
CSCI 6531/4531 Computer Security Midterm Exam Due December 15th, 2012 at 12:00pm

Instructions
- Unless approved by the class instructor, late submissions will not be accepted
- Submit using Blackboard
- Submit as MS Word .doc (answer in this document please)
- Name the file: lastname_firstname_final.doc
- Work
Q1) (20pts) Given a plaintext P = {p1, p2, p3, …, pn}, where pi is plaintext block number i. Alice encrypted it with DES-CBC using key K and initialization vector IV to produce C = {c1, c2, c3, …, cn} and left it on the desktop for Bob. Bob decrypted the message using key K′ and initialization vector IV′ to produce C′ = {c1′, c2′, c3′, …, cn′}. What relationship between (K and K′) and (IV and IV′) would result in ci = ci′ for all ci ∈ C, ci′ ∈ C′, and all 1 < i ≤ n? Justify your answer.

Q2) (20pts)

a. (10pts) Consider the following code:
     1  void set_passwd(char passwd_correct, int is_root)
     2  {
     3      unsigned char name[10];
     4      memset(name, 0x00, 10);
     5
     6      printf("Enter name: ");
     7      scanf("%s", name);
     8
     9      if (is_root == 1 && passwd_correct == 'y')
    10          printf("running as root\n");
    11      else
    12          printf("NOT running as root\n");
    13  }
    14
    15  int main(int argc, char **argv)
    16  {
    17      int is_root = 0;
    18      unsigned char passwd[20];
    19
    20      memset(passwd, 0x00, 5);
    21
    22      printf("Enter password: ");
    23      scanf("%s", passwd);
    24
    25      if (strcmp(passwd, "root_passwd") == 0)
    26          set_passwd('y', is_root);
    27      else
    28          set_passwd('n', is_root);
    29
    30      return 0;
    31  }

Assuming that arguments to a function are assigned memory locations in the reverse order they appear in the function call, answer the following questions, stating any assumptions you make clearly:

i. (4pts) Identify potential buffer overflow vulnerabilities in the code (state line numbers and the reason for the vulnerability).
ii. (6pts) Craft an exploit so that the program flow could be shifted to printing the message "running as root" even if the password entered is not correct. Your answer should be in the form of the exploit in hex (e.g. AA BB CC DD EE AA 11).
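Returning to Q1: the following is an added example, not part of the exam, showing what CBC decryption recovers when the receiver's key or IV differs from the sender's. A 4-round Feistel toy cipher over 64-bit blocks stands in for DES (the assumption is that the CBC behaviour shown holds for any invertible block cipher); its round function is a plain integer mixer, so the cipher is not secure and only serves to illustrate the mode. The plaintext is a constructed sample.

```c
/* Added example (not the exam's code): CBC with a toy cipher standing in for DES. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BLOCKS 4

/* Toy round function: injective in x for a fixed subkey, which is all the demo needs. */
static uint32_t f(uint32_t x, uint32_t k)
{
    x ^= k;
    x *= 0x9E3779B1u;
    return (x << 13) | (x >> 19);
}

static uint32_t subkey(uint64_t key, int round)
{
    return (uint32_t)(key >> (16 * round)) + (uint32_t)round;
}

static uint64_t toy_encrypt(uint64_t block, uint64_t key)
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 0; i < 4; i++) {        /* (L, R) -> (R, L ^ f(R, k_i)) */
        uint32_t t = r;
        r = l ^ f(r, subkey(key, i));
        l = t;
    }
    return ((uint64_t)l << 32) | r;
}

static uint64_t toy_decrypt(uint64_t block, uint64_t key)
{
    uint32_t l = (uint32_t)(block >> 32), r = (uint32_t)block;
    for (int i = 3; i >= 0; i--) {       /* rounds undone in reverse order */
        uint32_t t = l;
        l = r ^ f(l, subkey(key, i));
        r = t;
    }
    return ((uint64_t)l << 32) | r;
}

/* CBC encryption: c_i = E_K(p_i XOR c_(i-1)) with c_0 = IV. */
void cbc_encrypt(const uint64_t *p, uint64_t *c, size_t n, uint64_t key, uint64_t iv)
{
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) {
        c[i] = toy_encrypt(p[i] ^ prev, key);
        prev = c[i];
    }
}

/* CBC decryption: p_i = D_K(c_i) XOR c_(i-1); the IV enters only the first block. */
void cbc_decrypt(const uint64_t *c, uint64_t *p, size_t n, uint64_t key, uint64_t iv)
{
    uint64_t prev = iv;
    for (size_t i = 0; i < n; i++) {
        p[i] = toy_decrypt(c[i], key) ^ prev;
        prev = c[i];
    }
}

/* Encrypt a fixed 4-block message under (key, iv), decrypt it under (key2, iv2),
 * and return a bitmask whose bit i is set when block i+1 was recovered correctly. */
unsigned matching_blocks(uint64_t key, uint64_t iv, uint64_t key2, uint64_t iv2)
{
    /* Constructed sample plaintext: the ASCII of "Leave it on the desktop for Bob." */
    static const uint64_t plaintext[BLOCKS] = {
        0x4C65617665206974ull, 0x206F6E2074686520ull,
        0x6465736B746F7020ull, 0x666F7220426F622Eull };
    uint64_t c[BLOCKS], p[BLOCKS];
    unsigned mask = 0;
    cbc_encrypt(plaintext, c, BLOCKS, key, iv);
    cbc_decrypt(c, p, BLOCKS, key2, iv2);
    for (size_t i = 0; i < BLOCKS; i++)
        if (p[i] == plaintext[i])
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    const uint64_t K = 0x0123456789ABCDEFull, IV = 0xFEDCBA9876543210ull;
    printf("same K, same IV  : blocks ok = 0x%X\n", matching_blocks(K, IV, K, IV));
    printf("same K, IV' != IV: blocks ok = 0x%X (only block 1 lost)\n", matching_blocks(K, IV, K, IV ^ 1));
    printf("K' != K, same IV : blocks ok = 0x%X\n", matching_blocks(K, IV, K ^ 1, IV));
    return 0;
}
```

Because p_i = D_K(c_i) XOR c_(i-1) for i > 1, a wrong IV only garbles block 1 (it comes out as p1 XOR IV XOR IV′), while a wrong key garbles every block.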

b. (10pts) Consider the following code:

    int main(int argc, char** argv)
    {
        int i = 1;
        int j = 2;
        long k = 3;
        char x[4] = "AAA";
    }

If the address of EBP was 0xbffff3d8 and assuming that variables are assigned memory locations in the order they appear above, answer the following questions:

i. (1pt) What is the address of i?
ii. (1pt) What is the address of j?
iii. (1pt) What is the address of k?
iv. (1pt) What is the address of x?
v. (1.5pts) What is the address of argc?
vi. (1.5pts) What is the address of EIP?
vii. (3pts) If x is read from the command line, what input would you provide to overwrite the return pointer with 41424344?
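The following is an added example, not the exam's code, serving both Q2a(ii) and Q2b. It models the 32-bit x86 frame the questions assume (cdecl, so the first parameter sits at EBP+8; locals laid out downward from EBP in declaration order with their natural sizes and no padding; no stack canary, no ASLR) and builds the byte string that reaches the saved return address, or a parameter, from a local buffer in such a frame. All addresses are derived from those stated assumptions, not measured on a real compiler.

```c
/* Added example (not the exam's code): a stack-frame model under Q2's assumptions. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct local { const char *name; size_t size; };

/* Locals of main() in Q2b and of set_passwd() in Q2a, in declaration order. */
static const struct local Q2B_LOCALS[] = { {"i", 4}, {"j", 4}, {"k", 4}, {"x", 4} };
static const struct local SET_PASSWD_LOCALS[] = { {"name", 10} };

/* Address of local n (0-based): the first local ends at EBP, each later one sits below it. */
uint32_t local_addr(uint32_t ebp, const struct local *locals, size_t n)
{
    uint32_t addr = ebp;
    for (size_t i = 0; i <= n; i++)
        addr -= (uint32_t)locals[i].size;
    return addr;
}

uint32_t saved_eip_addr(uint32_t ebp) { return ebp + 4; }

/* Parameter argno (0 = first parameter, e.g. argc) lies above the return address. */
uint32_t arg_addr(uint32_t ebp, size_t argno) { return ebp + 8 + 4 * (uint32_t)argno; }

/* Bytes from the start of an overflowable buffer to parameter argno. */
uint32_t arg_offset_from_buf(uint32_t ebp, uint32_t buf_addr, size_t argno)
{
    return arg_addr(ebp, argno) - buf_addr;
}

/* Fill from buf_addr up to the saved EIP, then write value little-endian so the
 * CPU loads exactly 'value' as the return address. Returns the payload length,
 * or 0 if out is too small or the buffer lies above the saved EIP. */
size_t build_payload(uint32_t ebp, uint32_t buf_addr, uint32_t value, uint8_t *out, size_t out_len)
{
    if (buf_addr > saved_eip_addr(ebp))
        return 0;
    size_t fill = saved_eip_addr(ebp) - buf_addr;   /* buffer + locals above it + saved EBP */
    if (fill + 4 > out_len)
        return 0;
    memset(out, 'A', fill);
    for (int i = 0; i < 4; i++)
        out[fill + i] = (uint8_t)(value >> (8 * i));
    return fill + 4;
}

/* The same payload as space-separated hex, the form Q2 asks for. */
const char *payload_hex(uint32_t ebp, uint32_t buf_addr, uint32_t value)
{
    static uint8_t raw[64];
    static char hex[3 * sizeof raw + 1];
    size_t n = build_payload(ebp, buf_addr, value, raw, sizeof raw);
    char *w = hex;
    for (size_t i = 0; i < n; i++)
        w += sprintf(w, i ? " %02X" : "%02X", raw[i]);
    *w = '\0';
    return hex;
}

int main(void)
{
    const uint32_t ebp = 0xbffff3d8u;
    for (size_t i = 0; i < 4; i++)
        printf("%-4s at 0x%08" PRIx32 "\n", Q2B_LOCALS[i].name, local_addr(ebp, Q2B_LOCALS, i));
    printf("saved EIP at 0x%08" PRIx32 ", argc at 0x%08" PRIx32 "\n",
           saved_eip_addr(ebp), arg_addr(ebp, 0));
    printf("input for x: %s\n", payload_hex(ebp, local_addr(ebp, Q2B_LOCALS, 3), 0x41424344u));
    printf("set_passwd: bytes from name[] to 1st parameter = %" PRIu32 ", to 2nd = %" PRIu32 "\n",
           arg_offset_from_buf(ebp, local_addr(ebp, SET_PASSWD_LOCALS, 0), 0),
           arg_offset_from_buf(ebp, local_addr(ebp, SET_PASSWD_LOCALS, 0), 1));
    return 0;
}
```

"Overwrite the return pointer with 41424344" can be read as the value the CPU loads (then the bytes in memory are 44 43 42 41, as built here) or as the byte sequence in memory (then 41 42 43 44); state which reading you use. For Q2a the same arithmetic gives the distance from name[] past the saved EBP and EIP to the parameters that the root check reads.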

Q3) (10pts) Download the tool HashCalc from http://download.cnet.com/HashCalc/3000-2250_4-10130770.html. Answer the following questions as clearly as you can (make sure HMAC is unchecked):

a. (2.5pts) What is the SHA-1 hash of the string "something"?
b. (2.5pts) If 8db6a9a5cbe035da38e7738b2e831ea2 is the MD5 hash of the string "cs6531", what string hashes to 8db6a9a5cbe035da38e7738b2e831ea3?
c. (5pts) Show the indices of the non-zero values within table T of a Bloom filter that has the following characteristics:
   i. T is a 1x256 table (T[0] … T[255]). All values in T are initialized to zeros.
   ii. The Bloom filter uses 4 hash functions: MD5, SHA-1, SHA-512, and CRC32. Only the first byte of each hash function's output is used.
   iii. The dictionary used has the words password, wordpass, drowssap, and ssapdrow.
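The following is an added example, not part of the exam, showing the table construction behind Q3c. CRC32 is implemented for real; MD5, SHA-1 and SHA-512 are replaced by three short non-cryptographic hashes (FNV-1a, djb2, sdbm) purely to keep the code self-contained, so the indices it prints are not the ones the question expects. "First byte" is taken to mean the most significant byte of the value as a hex tool such as HashCalc would print it; that reading is an assumption.

```c
/* Added example (not the exam's code): a 256-entry Bloom filter indexed by the
 * first byte of each hash.  Three of the four hashes are stand-ins, see lead-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 256
#define NUM_HASHES 4

typedef uint32_t (*hash_fn)(const char *s);

/* CRC-32 (IEEE 802.3): reflected polynomial 0xEDB88320, bitwise, no lookup table. */
uint32_t crc32_str(const char *s)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (; *s; s++) {
        crc ^= (uint8_t)*s;
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Stand-ins for MD5 / SHA-1 / SHA-512 (assumption: any hash works for the mechanics). */
uint32_t fnv1a_str(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}

uint32_t djb2_str(const char *s)
{
    uint32_t h = 5381u;
    for (; *s; s++) h = h * 33u + (uint8_t)*s;
    return h;
}

uint32_t sdbm_str(const char *s)
{
    uint32_t h = 0;
    for (; *s; s++) h = (uint8_t)*s + (h << 6) + (h << 16) - h;
    return h;
}

static const hash_fn HASHES[NUM_HASHES] = { fnv1a_str, djb2_str, sdbm_str, crc32_str };

/* Index into T: the first (most significant) byte of the printed hash value. */
static unsigned first_byte(uint32_t h) { return (h >> 24) & 0xFFu; }

void bloom_add(uint8_t *T, const char *word)
{
    for (int k = 0; k < NUM_HASHES; k++)
        T[first_byte(HASHES[k](word))] = 1;
}

/* 1 = possibly present (all k entries set), 0 = definitely absent. */
int bloom_maybe_contains(const uint8_t *T, const char *word)
{
    for (int k = 0; k < NUM_HASHES; k++)
        if (!T[first_byte(HASHES[k](word))])
            return 0;
    return 1;
}

/* Zero T, insert the dictionary, and list the indices of the non-zero entries. */
size_t bloom_build(const char *const *dict, size_t n, uint8_t *T, unsigned *idx)
{
    size_t count = 0;
    memset(T, 0, TABLE_SIZE);
    for (size_t i = 0; i < n; i++)
        bloom_add(T, dict[i]);
    for (unsigned i = 0; i < TABLE_SIZE; i++)
        if (T[i])
            idx[count++] = i;
    return count;
}

static const char *const DICT[] = { "password", "wordpass", "drowssap", "ssapdrow" };

size_t dict_table_count(void)
{
    uint8_t T[TABLE_SIZE]; unsigned idx[TABLE_SIZE];
    return bloom_build(DICT, 4, T, idx);
}

int dict_table_contains(const char *word)
{
    uint8_t T[TABLE_SIZE]; unsigned idx[TABLE_SIZE];
    bloom_build(DICT, 4, T, idx);
    return bloom_maybe_contains(T, word);
}

int main(void)
{
    uint8_t T[TABLE_SIZE]; unsigned idx[TABLE_SIZE];
    size_t n = bloom_build(DICT, 4, T, idx);
    printf("%zu non-zero entries at indices:", n);
    for (size_t i = 0; i < n; i++) printf(" %u", idx[i]);
    printf("\n");
    return 0;
}
```

At most 16 entries can be set (4 words × 4 hashes) and fewer when first bytes collide. The dictionary is four arrangements of the same letters: a position-insensitive hash (a byte sum, say) would map them to one index each, whereas MD5, SHA-1, SHA-512 and CRC32 give unrelated first bytes, which is what makes the membership test meaningful.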

Q4) (30pts) Answer the following questions (3pts each). Justify your answer.

a. What provides better resistance to malware, an ACL or a capability-based system?

b. What type of malware is the following:

    Good code
    If date is December 8th:
        Corrupt all files on the computer
    Good code

c. Consider the DoS attack patterns described by the packet captures below. Describe each attack and what it is targeting. Define firewall rules in the EXACT format shown in Table 9.1 in the book that stop it (make sure not to block legitimate traffic as well):

   i.
        11:18:11 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000
        11:18:12 IP 192.168.1.1.101 > 10.10.1.11.53: UDP, length 1000
        11:18:13 IP 192.168.1.1.102 > 10.10.1.11.53: UDP, length 1000
        11:18:14 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000
        11:18:15 IP 192.168.1.1.101 > 10.10.1.11.53: UDP, length 1000
        11:18:16 IP 192.168.1.1.102 > 10.10.1.11.53: UDP, length 1000
        11:18:17 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000
        11:18:18 IP 192.168.1.1.101 > 10.10.1.11.53: UDP, length 1000
        11:18:19 IP 192.168.1.1.102 > 10.10.1.11.53: UDP, length 1000

   ii.
        11:18:11 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000
        11:18:12 IP 192.168.1.1.100 > 10.10.1.11.54: UDP, length 1000
        11:18:13 IP 192.168.1.1.100 > 10.10.1.11.55: UDP, length 1000
        11:18:14 IP 192.168.1.1.100 > 10.10.1.11.56: UDP, length 1000
        11:18:15 IP 192.168.1.1.100 > 10.10.1.11.57: UDP, length 1000
        11:18:16 IP 192.168.1.1.100 > 10.10.1.11.58: UDP, length 1000
        11:18:17 IP 192.168.1.1.100 > 10.10.1.11.59: UDP, length 1000
        11:18:18 IP 192.168.1.1.100 > 10.10.1.11.60: UDP, length 1000
        11:18:19 IP 192.168.1.1.100 > 10.10.1.11.61: UDP, length 1000

   iii.
        11:18:11 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100
        11:18:12 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100
        11:18:13 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100
        11:18:14 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100
        11:18:15 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100
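The following is an added example, not part of the exam: a minimal classifier for capture lines in the tcpdump-style summary format used above, of the kind a detection rule would apply before a firewall rule is written. The three excerpts are reproduced from the question as constructed sample input (first three lines of each); the decision rules (a window of at least 3 packets to one destination host; all SYNs = SYN flood, all UDP to one port = UDP flood, all UDP over several ports = port sweep) are toy thresholds chosen for this demonstration, not tuned detector settings.

```c
/* Added example (not the exam's code): classify tcpdump-style capture excerpts. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PKTS 64

struct pkt { char src_ip[16]; unsigned src_port; char dst_ip[16]; unsigned dst_port; char proto[4]; int syn; };
enum verdict { V_NONE, V_UDP_FLOOD, V_UDP_PORT_SWEEP, V_SYN_FLOOD };

/* "a.b.c.d.port" -> ip and port; tcpdump prints the port after the last dot. */
static int split_port(const char *s, char *ip, unsigned *port)
{
    const char *dot = strrchr(s, '.');
    if (!dot || (size_t)(dot - s) >= 16) return 0;
    memcpy(ip, s, (size_t)(dot - s));
    ip[dot - s] = '\0';
    *port = (unsigned)atoi(dot + 1);
    return 1;
}

/* Parse one "HH:MM:SS IP src.sport > dst.dport: PROTO[ SYN], length N" line. */
int parse_line(const char *line, struct pkt *p)
{
    char src[32], dst[32], rest[64];
    if (sscanf(line, "%*s IP %31s > %31[^:]: %63[^\n]", src, dst, rest) != 3) return 0;
    if (!split_port(src, p->src_ip, &p->src_port)) return 0;
    if (!split_port(dst, p->dst_ip, &p->dst_port)) return 0;
    if (sscanf(rest, "%3s", p->proto) != 1) return 0;   /* width 3 stops before the comma */
    p->syn = strstr(rest, "SYN") != NULL;
    return 1;
}

/* Split a capture into packets; malformed lines are skipped. */
size_t parse_capture(const char *text, struct pkt *out, size_t max)
{
    size_t n = 0;
    while (*text && n < max) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        char line[128];
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_line(line, &out[n])) n++;
        }
        text += len + (nl ? 1 : 0);
    }
    return n;
}

/* Toy rules over a window of packets aimed at one destination host. */
enum verdict classify(const struct pkt *p, size_t n)
{
    size_t syn = 0, udp = 0;
    int same_dst_port = 1;
    if (n < 3) return V_NONE;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(p[i].dst_ip, p[0].dst_ip) != 0) return V_NONE;   /* several targets: out of scope */
        if (strcmp(p[i].proto, "UDP") == 0) udp++;
        if (p[i].syn) syn++;
        if (p[i].dst_port != p[0].dst_port) same_dst_port = 0;
    }
    if (syn == n) return V_SYN_FLOOD;                  /* nothing but SYNs: handshakes never complete */
    if (udp == n) return same_dst_port ? V_UDP_FLOOD : V_UDP_PORT_SWEEP;
    return V_NONE;
}

enum verdict classify_text(const char *text)
{
    struct pkt p[MAX_PKTS];
    size_t n = parse_capture(text, p, MAX_PKTS);
    return classify(p, n);
}

size_t count_packets(const char *text)
{
    struct pkt p[MAX_PKTS];
    return parse_capture(text, p, MAX_PKTS);
}

/* Constructed sample input: the first three lines of each capture in Q4c. */
static const char CAPTURE_I[] =
    "11:18:11 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000\n"
    "11:18:12 IP 192.168.1.1.101 > 10.10.1.11.53: UDP, length 1000\n"
    "11:18:13 IP 192.168.1.1.102 > 10.10.1.11.53: UDP, length 1000\n";
static const char CAPTURE_II[] =
    "11:18:11 IP 192.168.1.1.100 > 10.10.1.11.53: UDP, length 1000\n"
    "11:18:12 IP 192.168.1.1.100 > 10.10.1.11.54: UDP, length 1000\n"
    "11:18:13 IP 192.168.1.1.100 > 10.10.1.11.55: UDP, length 1000\n";
static const char CAPTURE_III[] =
    "11:18:11 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100\n"
    "11:18:12 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100\n"
    "11:18:13 IP 192.168.1.1.100 > 10.10.1.11.80: TCP SYN, length 100\n";

int main(void)
{
    static const char *const names[] = { "none", "UDP flood on one port", "UDP port sweep", "TCP SYN flood" };
    printf("i: %s\nii: %s\niii: %s\n", names[classify_text(CAPTURE_I)],
           names[classify_text(CAPTURE_II)], names[classify_text(CAPTURE_III)]);
    return 0;
}
```

The parser treats the last dot-separated field as the port, which is how tcpdump prints 192.168.1.1.100 (host 192.168.1.1, port 100). A firewall rule derived from these verdicts should key on what the classifier found distinctive (the destination port and protocol for i and iii, the source for ii) rather than on the whole 5-tuple, or it will not hold once the attacker changes source ports.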

d. Describe a packet trace (in the format shown in the question above) that describes a Smurf attack where the attacker is at 192.168.1.1, uses intermediate hosts at 172.10.0.1-255, and the attack target is at 192.168.1.11.

e. What is the difference between metamorphic and polymorphic viruses?

f. What is the difference between an open and a closed access control policy?

g. What is an example of a directory in Linux that uses the sticky bit?

h. What is an example of a program in Linux that uses SETUID?

i. What privileges would the user Alex, who belongs to group Users, get, given the following base and extended permissions (explain how the privileges were gained):

    Base permissions:
        owner (Bob):  rwx
        group (sys):  rw-
        others:       r--

    Extended permissions:
        specify  rwx  u:Jack
        permit   -wx  u:Hammer
        permit   -wx  u:Alex
        deny     -w-  g:Users

j. Answer the following questions:

   i. What is the principle of operation of an IDS? How are the logical components of an IDS distinguished from those of an IPS?

   ii. Describe the effects of the firewall rules below:

        Source Address   Source Port   Dest Address   Dest Port   Action
        Any              Any           192.168.1.2    SMTP        Allow
        Any              Any           Any            Any         Deny
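The following is an added example, not part of the exam: first-match evaluation of a packet-filter table in the five-column format of j.ii, with "Any" as a wildcard. The rule set is the one in the question; the sample packets are constructed, and the last of them shows the caveat a practitioner would raise about this table.

```c
/* Added example (not the exam's code): first-match packet filter over the j.ii table. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct rule { const char *src; const char *sport; const char *dst; const char *dport; int allow; };

/* The two rules from the question, in order. */
static const struct rule TABLE[] = {
    { "Any", "Any", "192.168.1.2", "SMTP", 1 },
    { "Any", "Any", "Any",         "Any",  0 },
};

static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "Any") == 0 || strcmp(pattern, value) == 0;
}

/* The first matching rule decides; a packet matching no rule is dropped (default deny). */
int filter_decision(const struct rule *rules, size_t n,
                    const char *src, const char *sport, const char *dst, const char *dport)
{
    for (size_t i = 0; i < n; i++)
        if (field_matches(rules[i].src, src) && field_matches(rules[i].sport, sport) &&
            field_matches(rules[i].dst, dst) && field_matches(rules[i].dport, dport))
            return rules[i].allow;
    return 0;
}

int table_allows(const char *src, const char *sport, const char *dst, const char *dport)
{
    return filter_decision(TABLE, sizeof TABLE / sizeof TABLE[0], src, sport, dst, dport);
}

int main(void)
{
    /* Constructed sample packets (client 10.0.0.5 is assumed). */
    struct { const char *src, *sport, *dst, *dport, *what; } samples[] = {
        { "10.0.0.5",    "1025", "192.168.1.2", "SMTP", "mail delivery to the server" },
        { "10.0.0.5",    "1025", "192.168.1.3", "SMTP", "SMTP to any other host" },
        { "10.0.0.5",    "1025", "192.168.1.2", "HTTP", "HTTP to the mail server" },
        { "192.168.1.2", "SMTP", "10.0.0.5",    "1025", "the server's reply to the client" },
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s -> %s\n", samples[i].what,
               table_allows(samples[i].src, samples[i].sport, samples[i].dst, samples[i].dport)
                   ? "Allow" : "Deny");
    return 0;
}
```

Only SMTP to 192.168.1.2 is admitted; everything else hits the final deny. The fourth sample is the catch: if the same two rules are applied to traffic in both directions by a stateless filter, the server's own replies (source port SMTP, destination the client) also fall through to the deny rule, so connections are accepted but never answered. A stateful filter, or an extra rule for established connections (packets from 192.168.1.2 port SMTP with ACK set), is needed for the table to be useful.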

Q5) (20pts) T/F questions (2pts each) (justify all your answers):

a. T F Shellcode is not specific to a particular processor architecture.
b. T F A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context.
c. T F A prime disadvantage of an application-level gateway is the additional processing overhead on each connection.
d. T F Intrusion detection is based on the assumption that the behavior of the intruder differs from that of a legitimate user in ways that can be quantified.
e. T F Given sufficiently privileged access to the network handling code on a computer system, it is difficult to create packets with a forged source address.
f. T F A bot propagates itself and activates itself, whereas a worm is initially controlled from some central facility.
g. T F The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
h. T F Spear-phishing attacks are distinguished from phishing attacks by the source of the attack.
i. T F SIP flooding and TCP SYN flooding are both application-based bandwidth consumption DoS attacks.
j. T F An NIDS sensor placed outside the external firewall can identify firewall configuration problems.
