CS 161 Computer Security
For questions with circular bubbles, you may select exactly one choice on the Exam Tool.
For questions with square checkboxes, you may select one or more choices on the Exam Tool.
For questions with a large box, you need to write your answer in the text box on the Exam Tool.
There is an appendix at the end of this exam, containing descriptions of all C functions used on this exam.
You have 170 minutes, plus a 10-minute buffer for distractions or technical difficulties, for a total of 180 minutes. There are 10 questions of varying credit (200 points total).
The exam is open note. You can use an unlimited number of handwritten cheat sheets, but you must work alone.
Clarifications will be posted on the Exam Tool.
Q1 MANDATORY – Honor Code (5 points) Read the following honor code and type your name on Gradescope.
I understand that I may not collaborate with anyone else on this exam, or cheat in any way. I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported to the Center for Student Conduct and may further result in, at minimum, negative points on the exam and a corresponding notch on Nick’s demolition tool.
Solution: Everyone gets 5 free points for embracing the suck this semester.
We won’t take any points off if you entered something for a subpart that doesn’t exist, or if you filled in a text box on a multiple-choice question, or vice-versa. To be consistent, we will not consider any unnecessary writing/bubbling on your exam during grading (pretend it’s scratch work).
Q2 True/false (38 points) Each true/false is worth 2 points.
Q2.1 True or False: WPA2 is a protocol that translates IP addresses to MAC addresses. True False
Q2.2 True or False: Specification-based detection uses a blacklist. True False
Q2.3 True or False: If a pseudorandom number generator (pRNG) is secure, then an attacker who only sees the output of the pRNG is unable to learn its internal state.
Q2.4 True or False: Argon2 and PBKDF2 are appropriate algorithms to use when hashing and storing passwords in a database.
Q2.5 True or False: All forms of two-factor authentication (2FA) are resistant to phishing attacks. True False
Q2.6 True or False: Logging is a method of intrusion detection in which server log files are preserved so they can be asynchronously scanned to detect malicious activity.
Solution: False. ARP translates IP addresses to MAC addresses. WPA2 creates a secure connection at the link layer in a local wireless network and does not use IP addresses at all.
Solution: False. Specification-based detection uses a whitelist. Signature-based detection uses a blacklist.
Solution: True. If the internal state of the PRNG is known, then all future outputs can be predicted.
Solution: True. Argon2 is a slow hashing algorithm specifically designed for hashing passwords.
Solution: False. The only method of 2FA that is resistant to phishing attacks by design is security keys/WebAuthn/U2F. All other methods are vulnerable to phishing attacks.
Final Page 2 of 36 CS 161 – Spring 2021
Q2.7 True or False: Cryptographically secure MACs can be constructed using secure cryptographic hash functions.
Q2.8 True or False: When analyzing a cryptographic hashing scheme, preimage resistance (one-way) implies collision resistance.
Q2.9 True or False: Sending all DNS requests and responses over HTTPS can be used as an effective defense against censorship by preventing censors from knowing what websites you are visiting.
Q2.10 True or False: One-time pads, as long as they are used correctly, are secure against an adversary with infinite computational power.
Solution: True. This is the definition of logging.
Solution: True. HMAC, a secure MAC construction, is constructed using secure hash functions.
Solution: False. Preimage resistance says that given y, it is computationally hard to find any x such that H(x) = y. Collision resistance says that it is computationally hard to find a ≠ b such that H(a) = H(b). While these properties are related, one does not imply the other.
Solution: False. The censor may be unable to see the contents of the DNS response (because it’s encrypted in TLS), but the censor can still see what name servers you’re talking to and deduce what websites you’re visiting. The censor can also see what websites you’re visiting when you make a connection to the actual website.
Solution: True. As long as your key is randomly generated, XORing the key with the plaintext will result in a truly random ciphertext.
Formally, given a ciphertext, every single plaintext is equally likely, because each plaintext corresponds to a different key, and each key is equally likely. Even with infinite computational power, an attacker cannot determine what plaintext was sent.
Q2.11 True or False: TLS is able to prevent on-path attackers from learning metadata about your communications (e.g. request and response times, message length) by encrypting communications from a client to a server.
Q2.12 True or False: Publicly accessible stairs, walkways, and elevators can be considered part of the physical equivalent of a trusted computing base for airport security.
Q2.13 True or False: Clickjacking refers to a class of attacks where the attacker manipulates the user interface of a website to convince the user to click something that they did not intend to click on.
Q2.14 Consider two different detectors with the same false positive rate and false negative rate. Assume that false negatives and false positives are equally costly.
True or False: A website with a high volume of users but a low volume of attacks would benefit more from placing the detectors in series rather than in parallel.
Q2.15 True or False: Signature-based intrusion detection systems are good at identifying novel network attacks that have not been previously seen.
Solution: False. TLS does not hide message length. Recall that TLS uses symmetric encryption to encrypt messages after the plaintext, and symmetric encryption does not hide message length.
Solution: False. None of these items need to be relied upon for the correct functioning of airport security. Things like metal detectors, X-ray scanners, and TSA agents would be considered part of the TCB, since their malfunctioning would affect the effectiveness of airport security.
Solution: True. Detectors in series produce a lower false positive rate but higher false negative rate, which results in lower errors overall due to the high volume of users.
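Added example (not part of the original exam): the Q2.14 reasoning worked through numerically. It assumes the two detectors err independently, that "series" alerts only when both detectors fire and "parallel" alerts when either fires, and it uses constructed traffic volumes and rates.

```python
def combine(fpr: float, fnr: float, mode: str) -> tuple:
    """Combined (FPR, FNR) of two identical detectors, assumed independent."""
    if mode == "series":      # alert only if both detectors fire
        return fpr * fpr, 1 - (1 - fnr) ** 2
    if mode == "parallel":    # alert if either detector fires
        return 1 - (1 - fpr) ** 2, fnr * fnr
    raise ValueError("mode must be 'series' or 'parallel'")


def expected_errors(benign: int, attacks: int, fpr: float, fnr: float, mode: str) -> float:
    """Expected false positives plus false negatives, weighted equally."""
    combined_fpr, combined_fnr = combine(fpr, fnr, mode)
    return benign * combined_fpr + attacks * combined_fnr


def better_arrangement(benign: int, attacks: int, fpr: float, fnr: float) -> str:
    """Arrangement with fewer expected errors for this traffic mix."""
    series = expected_errors(benign, attacks, fpr, fnr, "series")
    parallel = expected_errors(benign, attacks, fpr, fnr, "parallel")
    if series == parallel:
        return "tie"
    return "series" if series < parallel else "parallel"


if __name__ == "__main__":
    # Constructed scenario: many legitimate requests, very few attacks.
    benign, attacks, fpr, fnr = 1_000_000, 100, 0.01, 0.05
    for mode in ("series", "parallel"):
        print(mode, combine(fpr, fnr, mode),
              round(expected_errors(benign, attacks, fpr, fnr, mode), 2))
    print("better:", better_arrangement(benign, attacks, fpr, fnr))
```

Under these assumptions series wins exactly when benign × FPR × (1 − FPR) exceeds attacks × FNR × (1 − FNR), which is why the benign-heavy site in the question favors it.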
Solution: False. Novel attacks that have not been seen before will not have existing signatures. Signature-based IDS does not identify novel attacks.
Q2.16 True or False: A primary advantage of a host-based intrusion detection system (HIDS) over a network-based intrusion detection system (NIDS) is that traffic can be analyzed in plaintext, since the host can access decrypted TLS traffic.
Q2.17 True or False: For organizations with a large number of network devices, network-based intrusion detection systems (NIDS) are easier to deploy and manage than host-based intrusion detection systems (HIDS).
Q2.18 True or False: The UDP protocol guarantees that packets are delivered to the destination server by detecting dropped packets and retransmitting them until they are acknowledged.
Q2.19 True or False: Alice decides to use Tor to protect herself from tracking and surveillance online. The Tor circuit contains three Tor nodes: an entry node, a relay node, and an exit node. Assume the nodes do not collude. The exit node knows Alice’s IP address but not the domain of the website she is visiting.
Q2.20 True or False: EvanBot is a real bot. (0 points)
Solution: True. It is hard for a NIDS to analyze encrypted TLS traffic, because TLS is designed to be end-to-end secure between the client and server. However, a HIDS is installed directly on the server, so it can access decrypted TLS traffic.
Solution: True. NIDS can be deployed at a single on-path location, while HIDS must be deployed on every single host and kept in sync with the latest rules/signatures/configuration.
Solution: False. UDP is best-effort and provides no delivery guarantees.
Solution: False. Using three nodes in the circuit, the Tor exit node will know the domain of the destination website, but does not know which IP address initiated the request. The exit node only knows the IP address of the middle relay node from which it received the request.
Solution: True. How dare you doubt our trusty AI.
Q3 Full Stack Security (17 points) Examtool is a test-taking website located at https://exam.cs161.org/. Assume that all network connections are made over HTTPS, unless otherwise specified.
Examtool uses session tokens for user authentication. Session tokens are stored as cookies with Domain=exam.cs161.org and no other cookie attributes (no Secure flag, no HttpOnly flag, Path=/).
When a student fills out or changes an answer, their browser makes a POST request to https://exam.cs161.org/submit_question with the student’s updated answers.
Q3.1 (5 points) Which of the following attacks could allow an adversary to read the session token cookie? Select all that apply.
(A) Reflected XSS attack at https://exam.cs161.org/
(B) Stored XSS attack at https://exam.cs161.org/
(C) Exploitable buffer overflow vulnerability in the student’s browser
(D) Root access to another device on the same Wi-Fi network that the student is using
(E) Root access to the Wi-Fi access point that the student is using
(F) None of the above
An exploitable buffer overflow vulnerability could allow an attacker to execute arbitrary code as the browser. If the attacker controls the entire browser application, they could read the cookies stored in the browser.
Root access to another device on the same Wi-Fi network makes the attacker an on-path network attacker. Root access to the Wi-Fi access point makes the attacker a MITM network attacker. However, since the requests are made with HTTPS/TLS, and TLS is end-to-end secure, network attackers will not be able to read cookie values (which are encrypted in TLS).
Q3.2 (4 points) For a question on an exam, Alice first submits “A” and then later changes her answer and submits “B”. What could a MITM attacker between Alice’s computer and the exam.cs161.org server do? Select all that apply.
(G) Perform a DoS attack to prevent Alice from submitting an answer choice
(H) Perform a replay attack to restore Alice’s saved answer to “A”
(I) Modify Alice’s submitted answer choice to “C”
(K) None of the above
However, TLS does not guarantee availability, so a MITM could prevent Alice’s request from reaching the server. For example, the MITM could use TCP RST injection to end the TLS connection (remember that TLS runs on top of TCP).
Q3.3 (4 points) Suppose the MITM attacker has identified a vulnerability in HTTPS that allows them to arbitrarily read and modify data in transit without detection. Alice submits another answer. What could a MITM attacker between Alice’s computer and the exam.cs161.org server do? Select all that apply.
(A) Set cookie values for the page at https://exam.cs161.org/
(B) Redirect Alice’s browser to https://evil.com/
(C) Access any file on Alice’s computer
(D) Change Alice’s answer choice without detection
(E) None of the above
Solution: The MITM attacker can now modify the contents of Alice’s message and change Alice’s answer choice.
The following subparts are independent of the previous subparts.
An instructor uploads an exam to Examtool by applying some cryptography to the exam and sending it over an insecure channel.
• m is the message to encrypt (i.e. the exam).
• ∥ is concatenation.
• k1 and k2 are two different secret keys known only to the Examtool server and the instructor.
• E(k, m) is the encryption function of an IND-CPA secure symmetric encryption scheme.
• MAC(k, m) is a secure MAC function.
For each pair of cryptographic schemes, select the scheme with fewer potential vulnerabilities.
Q3.4 (2 points) Select the more secure scheme:
(G) C = C1∥C2, where C1 = E(k1, m) and C2 = MAC(k1, C1)
(H) C = C1∥C2, where C1 = E(k1, m) and C2 = MAC(k2, C1)
(I)
Q3.5 (2 points) Select the more secure scheme:
(A) C = C1∥C2, where C1 = E(k1, m) and C2 = MAC(k2, C1)
(B) C = E(k1, m∥MAC(k2, m))
(C)
Solution: The first option reuses a key k1 in two different algorithms. The second option uses different keys k1 and k2 for two different algorithms. Key reuse is insecure, so the second option is more secure.
Solution: As shown in lecture, encrypt-then-MAC is more secure than MAC-then-encrypt.
The first option is encrypt-then-MAC, because the message is encrypted first, and then the MAC is applied on the ciphertext. The second option is MAC-then-encrypt, because the plaintext is MAC’d first, and then the message and MAC are encrypted.
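Added example (not part of the original exam): the scheme preferred in Q3.4 and Q3.5, C = E(k1, m)∥MAC(k2, E(k1, m)), with the receiver checking the tag before decrypting. HMAC-SHA256 is used for MAC, and E is a stand-in built from HMAC-SHA256 in counter mode with a random nonce so the block needs only the standard library; all function names, key sizes and the sample message are assumptions of this example.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in PRF so no AES library is needed.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def E(k: bytes, m: bytes) -> bytes:
    # Randomized encryption: fresh nonce, then m XOR keystream.
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(k, nonce, len(m))))

def D(k: bytes, c1: bytes) -> bytes:
    nonce, body = c1[:NONCE_LEN], c1[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(k, nonce, len(body))))

def MAC(k: bytes, data: bytes) -> bytes:
    return hmac.new(k, data, hashlib.sha256).digest()

def upload(k1: bytes, k2: bytes, m: bytes) -> bytes:
    # Encrypt-then-MAC with separate keys: C1 = E(k1, m), C2 = MAC(k2, C1).
    c1 = E(k1, m)
    return c1 + MAC(k2, c1)

def receive(k1: bytes, k2: bytes, c: bytes):
    # Verify the tag over C1 first; decrypt only if it matches.
    if len(c) < NONCE_LEN + TAG_LEN:
        return None
    c1, c2 = c[:-TAG_LEN], c[-TAG_LEN:]
    if not hmac.compare_digest(MAC(k2, c1), c2):
        return None
    return D(k1, c1)

def flip_bit(data: bytes, index: int) -> bytes:
    # Models modification in transit on the insecure channel.
    changed = bytearray(data)
    changed[index] ^= 0x01
    return bytes(changed)

if __name__ == "__main__":
    k1, k2 = os.urandom(32), os.urandom(32)  # two independent keys
    c = upload(k1, k2, b"Q1: constructed sample exam text")
    print(receive(k1, k2, c), receive(k1, k2, flip_bit(c, NONCE_LEN)))
```

Calling D directly on a modified C1 returns a plaintext with the same bit flipped, which shows why the IND-CPA scheme alone gives no integrity and the tag must be checked first.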
Q4.1 (5 points) In the same-origin policy, which of the following are used in determining the origin of an HTTP webpage? Select all that apply.
(A) IP
(B) Port
(C) Protocol
(D) Domain name
(E) Request path
(F) None of the above
(I) No, because https://cdn.abtesters.com uses a certificate that is signed for a different domain name.
(3 points) Bear Bank decides to move the login form to https://auth.bearbank.com and embed it on the homepage (https://bearbank.com/) in an iframe.
Bear Bank’s website is located at https://bearbank.com and contains the following HTML: