Final Exam
Solutions updated May 2021 by CS161 SP21 course staff.
Print your name: , (last) (first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct on this exam will be reported to the Center for Student Conduct and may lead to an “F” grade for the course.
Sign your name:
Print your class account login: cs161- and SID:
Your TA’s name:
Number of exam of person to your left:
Number of exam of person to your right:
You may consult two sheets of notes (each double-sided). You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted. Please write your answers in the spaces provided in the test.
You have 180 minutes. There are 9 questions, of varying credit (600 points total). The questions are of varying difficulty, so avoid spending too long on any one question. Parts of the exam will be graded automatically by scanning the bubbles you fill in, so please do your best to fill them in somewhat completely. Don’t worry—if something goes wrong with the scanning, you’ll have a chance to correct it during the regrade period.
If you have a question, raise your hand, and when an instructor motions to you, come to them to ask the question.
Do not turn this page until your instructor tells you to do so.
Page 1 of 42
Problem 1 True/False (80 points) For each of the following, FILL IN THE BUBBLE next to True if the statement is correct, or next to False if it is not. Each correct answer is worth 4 points. Incorrect answers are worth 0 points. Answers left blank are worth 1 point.
(a) Thanks to strong cryptography, a TLS connection to your bank is secure even if their web server’s TCP/IP implementation has a buffer overflow vulnerability.
True False
Solution: False. TLS secures communication between you and your bank so that nobody except you and the bank can read or modify messages sent in the connection. However, TLS does not secure the bank’s server. If the bank’s server is vulnerable, someone can hack into the bank and read or modify your communications.
(b) Thanks to strong cryptography, a TLS connection to your bank is secure even if your home router’s TCP/IP implementation has a buffer overflow vulnerability.
True False
Solution: True. A key property of TLS is how it provides end-to-end security: two systems can communicate using TLS without having to trust any of the intermediaries that forward their traffic. Thus, even if an attacker completely pwns your home router, the worst they can do to you is deny you service to your bank.
Note that this answer is different from the last question because the home router is not one of the ends in the end-to-end secure communication. The two ends are your computer/browser and the bank server.
(c) Protecting against Kaminsky blind spoofing attacks requires servers to implement a new version of the DNS protocol.
True False
Solution: False. There is no new version of the DNS protocol that defends against the Kaminsky attack. (DNSSEC does defend against the Kaminsky attack, but it’s more like a variation of the DNS protocol than a new version of DNS.)
(d) Using DNSSEC to resolve example.com guarantees authenticity and integrity on subsequent HTTP connections to example.com, but not confidentiality.
True False
allow and would allow any unspecified or unfamiliar input.
(i) A malicious website can execute a successful clickjacking attack even if the victim website uses HTTPS and the user’s browser correctly implements the same origin policy.
True False
Solution: True. HTTPS defends against network attackers and secures communications between the victim and the malicious website, but it does not defend against the malicious website sending malicious data to the victim. The same-origin policy prevents two different websites from communicating with each other, but in this scenario, there’s only one relevant website (the malicious website).
As an example, the malicious website might be a file downloading website that has a legitimate download button and a second, larger, more visible fake download button. If the user clicks on the fake download button, the clickjacking attack has been executed, and HTTPS and the same-origin policy did not defend against the attack.
(j) A secure hash function will not produce any collisions.
True False
Solution: False. Hashes map infinitely many inputs to finitely many outputs: any arbitrary-length string can be hashed, but the output is restricted to the finite space of fixed-length strings. Since the input space is larger than the output space, the hash function must produce collisions. (Think pigeonhole principle.) A secure hash function instead has the guarantee that it is computationally infeasible to find a collision. The collisions exist, but it’s impossible to find one in any reasonable amount of time.
(k) Recall that secure-cookies are cookies which the browser will only transmit over HTTPS connections. Using HTTPS and secure-cookies is one way to prevent clickjacking attacks.
True False
Solution: False. As explained above, HTTPS does not defend against clickjacking attacks. Clickjacking does not necessarily need cookies to succeed, so secure cookies aren’t a defense against clickjacking. The scenario above (fake download button) doesn’t involve cookies at all, for example.
(l) Suppose Alice has signed up for text-message two factor authentication on bank.com. If bank.com randomly generates a long number (e.g., a 16-digit number) for its 2FA codes and an attacker doesn’t hijack Alice’s phone number, then Alice’s bank.com account is secure against phishing attacks.
True False
Solution: False. Consider the following attack: Alice clicks on a malicious website impersonating bank.com and types her password into the website. The attacker opens the real bank.com and enters Alice’s password. The legitimate website will send Alice a code in response to the attacker’s login request. At the same time, the malicious website now asks Alice to enter her 2FA code. Alice sees the code on her phone and enters it into the malicious website. The attacker now has Alice’s code and can enter it into the real bank.com, completing the login as Alice.
(m) For AES-CBC encryption, the IV does not need to be kept secret.
True False
Solution: True. The IV is sent in plaintext as part of the ciphertext.
(n) For AES-CTR encryption, the IV does not need to be kept secret.
True False
Solution: True. The IV is sent in plaintext as part of the ciphertext.
(o) If all messages are the same length and a message is never repeated, then it is secure to re-use the same one-time-pad for encryption.
True False
Solution: False. Reusing the one-time pad leaks information. For example, consider pad k and two messages m1 and m2 that are the same length and never repeated. If the attacker sees the encryption of the two messages with the same key, m1 ⊕ k and m2 ⊕ k, then they can deduce the XOR of the two messages: (m1 ⊕ k) ⊕ (m2 ⊕ k) = m1 ⊕ m2.
(p) To securely store user passwords, a server should use AES to encrypt each user’s password and only store the ciphertexts in its database.
(t) The Slammer worm spread extra-fast because each infected instance of the worm kept increasing its scanning speed.
True False
Solution: False. The Slammer worm was extra-fast because the malicious code of the worm was extremely small. The entire worm fit in one UDP packet, so it took only a single UDP packet transmission to infect another computer.
Problem 2 Multiple Choice (74 points)
(a) (6 points) Suppose an attacker steals the private key of a website that uses TLS, and remains undetected. What can the attacker do using the private key? Mark ALL that apply.
Decrypt recorded past TLS sessions that used RSA key exchange.
Successfully perform a MITM attack on future TLS sessions.
Decrypt recorded past TLS sessions that used Diffie–Hellman key exchange.
None of these.
Solution: RSA TLS does not have forward secrecy, so an attacker who steals the private key can decrypt recorded past RSA TLS sessions. (The attacker uses the private key to decrypt the premaster secret sent over the handshake. Then they use the decrypted premaster secret and the two random nonces sent over the handshake to derive the symmetric keys. Then they can use the symmetric keys to decrypt communications.)
Diffie-Hellman TLS does have forward secrecy, so an attacker who steals the private key cannot decrypt recorded past Diffie-Hellman TLS sessions. (The premaster secret g^(ab) mod p is never sent over the handshake in Diffie-Hellman TLS. Only g^a mod p and g^b mod p are sent, and an attacker who knows the private key and those two values cannot learn the premaster secret because the discrete log problem is hard.)
The attacker can perform a MITM attack on future TLS sessions. In RSA TLS, the attacker decrypts the premaster secret as it’s sent over the handshake, as described above. In Diffie-Hellman TLS, the attacker performs a Diffie-Hellman MITM to force both the client and server to derive premaster secrets that the attacker knows. In both cases, the attacker now knows the premaster secret and can use it with the nonces (sent in plaintext over the handshake) to derive the symmetric keys. With the symmetric keys, the attacker can decrypt and modify communications.
(b) (6 points) DNSSEC provides which of the following security properties for DNS responses? Mark ALL that apply.
Confidentiality
Integrity
None of these
Authentication
Availability
This will help Alice defend herself against some phishing attacks
None of these
Solution: The relevant security principle is considering human factors: visiting URLs like g00gle.com that are maliciously designed to look like legitimate URLs is a human mistake. Least privilege is not relevant, because Alice isn’t given any special privileges in this scenario.
Checking the URL carefully prevents against phishing attacks, where the attacker tries to impersonate a legitimate website (possibly by using a similar URL). Checking the URL does not directly prevent CSRF attacks. It can help defend against some CSRF attacks (because they often require the victim to visit an attacker’s website to generate the forged request), but it does not prevent the main vulnerability of CSRF attacks, which is that the server can’t distinguish between legitimate and forged requests from the victim.
DNS spoofing is a networking attack and is unrelated to carefully checking URLs (a web security defense).
(e) (6 points) Alice is trying to visit maps.google.com and neither her machine nor her local resolver has any entries in their DNS caches. In the following, assume that google.com subdomains use HTTPS and are on the predefined HSTS (HTTP Strict Transport Security) list in Alice’s browser. You do not need to worry about attacks on availability, nor attacks based on stealing private keys, malware infections, or obtaining a fraudulent google.com certificate. Mark ALL that apply.
For DNSSEC to work securely, the root and .com zones will need to sign their NS and glue/additional records.
For DNSSEC to work securely, the root and .com zones will need to encrypt their NS and glue/additional records.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against DNS spoofing attacks.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against MITM attacks.
Because google.com subdomains are on the predefined HSTS list, Alice’s visit to maps.google.com is secure against ssl-strip attacks.
None of these apply.
Solution: Many students found this problem difficult. DNSSEC does not protect NS and glue/additional records in any manner. It doesn’t need to because its focus is on assuring the correctness of the final result (i.e., object security), not how the client gets the result.
The presence on the HSTS list means that the visit to maps.google.com will definitely occur using HTTPS. Given that, no DNS spoofing attack can fool Alice into visiting a different site unless the attacker has obtained a fraudulent certificate (which is ruled out in the framing of the problem).
Similarly, the guaranteed use of HTTPS secures Alice’s visit against MITM attacks.
Finally, ssl-strip attacks rely on the user’s visit initially using HTTP rather than HTTPS. The use of HSTS will prevent such an initial visit from occurring.
Note on object security (compared to channel security):
Channel security: secure the letter while it is in transit between post offices (but not while it is stored)
Object security: the letter has a digital signature to make sure it hasn’t been modified (either in transit or in storage)
Depending on how it’s used, signing/verifying helps with both defending against tampering while the data is in transit along a network link and tampering while the data is stored or processed on a particular machine. The signing/verifying procedure from the crypto section ensures some channel security because no one can tamper with the message without being detected (though you need some more encryption to guarantee confidentiality), as well as protection against modification while the data is in storage because you can use Alice’s public key to verify that the message is actually from Alice. This didn’t quite give us full object security in DNSSEC because we couldn’t verify Alice’s public key in the first place, which is why we create a chain of trust that ensures that the nameservers we’re talking to aren’t compromised and are providing the correct public keys.
Notice that if you only use channel security between each pair of post offices, and a letter goes through multiple post offices before reaching its destination, there are two threats: the letter might be tampered with while it is being processed (or stored) at a particular office, and one of the post offices might be malicious and might replace the letter with an entirely different letter. Channel security doesn’t protect against either of those threats. Object security does.
(f) (8 points) Gandalf is surfing the web and visits the URL http://gondor.berkeley.edu. Assume that neither his machine nor his local resolver has any entries in their DNS caches, and that berkeley.edu is the authoritative name server for all berkeley.edu
gondor.berkeley.edu with HTTP (no HTTPS), the MITM could modify content.
(g) (6 points) A border firewall’s primary purpose is (Mark ONE):
Block incoming VPN connections.
Prevent CSRF attacks.
Detect buffer overflows.
Prevent XSS attacks.
Prevent a network intruder inside the network from spreading internally.
None of these.
Solution: A border firewall’s primary purpose is to control which systems and which types of connections are allowed across the site’s border. It does not focus on attack detection; generally allows, rather than hinders, incoming VPN connections; and cannot contain a network intruder already inside the network from spreading internally, since that spread does not transit the site’s border.
(h) (8 points) Which of the following attacks might allow an attacker to steal one of your browser cookies (Mark ALL that apply):
Reflected XSS
Stored XSS
Clickjacking
None of these
Buffer overflow
TLS downgrade
DDoS
Solution: Both types of XSS allow the attacker to run JavaScript in your browser. JavaScript can access your cookies (assuming the HttpOnly attribute is not set) and steal them. A buffer overflow would allow the attacker to execute arbitrary code on your machine. Depending on where the overflow is located, it may be able to access your cookies. For example, a buffer overflow in the implementation of your browser would probably be able to steal your cookies. A TLS downgrade attack would cause you to use an outdated, possibly insecure version of TLS in your connection. This would let the attacker decrypt your TLS communications, which contain cookies.
A common mistake was to select Clickjacking. While clickjacking can cause user input (clicks or keystrokes) to go where the user did not intend it to go, these misdirections still result in HTTP requests that follow the usual rules regarding whether and which cookies to send.
A DDoS attack targets availability (i.e., it makes some resource unavailable), but this doesn’t help the attacker steal cookies.
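The solutions to 1(k) and 2(h) turn on two cookie attributes: HttpOnly, which keeps page JavaScript (and therefore XSS) from reading a cookie, and Secure, which keeps the browser from sending it over plain HTTP. As an added check that is not part of the exam, the following Python audits Set-Cookie headers for both; the header lines are constructed samples, not from any real site.

```python
def parse_set_cookie(header):
    """Split one 'Set-Cookie: name=value; Attr; Attr=val' header line into
    the cookie name and the lower-cased set of its attribute names."""
    _, value = header.split(":", 1)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    return name, attrs


def audit_cookies(headers):
    """Map each cookie name to the exposures its missing attributes create,
    in terms of the attacks discussed above (XSS, plain-HTTP interception)."""
    findings = {}
    for h in headers:
        if not h.lower().startswith("set-cookie:"):
            continue  # other response headers are irrelevant here
        name, attrs = parse_set_cookie(h)
        issues = []
        if "httponly" not in attrs:
            issues.append("no HttpOnly: readable via document.cookie, "
                          "so an XSS payload can exfiltrate it")
        if "secure" not in attrs:
            issues.append("no Secure: also sent over plain HTTP, "
                          "so a network attacker can read it")
        findings[name] = issues
    return findings


# Constructed sample response headers (not from the exam or a real server).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: prefs=dark; Path=/",
    "Set-Cookie: csrftoken=xyz789; Secure; SameSite=Strict",
]

if __name__ == "__main__":
    for cookie, issues in audit_cookies(SAMPLE_HEADERS).items():
        print(cookie, "->", issues or ["ok"])
```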
(i) (6 points) Alice and Bob want to communicate over an insecure channel using one of the following schemes, where M is the message in plaintext. Which scheme should they use in order to avoid padding oracle attacks? Assume that (1) all of the algorithms are secure, and (2) MAC and Sign do not leak anything about M. Mark ALL that apply.
Enc(M ), MAC(M )
Enc(M || MAC(M ))
None of these
Enc(M ), MAC(Enc(M ))
Enc(M ), Sign(M )
Solution: Recall from Project 2 that in padding oracle attacks, the attacker modifies the ciphertext in some cleverly chosen fashion, asks the client to decrypt it, and then observes whether the decryption process caused an invalid-padding error. If the attacker can observe whether such an error occurred, then this leaks partial information; after repeating this many times, an attacker can piece together all of these clues to deduce what the original message must have been.
To defend against padding oracle attacks, the recipient must be able to verify the integrity of the ciphertext before decrypting it. That is, the MAC / signature must be computed over the ciphertext, and not the plaintext. Hence, only Enc(M), MAC(Enc(M)) is correct; in the others, the integrity of the message can only be verified after decrypting the ciphertext.
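To make the ordering point concrete, here is an added Python toy (not from the exam or from Project 2) that implements Enc(M || MAC(M)) and Enc(M), MAC(Enc(M)) side by side, with HMAC-SHA256 as the MAC and a SHA-256 keystream standing in for AES; keys, IV and message are constructed. It shows that under MAC-then-encrypt a tampered ciphertext produces either a padding error or a MAC error depending on where it was modified, which is exactly the observable difference a padding oracle needs, while under encrypt-then-MAC every tampered ciphertext is rejected identically before any decryption happens.

```python
import hashlib
import hmac

BLOCK = 16  # padding block size, as for AES-CBC
# Constructed demo keys, IV and message; real code draws keys and IV from a CSPRNG.
K_ENC = b"demo-encryption-key-0123456789ab"
K_MAC = b"demo-mac-key-0123456789abcdef012"
IV = bytes(range(16))
MSG = b"transfer $100 to Bob"

class PaddingError(Exception): pass  # the event a padding oracle exposes
class MacError(Exception): pass

def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("invalid padding")
    return data[:-n]

def stream_xor(key, iv, data):
    # Toy SHA-256 counter keystream standing in for AES; as with CBC or CTR,
    # flipping a ciphertext byte changes the corresponding plaintext byte.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + iv + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def tag(data): return hmac.new(K_MAC, data, hashlib.sha256).digest()

# Enc(M || MAC(M)): the tag is checked only after decrypt + unpad, so the
# receiver's two failure modes are distinguishable from the outside.
def send_mte(msg):
    return stream_xor(K_ENC, IV, pad(msg + tag(msg)))
def recv_mte(ct):
    plain = unpad(stream_xor(K_ENC, IV, ct))  # PaddingError escapes here
    msg, t = plain[:-32], plain[-32:]
    if not hmac.compare_digest(t, tag(msg)):
        raise MacError("bad tag")
    return msg

# Enc(M), MAC(Enc(M)): the tag covers IV and ciphertext, so any tampering is
# rejected before decryption ever touches the padding.
def send_etm(msg):
    ct = stream_xor(K_ENC, IV, pad(msg))
    return ct + tag(IV + ct)
def recv_etm(blob):
    ct, t = blob[:-32], blob[-32:]
    if not hmac.compare_digest(t, tag(IV + ct)):
        raise MacError("bad tag")
    return unpad(stream_xor(K_ENC, IV, ct))

def observe(recv, blob, index):
    # Flip one ciphertext byte and report what the receiver's reaction reveals.
    b = bytearray(blob); b[index] ^= 0xFF
    try:
        recv(bytes(b))
        return "ok"
    except PaddingError:
        return "padding"
    except MacError:
        return "mac"

def compare():
    # (last ciphertext byte flipped, first byte flipped) under each scheme
    mte, etm = send_mte(MSG), send_etm(MSG)
    return {"mte": (observe(recv_mte, mte, -1), observe(recv_mte, mte, 0)),
            "etm": (observe(recv_etm, etm, -33), observe(recv_etm, etm, 0))}
```

compare() returns {"mte": ("padding", "mac"), "etm": ("mac", "mac")}: the MAC-then-encrypt receiver's error type depends on the plaintext, the encrypt-then-MAC receiver's does not.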
(j) (6 points) Let S be a publicly available trusted service that knows the public keys of all users. Alice communicates with S to obtain Bob’s public key using the following protocol:
In step 1, Alice sends along her identity A and asks S for Bob’s public key. In step 2, S responds by returning Bob’s public key KB along with his identity B, and signs the message.
Which of the following attacks is this protocol vulnerable to? Mark ALL that
so, even though it’s flawed in a different way. We allowed full credit for answers that included Option 3 providing no other options (other than Option 1+2) were selected, and only the correct option was selected for the previous question.
Problem 3 Bypassing ASLR (48 points) Mallory is trying to perform a return-to-libc attack on a simple stack buffer overflow vulnerability. She wants to overwrite the return address of the vulnerable function with the address of the system function, and pass it an arbitrary command argument. But the system she wants to attack has ASLR enabled, so &system (the address of system) is different every time.
Wanting to explore this further, Mallory writes the simple program:
#include <stdio.h>
#include <stdlib.h>   /* declares system() */
#include <stdint.h>

int main(void) {
    /* Print where libc's system() was loaded in this run of the process. */
    printf("system is at 0x%x\n", (unsigned)(uintptr_t)&system);
    return 0;
}
She runs this five times, with ASLR enabled, and gets the following output:
system is at 0xbf9d7f
system is at 0xbf9d7f
system is at 0xbf9d7f
system is at 0xbf9d7f
system is at 0xbf9d7f
(a) (16 points) She shouts “Eureka! It won’t work every time, but I can easily break this now!”. What did Mallory learn? How can she use it to successfully exploit the buffer overflow with a return-to-libc attack?
Solution: The implementation of ASLR has insufficient entropy — &system appears to have no more than one byte of randomness, so Mallory learned that just by repeatedly trying a manageable number of times, she can eventually luck upon the correct address of system.
Full credit required conveying the notion of exploiting repeated attempts to eventually make a correct guess.
(b) (8 points) What is the probability that Mallory will succeed if she has 1 chance to perform her return-to-libc attack?
Solution: If there is one byte of randomness, then the probability for a single attack to succeed is 1/256. There might even be less randomness; in the output Mallory saw, the high bit in the bottom byte of the address never varied, so the probability might be as much as 1/128.
If the probability is 1/256, then it will take Mallory an expected 128 tries to guess correctly if her failed guesses do not cause re-randomization due to crash-and-restart, or an expected 256 tries if they do.
Fill the 16-byte buffer. Note the shell comment character (##) at the end.
    sudo rm -rf / ##
Overwrite the SFP in order to get to the RIP (next line).
    AAAA
Guess at &system (byte order reversed to account for little-endianness).
    \x14\x7f\x9d\xbf
Dummy value in the stack position where a proper IA- call would have pushed $eip to become the stored $rip. The system function’s assembly code will expect 4 bytes to proceed the arguments on the stack (by “proceed”, we mean appear in lower memory addresses). This is the address that system() will return to. For this attack, it doesn’t matter that the value is bogus since system() waits for the shell to finish executing, at which point Mallory has presumably completed her attack.
Address of memory storing the attack string argument (argv[1]). This is what system() will read as its argument.
    \x07\x07\x07\x
Getting this answer fully correct was quite difficult. We awarded partial credit for specifying various parts.
Problem 4 Attacks on TLS (72 points) Recall the TLS protocol, depicted in the figure below. We use the following notation: {M}K denotes a message M encrypted using the key K. [M]K^-1 denotes a message M along with a signature over M using the key K^-1.
Client                                    Server
 1. ClientHello                  ------>
 2.                              <------  ServerHello
 3.                              <------  Certificate
 4.                              <------  ServerKeyExchange
 5.                              <------  ServerHelloDone
 6. ClientKeyExchange            ------>
 7. ChangeCipherSpec, Finished   ------>
 8.                              <------  ChangeCipherSpec, Finished
 9. Application Data             ------>
10.                              <------  Application Data
Figure 1: TLS 1.2 Key Exchange
(a) (24 points) Suppose the client and server use RSA to exchange the premaster secret. Mallory intercepts the ClientKeyExchange message and replaces P S with a fake value P S′. Assume that Mallory can modify the messages after ClientKeyExchange as well, if required. Which of the following are true? Mark ALL that apply.
Mallory will be able to decrypt the application data sent by the client to the server.
Mallory will be able to decrypt the application data sent by the server to the client.
The server will detect the tampering when it receives ClientKeyExchange.
Mallory can avoid detection until the server receives Finished from the client, at which point she’ll be detected.
Mallory can avoid detection until the client receives Finished from the server, at which point she’ll be detected.
None of these