United States Naval Academy Electrical and Computer Engineering Department

EC310 Twelve Week Exam Spring 2016
06 April 2016
EC310 - 12 Week Midterm – Spring 2016
1. Do a page check: you should have 12 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes.
5. Turn in your single-sided hand-written page of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.
Name: SOLUTION
Instructor: ____________________
Problem   Topic                           Possible   Points
1         Buffer Overflow                 9
2         Privileges and Permissions      10
3         Ethernet and ARP                30
4         IP and False Route Injection    30
5         Routing                         13
6         BGP                             8
TOTAL                                     100
Page 1 of 12
Question 1 (9 pts). As demonstrated by the Real Buffer Overflow in Chapter 10, a properly executed attack
can enable a malicious user to gain root level access to a system. The structure of the “payload” is illustrated
below. Answer the following questions regarding the payload.
(a) (2 pts) What is the purpose of the repeated return address at the bottom of the payload? Explain.
To give the hacker a number of chances to get the address correctly positioned in the return address
field.
(b) (2 pts) True / False (circle one) If the exploit works as designed, the malicious return address copied to the
eip (instruction pointer) register will point to an address in the text segment of the memory of the original
program.
(c) (2 pts) Why is the Exploit located below the NOP sled in the payload above (see figure)? Explain.
The NOP sled is a series of "no operation" instructions; once the computer starts executing them, it will
continue until the first executable command, hence the Exploit must be after/below the NOP sled. The
NOP sled lets the hacker be a bit off with the return address, since it just needs to point somewhere
within the NOP sled.
(d) (3 pts) Which of the following choices is/are true for defenses against a buffer overflow attack
(circle all that apply):
(i) Stop using C as a programming language
(ii) Using the canary technique to detect possible compromise of the stack
(iii) Using Address Space Layout Randomization to place the stack and heap in random locations
(iv) Using the function bufferchk in C to check for going out of the bounds of an array
(v) Using the function strncpy as opposed to strcpy to limit the number of characters to copy
(vi) Using the non-executable stack to avoid executing instructions from the stack
Question 2 (10 pts). Having grown tired of derisive remarks about ITSD on YikYak™, Ward Hall has
developed an alternate text-based program called MidYak which they hope will gain popularity amongst the
Brigade. Very importantly, their creation MidYak will enable them to remove unflattering comments using
another program EditYak, which only their administrators can run.
Consider the file listing below, which has been shortened for convenience. The executable program
midyak.exe is designed to allow any user on the system to append comments to the text file
/tmp/yak.txt. Another program edityak.exe will then allow ITSD administrators to remove any
disrespectable notes in the file. The corresponding C source code for these two programs is in midyak.c and
edityak.c.
-rw-r--r--  root  root  ...  /tmp/yak.txt
-rwsr-xr-x  root  root  ...  midyak.exe
-rw-r--r--  root  root  ...  midyak.c
-rw-r--r--  root  root  ...  edityak.c
-rwxr-xr--  root  root  ...  /usr/edityak.exe
(a) (2 pts) True / False (circle one) Based on the file listing above, any user on the system could view the
contents of /tmp/yak.txt using the command cat /tmp/yak.txt.
(b) (2 pts) While logged in as midshipman, you attempt to directly edit the file /tmp/yak.txt using the
text editor nano but are unsuccessful. Considering the privileges for the file /tmp/yak.txt, circle the
letter/symbol of the file’s permissions below (i.e. the string -rw-r--r--) which would have to be changed
in order for you to edit the file.
-rw-r--r-- root root 1993 2016-03-24 09:55 /tmp/yak.txt
(c) (2 pts) While logged in as midshipman, would executing the command chmod o+w tmp/yak.txt
permit you to subsequently edit the file? Explain:
No. Midshipman is not the owner of the file and thus cannot change the permissions for it.
(d) (2 pts) You notice that using the program midyak.exe, you are able to append comments to the file
tmp/yak.txt despite the fact that you cannot edit the file directly. Which of the following best explains
why this is possible? Circle the best answer.
(i) The owner of both midyak.exe and /tmp/yak.txt is root
(ii) The program midyak.exe is executable by all users
(iii) Executing midyak.exe automatically grants you sudo access
(iv) The setuid flag on the file midyak.exe has been set
(v) Executing midyak.exe automatically changes the permissions of /tmp/yak.txt
(e) (2 pts) You come across the source code edityak.c and realize how ITSD administrators are removing
your MidYak comments. You copy the code into your account and compile it yourself, thereby giving you
ownership and execution permissions as shown below. Will your newly compiled version permit you as
midshipman to edit /tmp/yak.txt?
-rwxr--r-- midshipman midshipman 6182 2016-03-24 13:55 edityak.exe
Explain:
No. The user midshipman still does not have write permissions on the file /tmp/yak.txt.
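The permission reasoning behind parts (a) through (e), written out as an added example (not from the exam) that checks the exam's own listing: who may read or write /tmp/yak.txt, who may chmod it, and why a setuid midyak.exe owned by root can append while a copy of edityak.exe owned by midshipman cannot.

```python
# Added example (not from the exam): the Unix permission checks behind Question 2,
# applied to the exam's listing. User and group names are as in the exam.
from dataclasses import dataclass

@dataclass
class FileEntry:
    mode: str     # ls -l mode string, e.g. "-rwsr-xr-x"
    owner: str
    group: str

def parse_mode(mode):
    """Split an ls -l mode string into owner/group/other r/w/x flags plus setuid."""
    assert len(mode) == 10, "expected a 10-character mode string"
    bits = mode[1:]
    perms = {}
    for who, i in (("owner", 0), ("group", 3), ("other", 6)):
        r, w, x = bits[i:i + 3]
        # 's' in the owner execute slot means setuid AND executable; 'S' is setuid only
        perms[who] = {"r": r == "r", "w": w == "w", "x": x in "xs"}
    perms["setuid"] = bits[2] in "sS"
    return perms

def access_class(entry, user, groups):
    """Which permission triple applies to this user (owner beats group beats other)."""
    if user == entry.owner:
        return "owner"
    return "group" if entry.group in groups else "other"

def can(entry, user, groups, right):
    return parse_mode(entry.mode)[access_class(entry, user, groups)][right]

def can_chmod(entry, user):
    """Part (c): only the owner (or root) may change a file's mode bits."""
    return user == entry.owner or user == "root"

def runs_as(program, invoker):
    """Part (d): a setuid program runs with the file owner's identity, not the invoker's."""
    return program.owner if parse_mode(program.mode)["setuid"] else invoker

def writes_through(program, target, invoker, groups):
    """Parts (d)/(e): can 'invoker' execute 'program' and have it write 'target'?"""
    if not can(program, invoker, groups, "x"):
        return False
    euid = runs_as(program, invoker)
    egroups = groups if euid == invoker else {program.group}
    return can(target, euid, egroups, "w")

YAK = FileEntry("-rw-r--r--", "root", "root")                     # /tmp/yak.txt
MIDYAK = FileEntry("-rwsr-xr-x", "root", "root")                  # midyak.exe
MY_EDITYAK = FileEntry("-rwxr--r--", "midshipman", "midshipman")  # part (e)
```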
Question 3 (30 pts). You are examining an Ethernet frame using Wireshark. This Ethernet frame is shown
below. The hexadecimal contents of the Ethernet frame start as shown:
(a) (2 pts) What is the destination address for this Ethernet frame, and what does this address mean? Explain.
Answer: ff:ff:ff:ff:ff:ff. This is the broadcast address.
(b) (3 pts) If the Ethernet protocol is used to transmit a 5210-byte IP packet, how many frames will be needed?
Show work.
Answer: Qty. of frames = Total bytes / (max bytes/frame) = 5210 bytes / 1500 bytes = 3.47, so 4 frames are needed
(c) (3 pts) Which of the following choices is/are true (circle all that apply):
(i) IP is a Network layer protocol
(ii) Ethernet is a Data Link layer protocol
(iii) Ethernet frames are encapsulated in IP packets
(iv) IP packets are encapsulated in Ethernet frames
(v) The Cyclic Redundancy Code is used for error detection on an Ethernet frame
(vi) Data padding is used in an Ethernet frame to meet the maximum frame length
Consider the 10 Mbps Ethernet network depicted below. For each user, symbols denote the IP address and
Ethernet address. For example, MIDN Glad has IP address E and Ethernet address Y.
(d) (4 pts) How much bandwidth (data rate) does MIDN Glad get? Show work.
Answer: 10 Mbps / 4 = 2.5 Mbps
(e) (2 pts) If MIDN Happy were to move his computer to a different network, would his Ethernet address
change? Explain.
Answer: No. Ethernet addresses are static per device and do not change.
Suppose that a number of ARP exchanges have taken place and all users have a complete and correct ARP
cache, showing the correct IP address – Ethernet address pairings for all users. Evil Instructor then
launches an ARP spoofing attack against MIDN Joyous with the intent of stealing all packets destined for
MIDN Joyous.
(f) (2 pts) What major flaw exists in the Address Resolution Protocol that makes ARP spoofing possible?
Explain.
Answer: An ARP Reply message can be sent without a preceding ARP request.
(g) (4 pts) To launch his attack, what IP address-Ethernet address pairing would Evil Instructor send?
Answer: IP address D is paired with Ethernet address V
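A passive monitor that detects the two things parts (f) and (g) describe, as an added example (not part of the exam): an ARP reply that no request asked for, and a known IP address suddenly claiming a different Ethernet address. The IP letters A..E and Ethernet letters V..Z follow the exam's diagram; MIDN Joyous's real Ethernet address "X" and the message sequence are constructed for illustration.

```python
# Added example (not part of the exam): a passive ARP monitor that flags the flaw in (f),
# replies that no request asked for, and the forged pairing from (g). IP letters A..E and
# Ethernet letters V..Z follow the exam's diagram; Joyous's real Ethernet address "X" and
# the message sequence are constructed for illustration.
class ArpMonitor:
    def __init__(self):
        self.cache = {}       # IP -> Ethernet address first learned
        self.pending = set()  # IPs with an outstanding "who-has" request
        self.alerts = []

    def observe(self, msg):
        """msg is ("request", target_ip) or ("reply", sender_ip, sender_mac)."""
        if msg[0] == "request":
            self.pending.add(msg[1])
            return
        _, ip, mac = msg
        # Flaw (f): ARP accepts a reply even when nobody sent a request for it
        if ip in self.pending:
            self.pending.discard(ip)
        else:
            self.alerts.append(f"unsolicited reply {ip}->{mac}")
        # Attack (g): a known IP now claims a different hardware address.
        # A real host would overwrite its cache here (which is why the attack works);
        # the monitor keeps the first pairing and raises an alert instead.
        old = self.cache.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"pairing changed {ip}: {old} -> {mac}")
        else:
            self.cache[ip] = mac

def run_sample():
    m = ArpMonitor()
    traffic = [
        ("request", "D"), ("reply", "D", "X"),  # Joyous answers: IP D is at X (constructed)
        ("request", "E"), ("reply", "E", "Y"),  # Glad answers: IP E is at Y (from the exam)
        ("reply", "D", "V"),                    # Evil Instructor's forged pairing from (g)
    ]
    for msg in traffic:
        m.observe(msg)
    return m
```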
(h) (2 pts) Calculate the bandwidth (data rate) seen by each user if the Bridge was replaced with a Hub. Show
work.
Answer: 10 Mbps / 8 = 1.25 Mbps
(i) (2 pts) What layer of the TCP/IP model would this hub reside in?
Answer: Physical layer
(j) (4 pts) If the bridge were to be replaced by a Switch where each computer would be individually connected
to it, what would be the bandwidth (data rate) seen by each user? Show work.
Answer: 10 Mbps / 2 = 5 Mbps
(k) (2 pts) What layer of the TCP/IP model would this switch reside in?
Answer: Data Link layer
Question 4 (30 pts). Examine the network diagram shown below.
(a) (4 pts) Express the mask for the network 3.3.3.128/25 in dotted decimal notation.
Answer: 255.255.255.128
(b) (4 pts) What is the last IP address assignable to a host for the network 2.2.2.64/26 ? Show your work.
Answer: Block of addresses
First address: 2 . 2 . 2 . 01000000 = 2 . 2 . 2 . 64 network address
Last address: 2 . 2 . 2 . 01111111 = 2 . 2 . 2 . 127 broadcast address
The last address assignable to a host is 2 . 2 . 2 . 126
(c) (9 pts) Considering the network shown above, construct the routing table for Router B (RB). Place your
answer in the table below, leaving any unused rows blank.
Mask   Network address   Next-hop address   Interface
/28    5.5.5.48          3.3.3.220          m0
/26    2.2.2.64          -                  m2
/26    3.3.3.128         -                  m1
/26    3.3.3.192         -                  m0
/23    8.8.8.0           3.3.3.140          m1
/0     0.0.0.0           3.3.3.140          m1
(d) (5 pts) Suppose Router B (RB) must route an IP packet with destination address 3.3.3.190. Using the
routing table above, what is the matching network address for this destination IP address? Show work.
Answer: After a couple of iterations, the student should arrive at mask /26.
Destination IP:   3 . 3 . 3 . 10111110
Mask:             255 . 255 . 255 . 11000000
Network ID:       3 . 3 . 3 . 10000000 = 3 . 3 . 3 . 128
(e) (2 pts) Following the previous question, what outgoing interface would Router B (RB) send the IP packet
whose destination address is 3.3.3.190 ?
Answer: m1
The network diagram is shown again below for your convenience, no change has been made. Evil
Instructor is located on the 5.5.5.48/28 network and wants to prevent MIDN Happy from reaching
the EC310 website at 8.8.9.174. He turns his computer into a router using Loki and advertises a false
network. The advertisement for this false network propagates to Router B (RB).
In the table below, under the target's network (8.8.8.0), and the target's IP address (8.8.9.174) the bit
values corresponding to the IP address have been filled in.
8 . 8 . 9 . 0
00001000 . 00001000 . 00001001 . 00000000
(f) (6 pts) Design a false network using the shortest possible mask (in other words, your mask /n should use
the smallest possible value of n). State the network ID for the false network you would use. Use the table
above to show your work. Your answer should be of the form W.X.Y.Z/n.
Answer: 8.8.9.0/24 with work shown as above.
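The computations in parts (a) through (f), carried out in code as an added example (not from the exam): Router B's table from part (c), longest-prefix matching of 3.3.3.190 for (d)/(e), and why the /24 from (f) overrides the legitimate 8.8.8.0/23 once it reaches Router B. It uses the standard-library ipaddress module; the false route's next hop and interface are placeholders, since the exam does not state them.

```python
# Added example (not from the exam): Router B's table from part (c), longest-prefix matching
# for parts (d)/(e), and the more-specific false prefix from part (f), using the standard
# library's ipaddress module. The false route's next hop and interface are placeholders,
# since the exam does not state them.
import ipaddress as ipa

# (network/mask, next hop, interface), as in the exam's answer for Router B
RB_TABLE = [
    ("5.5.5.48/28", "3.3.3.220", "m0"),
    ("2.2.2.64/26", "-", "m2"),
    ("3.3.3.128/26", "-", "m1"),
    ("3.3.3.192/26", "-", "m0"),
    ("8.8.8.0/23", "3.3.3.140", "m1"),
    ("0.0.0.0/0", "3.3.3.140", "m1"),
]

def mask_dotted(prefixlen):
    """Part (a): /25 -> 255.255.255.128."""
    return str(ipa.ip_network(f"0.0.0.0/{prefixlen}").netmask)

def host_range(cidr):
    """Part (b): first and last addresses assignable to a host (network and broadcast excluded)."""
    hosts = list(ipa.ip_network(cidr).hosts())
    return str(hosts[0]), str(hosts[-1])

def lookup(table, dst):
    """Parts (d)/(e): longest-prefix match, i.e. of all entries containing dst keep the longest mask."""
    addr = ipa.ip_address(dst)
    best = None
    for cidr, nexthop, iface in table:
        net = ipa.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, iface)
    return str(best[0]), best[1], best[2]

def shortest_more_specific(target, legit_cidr):
    """Part (f): the shortest mask that still beats the legitimate route is one bit longer;
    this is the kind of prefix a route monitor should alert on."""
    n = ipa.ip_network(legit_cidr).prefixlen + 1
    return str(ipa.ip_network(f"{target}/{n}", strict=False))

def hijacked_lookup(target="8.8.9.174"):
    """Before/after: the false /24 wins over the legitimate /23 once it reaches Router B."""
    false = shortest_more_specific(target, "8.8.8.0/23")
    poisoned = RB_TABLE + [(false, "<attacker-side next hop>", "<interface>")]
    return lookup(RB_TABLE, target), lookup(poisoned, target)
```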
Question 5 (13 pts). Consider the network shown below which uses distance vector routing.
You are router F. You have just received the following distance vectors from your neighbors:
         A    B    C    D    E    F
From B:  4    0    10   2    6    8
From D:  10   2    8    0    7    6
From E:  13   11   8    17   0    4
Your distance to B is 2, your distance to D is 3 and your distance to E is 9.
(a) (6 pts) What is the new routing table for Router F (include the distance and next hop for each
destination) using the distance-vector routing protocol? Enter your answer in the table below, using as
many rows as needed.
Destination   Total distance   Next hop
A             6                B
B             2                B
C             11               D
D             3                D
E             8                B
F             -                -
(b) (2 pts) Using distance-vector routing, do you (Router F) send your distance vector to Router C? Explain.
Answer: No. Distance vectors are shared only with 1-hop neighbors. Router C is not a neighbor
of Router F.
(c) (3 pts) Suppose the routing algorithm for the network above is shifted to link-state routing. Construct the
Link-State Packet (LSP) that will be sent by Router F.
Answer:
Router F
Router   Weight
B        2
D        3
E        9
(d) (2 pts) Would Router D ultimately get the LSP from Router A? Explain.
Answer: Yes. All routers in the network will ultimately receive each LSP.
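The update Router F performs in part (a) and the LSP it would build in part (c), as an added example (not from the exam) using the exam's link costs and received vectors:

```python
# Added example (not from the exam): the distance-vector (Bellman-Ford) update Router F
# performs in Question 5(a) and the link-state packet from 5(c), using the exam's numbers.
NODES = "ABCDEF"

# Router F's direct link costs (from the exam text)
F_LINKS = {"B": 2, "D": 3, "E": 9}

# Distance vectors just received from F's neighbours (from the exam's table), dst -> cost
RECEIVED = {
    "B": dict(zip(NODES, [4, 0, 10, 2, 6, 8])),
    "D": dict(zip(NODES, [10, 2, 8, 0, 7, 6])),
    "E": dict(zip(NODES, [13, 11, 8, 17, 0, 4])),
}

def dv_update(me, links, received):
    """cost(me -> dst) = min over neighbours n of cost(me -> n) + n's advertised cost to dst.
    Returns dst -> (total distance, next hop); ties keep the first neighbour seen."""
    table = {me: (0, "-")}
    for dst in NODES:
        if dst == me:
            continue
        best = None
        for n, c in links.items():
            total = c + received[n][dst]
            if best is None or total < best[0]:
                best = (total, n)
        table[dst] = best
    return table

def link_state_packet(me, links):
    """An LSP carries only who I am and each directly connected neighbour with its link weight."""
    return {"router": me, "links": sorted(links.items())}
```

Note that the direct F-E link costs 9 but the table routes E through B at 8, which is exactly the kind of result the vector comparison produces.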
Question 6 (8 pts). Consider the diagram below showing the interconnection of three ASs. Assuming there
are no local preferences, traffic from AS 3 can travel to network N12 in AS 4 and vice versa.
(a) (2 pts) What category of autonomous system is AS 3? (Circle one choice below)
i. Stub AS
ii. Multihomed AS
iii. Transit AS
(b) (2 pts) What type of autonomous system is AS 5?
i. Stub AS
ii. Multihomed AS
iii. Transit AS
(c) (2 pts) Complete the BGP path table for R6 in the table below by filling in the second column. For the
“AS Path to Get Me There”, fill in the sequence of ASs from you (Router R6 in AS 3) to the destination.
AS that I Need to Route To   AS Path to Get Me There
AS 4                         AS 3 - AS 5 - AS 4
(d) (2 pts) Select TRUE or FALSE for each statement below:
(i) True / False (circle one) In a network hijacking attack the attacker would advertise a more
specific network ID containing the IP address of the victim.
(ii) True / False (circle one) The security of Internet routing does not depend on the accuracy,
integrity, and availability of the association between ASNs and the network prefixes they own
and advertise.
Turn in your equation sheet with your exam!