计算机代考程序代写 SQL scheme python x86 javascript dns database compiler Java cache algorithm 2021

(E) (F)
After a user successfully logs into their account, Bear Bank’s website sets a session_token cookie to track the user’s logged in status and allows users to transfer funds by making a GET request to https://bearbank.com/transfer.
Q4.4 (3 points) Which of the following cookie attributes would cause the session_token cookie to be sent in a request to https://bearbank.com/transfer? Select all that apply.
(G) Domain=bearbank.com; Path=/transactions
(H) Domain=bearbank.com; Path=/transfer; Secure
(I) Domain=auth.bearbank.com; Path=/login; HttpOnly; Secure
(J) None of the above
(K)
(L)
Q4.5 (3points) BearBankrealizesthattherearenoCSRFprotectionsonthetransferform,whichmeans attackers can steal money from users’ accounts.
Which of the following are reliable defenses against CSRF attacks? Select all that apply.
Clarification during exam: Everyone will receive credit for this question because we did not specify what it means for a defense to be “reliable.”
(A) Add a random CSRF token to the transfer form each time the page loads
(B) Check the referrer header on the server when processing the transfer form submission
(C) Move the transfer form to an iframe hosted at https://transfer.bearbank.com
(D) None of the above
(E)
(F)
The following subparts are independent of the previous subparts.
Tree Bank is different bank considering alternative security methods. Once a user is logged in, they can send HTTP requests to Tree Bank to make transactions. Each request contains a session token set by the server when the user first logged in. The requests do not contain any counters or timestamps. The requests are sent over HTTP (not HTTPS).
Eve is an on-path attacker.
Final Page 8 of 26 CS 161 – Spring 2021

Final
Page 9 of 26
CS 161 – Spring 2021
Q4.6 (4 points) Eve observes a single request from EvanBot to Tree Bank, which contains a transaction. What can Eve do? Select all that apply.
(G) Learn EvanBot’s session token
(H) Learn the contents of EvanBot’s transaction
(I) Learn EvanBot’s password
(J) Repeat EvanBot’s transaction
(K) None of the above
(L)
Q4.7 (4 points) Assume that the user knows Tree Bank’s public key, and Tree Bank’s corresponding private has not been compromised. Suppose that Tree Bank requires that the user encrypt the entire HTTP request (including the transaction and token) with the ElGamal scheme from lecture before sending it to the bank.
Eve observes a single encrypted request from EvanBot to Tree Bank, which contains a transaction. What can Eve do? Select all that apply.
(A) Learn EvanBot’s session token
(B) Learn the contents of EvanBot’s transaction
(C) Learn EvanBot’s password
(D) Repeat EvanBot’s transaction
(E) None of the above
(F)
Q4.8 (3 points) What is the best way for the bank to defend against Eve’s attacks, and what concept best describes the design flaw that allowed Eve to compromise EvanBot’s requests?
(G) Use DNSSEC. Don’t build your own crypto. (H) Use TLS. Don’t build your own crypto.
(I) Use DNSSEC. Security is economics.
(J) Use TLS. Security is economics.
(K) Use DNSSEC. Least privilege. (L) Use TLS. Least privilege.

Q5 TC sPeedy (15 points) To improve the speed of TCP, Alice suggests modifying the TCP protocol to allow data to be sent in the SYN and SYN-ACK packets during the 3-way handshake. The data in the SYN packet is immediately accepted by the server during the initial handshake (before the 3-way handshake finishes).
Clarification during exam: In sub-parts 4 and 5, in subsequent connections, the token is sent only in the SYN packet.
Q5.1 (3 points) Which of the following attacks are possible on this modified scheme? Select all that apply.
Clarification during exam: “Reliably”means that the attacker doesn’t have to guess any values. (A) An off-path attacker can reliably inject packets after a connection has been established.
(B) An off-path attacker can reliably execute a RST injection attack.
(C) An off-path attacker can fool the server into accepting some spoofed data.
(D) None of the above
(E)
(F)
Q5.2 (2 points) Alice notices that her modified scheme may be vulnerable to a DoS attack where the attacker sends a large data payload in the SYN packet without completing the TCP handshake. She proposes including SYN cookies as part of her modification.
True or False: SYN cookies provide a valid defense against the proposed DoS attack. (G) True (H) False (I) (J) (K) (L)
Q5.3 (4 points) Alice uses her modified 3-way handshake to form a TCP connection with a server. Assume that source port randomization is not in use.
What fields would an on-path attacker have to guess in order to inject some data from Alice’s client to the server?
(A) Client IP address and port (D) Client sequence number (B) Server IP address and port (E) None of the above
(C) Server sequence number
(F)
Alice modifies her protocol to use a cryptographic token. When a client and server connect for the first time:
1. The client sends a SYN packet with a token request.
Final Page 10 of 26 CS 161 – Spring 2021

2. The server generates a token using a MAC function with a key known only to the server and responds with a SYN-ACK packet to the client containing the token. The client and server both store the token.
3. The client responds with an ACK packet, as in normal TCP.
In subsequent connections, the client skips the 3-way handshake by sending the SYN packet with both the token and data (similar to Alice’s modification from previous parts). The server verifies the value of the token and acknowledges both the SYN and the data. The server may begin sending data to the client before receiving the client’s ACK as part of the handshake. The server rejects the SYN and data if the token is invalid.
Here are diagrams detailing the protocol:
Client
Server Client
Server
Initial handshake
Subsequent handshakes
Q5.4 (3 points) Which of the following attacks on TCP becomes more difficult with the addition of the token? Select all that apply.
(G) RST injection (J) None of the above (H) Blind hijacking (K)
(I) MITM hijacking
(L)
Q5.5 (3points) Amajorissuewiththisprotocolisthatitisvulnerabletoreplayattacks,asanadversary can spoof a connection by replaying the token. A potential workaround is to modify the TTL (time to live) of the token. Name one benefit and one drawback of using a shorter TTL rather than a longer TTL.
Enter your answer in the text box on Exam Tool.
Final Page 11 of 26 CS 161 – Spring 2021
SYN-ACK + token + data
SYN-ACK + data
SYN + token request
ACK
SYN + token + data
ACK

Q6 UnicornBox v2 (17 points) UnicornBox decides to implement 2-factor authentication (2FA).
The server stores a table of active codes with the following schema:
1 2 3 4 5
CREATE TABLE IF NOT EXISTS users ( username TEXT,
code TEXT,
−− Additional fields not shown.
);
When a user wants to log in:
1. The user logs in by making a POST request with their username and password.
2. The server randomly generates a 10-digit numerical code and stores it in the users table.
3. The server sets a cookie with name = auth_user and value = the user’s username in the user’s browser. The server also sends a text to the user’s phone with the code.
4. The user makes a GET request to https://unicornbox.com/confirm?code=$code, where $code is the code that was entered.
5. The server runs the SQL query SELECT username FROM users WHERE code = ‘$code’, where $code is the value submitted by the user.
6. The server checks that the value returned by the SQL query matches the username sent in the auth_user cookie in the request submitted by the user.
Clarification during exam: For all sub-parts, the user has an entry in the table. Clarification during exam: “CalCentral” should be “UnicornBox” in the question text.
Clarification during exam: In step 1, the server verifies the password and will not proceed if the password is wrong.
Q6.1 (5 points) Assume that evan is the name of an account in UnicornBox with an entry in the users table.
Construct an input for $code that would cause the SQL query in step 5 to return evan. Enter your answer in the text box on Exam Tool.
Q6.2 (4 points) How can you log in as evan without knowing their password? You may use PAYLOAD to reference your answer from the previous part.
Hint: You will need 2 steps. List both.
Enter your answer in the text box on Exam Tool.
Final Page 12 of 26 CS 161 – Spring 2021

Final
Page 13 of 26 CS 161 – Spring 2021
Q6.3 (4 points) Which of these defenses would stop your exploit from above? Select all that apply. (A) Using SQL prepared statements
(B) Rate limiting requests to the UnicornBox server
(C) Putting the hash of the username in the cookie instead of the username
(D) Using a 20-digit code instead of a 10-digit code
(E) None of the above
(F)
Q6.4 (4points) ConsideramodificationtoSteps5and6.IfthereareanyrowsreturnedbytheSQLquery, then the verification succeeds without checking the value of the returned username. However, the server returns an error without executing the query if the format of the code is not exactly 10 numerical digits.
True or False: The modified scheme is no longer exploitable using SQL injection. Briefly justify (1 sentence) your answer.
(G) True (H) False (I) (J) (K) (L) Enter your answer in the text box on Exam Tool.

Q7
Plaintext Feedback (15 points) Consider the “plaintext feedback” (PFB) mode where the encryption formula for ciphertext block Ci is given as follows:
C0 = IV
Ci =E(K,Pi)⊕Ci−1
E is AES encryption and D is AES decryption.
M1 M2 M3
IV
KKK
C1 C2 C3
Final
Page 14 of 26 CS 161 – Spring 2021
Encryption
Clarification during exam: IVs are always randomly generated and never reused in this question.
Clarification during exam: Mi in the encryption diagram refers to plaintext block Pi. Q7.1 (3 points) Which of these is the corresponding decryption equation?
(A)Pi =D(K,Ci ⊕Ci−1) (B)Pi =D(K,Ci ⊕Pi−1) (C)Pi =D(K,Pi ⊕Pi−1)
(D)Pi =E(K,Ci ⊕Ci−1) (E)Pi =E(K,Ci ⊕Pi−1) (F)Pi =E(K,Pi ⊕Pi−1)
Q7.2 (3 points) Alice and Bob are communicating using PFB mode. Alice encrypts and sends a 10-block message encrypted using PFB. Bob receives the message, but the 6th ciphertext block C6 is lost in transmission. Which blocks of plaintext can Bob recover? Assume Bob is aware that C6 was lost in transmission.
(G) Bob can recover all blocks of the message.
(H) Bob can recover all blocks up to and including P6, but no block after that. (I) Bob can recover all blocks up to and including P5, but no block after that. (J) Bob can recover all blocks except for P6 and P7.
(K) Bob can recover all blocks except for P6.
(L) Bob cannot recover any block of the message.
Encryption
Encryption

Final
Page 15 of 26
CS 161 – Spring 2021
Q7.3 (3 points) PFB mode is not IND-CPA secure. To prove this, the adversary will win the IND-CPA game against the challenger as follows:
First, the adversary sends two messages, P and P′. The first message P is 3 unique, randomly generated blocks, P = P1∥P2∥P3. Which of the following values of P ′ would allow the adversary to win the IND-CPA game?
(A) P ′ = P1′ ∥P1′ ∥P1′ , where P1′ is a randomly generated block
(B) P ′ = P1′ ∥P2′ ∥P3′ , where P1′ , P2′ , and P3′ are unique, randomly generated blocks
(C)P′ =P1∥P2∥P3
(D) P′ = P1′∥P2′∥P3′, where Pi′ is the same as Pi, but with the last bit flipped
(E) P′ = P1′∥P2′∥P3′, where Pi′ is the same as Pi, but every bit flipped
(F)
Q7.4 (3 points) The challenger sends back a ciphertext C = C0∥C1∥C2∥C3, which is an encryption of either P or P ′. Describe a strategy that the adversary should use to deduce whether P or P ′ was encrypted that would allow them to win the IND-CPA game with probability greater than 12 .
Enter your answer in the text box on Exam Tool.
Q7.5 (3 points) Which of the following are true about PFB mode? Select all that apply. (A) Decryption is parallelizable
(B) PFB provides integrity
(C) The plaintext must be padded to a multiple of the block length (D) None of the above
(E)
(F)

Q8 Caltopia DNS (21 points) EvanBot is trying to determine the IP address of caltopia.com with DNS. However, some attackers on the network want to provide EvanBot with the wrong answer.
Attacker 2
EvanBot
Attacker 1
Resolver
Attacker 3
.com nameserver
Final
Page 16 of 26
CS 161 – Spring 2021
Assumptions:
• Eachattackerisaman-in-the-middle(MITM)attackerbetweentheirtwoneighborsonthediagram above.
• No attackers can perform a Kaminsky attack.
• Standard DNS (not DNSSEC) is used unless otherwise stated.
• No private keys have been compromised unless otherwise stated.
• In each subpart, both EvanBot’s cache and the local resolver’s cache start empty.
• Each subpart is independent.
Clarification during exam: Assume that bailiwick checking is in use for this entire question.
In each subpart, EvanBot performs a DNS query for the address of caltopia.com.
Q8.1 (4 points) In this subpart only, assume the attackers only passively observe messages.
Q8.2
(3 points) Which of the attackers can poison the local resolver’s cached record for cs161.org by injecting a record into the additional section of the DNS response? Select all that apply.
Note: Attacker 1 has intentionally been left out as an answer choice.
Which of the attackers would observe an A record with the IP address of caltopia.com as a result of EvanBot’s query? Select all that apply.
(A) Attacker 1 (C) Attacker 3 (E) None of the above
(B) Attacker 2 (D) Attacker 4
(F)
(G) Attacker 2 (H) Attacker 3
(I) Attacker 4 (K)
(J) None of the above
(L)
Root nameserver
caltopia.com
nameserver
Attacker 4

Final
Page 17 of 26 CS 161 – Spring 2021
Q8.3 (4points) AssumethattheresolverandthenameserversallvalidateDNSSEC,butEvanBotdoesnot validate DNSSEC. Which of the attackers can poison EvanBot’s cached record for caltopia.com by modifying the DNS response? Select all that apply.
(A) Attacker 1 (C) Attacker 3 (E) None of the above
(B) Attacker 2 (D) Attacker 4
(F)
Q8.4 (5 points) In this subpart only, assume the attackers only passively observe messages.
Assume that everyone validates DNSSEC. Which of the following records would Attacker 3 observe as a result of EvanBot’s query? Select all that apply.
(G) DS record with hash of the .com name server’s public KSK
(H) DS record with hash of the caltopia.com name server’s public KSK
(I) A record with the IP address of caltopia.com
(J) A record with the IP address of the caltopia.com name server
(K) DNSKEY record with the .com name server’s public KSK
(L) None of the above
Q8.5 (3points) AssumethateveryonevalidatesDNSSEC,andthecaltopia.comnameserver’sprivate KSK has been compromised (i.e. all attackers know the caltopia.com name server’s private KSK). No other private keys have been compromised.
Can EvanBot trust that they received the correct IP address of caltopia.com? (A) Yes, because the ZSK that signs the A record has not been compromised
(B) Yes, because the trust anchor (the root’s KSK) has not been compromised
(C) No, because the compromised KSK can be used to sign a malicious A record
(D) No, because the compromised KSK can be used to sign a fake ZSK that is used to sign a malicious A record
(E) (F)
(2 points) True or False: DNSSEC prevents Attacker 4 from learning the IP address of caltopia.com.
Q8.6

Final
Page 18 of 26
CS 161 – Spring 2021
(G) True (H) False (I)
(J) (K) (L)

Q9
Mutuality
Recall the TLS handshake:
Client
(18 points)
1. Client sends 256-bit random number Rb and supported ciphers 2. Server sends 256-bit random number Rs and chosen cipher
3. Server sends certificate
4. DH: Server sends {g, p, ga mod p} −1
Server
5. Server signals end of handshake
6. DH: Client sends gb mod p RSA: Client sends {P S}
Client and server derive cipher keys Cb, Cs and integrity keys Ib, Is from Rb,Rs,PS
7. Client sends MAC(dialog, Ib) 8. Server sends MAC(dialog, Is)
9. Client data takes the form {M1, MAC(M1, Ib)}Cb 10. Server data takes the form {M2, MAC(M2, Is)}Cs
In TLS, we verify the identity of the server, but not the client. How would we modify TLS to also verify the identity of the client?
Clarification during exam: All parts of this question refer to a modified TLS scheme designed to verify the identity of the client.
Q9.1 (3 points) Which of these additional values should the client send to the server? (A) A certificate with the client’s public key, signed by the client’s private key
(B) A certificate with the client’s public key, signed by the server’s private key
(C) A certificate with the client’s private key, signed by a certificate authority’s private key
(D) A certificate with the client’s public key, signed by a certificate authority’s private key
(E)
(F)
Q9.2 (3 points) How should the client send the premaster secret in RSA TLS?
Final Page 19 of 26 CS 161 – Spring 2021
2. ServerHello
3. Certificate
4. ServerKeyExchange
5. ServerHelloDone
8. ChangeCipherSpec, Finished
10. Application Data
1. ClientHello
6. ClientKeyExchange
7. ChangeCipherSpec, Finished
9. Application Data

Final
Page 20 of 26
CS 161 – Spring 2021
(G) Encrypted with the server’s public key, signed by the client’s private key
(H) Encrypted with the client’s public key, signed by the server’s private key
(I) Encrypted with the server’s public key, signed by a certificate authority’s private key
(J) Encrypted with the client’s public key, signed by a certificate authority’s private key
(K)
(L)
Q9.3 (3 points) EvanBot argues that the key exchange protocol in Diffie- LS doesn’t need to be changed to support client validation. Is EvanBot right?
(A) Yes, because only the client knows the secret a, so the server can be sure it’s talking to the legitimate client
(B) Yes, because the server has already received and verified the client’s certificate
(C) No, the client must additionally sign their part of the Diffie-Hellman exchange with the client’s private key
(D) No, the client must additionally sign their part of the Diffie-Hellman exchange with the certificate authority’s private key
(E) (F)
Q9.4 (2 points) True or False: The server can be sure that they’re talking to the client (and not an attacker impersonating the client) immediately after the client and server exchange certificates.
(G) True (H) False (I) (J) (K) (L)
Q9.5 (3points) AtwhatstepintheTLShandshakecanboththeclientandserverbesurethattheyhave
derived the same symmetric keys?
(A) Immediately after the TCP handshake, before the TLS handshake starts
(B) Immediately after the ClientHello and ServerHello are sent (C) Immediately after the client and server exchange certificates (D) Immediately after the client and server verify signatures
(E) Immediately after the MACs are exchanged and verified
(F)

Final
Page 21 of 26
CS 161 – Spring 2021
Q9.6 (4 points) Which of these keys, if stolen individually, would allow the attacker to impersonate the client? Select all that apply.
(G) Private key of a certificate authority (H) Private key of the client
(I) Private key of the server
(J) Public key of a certificate authority (K) None of the above
(L)

Q10 Storefront
Consider the following vulnerable C code:
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(26 points)
void copy_string(char ∗dst , const char ∗src , size_t n) {
for (size_t i = 0; i < n + 1; i++) { dst[i] = src[i]; if (src[i] == ’\0’) { break ; } } } void add_to_store (char ∗ lst ) { char listing [256]; copy_string ( listing , lst , 256) ; printf("Contacting server to add: %s...\n", listing); contact_server_and_wait(listing); // Implementation not shown. } void invoke(char ∗ lst ) { add_to_store ( lst ) ; } int main ( void ) { char buf [4096]; do { fgets(stdin, buf, 4096); invoke ( buf ) ; } while (strcmp(buf, "exit") != 0); return 0; } Definitions of relevant C functions may be found on the last page of this exam. Assume you are on a little-endian 32-bit x86 system. Assume that there is no compiler padding or saved additional registers in all questions. For the first four parts, assume that no memory safety defenses are enabled. Clarification during exam: The strcmp function is identical to strncmp, except that it doesn’t take an argument n. Clarification during exam: There are no vulnerabilities present outside of the provided source code (so there are no vulnerabilities in contact_server_and_wait). Clarification during exam: Line 26 should be fgets(buf, 4096, stdin). Q10.1 (3 points) Which of the following memory safety vulnerabilities is present in this code? Final Page 22 of 26 CS 161 – Spring 2021 (A) Format string vulnerability (D) None of the above (B) Signed/unsigned vulnerability (C) Off-by-one (E) (F) Q10.2 (3 points) Which of the following values on the stack can be partially or completely overwritten by the call to copy_string at line 13? Select all that apply. Hint: Draw a stack diagram. (G) listing (J) None of the above (H) SFP of add_to_store (K) (I) RIP of add_to_store (L) Q10.3 (6 points) Assume that the address of listing is 0xcffb5030. Construct an input at Line 26 that would allow an attacker to execute malicious shellcode. You may reference the variable SHELLCODE as a 28-byte shellcode in your answer. Write your answer in Python 2 syntax (just like in Project 1). Enter your answer in the text box on Exam Tool. Q10.4 (3points) Yourexploitfromabovemaynotnecessarilyworkwithallpossibleaddressesoflisting. Provide one such address that would prevent your exploit from working. Write your answer in a format like 0xdeadbeef. Q10.5 Enter your answer in the text box on Exam Tool. (3 points) Which of the following techniques could an attacker use to execute malicious shellcode if W^X and no other defenses are enabled? Select all that apply. Final Page 23 of 26 CS 161 – Spring 2021 (A) Return-oriented programming (B) ret2esp (C) Server-side request forgery (D) None of the above (E) (F) Q10.6 (4 points) True or False: Stack canaries with no other defenses would prevent an attacker from executing malicious shellcode in this code (not necessarily using your exploit from above). Assume that all 4 bytes of the stack canary are randomized. Justify your answer. True False Enter your answer in the text box on Exam Tool. Q10.7 (4points) TrueorFalse:ASLRwithnootherdefenseswouldpreventanattackerfromexecuting malicious shellcode in this code (not necessarily using your exploit from above). Justify your answer. True False Enter your answer in the text box on Exam Tool. Final Page 24 of 26 CS 161 – Spring 2021 Q11 Cat (0 points) What is the name of Nick’s gray cat? Enter your answer in the text box on Exam Tool. Final Page 25 of 26 CS 161 – Spring 2021 Final Page 26 of 26 CS 161 – Spring 2021 C Function Definitions int strncmp(const char *s1, const char *s2, size_t n); The strncmp() function compares the first (at most) n bytes of two strings s1 and s2. It returns an integer less than, equal to, or greater than zero if s1 is found, respectively, to be less than, to match, or be greater than s2. char *fgets(char *s, int size, FILE *stream); fgets() reads in at most one less than size characters from stream and stores them into the buffer pointed to by s. Reading stops after an EOF or a newline. If a newline is read, it is stored into the buffer. A terminating null byte ('\0') is stored after the last character in the buffer