计算机代考程序代写 SQL javascript dns database chain compiler Java GPU android DHCP algorithm 1. (21 points) Circle True or False. Do not justify your answer. – cscodehelp代写
1. (21 points) Circle True or False. Do not justify your answer.
(a)
(b) (c) (d) (e) (f)
(g)
True or False : DHCP spoofing can be prevented by using Ethernet instead of wireless.
True or False: SYN Cookies help defend against distributed syn flooding at- tacks.
True or False: Source port randomization is a helpful defense against Kaminsky blind spoofing.
True or False : An off-path attacker is more powerful than an on-path attacker: anything an on-path attacker can do, so can an off-path attacker.
True or False: An on-path attacker is more powerful than an off-path attacker: anything an off-path attacker can do, so can an on-path attacker.
True or False : Internet censorship requires an in-path attacker (i.e., an on-path attacker that can both observe all packets and also drop any packets the censor wishes).
True or False: If you use HTTPS but not DNSSEC, the confidentiality of data you send over HTTPS is protected against on-path attackers (ignoring implemen- tation bugs and/or CA failures).
True or False : If you use HTTP and DNSSEC, the confidentiality of data you send over HTTP is protected against on-path attackers (ignoring implementation bugs and/or CA failures).
True or False : CBC mode encryption provides both confidentiality and integrity.
Solution: DHCP requests and responses are broadcast.
Solution: As we saw in the lecture on Internet censorship, an on-path attacker (who can observe all packets but not drop packets) can censor connections.
Solution: Without DNSSEC, you might be connecting to the wrong server, but even if you’re connecting to the attacker, the TLS connection will fail because the attacker doesn’t have the right private key or cert to impersonate the real server.
(h)
(i)
Solution: DNSSEC only ensures that you’re sending packets to the correct IP address. On-path attackers can observe the packets you send directly, even if you send them to the correct server.
Solution: It doesn’t provide integrity.
(j)
(k)
(l) (m)
(n)
(o) (p)
(q) (r)
(s)
True or False: CBC mode encryption provides confidentiality against chosen- plaintext attacks (IND-CPA security).
True or False : Using a pseudorandom number generator, seeded by the current time of day (measured to microsecond precision), is a good way to generate an AES key.
True or False: Cryptography is a reasonable defense if an adversary might be able to eavesdrop on network packets.
True or False : Stack canaries are a good defense against heap-based buffer overflows.
True or False : Fuzz-testing requires access to source code to find vulnerabilities.
True or False: Prepared statements are a good defense against SQL injection. True or False : Setting the “secure” flag on a cookie (so it will only be sent over
HTTPS) is a good defense against CSRF.
True or False : TLS does not provide confidentiality if you use a TCP imple- mentation whose TCP initial sequence numbers are predictable.
True or False : Access control ensures that authorized users who have access to sensitive data won’t misuse it.
True or False : Alice wants to communicate with Bob using Tor with 3 inter- mediaries. If the first 2 intermediaries are dishonest, they will be able to determine that Alice and Bob are communicating.
Solution: See lecture notes.
Solution: Such a seed is guessable, enabling brute-force attacks to recover the AES key.
Solution: They’re aimed at overflows of stack-allocated buffers; an overflow of a buffer in the heap won’t overwrite the canary and won’t be detected by the stack canary defense.
Solution: Fuzz-testing doesn’t require access to source code; you can fuzz test a binary.
Solution: Access control only limits which users can access the data; it can’t restrict what they do with the data, once they have it.
Page 2
Solution: They can see packets coming from Alice, but can’t tell where they are going (they can see that they’re going towards the 3rd intermediary, but can’t tell where they’ll go from there).
(t)
(u)
True or False : When a client sends a message over the Tor network, Tor’s onion routing works because each intermediary encrypts the message they receive with the public key of the following intermediary, so no one else can decrypt the messages.
True or False: The homomorphic properties of encryption allow servers to com- pute products or sums of encrypted data without having to decrypt it, as long as the data is encrypted with the right encryption algorithm.
Solution: All encryption is done by the client, not by the intermediaries. The client encrypts multiple times, in a nested fashion, once per intermediary; each intermediary then removes one level of encryption.
Solution: e.g., RSA or Paillier.
2. (12 points) You are doing a security test of a website, ShopSMart.com. In each part be- low, based on the symptoms you observe, give the name of the type of vulnerability that is most likely responsible for those symptoms. Write just the name of the type/category of vulnerability (e.g., “buffer overrun”); you don’t need to write a detailed description of the specific attack or vulnerability.
(a) You try to sign up for an account and type Can’t stop the signal into the text field for entering your last name. When you click the button to submit the form, you see an error page that mentions a syntax error in the database query.
What type of vulnerability does this most likely indicate?
(b) You sign up under your real name, then place an order for 65539 bookmarks: you add the bookmark to your cart and enter a quantity of 65539. You place the order. A week later, a giant package arrives at your doorstep containing 65539 bookmarks. You check your credit card bill, and you see you’ve only been charged for 3 bookmarks.
What type of vulnerability does this most likely indicate?
(c) ShopSMart.com has a one-click buy feature: on the web page for each item, there is a button labelled “Buy instantly!”. If you click that button while logged in, it
Solution: SQL injection
Solution: Integer overflow or integer conversion vulnerability (other answers may be valid as well).
Page 3
instantly places an order for the item and charges your credit card on file, without requiring you to go through any other web pages (there’s no separate checkout page, no confirmation page—the order is placed immediately). You view the HTML source for the page for the bookmark, and you see
You know this means that when the button is clicked, the browser will load the page http://shopsmart.com/instantbuy&item=bookmark. Looking through the rest of the page source, the page doesn’t appear to contain any Javascript.
What type of vulnerability does this most likely indicate?
3. (8 points) You have a secure cryptographic hash function H : {0, 1}2n → {0, 1}n that takes 2n-bit inputs and outputs a n-bit digest. You want to create a secure cryptographic hash function F : {0, 1}4n → {0, 1}n that takes 4n-bit inputs and outputs a n-bit digest. How could you do this? Fill in the definition below, assuming w,x,y,z are each n-bit values:
(Don’t explain or justify your answer.)
4. (12 points) (a) A code injection attack is one that involves attacker-chosen code being introduced into an application and then executed. Which of the following attacks
are a form of code injection attack? Circle all that apply.
1. Buffer overflow
2. Port scanning
3. Kaminsky-style blind spoofing of DNS responses
4. CSRF
5. TCP SYN flooding
6. Clickjacking
7. XSS
8. Browser-in-browser attacks
9. None of the above
Solution: CSRF.
Solution: F(w,x,y,z)=H(H(w,x),H(y,z)orF(w,x,y,z)=H(w,H(x,H(y,z))) or F (w, x, y, z) = H(H(H(w, x), y), z), etc.
Also fine: F (w||x||y||z) = H(H(w||x)||H(y||z)), etc.
Page 4
(b) In iOS, each app runs with the userid mobile. In Android, each app runs with a unique userid specific to that app. Which of these two better follows the principle of least privilege? Why?
5. (12 points) The Chrome browser contains a built-in filter which attempts to block cer- tain attacks. When a user visits http://website.com/foo.html?name=value, Chrome looks at the HTML response and checks all Javascript scripts in the page to see if any of them are contained in (that is, a substring of) value; if so, Chrome refuses to execute that script.
For each part, circle Yes or No, then explain in a sentence why or why not. Assume the attacker doesn’t try to do anything special to bypass the filter.
(a) Will this stop reflected XSS attacks?
Yes No
Explanation:
(b) Will this stop stored XSS attacks? (Stored XSS is also known as persistent XSS.)
Yes No
Explanation:
(c) Will this stop CSRF attacks?
Yes No
Explanation:
6. (15 points) (a) When users of bank.com are logged in, a request to bank.com/session.js returns a Javascript file containing
Solution: Android. Each userid can be assigned a different set of permissions.
Solution: Yes (at least some): they involve malicious data being copied from value into the response.
Solution: The malicious data in the HTML response comes from the database, not from a URL parameter.
(A prior request causes malicious data to be stored into the database; then later the victim visits a page that causes it to be copied from the database to the HTML response. That’s two requests. Neither one will be blocked by Chrome.)
Solution: In CSRF the harm is done by the server acting on the request; the response is irrelevant.
Page 5
var session_id = “0123456789”;
except that 0123456789 is replaced with the session ID for the user who made the request.
An attacker controls evil.com and would like to learn Alice’s session ID for bank.com. How can the attacker do this? Explain why the same-origin policy doesn’t stop this attack. (Assume the attacker can get Alice to visit evil.com.)
Solution: Put