King's College London

This paper is part of an examination of the College counting towards the award of a degree. Examinations are governed by the College Regulations under the authority of the Academic Board.

Examination Period: August 2021 (Period 3)
Module Code: 7CCSMSEN (AY2021) - online exam
Module Title: Security Engineering
Format of Examination: Written questions
Start time: TBD GMT
Time Allowed: ONE AND A HALF hours

Instructions: You are permitted to access any materials you wish, but this is not mandated and is not expected. You may use a calculator if you find this helpful.

Rubric: ANSWER THREE OF FOUR QUESTIONS. Each question awards a maximum of 25 marks. All questions carry equal marks. If more than three questions are answered, the three answers with highest marks will count. (Therefore the maximum exam mark is overall 75 over 75.)

The rubric for this paper must be followed and extra answers should not be submitted. For answers that are handwritten, write with blue/black ink on light coloured paper. Include the Module code, question number and student number on every page to be submitted. For answers that are typed, use the template provided.

Submission Deadline: TBD

Submission Process: Work must be submitted to the level 7 Informatics Assessments KEATS page. Your work must be submitted as a PDF file. If you have prepared some answers on computer, and some on paper (which have then been digitised), you may upload at most two PDF files – one for computer-prepared answers, one for digitised answers. Do not duplicate answers across the two PDFs – if you do this, the computer-prepared answer will be taken. You should check that your work displays correctly after it has been uploaded.

ACADEMIC HONESTY AND INTEGRITY

Students at King's are part of an academic community that values trust, fairness and respect and actively encourages students to act with honesty and integrity. It is a College policy that students take responsibility for their work and comply with the university's standards and requirements. Online proctoring / invigilation will not be used for our online assessments. By submitting their answers students will be confirming that the work submitted is completely their own. Misconduct regulations remain in place during this period and students can familiarise themselves with the procedures on the College website.

Important: Students should copy out the following statement and include it with their submission for each examination:

I agree to abide by the expectations as to my conduct, as described in the academic honesty and integrity statement.

2021 King's College London
August 2021    7CCSMSEN (AY2021) - online exam

1. Question. Consider the following C code fragment:

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void
    foobar(char *arg)
    {
        char msg[256];

        memset(msg, 0, sizeof(msg));

        // shall we trust the user? Never!
        if (strlen(arg) < sizeof(arg))
            strcpy(msg, arg);

        // let's just be nice
        snprintf(msg, sizeof(msg) - 1, arg);

        return;
    }

    int
    main(int argc, char **argv)
    {
        if (argc != 2) exit(1);

        foobar(argv[1]);

        printf("Hey! Nice to meet ya %s\n", argv[1]);

        exit(0);
    }

QUESTION 1 CONTINUES ON NEXT PAGE    Page 2    SEE NEXT PAGE
a. Give a thorough description of the program's vulnerability. In particular, name the vulnerability (1 mark), its location (1 mark), and provide a detailed overview of its exploitation (2 marks). Then, identify and explain thoroughly all the components that are involved in the exploit (4 marks). [8 marks]

b. How would an attacker exploit the vulnerability? Hint: describe in detail what the injection vector would look like (and what retaddr and retloc the attacker may use). Use symbolic values and addresses when needed (no need to write down the shellcode). [10 marks]

c. Would bounds checkers mitigate the vulnerability (1 mark)? Explain clearly the reasons (1 mark). [2 marks]

d. Would StackGuard mitigate the vulnerability (1 mark)? Explain clearly the reasons (2 marks). [3 marks]

e. How can the program be fixed? [2 marks]
2. Question. Static analysis is a program analysis technique to analyze a program's code without running it.

a. List, and explain the reasons for, 2 of the benefits static analysis provides. [2]

b. List, and explain the reasons for, 3 of the drawbacks static analysis has. [3]

c. What impact on the software development process does static analysis have? [4]

d. What does it mean when a static analysis is sound? [2]

e. What does it mean when a static analysis is complete? [2]

f. Consider a static taint flow analysis as we have discussed in class. Consider the following code snippet:

    int printf(untainted char *fmt, ...);
    void read(int, tainted char *input, int);

    char name[10];

    read(0, name, sizeof(name));
    char *x = name;
    printf(x);

Let us assume we are interested in an analysis that identifies no tainted data flows (where untainted < tainted in a lattice). Given the initial taint source and untainted sink:

i. Create a name for each missing type qualifier, assuming a flow-/path-/context-insensitive analysis. [2]

ii. For each statement in the program, generate constraints on possible solutions, assuming a flow-/path-/context-insensitive analysis. [3]

iii. Solve the constraints to produce solutions for the type qualifiers identified earlier (1 mark) and state whether the resulting flow is legal or illegal (1 mark). As above, assume a flow-/path-/context-insensitive analysis. [2]

g. Consider a taint flow analysis as we have discussed in class. Consider the following code snippet:

    int printf(untainted char *fmt, ...);
    void read(int, tainted char *input, int);

    char name[10];

    read(0, name, sizeof(name));
    char *x;
    x = name;
    x = "hello!";
    printf(x);

Let us assume we are interested in an analysis that identifies no tainted data flows (where untainted < tainted in a lattice). Given the initial taint source and untainted sink:

i. Show how the program would be changed if we carried out a flow-sensitive static analysis, assuming a flow-sensitive and path-/context-insensitive analysis. [1]

ii. Create a name for each missing type qualifier, assuming a flow-sensitive and path-/context-insensitive analysis. [1]

iii. For each statement in the program, generate constraints on possible solutions, assuming a flow-sensitive and path-/context-insensitive analysis. [1]

iv. Solve the constraints to produce solutions for the type qualifiers identified earlier (1 mark) and state whether the resulting flow is legal or illegal (1 mark). As above, assume a flow-sensitive and path-/context-insensitive analysis. [2]
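As an added worked example (not part of the exam paper), the following Python prototype encodes the subtype constraints that Question 2 f and g ask for as data and solves them by least fixpoint over the lattice untainted < tainted, contrasting the flow-insensitive and the flow-sensitive (renamed) treatment of the second snippet. The qualifier names alpha/beta and the simplified rule that passing a buffer to a tainted char * parameter yields tainted <= qualifier(buffer) are my assumptions about how the class's analysis is modelled, not something the paper states.

```python
# Lattice: untainted < tainted. A constraint (a, b) means a <= b, i.e. a
# value qualified a flows into a location qualified b. Unknown qualifiers
# are strings (alpha, beta, ...); known ones are the two constants.
UNTAINTED, TAINTED = 0, 1

def solve(constraints):
    """Least solution by fixpoint: every unknown starts untainted and is
    raised to tainted whenever a tainted value flows into it.
    Returns (solution, violations); the flow is legal iff violations == []."""
    sol = {t: UNTAINTED for a, b in constraints for t in (a, b) if isinstance(t, str)}
    val = lambda t: sol[t] if isinstance(t, str) else t
    changed = True
    while changed:
        changed = False
        for a, b in constraints:
            if isinstance(b, str) and val(a) > sol[b]:  # raise b to meet a
                sol[b] = val(a)
                changed = True
    # After the fixpoint only constraints whose right-hand side is a constant
    # (a sink such as printf's untainted fmt) can still be violated.
    violations = [(a, b) for a, b in constraints if val(a) > val(b)]
    return sol, violations

def is_legal(constraints):
    return solve(constraints)[1] == []

# Q2 f, flow-/path-/context-insensitive: one qualifier per variable
# (alpha for name's contents, beta for x's; the names are my assumption).
#   read(0, name, ...) -> tainted <= alpha   (assumed modelling of the tainted parameter)
#   char *x = name     -> alpha <= beta
#   printf(x)          -> beta <= untainted  (printf's fmt is declared untainted)
Q2F = [(TAINTED, "alpha"), ("alpha", "beta"), ("beta", UNTAINTED)]

# Q2 g, flow-insensitive: both assignments to x constrain the same beta.
#   x = name -> alpha <= beta;  x = "hello!" -> untainted <= beta;  printf(x) -> beta <= untainted
Q2G_INSENSITIVE = [(TAINTED, "alpha"), ("alpha", "beta"), (UNTAINTED, "beta"), ("beta", UNTAINTED)]

# Q2 g, flow-sensitive: rename each assignment (x1 = name; x2 = "hello!";
# printf(x2)) so every definition of x gets its own qualifier.
Q2G_SENSITIVE = [(TAINTED, "alpha"), ("alpha", "beta1"), (UNTAINTED, "beta2"), ("beta2", UNTAINTED)]

if __name__ == "__main__":
    for label, cs in (("Q2f", Q2F), ("Q2g insensitive", Q2G_INSENSITIVE), ("Q2g sensitive", Q2G_SENSITIVE)):
        sol, bad = solve(cs)
        print(label, sol, "legal" if not bad else f"illegal, violated: {bad}")
```

Renaming is what turns the flow-insensitive "illegal" verdict for the second snippet into "legal": the tainted definition of x never reaches the printf sink once x2 carries its own qualifier.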
3. Question. A secure software development lifecycle requires security engineering to fit into all the phases of the software development process.

a. In which way does security engineering fit into requirements, design, implementation, and testing/assurance? Motivate your answer. [7]

b. What is a threat model and why is it important? [4]

c. Consider Leslie Lamport's Gold Standard.

i. What is it? [2]

ii. Explain each component of Lamport's Gold Standard. [12]
4. Question. Consider the following C code fragment and assume the program name is fixed to vuln, it is invoked as ./vuln (i.e., argv[0]) and cannot be changed by an attacker.

    #include <stdlib.h>
    #include <string.h>

    int foo(char *arg);

    int
    main(int argc, char **argv)
    {
        if (argv[1])
            return foo(argv[1]);
        else
            return foo(argv[0]);
    }

    int
    foo(char *arg)
    {
        char bar[128];

        if (sizeof(arg) > 128) {
            strcpy(bar, arg);

            // never return to main so even if vulnerable
            // no ret is executed and no shellcode is triggered
            exit(0);
        }

        strcpy(bar, arg);

        return strlen(bar);
    }
a. Does the program suffer from a memory corruption vulnerability? If not, explain the reasons. If yes, explain the reasons and how it is possible to successfully exploit this vulnerability. In other words, is it possible to provide specific input to such a program to take advantage of its vulnerability and thus execute arbitrary code (for instance, spawning a shell), on x86-32 architectures? If yes, explain how you would exploit it (high-level steps, including what input and size you should provide). If not, explain why and what you would change in the code to make it exploitable. [5 marks]
b. Assuming that the above code is vulnerable (or can be modified to become vulnerable) and that the vulnerability can be successfully exploited (or can be modified to be exploited), then consider the following x86 assembly code fragment, which may be used to exploit the previous vulnerability:

    int
    main(void)
    {
        __asm__(
            "jmp ahead\n"
            "back:\n"
            "popl %ebx\n"
            "movl %ebx, 0x8(%ebx)\n"
            "xorl %eax, %eax\n"
            "movb %al, 0x7(%ebx)\n"
            "movl %eax, 0xc(%ebx)\n"
            "movl %eax, %edx\n"
            "movl $0xb, %eax\n"
            "movl 0xc(%ebx), %ecx\n"
            "int $0x80\n"
            "ahead:\n"
            "call back\n"
            ".string \"/bin/sh\""
        );
    }

i. Assuming the above assembly snippet (shown in Question 4 (b)) is placed on the stack, what does the assembly code do? Add comments to each line and explain its semantics in the context of the shellcode. For instance, the instruction mov $0xb, %eax copies the constant value 0xb into the register %eax. This represents the index that refers to the system call execve. [12 marks]

ii. An attacker creates a suitable injection vector to exploit the aforementioned memory error. To this end, he places the shellcode in the injection vector, pads it with his initials so as to create a message long enough to overflow bar; then the attacker adds the appropriate address at the right place and terminates the message with a NULL ('\0'). In other words, the injection vector looks as follows:

    +-----------------+-----------------+------------+----+
    |    nop sled     |    shellcode    | 0xbfff1234 | \0 |
    +-----------------+-----------------+------------+----+

Next, he runs the program giving this injection vector to it as its first argument. To his surprise, the attack fails. He asks you for help. State why the attack cannot work. [2 marks]

iii. Show how the shellcode can be modified to make the attack possible. (Note: don't worry if you do not know the exact syntax of instructions; marks will be awarded for a clear explanation.) [2 marks]

c. Assume the code shown at the beginning of the question is vulnerable (or can be modified to be so) and the vulnerability can be successfully exploited. State and describe what technique(s) an attacker would use to exploit the vulnerability shown at the beginning of the question, if the kernel enforces a non-executable stack protection (again, assume the small program shown at the beginning of the question is exploitable or can be modified to be exploited successfully). [4 marks]