Uploaded by Grant C.

Practice Final Exam 2 - solutions

CSCI-UA.0480-63: Intro to Computer Security
Spring 2023
Practice Final Exam #2
● The exam is open book and open notes. You may use a computer with all wireless
communication turned off.
● You have 110 minutes.
● Please answer any 9 out of the 12 short-answer questions in Part 1, and then question 1
and either question 2 or 3 from Part 2. Clearly indicate which questions you have
decided to answer by checking the box next to their number. You will not receive extra
credit for answering more than the required number of questions.
● You are bound by the NYU honor code not to give or receive unpermitted aid.
Name: ______________________________________________________________________
Part 1
Question #
Score
Part 2
Question #
1 (required)
TOTAL:
Score
Part 1 (45 points): Short-answer questions. Please answer any 9 of the following 12. You should explain
your thinking, but your answers need not be longer than a few sentences.
▢A.
Why is it important to zeroize cryptographic keys when implementing a protocol like Signal?
These protocols are designed to provide forward secrecy: keys are only used for one message and can
be deleted after use, to ensure that if the user’s device is compromised in the future, key material for
old messages will not remain. It’s important to zeroize, rather than simply delete, keys to ensure that
they aren’t left behind in memory once they’re no longer being used.
▢B.
Tor Browser Bundle (TBB) is a modified version of Firefox designed for use with Tor. TBB makes
several changes, such as sending a blank User-Agent string, no time zone or language
preferences, and not allowing JavaScript to enumerate the browser’s plugins. Explain why these
changes were made.
These attributes are all used for browser fingerprinting, identifying a user’s browser by its unique
combination of settings. It is especially important for Tor users, because their traffic will be sent from
different Tor exit nodes every 10 minutes as they change Tor circuits. The goal is to ensure the user’s
browser is not easily identifiable, which would allow linking the same browser to multiple Tor circuits.
▢C.
Does the MTA use an access control list-model or capability-model to authorize rides on the NY
subway? What would the subway experience look like if the opposite model were used?
MTA swipe cards work like capabilities: having the card enables spending the balance and riding. They
can be shared or delegated and used anonymously; no identification is needed. An ACL model would
require identifying every subway rider (like at the airport) which would probably be unworkable on
the subway given the volume of riders.
▢D.
Would it make sense for a web site to set both the secure and httponly attributes on the
same login cookie?
Yes: they protect against distinct attacks (secure against HTTP cookie-stealing and httponly against
cross-site scripting and other script-injection attacks). It is common to set both.
▢E.
Suppose you notice the following permissions set on the program foo in your UNIX system:
-rws-wx-wx 1 root root foo
Explain why this file represents a security risk.
This program is executable by all users and runs with root privilege. It is also writable by all users. So
any user can change the program’s behavior and run it as root. Effectively, all users can do anything as
root and this totally undermines system security.
▢F.
Are https://www.nyu.edu and https://nyu.edu considered the same origin under the
browser’s Same Origin Policy? Can they set cookies that will be sent to the other?
They are distinct origins as the hosts do not match (nyu.edu vs. www.nyu.edu). But they can share
cookies. Either can set a cookie with domain=nyu.edu which will then be sent to nyu.edu and all
subdomains (*.nyu.edu) and thus would go to both. Note that www.nyu.edu can set a domain for a
superdomain like nyu.edu (but not edu, which is a public suffix).
▢G.
Explain why modern browsers no longer allow JavaScript to query the CSS :visited property of
<a> tags.
The :visited property can be used for history-sniffing attacks. An attack website can load a lot of links,
then check the :visited property to see if the user had visited those sites before.
▢H.
Some versions of UNIX support a user called nobody that has no access rights to the file system.
Explain why Alice might download a program foo and set it with the following permissions:
-r-sr-xr-x 1 nobody nogroup foo
This program is set to run with the permissions of “nobody”. This is a weak way to isolate a script and
prevent it from accidentally accessing files it shouldn’t. Note that it still has normal group privileges
though (the setgid bit is not set).
▢I.
Support for the X-Frame-Options header was added to browsers to allow specific web pages
to declare that they should not be loaded in an iframe. What attack was this added to prevent?
This header will ensure that content is only loaded in a top-level frame. It prevents clickjacking/UI
redress attacks where a page is loaded in an iframe with misleading UI overlaid on top.
▢J.
Which cryptographic primitive is used by DNSSEC to improve the security of DNS, and what
property of DNS records is it meant to ensure?
DNSSEC adds signatures to DNS responses. It is meant to protect the integrity of results: a network
attacker cannot modify DNS results (DNS hijacking or DNS poisoning) without causing the signature
check to fail.
▢K.
Besides the fact that it leaves slightly fewer characters available for creating a secure password,
why should you be worried if your bank bans you from using the characters <>!" in your
password?
This is a sign that the server is not hashing passwords (passwords should only be stored in hashed
form). If the passwords are properly hashed, then any special characters will be converted and there is
no need to ban them to prevent SQL injection.
▢L.
Is it easier for an attacker on your unsecured wireless network to inject packets if you connect to
a server over TCP or over UDP?
It’s easier to inject packets over UDP. UDP is stateless so it’s trivial to inject packets which will be
accepted. TCP connections have state (specifically sequence numbers). Any injected packets must have
sequence numbers within the allowable window, or else the server (or client) will reject them.
Sequence numbers are picked randomly at the beginning of a session, so they are difficult to predict
exactly.
Part 2 (30 points total): Longer questions. Please answer question 1, then either 2 or 3:
▢1.
Exploits: Two out of three of the following code examples are vulnerable to the type of exploits
we discussed in class. For each, explain (a) what exploit the code is trying to defend against (b) if
still vulnerable, how an attacker can still exploit this code and what they can achieve by doing so.
If not vulnerable, explain why not.
a. A Python program set to run with root privilege which is designed to append
user-specified data to a file only if it is in a whitelist of allowed files:
Hint: abs_path() canonicalizes a filename by resolving any symbolic links and resolving
any path traversal characters (like “../”).
This code is vulnerable to the inverse of a TOCTTOU attack (instead it’s a time-of-use to
time-of-check attack). Although the code opens a file and then does the check, unlike the
traditional flow, an attacker can simply reverse the order of the attack. The attacker passes in a
symlink to a safe file, then tries to change the symlink to a dangerous file after the check is
performed. If successful (this requires an interrupt at the perfect time), the attacker can then
use this code to write to any file.
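One way to close the race described in this answer, as an added example (the exam's code is not reproduced on this page, and this is not it): resolve the user-supplied name exactly once with open(), then compare the opened descriptor's device and inode against the allowed files instead of re-checking the name. The function name append_if_allowed and the files in demo() are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def append_if_allowed(path, data, allowed):
    """Append data only if the file actually opened is an allowed file."""
    # Identify allowed files by (device, inode). The allowed paths are assumed
    # to live in directories that only root can modify.
    ids = set()
    for p in allowed:
        st = os.lstat(p)                      # lstat: never follow a symlink here
        if stat.S_ISREG(st.st_mode):
            ids.add((st.st_dev, st.st_ino))
    try:
        # The user-supplied name is resolved exactly once, by this open().
        fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_NONBLOCK)
    except OSError:
        return False
    try:
        st = os.fstat(fd)                     # describes the open file, not the name
        if (st.st_dev, st.st_ino) not in ids:
            return False                      # nothing has been written yet
        os.write(fd, data)
        return True
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a symlink is re-pointed away from the allowed file."""
    with tempfile.TemporaryDirectory() as d:
        ok, other, link = (os.path.join(d, n) for n in ("ok.log", "other", "link"))
        for p in (ok, other):
            open(p, "wb").close()
        os.symlink(ok, link)
        first = append_if_allowed(link, b"entry\n", [ok])
        os.remove(link)
        os.symlink(other, link)               # the swap described in the answer
        second = append_if_allowed(link, b"entry\n", [ok])
        with open(ok, "rb") as f1, open(other, "rb") as f2:
            return first, second, f1.read(), f2.read()
```

Because the decision is made on the descriptor, re-pointing the symlink after open() has no effect on which file is written.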
b. A Python web server which takes a user-specified password update and inserts into a
password database:
Hint: sha256(s).hexdigest() hashes the string s using SHA256 and returns the
resulting hash as a string of hexadecimal characters.
This code is safe. While a SQL query is created dynamically by string concatenation
which is usually a risky idea, the attacker-supplied input (new_pw) is hashed before being
added to the query string and converted to all hex characters. This will remove all control
characters and ensure that no SQL injection is possible. The replace(";","") code will have no
effect (any ‘;’ characters will have already been removed by the hashing).
c. A C function in a web server which copies a user-supplied password to local memory
then compares it against a target value, returning 4 * the number of errors found.
Hint: strncpy(dest, src, n) copies up to n characters from src to dest, stopping
early if a null byte is found. In this case, the null byte is copied. If n non-null bytes are copied, the
function stops without copying a null byte.
The following line is the problem:
buf[strlen(password)] = '\0'; // null-terminate!
While this is attempting to null-terminate the string, in case strncpy copies len bytes and
doesn’t null-terminate, note that this will write a single zero-byte at an arbitrary point in the
stack, depending on how long the user-supplied string is. Note that if the user passes in a
string of exactly 64 characters, this will overwrite the low-order bit of the local variable
“error_penalty” to be zero. This means that the loop will fail to count the number of
mismatched characters in the password and return 0 in all cases, meaning any password of
length 64 will cause the function to return true.
This does not allow for arbitrary code execution like a normal buffer overflow, but allows an
attacker to bypass a password check.
▢2.
The ENDBRANCH instruction: In 2016, Intel added a new instruction called ENDBRANCH.
Processes can choose to enable ENDBRANCH protection. Once enabled, after any jump the next
operation performed must be ENDBRANCH, or else the process terminates with an error.
a. To use this new instruction, is it necessary to re-write old C code? Is it necessary to
re-compile it?
It’s not necessary to re-write old code, but it does need to be re-compiled so that the compiler
can add ENDBRANCH instructions at the target of all branches.
b. Will this new instruction protect code that is vulnerable to stack-based buffer overflows?
Why or why not?
An attacker can easily bypass this: since they are writing code onto the stack and then
overwriting a function’s return address to jump to this code, they can place an ENDBRANCH
instruction at the point they are jumping to.
c. How will this instruction affect the use of NOP slides when developing exploits?
NOP slides should be replaced with ENDBRANCH slides to ensure that anywhere the code
jumps to will be an allowable place to jump to.
d. Will this new instruction affect return-to-library and/or return-oriented-programming
exploits?
Return-to-library attacks should still work, because they involve jumping to library functions
which must begin with an ENDBRANCH so that normal code can call them.
Return-oriented-programming typically involves jumping into the middle of existing functions.
ENDBRANCH will make this much harder, since the attacker must jump to existing
ENDBRANCH instructions.
▢3.
Spam and email addresses: Suppose that, frustrated with spam, you give out business cards
which each have a unique email address printed on them like the following:
jbonneau-74fbf54b28f0b54ab5d7879ed1c76992@jbonneau.com
a. Is this system more akin to an ACL or capabilities?
This is more like capabilities: one of these email addresses is like a capability to send you
email.
b. Assuming you plan to give out a maximum of about 1,000 business cards, about
how many bits long do you think the numeric suffix should be to ensure that it is
infeasible for a spammer to guess a valid address?
This requires some additional assumptions. First we need to define some acceptable
probability of the attacker successfully guessing an address. Suppose we can live with a 2^-64
probability of success. Furthermore suppose the attacker is willing to send 2^32 emails hoping to
get one through. Keeping in mind there are about 2^8 valid addresses, we would need
addresses to be 104 bits long in this case (64+32+8).
c. If you don’t want to store a database of all valid email addresses you’ve given
out, propose a way to use cryptography to generate addresses so that they are
easy to validate while only storing a single key. Describe exactly how each
address will be created.
Many approaches are possible, but the simplest is to have the address be a nonce plus a MAC
computed on that nonce using a secret key stored at the server. It’s also possible to use digital
signatures instead, which would mean the addresses can be verified by a server only knowing
the public key, which might be more secure but would require slightly bigger addresses.
Solutions using encryption are also possible.
d. How would you propose dealing with an address that one of your friends
accidentally leaks to a spammer?
Assuming a cryptographic solution like the one in part (c) is being used, so there is no list of all
email addresses given out, your mail server should keep a blocklist of revoked addresses, so
that once an address is compromised future mail to that address can be blocked. If a list of
valid addresses is kept, the compromised address simply needs to be deleted from this list.
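The nonce-plus-MAC scheme from part (c), together with the revocation blocklist from part (d), as an added example that is not part of the original solutions. The 8-byte nonce, the HMAC-SHA256 tag truncated to 104 bits, the hex encoding and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the exam): 8-byte random nonce and an
# HMAC-SHA256 tag truncated to 13 bytes = 104 bits, the length from part (b).
NONCE_LEN, TAG_LEN = 8, 13
USER, DOMAIN = "jbonneau", "jbonneau.com"


def _tag(key: bytes, nonce: bytes) -> bytes:
    # Bind the tag to the mailbox so a token is useless for another user.
    msg = USER.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def make_address(key: bytes) -> str:
    """Create a fresh address: user-hex(nonce || tag)@domain."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return f"{USER}-{(nonce + _tag(key, nonce)).hex()}@{DOMAIN}"


def _parse(address: str):
    """Return (nonce, tag), or None if the address is malformed."""
    local, _, domain = address.strip().lower().partition("@")
    prefix, _, token = local.partition("-")
    if domain != DOMAIN or prefix != USER:
        return None
    try:
        raw = bytes.fromhex(token)
    except ValueError:
        return None
    if len(raw) != NONCE_LEN + TAG_LEN:
        return None
    return raw[:NONCE_LEN], raw[NONCE_LEN:]


def is_valid(key: bytes, address: str, revoked: set) -> bool:
    """Accept mail only for a correctly tagged, non-revoked address."""
    parsed = _parse(address)
    if parsed is None:
        return False
    nonce, tag = parsed
    # Constant-time comparison; the server stores only `key` and `revoked`.
    return hmac.compare_digest(tag, _tag(key, nonce)) and nonce not in revoked


def revoke(address: str, revoked: set) -> None:
    """Part (d): blocklist a leaked address by its nonce."""
    parsed = _parse(address)
    if parsed is not None:
        revoked.add(parsed[0])
```

The server state is one secret key plus a blocklist that grows only when an address leaks, so issuing a new card never requires a database write.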