Popa & Wagner CS 161 Spring 2020 Computer Security
Solutions updated May 2021 by CS 161 SP21 course staff
Final Exam
For questions with circular bubbles, you may select exactly one choice on Gradescope. Unselected option
Only one selected option
For questions with square checkboxes, you may select one or more choices on Gradescope.
You can select
multiple squares
For questions with a large box, you need to provide justification in the text box on Gradescope.
You have 170 minutes. There are 9 questions of varying credit (230 points total).
The exam is open book. You can use any resources on the Internet, including course notes, as long as you are working alone.
We will not be answering any clarifications about the exam. If there are any glaring problems with wording, we will consider dropping the question from the exam after solutions/grades are released.
Q1 MANDATORY – Honor Code (5 points) On your Gradescope answer sheet, read the honor code and type your name. Failure to do so will result in a grade of 0 for this exam.
We have printed the values statement you wrote in Homework 3B below:
We did not see a values statement on your Homework 3B submission. We encourage you to take a moment and think about your core values.
We trust you will approach this exam in a way consistent with your values.
This is the end of Q1. Proceed to Q2 on your Gradescope answer sheet.
Page 1 of 34
Q2 True/false (72 points) Each true/false is worth 2 points.
Q2.1 TrueorFalse:Ifavictimisloggedintoasessiononhttps://bank.com/inonetabandvisits an attacker’s website in another, the attacker can run JavaScript to load a form at https://bank.com/transfer and extract the CSRF token from it.
True False
Q2.2 True or False: An on-path attacker can learn the request parameters of a GET request loaded over HTTPS.
True False
Q2.3 True or False: An on-path attacker can learn the request parameters of a GET request loaded over HTTP.
True False
Q2.4 True or False: Parameterized SQL is generally safer than forming a SQL query through string concatenation because you are less likely to be vulnerable to a SQL injection attack.
True False
Q2.5 TrueorFalse:InDNSSEC,iftherootkeyiscompromised,thennoDNSrecordscanbetrusted. True False
Q2.6 TrueorFalse:Diffie-HellmanisaneffectivemitigationagainstROP(Return-OrientedProgram- ming) attacks.
True False
Q2.7 True or False: Using 𝐻(𝑥) = SHA256(𝑥), where 𝑥 is a message, forms a secure message authen- tication code.
True False
Q2.8 True or False: Encrypting a message with AES-CBC mode and a random IV is IND-CPA secure.
Solution: False. SOP prevents this.
Solution: False. The request parameters will be encrypted.
Solution: True. The request parameters will be sent in plaintext.
Solution: False. There is no key here so anyone can forge a valid MAC.
Final Exam Page 2 of 34 CS 161 – Spring 2020
True False
Q2.9 TrueorFalse:ThereisnoreasontouseIPwithUDP,sincebothonlyprovidebest-effortdelivery.
True False
Q2.10 True or False: TLS has end-to-end security, so it is secure against an attacker who steals the private key of the server.
True False
Q2.11 TrueorFalse:IftheentireInternetstoppedusingHTTPPOSTrequestsandonlyallowedHTTP GET requests, CSRF attacks would still be possible.
True False
Q2.12 True or False: Suppose we compile a program with 512-bit canaries, and the program produces no output (so it is impossible to leak the value of the canary). It is possible to successfully write to memory located above the stack canary.
True False
Q2.13 True or False: Suppose that in an IND-CPA game for some encryption scheme, there is an attacker who finds a way to guess the random bit correctly with probability 0.4. The scheme could still be IND-CPA.
Solution: False. UDP is a transport layer (layer 4) protocol and IP is an inter-network layer (layer 3) protocol, so there’s no way to use UDP without IP. A connection should either use UDP+IP or TCP+IP.
Solution: False. An attacker who’s stolen the private key of the server could impersonate the server to the victim.
Solution: True. An attacker can force a victim to click on a link that generates an HTTP GET request with server-side effects.
Solution: True. Some vulnerabilities, e.g. format string vulnerabilities allow you to write to arbitrary locations in memory.
Solution: False. There is another attacker, the one that makes the opposite guess every time; this attacker has a way to guess the random bit with probability 0.6, which wins the IND-CPA game.
Final Exam
Page 3 of 34
CS 161 – Spring 2020
Q2.14 True or False: There is nothing a man-in-the-middle attacker (MITM) can do to interfere with a DNSSEC query.
True False
Q2.15 True or False: It is secure for a server to generate session tokens based only on timestamp to the nearest second, as long as every user receives a unique token.
True False
Q2.16 True or False: Destination port randomization could be implemented to increase the security of DNS without breaking the DNS protocol shown in lecture.
True False
Q2.17 True or False: Let 𝑆(𝑘, 𝑀) be the signing function for RSA signatures. Consider a new scheme with a signing function 𝑆′(𝑘, 𝑀) = [𝑆(𝑘, 𝑀||𝑟), 𝑟], where 𝑟 is a randomly chosen nonce and || is concatenation. This scheme is IND-CPA secure.
True False
Q2.18 True or False: If every website uses TLS and every cookie has the secure flag set, clickjacking attacks are still possible.
True False
Q2.19 TrueorFalse:Ascriptrunningonhttp://insecure.califlower.comcansetacookiethat will be sent to http://secure.califlower.com.
Final Exam
Page 4 of 34
CS 161 – Spring 2020
Solution: False. The MITM could do a DoS attack by dropping responses.
Solution: False. Now an attacker can brute-force tokens and possibly log in as another user.
Solution: False. The destination port needs to be well-known so requests can be sent.
Solution: False. The verifying key is still public, so anyone can verify the signature. If the attacker has a guess at the message, they can test their guess, which violates IND-CPA security.
Solution: True. TLS defends against network attacks, not web/application layer attacks, and clickjacking attacks do not need cookies to succeed.
Solution: The cookie can be set with Domain=califlower.com.
Q2.20 True or False: A script running on http://insecure.califlower.com can load http://secure.califlower.com in an iframe and read data, including cookies, from that iframe.
True False
Q2.21 True or False: A script running on http://califlower.com/insecure can load http://califlower.com/secure in an iframe and read data, including cookies, from that iframe.
True False
Q2.22 True or False: A cookie set by califlower.com without specifying a domain will be sent to califlower.com and any subdomain of califlower.com.
True False
Q2.23 TrueorFalse:Itispossibletosetacookieforhttp://califlower.comthatcannotbeaccessed by a script running on the same page.
True False
Q2.24 True or False: A script running on http://califlower.com cannot set a cookie that will be sent to https://califlower.com because they have different origins.
Solution: TheSame-OriginPolicypreventsthisbecausehttp://insecure.califlower.com and http://secure.califlower.com have different origins.
Solution: Both pages have the same origin, so this is allowed.
Solution: We decided not to grade this. This tests a subtle aspect of cookies that we didn’t teach/emphasize in class. It turns out that if no domain is specified, the cookie is treated specially and is sent back to the current domain but not to subdomains.
Final Exam
Page 5 of 34
CS 161 – Spring 2020
Solution: The cookie can be set with the HttpOnly flag.
Solution: It can, although not with the Secure flag. The cookie policy is distinct from the Same-Origin Policy.
Q2.25 True or False: If http://califlower.com loads http://broccoli.com in an iframe, the server of the child frame also receives all cookies that were originally sent to the server of the parent frame.
True False
Q2.26 Suppose Harry the hacker exploits a vulnerability on http://weaksite.com to inject the fol- lowing line of code: . Harry wants to hack Alice by tricking her into visiting the page and running the script to steal her cookies for weaksite.com.
True or False: The Same-Origin Policy would prevent this attack. True False
Q2.27 Suppose Harry the hacker exploits a vulnerability on http://weaksite.com to inject the fol- lowing line of code: . Harry wants to hack Alice by tricking her into visiting the page and running the script to steal her cookies for weaksite.com.
True or False: Setting the Secure flag on the cookies would prevent this attack. True False
Solution: We decided not to grade this question. It is arguably impossible: with modern
browsers, http://weaksite.com cannot set a cookie with the Secure flag set. (https://weaksite.com can, but the question didn’t mention the existence of such a https version of the site.) If such a
cookie did get set somehow, it turns out that it is browser-specific whether Javascript from http://weaksite.com can access the cookie: some browsers allow that, and others do not.
So, this question was faulty.
Q2.28 Bobistryingtoaccesshttps://store.nintendo.comtobuyaSwitch.SupposeEveisanon-path attacker on the same local network.
True or False: Eve can stop Bob from accessing the Nintendo Store.
Solution: The frames have different domains. Cookie scoping rules do not differ for inner frames.
Solution: Thescriptrunswithsameoriginasthepagethatloadsit,sotheSame-OriginPolicy does not help.
Final Exam
Page 6 of 34
CS 161 – Spring 2020
Solution: An on-path attacker is able to see all the TCP fields (ports, IPs, sequence numbers) and can therefore successfully inject a RST packet with high probability before the TLS hand- shake is completed. TLS provides end-to-end integrity only after the handshake is successfully completed.
Q2.29 True or False: As long as a user uses TLS to visit a website, Tor protects anonymity even if all of their relays are malicious and colluding.
True False
Q2.30 Assume you’ve set up a 3-relay Tor circuit to access some websites over HTTPS. A malicious adversary takes control of the entry relay, but the other two are honest and uncompromised. The adversary can now learn which website you are visiting.
True False
Q2.31 Assume you’ve set up a 3-relay Tor circuit to access some websites over HTTPS. A malicious adversary takes control of the middle relay, but the other two are honest and uncompromised. The adversary can now learn your identity.
True False
Q2.32 Assume you’ve set up a 3-relay Tor circuit to access some websites over HTTPS. A malicious adversary takes control of the exit relay, but the other two are honest and uncompromised. The adversary can now learn which website you are visiting.
Solution: False.Therelayscancolludetofigureoutwhotheuserisandwhichwebsitethey’re visiting
Solution: False, the entry relay can learn your identity but not which site you are visiting, and there is no way to correlate the two.
Solution: False, the entry relay protects against this.
Solution: We did not grade this question, as it was ambiguous. Under one interpretation, the answer is True: the exit relay talks to the final website, so it can see which websites are being visited. Under another interpretation, the answer is False: while the exit relay can see all websites being visited by users that are going through that exit, it cannot know which website is associated with which user. So, if there are many users, the exit relay cannot tell which one of those websites you’re visiting (and which ones someone else is visiting).
Final Exam
Page 7 of 34
CS 161 – Spring 2020
Q2.33 TrueorFalse:Withthecontacttracingprotocoldescribedinclass,evenifausergetsdiagnosed and publishes their daily tracing key, it’s impossible to track their movements for that day since their rolling identifier is re-generated every 10 minutes.
True False
Q2.34 True or False: The contact tracing protocol described in class doesn’t require any centralized trust, since individuals’ phones are running the protocol.
True False
Q2.35 True or False: In Bitcoin, once your transaction is successfully added to a block that lives on the longest chain, you can be guaranteed that it will never be lost.
True False
Q2.36 True or False: For certificate transparency, a Merkle tree might be preferred over a block chain since adding a new certificate can be done in constant time.
Solution: False.Alloftherollingidentifierscanbelinkedtothatuser.Ifamaliciousadversary was able to set up receivers around an area and keep a log of all identifiers seen, they could subsequently pick out which ones are from the user and track that user’s steps.
Solution: False. Users must trust the server to honestly keep track of who has been infected and who hasn’t.
Solution: False. The blockchain could fork and not include your transaction.
Solution: False.Addinganewcertificatetakes𝑂(log𝑛)timewithaMerkletreesinceaMerkle tree is a binary tree. Adding a new certificate to a block chain could be done in 𝑂(1) time, so the advantage does not have to do with the time to add a new certificate. Rather, we prefer a Merkle tree over a block chain because verification can be done in 𝑂(log 𝑛) time instead of 𝑂(𝑛) time.
This is the end of Q2. Proceed to Q3 on your Gradescope answer sheet. If you are finished with the exam and are ready to submit your answer sheet, please follow the submission protocol.
Final Exam
Page 8 of 34
CS 161 – Spring 2020
Q3 EvanBot’s Last Creation (15 points) Inspired by different AES modes of operation, EvanBot creates an encryption scheme that combines two existing modes of operation and names it AES-DMO (Dual Mode Operation). Provided below is an encryption schematic of AES-DMO.
(12 points) Fill in the numbered blanks for this incomplete decryption schematic of AES-DMO. Each blank is worth 1 point.
Q3.1 Blank (1) (A) IV
Q3.2 Blank (2) (G) Enc
Q3.3 Blank (3) (A) IV
Q3.4 Blank (4) (G) IV
Final Exam
Page 9 of 34
CS 161 – Spring 2020
Q3.5 Blank (5) (A) Enc
Q3.6 Blank (6) (G) IV
Q3.7 Blank (7) (A) IV
Q3.8 Blank (8) (G) Enc
Q3.9 Blank (9) (A) IV
Q3.10 Blank (10) (G) IV
Q3.11 Blank (11) (A) Enc
Q3.12 Blank (12) (G) IV
Final Exam
Page 10 of 34
CS 161 – Spring 2020
Q3.13 (3 points) Select all true statements about AES-DMO. (A) Encryption can be parallelized
(B) Decryption can be parallelized (C) AES-DMO is IND-CPA secure (D) None of the above
Solution: The diagram for encryption has a feedback from one block to the next, whereas the diagram for decryption has no such feedback. This makes decryption parallelizeable but not encryption.
DMO is IND-CPA because each block is either AES-CBC or AES-CFB, both of which are IND-CPA. You can do a proof by induction: C1 is secure since it’s the first block of AES-CFB, and each subsequent block is AES-CFB or AES-CBC where the feedback from the previous block (ciphertext) is IND-CPA, in effect a random number.
This is the end of Q3. Proceed to Q4 on your Gradescope answer sheet. If you are finished with the exam and are ready to submit your answer sheet, please follow the submission protocol.
Final Exam
Page 11 of 34
CS 161 – Spring 2020
Q4 ReenviebrmsoeC (Reasoning About Memory Safety) (11 points) Alice is writing a function to interleave one string with the reverse of another string. However, she is worried about memory safety issues. She wants to define some conditions that would ensure the safety of her code.
1 2 3 4 5 6 7 8 9
Q4.1 (3points)Selectallnecessaryprecondition(s)forreverse_combinetoensurememorysafety(but not necessarily correct functionality).
(A) str1 and str2 are null-terminated (D) None of the above (B) result != NULL (E)
to ensure memory safety (but not necessarily correct functionality). Q4.2 len(str1) ___ len(str2)
void reverse_combine(char ∗result , char ∗str1 , char ∗str2) {
size_tn=strlen(str1); int i;
for (i = 0; i < strlen(str2); i++) {
result[2∗i] = str1[n−1−i];
result[2∗i+1] = str2[i]; }
result[2∗i] = ’\0’;
For this question, let size(str) refer to the space allocated to str, and let len(str) refer to the length of str, not including the null terminator.
(C) result is null-terminated
(4 points) Fill in the following blanks so that each statement is part of the precondition for reverse_combine
(G) < (H) <=
Q4.3 size(result) ___ 2*len(str2) (A) < (B) <=
Solution: We need len(str1) >= len(str2), so that line 7 does not read before the be- ginning of the str1 buffer: the first iteration of the loop will read str1[len(str1)-1], and the last iteration will read str1[len(str1)-1-(len(str2)-1)], so we need len(str1)-1-(len(str2)-1)>=0, i.e., len(str1) >= len(str2).
Final Exam
Page 12 of 34
CS 161 – Spring 2020
Solution: Line 10 will write to result[2*len(str2)], so we need
2 * len(str2) < size(result) to avoid writing past the end of result.
(4 points) Fill in the following blanks so that each statement is an invariant that is guaranteed to hold at line 5, assuming the function’s precondition holds. Choose the most restrictive invariant (i.e. if both a < b and a <= b are true, you should choose <).
Q4.4 0 ___ i
(G) < (H) <=
Q4.5 i ___ len(str2)
(A) < (B) <=
Q4.6 2*i+1 ___ 2*len(str2) (G) < (H) <=
Q4.7 2*i+1 ___ size(result) (A) < (B) <=
Solution: We did not grade Q4.5-Q4.7, because we screwed up the statement of the question. It is ambiguous what is meant by “at line 5”; does that refer to the start of the loop or the end of the loop? Does it apply after the last iteration when we break out of the loop? We meant to refer to line 6, but we got the question wrong.
This is the end of Q4. Proceed to Q5 on your Gradescope answer sheet. If you are finished with the exam and are ready to submit your answer sheet, please follow the submission protocol.
Final Exam
Page 13 of 34
CS 161 – Spring 2020
Cauliflower Smells Really Flavorful (23 points) califlower.com decides to defend against CSRF attacks as follows:
1. When a user logs in, califlower.com sets two 32-byte cookies session_id and csrf_token randomly with domain califlower.com.
2. When the user sends a POST request, the value of the csrf_token is embedded as one of the form fields.
3. On receiving a POST request, califlower.com checks that the value of the csrf_token cookie matches the one in the form.
Assume that the cookies don’t have the secure, HTTPOnly, or Strict flags set unless stated otherwise. Assume that no CSRF defenses besides the tokens are implemented, and that CORS is not in use (if you don’t know what that means, do not worry about it). Assume every subpart is independent.
Q5.1 (3 points) Suppose the attacker gets the client to visit their malicious website which has domain evil.com. What can they do?
(A) CSRF attack against califlower.com (B) Change the user’s csrf_token cookie (C) Learn the value of the session_id cookie
(D) None of the above
Solution: The attacker’s website is of a different domain so they are not able to change/read any cookies for califlower.com. As such, they not able to execute a CSRF attack since they can’t guess the value of csrf_token.
Q5.2 (3 points) Suppose the attacker gets the client to visit their malicious website which has domain evil.califlower.com. What can they do?
(G) CSRF attack against c