SFL Main Exam
Winter Term 20/21, Feb 22, Group V-X
Points and time: This exam lasts 120 minutes, plus 30 minutes for uploading
your results. In total, you can obtain 120 points, i.e., plan for one minute per point.
Allowed materials: This is an open-book exam. You are allowed to use the lecture material (slides, books, exercises), a local system (including compiler, debugger and dis/assembler), a calculator, and dictionaries. You are not allowed to team up with others, or to otherwise communicate. The usage of the Internet, except the exam video conference, lecture videos and Moodle, is prohibited.
Solution format: Solve the questions on your own paper with a well-readable pen. Typewritten solutions will not be accepted. Please note your student number on all pages. Answer in German or English. Watch your handwriting!
Solution submission: Digitize your hand-written exam (e.g., using a scanner or camera) and upload your solution to the corresponding Moodle task (“Aufgabe”) before the deadline. Please make sure that your digitized solutions are readable.
Passing this exam: You have passed this exam if you obtain at least 50% of the points, i.e., ≥ 60 points in total.
1 RSA (12 points)
1. (4 pts) RSA Computation: Let p = 9 and q = 17 be the chosen RSA prime numbers and e = 43 the public exponent. Compute n, i.e., the second part of the public key, and the private key d. Hint: d <= 11.
2. (4 pts) Encryption: Encrypt the plaintext message x = 5 using the public key (n = 153, e = 3).
3. (4 pts) Decryption: Decrypt the ciphertext y = 5 using the private key d = 7 and the public key (n = 33, e = 3).
2 Hash Functions (12 pts)
Hash functions have to fulfill certain guarantees to be cryptographically secure. The following table provides five failed attempts to define hash functions. Your task is to show why these functions are not suitable as hash functions. Let m be an arbitrarily long hash input, p be any public prime number, and AESenc(m,K) an AES encryption function that encrypts m (as many blocks as required) using a public (!) symmetric key K.
Hash function                     Compression    Collision Res.    One-Way Function
F3(m) → m mod 2^256
F4(m) → AESenc(m, K) mod 2^256
F5(m) → mp mod 2^256
1. (5 pts) Security Guarantees: State if (not why) each of the five defined functions (i) achieves compression, (ii) is collision resistant, and (iii) is a one-way function. Please use the table template above.
2. (3 pts) Collision Resistance: Provide a concrete counterexample (i.e., two messages m and m′, where m ≠ m′) for one of the functions F2–F5 that disproves its collision resistance.
3. (2 pts) One-Way Functions: Prove with a counterexample why (at least) one of the functions F4–F5 is not a one-way function.
4. (2 pts) Random Hash: Let F6 be another function that every time returns a random number r regardless of the input m, with 0 ≤ r < 2^256. F6 fulfills all of the previously mentioned guarantees. Is F6 thus a hash function? Provide reasons.
3 Network Security (14 pts)
1. TLS Certificates (4 pts) Your fellow students claim that they have “stolen” the TLS certificate of webshop.com. After you sniffed the communication when visiting this website, you indeed can confirm that webshop.com ships its TLS certificate to its clients as part of the TLS handshake. Does the certificate allow you to impersonate webshop.com in a Man-in-the-Middle attack against an HTTPS-encrypted stream between a client and webshop.com? If so, how, if not, why not?
2. Onion Routing (4 pts) Assume an onion routing client C communicates non-encrypted with a DNS server S via three onion routers R1 (entry node), R2 (middle node) and R3 (exit node). How often are DNS messages encrypted due to onion routing? (+2) Can the selected onion routers manipulate DNS messages? (+2)
3. Firewalling (6 pts) Assume a network architecture in which a centralized firewall is placed between an internal network and the Internet. The administrator has placed all hosts in their internal network into the network range 192.168.7.0/24.
Your task is to configure the firewall policies. Allow internal hosts to establish and pursue communication with any external host on any port using any protocol. External servers must otherwise not be able to connect to internal hosts. Specify firewall rules and a default policy that allow exactly this.
Action    Source IP    Src. port    Dest. IP    Dest. port    Protocol    State
...       ...          ...          ...         ...           ...         ...
Table 1: FORWARD table (default policy
4 Software Security: Shellcode (13 points)
You encounter the following Linux x64 shellcode. The code is structured in five code blocks (as per comments). Your task is to analyze this shellcode grouped by code block. Assume that chararr is an address to readable/writable memory.
1. Calling convention (3 pts): Note down how the first four parameters are passed to x64 Linux system calls. Mention where the system call return value is stored.
2. Syscalls (4 pts): The shellcode issues four system calls (blocks 2–5). List them and their parameters, identified by block number. Define system call return values whenever necessary. Example: rval = sys_close(fd).
Hint: Find a partial system call table below.
3. Shellcode Block Semantics (5 pts): Each of the five code blocks follows a certain goal. Briefly describe this goal per code block.
4. Output (1 pt): Does the shellcode write something? If so, to which file?
push 0
mov rax, './kitten'
push rax
mov rdx, 0
syscall
rdi, [rsp]
mov rdi, rax
mov rax, 0
lea rsi, [chararr]
mov rdx, 1024
syscall
mov rdx, rax
mov rax, 1
xor rdi, rdi
lea rsi, [chararr]
syscall
mov rdi, rax
mov rax, 0x3c
syscall

Partial x64 Linux System Call Table
 0  sys_read                         char *buf       size_t count
 1  sys_write                        char *buf       size_t count
 2  sys_open       char *fname       int flags       int mode
 3  sys_close      uint fd
10  sys_mprotect   ulong start       size_t len      ulong prot
39  sys_getpid
41  sys_socket     int family        int type        int protocol
42  sys_connect    int fd            sockaddr *a     int addrlen
57  sys_fork
59  sys_execve     char *fname       char *argv[]    char *envp[]
60  sys_exit       int error_code
62  sys_kill       pid_t pid
5 Software Security: Integer Overflows (14 points)
You are given a C function that accepts a (non-NULL) pointer to an integer array arr with arrlen > 0 elements, and that is susceptible to integer under- and overflows for some combinations of the two other integer parameters x and c:
void array_add(int32_t arr[], int32_t arrlen, int32_t x, int32_t c) {
  if (x < 0 || arrlen > INT_MAX / 4) { goto err; }
  if (x * (int32_t) sizeof(int32_t)
        >= arrlen * (int32_t) sizeof(int32_t)) { goto err; }
  if (c == INT_MIN) { goto err; }
  if (arr[x] == INT_MIN) {
    arr[x] = c; // overwrite uninitialized array value
  } else {
    arr[x] += c; // add to current sum
  }
  return;
err:
  fprintf(stderr, "Ouch, something bad happened. Quiting\n");
  exit(1);
}
1. Over- and Underflows (4 pts): Pinpoint and describe the two integer under-/overflow vulnerabilities in this program. State the affected line numbers (+2), and whether an under- and/or overflow can occur (+2).
Hint: A variable v of type int32_t can be −2^31 = INT_MIN ≤ v ≤ INT_MAX = 2^31 − 1. Hint #2: The statement sizeof(int32_t) corresponds to 4 (bytes).
2. Follow-Up Problem (4 pts): When these vulnerabilities are triggered, the function may suffer from additional follow-up bugs. Describe them for each of the two integer under-/overflow vulnerabilities (+2). Provide concrete sequences of inputs that trigger the follow-up bugs (+2).
3. The Fix (6 pts): Change the code or add (complete!) code in order to mitigate or handle the two under- and overflows (+6). You can use goto err; (which aborts the function with an error) to handle error cases. Annotate your changes with the corresponding line numbers you plan to change and/or extend.
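An added example, not part of the exam or of any solution key: it models how the multiplied bounds comparison in array_add behaves when 32-bit arithmetic wraps, next to a variant that compares the index directly and checks the addition before performing it. The names wrap_mul4, original_check_passes and array_add_checked are hypothetical, and the variant returns -1 where the listing would goto err.

```c
#include <stdint.h>
#include <stdio.h>

/* v * 4 as a 32-bit register computes it: the product wraps modulo 2^32.
 * Signed overflow is undefined in C, so the wrap is done on unsigned
 * values and mapped back to the signed range by hand. */
static int64_t wrap_mul4(int32_t v) {
    uint32_t w = (uint32_t)v * 4u;
    return w >= 0x80000000u ? (int64_t)w - 4294967296LL : (int64_t)w;
}

/* Returns 1 if the two bounds checks of the listing let x through to arr[x]. */
int original_check_passes(int32_t arrlen, int32_t x) {
    if (x < 0 || arrlen > INT32_MAX / 4) return 0;
    return !(wrap_mul4(x) >= wrap_mul4(arrlen));
}

/* Hardened variant (hypothetical): 0 on success, -1 on any rejected input. */
int array_add_checked(int32_t arr[], int32_t arrlen, int32_t x, int32_t c) {
    if (arrlen <= 0 || x < 0 || x >= arrlen) return -1; /* compare indices, no multiplication */
    if (c == INT32_MIN) return -1;
    if (arr[x] == INT32_MIN) { arr[x] = c; return 0; }  /* uninitialized slot */
    if (c > 0 && arr[x] > INT32_MAX - c) return -1;     /* sum would exceed INT32_MAX */
    if (c < 0 && arr[x] < INT32_MIN - c) return -1;     /* sum would fall below INT32_MIN */
    arr[x] += c;
    return 0;
}

int main(void) {
    /* Constructed sample array: one uninitialized slot and two boundary values. */
    int32_t arr[4] = { INT32_MIN, 10, INT32_MAX, INT32_MIN + 1 };
    printf("listing's check, arrlen=4, x=2^30: %s\n",
           original_check_passes(4, 1073741824) ? "passes" : "rejects");
    printf("checked, x=2^30:       %d\n", array_add_checked(arr, 4, 1073741824, 1));
    printf("checked, INT32_MAX+1:  %d\n", array_add_checked(arr, 4, 2, 1));
    printf("checked, 10+5:         %d (arr[1]=%d)\n",
           array_add_checked(arr, 4, 1, 5), arr[1]);
    return 0;
}
```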
6 Software Security: Stack Canary Implementation (12 points)
Stack canaries aim to detect buffer overflows of stack variables. Your task is to implement such a canary check. You are given the following x64 assembly snippet that represents a typical function prologue and epilogue. The function body is arbitrary, but assume that it reserves 32 bytes stack space for local variables.
Your task is to add a stack canary check to this code. Separate your code into canary prologue (the part before the function body) and epilogue (after the function body).
You will have to rely on a certain canary value. For your convenience, assume that the canary value is already computed and stored at address canAddr (this is a label you should use in your code). If the canary check fails, jump to the label canaryFail.
mov rbp, rsp
; place your canary prologue here
; (arbitrary function body, using 32 bytes of stack space for variables) ;
; place your canary epilogue here
7 Authentication (18 pts)
1. (8 pts) SQL injection vulnerabilities may allow leaking a server’s password database. As an effective countermeasure, password databases should not store plaintext passwords, but only hashed passwords. Please discuss the security of this scheme.
a) Suppose the attacker learns only the hash of a password. Further suppose the attacker cannot infer the plaintext password from this hash. Can the attacker use this hash to authenticate against the vulnerable service? (+1)
b) Unfortunately, in practice, attackers can oftentimes infer plaintext passwords from hashed passwords. How? (+1)
c) Suppose the passwords are not only hashed, but also salted. Once the database leaks, is the salt known to the attacker? (+1)
d) Can an attacker infer the cleartext password of salted passwords? If so, how, and if not, why not? (+2)
e) Which additional security principle would you suggest against this threat? Name it and reason why it helps to remedy the described situation. (+3)
2. (6 pts) One-time passwords (OTPs) can strengthen authentication, e.g., if used as a second factor. However, in case of a counter-based token, the OTP token and the authentication server can get out of sync if the token generates an OTP which is never used to authenticate with the server.
a) How can this problem be solved? (+2)
b) Why does this problem solution weaken the OTP scheme? (+2)
c) How can this weakness be mitigated? (+2)
3. (4 pts) The DH-EKE derives a secret key from a shared password. Subsequently, this key can be used for symmetric encryption, instead of directly using the shared password as secret key. If the shared password leaks, using the DH-EKE derived key offers additional security guarantees over just using the shared password as the encryption key. Name (+1) and give a practical example for (+3) this additional security guarantee.
8 Access Control (14 points)
Superman Batman Ironman Hulk Wolverine Gamora Storm
Classics Classics Classics Classics Modern Modern Modern Female Female
File Owner
gun Batman handcuff Flash
fly Hulk knife Wolverine rpg Superman tank Wolverine flowers Wolverine smile Batman
Classics Classics Classics Modern Classics Modern Female Classics
Privileges Owner Group Other
R—X –– R—X R—– – RWX R—X R—X
R—– –– RWX –– RW— RW— – RW— R—– –
RWX RW— RW—
Assume a system with the users/groups (left) and files (right) listed above. Answer:
1. (1 pts): Which user(s) can execute the file “fly”? (+1)
2. (1 pts): Which user(s) can execute the file “tank”? (+1)
3. (1 pts): Which file(s) can user “Gamora” read? (+1)
4. (1 pts): Which file(s) can group “Modern” execute? (+1)
5. (2 pts): Which user can read the most files (+1), and which files are these (+1)?
6. (2 pts): User “Batman” would like to give the group “Classics” privileges to read the file “gun”. Is this possible in MAC, DAC, or both? (+1) List the new privileges for the “gun” file that make this possible. (+1)
7. (2 pts): User “Storm” is rogue and wants to trick user “Batman” to execute a malware. What can user “Storm” do, given the current file system privileges? Hint: Assume that “Batman” will eventually execute one of the listed files. (+2)
8. (2 pts): User “Wolverine” wants to grant read privileges to the file “knife” also to user “Thor” (and only to this user). Can “Wolverine” do so, in the given privilege system? (+1) If so, how? If not, what can “Wolverine” do? (+1)
9. (2 pts): After closer inspection, you find a world-readable and world-executable file called OMG that is owned by user “Batman” and has the setuid bit set. Your analysis reveals that OMG can read and print an arbitrary file specified as user argument. Which consequences does this have?
…
…
a) Which vulnerability does the code include (+2)?
Hint: location.href contains the URL of the current page.
b) How can this be abused in principle (no concrete inputs required) and what does the attacker gain (+2)?
c) How can HttpOnly cookies defend against the above threat? (+2)
2. (5 pts) You are responsible for a webshop that ships the following form to let authenticated (logged-in) users place an order via HTTPS.
a) This form is unprotected against a certain attack type. Which? (+1)
b) What could attackers achieve by abusing this insecure form? (+2)
c) How can you fix this vulnerability? (+2)