CS 361S - Network Security and Privacy Spring Homework #2

Similar documents
CS 361S - Network Security and Privacy Spring Homework #3

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CS 361S - Network Security and Privacy Spring Homework #1

Software Security: Buffer Overflow Attacks (continued)

Program Security and Vulnerabilities Class 2

Software Security: Buffer Overflow Defenses and Miscellaneous

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Software Security: Miscellaneous

Homework 5: Exam Review

CSE 565 Computer Security Fall 2018

Software Security: Misc and Principles

DO NOT OPEN UNTIL INSTRUCTED

Software Security: Buffer Overflow Defenses

CS 361S - Network Security and Privacy Spring Project #1

CS 155 Final Exam. CS 155: Spring 2006 June 2006

CS 161 Computer Security

Runtime Defenses against Memory Corruption

Software Security: Buffer Overflow Attacks

COMP3441 Lecture 7: Software Vulnerabilities

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Buffer Overflow Attacks

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Cyber Moving Targets. Yashar Dehkan Asl

Internetwork Expert s CCNA Security Bootcamp. Common Security Threats

We will focus on Buffer overflow attacks SQL injections. See book for other examples

CS 161 Computer Security

Buffer Overflow Defenses

C and C++ Secure Coding 4-day course. Syllabus

Buffer overflow prevention, and other attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

CS 361S - Network Security and Privacy Spring Project #2

CS 161 Computer Security

Persistent key, value storage

UMSSIA LECTURE I: SOFTWARE SECURITY

INNOV-09 How to Keep Hackers Out of your Web Application

CSE 565 Computer Security Fall 2018

The Security Problem

Lecture 33. Firewalls. Firewall Locations in the Network. Castle and Moat Analogy. Firewall Types. Firewall: Illustration. Security April 15, 2005

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

Endpoint Security - what-if analysis 1

BEng (Hons) Telecommunications. Examinations for / Semester 1

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Fundamentals of Computer Security

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Curso: Ethical Hacking and Countermeasures

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CS 161 Computer Security

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Software Security II: Memory Errors - Attacks & Defenses

Introduction to Penetration Testing: Part One. Eugene Davis UAH Information Security Club February 21, 2013

Network Security. Thierry Sans

CS 161 Computer Security

Secure Software Development: Theory and Practice

CS 161 Computer Security

CS System Security 2nd-Half Semester Review

CS 161 Computer Security

Memory Safety (cont d) Software Security

Office Hours and Locations. Vyas: Th 15:30--17:00 or by appointment, CIC 2122 Zach: Mon 17:00--18:00, CIC 2214 Tiffany: Tu 16:00--17:00, CIC 2214

GCIH. GIAC Certified Incident Handler.

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

CS161 Midterm 1 Review

Computer Security Fall 2006 Joseph/Tygar MT 3 Solutions

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

Memory Corruption Vulnerabilities, Part II

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

CS 161 Computer Security

Int ernet w orking. Internet Security. Literature: Forouzan: TCP/IP Protocol Suite : Ch 28

ETHICAL HACKING & COMPUTER FORENSIC SECURITY

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Software Security (cont.): Defenses, Adv. Attacks, & More

414-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7

The Edward S. Rogers Sr. Department of Electrical and Computer Engineering

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER


Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

CS321: Computer Networks TELNET, SSH

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Security: Threats and Countermeasures. Stanley Tan Academic Program Manager Microsoft Singapore

CS 155 Final Exam. CS 155: Spring 2012 June 11, 2012

CSE484 Final Study Guide

Securing Internet Communication: TLS

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

SoK: Eternal War in Memory

Buffer overflow background

EasyCrypt passes an independent security audit

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

DAY 3. CS3600, Northeastern University. Alan Mislove

Secure coding practices

CS System Security Mid-Semester Review

Transport Level Security

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

CS Programming Languages Fall Homework #2


Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CSE 565 Computer Security Fall 2018

Transcription:

CS 361S - Network Security and Privacy Spring 2014 Homework #2 Due: 11am CDT (in class), April 17, 2014 YOUR NAME: Collaboration policy No collaboration is permitted on this assignment. Any cheating (e.g., submitting another person s work as your own, or permitting your work to be copied) will automatically result in a failing grade. The Deparment of Computer Science code of conduct can be found at http://www.cs.utexas.edu/undergraduate-program/code-conduct. Late submission policy This homework is due at the beginning of class on April 17. All late submissions will be subject to the following policy. You start the semester with a credit of 3 late days. For the purpose of counting late days, a day is 24 hours starting at 11am on the assignment s due date. Partial days are rounded up to the next full day. You are free to divide your late days among the take-home assignments (3 homeworks and 2 projects) any way you want: submit three assignments 1 day late, submit one assignment 3 days late, etc. After your 3 days are used up, no late submissions will be accepted and you will automatically receive 0 points for each late assignment. You may submit late assignments to Vitaly Shmatikov or Oliver Jensen. If you are submitting late, please indicate how many late days you are using. Write the number of late days you are using: 1

Homework #2: Return to Molvanîa (50 points) Problem 1 molvcrypt is a string encryption function from a popular Molvanîan software library. /* * str: An input string to be encrypted. * key: An 8-byte encryption key. * On failure, this function should return NULL. * On success, this function should return a pointer to a string that * has the length of the encrypted string encoded in the first 4 bytes, * followed by the actual encrypted string (not NULL-terminated). */ char *molvcrypt(char *str, char *key) { size_t len = strlen(str); char *crypted = malloc(len + 4); unsigned int i; for (i = len; i!= 0; i--) { } *(crypted + i + 4) = *(str + i) ^ (key[i%8]); // XORing with the key } *(size_t *)(crypted) = len; return crypted; Problem 1a (4 points) Mark every unsafe memory operation in the above code and explain why it is unsafe. Problem 1b (4 points) Add the missing checks needed to ensure that all memory operations in this code execute safely. Write these checks as inline comments in the blank spaces where they should have appeared in the code. 2

Problem 2 All Molvanîan C compilers for x86 insert stack canaries into generated code to prevent stack smashing attacks. Nevertheless, Molvanîan Cyber-Security Bureau mandates the use of libsafe with all executables compiled from C. Problem 2a (3 points) What additional protections are gained by using libsafe with stack-canary-equipped executables? Problem 2b (4 points) Consider the following code: void omgwtfbbq() { char query[256]; char *p = query; char uid[64]; char pwd[64]; } strcpy(p, "UPDATE user_accts SET password = "); p += strlen(p); gets(uid); gets(pwd); strcpy(p, pwd); p += strlen(p); strcpy(p, " WHERE userid = "); p += strlen(p); strcpy(p, uid); p += strlen(p); strcpy(p, " "); db_query(query); In addition to the obvious SQL injection vulnerability, this code is vulnerable to stack smashing. Suppose the compiler inserts stack canaries and all C string functions are protected by libsafe. Does this protect this code from stack smashing? 3

Problem 3 x68 is Molvanîan homegrown chip architecture. upwards. Unlike on x86, the stack on x68 grows Problem 3a (4 points) How does a stack overflow attack work on x68? Problem 3b (4 points) How would you implement stack canaries on x68? What would be the main differences from x86? Problem 3c (4 points) How would you implement libsafe on x68? What would be the main differences from x86? Problem 4 A famous Molvanîan hacker R00tkowski proposes the following defense against buffer overflow attacks. All code pages should be mapped to low memory addresses (e.g., from 00000000 to 0000FFFF on x86 machines) and the rest of the pages should be marked as non-executable. 4

Problem 4a (3 points) Would this technique prevent standard stack smashing exploits? What about return-to-libc? Explain. Problem 4b (3 points) Assuming that hardware modifications are not feasible, which system components (OS, compiler, linker, run-time environment, etc.) must be modified to implement this technique? Problem 4c (3 points) What are the disadvantages of protecting memory in this way? Problem 5 Blind IP spoofing is an attack that hijacks an existing TCP connection between two hosts. Suppose hosts A and B are communicating using TCP. The attacker first establishes a connection with A. Because TCP sequence numbers are often assigned sequentially, the attacker uses the sequence numbers in his own connection to approximately guess the sequence numbers in the connection between A and B. The attacker then sends packets with B s source address and an appropriate sequence number to A. Host A believes that these packets were sent from B and executes commands contained in them. 5

Problem 5a (2 points) Why is this attack called blind? Problem 5b (4 points) Suppose that when the connection between A and B is established, TCP sequence numbers are computed in the same way as in the SYN cookie defense against denial of service. Does this help against blind IP spoofing? Explain. Problem 6 (4 points) The Molvanîan Institute for Advanced Cryptology developed a new method for protecting network communications. Their idea is to use Wide-Area Authenticated, Confidential Keys (WACK) to guarantee authentication, confidentiality, and integrity for every network packet. Assume that the endpoints of the connection already share key K, their secret WACK. Let p be the plaintext packet. The sender encrypts p with K using the AES block cipher in counter mode, appends SHA-1(K, p) to guarantee integrity and authentication, and sends the resulting tuple over the insecure network. What, if anything, is wrong with this method? Problem 7 (4 points) Molvanîan Security Agency (MSA) stores important secret documents on its internal website http://msa.mi/topsecret. The Web server hosting this site is configured to reject all connections from IP addresses located outside the MSA s local network. 6

Suppose an employee of MSA visits an external website. Explain how the owner of this website can use DNS cache poisoning to steal documents stored at msa.mi/topsecret (you should assume that the Web browser on the employee s computer correctly enforces the same origin policy). 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback