United States Naval Academy Electrical and Computer Engineering Department

EC310 Twelve Week Exam Spring 2015
April 2, 2015
EC310 - 12 Week Midterm – Spring 2015
1. Do a page check: you should have 8 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use two single-sided hand-written pages of notes.
5. Turn in your two single-sided hand-written pages of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.
Name: ____KEY________________
Instructor: ____________________
Problem   Topic                                Possible Points
1         Buffer Overflow                      16
2         Routing                              12
3         Ethernet and Address Resolution      28
4         IP and Man-in-the-Middle Attack      44
TOTAL                                          100
Page 1 of 9
Question 1 (16 pts). You are using a Linux system where no user has been granted sudo privileges. After typing in the command ls -l gethappy.exe you see:
[ls -l output not reproduced.] This file is owned by atwood who is a member of the group named instructor.
(a) (3 pts) You (midshipman) are not a member of the group instructor. What command would atwood have to enter to give you (and all other users) permission to read and execute the gethappy.exe file?
Answer: chmod o+rx gethappy.exe OR chmod o=rx gethappy.exe
(o+rx only adds the two bits; o=rx also clears any write permission "others" previously had. Either satisfies the question.)
1 point for chmod, 1 point for o+rx, 1 point for the file name.
The owner atwood then makes some changes to permissions and you now see:
Suppose that Evil Jose is executing the file gethappy.exe. He inserts malicious code onto the program's stack. His malicious code is 40 bytes long and is intended to open a command prompt. He guesses that his 40-byte exploit is on the stack at address bffff7d0, so he follows his exploit with several repetitions of this return address. The picture on the left indicates how Jose believes the stack is arranged.
Unfortunately (for him), Evil Jose guessed wrong about the location of his 40-byte exploit: it is actually stored starting at address bffff7cc. The picture on the right indicates how the stack is actually arranged. (Note that Jose did guess the correct location of where the return address is stored.)
Jose finds out that his attack is not working.
[Figures not reproduced: left, "What Evil Jose Believes the Stack Looks Like"; right, "Reality: The Actual Stack".]
(b) (6 pts) Explain how Evil Jose should have crafted his attack to successfully execute a buffer overflow
without needing to guess the exploit location exactly. Your answer should be no more than a few sentences,
and should indicate what specific tool or technique Evil Jose should have employed, and why this technique
would have helped him.
Correct student answer (the accompanying picture, not reproduced here, is not required):
Evil Jose should have prefaced his 40-byte exploit with a NOP sled. Since he does not know the exact location of the buffer in memory, a NOP sled allows him to be a little off with the return address: wherever in the sled execution lands, the processor slides through the NOPs into the start of the exploit. For example, if he had entered 8 NOPs, the return address bffff7d0 would have pointed 4 bytes into the sled and his attack would have worked.
Use judgment on grading. Give 3 points for mention of NOP sled and 3 points for a quasi-grammatical
explanation of how it helps.
Comment: In actuality, given how the stack was actually organized, 4 NOPs would have resulted in a
successful attack, but more than 24 NOPs would have led to failure for a different reason: the 40-byte
exploit would then start overwriting the return address.
Comments:
The problem: Jose's exploit fails because when the return address bffff7d0 is loaded into eip, execution starts four bytes into the exploit (not at the start of the exploit). Although Jose correctly overwrote the section of memory containing the return address, the value he chose as the new return address (bffff7d0) was not the location of the start of the exploit.
The student should get minimal points for saying: "Jose should change the return address to bffff7cc
so that execution begins at the start of his exploit." Recall that Jose does not know where his exploit is
located, and an exhaustive search of all possible return addresses is not a good and helpful tool/approach.
The student should get no points for saying: "Jose should have placed the starting location for his buffer
entry at a different location in memory." Recall that Jose has no control of where the compiler has
placed the target buffer in memory. Whatever he types into the buffer is going to begin at address
bffff7cc.
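To make the key's comment concrete (4 NOPs suffice, more than 24 fail, and why Jose's original payload missed by four bytes), here is an added Python model of the victim's stack frame. It is not part of the exam and is not real exploit code: 0xCC bytes stand in for the 40-byte shell-spawning code, and it assumes the saved return address sits 64 bytes above the start of the buffer, the smallest offset consistent with the key's statement that a 24-NOP sled still works. The two addresses are the ones in the question.

```python
import struct

# Values taken from the exam text
EXPLOIT_LEN = 40                # Jose's shell-spawning code is 40 bytes
ACTUAL_BUF = 0xBFFFF7CC         # where the typed input really lands
GUESSED_RET = 0xBFFFF7D0        # the address Jose repeats after his exploit (4 bytes too high)
NOP = 0x90                      # x86 one-byte no-op

# Assumption (not stated on the page): the saved return address is 64 bytes past the
# start of the buffer. A 24-NOP sled plus 40 exploit bytes then ends exactly at the slot,
# matching the key's remark that 25 or more NOPs start to clobber the return address.
RET_SLOT_OFFSET = 64


def build_payload(nops, exploit_len=EXPLOIT_LEN, ret=GUESSED_RET,
                  total_len=RET_SLOT_OFFSET + 16):
    """NOP sled, then placeholder exploit bytes, then the return address repeated
    (little-endian, as x86 stores it) until the payload is at least total_len bytes."""
    body = bytes([NOP]) * nops + b"\xCC" * exploit_len   # 0xCC stands in for shellcode
    if len(body) < total_len:
        copies = -(-(total_len - len(body)) // 4)          # ceiling division
        body += struct.pack("<I", ret) * copies
    return body


def where_execution_lands(payload, actual_buf=ACTUAL_BUF, ret_slot_offset=RET_SLOT_OFFSET):
    """Model the frame: the payload is copied upward from actual_buf; the function's
    'ret' then jumps to whatever 4 bytes ended up in the saved-EIP slot."""
    frame = bytearray(ret_slot_offset + 4)
    n = min(len(payload), len(frame))
    frame[:n] = payload[:n]
    return struct.unpack_from("<I", frame, ret_slot_offset)[0]


def attack_succeeds(nops, exploit_len=EXPLOIT_LEN, actual_buf=ACTUAL_BUF,
                    guessed_ret=GUESSED_RET, ret_slot_offset=RET_SLOT_OFFSET):
    """True when 'ret' lands inside the sled (or exactly at the exploit's first byte).
    If the exploit spilled into the return-address slot, or the repeated addresses
    ended up misaligned with the slot, the landing address is garbage and this is False."""
    payload = build_payload(nops, exploit_len, guessed_ret, ret_slot_offset + 16)
    landing = where_execution_lands(payload, actual_buf, ret_slot_offset)
    sled_start, exploit_start = actual_buf, actual_buf + nops
    return sled_start <= landing <= exploit_start


def working_sled_lengths(max_nops=64):
    """Every sled length that turns Jose's wrong guess into a working attack."""
    return [n for n in range(max_nops + 1) if attack_succeeds(n)]


if __name__ == "__main__":
    print("Jose's original payload jumps to", hex(where_execution_lands(build_payload(0))))
    print("sled lengths that work:", working_sled_lengths())
```

Two details the model surfaces that the key does not spell out: with no sled the jump lands four bytes into the shellcode, exactly as the comment says, and a sled whose length is not a multiple of four shifts the repeated return addresses out of alignment with the saved-EIP slot, so in this model only 4, 8, 12, 16, 20 and 24 NOPs succeed. Real payloads pad the sled to keep that alignment.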
(c) (3 pts) Suppose Evil Jose eventually gets his exploit to work, and opens a command prompt. When Evil
Jose performs this attack, whose command prompt opens? Explain.
Answer: A command prompt for atwood opens. Deduct 2 points for the answer "root".
Explanation: Since the setuid flag is set on this file, Jose is running the program as though he were the file's owner. If he then opens a command prompt, a command prompt for the file owner (atwood) is opened.
(Practical caveat: bash and most other shells reset the effective UID to the real UID at startup when the two differ, so working shellcode first calls setreuid() or setuid(geteuid()) to make the effective UID real before exec'ing the shell; otherwise the prompt that opens is Jose's own.)
(d) (4 pts) Explain how monitoring/checking of the eip register can prevent a program from being exploited by
a buffer overflow. Be specific.
The eip register should never hold an address outside the program's allotted text segment. Specifically, eip should never be permitted to hold an address in the stack's address range: if the overwritten return address points into the stack, the instruction fetch faults and the injected code never runs. This is the "non-executable stack" (NX/DEP) technical solution.
Use judgment on grading. No points should be given if the student does not present a solution that mentions the need to restrict the eip register to addresses within a certain range.
Question 2 (12 pts). Consider the network shown below, where the numbers on the links indicate the cost of
using that link. For example, the cost of using the link from Router A to Router B is 7. The network uses link
state routing.
(a) (6 pts) Sketch the Link State Packet (LSP) that is crafted by Router A. Fill in your answer in the table below.
LSP for Router A
Router   Weight
B        7
G        1
H        3
One point per entry. Deduct one point for each incorrect/superfluous entry. Grade cannot be less than zero.
(b) (6 pts) Router A sends an IP packet to Router D. What is the path that this packet traverses through the
network? (Your answer should consist of a series of routers, e.g.: "A-B-C-D").
Answer: A-G-B-E-C-D
One point per entry. Deduct one point for each incorrect entry.
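The exam's figure is not reproduced, so the link-state computation cannot be checked against it here. As an added example (not from the exam), the Python below runs Dijkstra over a constructed link-state database: Router A's LSP (B:7, G:1, H:3) is the one in the key, while every other LSP is an assumption chosen so that the toy topology reproduces the key's path A-G-B-E-C-D. It also includes the consistency check a practitioner wants when false routes are a concern (Question 4): a link that only one endpoint advertises is flagged.

```python
import heapq

# Constructed link-state database. Only Router A's entry comes from the exam; the rest is
# assumed so that the shortest A->D path is A-G-B-E-C-D, as in the key. Not the exam's figure.
LSDB = {
    "A": {"B": 7, "G": 1, "H": 3},
    "B": {"A": 7, "G": 1, "E": 2},
    "C": {"E": 2, "D": 1},
    "D": {"C": 1, "H": 10},
    "E": {"B": 2, "C": 2},
    "G": {"A": 1, "B": 1},
    "H": {"A": 3, "D": 10},
}


def build_lsp(router, links):
    """What a router floods to everyone else: its identity plus (neighbour, cost) pairs."""
    return {"router": router, "links": sorted(links.items())}


def dijkstra(lsdb, source):
    """Standard shortest-path-first over the flooded LSDB; returns distances and predecessors."""
    dist, prev, done = {source: 0}, {}, set()
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry
        done.add(u)
        for v, w in lsdb[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def shortest_path(lsdb, src, dst):
    """Path as the exam writes it ("A-G-B-E-C-D") plus its total cost."""
    dist, prev = dijkstra(lsdb, src)
    if dst not in dist:
        return None, float("inf")
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return "-".join(reversed(path)), dist[dst]


def check_symmetry(lsdb):
    """Return (u, v) pairs where u advertises a link to v that v does not advertise back
    with the same cost. A healthy LSDB returns []; a forged or stale LSP shows up here."""
    problems = []
    for u, links in lsdb.items():
        for v, w in links.items():
            if lsdb.get(v, {}).get(u) != w:
                problems.append((u, v))
    return problems


def forge_link(lsdb, u, v, w):
    """Copy of lsdb in which router u alone claims a link to v of cost w (one-sided, as a
    bogus LSP would be). Used to show what check_symmetry catches."""
    forged = {r: dict(links) for r, links in lsdb.items()}
    forged.setdefault(u, {})[v] = w
    return forged


if __name__ == "__main__":
    print(build_lsp("A", LSDB["A"]))
    print(shortest_path(LSDB, "A", "D"))
    print(check_symmetry(forge_link(LSDB, "H", "D", 1)))
```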
Question 3 (28 pts). Consider the 10 Mbps Ethernet used by the six users (five midshipmen and Evil Jose)
shown below. For each user, we show symbols denoting the IP address and Ethernet address. For example,
MIDN Happy has IP address A and Ethernet address U.
(a) (2 pts) How many bits are in an Ethernet address? Answer: 48. NPC
(b) (2 pts) What layer of the TCP/IP reference model does the bridge operate at? Answer: Data Link. NPC
(c) (4 pts) What is the effective data rate seen by MIDN Happy? Answer: 2.5 Mbps. Deduct 2 pts for 3.33 Mbps.
(d) (4 pts) If the bridge were to be replaced by a hub, what would be the effective data rate seen by MIDN Happy? Answer: 10 Mbps / 6 users = 1.67 Mbps. NPC
MIDN Happy now wants to send an IP packet to his friend MIDN GoLucky. He knows MIDN GoLucky's
IP address is C. To determine MIDN GoLucky's Ethernet address, MIDN Happy sends an ARP Request
Message.
(e) (3 pts) What Ethernet address is used as the destination address in the frame that contains the ARP Request Message in its data field? Answer: The broadcast address, FF:FF:FF:FF:FF:FF. NPC
(f) (3 pts) When an IP packet is placed in the data field of an Ethernet frame, the IP packet is said to be (choose one):
(i) Packetized
(ii) Encapsulated
(iii) Framed
(iv) Segmented
(v) Transported
Answer: (ii) Encapsulated. NPC
(g) (4 pts) After learning MIDN GoLucky's Ethernet address, MIDN Happy sends a 9001 byte IP packet to
MIDN GoLucky. How many Ethernet frames were needed to send this IP packet? Show work.
Answer: 9001/1500 = 6.0007, so seven frames are needed. Deduct one point for the answer "6".
(Strictly, each fragment carries its own 20-byte IP header, so only 1480 bytes of the original 9001-byte packet fit in each 1500-byte frame; ceil(8981/1480) is still 7.)
(h) (6 pts) Suppose that a number of ARP exchanges have taken place and all six users have a complete and
correct ARP cache, showing the correct IP address – Ethernet address pairings for all users.
MIDN Happy then launches an ARP spoofing attack against Evil Jose. After completing the attack, whenever a user sends an IP packet to Evil Jose, the IP packet will be sent to MIDN Happy instead.
To accomplish this attack, MIDN Happy sends an unsolicited ARP reply that contains an incorrect IP address - Ethernet address pairing.
Construct the complete ARP cache for MIDN GoLucky after the ARP spoofing attack is completed. Place
your answer in the table below. Use the IP address and Ethernet address symbols shown in the figure on the
previous page.
ARP cache for MIDN GoLucky
IP Address   Ethernet Address
A            U
B            U
C            W
D            X
E            Y
F            Z
Two points for the correct first line (MIDN Happy). Two points for the correct second line (Evil Jose). 2 points for the remaining lines.
No penalty if the midshipmen do not include the table entry for MIDN GoLucky (C - W).
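The cache above is the result of one unsolicited reply. The added Python below (not from the exam) replays that reply against two cache implementations: the classic one that accepts any reply, which produces exactly the table in the key, and a guarded one that accepts replies only for IP addresses it has actually asked about and refuses to overwrite an existing binding, which is the behaviour a static ARP entry or an arpwatch-style monitor gives you. The IP and Ethernet symbols are the exam's; Evil Jose's true Ethernet address V is assumed from the lettering, since the page never shows it.

```python
from dataclasses import dataclass, field

# Constructed from the exam's symbols. Jose's true MAC "V" is an assumption.
HOSTS = {"Happy": ("A", "U"), "Jose": ("B", "V"), "GoLucky": ("C", "W"),
         "host4": ("D", "X"), "host5": ("E", "Y"), "host6": ("F", "Z")}


@dataclass
class ArpReply:
    sender_ip: str
    sender_mac: str


@dataclass
class NaiveArpCache:
    """Classic behaviour: any ARP reply overwrites the cache, solicited or not."""
    table: dict = field(default_factory=dict)

    def send_request(self, ip):
        pass                                  # nothing is remembered about what was asked

    def process_reply(self, reply):
        self.table[reply.sender_ip] = reply.sender_mac
        return True


@dataclass
class GuardedArpCache:
    """Hardened behaviour: only answers to outstanding requests are accepted, and a reply
    that would change an existing IP-to-MAC binding is refused and logged."""
    table: dict = field(default_factory=dict)
    pending: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def send_request(self, ip):
        self.pending.add(ip)

    def process_reply(self, reply):
        ip, mac = reply.sender_ip, reply.sender_mac
        if ip not in self.pending:
            self.alerts.append(f"unsolicited reply: {ip} claims {mac}; ignored")
            return False
        self.pending.discard(ip)
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"binding change refused: {ip} {old} -> {mac}")
            return False
        self.table[ip] = mac
        return True


def populate(cache):
    """The 'number of ARP exchanges' in the question: every host is requested and answers
    truthfully. (GoLucky would not normally cache its own C-W entry; the key allows either.)"""
    for ip, mac in HOSTS.values():
        cache.send_request(ip)
        cache.process_reply(ArpReply(ip, mac))
    return cache


def run_attack(cache):
    """MIDN Happy's unsolicited reply: 'Jose's IP (B) is at U', U being Happy's own MAC."""
    jose_ip, happy_mac = HOSTS["Jose"][0], HOSTS["Happy"][1]
    cache.process_reply(ArpReply(jose_ip, happy_mac))
    return dict(cache.table)


if __name__ == "__main__":
    print("naive  :", run_attack(populate(NaiveArpCache())))
    guarded = populate(GuardedArpCache())
    print("guarded:", run_attack(guarded), guarded.alerts)
```

Note that the guard does not help a host that has never resolved Jose's address: the first reply it accepts for B is whatever arrives after its own request, so the attacker can still win a race. That is why the durable fix is static entries for critical hosts or dynamic ARP inspection on the switch.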
Question 4 (44 pts). Examine the network shown below. MIDN Happy (whose IP address is 2.2.2.10)
regularly accesses the EC310 website (IP address 7.7.7.179).
(a) (2 pts) How many bytes are in an IP address? Answer: 4. NPC
(b) (10 pts) Considering the network shown above, construct the routing table for Router B. Place your answer in the table below, leaving any unused rows blank. (3 pts for correct mask order (longest mask first), 2 points for the last line in the table, 2 points for the Network address column, 2 points for the Next-hop column, 1 point for the Interface column.)
[Routing table not reproduced.]
(c) (2 pts) What layer of the TCP/IP reference model does a router (such as RB in the picture) operate at? Answer: Network. NPC
(d) (2 pts) In one sentence, what is the purpose of a network mask?
Answer: The network mask is used to extract the network ID from an IP address. NPC
Evil Jose is located on the 5.5.5.0/24 network and wants to prevent MIDN Happy from reaching the EC310
website at 7.7.7.179. He turns his computer into a router using Loki and advertises a false network. The
advertisement for this false network propagates to Router RB.
[Figure not reproduced: the network diagram, on which the asterisk labelled "Answer for part (g)" marks the chosen interface.]
In the table below, under the target's network (7.7.7.128) and the target's IP address (7.7.7.179), the bit values corresponding to the first three octets have been filled in.
(e) (4 pts) In the table below, fill in the bit values for the last octet of the target's network and the target's IP address. Two points for each entry.
Answer (table not reproduced): network 7.7.7.128, last octet 128 = 1000 0000; target 7.7.7.179, last octet 179 = 1011 0011.
(f) (8 pts) Design a false network! Specifically, state the network ID for the false network you would use.
Use the table above to show your work. Your answer should be of the form W.X.Y.Z/n.
Answer: See figure above. 7.7.7.160 / 27 ( or 7.7.7.176 / 28 or 7.7.7.176/29 )
Use judgment on grading. No points for meaningless answers.
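The false network works because a router forwards on the longest matching prefix, so any prefix longer than the legitimate 7.7.7.128/25 that still contains 7.7.7.179 steals the traffic. The added Python below (not from the exam) writes out the last-octet bit table from part (e), enumerates every such prefix (which is why the key accepts /27, /28 or /29; a /26 would work as well), and shows the longest-prefix lookup at Router RB before and after Jose's advertisement arrives. The /25 length of the target network and the next-hop labels are assumptions; the exam's figure is not reproduced.

```python
import ipaddress

# From the exam: the target network is 7.7.7.128 and the target host is 7.7.7.179.
# The /25 prefix length is an assumption (7.7.7.128 with the bits shown in the key's table).
TARGET_NET = ipaddress.ip_network("7.7.7.128/25")
TARGET_IP = ipaddress.ip_address("7.7.7.179")


def last_octet_bits(net, ip):
    """The bit-by-bit comparison the exam's table asks for, last octet only."""
    return {"network": format(int(net.network_address) & 0xFF, "08b"),
            "target": format(int(ip) & 0xFF, "08b")}


def candidate_false_networks(target_net, target_ip):
    """Every prefix longer than the victim network's that still contains the target.
    Each one beats the legitimate route under longest-prefix match."""
    return [str(ipaddress.ip_network(f"{target_ip}/{plen}", strict=False))
            for plen in range(target_net.prefixlen + 1, 33)]


def longest_prefix_match(table, ip):
    """table is a list of (network, next_hop); return the next hop of the most specific match."""
    best = None
    for net, next_hop in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def hijack_demo(false_net="7.7.7.160/27"):
    """RB's view before and after Jose's bogus advertisement is accepted.
    Next-hop labels are assumptions, not the exam's routing table."""
    table = [
        (ipaddress.ip_network("2.2.2.0/24"), "direct"),
        (TARGET_NET, "RC"),                       # legitimate path toward the EC310 web server
        (ipaddress.ip_network("0.0.0.0/0"), "default"),
    ]
    before = longest_prefix_match(table, TARGET_IP)
    table.append((ipaddress.ip_network(false_net), "Jose"))   # learned from the 5.5.5.0/24 side
    after = longest_prefix_match(table, TARGET_IP)
    return before, after


if __name__ == "__main__":
    print(last_octet_bits(TARGET_NET, TARGET_IP))
    print(candidate_false_networks(TARGET_NET, TARGET_IP))
    print(hijack_demo())
```

The passive interface in part (g) prevents the last step: if RB never accepts routing updates on the interface facing Jose's network, the false prefix never enters its table and the /25 keeps winning.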
(g) (4 pts) The network administrator has decided to employ a passive interface to spoil this attack. Select the
best router, and a best interface on that router, for employment of a passive interface. (Note that this
question is asking you to first choose the best router, and then choose one of the interfaces on that specific
router.) Answer this question by placing an asterisk directly next to your chosen router interface on the
picture on the preceding page, and writing next to this asterisk: "Answer for g".
See picture. Deduct two points if answer is given as m0 interface on RB; no credit for other answers.
Questions (h) – (j) below are not related to the previous questions.
(h) (4 pts) Express the mask for the network 6.6.6.128/27 in dotted decimal notation.
Answer: 255.255.255.224. Deduct two points for 6.6.6.224.
(i) (4 pts) How many IP addresses are available for assignment to hosts on the network 6.6.6.128/27?
Answer: 2^5 - 2 = 30 (five host-ID bits, minus the network and broadcast addresses).
Deduct 2 pts if the student shows the correct formula but uses the wrong number of bits in the host ID.
(j) (4 pts) What is the broadcast address for the network 6.6.6.128/27? Show your work!
Answer: 6.6.6.159 (last octet 128 = 1000 0000; set the five host bits to 1: 1001 1111 = 159).
Use judgment on grading. Give 2 points partial credit if the student shows the right thought process but makes a math error.
Turn in your equation sheet with your exam!