Introduction to Cybersecurity (WS 16/17) Practice Exam. Sample Solution Name Matriculation Seat

Size: px

Start display at page:

Download "Introduction to Cybersecurity (WS 16/17) Practice Exam. Sample Solution Name Matriculation Seat"

Tamsin Simpson
5 years ago
Views:

1 Introduction to Cybersecurity (WS 16/17) Date: 02/10/2017 Practice Exam The Tutors Saarland University Sample Solution Name Matriculation Seat The following practice exam is not part of the official teaching material and is therefore neither relevant nor irrelevant for the (re-)exam. Furthermore, we do not guarantee the correctness of the sample solution. DO NOT OPEN the exam until instructed to do so. Read all the instructions first. You have to write the exam on the seat with the number that has been assigned to you. The exam is closed-book, closed-notes. No auxiliary means are allowed. At your desk, you may only have writing utensils, beverages, food, ID cards, and an English dictionary. Bags and jackets have to be left at the walls of the lecture room, mobile phones and computers need to be switched off. The exam takes 180 minutes. You can get at most 180 points. The number of points you can get for an exercise thus gives you a hint about how much time you should spend on that exercise (1 minute per point). Write your solutions in the space provided after each problem or on the extra page provided for each problem. You can write your answers in German or English. Be neat and write legibly. It is in your best interest that we understand your answers. You will be graded not only on the correctness of your answer, but also on the clarity with which you express it. If you need to go to the bathroom during the exam, please turn in your exam booklet. Only one person may go to the bathroom at a time. Every attempt of deception will force us to exclude you from this exam and all following exams of this lecture. The University keeps a record of attempts of deception. Good luck! Problem Total Score Points

2 Sample Solution / Problem 1: System security part (60 points) 1. System Part 1 (30 Points) (a) Exercise 1 (ACL vs. Capabilities) (10 Points) For the two concepts Access control list (ACL) and Capabilities, briefly explain the core idea and how they differ. Access control list: Each object is associated with a list containing information about who has which rights to, for example, read or write into a file. A reference monitor then checks each subject against said list and eventually access is granted or denied. Capabilities: Each subject holds a unique token that gives information about which rights the subject has for which object. Here the reference monitor checks the token. The difference is that ACL is object centered whereas the concept of Capabilities is subjectcentered. (b) Exercise 2 (Access control on Linux) (15 Points) File permissions Owner Group File size Modification Date File Name rw r r Joe Students Feb 10 14:15 solution.leaked rw rwxrwx Bob Bob 343K Nov 5 00:36 fsociety.bin rwsrwx root Students 666K Jan 1 12:15 end-humanity.bin rwsrw Eve Students 9774K Mar 5 16:54 execute-me.bin Decide whether or not the following statements are true or false and explain your answer. We have that students = {Bob, Alice, Caroline}. (i) Eve can write into solution.leaked. (ii) Caroline can execute end-humanity.bin with RUID 0. (iii) Bob can execute end-humanity.bin. (iv) Caroline can execute execute-me.bin with the EUID of Eve. (v) root can read execute-me.bin. Solution: (i) No, only the owner Joe can write into the file. (ii) Not with this RUID. (iii) Yes, he can, because he is in the students group. (iv) No, Caroline can not execute this file. (v) Yes, root has full filesystem privileges. 2

3 2. System Part 2 (35 points) The Bank of the VVest uses the following backdoored 32-bit program in order to transfer an amount of 10 euros to the account number that is contained within the file account.txt. 1 # include <stdio.h> 2 # include < stdlib.h> 3 # include < string.h> 4 5 void backdoor () 6 { 7 //... 8 // Backdoor code. 9 // } void perform_ transaction ( char * account, int amount ) 13 { 14 fprintf ( stdout, " Transfer %d euros to %s.\n", amount, account ); 15 // // Code which actually performs the transaction. 17 // } void read_ transaction ( FILE * f) 21 { 22 int amount = 10; 23 int canary = 0 x256 ; 24 char buf [10]; 25 memset ( buf, 0, sizeof ( buf )); // Fill the buffer with zeroes 26 fread ( buf, 54/3, 1, f); // Read 54/3 bytes into buf 27 if( canary!= 0 x256 ) 28 { 29 fputs (" ABORTING : Manipulation attempt detected.\ n", stderr ); 30 exit (1) ; 31 } 32 perform_ transaction ( buf, amount ); 33 } int main ( int argc, char ** argv ) 36 { 37 FILE *f = fopen (" account. txt ", "r"); 38 if(f == NULL ) 39 { 40 perror (" Failed to open file "); 41 exit (1) ; 42 } 43 read_ transaction ( f); 44 fclose (f); 45 } You have write access to the file account.txt because the self-proclaimed cybersecurity experts of the bank missed to set its file permissions correctly. For the following tasks, assume that sizeof(int) amounts to 32 bits and that there is no alignment or reordering of local variables. 3

4 (a) Stack Layout (8 Points) Draw the stack layout of the function read transaction. Make sure to include the saved frame pointer, all local variables and the return address as well as their addresses on the stack. Assume that the buffer is located at address 0x The values for the saved frame pointer and the return address are left out here as you cannot deduct the information from the exercise. (b) Vulnerability (6 Points) Locate, name and describe the apparent vulnerability of the program. Is it possible to divert the control flow of the program to the backdoor function by crafting malicious input? Explain. There is a buffer overflow vulnerability in line 26. It is not possible to divert the control flow to the backdoor function because this would require the ability to overwrite at least one byte of the saved frame pointer. However, this is infeasible as the buffer s bound can be exceeded by eight bytes only. As the size of 32-bit integers amounts to four bytes, this is sufficient to overwrite the variables amount and canary only. Following the amount variable on the stack, it is not possible to overwrite the saved frame pointer, which would require the buffer s bound to be exceeded by nine bytes at least. (c) Stack Canary (6 Points) Explain the functionality of the stack canary. Under which circumstances does it protect against an attacker? Consider a compiler performing optimizations by removing dead (unused) code. What could possibly go wrong with this type of canary check? The stack canary is overwritten if the buffer overflows by one or more bytes. If the canary check detects that the canary value differs from the original value 0x256, it will abort execution of the program and prevent a potentially malicious transaction to be performed. It only provides protection to an attacker who does not know the canary value and who does not have the ability to perform exhaustive search (brute force) on the value. Considering a compiler that removes dead code, the canary check could be optimized away because the canary variable is not referenced anywhere between its assignment and its check. Therefore, the compiler might assume that it is a constant, without regarding that it could be modified by undefined behavior. 4

5 (d) Exploitation (4+11 Points) Craft an input exploiting the vulnerability on a Little-Endian system in order to transfer 100 euros to the bank account without causing a program crash. i. How do you overwrite the canary without triggering manipulation detection? Calculate how the four bytes overwriting the canary have to be crafted. 256 = = 0x100 Applying Little-Endian ordering, we get the following bytes needed to replace the canary: 0x00 0x01 0x00 0x00 That is, the first four bytes exceeding the buffer size must correspond to these bytes in the provided order. ii. Exactly state the contents of the file account.txt for your exploit in hexadecimal and describe how you crafted it. The ASCII code of 0 is 0x30. The hexadecimal value of 100 can be calculated as follows: 100 = = 0x64 We can therefore craft a file containing the following bytes: 0x31 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x00 0x00 0x00 0x01 0x00 0x00 0x64 0x00 0x00 0x00 The first eight bytes correspond to the ASCII representation of the account number. They are followed by a null-terminator in order to properly terminate the string. Another null byte follows in order to completely fill the buffer with ten bytes of data. However, this byte can be chosen arbitrarily. The bytes 0x00 0x01 0x00 0x00 follow, being the bytes that are required in order to overwrite the stack canary as shown in a). The stack canary is then followed by the value that is supposed to overwrite amount, in Little-Endian order. 5

6 Sample Solution / Problem 2: Web security (30 points) 1. Exercise 1: SQL Injection (30 points) Assume the following PHP function that checks if your login credentials are valid: 1 function check_ login ( $user, $pwd ) { 2 global $database ; 3 4 $query = $database - > prepare (" SELECT id, password, salt FROM users WHERE username = : user AND password = ". $pwd." "); 5 6 $query -> bindparam ( : user, $user ); 7 $query -> bindparam ( : pwd, $pwd ); 8 9 if (! $query -> execute ()) { 10 echo " error sql statement execution "; 11 echo $query - > errorinfo (); 12 } else { 13 $retval = $query - > fetchall (); 14 if( count ( $retval ) == 0) // count returns number of rows 15 return 0; // No valid login 16 } 17 return 1; 18 } (a) Explain the apparent SQL Injection vulnerability in this function: (5 Points) The prepared statement is used wrong. In the query at line 4 there is a parameter identifier for user but the password is simple append to the query as string concatenation. Therefore, you can inject SQL statements via the password variable such that you can perform arbitrary statements. The function does not crash because bindparam() does return true if it has replaced the placeholder with the variable and false if it fails. (b) Create values for $user and $pwd that can successfully login and explain why this works: $usrr = arbitrary String, for example admin $pwd = OR 1=1 (c) Briefly explain how to successfully fix this vulnerability: (15 Points) (10 Points) Input validation filter, for example disallow apostrophes, semicolons, percent symbols, hyphens, underscores,... Check of any character that has special meaning and check of the data type (e.g. make sure it s an integer) Whitelisting characters, (blacklisting chars does not work because you can forget to filter out some characters and you could prevent valid input (e.g. username O Brien)) Allow only well defined set of safe values, sets should be implicitly defined through regular expressions. Prepared statements which allow creation of static queries with bind variables such that it preserves the structure of intended query. 6

7 Sample Solution / Problem 3: Cryptography part (60 points) 1. Private Key Cryptography (40 points) (a) Consider an encryption scheme = (Gen, Enc, Dec) where Gen outputs k K := {0, 1} n \{0 n } uniformly at random Enc : {0, 1} n K {0, 1} n : Enc(m, k) = k m Dec : {0, 1} n K {0, 1} n : Dec(c, k) = k c Prove or disprove whether satisfies perfect secrecy. (8 Points) No! Since the key space K is smaller than the message space, perfect secrecy can not be achieved. 7

Figure 1: Source: Wikimedia, changed (b) Consider the arbitrary length encryption given by Figure 1 where the IV is 1 n and the block cipher encryption Π = (BGEN, BEN C, BDEC) is correct and secure

8 Figure 1: Source: Wikimedia, changed (b) Consider the arbitrary length encryption given by Figure 1 where the IV is 1 n and the block cipher encryption Π = (BGEN, BEN C, BDEC) is correct and secure against chosen plaintext attacks. i. Show how decryption is done by drawing a picture or giving a function Dec. ii. Show that the given scheme is not secure against chosen plaintext attacks. In other words, construct two messages for which you can easily identify which one was encrypted given only a ciphertext. (20 Points) i. Be c = c 1 c 2... c l then Figure 2: Source: Wikimedia Dec k (c i ) = { BDEC k (c 1 1 n ) for i=1, BDEC k (c i ) c i 1 otherwise ii. Consider an attacker A doing the following. Note that A has access to an encryptionoracle and n is the block-length: A. Query O with 1 n 1 n, the first block of the response will be BENC k (1 n 1 n ) = BENC k (0 n ) denote it as resp. B. A outputs (m 0, m 1 ) with m 0 = m 0,0 m 0,1 = 1 n 0 n and m 1 = m 1,0 m 1,1 = 0 n 0 n and receives c b which is either the encryption of the first or second element of the tuple A submitted. C. A then checks whether the first block is equal to resp. If and only if so A outputs 0 else 1. As the IV will always be 1 n the encryption of the first block is defined as BENC k (IV m b,0 ) = BENC k (1 n m b,0 ). If m 0 is chosen, then this is equal to resp but as Π is correct BENC k (1 n 0 n ) BENC k (1 n 1 n ) so the bit output by A is always the right one. Therefore A will always win the CPA-Game, so the scheme is not CPA-secure. (c) Let K := {0, 1} n and let (GEN, MAC, V RF Y ) be a MAC-scheme. GEN outputs a key k = (k 1, k 2 ) drawn uniformly at random from K K. Furthermore, let MAC : (K K) {0, 1} n {0, 1} n : MAC((k 1, k 2 ), m) = k 1 m k 2 8

9 be a MAC function. VRFY takes a key k, a message m and a tag t and checks whether t = MAC((k 1, k 2 ), m). Show that this MAC-Scheme is insecure as follows: Given a finite number of tags t i for messages m i chosen by yourself, construct a tag t for a message m m i also chosen by yourself. Assume t is a valid tag for the message m. then t 1 n is a valid tag for m 1 n : (12 Points) V RF Y ((k 1, k 2 ), t 1 n, m 1 n ) (k 1 (t 1 n ) k 2 = m 1 n ) (k 1 t k 2 = m) 9

10 2. Public Key Cryptography (20 points) (a) Compute Z 33 and show your steps. Since 33 = 3 11 it holds that: (5 Points) (b) Consider Z 7. Solve the following equations. i. 2 mod 7 = ii. 3 6 mod 7 = iii. (5 6) mod 7 = φ(n) = (3 1) (11 1) = 20 i. 2 mod 7 {3, 4} ii. 3 6 mod 7 = 1 iii. (5 6) mod 7 = 2 (c) Compute 5 1 in Z 11 and show your steps. Using repeated squaring: (9 Points) (6 Points) 5 1 = 5 9 = = (5 4 ) 2 5 = ((5 2 ) 2 ) 2 5 = (3 2 ) 2 5 = = 4 5 = 9 Using a similar technique: 5 1 = 5 9 = (5 3 ) 3 = 4 3 = 9 10

11 Sample Solution / Problem 4: Privacy and Theory (30 Points) 1. Privacy (15 Points) (a) Exercise 1 (K-Anonymity) In this exercise you should analyze K-Anonymity of datasets. Assume for this exercise, that AGE, GENDER, RELATIONSHIP STATUS are quasi identifiers. (15 Points) Table 1: Dataset 1 RELATIONSHIP STATUS GENDER AGE FAVOURITE GAME in Relationship male Call of Duty single male Minecraft single male Minecraft in Relationship female Skyrim single male Minecraft in Relationship male Call of Duty in Relationship female Skyrim in Relationship female Skyrim Table 2: Dataset 2 RELATIONSHIP STATUS GENDER AGE FAVOURITE GAME single male Call of Duty single male Minecraft in Relationship male World of Warcraft in Relationship male Skyrim in Relationship female League of Legends in Relationship female Half Life 3 single female Bioshock single female Far cry 2 Table 3: Dataset 3 RELATIONSHIP STATUS GENDER AGE FAVOURITE GAME single male Call of Duty single male Minecraft single male World of Warcraft single male Skyrim single male League of Legends single male Half Life 3 single male Bioshock single male Far cry 2 For each Dataset 1-3 check if it satisfies K-Anonymity. If so, what is the maximal k for which it satisfies K-Anonymity? Explain your answer. 11

12 We first note that every Dataset satisfies the definition of K-Anonymity with k= 1, which means that every person can hide in a set of at least size one (e.g., the set containing only themselves). Consequently, we only need to find the maximal k for each dataset. Dataset 1 The first dataset satisfies K-Anonymity with k=2, because we can partition the dataset in 3 anonymity sets of size 2: 3x(single,male,14-18), 3x(in Relationship,female,19-23), 2x(in Relationship,male,19-23) Dataset 2 In dataset is a person with a different age compared to the others. (in Relationship,female,19-23) is a set of quasi identifiers that appears only once. So this dataset satisfies k-anonymity with k=1 Dataset 3 In this dataset every person has the same quasi identifiers, whats satisfies K-Anonymity with k=8 2. Information Flow (15 Points) In this exercise you have to look at the information processing of a short program. In the last few months, Bob always forgot his PIN as he wanted to do online banking, so he wrote a short program, that should output his PIN if he inputs a password he surprisingly always remembers. Assuming the password is really strong, what are the problems with his code? (a) What are the Information Flow problems in this program? Name at least 2 and briefly explain them. You can assume that secretpin, var, var2 are high variables. 1 def f1(var ): 2 secretpin = low2 = rev ( secretpin ) 4 if ( iscorrect ( var )): """ returns True if password is correct """ 5 return secretpin 6 else if ( var == foobar ): 7 return rev ( low2 ) """ reversed integer is returned """ 8 else : 9 return def main ( password ): 12 low = 0 13 if (f1( password ) == 0): 14 return 0 15 else : 16 var2 = f1( password ) 17 while ( var2 > 0): 18 var2 = var low = low return low password = raw_ input (" Please enter your password ") 23 main ( password ) (15 Points) 12

13 line 13-19: Here is a conditional and also timing flow. The while-loop depends on a high variable and assigns it indirectly to a low variable. also the time that this computation needs depends on the high variable. line 3: If the password is foobar then the reversed form of low2 is returned. The problem here is that low2 gets the reversed value of secretpin with a wrong password you nevertheless get the correct secretpin 13

Introduction to Cybersecurity (WS 16/17) Practice Exam. Name Matriculation Seat

Introduction to Cybersecurity (WS 16/17) Date: 02/10/2017 Practice Exam The Tutors Saarland University Name Matriculation Seat The following practice exam is not part of the official teaching material