Exercises

Question 1

include <stdio.h></stdio.h>

Consider the C program below, which is affected by a typical buffer overflow vulnerability.

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln() {
char buf[32];
<— Here —>
scanf(“%s”, buf);
if (strncmp(buf, “Knight_King!”, 12) !=
0) {
abort();
}

int main(int argc, char** argv) {
vuln();
}

Draw the stack layout when the program is executing the instruction at line 7, showing:
a. Direction of growth and high-low addresses.
b. The name of each allocated variable.
c. The boundaries of frame of the function frames (main and vuln).
Show also the content of the caller frame (you can ignore the environment variables, just focus on what matters for the vulnerability and its exploitation).

Answer 1

(Low Addresses)
buf[0-3]
…
buf[28-31]
EBP (vuln)
EIP
…
EBP (main)
(High Addresses)

Main Frame: EBP (main) - EIP
Vuln Frame: EBP (vuln) - End

Question 2

include <stdio.h></stdio.h>

Consider the C program below, which is affected by a typical buffer overflow vulnerability.

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln() {
char buf[32];
<— Here —>
scanf(“%s”, buf);
if (strncmp(buf, “Knight_King!”, 12) !=
0) {
abort();
}

int main(int argc, char** argv) {
vuln();
}

Write an exploit for the buffer overflow vulnerability in the above program. Your exploit should execute the following simple shellcode, composed only by 4 instructions (4 bytes): 0x12 0x34 0x56 0x78.
Write clearly all the steps and assumptions you need for the exploitation, and show the stack layout right after the execution of the scanf() during the program exploitation.

Answer 2

(Low Addresses)
buf[0-3] => “Knig”
buf[4-7] => “ht_k”
buf[8-11] => “ing!”
buf[12-15] => NOP Sled
… => NOP Sled
buf[28-31] => 0x12 0x34 0x56 0x58
EBP (vuln) => Not Relevant
EIP => Pointer to around the start of the NOP sled interval
…
EBP (main)
(High Addresses)

Question 3

include <stdio.h></stdio.h>

Consider the C program below, which is affected by a typical buffer overflow vulnerability.

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln() {
char buf[32];
<— Here —>
scanf(“%s”, buf);
if (strncmp(buf, “Knight_King!”, 12) !=
0) {
abort();
}

int main(int argc, char** argv) {
vuln();
}

If address space layout randomization (ASLR) is active, is the average exploit still work without modifications? Why?

Answer 3

No, because the address of the stack would be randomized for every execution, and we must have to have a leak in order to exploit it successfully.

Question 4

include <stdio.h></stdio.h>

Consider the C program below, which is affected by a typical buffer overflow vulnerability.

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln() {
char buf[32];
<— Here —>
scanf(“%s”, buf);
if (strncmp(buf, “Knight_King!”, 12) !=
0) {
abort();
}

int main(int argc, char** argv) {
vuln();
}

If the stack is made non executable (i.e., NX, W^X), is the average exploit still working without modifications? If not, propose an alternative solution to exploit the program.

Answer 4

No, we can use ret to libc technique in order to execute the system function in the libc and obtain a shell. In order to do that, we change the value of B and let it point to the address of system.

Question 5

BlaBlaStack is a new stack protection mechanism that is designed to protect against local attackers (e.g., users that can have a shell and launch binaries).
BlaBlaStack works by inserting instructions in the prologue that push a value to the stack. This value is generated at compile time and is hardcoded in the binary.
Then, during the epilogue, this value is popped from the stack and an appropriate instruction compares it with the hardcoded, expected one.
In case of match, the program goes on, otherwise it is aborted.
● Why this mechanism does not provide proper protection against stack overflows?
● How would you fix BlaBlaStack in order to protect from local attackers?

Answer 5

This is a compiler based protection mechanism, it is a variant of the stack canary mechanism seen in class. The attacker can read the binary, for example using a disassembler, obtain the hardcoded value and include it as part of the exploit.
Instead of hardcoding the canary value, the instructions in the prologue should generate a random value and push it on a general purpose register. During the epilogue, the register is used to compare the valued popped from the stack.

Question 6

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) {
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

Draw the stack layout when the program is executing the instruction at line 12, showing:
a. Direction of growth and high-low addresses;
b. The name of each allocated variable;
c. The boundaries of frame of the function frames (main and vuln).
Show also the content of the caller frame (you can ignore the environment variables, just focus on what matters for the vulnerability and its exploitation).

Answer 6

(Low Addresses)
buf[0-3]
…
buf[15-12]
tmp[3-0]
…
tmp[15-12]
sparrow
EBP (vuln)
EIP
n
…
EBP (main)
(High Addresses)

Main Frame: EBP (main) - EIP
Vuln Frame: EBP (vuln) - buf[0-3]

Question 7

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) {
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

The program is affected by a buffer overflow vulnerability. Complete the following table.

Vulnerability: Buffer Overflow
Line(s):
Motivation:

Answer 7

Vulnerability: Buffer Overflow
Line(s): scanf(“%s”, s.tmp)
Motivation: buffer where there is no boundness for the insertion

Question 8

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) { This
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

The underlined lines of code (indicated by “This”) attempt to mitigate the exploitation of the buffer overflow vulnerability you just found.

a. Shortly describe what is the implemented technique, and how it works in general.

b. Describe the weaknesses in this specific implementation, and how you would fix them.

Answer 8

a. The underlined code implements a stack canary as a mitigation against stack-based buffer overflows. When writing past the end of a stack-allocated buffer, one would overwrite the variable x before overwriting the saved EIP. Before returning from the function, the content of the variable x is checked against the original value: if they differs, a buffer overflow is detected and the program aborts without returning from the function (i.e., without triggering the exploit).

b. In this case, the stack canary is a static value (0xBAAAAAAD): if the binary is available, it is enough to retrieve this value by reverse engineering the program; then, during the exploitation it is enough to overwrite the stack canary with this (known) value. To fix this issue, the stack canary should be randomized at the program startup and placed in a register.

Question 9

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) { This
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

Write an exploit for the buffer overflow vulnerability in the above program to execute the following simple shellcode, composed only by 4 instructions (4 bytes): 0x51 0x52 0x5a 0x5b. Make sure that you show how the exploit will appear in the process memory with respect to the stack layout right before and after the execution of the detected vulnerable line during the program exploitation. Ensure you include all of the steps of the exploit, ensuring that the program and the exploit execute successfully. Include also any assumption on how you must call the program (e.g., the values for the command-line arguments required to trigger the exploit correctly, environment variables).

Answer 9

(Low Addresses)
buf[0-3]
…
buf[15-12] =>
tmp[3-0]
…
tmp[15-12] => 0x51 0x52 0x5a 0x5b
sparrow =>
EBP (vuln) => Not Relevant
EIP
n
…
EBP (main)
(High Addresses)

Question 10

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) {
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

Write an exploit for the buffer overflow vulnerability in the above program to execute the following simple shellcode, composed only by 4 instructions (4 bytes): 0x51 0x52 0x5a 0x5b. Make sure that you show how the exploit will appear in the process memory with respect to the stack layout right before and after the execution of the detected vulnerable line during the program exploitation. Ensure you include all of the steps of the exploit, ensuring that the program and the exploit execute successfully. Include also any assumption on how you must call the program (e.g., the values for the command-line arguments required to trigger the exploit correctly, environment variables).

Answer 10

buf[0-3] => H4CK
… => Irrelevant
buf[15-12] => Irrelevant
tmp[0-3] => Nop Sled
… => Nop Sled
tmp[15-12] => 0x51 0x52 0x5a 0x5b
sparrow => 0xBAAAAAAD
Base vuln => Irrelevant
EIP => tmp[0-3]
N
…
Base Main

Question 11

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) {
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

Let’s assume that the C standard library is loaded at a known address during every execution of the program, and that the (exact) address of the function system() is 0xf7e38da0. Explain how you can exploit the buffer overflow vulnerability to launch the program /bin/secret.

Answer 11

We write ni tmp het string /bin/secret, and we overwrite the saved EIP with the address of system. We then overwrite 8 bytes more for the system) EIP (to exit) and for the pointer ot - Yso that, when
jumping into the system) function, this pointer will be where system ) expects the parameter and will complete the execution.

buf[0-3] => H4CK
… => (not relevant)
buf[15-12] => (not relevant)
… not relevant
tmp[7-4] => /bin => Add Y
tmp[11-8] => /sec
tmp[15-12] => ret\0
OxAD OxAA 0xAA 0xBA
(not relevant)
Oxf7e38da0
exit
~ Addr Y

Question 12

If the ASLR is enabled what is randomized

Answer 12

Both the stack and the shared libraries are randomized

Question 13

include <stdio.h></stdio.h>

Consider the C program below:

#include <stdlib.h>
#include <string.h></string.h></stdlib.h>

void vuln(int n) {
struct {
char buf[16];
char tmp[16];
int sparrow = 0xBAAAAAAD;
} s;

if (n > 0 && n < 16) {
fgets(s.buf,n,stdin);
if(strncmp(s.buf, “H4CK”, 4) != 0 &&
s.buf[14] != “X”) {
abort();
}
scanf(“%s”, s.tmp);
if(s.sparrow != 0xBAAAAAAD) {
printf(“Goodbye!\n”);
abort();
}
}
}

int main(int argc, char** argv) {
vuln(argc);
return 0;
}

Assume now that the program is compiled without any mitigation against exploitation (the address space layout is not randomized, the stack is executable, and there are no stack canaries). Propose the simplest modification to the C code provided (i.e., patch) that solves the buffer overflow vulnerability detected, motivating your answer.

Answer 13

scanf(“%15s”, s.tmp); fgets(s.tmp,15,stdin);

Question 14

See the code in the picture 1 in the Comp Sec album

Assuming that the program is compiled and run for the usual IA-32 architecture (32-bits), with the usual cdecl calling convention, draw the stack layout just before the execution of line 11 showing:
● Direction of growth and high-low addresses;
● The name of each allocated variable;
● The boundaries of the function stack frames (main and guess)
Show also the content of the caller frame (you can ignore the environment variables: just focus on what matters for the exploitation of typical memory corruption vulnerabilities).
Assume that the program has been properly invoked with a single command line argument.

Answer 14

See the picture 1S in the Comp Sec album

Question 15

See the picture 1 in the Comp Sec album

The program is affected by a typical buffer overflow and a format string vulnerability. Which line each happen and why

Answer 15

See picture 2S in the Comp Sec album

Question 16

See the picture 1 in the Comp Sec album

Assume that the program is compiled and run with no mitigation against exploitation of memory corruption vulnerabilities (no canary, executable stack, environment with no ASLR active).

Focus on the buffer overflow vulnerability. Write an exploit for the buffer overflow vulnerability in the above program to execute the following simple shellcode, composed only by 4 instructions (4 bytes): 0x58 0x5b 0x5a 0xc3.

Make sure that you show how the exploit will appear in the process memory with respect to the stack layout right before and after the execution of the detected vulnerable line during the program exploitation.
Ensure you include all of the steps of the exploit, ensuring that the program and the exploit execute successfully. Include also any assumption on how you must call the program (e.g., the values for the command-line arguments required to trigger the exploit correctly).

Answer 16

See the picture 3S in the Comp Sec album

Question 17

See code in the picture 1 in the Comp Sec album

Now focus on the format string vulnerability you identified. We want to exploit this vulnerability to overwrite the saved EIP with the address of the environment variable $EGG that contain your executable shellcode. Assuming we know that:
● The address of $EGG (i.e., what to write) is 0x44674234 (0x4467(hex) = 17511(dec), 0x4234(hex) = 16948(dec))
● The target address of the EIP (i.e., the address where we want to write ) is 0x42414515
● The displacement on the stack of your format string is equal to 7
write an exploit for the format string vulnerability to execute the shellcode in the environment variable EGG.
Write the exploit clearly, detailing all the components of the format string, and detailing all the steps that lead to a successful exploitation.

Answer 17

The command line argument is directly fed as a format string to snprintf, and the format string itself is on the stack with a given displacement: we just need to construct a standard format string exploit.
- We need to write 0x44674234 to 0x42414515(<tgt>)
- 0x4467 > 0x4234 -> we write 0x4234 first
The value of the command line argument will have the form <tgt><tgt+2>%<N1>c%<pos>$hn%<N2>c%<pos+1>$hn
where</N2></pos></N1></tgt></tgt>

<tgt> = 0x42414515
<tgt+2> = 0x42414517
<pos> = 7
<N1> = dec(0x4234) - 8 (bytes already written) = 16948 - 8 = 16940
<N2> = dec(0x4467) - 16948 (bytes already written) = 17511 - 16948 = 563 thus the final string is
\x15\x45\x41\x42\x17\x45\x41\x42%16940c%7$hn%563c%8$hn
</N2></N1></pos></tgt>

Question 18

See the code in the picture 1 in the Comp Sec album

Now consider that the program is compiled enabling the exploit mitigation technique known as stack canary. Assume that the compiler and the runtime correctly implement this technique with a random value changed at every program execution. Are the two exploits you wrote still working without modifications? Why? If not working modify the exploit so that it works reliably in this setting (i.e., enabled stack canaries). Please describe precisely how you would modify the above exploit, and any further assumption you need to make it work. If your exploit needs to perform multiple iteration of any loop, please describe what you would write to the standard input at every iteration of the loop(s). If the exploit is working without modification, please describe precisely why the vulnerability is still exploitable.

Answer 18

First exploit
No. the first exploit would overwrite the stack canary (placed in the stack before the return address). The code placed by the compiler in the function epilogue would detect the canary overwrite and abort the execution of the program without jumping to the saved return address, and without executing the attacker’s shellcode. We need to make the program perform two iterations of the loop.
First iteration: write an argv[1] that starts with ‘_’ (e.g., ‘_dbg!\n’) and ‘DEBUG’ at line 16; the code at lines 17-21 will print n words from the stack. Assuming that n is sufficiently high to print also the word containing the stack canary (or, if the attacker controls the command line arguments, passing a sufficiently high n), this would leak the stack canary value for that specific execution of the program.
Then, as strncmp(s.buf, “DEBUG”, 5) == 0 , the do…while loop will not exit.
Second iteration: at this point, we know the value of the stack canary (read during the first loop iteration). We write to stdin (i.e., we put in the buffer) the same exploit I wrote at point 2, changing it slightly so that the stack canary gets overwritten by the value leaked during the first iteration. Also, we need to ensure that strncmp(s.buf, “DEBUG”, 5) == 1 so that the loop ends, the function returns, and the shellcode is executed.
Second exploit
Yes, the second exploit still work without modification

Question 19

We are designing the password policy for an online banking website. Which of the following rule sets is more adequate in your opinion, and why?

1. Passwords must be at least 12 characters long, with at least one lowercase, one uppercase, one number and one special character. Passwords must be changed at least every 30 days and cannot match previous ones. Accounts are locked after 3 wrong attempts.
2. Passwords must be at least 8 characters long, and not belong to a dictionary of common passwords. They must be changed at least every 30 days and cannot match previous ones. Accounts are locked after 5 wrong attempts

Answer 19

1. This seems stronger, because it enforces long (against bruteforcing), non-reused (against stealing) passwords and mitigates bruteforcing. However, it will lead users to write down passwords
2. This one has an additional measure (non dictionary words) that is missing in the previous scheme. Given that guessing is more likely than cracking, and that writing down passwords is a pitfall, this scheme is definitely better with respect to the previous one.

Question 20

Consider biometric authentication.
Describe (a) how the authentication phase works and (b) explain the phases that are needed to deploy such an authentication system in a company.

Answer 20

It is based on recording features extracted from a biometric characteristic of each user. At each authentication, the measured features are compared with the recorded ones. Each user is thus required to measure the characteristic when a system is deployed.

Question 21

Consider biometric authentication.
The company is evaluating whether to use a fingerprint scanner or iris recognition as a characteristic for authentication purposes. What are the considerations that you would make?

Answer 21

Fingerprint scanning and iris recognition are both very precise authentication methods. Fingerprint scanning is slightly easier to fool with counterfeits. Iris recognition is a more invasive procedure which may be less tolerable by users. Additionally, iris recognition is far more costly.

Question 22

Password authentication is widely used because it is weaker but cheaper

True or false? Why?

Answer 22

True, because it does not require special equipment, and it is even easier to deploy in many environments.

Question 23

Biometric systems are not deterministic, and this is an issue

Answer 23

True, because the biometric features that they measure (e.g., fingerprints, hand geometry) may change over time, and measurement errors can occur. Thus, they need to be carefully evaluated for false acceptance and false rejection ratios.

Question 24

Biometric systems identify a person on the basis of their physical characteristics, making it impossible for an attacker to impersonate someone else

True or false? Why?

Answer 24

False. Attacks have been developed against biometric systems. For example it is rather easy to duplicate someone’s fingerprints.

Question 25

Introducing a biometric system to protect a high-value target will decrease risks for the target, often at the expense of increasing personal risk for the users

True or false? Why?

Answer 25

True, if the system makes attacking a user the most viable way to access the high value target.

Question 26

OTP (one-time passwords) are relatively easy, drop-in replacements for static passwords

True or false? Why?

Answer 26

True, because it requires little equipment and set up effort for interfacing. The only significant cost is associated to password/secret code generation (i.e. the cost of the token, or of sending SMS with codes, etc.)

Question 27

The only source of error of biometric authentication is the evolution of the human body characteristics.

True or false? Why?

Answer 27

False, because measurement errors can occur during each authentication phase. Also, the process is non deterministic intrinsically.

Question 28

A biometric system is more secure than a password-based system

True or false? Why?

Answer 28

False. In order to evaluate the level of security we need to know more of the system they are designed to protect. Their level of security could be comparable, or either could be a better choice than the other.

Question 29

Consider biometric authentication.
Describe how it works, focusing on the phases that are needed to deploy such an authentication system in a company

Answer 29

It is based on recording features extracted from a biometric characteristic of each user. At each authentication, the measured features are compared with the recorded ones. Each user is thus required to measure the characteristic when a system is deployed.

Question 30

Consider biometric authentication.
The geometry of the palm of the hand has been proposed as a biometric characteristic for authentication purposes. Discuss what issues do you see in this idea.

Answer 30

There are two main issues: false positive (another user with the hand geometry very similar to the legitimate user may be able to authenticate), which may happen if the features are too generic; false negative (the legitimate user may be unable to authenticate), which may happen if the features are too specific.

Question 31

In a company, each employee has a private office, where only authorized people can enter. The workstation is positioned such that the computer screen faces the wall. Also assume that passwords are only used to access cloud-based services over TLS. We need to design proper policies to minimize the risk that passwords get compromised. Such policies will be enforced whenever a user chooses a new password.
What are the main characteristics of a password on which we can act when writing a policy?

Answer 31

Complexity = length, rich character set

Non guessability = not belonging to dictionaries, not user related

Frequency of change

Question 32

In a company, each employee has a private office, where only authorized people can enter. The workstation is positioned such that the computer screen faces the wall. Also assume that passwords are only used to access cloud-based services over TLS. We need to design proper policies to minimize the risk that passwords get compromised. Such policies will be enforced whenever a user chooses a new password.

What is the most likely attack scenario against passwords considering the above description of the conditions of each employee? Why?

Given the previous answer, what is the most important characteristic that you need to enforce in the password policy (in order to avoid the attack scenario)?

Answer 32

Guessing, because the office space is confined and accessible only to authorized personnel. Cracking is the second most-likely attack. Snooping is certainly not an option here.

Against guessing, we must enforce that passwords are not related to the user and, in general, not belonging to dictionaries or common passwords

Question 33

What are the differences between MAC and DAC?
Make an example of real-world MAC system and at least one example of real-world DAC system.

Answer 33

Key difference: in DAC owner assigns control over resource, in MAC security admin sets levels.
Example of MAC: classification of secret documents in the military. Examples of DAC, you name it, any OS.

Question 34

What are the differences between access control lists and capability lists?

Answer 34

ACLs are efficient with per-object operations, but cannot be used to assign multiple owners to the same object (this can be partially addressed with groups). Capabilities are efficient with per-subject operations, which make them inefficient when objects change frequently.

Question 35

Consider the following two policies to choose passwords from:
● Policy-a: three random English words from a 16k wordlist
● Policy-b: eight random characters among letters (upper or lowercase) and decimal digits

Consider a company, Company-a, applying Policy-a, but having users choose a single repeated word from the list one in 100 times,

Consider a different company, Company-b, where Policy-b is applied, but the users pick 8 equal decimal digits one in 100 times?

Quantify how many attempts are needed to guess a password on average in both companies, and how many attempts are needed, on average, is to guess the easiest password in both companies.

Answer 35

To understand the rationale behind the [Solution], let’s break down the calculations and reasoning for each company:

Policy-a: Passwords consist of three random English words from a 16,000-word list.

1. Average Number of Guesses:
   • Standard Password Entropy:
     
     • The total number of possible passwords (combinations of three words) is ( 16,000^3 ).
     • Entropy in bits is calculated as ( \log_2(16,000^3) = 3 \times \log_2(16,000) ).
     • ( \log_2(16,000) \approx 14 ), so ( 3 \times 14 = 42 ).
     • Thus, the entropy is ( 2^{42} ).
   • Adjusted for Repeated Word:
     
     • One in 100 passwords is a repeated word.
     • With 99% chance, a password has entropy ( 2^{42} ).
     • With 1% chance, a password is the same word repeated thrice, making it easy to guess (essentially 1 guess needed).
   • Average Guess Calculation:
     
     • Average number of guesses: ( 0.99 \times 2^{42} + 0.01 \times 1 ).
     • Simplifying: ( 0.99 \times 2^{42} \approx 2^{41.9} ).
2. Easiest Guess (Minimum Entropy):
   • Minimum entropy case is the easiest password to guess.
   • If a password is a single repeated word, it means choosing one word out of 16,000 and repeating it.
   • There are ( 16,000 ) such passwords, occurring 1 in 100 times.
   • Probability of easiest password: ( \frac{1}{100} \times \frac{1}{16,000} = \frac{1}{1,600,000} ).
   • Entropy calculation: ( -\log_2(\frac{1}{1,600,000}) \approx 20 ).
   • Therefore, the easiest password guess needs ( 2^{20} ) attempts.

Policy-b: Passwords are eight random characters among letters (upper or lowercase) and decimal digits.

1. Average Number of Guesses:
   • Standard Password Entropy:
     
     • The total number of possible passwords is ( 62^8 ).
     • Entropy in bits: ( \log_2(62^8) = 8 \times \log_2(62) ).
     • ( \log_2(62) \approx 6 ), so ( 8 \times 6 = 48 ).
     • Thus, the entropy is ( 2^{48} ).
   • Adjusted for Repeated Digits:
     
     • One in 100 passwords is eight equal decimal digits.
     • With 99% chance, a password has entropy ( 2^{48} ).
     • With 1% chance, a password is one of 10 possible repeated digits (0-9), making it easy to guess (10 guesses needed).
   • Average Guess Calculation:
     
     • Average number of guesses: ( 0.99 \times 2^{48} + 0.01 \times 10 ).
     • Simplifying: ( 0.99 \times 2^{48} \approx 2^{46.9} ).
2. Easiest Guess (Minimum Entropy):
   • Minimum entropy case is the easiest password to guess.
   • If a password consists of a single repeated digit, there are 10 such passwords, occurring 1 in 100 times.
   • Probability of easiest password: ( \frac{1}{100} \times \frac{1}{10} = \frac{1}{1,000} ).
   • Entropy calculation: ( -\log_2(\frac{1}{1,000}) \approx 10 ).
   • Therefore, the easiest password guess needs ( 2^{10} ) attempts.

In summary, the solution involves calculating the average number of guesses based on the probabilities of different password strengths and identifying the number of attempts needed for the easiest password to guess in each policy. The calculations use entropy principles and probability adjustments to account for the distribution of passwords.

Question 36

Consider a password storage scheme where the user-supplied password is hashed with a 4 bytes long, uniformly randomly sampled string (salt), employing SHA-2-256 and its digest is stored on disk, together with the random string.
Computing a single SHA-2-256 costs around 133 microwatts with current technology, and takes 4 microseconds.
What is the probability that an attacker, with a 100 kWh budget is able to guess, through bruteforcing, one randomly picked, 7 lowercase latin alphabet characters password, given digest and salt? Assume for simplicity that the entire energy budget is used for SHA-2-256 computations, without overheads.

Answer 36

To understand the rationale behind the [Solution], let’s break down the calculations and reasoning step by step.

The problem involves determining the probability that an attacker, with a specified energy budget, can successfully brute-force a password. The password scheme includes:

1. Password Characteristics: A 7-character password using only lowercase Latin alphabet letters.
2. Hashing Mechanism: Passwords are hashed using SHA-2-256 with a 4-byte (32-bit) salt.
3. Energy and Time Costs:
   
   • Each SHA-2-256 computation costs 133 microwatts.
   • Each SHA-2-256 computation takes 4 microseconds.
4. Attacker’s Energy Budget: 100 kWh (kilowatt-hours).

1. Total Energy Budget Conversion:
   
   • Convert 100 kWh to watt-seconds (joules).
   • ( 100 \text{ kWh} = 100 \times 1,000 \text{ watts} \times 3,600 \text{ seconds} = 360,000,000 \text{ watt-seconds} ).
   • ( 100 \text{ kWh} = 3.6 \times 10^{11} \text{ watt-seconds} ).
2. Energy Per SHA-2-256 Computation:
   
   • Each SHA-2-256 computation costs 133 microwatts.
   • ( 133 \text{ microwatts} = 133 \times 10^{-6} \text{ watts} ).
3. Time Per SHA-2-256 Computation:
   
   • Each SHA-2-256 computation takes 4 microseconds.
   • ( 4 \text{ microseconds} = 4 \times 10^{-6} \text{ seconds} ).
4. Number of SHA-2-256 Computations Possible:
   
   • Calculate how many SHA-2-256 computations can be performed with the given energy budget.
   • Energy per SHA-2-256 computation: ( 133 \times 10^{-6} \text{ watts} \times 4 \times 10^{-6} \text{ seconds} = 5.32 \times 10^{-12} \text{ watt-seconds} ).
   • Number of SHA-2-256 computations: ( \frac{3.6 \times 10^{11} \text{ watt-seconds}}{5.32 \times 10^{-12} \text{ watt-seconds}} \approx 6.77 \times 10^{22} \approx 2^{77} ).
5. Probability of Successful Guess:
   
   • Total number of possible passwords: ( 26^7 ) (since there are 26 lowercase letters and the password is 7 characters long).
   • Number of possible salts: ( 2^{32} ) (since the salt is 4 bytes long).
   • Total number of password-salt combinations: ( 26^7 \times 2^{32} \approx 2^{64} ).
   • Probability of guessing one specific password-salt combination in one attempt: ( \frac{1}{2^{64}} ).
6. Expected Success With Given Computations:
   
   • If the attacker can make ( 2^{77} ) attempts, the probability of not guessing the password in each attempt is ( \left(1 - \frac{1}{2^{64}}\right) ).
   • For ( 2^{77} ) attempts, the probability of not guessing the password in any attempt is approximately ( \left(1 - \frac{1}{2^{64}}\right)^{2^{77}} ).
   • Using the approximation for large numbers: ( \left(1 - \frac{1}{2^{64}}\right)^{2^{77}} \approx e^{-\frac{2^{77}}{2^{64}}} = e^{-2^{13}} ).
   • ( e^{-2^{13}} ) is extremely close to zero, implying that the success probability is practically 1.

• The attacker’s energy budget allows for ( 2^{77} ) SHA-2-256 computation attempts.
• The probability of successfully guessing one specific 7-character password with a 32-bit salt is ( \frac{1}{2^{64}} ).
• Given the number of attempts possible (( 2^{77} )), the attacker can perform approximately ( 2^{13} ) times more attempts than needed to guess the password on average.
• Therefore, the probability of guessing the password within the energy budget is almost certain, making the success practically guaranteed.

Question 37

Consider the same password hashing strategy as before. Quantify the change in the attacker success probability if the digest of the SHA-2-256 hash digest is cut down to 160 bits, discarding the last 96 bits obtained from the computation, reducing the resistance to collisions for SHA-2-256.

Answer 37

The new question explores the impact on the attacker’s success probability when the SHA-2-256 hash digest is truncated from 256 bits to 160 bits. This truncation reduces the collision resistance but the question asks how this change affects the attacker’s probability of successfully brute-forcing a password.

1. Hash Truncation Effect:
   
   • Originally, SHA-2-256 produces a 256-bit digest. By truncating this to 160 bits, the resulting digest size is reduced.
   • This reduction in digest size primarily affects the collision resistance, not the preimage resistance, which is more relevant to brute-force attacks.
2. Collision Resistance vs. Preimage Resistance:
   
   • Collision Resistance: The difficulty of finding two different inputs that produce the same hash output. For a 160-bit hash, this is about ( 2^{80} ) (because of the birthday paradox).
   • Preimage Resistance: The difficulty of finding an input that produces a given hash output. For a 160-bit hash, this is about ( 2^{160} ).
3. Impact on Brute-Forcing:
   
   • The attacker’s goal in a brute-force attack is to find the correct password that matches a given hash, which relies on preimage resistance.
   • The truncation to 160 bits does not change the preimage resistance significantly for practical purposes in this scenario.
   • The total number of possible passwords is still ( 26^7 ), and each password-salt combination must still match the truncated 160-bit hash.
4. Attacker’s Computational Capacity:
   
   • As before, the attacker can make ( 2^{77} ) SHA-2-256 computations with the given energy budget.
   • The probability of guessing the correct password in one attempt remains ( \frac{1}{2^{64}} ), based on the total number of password-salt combinations.
5. Conclusion:
   
   • Despite the reduction in collision resistance, the preimage resistance remains sufficiently strong (160 bits).
   • The attacker’s strategy remains unchanged: attempting to brute-force the password.
   • Given the same computational capacity and the same number of possible password-salt combinations, the attacker’s success probability does not change.

• Key Point: The success probability of brute-forcing a password depends on preimage resistance, which is not significantly affected by truncating the hash to 160 bits in this context.
• Rationale:
  
  • Truncation affects collision resistance (related to finding two different inputs with the same hash) but not preimage resistance (related to finding an input for a specific hash).
  • The number of possible password-salt combinations and the attacker’s computational efforts remain the same.
  • Thus, the probability of successfully brute-forcing the password remains unchanged.

Question 38

Consider the case of an air-gapped embedded device (i.e., without any network connection or similar communication means), where it is desired to have firmware updates performed connecting a mass storage device to it. The device does not have any permanent energy source (battery or connection to mains), and is thus turned off between uses. Argue on whether it is possible or not to employ digital certificates and a PKI infrastructure to validate the origin authenticity of the firmware updates. In case this is possible, sketch briefly the firmware validation procedure, otherwise highlight the reason why it cannot be performed, and provide a solution.

Answer 38

The scenario involves an air-gapped embedded device (i.e., without network connectivity) that requires firmware updates via a mass storage device. This device lacks a permanent power source, meaning it is turned off between uses. The question asks whether digital certificates and a Public Key Infrastructure (PKI) can be used to validate the origin authenticity of the firmware updates. If it is possible, a brief outline of the firmware validation procedure is requested. If not, the reasons why it cannot be performed and a potential solution should be provided.

The solution concludes that the air-gapped device without a permanent power supply cannot perform certificate validation due to the inability to keep track of time and therefore cannot check for certificate expiration. However, alternative methods or obtaining a time reference could allow for secure firmware validation. The provided rationale is detailed as follows:

1. Timekeeping and Certificate Expiration:
   
   • Issue: Digital certificates have expiration dates to ensure that they remain valid only for a certain period. This helps mitigate risks if the certificate’s private key is compromised or the certificate needs to be revoked.
   • Timekeeping Requirement: To validate a digital certificate, the device must know the current date and time to check if the certificate is still valid.
   • Air-Gapped Device Challenge: The device in question is turned off between uses and lacks a permanent power source, meaning it cannot maintain an internal clock. Consequently, it cannot reliably determine the current date and time when it powers on, making it impossible to check certificate expiration dates.
2. Potential Solutions:
   
   • Static Public Key for Signature Verification:
     
     • Description: Instead of using certificates that expire, a static public key can be used to verify the digital signature of the firmware. This public key would not require a reference to the current time.
     • Procedure: The firmware would be signed with a private key corresponding to the static public key stored on the device. When the firmware is updated, the device verifies the signature using this static public key.
     • Pros and Cons: This method is simpler and eliminates the need for timekeeping, but it reduces flexibility and potentially increases the risk if the public key needs to be rotated or revoked.
   • Obtaining a Time Reference:
     
     • Description: If the device could obtain a current time reference each time it powers on, it could perform proper certificate validation.
     • MSF-60 Radio Time Signal: The device could decode the MSF-60 time signal, which broadcasts the current time.
     • GPS Module: A GPS module can provide accurate time information.
     • Security Considerations: Both methods involve a trade-off as they can be spoofed. An attacker could broadcast a fake time signal or GPS signal to mislead the device about the current time, potentially causing it to accept expired or malicious certificates.
     • Implementation Complexity: Adding hardware for time synchronization increases complexity and cost.

• The lack of a permanent power source means the device cannot keep an accurate record of time. This prevents it from checking certificate expiration dates, a crucial step in digital certificate validation.

1. Static Public Key: Use a static public key for signature verification, eliminating the need for time validation.
2. Time Reference Solutions: Integrate a method to obtain the current time (e.g., MSF-60 radio signal or GPS), though these can be spoofed and add complexity.

1. Power On: When the device is powered on, it retrieves the current time from an MSF-60 signal or a GPS module.
2. Certificate Validation: The device uses the obtained time to check the expiration date of the digital certificate associated with the firmware.
3. Signature Verification: If the certificate is valid, the device uses the public key in the certificate to verify the digital signature of the firmware.
4. Update Execution: If the signature is valid, the firmware update is applied.

This detailed explanation provides a clear understanding of the constraints, potential solutions, and the reasoning behind the conclusion provided in the solution.

Question 39

You are willing to realize a digitally controlled safe. The safe should be opened only by authorized people, and it should require at least two authentication factors. Design and describe a secure cryptographic protocol which authenticates a user employing a “something you know” and a “something you have” factor, minimizing the amount of information kept by the digital safe. You can assume that the safe is endowed with a constant power supply, and an internal, reliable timing reference. Solutions minimizing the effort of decommissioning the safe will receive better grades.

Answer 39

The problem involves designing a digitally controlled safe that requires at least two authentication factors: “something you know” (e.g., a password) and “something you have” (e.g., a smartcard or RFID). The goal is to create a secure cryptographic protocol that minimizes the information stored by the safe and simplifies decommissioning.

The solution provided outlines a protocol that combines a numerical code (password) and a cryptographic signature from a smartcard or RFID. Here’s a detailed explanation of the points to be considered:

1. Two-Factor Authentication (2FA):
   
   • “Something you know”: This is typically a password or PIN known only to the user.
   • “Something you have”: This involves a physical device like a smartcard or RFID capable of performing cryptographic operations (e.g., signing).
2. Storage and Security of Passwords:
   
   • Salted Password Hash: To protect the password, the safe stores a salted hash of the password. A salt is a random value added to the password before hashing to ensure that even if two users have the same password, their hashes will be different. This also defends against precomputed attacks like rainbow tables.
   • Hash Algorithm: A cryptographically secure hash function (e.g., SHA-256) should be used to hash the salted password.
3. Public Key Infrastructure (PKI):
   
   • Smartcard/RFID Public Key: During user enrollment, the public key corresponding to the smartcard or RFID is stored in the safe. This key will be used to verify signatures produced by the smartcard/RFID.
   • Signature Verification: When attempting to open the safe, the device generates a random challenge, which the smartcard/RFID signs. The safe verifies the signature using the stored public key.
4. Authentication Protocol:
   
   • Step-by-Step Process:
     
     1. User Input: The user enters their password/PIN on the safe’s keypad.
     2. Password Hashing: The safe combines the password with the stored salt and hashes it to produce a digest.
     3. Challenge Generation: The safe generates a random bitstring (challenge) of at least 256 bits.
     4. Signature Request: The smartcard/RFID signs the random challenge using its private key.
     5. Signature Verification: The safe verifies the signature using the corresponding public key stored during enrollment.
     6. Password Digest Check: The safe checks if the password digest matches the stored value.
     7. Access Decision: If both the signature and the password digest are valid, the safe opens.
5. Decommissioning Considerations:
   
   • Minimal Stored Information: By only storing salted password hashes and public keys, the safe minimizes the sensitive information it holds.
   • Erasing Data: Decommissioning the safe involves securely erasing the stored salted password hashes and public keys. This ensures that no residual data can be used to authenticate or compromise the safe.
   • Password Policy: Implementing a strong password policy (e.g., requiring complex passwords) and using a robust hash function further protect against unauthorized access and simplify decommissioning.

1. Salted Password Hashing:
   
   • Why: Protects against rainbow table attacks and ensures each password hash is unique.
   • How: Store the salt and the hash of the password concatenated with the salt.
2. Smartcard/RFID for Cryptographic Signatures:
   
   • Why: Provides a secure “something you have” factor that can perform cryptographic operations.
   • How: Store the public key on the safe, use the private key on the smartcard/RFID to sign challenges.
3. Challenge-Response Protocol:
   
   • Why: Ensures that the smartcard/RFID is present and can perform real-time cryptographic operations.
   • How: Generate a random bitstring challenge, have the smartcard/RFID sign it, and verify the signature with the stored public key.
4. Efficient Decommissioning:
   
   • Why: Simplifies the process of securely retiring the safe without leaving sensitive information.
   • How: Focus on erasing the salted password hashes and public keys. This approach ensures minimal residual data.

The proposed solution effectively combines “something you know” (password) and “something you have” (smartcard/RFID) to create a secure and user-friendly authentication protocol. It minimizes stored information to enhance security and simplifies decommissioning by only requiring the erasure of salted password hashes and public keys. This detailed breakdown highlights the rationale behind each step and ensures a robust, secure, and manageable system.

Question 40

The bank is worried that, as employees have full access to the Internet, their computer could become infected with malware. Thus, he decides to install a system to analyze the content of any HTTP response and scan it with an anti-virus for the presence of known malware. Assume we’re interested in filtering traffic to HTTP pages only. What kind of packet filter should the bank put between the employees’ LAN and the Internet zone? Why?

Answer 40

To address the bank’s concern about employees’ computers potentially getting infected with malware due to unrestricted Internet access, it is crucial to implement a system that can analyze HTTP traffic and scan for malware. The goal is to filter and inspect HTTP responses effectively. Here’s a detailed breakdown of the points to consider and the reasoning behind choosing an application proxy, specifically an HTTP proxy, for this purpose.

1. Traffic Analysis Requirements:
   
   • Deep Packet Inspection (DPI): To detect and mitigate malware, the solution needs to inspect the actual content of HTTP responses, not just the headers or metadata.
   • Real-Time Scanning: The system must scan content in real-time to block any malicious content before it reaches the end-user.
2. Types of Packet Filters:
   
   • Packet Filtering Firewall: Operates at the network layer (Layer 3) and filters packets based on IP addresses, ports, and protocols. It does not inspect the actual content of the packets.
   • Stateful Inspection Firewall: Operates at the transport layer (Layer 4) and maintains the state of active connections. It can track sessions and make more complex decisions but still does not inspect content.
   • Application Proxy (HTTP Proxy): Operates at the application layer (Layer 7) and can inspect the content of traffic. It can analyze, modify, and filter content based on complex criteria.
3. Effectiveness Against Malware:
   
   • Signature-Based Detection: The anti-virus needs to check the content against a database of known malware signatures.
   • Behavioral Analysis: Advanced proxies can sometimes analyze behavior patterns to detect zero-day exploits or unknown malware.
   • Encrypted Traffic (HTTPS): If traffic is encrypted, the proxy must be able to perform SSL/TLS decryption and re-encryption to inspect the content.

1. Content Inspection Capability:
   
   • Deep Packet Inspection (DPI): HTTP proxies can inspect the entire content of HTTP responses, allowing for thorough malware scanning.
   • Detailed Analysis: They can parse and understand the structure of HTTP traffic, enabling them to detect malicious scripts, payloads, and other threats embedded in web pages.
2. Enhanced Security Controls:
   
   • Content Filtering: HTTP proxies can block access to known malicious websites and filter out unwanted content based on URL filtering, reputation databases, and real-time threat intelligence.
   • User Authentication and Access Control: Proxies can enforce user authentication and implement granular access controls, ensuring that only authorized users access specific resources.
3. Logging and Monitoring:
   
   • Detailed Logs: HTTP proxies provide detailed logs of all web traffic, which can be used for auditing, compliance, and further analysis.
   • Real-Time Alerts: They can generate real-time alerts for suspicious or malicious activities, enabling prompt response and mitigation.
4. Support for Additional Security Features:
   
   • SSL/TLS Interception: Many HTTP proxies can decrypt and inspect HTTPS traffic, providing visibility into encrypted threats.
   • Data Loss Prevention (DLP): They can also integrate with DLP systems to prevent sensitive data from leaving the network.
5. Performance Considerations:
   
   • Caching: HTTP proxies can cache frequently accessed content, improving performance and reducing bandwidth usage.
   • Load Balancing: They can distribute traffic across multiple servers, ensuring optimal use of resources and improved reliability.

1. Deploy the Proxy:
   
   • Installation: Install the HTTP proxy server on a dedicated hardware appliance or a virtual machine.
   • Configuration: Configure the proxy with appropriate rules for traffic inspection, malware scanning, content filtering, and access controls.
2. Integrate with Anti-Virus:
   
   • AV Engine: Integrate the proxy with a robust anti-virus engine capable of real-time scanning and signature updates.
   • Policies: Set policies for how to handle detected malware (e.g., block, quarantine, or alert).
3. Configure Network Settings:
   
   • Routing: Ensure that all HTTP traffic from the employees’ LAN is routed through the HTTP proxy.
   • Firewall Rules: Update firewall rules to direct outbound HTTP traffic to the proxy and block direct Internet access.
4. Test and Monitor:
   
   • Testing: Test the proxy setup to ensure it correctly filters and scans traffic as expected.
   • Monitoring: Continuously monitor the proxy’s performance, logs, and alerts to ensure it operates effectively and adapts to new threats.

By implementing an HTTP proxy, the bank can ensure that all HTTP traffic is thoroughly inspected and any potential malware is detected and blocked before it reaches employees’ computers, thereby significantly enhancing the network’s security posture.

Question 41

The bank is worried that, as employees have full access to the Internet, their computer could become infected with malware. Thus, he decides to install a system to analyze the content of any HTTP response and scan it with an anti-virus for the presence of known malware. Assume we’re interested in filtering traffic to HTTP pages only. What kind of packet filter should the bank put between the employees’ LAN and the Internet zone? Why?

Is it possible to reach the same goal if the pages are served via HTTPS? How?

Answer 41

When dealing with HTTPS traffic, achieving the same goal of inspecting and filtering content for malware becomes more challenging due to the encryption that protects the data from eavesdropping. However, it is still possible by employing a technique known as SSL/TLS interception or SSL/TLS decryption. Here’s a detailed explanation of how this can be accomplished:

SSL/TLS interception involves decrypting HTTPS traffic at the proxy, inspecting it for threats, and then re-encrypting it before forwarding it to the destination. This allows the proxy to analyze the content of HTTPS responses, just as it would with HTTP traffic.

1. Deploy the HTTP Proxy with SSL/TLS Interception Capabilities:
   
   • Ensure the proxy supports SSL/TLS decryption and re-encryption. Many modern HTTP proxies and next-generation firewalls (NGFWs) offer this feature.
2. Install a Trusted Certificate Authority (CA) Certificate:
   
   • The proxy will act as a man-in-the-middle (MitM) by generating certificates for HTTPS connections on the fly. For this to work seamlessly, the proxy must be trusted by the client devices.
   • Generate or obtain a CA certificate that the proxy will use to sign certificates for intercepted HTTPS connections.
   • Install this CA certificate on all client devices within the network. This step ensures that browsers and applications on these devices trust the proxy-generated certificates.
3. Configure the Proxy for SSL/TLS Interception:
   
   • Enable SSL/TLS interception on the proxy and specify which traffic should be intercepted (e.g., all HTTPS traffic or traffic to specific domains).
   • Configure the proxy to use the CA certificate for signing the intercepted traffic.
4. Traffic Decryption and Re-Encryption:
   
   • When a client initiates an HTTPS connection, the proxy intercepts this connection and establishes an SSL/TLS session with the client using the proxy’s CA certificate.
   • Simultaneously, the proxy establishes a separate SSL/TLS session with the destination server.
   • This process allows the proxy to decrypt the traffic, inspect it for malware, and then re-encrypt it before forwarding it to the client or server.

• Content Inspection: The proxy can inspect the decrypted HTTPS content for malware, perform content filtering, and apply security policies.
• Uniform Security Policies: The same level of security and inspection applied to HTTP traffic can be extended to HTTPS traffic.
• Visibility into Encrypted Traffic: The organization gains visibility into potentially malicious encrypted traffic that would otherwise bypass traditional security measures.

• Privacy Concerns: Decrypting HTTPS traffic involves inspecting potentially sensitive data. This should be done with privacy and compliance regulations in mind.
• Performance Impact: SSL/TLS interception can introduce latency and require significant processing power for encryption and decryption.
• Certificate Management: Ensuring that the CA certificate is correctly distributed and trusted by all client devices can be an administrative overhead.

Here’s a high-level example of how you might configure SSL/TLS interception on a proxy:

1. Generate or Import CA Certificate:
   
   • Generate a self-signed CA certificate or import an existing one into the proxy.

   bash
   openssl genpkey -algorithm RSA -out proxyCA.key
   openssl req -x509 -new -nodes -key proxyCA.key -sha256 -days 3650 -out proxyCA.crt

2. Install the CA Certificate on Client Devices:
   
   • Distribute the proxyCA.crt file to all client devices and import it into their trusted root certificate store.
3. Enable SSL/TLS Interception on the Proxy:
   
   • In the proxy’s management console, navigate to the SSL/TLS interception settings and enable the feature.
   • Specify the CA certificate and key file locations.
   • Define policies for which traffic should be intercepted.
4. Define Inspection Rules:
   
   • Create rules to inspect decrypted traffic for malware, block malicious content, and log relevant information.

By following these steps, the bank can extend its content inspection and malware scanning capabilities to include HTTPS traffic, ensuring comprehensive protection for both HTTP and HTTPS communications.

Question 42

Whoops! You discover that a network expert customer was able to enter the branch, locate a spare network outlet connected to the employees network (Z_LAN), connect his\her laptop and intercept all the HTTP communication between the a bank employee and the branch web server exploiting the gateway, with terrible consequences! Now the bank CISO wants a detailed report on what could have happened and on how we could prevent this to ever happen in the future. Please answer the following questions:

(a) Can you guess a technique that the customer could have used to reach this goal? State the name and briefly describe how it works in general.

(b) Detail all the steps that the customer could have performed in order to intercept the communication between a bank employee’s computer and the web server in this specific scenario.

Answer 42

(a) ARP spoofing

(b) The customer uses ARP spoofing to pose as the network gateway and sniff all the communication between the employee’s computer and the gateway, including the traffic to the WS.
1. The customer learns the IP address (e.g., by obtaining it via DHCP, or, if DHCP is not enabled, by passively sniffing the network broadcast traffic) and the real MAC address of the gateway (via ARP);
2. The customer broadcasts ARP messages with the gateway IP address and the customer’s own MAC address;
3. If the spoofing succeeds, the traffic to the gateway is directed to the customer (the customer also forwards traffic to the real gateway). This, way, the customer is able to sniff all the information between the client and the gateway and, thus, between the client and the local web server.

Question 43

Whoops! You discover that a network expert customer was able to enter the branch, locate a spare network outlet connected to the employees network (Z_LAN), connect his\her laptop and intercept all the HTTP communication between the a bank employee and the branch web server exploiting the gateway, with terrible consequences! Now the bank CISO wants a detailed report on what could have happened and on how we could prevent this to ever happen in the future. Please answer the following questions:

(c) Describe a possible way for the branch to prevent, or mitigate, this type of attack in this specific scenario, besides disabling/locking/damaging the spare network outlet found by the customer.

Answer 43

From the application point of view: use HTTPS with a certificate trusted by the browsers of the employee computers (BONUS: in this case it is important also to enable HSTS to prevent the customer to try to downgrade the communication to unencrypted HTTP or to train the employees to always check whether the communication is encrypted). From the network point of view: various techniques; for example, 802.1x to authenticate clients connected to ethernet ports or attempt, … (in general this approach is complementary to the use of HTTPS).

To address the scenario where a network expert was able to connect a laptop to a spare network outlet and intercept HTTP communication between a bank employee and the branch web server, the solution should encompass both application-level and network-level security measures. Here’s a detailed explanation of the points to be considered and why they are important:

• Encryption: HTTPS encrypts the communication between the client and the server, protecting the data from being intercepted and read by unauthorized parties.
• Integrity: HTTPS ensures that the data sent between the client and the server is not tampered with during transit.
• Authentication: HTTPS uses SSL/TLS certificates to authenticate the server, ensuring that the client is communicating with the legitimate server and not an imposter.

1. Obtain an SSL/TLS Certificate:
   
   • Get a certificate from a trusted Certificate Authority (CA).
   • Ensure the certificate is installed on the branch web server.
2. Configure Web Servers to Use HTTPS:
   
   • Configure the web server to use HTTPS for all communications.
   • Redirect HTTP requests to HTTPS to ensure all traffic is encrypted.
3. Enable HTTP Strict Transport Security (HSTS):
   
   • HSTS: Enforces the use of HTTPS and prevents users from downgrading to HTTP.
   • Configure the server to include the HSTS header in responses.
   • This helps to prevent man-in-the-middle attacks where an attacker could attempt to downgrade the connection to HTTP.
4. Employee Training:
   
   • Train employees to recognize HTTPS connections and understand the importance of secure communication.
   • Encourage them to report any warnings or errors related to SSL/TLS certificates.

• Port-Based Network Access Control: 802.1x provides an authentication mechanism to devices wishing to connect to a LAN or WLAN.
• Prevents Unauthorized Access: By requiring authentication before granting network access, it prevents unauthorized devices from connecting to the network and potentially intercepting communications.

1. Configure Network Switches for 802.1x:
   
   • Enable 802.1x on all network switches.
   • Configure the switches to require 802.1x authentication for all connected devices.
2. Set Up a RADIUS Server:
   
   • Use a RADIUS server to authenticate devices. The server will validate the credentials of the devices attempting to connect.
   • Ensure that the RADIUS server is properly integrated with the organization’s directory services (e.g., Active Directory).
3. Deploy Supplicant Software:
   
   • Ensure that all employee devices have 802.1x supplicant software installed and configured.
   • This software will handle the authentication process with the network.
4. Monitor and Audit Network Connections:
   
   • Regularly monitor logs and audit network connections to detect any unauthorized access attempts.
   • Implement alerting mechanisms for suspicious activities.

• Separate Networks: Implement VLANs to segment the network and isolate sensitive areas.
• Limit Access: Only allow necessary communication between segments and apply strict access control policies.

• Control Physical Access: Ensure that network outlets and switches are in secure locations with restricted physical access.
• Security Policies: Implement policies to regularly check for and secure unused network outlets.

• Endpoint Compliance: Use NAC solutions to ensure that devices meet security policies before they are allowed to connect to the network.
• Remediation: Automatically remediate or quarantine non-compliant devices.

By implementing HTTPS with HSTS and 802.1x authentication, the bank can significantly reduce the risk of unauthorized network access and man-in-the-middle attacks. These measures ensure that even if an attacker gains physical access to a network outlet, they would not be able to intercept sensitive communications or gain unauthorized access to the network.

• HTTPS and HSTS: Protects the integrity and confidentiality of communications and prevents downgrading attacks.
• 802.1x Authentication: Ensures that only authenticated devices can connect to the network.
• Network Segmentation and Physical Security: Adds layers of security to prevent and mitigate unauthorized access.
• Employee Training: Enhances awareness and adherence to security practices.

These combined approaches create a robust defense-in-depth strategy, addressing both application and network-level vulnerabilities.

Question 44

As the network security administrator for the network hit by this attack (i.e., you control the border firewall and can add arbitrary rules), can you mitigate the effect of this attack or prevent it altogether? Why?

Answer 44

To address the network security problem described in the [Question] and [Solution], it’s essential to understand the nature of the attack and the proposed mitigation strategies in detail. Here’s a comprehensive explanation:

• Type of Attack: The attack in question appears to be a type of Distributed Denial of Service (DDoS) attack using a protocol that has amplifying properties.
• Amplification Factor: The protocol mentioned has a 24x amplification factor, meaning that a small amount of data sent by the attacker results in a much larger amount of data being sent to the victim.
• Bandwidth Considerations: If the attacker’s bandwidth, when amplified, is greater than or equal to the victim’s bandwidth, the attacker can overwhelm the victim’s network.

• Amplification Impact: Due to the high amplification factor, even a relatively low bandwidth attacker can generate enough traffic to overwhelm the victim, making it challenging to mitigate purely based on network bandwidth.
• Victim’s Bandwidth Limit: If the victim’s bandwidth is less than the amplified traffic, the attack will likely succeed in causing a Denial of Service (DoS).

• Targeted Victim: If the specific victim is a machine with the IP address 104.28.1.1.
• Internal Network Bottlenecks: The bottleneck might not be the Internet-to-company link but could be due to other factors such as internal network bandwidth, the capabilities of the targeted machine, or some intermediary network device.

1. Dropping Specific Traffic:
   
   • UDP Source Port 27960: Implementing a firewall rule to drop UDP packets from source port 27960 can mitigate the attack if the attack traffic is identifiable and consistently using this source port.
2. Steps to Implement the Firewall Rule:
   
   • Access the Firewall Management Interface:
     
     • Log in to the border firewall’s management console.
   • Create a New Rule:
     
     • Navigate to the section where firewall rules are defined.
     • Add a new rule to block UDP packets from the specified source port.
   Example Configuration (Syntax will vary based on the firewall system):
   

   bash
   iptables -A INPUT -p udp --sport 27960 -j DROP

3. Verification:
   
   • Monitor Traffic: After implementing the rule, monitor network traffic to ensure that the rule is effectively blocking the attack traffic.
   • Performance Checks: Check the performance of the victim machine to verify that it is no longer being overwhelmed.

1. Effectiveness of Mitigation:
   
   • Specific Mitigation: While dropping traffic from source port 27960 can mitigate this specific attack, it is a narrow solution and may not protect against other attack vectors or more sophisticated attacks.
2. Potential for More Powerful Attacks:
   
   • Attack Adaptation: Attackers may change their tactics, such as using different source ports or other protocols, to bypass the implemented firewall rule.
   • Higher Bandwidth Attacks: Attackers with more resources can launch more powerful DDoS attacks that may overcome the firewall rule or exploit other vulnerabilities.
3. Additional Security Measures:
   
   • Rate Limiting: Implement rate limiting to control the amount of traffic allowed from any source to prevent overwhelming the network.
   • Traffic Analysis and Anomaly Detection: Use advanced traffic analysis tools to detect and respond to unusual traffic patterns indicative of a DDoS attack.
   • Load Balancing and Redundancy: Distribute network traffic across multiple servers and use redundancy to mitigate the impact of an attack on a single target.

• Amplification Factor: The protocol’s 24x amplification makes the attack powerful and difficult to mitigate purely based on bandwidth.
• Specific Mitigation: Dropping UDP packets from source port 27960 can mitigate this specific attack if the attack traffic is consistent and identifiable.
• Broader Protection: Consider additional measures such as rate limiting, traffic analysis, and network redundancy to provide more comprehensive protection against various types of DDoS attacks.
• Limitations: The proposed firewall rule is specific and may not protect against adaptive or more powerful attacks.

Implementing a multi-layered security strategy that includes both specific mitigations like firewall rules and broader protections like anomaly detection and rate limiting can provide a more robust defense against DDoS attacks.

Question 45

Consider the case of a public software archive: the software distributor has designed the following highly efficient scheme to protect the integrity of the distributed software. The distributor claims that the scheme avoids the issues in key management, is fast, and guarantees both the integrity of the distributed software and its origin.
The scheme goes as follows: given a piece of software (e.g. a Linux distribution package), consider it as a (long) bitstring s and distribute the bitstring obtained concatenating the strings a,s,b,c, where:
● a is obtained as SHA-256(s)
● b is obtained as SHA-256(s||a)
● c is obtained as SHA-256(a||s||b)
Argue on the fact that the proposed scheme provides integrity and origin authentication of the distributed software, either showing an attack against each property, or proving (an informal sketch is enough), that the scheme provides such property.
Design a simple and effective scheme to protect the integrity and authenticity of a piece of software which you are willing to distribute. Assume that the machines on which you are distributing your software have a network connection, and a reliable time reference.

Answer 45

The proposed scheme involves creating three hashes (a, b, and c) based on the software bitstring ( s ):

1. a = SHA-256(s)
2. b = SHA-256(s||a)
3. c = SHA-256(a||s||b)

These hashes are then concatenated to form the final string for distribution: a||s||b||c.

Let’s analyze the scheme’s claimed properties of integrity and origin authentication in detail:

1. Integrity:
   
   • Claim: The scheme guarantees the integrity of the distributed software.
   • Analysis: Integrity means ensuring that the software has not been altered after its creation. In this scheme, since ( s ), ( a ), ( b ), and ( c ) are all derived from the software ( s ) using SHA-256, any change in ( s ) would necessitate recomputing ( a ), ( b ), and ( c ). However, an attacker who can modify ( s ) can also recompute these hash values without any special difficulty. Thus, the scheme does not provide a robust mechanism to detect unauthorized modifications, as it does not prevent an attacker from generating consistent hash values for a tampered ( s ).
2. Origin Authentication:
   
   • Claim: The scheme guarantees the origin of the distributed software.
   • Analysis: Origin authentication ensures that the software comes from a trusted source. The proposed scheme lacks any mechanism to bind ( s ) to a specific origin. An attacker could create their own software ( s’ ), compute the corresponding ( a ), ( b ), and ( c ), and distribute it. There is no use of any secret or unique identifier linked to the originator, such as a digital signature. Thus, the scheme fails to provide any assurance regarding the origin of the software.

Given these points, we conclude that the proposed scheme fails to provide both integrity and origin authentication.

To effectively protect the integrity and authenticity of a piece of software, a more robust scheme is required. A common approach used in secure software distribution, such as in Linux distributions, involves digital signatures. Here’s a detailed explanation of how such a scheme works:

1. Digital Signatures:
   
   • Signing the Software: When a software package is built, the distributor signs it using their private key. This involves computing a hash of the software package and then encrypting the hash with their private key to create a digital signature.
   • Distributing the Software and Signature: The software package and its digital signature are distributed together.
   • Verifying the Signature: When a user downloads the software, they use the distributor’s public key to decrypt the digital signature, obtaining the original hash. They then compute the hash of the downloaded software package and compare it to the decrypted hash. If the hashes match, the software is verified as authentic and unaltered.
2. Trustworthy Public Key Distribution:
   
   • The public key of the distributor must be distributed in a trustworthy manner. This can be done through several methods:
     
     • Bundled with the OS Installation: The public key can be included with the operating system installation package, ensuring that it is obtained from a trusted source.
     • Public Key Infrastructure (PKI): A PKI can be used to manage and distribute public keys securely.
     • Certificates: The public key can be part of a digital certificate issued by a trusted Certificate Authority (CA).
3. Timestamping:
   
   • To enhance security further, especially in environments with network connectivity and reliable time references, timestamping the signature can be beneficial. This prevents replay attacks where an old, potentially vulnerable version of the software could be redistributed.

1. Generate Keys:
   
   • The distributor generates a key pair (public and private keys).
2. Sign the Software:
   
   • Compute the hash of the software package: ( \text{Hash}(s) ).
   • Encrypt the hash with the private key to create the digital signature: ( \text{Signature} = \text{Encrypt}_{\text{private_key}}(\text{Hash}(s)) ).
3. Distribute:
   
   • Distribute the software package ( s ) and the digital signature ( \text{Signature} ).
4. Verification:
   
   • The user computes the hash of the received software package.
   • The user decrypts the signature using the distributor’s public key to obtain the original hash.
   • The user compares the computed hash with the decrypted hash. If they match, the software is verified as authentic and unaltered.

By employing digital signatures and ensuring the public keys are distributed securely, this scheme robustly provides both integrity and origin authentication for the software.

Question 46

How exactly happen the distribution of the public key?

Answer 46

The distribution of the public key is a critical aspect of ensuring the integrity and authenticity of the software distribution scheme. Here are detailed methods for securely distributing the public key:

Explanation:
- The public key of the software distributor is included with the initial installation of the operating system (OS). This ensures that the key comes from a trusted source (the OS vendor).

Steps:
- The OS vendor includes the public key of the software distributor in a secure location within the OS installation package.
- When the OS is installed, the public key is also installed and stored securely on the user’s machine.
- Users can verify the authenticity of the software packages using this pre-installed public key.

Security:
- The trustworthiness of this method relies on the initial installation of the OS, which is typically obtained from a trusted source.

Explanation:
- PKI involves a hierarchy of digital certificates issued by a trusted Certificate Authority (CA). The CA’s root certificate is trusted by the user’s system, and it can verify the authenticity of subordinate certificates.

Steps:
- The software distributor obtains a digital certificate from a CA, which includes their public key.
- This certificate is signed by the CA’s private key, and the CA’s root certificate is already trusted by the user’s system.
- When distributing the software, the distributor also includes their certificate.
- Users verify the software by checking the certificate against the CA’s root certificate.

Security:
- This method relies on the trust placed in the CA, which is responsible for verifying the identity of the certificate holders.

Explanation:
- The public key is embedded in a digital certificate issued by a trusted CA. Users trust the CA’s root certificate, allowing them to verify the authenticity of the distributor’s certificate.

Steps:
- The software distributor requests a certificate from a CA.
- The CA verifies the identity of the distributor and issues a certificate containing the distributor’s public key.
- The certificate is digitally signed by the CA’s private key.
- The distributor includes this certificate with the software distribution.
- Users verify the certificate against the CA’s root certificate, which is pre-installed on their systems.

Security:
- Trust is based on the CA’s reputation and the secure distribution of the CA’s root certificate.

Explanation:
- In a WoT, users validate each other’s keys through direct interaction or mutual acquaintances. This is commonly used in PGP (Pretty Good Privacy) systems.

Steps:
- The distributor’s public key is signed by multiple trusted individuals or entities within the WoT.
- Users who trust one or more of these entities can verify the distributor’s public key.
- The public key and signatures are distributed together with the software or made available on public key servers.

Security:
- Trust is decentralized and relies on the network of trusted signers.

Explanation:
- The public key is distributed through secure channels separate from the software distribution channel.

Steps:
- The distributor provides the public key through secure means such as in-person delivery, secure email, or trusted websites.
- Users obtain the public key through these channels and manually verify its authenticity.
- Once verified, the key is used to authenticate software distributions.

Security:
- This method depends on the security of the out-of-band channel and the thoroughness of the manual verification process.

Explanation:
- Similar to bundling with the OS, this involves pre-installing a repository of trusted public keys.

Steps:
- The OS or software management system includes a repository of trusted public keys from various software distributors.
- These keys are securely installed and managed by the OS or system vendor.
- Users rely on this pre-installed repository to verify software packages.

Security:
- The trustworthiness of this method relies on the initial secure installation of the repository by the OS or system vendor.

• Initial Trust Establishment: The key factor in all these methods is establishing an initial trust in the public key or certificate. This initial trust is often based on the security of the OS installation, the reputation of the CA, or secure out-of-band verification.
• Key Revocation and Updates: There should be mechanisms in place to handle key revocation and updates in case a key is compromised or needs to be rotated. This is typically managed through certificate revocation lists (CRLs) in PKI systems or manual updates in simpler schemes.
• User Awareness: Users should be educated about the importance of verifying the public key and how to do it correctly to prevent man-in-the-middle attacks or other forms of impersonation.

By carefully implementing and managing these methods, the integrity and authenticity of distributed software can be effectively protected.