EC310 Twelve Week Exam Spring 2016
06 April 2016

United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 12 Week Midterm – Spring 2016

1. Do a page check: you should have 12 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes. Turn in your single-sided hand-written page of notes with your exam.
5. This exam may be given as a makeup exam to several midshipmen at a later time.
6. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: ____________________ SOLUTION
Instructor: ____________________

Problem   Topic                          Possible
1         Buffer Overflow                   9
2         Privileges and Permissions       10
3         Ethernet and ARP                 30
4         IP and False Route Injection     30
5         Routing                          13
6         BGP                               8
TOTAL                                     100 Points

Page 1 of 12

Question 1 (9 pts). As demonstrated by the Real Buffer Overflow in Chapter 10, a properly executed attack can enable a malicious user to gain root level access to a system. The structure of the “payload” is illustrated below. Answer the following questions regarding the payload.

(a) (2 pts) What is the purpose of the repeated return address at the bottom of the payload? Explain.

Answer: To give the hacker a number of chances to get the address correctly positioned in the return address field.

(b) (2 pts) True / False (circle one) If the exploit works as designed, the malicious return address copied to the eip (instruction pointer) register will point to an address in the text segment of the memory of the original program.

(c) (2 pts) Why is the Exploit located below the NOP sled in the payload above (see figure)? Explain.
Answer: The NOP sled is a series of “no operation” instructions; once the computer starts executing them, it continues through them until the first executable command, hence the Exploit must be after/below the NOP sled. The NOP sled lets the hacker be a bit off with the return address, since it just needs to point somewhere within the NOP sled.

(d) (3 pts) Which of the following choices is/are true for defenses against a buffer overflow attack (circle all that apply):
(i) Stop using C as a programming language
(ii) Using the canary technique to detect possible compromise of the stack
(iii) Using Address Space Layout Randomization to place the stack and heap in random locations
(iv) Using the function bufferchk in C to check for going out of the bounds of an array
(v) Using the function strncpy as opposed to strcpy to limit the number of characters to copy
(vi) Using the non-executable stack to avoid executing instructions from the stack

Question 2 (10 pts). Having grown tired of derisive remarks about ITSD on YikYak™, Ward Hall has developed an alternate text-based program called MidYak which they hope will gain popularity amongst the Brigade. Very importantly, their creation MidYak will enable them to remove unflattering comments using another program EditYak, which only their administrators can run.

Consider the file listing below, which has been shortened for convenience. The executable program midyak.exe is designed to allow any user on the system to append comments to the text file /tmp/yak.txt. Another program edityak.exe will then allow ITSD administrators to remove any disrespectable notes in the file. The corresponding C source code for these two programs is in midyak.c and edityak.c.

-rw-r--r--  root  root  ...  /tmp/yak.txt
-rwsr-xr-x  root  root  ...  midyak.exe
-rw-r--r--  root  root  ...  midyak.c
-rw-r--r--  root  root  ...  edityak.c
-rwxr-xr--  root  root  ...  /usr/edityak.exe

(a) (2 pts) True / False (circle one) Based on the file listing above, any user on the system could view the contents of /tmp/yak.txt using the command cat /tmp/yak.txt.

(b) (2 pts) While logged in as midshipman, you attempt to directly edit the file /tmp/yak.txt using the text editor nano but are unsuccessful. Considering the privileges for the file /tmp/yak.txt, circle the letter/symbol of the file’s permissions below (i.e. the string -rw-r--r--) which would have to be changed in order for you to edit the file.

-rw-r--r-- root root 1993 2016-03-24 09:55 /tmp/yak.txt

(c) (2 pts) While logged in as midshipman, would executing the command chmod o+w tmp/yak.txt permit you to subsequently edit the file? Explain:

Answer: No. Midshipman is not the owner of the file and thus cannot change the permissions for it.

(d) (2 pts) You notice that using the program midyak.exe, you are able to append comments to the file tmp/yak.txt despite the fact that you cannot edit the file directly. Which of the following best explains why this is possible? Circle the best answer.
(i) The owner of both midyak.exe and /tmp/yak.txt is root
(ii) The program midyak.exe is executable by all users
(iii) Executing midyak.exe automatically grants you sudo access
(iv) The setuid flag on the file midyak.exe has been set
(v) Executing midyak.exe automatically changes the permissions of /tmp/yak.txt

(e) (2 pts) You come across the source code edityak.c and realize how ITSD administrators are removing your MidYak comments. You copy the code into your account and compile it yourself, thereby giving you ownership and execution permissions as shown below. Will your newly compiled version permit you as midshipman to edit /tmp/yak.txt?

-rwxr--r-- midshipman midshipman 6182 2016-03-24 13:55 edityak.exe

Explain: No.
The user midshipman still does not have write permissions on the file /tmp/yak.txt.

Question 3 (30 pts). You are examining an Ethernet frame using Wireshark. This Ethernet frame is shown below. The hexadecimal contents of the Ethernet frame start as shown:

(a) (2 pts) What is the destination address for this Ethernet frame, and what does this address mean? Explain.

Answer: ff:ff:ff:ff:ff:ff. This is the broadcast address.

(b) (3 pts) If the Ethernet protocol is used to transmit a 5210-byte IP packet, how many frames will be needed? Show work.

Answer: Number of frames = Total bytes / Max bytes per frame = 5210 bytes / 1500 bytes = 3.47, so 4 frames are needed.

(c) (3 pts) Which of the following choices is/are true (circle all that apply):
(i) IP is a Network layer protocol
(ii) Ethernet is a Data Link layer protocol
(iii) Ethernet frames are encapsulated in IP packets
(iv) IP packets are encapsulated in Ethernet frames
(v) The Cyclic Redundancy Code is used for error detection on an Ethernet frame
(vi) Data padding is used in an Ethernet frame to meet the maximum frame length

Consider the 10 Mbps Ethernet network depicted below. For each user, symbols denote the IP address and Ethernet address. For example, MIDN Glad has IP address E and Ethernet address Y.

(d) (4 pts) How much bandwidth (data rate) does MIDN Glad get? Show work.

Answer: 10 Mbps / [illegible] = [illegible] Mbps

(e) (2 pts) If MIDN Happy were to move his computer to a different network, would his Ethernet address change? Explain.

Answer: No. Ethernet addresses are static per device and do not change.

Suppose that a number of ARP exchanges have taken place and all users have a complete and correct ARP cache, showing the correct IP address – Ethernet address pairings for all users. Evil Instructor then launches an ARP spoofing attack against MIDN Joyous with the intent of stealing all packets destined for MIDN Joyous.
(f) (2 pts) What major flaw exists in the Address Resolution Protocol that makes ARP spoofing possible? Explain.

Answer: An ARP Reply message can be sent without a preceding ARP Request.

(g) (4 pts) To launch his attack, what IP address-Ethernet address pairing would Evil Instructor send?

Answer: IP address D is paired with Ethernet address V.

(h) (2 pts) Calculate the bandwidth (data rate) seen by each user if the Bridge was replaced with a Hub. Show work.

Answer: 10 Mbps / [illegible] = [illegible] Mbps

(i) (2 pts) What layer of the TCP/IP model would this hub reside in?

Answer: Physical layer

(j) (4 pts) If the bridge were to be replaced by a Switch where each computer would be individually connected to it, what would be the bandwidth (data rate) seen by each user? Show work.

Answer: 10 Mbps / [illegible] = [illegible] Mbps

(k) (2 pts) What layer of the TCP/IP model would this switch reside in?

Answer: Data Link layer

Question 4 (30 pts). Examine the network diagram shown below.

(a) (4 pts) Express the mask for the network 3.3.3.128/25 in dotted decimal notation.

Answer: 255.255.255.128

(b) (4 pts) What is the last IP address assignable to a host for the network 2.2.2.64/26? Show your work.

Answer: Block of addresses
First address:  2 . 2 . 2 . 01000000 = 2 . 2 . 2 . 64    network address
Last address:   2 . 2 . 2 . 01111111 = 2 . 2 . 2 . 127   broadcast address
The last address assignable to a host is 2 . 2 . 2 . 126

(c) (9 pts) Considering the network shown above, construct the routing table for Router B (RB). Place your answer in the table below, leaving any unused rows blank.

Mask   Network address   Next hop     Interface
/28    5 . 5 . 5 . 48    3.3.3.220    m0
/26    2 . 2 . 2 . 64    -            m2
/26    3 . 3 . 3 . 128   -            m1
/26    3 . 3 . 3 . 192   -            m0
/23    8 . 8 . 8 . 0     3.3.3.140    m1
/0     0 . 0 . 0 . 0     3.3.3.140    m1

(d) (5 pts) Suppose Router B (RB) must route an IP packet with destination address 3.3.3.190. Using the routing table above, what is the matching network address for this destination IP address? Show work.

Answer: After a couple of iterations, the student should come up to mask /26.
Destination IP:    3 .   3 .   3 . 10111110
Mask:            255 . 255 . 255 . 11000000
Network ID:        3 .   3 .   3 . 10000000 = 3 . 3 . 3 . 128

(e) (2 pts) Following the previous question, what outgoing interface would Router B (RB) send the IP packet whose destination address is 3.3.3.190?

Answer: m1

The network diagram is shown again below for your convenience; no change has been made. Evil Instructor is located on the 5.5.5.48/28 network and wants to prevent MIDN Happy from reaching the EC310 website at 8.8.9.174. He turns his computer into a router using Loki and advertises a false network. The advertisement for this false network propagates to Router B (RB). In the table below, under the target's network (8.8.8.0) and the target's IP address (8.8.9.174), the bit values corresponding to the IP address have been filled in.

8 . 8 . 9 . 0 = 00001000 00001000 00001001 00000000

(f) (6 pts) Design a false network using the shortest possible mask (in other words, your mask /n should use the smallest possible value of n). State the network ID for the false network you would use. Use the table above to show your work. Your answer should be of the form W.X.Y.Z/n.

Answer: 8.8.9.0/24, with work shown as above.

Question 5 (13 pts). Consider the network shown below which uses distance vector routing. You are router F.
You have just received the following distance vectors from your neighbors:

           A    B    C    D    E    F
From B:    4    0   10    2    6    8
From D:   10    2    8    0    7    6
From E:   13   11    8   17    0    4

Your distance to B is 2, your distance to D is 3 and your distance to E is 9.

(a) (6 pts) What is the new routing table for Router F (include the distance and next hop for each destination) using the distance-vector routing protocol? Enter your answer in the table on the right, using as many rows as needed.

Destination   Total distance   Next hop
A              6               B
B              2               B
C             11               D
D              3               D
E              8               B
F              -               -

(b) (2 pts) Using distance-vector routing, do you (Router F) send your distance vector to Router C? Explain.

Answer: No. Distance vectors are shared only with 1-hop neighbors. Router C is not a neighbor of Router F.

(c) (3 pts) Suppose the routing algorithm for the network above is shifted to link-state routing. Construct the Link-State Packet (LSP) that will be sent by Router F.

Answer:
Router F
Router   Weight
B        2
D        3
E        9

(d) (2 pts) Would Router D ultimately get the LSP from Router A? Explain.

Answer: Yes. All routers in the network will ultimately receive each LSP.

Question 6 (8 pts). Consider the diagram below showing the interconnection of three ASs. Assuming there are no local preferences, traffic from AS 3 can travel to network N12 in AS 4 and vice versa.

(a) (2 pts) What category of autonomous system is AS 3? (Circle one choice below)
i. Stub AS
ii. Multihomed AS
iii. Transit AS

(b) (2 pts) What type of autonomous system is AS 5?
i. Stub AS
ii. Multihomed AS
iii. Transit AS

(c) (2 pts) Complete the BGP path table for R6 in the table below by filling in the second column. For the “AS Path to Get Me There”, fill in the sequence of ASs from you (Router R6 in AS 3) to the destination.
AS that I Need to Route To   AS Path to Get Me There
AS 4                         AS 3 - AS 5 - AS 4

(d) (2 pts) Select TRUE or FALSE for each statement below:
(i) True / False (circle one) In a network hijacking attack the attacker would advertise a more specific network ID containing the IP address of the victim.
(ii) True / False (circle one) The security of Internet routing does not depend on the accuracy, integrity, and availability of the association between ASNs and the network prefixes they own and advertise.

Turn in your equation sheet with your exam!
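Worked example, added here and not part of the exam: the longest-prefix-match lookup that Question 4 (c)-(f) exercises on Router B's table, together with the mask and host-range arithmetic of parts (a) and (b). The table entries are the exam's; the next hop and interface of the false /24 route (3.3.3.220 via m0, RB's existing path toward the 5.5.5.48/28 side) are an assumption for illustration.

```python
# Longest-prefix-match forwarding over Router B's table (Question 4 (c)), plus
# the mask and host-range arithmetic of parts (a) and (b).
# Added example, not from the exam; standard library only.
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str, str]  # (network/prefix, next hop, interface)

# RB's routing table, transcribed from the exam. "-" = directly connected.
RB_TABLE: List[Route] = [
    ("5.5.5.48/28",  "3.3.3.220", "m0"),
    ("2.2.2.64/26",  "-",         "m2"),
    ("3.3.3.128/26", "-",         "m1"),
    ("3.3.3.192/26", "-",         "m0"),
    ("8.8.8.0/23",   "3.3.3.140", "m1"),
    ("0.0.0.0/0",    "3.3.3.140", "m1"),   # default route
]

# The /24 from part (f). Next hop and interface are an ASSUMPTION for
# illustration: RB's existing path toward the 5.5.5.48/28 side.
FALSE_ROUTE: Route = ("8.8.9.0/24", "3.3.3.220", "m0")


def dotted_mask(prefix_len: int) -> str:
    """/n written in dotted decimal, e.g. 25 -> 255.255.255.128 (part a)."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def host_range(cidr: str) -> Tuple[str, str]:
    """First and last addresses assignable to a host in a block (part b):
    the network address and the broadcast address are excluded."""
    net = ipaddress.IPv4Network(cidr)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


def lookup(dst: str, table: List[Route] = RB_TABLE) -> Optional[Route]:
    """Pick the entry whose network contains dst with the LONGEST prefix,
    as a router does (parts d, e). Returns None only without a default route."""
    addr = ipaddress.IPv4Address(dst)
    best, best_len = None, -1
    for route in table:
        net = ipaddress.IPv4Network(route[0])
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


if __name__ == "__main__":
    print(lookup("3.3.3.190"))                            # /26 beats /0 -> m1
    print(lookup("8.8.9.174"))                            # legitimate /23 -> m1
    # A more specific prefix wins no matter who advertised it, which is why
    # unvalidated route advertisements can redirect traffic (Q4 f, Q6 d).
    print(lookup("8.8.9.174", RB_TABLE + [FALSE_ROUTE]))  # /24 -> m0
```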
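Worked example, added here and not part of the exam: the distance-vector update Router F performs in Question 5 (a), computing for each destination the minimum over neighbours of (link cost to the neighbour + the neighbour's advertised distance). The three received vectors and F's link costs are the exam's values.

```python
# Distance-vector update for Router F (Question 5 (a)): for each destination,
# cost via neighbour n = cost(F, n) + D_n(destination); keep the minimum.
# Added example, not from the exam; standard library only.
from typing import Dict, Optional, Tuple

NODES = "ABCDEF"

# Distance vectors received from F's three neighbours, as given in the exam.
RECEIVED: Dict[str, Dict[str, int]] = {
    "B": dict(zip(NODES, [4, 0, 10, 2, 6, 8])),
    "D": dict(zip(NODES, [10, 2, 8, 0, 7, 6])),
    "E": dict(zip(NODES, [13, 11, 8, 17, 0, 4])),
}
# Cost of F's own links to those neighbours ("your distance to B is 2 ...").
LINK_COST: Dict[str, int] = {"B": 2, "D": 3, "E": 9}


def dv_update(me: str, link_cost: Dict[str, int],
              received: Dict[str, Dict[str, int]]) -> Dict[str, Tuple[int, str]]:
    """Return {destination: (total distance, next hop)} for router `me`.

    Only vectors from direct neighbours are used (part b: a router never
    receives a vector from a non-neighbour such as C). Ties keep the first
    neighbour in dictionary order.
    """
    destinations = sorted({d for vec in received.values() for d in vec})
    table: Dict[str, Tuple[int, str]] = {me: (0, "-")}
    for dest in destinations:
        if dest == me:
            continue
        best: Optional[Tuple[int, str]] = None
        for nbr, vector in received.items():
            if nbr not in link_cost:
                raise ValueError(f"{nbr} is not a neighbour of {me}")
            candidate = link_cost[nbr] + vector[dest]
            if best is None or candidate < best[0]:
                best = (candidate, nbr)
        table[dest] = best
    return table


def vector_to_advertise(table: Dict[str, Tuple[int, str]]) -> Dict[str, int]:
    """What the router sends to its neighbours: distances only, no next hops."""
    return {dest: dist for dest, (dist, _) in table.items()}


if __name__ == "__main__":
    for dest, (dist, hop) in dv_update("F", LINK_COST, RECEIVED).items():
        print(f"F -> {dest}: {dist:2d} via {hop}")
```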