2019 Exam

C Code

void func(const char* arg) {
char buffer[42];
if (length(arg) <= 42) {
strcpy(buffer, arg);
}
}

What can get overwritten?

Saved Frame Pointer

Return Pointer

No overflow because of a length check

Solution
This code is vulnerable to an off-by-one-overflow, because strlen(arg) returns the length without the \0 byte while strcpy(buffer, arg) copies everything including the \0 byte.
Therefore our input can have the length 43 (incl. the \0 byte) while the buffer can only take 42 bytes.
Therefore:
1. ✅ Saved Frame Pointer
1. ❌ Return Pointer
1. ❌ No overflow because of a length check

Address Layout randomization

Which of the following is true?

Is always better than DEP

Randomizes memory layout

Can be bypassed with knowledge about addresses and local variables

Prevents a buffer overflow

Solution
1. ASLR is a countermeasure against ret2link and ROP attacks that bypass DEP by reusing code instead of injecting code into the stack to execute it. Therefore ASLR without DEP would not be secure and is not necessarily better. ❌
1. Makes stack addresses, addresses of library routines, etc. unpredictable and different from machine to machine → Random base addresses for: system call IDs, instruction sets, most importantly pointers. ✅
1. Can still be bypassed with Return/Jump/Data Oriented Programming and knowledge about addresses and local variables. ✅
1. Has nothing to do with it ❌

PHP Code

Which of the following is true?

<html> Output: <?php echo $_GET[argument] ?> </html>

CSRF is possible

XSS is possible and the server sees the attack scripts

XSS is possible and the server does not see the attack scripts

No exploits possible

Solution
Server side attacks in summary:
RCE: executing code (php or shell) remotely on the server
Client side attacks in summary:
CSRF: auto-triggering a request from clients browser to another cross site webpage
XSS: executing scripts on the clients browser (that get detected by the server-side except in the XSS-DOM attack if there is no logging)
In this case
Server side attacks:
RCE:
```
GET ?argument=a; system("Shell Code"); HTTP/2
Host: example.com
```
```
GET ?argument=a; eval("PHP Code"); HTTP/2
Host: example.com
```
Client side attacks:
CSRF: possible by triggering a remote code injection from clients browser
XSS: reflected
```
GET ?argument="bogus content made by attacker"; HTTP/2
Host: example.com
```
1. CSRF is possible : ✅ the attacker can auto trigger a request from the victims browser that contains a payload in the query.
1. XSS is possible and the server sees the attack scripts : ✅ Reflected XSS attacks: can display data that the attacker chose once the vicitm clicked on a link containing the attackers payload. (ie. using echo to display an arbitrary message)
  A stored XSS attack is not possible because we can not store stuff into the html directly. (ie. as a forum post)
  📎 In depth explaination
1. XSS is possible and the server does not see the attack scripts : ❌
1. No exploits possible : ❌ the server sees all attack scripts no matter if they are stored or not because it has to process each request. (even in the case of DOM-XSS it can still be logged)

Cryptographic Protocols

$A \larr \{A,B,n_B\} -B$

$A - \{\text{Enc}(m,~\text{sig}(m,~n_B,sk_A)\}_{pk_B} \rarr B$

Which of the following is true?

Injective agreement $A\rarr B$

non injective agreement

no agreement at all

confidentiality of $m$

Solution
This is a type of PC-Handshake.
If we would place the authentication log events, then the protocol would look like this:
$A \larr \{A,B,n_B\} -B$
$\text { event } {begin}(A, B, M)$
$A - \{\text{Enc}(m,~\text{sig}(m,~n_B,sk_A)\}_{pk_B} \rarr B$
$\text { event } {end}(A, B, M)$
1. Injective agreement $A\rarr B$ : Yes - $B$ can check the freshness of the nonce ✅
1. non injective agreement : No - the challenge could have been sent by anyone. ❌
1. no agreement at all: ❌
1. confidentiality of $m$ : is preserved, because only $B$ can read the message encrypted with their public key.

Electronic Codebook ECB

Which of the following is true?

Plaintext patterns are visible

parallel encryption is possible

parallel decryption is possible

random access is possible

Solution
All of the options above are true.
We can also see the plaintext- patterns that the ECB reveals:
$\LARGE\Downarrow$

Cookies

Cookie 1:
name=uid value=1 domain=tuwien.ac.at secure=falseCookie 2:
name=sid value=2 domain=secpriv.tuwien.ac.at secure=false

Which cookies get sent with a request to https://tuwien.ac.at ?

Cookie 1

Cookie 2

Both

None

Solution
The domain property requires that - if set - the cookie only gets attacked to websites that have its value as their suffix or be equal.
The secure property requires the protocol to be HTTPS.
Therefore only Cookie 1 gets attached. (Only the first option is true).

Access Control

Which concept allows only authorized subjects to have write access to data?

Accountability

Availability

Integrity

Confidentialty

Accessibility

Solution
Integrity: Data only changed when authorized / System behaves as expected

The ElGamal Proof

Which of the following is true?

We assume that if there is an adversary that can break DDH, then we can use it to break ELGamal

We assume that if there is an adversary that can break ElGamal, then we can use it to break DDH

The proof is about how $(g^x, g^y, g^{xy})$ can not be differenciated from $(g^x, g^y, g^r)$

The proof is about how $(g^x, g^y, g^{xy})$ can not be differenciated from $(g^x, g^y, g^{x+y})$

Solution
Proof by contradiction
We can break ElGamal if we can break the DDH assumption.
If $\exists A$ algorithm that breaks ElGamal with any $pk$ then we imitate the challenger to break DDH with his advantage $\operatorname{Adv} >0$ of distinguishing correctly.
Decisional Diffie-Hellman Assumption
$|G| \approx 2^n$ and we choose random $g\in \Z_p^*$ .
With given $g^a, g^b, Z$ we can not decide whether $Z = g^{ab}$ for any $a,b,Z \in \{1,\dots,|\Z_p^*|\}$ .
Therefore:
1. ❌
1. ✅
1. ✅
1. ❌

Textbook RSA

Which of the following is true?

Textbook RSA is correct

Textbook RSA is CPA secure

A small $e$ can be used without sacrificing security

A small $d$ can be used without sacrificing security

Solution
All of them are false execpt the first one:
1. ✅ Correctness means that the encryption process and decryption processes function as expected for any given (finite) plaintext.
1. ❌
1. ❌
1. ❌
Textbook / naive RSA is insecure:
No randomization of encryption function.
Not secure against passive attacks because it is deterministic.
Same messages result in the same ciphers: $m=m^{\prime} \Rightarrow \operatorname{Enc}(p k, m)=\operatorname{Enc}\left(p k, m^{\prime}\right)$

ACL and Capabilities

Which of the following is true?

There is a reference monitor that checks every access

ACL are object centered, Capabilities are subject centered

ACL are subject centered, Capabilities are object centered

Only capabilities can be inherited

Its easier to revoke an ACL

Solution
1. ✅
1. ✅
1. ❌
1. yes - by just passing the token ✅
1. yes - revocation of tokens requires extra bookkeeping ✅

CSRF

What are successful countermeasures?

Tokens in Forms

Referrer header

Custom HTTP Header

Setting cookie properties to secure and httpOnly

Solution
1. ✅
1. ✅
1. ✅
1. ❌ but the sameSite cookie attribute would be effective to some extent

XSS

What are successful countermeasures?

httpOnly cookies

HTTPS protocol

not allowing the word <script> and validating user input

Solution
1. ❌ - the httpOnly cookie property disables javascript access to the cookies. This is only a useful counter
1. ❌
1. ✅

Collision Resistant Hash Function

Which of the following is true?

always maps to the same length

maps to any length

its infeasible to find 2 plaintexts with the same hash

Users with the same passwords get different hashes in Unix

Solution
ie: MD5 (broken), SHA1 (broken), SHA2 family, SHA3 family, $\dots$
One-way functions Easy to compute output, infeasible to find the input from output
Collision-resistance Infeasible to find different inputs that map to the same output
Collision $\big(H(m_1) = H(m_2)\big) \wedge \big(m_1 \not = m_2 \big)$
1. ✅ → definition from slides: "A hash function is any function that can be used to map data of arbitrary size to data of fixed size."
1. ❌
1. ✅
1. ✅ yes - because we use salt

OTP

What gets leaked when we use the same key multiple times for two different plaintexts ?

$m_1 \oplus m_2$

the key $k$ itself

$m_1 \oplus m_2 \oplus k$

nothing

Solution
1. ✅
  Important: Key must be used once for entire $m$
  To save storage, one might try to split $m$ up in smaller pieces and encrypt them with the same $c$ .
  $c_1=\operatorname{Enc}(k,m_1)= k \oplus m_1$
  $c_2=\operatorname{Enc}(k,m_2)= k \oplus m_2$
  $c_{1} \oplus c_{2}= ( k \oplus m_1)\oplus(k \oplus m_2)= m_{1} \oplus {m}_{2}$
  which is vulnerable to frequency analysis.
1. ❌
1. ❌
1. ❌

Stack Canaries

Which of the following is true?

Get validated just when we want to return from a function

Prevent overwriting the return address

Have no performance impact

Require a recompilation for activation

Solution
1. ✅
1. ❌ If pointer and its content both overwritable → changing any memory on or off the stack possible, therefore also the return address. like: *dst=buf[0]
1. ❌ Checking before each return does have a cost.
1. ✅ aswell as a modified compiler.

SOP

What does the SOP check for the DOM?

Protocol

Domain

Port

Path

Solution
Javascript scripts can only read and write on same-origin-resources like the DOM.
same-origin means pages must share the same: protocol, domain, subdomain, hostname, port.
1. ✅
1. ✅
1. ✅
1. ❌