Raluca & 2016
CS 161 Computer Security
Final Exam
Print your name: , (last)
(first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct on this exam will be reported to the Center for Student Conduct and may lead to an “F” grade for the course.
Sign your name:
Print your class account login: cs161- and SID:
Your TA’s name:
Number of exam of person to your left:
Number of exam of person to your right:
You may consult two sheets of notes (each double-sided). You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted. Please write your answers in the spaces provided in the test.
You have 180 minutes. There are 11 questions, of varying credit (200 points total). The questions are of varying difficulty, so avoid spending too long on any one question. Parts of the exam will be graded automatically by scanning the bubbles you fill in, so please do your best to fill them in somewhat completely. Don’t worry—if something goes wrong with the scanning, you’ll have a chance to correct it during the regrade period.
If you have a question, raise your hand, and when an instructor motions to you, come to them to ask the question.
Do not turn this page until your instructor tells you to do so.
Question: 1 2 3 4 5 6 7 8 9 10 11 Total
Points: 46 16 24 16 16 12 12 19 12 12 15 200
Score:
Page 1 of 18
“Ransomware is the greatest thing to ever happen to computer security, all thanks to anarchist crypto nerds who wanted magic internet money.” -Securi
Exam Page 2 of 18 CS 161 – FA 17
Problem 1 True or false (46 points)
Circle True or False. Do not justify your answer.
(a) True or False: The same origin policy allows https://www.amazon.com to access the resources of http://www.amazon.com.
(b) True or False: Framebusting is a defense against cookie tracking.
(c) True or False: The httpOnly flag of a cookie mitigates XSS attacks because it ensures the browser sends the cookie only over https.
(d) True or False: Javascript running on the outer frame of a website can always access the resources of an inner frame in the page.
(e) True or False: Two Javascript scripts embedded in pages running in two different tabs on a user’s browser can never access the resources of each other.
(f) True or False: All CAs in your browser need to be trustworthy in order to be protected via TLS (assume no certificate pinning).
(g) True or False: If you obtained the long-term private key of a party in a TLS connection, you can decrypt past TLS connections if the server uses DHE for the key exchange.
(h) True or False: TLS does not hide who the communicating parties are from an observer.
(i) True or False: AES-ECB mode (encrypting each block separately with the block cipher and the same IV) is IND-CPA.
(j) True or False: Cryptographic hash functions do not have any collisions.
(k) True or False: User chosen passwords are good seed values for a PRG.
(l) True or False: A website that rejects all user input that contains , a user viewing the post in script mode would see the alert, whereas a user not browsing in script mode would see sanitized output.
(a) Their initial release of the feature has users enter script-mode by navigating to https://facepalm.com/script-mode, whereas normal browsing navigates to https://facepalm.com/no-script-mode. They quickly notice scripts popping up to steal the cookies of users who enter script-mode. How could they change the cookies they set for users such that attackers would not be able to steal cookies? Answer in one sentence.
(b) After implementing this change, attack-scripts no longer steal cookies, but they quickly notice scripts popping up that send users’ private information (i.e. birthday, apps visited, etc.) over to https://evil.com. The FacePalm admins decide that users browsing in script-mode should not be allowed to view their own private content. They decide to switch the URLs that users browse to: now to browse in script-mode, users visit https://script-mode.facepalm.com, whereas for normal browsing, users now visit https://no-script-mode.facepalm.com, and to view private content, users visit https://no-script-mode.facepalm.com/private. Why can attackers no longer steal private information?
(c) After the change in part b, FacePalm notices scripts that force users to post annoying copypasta. After seeing “I am still getting ya” posted for the fifteenth time, the FacePalm admins decide to put an end to it, so they restrict post-content requests to no-script-mode domains (i.e. users must request https://no-script-mode.facepalm.com/post in order to post content, and there is no script-mode equivalent endpoint). However, they notice that benign users still end up posting annoying messages to https://no-script-mode.facepalm.com/post. What type of vulnerability is FacePalm likely facing here, and how could they solve this issue?
Problem 8 Diagnosing Heartbleed (19 points)
OpenSSL, a popular open-source implementation of TLS, was recently attacked by exploiting a vulnerability in its handling of heartbeat messages, which is now known as the Heartbleed vulnerability.
Someone decided that TLS should support its own “heartbeat” messages to maintain long term connections (in addition to TCP’s keepalives) and that these heartbeat messages should contain arbitrary content sent by the client and echoed back by the server.
The relevant, simplified implementation is as follows:
typedef struct {
    /* length of heartbeat message from client. This field is set by the server. */
    uint32_t length;
    /* contents of the heartbeat message. This is controlled by the malicious client. */
    uint8_t *data;
} SSL3_RECORD;

uint8_t *processHeartbeat(SSL3_RECORD *r) {
    /* message type e.g. HEARTBEAT; this field set by client */
    uint8_t type = *((uint8_t *) &r->data[0]);
    /* length of data; this field set by client */
    uint16_t len = *((uint16_t *) &r->data[1]);
    uint8_t *buf = malloc(len + 3);
    /* type of response */
    *((uint8_t *) &buf[0]) = HEARTBEAT_RESPONSE;
    /* response length equals client’s message length */
    *((uint16_t *) &buf[1]) = len;
    /* copy the client’s message verbatim */
    memcpy(buf + 3, r->data, len);
    /* return the message to be sent to the client */
    return buf;
}
Figure 1: Vulnerable Procedure
Observe that the SSL3_RECORD contains a pointer to data sent by the malicious client. The server populates the length field of SSL3_RECORD with the length of the data actually sent by the client. The data sent by the client contains the encoded message, with the first byte always specifying the type of message. For heartbeat messages, the type specifies that it is a heartbeat message, the next two bytes specify the length the client expects back, and the remaining bytes are the nonce the client sends.
(a) A vulnerability here makes the program leak large parts of its memory upon processing a heartbeat message. This is catastrophic as the memory may potentially have cryptographic keys, session cookies from other users, and other secrets. Describe the vulnerability and construct the exploit heartbeat message.
(b) What is the approximate maximum amount of memory (in kilobytes) that the attacker can read using one malicious heartbeat message?
(c) Would the use of stack canaries prevent this attack? Why?
(d) Would the use of DEP prevent this attack? Why?
(e) Would the use of ASLR prevent this attack? Why?
(f) Would the use of a memory-safe programming language prevent this attack? Why?
(g) Suggest a modification to the code that fixes this vulnerability while keeping the intended functionality of heartbeats.
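The heartbeat format described above (one type byte, a two-byte claimed length, then the nonce) can be processed defensively by checking the claimed length against the record's server-set length field before copying. The following is an added example, not part of the exam or of OpenSSL: processHeartbeatChecked and tryHeartbeat are hypothetical names, the values of HEARTBEAT_RESPONSE and the request type byte are assumed, and the copy starts after the 3-byte header so that only the nonce is echoed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HEARTBEAT_RESPONSE 2 /* assumed value; Figure 1 does not define it */
#define HB_HEADER 3          /* 1 type byte + 2 length bytes */

typedef struct {
    uint32_t length; /* bytes actually received; set by the server */
    uint8_t *data;   /* message bytes; controlled by the client */
} SSL3_RECORD;

/* Returns a malloc'd response of *out_len bytes, or NULL for a malformed record. */
uint8_t *processHeartbeatChecked(const SSL3_RECORD *r, size_t *out_len) {
    uint16_t len;
    *out_len = 0;
    if (r == NULL || r->data == NULL || r->length < HB_HEADER)
        return NULL; /* too short to hold the type and length fields */
    memcpy(&len, &r->data[1], sizeof len); /* host byte order, as in Figure 1 */
    if ((uint32_t)len > r->length - HB_HEADER)
        return NULL; /* claimed length exceeds the bytes received: drop it */
    uint8_t *buf = malloc((size_t)len + HB_HEADER);
    if (buf == NULL) return NULL;
    buf[0] = HEARTBEAT_RESPONSE;
    memcpy(&buf[1], &len, sizeof len);
    /* Echo only the nonce, which starts after the 3-byte header. */
    memcpy(buf + HB_HEADER, r->data + HB_HEADER, len);
    *out_len = (size_t)len + HB_HEADER;
    return buf;
}

/* Constructed test input: a heartbeat carrying `sent` nonce bytes while its
 * length field claims `claimed`. Returns the response size, or -1 if dropped. */
long tryHeartbeat(uint16_t claimed, uint32_t sent) {
    uint8_t msg[HB_HEADER + 64] = { 1 }; /* byte 0: assumed request type */
    size_t out_len;
    if (sent > 64) return -2; /* larger than this demo buffer */
    memcpy(&msg[1], &claimed, sizeof claimed);
    memset(msg + HB_HEADER, 'N', sent);
    SSL3_RECORD rec = { HB_HEADER + sent, msg };
    uint8_t *resp = processHeartbeatChecked(&rec, &out_len);
    if (resp == NULL) return -1;
    free(resp);
    return (long)out_len;
}

int main(void) {
    return tryHeartbeat(65535, 16) == -1 ? 0 : 1; /* over-claim must be dropped */
}
```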
Problem 9 Secure Broadcast (12 points)
Consider a server s that wishes to broadcast messages to clients c1,...,cn. We define secure broadcast to be a protocol where each client is guaranteed to receive messages that are generated by the server, i.e. we want to ensure that a client can indeed verify that the message comes from the server and from no one else.
(a) Consider a design where s shares the same symmetric key with all the clients (using an out-of-band secure channel). s attaches a MAC, computed using the symmetric key, to each message sent to the clients. Does this scheme guarantee integrity and authenticity? Explain why or why not.
(b) Consider a design where s shares a unique random key with each client (using a secure out-of-band channel) and then MACs all messages using this unique key. Does this scheme guarantee authenticity? (Ignore replay attacks here.)
(c) Suppose a client is unhappy about the message it gets from the server and would like to convince a judge that s sent him such a terrible message. Can the client convince the judge by showing the message and the MAC? If yes, explain why. If not, propose a fix.
Problem 10 Hunting block cipher chaining modes (12 points)
Unexcited about the block cipher chaining modes Alice learned in CS 161, especially CBC and CTR, she decides to create her own that also provides IND-CPA security. Let $B$ be a block cipher and denote by $B_k(p)$ the block cipher applied to plaintext $p$ with key $k$. Alice has come up with the block cipher chaining modes below and she needs your help to decide if they are IND-CPA or not. For each scheme below, say whether it is IND-CPA or not. If it is not IND-CPA, additionally give a concrete example of a piece of information the attacker learns about the plaintext from the ciphertext in this encryption scheme that he/she would not be able to learn from an IND-CPA-secure scheme.
Consider the plaintext $P = (P_1, P_2, \ldots, P_l)$ where the size of each $P_i$ is the block size of $B$. Let $\oplus$ be bitwise XOR.
(a) $\mathrm{Enc}_k(P) = (C_1, \ldots, C_l)$, where $C_i = B_k(i \oplus P_i)$.
(b) $\mathrm{Enc}_k(P) = (IV_1, C_1, \ldots, IV_l, C_l)$, where $C_i = B_k(IV_i \oplus P_i)$, and each $IV_i$ is generated randomly and independently of the other IVs.
(c) Let $IV = \mathrm{hash}(P)$, where hash is a cryptographic hash function (in particular, it is collision resistant). Assume the hash of $P$ fits exactly in the IV size. Let $C_0 = IV$. $\mathrm{Enc}_k(P) = (IV, C_1, \ldots, C_l)$, where $C_i = B_k(C_{i-1} \oplus P_i)$.
Problem 11 Sessions with localStorage (15 points)
Browsers support a feature called localStorage, which allows a website to save and load data on the user’s computer. The storage is a key-value database, which can be accessed by JavaScript code on a webpage. Data that is saved by one page can be accessed by any other page that comes from the same origin. Unlike cookies, data in localStorage is not automatically sent with any HTTP requests.
Consider building a website using localStorage to implement a session management system.
(a) Suppose the server receives an HTTP request containing correct credentials that authenticate a user. The server generates a random session token to be stored in the browser. However, the server doesn’t have direct access to localStorage.
Describe an HTTP response that the server can send in order to get the session token stored. You can either provide the code snippet or describe what the code should do.
(b) Next, the user loads a page with a form for executing an action while logged in. The page always has the exact same URL and HTML code, regardless of which user is logged in (this helps with caching performance).
Describe what could be included in the page to ensure that a form submission to the site’s server will include the user’s session token, as well as how the server would receive the session token. You don’t have to write actual code; assume that JavaScript code is capable of:
• Running when the page loads
• Running just before the browser submits a form
• Saving and loading data in localStorage
• Inspecting and modifying the contents of the webpage as it is interpreted by the browser (this is called the DOM or Document Object Model).
(c) Consider how an XSS vulnerability would affect the security of this session management system, compared to a session management system that stores a session token in a cookie. Could an attacker exploit an XSS vulnerability to steal the session token in this system? Could an attacker steal the session token if the site stored the session token in a cookie instead?
(d) Consider web-specific attacks, other than XSS, that an attacker might perform in order to have the site take action on behalf of the user without the user’s knowledge.
Name one type of attack that is a problem with using cookies and that using LocalStorage to record session IDs prevents.
(e) Name one type of attack other than XSS that is equally applicable to this system as it is to a system that uses cookies.