程序代写CS代考 SQL scheme python x86 javascript dns chain compiler Java cache algorithm Popa & 2019

Popa & 2019
Print your name:
CS 161 Computer Security
,
(last)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in partial or complete loss of credit.
Sign your name:
Print your SID:
Name of the person Name of the person sitting to your left: sitting to your right:
You may consult three double-sided, handwritten sheet of paper of notes. You may not consult other notes or textbooks. Calculators, computers, and other electronic devices are not permitted.
Bubble every item completely. Avoid using checkmarks or Xs. If you want to unselect an option, erase it completely and clearly.
For questions with circular bubbles, you may select only one choice. Unselected option (completely unfilled)
Only one selected option (completely filled)
For questions with square checkboxes, you may select one or more choices. You can select
multiple squares (completely filled).
If you think a question is ambiguous, please come up to the front of the exam room to the TAs. If we agree that the question is ambiguous we will announce the clarification to everyone.
You have 170 minutes. There are 10 questions of varying credit (125 points total).
Do not turn this page until your instructor tells you to do so.
Final Exam
(first)
Page 1 of 22

Problem 1 Potpourri is unhealthy (20 points) (a) (2 points) True or False: Modern web browsers protect against clickjacking by using the
same-origin policy to prevent sites from putting other origins into an iframe. True False
(b) (2 points) True or False: The primary danger of XSS vulnerabilities is that they let an attacker execute Javascript on the victim machine without having the victim visit the attacker’s website.
True False
(c) (2 points) True or False: Even if you carefully inspect all links that you click, you can still be vulnerable to a CSRF attack.
True False
(d) (2 points) True or False: For most common implementations of session cookies (as seen in lecture and on the project), a SQL injection can let an attacker steal the sessions of other users.
True False
(e) (2 points) True or False: If a script is loaded from another origin using a script tag, the same-origin policy prevents this script from reading the cookies on the current page.
Final Exam
Page 2 of 22
CS 161 – Spring 2019
True
False

Final Exam
Page 3 of 22 CS 161 – Spring 2019
(f) (2points) Somearchitecturesprohibitexecutingunalignedmachinecodeinstructions.Thismakes it harder for an attacker to perform (1) , which often chains together “gadgets” found by jumping to the middle of instructions.
(g) (2 points) In certificate transparency, after a certificate authority signs a certificate, they submit the signed certificate to a certificate transparency log. They receive a(n) (1) in return. If the signed certificate is not in the log after a certain amount of time, certificate authorities can use this to prove malicious or incorrect behavior of the log.
(h) (2 points) The use of trusted boot systems and signed code helps prevent (1) , which is malcode that often hides in the BIOS and operating system.
(i) (2 points) At the beginning of their life cycles, computer worms grow (1) , but as time goes on it becomes harder to find new victims and the worm growth slows.
(j) (2 points) Tor is fundamentally vulnerable against timing attacks conducted by global adversaries because it is supposed to be (1) .
(1):
(1):
(1):
(1):
(1):

Problem 2 Welcome to the Wonderful World of (14 points) People of earth, boys and girls, children of all ages, welcome to the wonderful world of block cipher, symmetric encryption, and hash functions!
(a) There are two symmetric encryption schemes, 𝖲𝗒𝗆𝖤𝗇𝖼𝖠 and 𝖲𝗒𝗆𝖤𝗇𝖼𝖡. Both implement valid encryption / decryption on a message / ciphertext, but one of them may be insecure.
Bob wants to combine these two schemes to avoid the risk of using a failed encryption scheme. He proposes the following combinational construction.
Construction I: The ciphertext of the message 𝑀 consists of two parts: 1. The first part of the ciphertext 𝐶𝑝𝑎𝑟𝑡−1 = 𝖲𝗒𝗆𝖤𝗇𝖼𝖠.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘; 𝑀).
2. The second part of the ciphertext 𝐶𝑝𝑎𝑟𝑡−2 = 𝖲𝗒𝗆𝖤𝗇𝖼𝖡.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘; 𝑀). 3. That is, the ciphertext is 𝐶 = (𝐶𝑝𝑎𝑟𝑡−1, 𝐶𝑝𝑎𝑟𝑡−2).
⋄ Question: Is the Construction I secure if at least one of the symmetric encryption schemes is secure? Why?
• If yes, fill the corresponding circle, and provide a concise description of why it can hide the message.
• If no, fill the corresponding circle, and provide a concise description of a counterexample. Please answer within 4 lines.
Yes. No. Please answer within the following four lines.
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
Final Exam Page 4 of 22 CS 161 – Spring 2019

Final Exam
Page 5 of 22 CS 161 – Spring 2019
(b) Bob proposes another combinational construction. Construction II: To encrypt message 𝑀, there are two steps:
1. The intermediate value 𝐼 = 𝖲𝗒𝗆𝖤𝗇𝖼𝖠.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘;𝑀), which means it encrypts 𝑀 directly under key 𝑘. This intermediate value is not the ciphertext.
2. The final ciphertext 𝐶 = 𝖲𝗒𝗆𝖤𝗇𝖼𝖡.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘; 𝐼 ), which means it encrypts the intermediate value under key 𝑘.
3. That is, the ciphertext is 𝐶 = 𝖲𝗒𝗆𝖤𝗇𝖼𝖡.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘; 𝖲𝗒𝗆𝖤𝗇𝖼𝖠.𝖤𝗇𝖼𝗋𝗒𝗉𝗍(𝑘; 𝑀))
⋄ Question: Is the Construction II secure if at least one of the symmetric encryption schemes is
secure? Why?
• If yes, fill the corresponding circle, and provide a concise description of why it can hide the message.
• If no, fill the corresponding circle, and provide a concise description of a counterexample.
Yes. No.
Please answer within 4 lines.
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________
______________________________________________________________________ (c) You accidentally fell into a trap and entered the 8th floor of .
On the wall the following sentences appear:
No block cipher provides IND-CPA confidentiality because they must be deterministic. No hash function provides IND-CPA confidentiality because they must be deterministic. No HMAC provides IND-CPA confidentiality because …
No digital signature provides IND-CPA confidentiality because ….
Some words on the last two lines are missing.
⋄ Question: What do you think the reasons should be? (Answer within the lines)


No HMAC provides IND-CPA confidentiality because:
______________________________________________________________________
No digital signature provides IND-CPA confidentiality because:
______________________________________________________________________
______________________________________________________________________

(d) To make RSA signatures secure, we can apply a cryptographic hash function 𝐻 over the message 𝑀 , where the output of the hash function is a non-negative integer in {0, 1, …, 2256 − 1}. We know that this hash function 𝐻 must be second-preimage resistant; otherwise, another message 𝑀′ ≠ 𝑀 can be found that also matches the signature.
Later, the RSA signature is computed as follows:
𝑑
(mod 𝑛),
𝑠𝑖𝑔 = 𝐻 (𝑀)
where 𝑛 is the RSA modulo, (𝑒, 𝑛) forms the RSA public key, (𝑑, 𝑛) forms the RSA private key, and 𝑒𝑑 ≡ 1 (mod 𝜙(𝑛)), where 𝜙(𝑛) is Euler’s totient function.
Alice wonders whether she can customize her hash function. She creates another function 𝐻′, modified from 𝐻 :
𝐻′(𝑥) = 𝐻(𝑥) − 𝐻(′′Alice′′) (mod 2256).
⋄ Question: Can we use 𝐻 ′ instead of 𝐻 for RSA signature for every possible message that Alice
might sign?
Yes. No.
And explain within the line: ______________________________________________________________________
Final Exam Page 6 of 22 CS 161 – Spring 2019

Problem 3 Low-level Denial of Service (8 points) In this question, you will help Mallory develop new ways to conduct denial-of-service (DoS) attacks.
(a) CHARGENandECHOareservicesprovidedbysomeUNIXservers.ForeveryUDPpacketarriving at port 19, CHARGEN sends back a packet with 0 to 512 random characters. For every UDP packet arriving at port 7, ECHO sends back a packet with the same content.
Mallory wants to perform a DoS attack on two servers. One with IP address 𝐴 supports CHARGEN, and another with IP address 𝐵 supports ECHO. Mallory can spoof IP addresses.
i. Is it possible to create a single UDP packet with no content which will cause both servers to consume a large amount of bandwidth?
• If yes, mark ‘Possible’ and fill in the fields below to create this packet. • If no, mark ‘Impossible’ and explain within the provided lines.
Possible
If possible, fill in the fields:
Source IP: Source port:
If impossible, why?
Impossible
Destination IP: Destination port:
______________________________________________________________________
______________________________________________________________________
ii. Assume now that CHARGEN and ECHO are now modified to only respond to TCP packets (post-handshake) and not UDP. Is it possible to create a single TCP SYN packet with no content which will cause both servers to consume a large amount of bandwidth?
• If yes, mark ‘Possible’ and fill in the fields below to create this packet. • If no, mark ‘Impossible’ and explain within the provided lines.
Possible
If possible, fill in the fields:
Source IP: Source port: Sequence #:
Impossible
Destination IP: Destination port: Ack #: N/A
Final Exam
Page 7 of 22 CS 161 – Spring 2019
If impossible, why? ______________________________________________________________________ ______________________________________________________________________

(b) A typical web server maintains a connection after receiving each TCP connection request. Write down the the name of the transport layer attack that can cause denial-of-service on the web server which works by consuming a large amount of server memory.
______________________________________________________________________
Final Exam Page 8 of 22 CS 161 – Spring 2019

Problem 4 OTP-KE (9 points) Alice and Bob want to communicate securely. They come up with a new key exchange protocol, inspired by the Diffie-Hellman key exchange but based on the security properties of the one-time pad. Assume 𝐸𝐾(𝑀) is a one-time-pad with message 𝑀 and key 𝐾. The two of them randomly generate 𝐴 and 𝐵, which will be their own unique one-time pad keys. Alice also generates a truly random key 𝑆, which is the symmetric key she and Bob want to agree on and will be used for further communication after the key exchange.
To execute the protocol, Alice uses one-time-pad encryption to encrypt 𝑆 using her secret key 𝐴, then sends 𝐸𝐴(𝑆) to Bob. Bob encrypts the resulting message using his secret key and sends back 𝐸𝐵 (𝐸𝐴(𝑆)). Alice decrypts that message and sends back 𝐷𝐴 (𝐸𝐵 (𝐸𝐴(𝑆))).
Please answer each of the following questions in three sentences or less. Longer responses will not get credit.
(a) Explain how Alice and Bob can agree on 𝑆 based on this protocol.
(b) Is this protocol secure against a passive attacker?
Yes No
If yes, explain why. If no, provide an attack.
(c) Is this protocol secure against an active attacker?
Yes No
No explanation needed.
Final Exam Page 9 of 22
CS 161 – Spring 2019

Problem 5 Private set intersection (13 points) Suppose Alice has a list of 𝑛 integers 𝑎1, 𝑎2, … , 𝑎𝑛; and Bob has a list of 𝑛 integers as well 𝑏1, 𝑏2, … , 𝑏𝑛. Each integer is only 16 bits long.
(a) Alice wants to know if they have any numbers in common, i.e., if there exist 𝑖, 𝑗 such that 𝑎𝑖 = 𝑏𝑗 . Bob applies a function 𝐹 to each of his numbers, and sends the list 𝐹(𝑏1),𝐹(𝑏2),…𝐹(𝑏𝑛) to Alice.
i. Which of the following choices of 𝐹 allows Alice to identify whether Bob has a 𝑏𝑗 that is equal to some element 𝑎𝑖 in Alice’s list? 𝑘 is a shared symmetric key.
𝐹(𝑥) = SHA-256(𝑥) 𝐹(𝑥) = AES-CBC𝑘(𝑥)
Final Exam
Page 10 of 22
CS 161 – Spring 2019
𝐹(𝑥) = SHA-256(𝑥||𝑟), where 𝑟 is 256 bits long and randomly chosen per 𝑥
𝐹(𝑥) = SHA-256(𝑥||𝑘) 𝐹(𝑥) = AES𝑘(𝑥) None of the above
ii. Which of the following choices of 𝐹 ensure that Alice can only identify the 𝑏𝑗 values that are equal to some element 𝑎𝑖 in Alice’s list? Alice should not be able to identify the value of 𝑏𝑗 if it is not equal to some value in her list.
𝐹(𝑥) = SHA-256(𝑥)
𝐹(𝑥) = SHA-256(𝑥||𝑟), where 𝑟 is 256 bits
long and randomly chosen per 𝑥 𝐹(𝑥) = AES𝑘(𝑥)
𝐹(𝑥) = AES-CBC𝑘(𝑥) 𝐹(𝑥) = SHA-256(𝑥||𝑘) None of the above

Final Exam
Page 11 of 22 CS 161 – Spring 2019
(b) NowsupposethatAliceandBobbothwishtolearnthecommonelementsintheirlists.Tothisend, they engage in a new protocol inspired by Diffie/Hellman. They agree on a large prime number 𝑝. Alice chooses a secret value 𝛼 uniformly at random from the set {1, 2, 3, … , 𝑝 − 2, 𝑝 − 1}. Bob follows the same procedure to choose a secret value 𝛽. They then exchange four messages sequentially, as follows. (𝐻 is a secure hash function.)
1. 2. 3. 4. i.
ii.
Alice → Bob: (𝐻(𝑎 ))𝛼,(𝐻(𝑎 ))𝛼,…,(𝐻(𝑎 ))𝛼 (all modulo 𝑝) 12𝑛
Bob → Alice: (𝐻(𝑏 ))𝛽,(𝐻(𝑏 ))𝛽,…,(𝐻(𝑏 ))𝛽 (all modulo 𝑝) 12𝑛
Alice → Bob: ??????????????????????????????????? Bob → Alice: ???????????????????????????????????
What values should Alice and Bob send to each other in steps 3 and 4? They should be able to identify values that exist in both their lists. They should not be able to identify any value in the other person’s list if is not equal to some value in their own list.
3. Alice → Bob: ____________________________________________________________
4. Bob → Alice: ____________________________________________________________
Now suppose that Bob decides to cheat in step 4. Instead of sending the correct message to Alice, he wishes to make Alice believe that their lists are identical. Alice follows the protocol as before, and does not expect Bob to cheat.
⋄ Question: What values should Bob send to Alice in step 4 to achieve this? ________________________________________________________________________

Problem 6 Network Security (20 points) Answer the following questions about network security.
(a) Bob connects his laptop to the DeCafe coffee shop’s Wifi, which anyone nearby can join without a password. He browses to the website http://www.foocorp.com. At the table next to him is an evil attacker, Mallory, who has also joined the DeCafe Wifi network. What kind of threat model best describes Mallory when she first joins the network, with respect to Bob’s connection with DeCafe router’s?
Off-path attacker In-path attacker
On-path attacker None of these
(b) Bob returns home and types into his browser www.foocorp.com. Suppose that Mallory has managed to poison the DNS cache on Bob’s laptop, such that it now thinks the IP address of www.foocorp.com is 6.6.6.6, which is the IP address of a server that Mallory controls.
Final Exam
Page 12 of 22 CS 161 – Spring 2019
Mallory will be unable to steal Bob’s cookies for http://www.foocorp.com if http://www.foocorp.com uses HTTP- Only cookies.
Mallory will be unable to steal Bob’s cookies for http://www.foocorp.com if http://www.foocorp.com uses a CSP policy that only allows scripts to be loaded from sources on foocorp.com
Mallory will be unable to steal foocorp.com cookies marked with the secure flag.
Mallory will be unable to inject JavaScript into http://www.foocorp.com
Mallory will be unable to steal Bob’s foocorp.com cookies if foocorp.com uses HTTPS and Bob’s browser checks cer- tificate transparency logs over HTTPS.
Mallory will be unable to steal Bob’s cook- ies if foocorp.com uses HTTPS and Bob’s browser has previously received an HSTS header.
None of the above
(c) Suppose that foocorp.com domain has the following four subdomains:
(www, alphabet, sushi, money).
The attacker knows that foocorp.com has only four subdomains but does not know any of their names, and wishes to discover the subdomains using the zone enumeration attack discussed in class.
⋄ Question: Assuming every DNS server uses plain NSEC, what is the minimum number of queries the attacker needs to make to foocorp.com’s nameservers in the worst-case for the attacker?
01234
5 6 to 10 11 to 24 25 to 35 ≥ 36

Final Exam
Page 13 of 22
CS 161 – Spring 2019
(d) Suppose that a user Alice is browsing the Internet at home and Mallory is an on-path attacker. In which of the following scenarios will Mallory be able to identify whether or not Alice is visiting a website on foocorp.com?
Alice’s machine and local DNS resolver ran- domize the source port of DNS queries; foocorp.com’s NS server use DNS (with- out DNSSEC); foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with plain NSEC; foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with NSEC3; foocorp.com does not use HTTPS
Alice’s machine and local DNS resolver use a fixed source port for every DNS query; foocorp.com’s NS server uses DNSSEC with NSEC3; foocorp.com uses HTTPS
None of the above
(e) FooCorp has chosen to use very short TTLs in all of their DNS responses. Which of the following statements are true?
Short TTLs help protect against attacks where FooCorp’s DNS servers have been compromised
Assuming all DNS servers used DNSSEC with plain NSEC, then FooCorp’s decision to use short TTLs will increase the amount of work that the DNS servers of FooCorp’s parent zone need to perform
Short TTLs increase the number of requests FooCorp’s DNS servers need to support
Short TTLs help protect against DNS cache poisoning attacks by an on-path attacker
Short TTLs help protect against blind- spoofing attacks
None of the above
(f) FooCorp hosts all of its servers on machines provided by CheapCloud: a large, but unreliable, cloud hosting provider. CheapCloud suffers from two major problems: (i) they have frequent data breaches; and (ii) they often need to assign new IP addresses to their customers’ servers. Nevertheless, CheapCloud promptly notifies their customers whenever either of these events occurs.
⋄ Question: Which of the following designs or techniques can FooCorp use to help mitigate some of the security issues caused specifically by CheapCloud’s poor environment?
FooCorp uses plain DNS and sets short TTLs for all of its DNS responses
FooCorp uses RSA-based TLS with certifi- cate pinning
FooCorp uses DNSSEC with plain NSEC
FooCorp uses DHE-based TLS, but does not use certificate pinning
FooCorp uses DNSSEC with NSEC3 None of the above

Final Exam
Page 14 of 22
CS 161 – Spring 2019
(g) Suppose foocorp.com, .com, and the root DNS servers all use DNSSEC. An attacker has com- promised the .com zone’s DNS servers and stolen just the .com Zone Signing Key (ZSK). Once .com manages to remove the attacker, which of the following steps should be taken to prevent an attacker from using the stolen ZSK to forge DNS responses after all existing signatures have expired?
foocorp.com will need to update its RRSIG records
foocorp.com will need to update its DNSKEY records
foocorp.com will need to update its DS records
foocorp.com will need to update its Key Signing Key
.com will need to update its DNSKEY records
.com will need to update its RRSIG records `.’ (the root zone) will need to update its
DNSKEY records
`.’ (the root zone) will need to update its
DS records for .com None of the above

Problem 7 Detection to Surveillance (7 points) The “No Such Agency” is looking to build a new surveillance system designed to detect “bad dudes”. They want to deploy this system at a single location on the network that they identified as a hub for international communication.
(a) Oneproposeddetectorhasafalsepositiverate(FPR)of𝑋,andafalsenegativerate(FNR)of𝑌,and the other proposed detector has a FPR of 𝑌 and a FNR of 𝑋 . Let 𝐶𝑃 be the cost of a false-positive, 𝐶𝑁 be the cost of a false negative, and 𝑝 be the fraction of malicious communications. Assume the detectors are otherwise identical.
⋄ Question: For what value of 𝑝 are the two systems equally preferred (as a function of 𝑋 , 𝑌 , 𝐶𝑃 and 𝐶𝑁 )?
𝑝=
Ungraded scratch space for calculations:
(b) Someone else suggests alerting at random: a random system will alert with probability 𝑟, and will not alert with probability (1 − 𝑟). Find the false-positive and the false-negative rates of this system.
FPR = FNR =
Ungraded scratch space for calculations:
Final Exam Page 15 of 22 CS 161 – Spring 2019

Problem 8 Virtual Tables, Real Fun (16 points) The following code runs on a 32-bit x86 system.
1 2 3 4 5 6 7 8
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
#include
int main() { FILE ∗fp;
char buf[8];
fp = fopen(“outis”, “rb”); fread(buf, sizeof char, 12, fp);
fclose ( fp ) ; }
Behind the hood, the FILE struct is implemented in stdio.h as follows:
struct _IO_FILE ; /∗ implementation omitted ∗/
typedef struct {
struct _IO_FILE ufile ; struct _IO_jump_t ∗ vtable ;
} FILE;
struct _IO_jump_t {
size_t (∗fread)(void ∗, size_t , size_t , FILE ∗); size_t (∗fwrite)(void ∗, size_t , size_t , FILE ∗); int (∗fclose)(FILE ∗);
/∗ more members below omitted ∗/
};
int fclose(FILE ∗fp) { return fp−>vtable−>fclose(fp); } /∗ more implementations below omitted ∗/
Make the following assumptions:
1. No memory safety defenses are enabled.
2. The compiler does not perform any optimizations, reorder any variables, nor add any padding in between struct members.
3. The implementation of the function fopen has been omitted. Assume a sensible implementation of fopen that initializes the ufile and vtable fields of the FILE struct to sensible values.
Final Exam Page 16 of 22 CS 161 – Spring 2019

(a) Running the program in gdb using invoke -d as in Project 1, you find the following: • &buf = 0xbf608040
• &fp = 0xbf608048
• sizeof(struct _IO_FILE) = 32
You wish to prove you can exploit the program by having it jump to the memory address 0xdeadbeef.
Complete the Python script below so that its output would successfully exploit the program. Note: The syntax \xRS indicates a byte with hex value 0xRS.
#!/usr/bin/env python2
import sys
sys.stdout.write(‘\x_____\x_____\x_____\x_____’ + \
‘\x_____\x_____\x_____\x_____’ + \
‘\x_____\x_____\x_____\x_____’)
(b) Now you wish to write an exploit script, such that running it will successfully exploit the program. You save your code from part (a) as a script called egg. The vulnerable program is called hack_me. Which of the following code snippets is a valid exploit script?
#!/bin/bash
./egg | invoke hack_me
#!/bin/bash
outis=$(./egg)
invoke hack_me $outis
#!/bin/bash
invoke -e outis=$(./egg) hack_me
#!/bin/bash
./egg > outis
invoke hack_me
(c) Which of the following defenses would stop your attack in part (a) from exploiting the program by jumping to memory address 0xdeadbeef? Assume 0xdeadbeef is at a read-only part of memory.
Stack canaries
ASLR which does not randomize the .text segment (as in Project 1)
WˆX
ASLR which also randomizes the .text seg- ment
(d) (Consider this question independently from part (c).) Now consider that we move the variables fp and buf outside of the main function, as follows:
1 2 3 4
#include
char buf[8]; /∗ &buf = 0x08402020 ∗/
FILE ∗fp; /∗ &fp = 0x08402028 ∗/
int main() { /∗ rest of main is the same, but no variables ∗/ }
Final Exam
Page 17 of 22
CS 161 – Spring 2019
True or False: It is possible to modify the exploit in part (a) to exploit this modified program.
True
False

Problem 9 Hacking the 161 Staff (10 points)
After months of development, the CS 161 staff is ready to unveil their new course homepage at http://cs161.org. Each TA has their own account and, after authenticating on http://cs161.org/login, can update any student’s grade on the final exam by making an HTTP GET request to:
http://cs161.org/updatefinal?sid=&score=
where is the student ID, and is the student’s new exam score (as a number – without
the percent sign).
(a) Mallory is a student in CS 161, with the student ID of 12345678. She wants to use a CSRF attack to change her exam score to 100 percent. She overhears her TA mention in discussion that he likes to visit http://cool-web-forum.com which Mallory happens to know does not properly sanitize HTML in user inputs.
⋄ Question: Give an input which Mallory can post to the forum in order to execute a CSRF attack to change her exam score, assuming there are no CSRF defenses on cs161.org.
______________________________________________________________________
______________________________________________________________________
(b) The TA then visits the web forum, yet Mallory’s grade does not change. Mallory deduces that the 161 staff must have included a defense for CSRF on their webpage. Not one to be deterred, Mallory decides to attempt her attack again.
The login page has an open redirect: It can be provided a webpage to automatically redirect to after the user successfully authenticates. For example the URL:
http://cs161.org/login?to=http://google.com would redirect any logged in user to http://google.com.
Using this information, Mallory crafts the following attack—replacing your URL in part (a) with the following URL:
http://cs161.org/login?to=http://cs161.org/updatefinal?sid=12345678&score=100
A few minutes later, Mallory observes that her final grade is changed to a 100 percent. Which of the following are CSRF defenses that Mallory might have circumvented?
Final Exam
Page 18 of 22
CS 161 – Spring 2019
Origin checking Referer checking CSRF tokens
Content-Security-Policy Prepared statements Session cookies
Cookie policy Same-origin policy None of the above

(c) The 161 staff update their site to better protect against CSRF. Mallory now notices that the website contains a profile page for each member of the 161 staff, reachable from the URL
http://cs161.org/staff?name=
where is replaced with each staff member’s name. If the provided does not corre- spond to a member of the 161 staff, then instead a page is loaded with a message stating “Sorry, but there is no TA named !”
Suspecting that this website might be vulnerable to reflected XSS, Mallory visits the following URL:
http://cs161.org/staff?name=
A Javascript popup immediately appears on her screen. Mallory smiles, realizing that she can weaponize this to login as her TA. She returns to the web forum that her TA frequently visits and posts a link.
Assume that Mallory’s TA will click on any link that he sees on the web forum, and assume that Mallory controls her own website http://mallory.com.
⋄ Question: How can Mallory pull off her attack and login as her TA? Make sure to include the link she posts on the forum in your answer. If you assume that Mallory’s website has any scripts running, you must define what they are and what inputs they take in.
Final Exam Page 19 of 22 CS 161 – Spring 2019

Problem 10 Evil TLS (8 points)
(a) AcompanywantstoprotecttheirwebserverbyinstallinganewNIDSthatwillman-in-the-middle and decrypt all HTTPS traffic sent to its web server. The connections are end-to-end encrypted between the clients and the web server, and the NIDS is installed at a location that can see all the encrypted traffic. The NIDS could be passive (only inspects traffic), or it could be active (dropping or injecting packets). If the company gives the NIDS access to the TLS private key for the server, the NIDS will be able to decrypt a TLS connection to the web server if the connection uses. . .
RSA TLS, and the NIDS is passive.
Ephemeral Diffie- LS, and the NIDS is passive.
RSA TLS, and the NIDS is active.
Ephemeral Diffie- LS, and the NIDS is active.
(b) Imagine that we modify the TLS handshake as follows. Now, the server will be the first to send its nonce 𝑅𝑠. Then, the browser will send both its nonce 𝑅𝑏 and the encryption {𝑃𝑆}𝐾𝑠𝑒𝑟𝑣𝑒𝑟 of a fresh random 𝑃𝑆 value to the server. Finally, browser and server compute 𝑅𝑠 ⊕ 𝑅𝑏 ⊕ 𝑃𝑆 and use this as the only input to the PRNG. The cipher and integrity keys for the connection will depend only on 𝑃𝑅𝑁𝐺(𝑅𝑠 ⊕𝑅𝑏 ⊕𝑃𝑆).
True or False: This modified handshake is vulnerable to a replay attack. True False
If yes, fill in the messages that would be sent when performing a replay attack. If not, explain why the scheme is still secure.
⋄ If yes, fill in the messages:
1. Server sends nonce: 𝑅𝑠1
2. Browser sends nonce: 𝑅𝑏1
3. Browser sends encrypted pre-master secret: 𝐸1 = {𝑃𝑆1}𝐾𝑠𝑒𝑟𝑣𝑒𝑟 4. …
5. Server sends nonce: __________________________________ 6. Browser sends nonce: __________________________________
7. Browser sends encrypted pre-master secret: __________________________________
8. …
⋄ If no, explain on these lines (concisely):
____________________________________________________________________________
____________________________________________________________________________
____________________________________________________________________________
Final Exam Page 20 of 22 CS 161 – Spring 2019

Selected C Manual Pages
FILE *fopen(const char *pathname, const char *mode);
The fopen() function opens the file whose name is the string pointed
to by _pathname_ and associates a stream with it. If _mode_ is “rb”,
this opens the text file for reading. The stream is positioned at the
beginning of the file.
size_t fread(void *ptr, size_t size, size_t nmemb, FILE *stream);
The function fread() reads _nmemb_ items of data, each _size_ bytes long,
from the stream pointed to by _stream_, storing them at the location
given by _ptr_.
size_t fwrite(void *ptr, size_t size, size_t nmemb, FILE *stream);
The function fwrite() writes _nmemb_ items of data, each _size_ bytes
long, to the stream pointed to by _stream_, obtaining them from the
location given by _ptr_.
int fclose(FILE *stream);
The fclose() function flushes the stream pointed to by _stream_ and
closes the underlying file descriptor.
Final Exam Page 21 of 22 CS 161 – Spring 2019

.
Figure 1: Actual actual reality: nobody cares about his secrets. (Also, I would be hard-pressed to find that wrench for $5.)
(Also, why would anyone use a public key algorithm for disk encryption?)
Final Exam Page 22 of 22 CS 161 – Spring 2019