip.
True False
Q2.3 True or False: Secure cryptographic hash functions provide IND-CPA confidentiality on a message because they are irreversible.
True False
Solution: False. The Secure flag prevents a cookie from being sent over an unencrypted HTTP connection, which is unrelated to XSS vulnerabilities. Cookies with the HttpOnly flag are secure against XSS attacks, however.
Solution: True. Stack canaries defend against buffer overflows because stack buffers reside in the local variables, so an overflow would have to overwrite the stack canary before it overwrites the rip.
Solution: False.Thesimplestwaytoreasonaboutthisistonotethathashesaredeterministic, so they cannot be IND-CPA secure.
More formally, IND-CPA confidentiality provides a stricter sense of security in that nothing about the message is learned other than its length. Let H be a secure hash function. Define H′(x) = H(x)||x0—that is, H′ produces the output of H plus the first bit of x0. Because of the properties of H, H′ is still one-way (since reversing H′ would reverse H) and collision resistant (since a collision on H′ is a collision on H), but the first bit of x is learned, violating confidentiality.
Q2.4 Let E be an IND-CPA secure encryption scheme, and E′(x) = E(x)||len(x). In other words, E′(x) is the ciphertext E(x) concatenated with the length of the plaintext x.
Final Exam
Page 2 of 35
CS 161 – Fall 2020
True or False: E′ is IND-CPA secure. True

Solution: True.ThedefinitionofIND-CPAallowsIND-CPAsecureschemestoleakthelength of the plaintext. (Recall that in the IND-CPA game, the pair of messages in the challenge are of equal length.) Therefore, exposing the length directly is still secure.
Keep in mind that for many IND-CPA schemes, such as AES-CBC or AES-CTR, the attacker can estimate the length of the plaintext using the length of the ciphertext.
Q2.5 True or False: Modern, freely-available computer vision programs have become powerful enough to make CAPTCHAs obsolete.
True False
Q2.6 True or False: The Great Firewall of China can inject TCP RST packets to censor connections. True False
Q2.7 True or False: Modern systems enable stack canaries, WˆX, ASLR, and pointer authentication to defend against buffer overflow attacks. This is an example of defense-in-depth.
True False
Q2.8 True or False: It is possible to inspect encrypted HTTPS traffic with a HIDS. True False
Q2.9 True or False: It is easier for an off-path attacker to inject messages into a TCP connection if the initial sequence numbers were derived from the current time (with second precision) than if the initial sequence numbers were generated randomly.
Solution: False. CAPTCHAs are most vulnerable to outsourcing attacks, where attackers use real human labor, not computer vision programs, to solve them. CAPTCHAs are also still widely used.
Solution: True. The Great Firewall is an on-path adversary, so it can see TCP packets and spoof RST packets.
Solution: True. Even if your exploit defeats one of the defenses, it may not defeat all of them. This is an example of defense-in-depth.
Solution: True. The HIDS is installed on the end host and can see unencrypted application- layer data.
Final Exam Page 3 of 35 CS 161 – Fall 2020

True False
Q2.10 True or False: TLS is vulnerable to RST injection attacks during the handshake, but not after the handshake is completed.
True False
Q2.11 True or False: Input sanitation helps defend against some SQL injection and XSS attacks. True False
Q2.12 TrueorFalse:RandomizingthesourceIPandportisacommondefenseagainstDNSspoofing. True False
Solution: True. An off-path attacker must guess sequence numbers to inject messages in a TCP connection. Non-random sequence numbers make TCP more vulnerable to an off-path attacker, since the attacker has a greater chance of predicting the sequence numbers.
Solution: False. A TCP RST packet can still be injected during a TLS connection, since TLS is built on top of TCP.
Solution: True. SQL injection and XSS rely on user input being treated as code, so input sanitation would stop some (but not all) attacks.
Solution: False. Randomizing the source IP would break the functionality of DNS, because you will not be able to receive the DNS response.
Randomizing the port is okay because you still receive the response. Your computer would just need to remember what random port it sent the request with and look for the answer at the same port.
Q2.13 True or False: Of the security principles covered in class, two factor authentication is best described as an example of defense in depth.
True False
Q2.14 True or False: DNS (without DNSSEC) is secure against an on-path attacker, but not a MITM attacker.
Solution: True. 2FA means that even if one layer of your security is compromised (e.g. your password is stolen), other defenses remain in place to protect your account.
Final Exam Page 4 of 35 CS 161 – Fall 2020

True False
Q2.15 True or False: ASLR prevents all buffer overflow attacks. True False
Q2.16 True or False: Log analysis is effective at detecting attacks in real-time. True False
Q2.17 True or False: Clickjacking can help an attacker execute reflected XSS attacks. True False
Q2.18 True or False: EvanBot is a real bot. (0 points)
Final Exam
Page 5 of 35
CS 161 – Fall 2020
Solution: False. The on-path attacker can see the ID field and race the legitimate response.
Solution: False. ASLR can’t prevent overwriting local variables.
Solution: False. Logs are usually checked offline afterwards, so they usually detect attacks after they’ve already happened.
Solution: True. Clickjacking can cause the victim to click on an attacker-crafted link, and reflected XSS requires the victim to click on an attacker-crafted link.
Solution: True. See http://isevanbotreal.com to learn more.
This is the end of Q2. Leave the remaining subparts of Q2 blank on Gradescope, if there are any. Proceed to Q3 on your answer sheet.

1 2 3 4 5 6 7 8 9
Indirection
Consider the following vulnerable C code:
(24 points)
#include
#include
struct log_entry { char title [8];
char ∗msg;
void log_event(char ∗title , char ∗msg) {
size_t len = strnlen (msg, 256) ;
if (len == 256) return; /∗ Message too long. ∗/
struct log_entry ∗ entry = malloc ( sizeof ( struct log_entry ) ) ;
entry−>msg = malloc(256);
strcpy(entry−>title , title);
strncpy ( entry −>msg , msg , len + 1) ;
add_to_log ( entry ) ; /∗ Implementation not shown . ∗/
Assume you are on a little-endian 32-bit x86 system and no memory safety defenses are enabled. Q3.1 (3 points) Which of the following lines contains a memory safety vulnerability?
(A) Line 10 (D) Line 15
(B) Line 13 (C) Line 14
Solution: Line 14 uses a strcpy, which is not a memory-safe function because it only ter- minates when it sees a null byte. The attacker could provide a string that is longer than the buffer or not properly null-terminated, and strcpy would still copy the entire string into the buffer, overwriting other variables in the process.
Note that line 15 uses a strncpy whose length parameter comes from strnlen, so it is safe.
Q3.2 (3 points) Seeing an opportunity to exploit this program, you fire up GDB and step into the log_event function. Give a GDB command that will show you the address of the rip of the log_event function. (Abbreviations are fine.)
Final Exam
Page 6 of 35
CS 161 – Fall 2020
Enter your answer in the text box on Gradescope.
(G) (H) (I)
( J) (K) (L)

Q3.3 (3 points) Fill in the numbered blanks on the following stack and heap diagram for log_event. Assume that lower-numbered addresses start at the bottom of both diagrams.
Clarification during exam: The stack diagram shown is incorrect. The values 1 and title should should be swapped on the stack.
Stack Heap
title 3 12
(A) 1 = entry->msg (B) 1 = entry->msg (C) 1 = msg
2 = entry->title 2 = msg
2 = entry->title 2=entry->msg
3 = entry->title 3 = entry->msg 3=entry->title
Solution: We messed up the stack diagram for this part. Arguments are pushed on the stack in reverse order, so 1 (msg) should actually be above title, not below title. Since it’s our mistake, we are giving full credit to everyone on this subpart.
The two arguments, title and msg, must be on the stack, so 1 = msg.
Structs are filled from lower addresses to higher addresses, so 2 = entry->title and 3 = entry->msg.
Using GDB, you find that the address of the rip of log_event is 0xbfffe0f0.
Let SHELLCODE be a 40-byte shellcode. Construct an input that would cause this program to execute
shellcode. Write all your answers in Python 2 syntax (just like Project 1). Q3.4 (6 points) Give the input for the title argument.
Final Exam
Page 7 of 35
CS 161 – Fall 2020
Solution: info frame (abbreviated i f) would be the easiest command to use. Other solu- tions exist.
Enter your answer in the text box on Gradescope.
(G) (H) (I)

Solution: The strcpy at line 14 lets us write as much data as we want into entry->title, which is a buffer on the heap.
The strncopy at line 15 lets us write as much data as we want into entry->msg, which is a pointer on the heap. Note from the stack diagram that entry->msg is directly above entry->title, which is a buffer that we can overflow! Thus we can also overflow the entry->msg pointer and make it point wherever we want our data to be written.
The overarching idea is to use line 14 to overflow the entry->msg pointer to point to the rip, and then use line 15 to overwrite the rip (which entry->msg is now pointing to) with the classic buffer overflow exploit.
The title input should overflow entry->msg with the rip. We write 8 bytes of garbage to overwrite entry->title, then overwrite entry->msg with the rip.
‘A’ * 8 + ‘\xf0\xe0\xff\xbf’
Q3.5 (6 points) Give the input for the msg argument. Enter your answer in the text box on Gradescope.
(A) (B) (C) (D) (E) (F)
Solution: Now that entry->msg is pointing at the rip, our input for msg will be directly written to the rip (thanks to line 15).
Thus we can write the classic buffer overflow exploit (project 1, question 1): we overwrite the rip with the address directly above it (rip + 4), then write the shellcode. This causes the rip to point to shellcode.
‘\xf4\xe0\xff\xbf’ + SHELLCODE
Q3.6 (3 points) Which of the following defenses on their own would prevent your exploit?
Note: If stack canaries are enabled, you can assume 0xbfffe0f0 is still the correct address of the RIP.
(G) Stack canaries (H) W^X
(J) None of the above
Solution: Stackcanarieswouldnotdefendagainstthisattackbecausewearenotconsecutively writing from the local variables to the rip. Instead, we are overflowing a heap variable (no canaries on the heap) and then directly writing above the canary.
Final Exam
Page 8 of 35
CS 161 – Fall 2020

W^X defends against your exploit by preventing the shellcode on the stack from being executed.
ASLR defends against your exploit by randomizing the address of the rip that you use in your exploit.
This is the end of Q3. Leave the remaining subparts of Q3 blank on Gradescope, if there are any. Proceed to Q4 on your answer sheet.
Final Exam Page 9 of 35 CS 161 – Fall 2020

Q4 Malcode (12 points) Q4.1 (3points)MalcodeXspreadsbymakingacopyofitsownbinaryonanothermachineandexecuting
it. Which intrusion detection technique is best for detecting this malcode? (A) Signature-based detection (D) Behavioral detection
(B) Anomaly-based detection
(C) Specification-based detection
Solution: Becausethemalcodedoesnotchangeeachtimeitreplicates,wecanaddasignature for the malcode binary to detect and block it.
Q4.2 (3 points) Malcode X connects to other machines using TLS. Which intrusion detection method is best for detecting this malcode?
Select one option, and briefly justify your answer (1 sentence) in the text box.
(G) NIDS (H) HIDS (I) (J) (K) (L)
Solution: Because TLS is encrypted, the NIDS does not have the necessary host context in order to decrypt and inspect the traffic for the malcode. Thus, only the HIDS can defend against the malcode.
We may consider accepting NIDS if you explain that you can give the NIDS the server’s private keys and let it actively intercept every connection.
Q4.3 (3 points) Malcode Y spreads by encrypting its binary, copying the encrypted binary and a de- cryption script to another machine, and executing the decryption script to run the malcode. The encryption key and the IV/nonce (if needed) are randomly generated each time the malcode replicates. Which encryption schemes would cause every copy of the malcode to look different?
Clarification during exam: “Cause every copy of the malcode to look different” means that the encrypted copies of the malcode differ in at least 1 byte.
(A) AES-ECB (B) AES-CBC
(C) AES-CTR (E)
(D) None of the above
Solution: In all of these AES ciphers, the ciphertext looks different as long as the key is different each time.
Note that AES-ECB is deterministic with the same key, but changing the key still causes the ciphertext to look different.
Final Exam
Page 10 of 35
CS 161 – Fall 2020

Q4.4 (3points)MalcodeZspreadsthesamewayasMalcodeY.However,insteadofrandomlygenerating the encryption key and the IV/nonce (if needed), they are hard-coded into the binary and the decryption script. Which encryption schemes would cause every copy of the malcode to look different?
(G) AES-ECB (H) AES-CBC
(I) AES-CTR (K)
(J) None of the above
Solution: A static key and IV means that the encrypted payload always remains the same.
Note that AES-CBC and AES-CTR are both deterministic if you use the same key and IV/nonce every time.
Final Exam
Page 11 of 35
CS 161 – Fall 2020
This is the end of Q4. Leave the remaining subparts of Q4 blank on Gradescope, if there are any. Proceed to Q5 on your answer sheet.

Q5 CalCentral Security (20 points) Given your performance as a skilled attacker of the UnicornBox website, university administrators have asked you to assess the security of the CalCentral platform.
The CalCentral website is set up as follows:
• CalCentral is located at https://calcentral.berkeley.edu/.
• The Central Authentication Service (CAS) is located at https://auth.berkeley.edu/.
• CalCentral uses session tokens stored in cookies for authentication, similar to Project 3. The session token cookie has domain berkeley.edu, and the Secure and HttpOnly flags are set.
• CalCentral does not use CSRF tokens or any form of CSRF protection. Each subpart is independent.
Q5.1 (3 points) When a user attempts to sign in on CalCentral, the CAS login portal appears in a pop-up window.
True or false:BecauseCalCentralandCAShavethesameorigin,CAScanupdatetheCalCentral webpage when a user signs in successfully.
(A) True, because CalCentral and CAS are managed by the same organization.
(B) True, because windows with the same origin can interact with each other.
(C) False, because pop-up windows can never affect other windows, regardless of the origin. (D) False, because CalCentral and CAS don’t have the same origin.
Q5.2 (3 points) When a user attempts to sign in on CalCentral, the CAS login portal appears in an iframe embedded on the CalCentral page.
True or false: This design allows CalCentral to modify the text field on the CAS website to autofill the username field.
(G) True, because CalCentral and CAS are managed by the same organization.
(H) True, because the inner frame is loaded with the same origin of the outer frame. (I) False, because Javascript is needed to autofill form fields.
(J) False, because the outer frame cannot affect the contents of the inner frame.
Final Exam
Page 12 of 35 CS 161 – Fall 2020
Solution: False. These pages might be able to communicate in other ways, but they have different origins under the same-origin policy.

Q5.3 (3 points) If a user is logged into CalCentral (has a valid session token cookie), a GET Request to https://calcentral.berkeley.edu/api/photo/ will contain a response with their CalCen- tral photo. The website https://evil.com/ loads an image with the following HTML snippet:

True or false: If a user is currently signed into CalCentral, the https://evil.com/ website
will be able to successfully display their photo.
(A) True, because the browser attaches the session token in the request to CalCentral.
(B) True, because the referer in the request is https://calcentral.berkeley.edu.
(C) False, because the browser does not attach the session token in the request to CalCentral. (D) False, because the referer in the request is https://evil.com.
Q5.4 (3 points) You find a reflected XSS vulnerability on CAS. https://berkeley.edu has a footnote that says “UC Berkeley.”
True or false: Using this vulnerability, you can cause the victim to see “CS 161 Enterprises” in the footnote when they visit https://berkeley.edu.
Clarification during exam: The footnote on https://berkeley.edu/ is part of the static HTML page.
(G) True, because the script runs with the same origin as https://berkeley.edu. (H) True, because XSS subverts the same-origin policy.
(I) False, because the script runs with a different origin from https://berkeley.edu. (J) False, because the script only