
CS591 S2007 Midterm Test Web Page

Enter your answers on the web page and, after completing them, print a hard copy for your own record and push the submit button. You have until 3/21/2007 11:59pm to finish the midterm. Treat these questions as multiple-choice questions: you must choose either yes or no for each answer. There are five open questions that require you to enter answers in the textareas.
Print a copy of your answers before hitting the submit button. If you have problems accessing the web server to submit your answers, slide your hard copy with answers under my office door Thursday morning.
Enter the following information. The password is used to verify the person submitting the answers.
Your name:
Your login on CS UNIX machines:
Your password (all nine digits of your Student ID, no dashes):


  1. Introduction
  2. Classify attacks according to the basic types of threats

    1. The W32/Netsky.p@mm virus copies itself into the Windows directory as FVProtect.exe and inserts "Norton Antivirus AV" = %WinDir%\FVProtect.exe into HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which specifies the list of programs to run at boot time. What type of threat is this?
    2. 1. interception Yes No
      2. interruption Yes No
      3. modification Yes No
      4. fabrication Yes No
    3. Which threats does Slammer implement?
    4. 1. interception Yes No
      2. interruption Yes No
      3. modification Yes No
      4. fabrication Yes No
    5. The original midterm web page is not secure.
    6. 1. It uses poor passwords: only four digits, so it is subject to brute-force attacks. Yes No
      2. It uses password-based web access; attackers can guess the password. Yes No
      3. It can be improved by adding sleep(10); to delay 10 seconds when the password does not match. Yes No
      4. The machine that serves the web page is shared with other users. A careless access-rights change can expose the midterm data. Yes No
    7. List three areas of security improvement in the new midterm web access design (https://archie.uccs.edu/secure/cs591/f2005midterm.html):
    8. Confidentiality, Integrity, and Availability are three basic security services.
    9. 1. Which service protects us from eavesdropping?
      2. Providing multiple paths between senders and receivers helps improve ___.
      3. Which service provides authentication of users?
  3. Basic Cryptography
    1. AES
      1. 1. What is the block size when we use AES?  
        2. Does it include s-box and p-box operations? Yes No
    2. A file x.txt contains the following content:
      -----BEGIN RSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,B06049B0B1D5EB5E

      (base64-encoded key body omitted)
      -----END RSA PRIVATE KEY-----

    3. 1. What is B06049B0B1D5EB5E?
      2. What key size is used to encrypt the above data?
  4. Buffer Overflow Exploits and the Related Defenses
    1. Elias' Smashing Stack
    2. 1. NOP instructions in the exploit data sequence help increase the chance of catching the execution flow. Yes No
      2. Give two reasons why we cannot accurately calculate the return address to be used at the end of the exploit data sequence.

      3. When we get an "illegal instruction" error after applying the exploit, is it possible that the return address points to one of the bytes in the shell code? Yes No
    3. For the following program,
      #include <stdio.h>

      int main(int argc, char* argv[])
      {
          char a[128];           /* fixed-size buffer on the stack */
          gets(a);               /* no bounds check: input longer than the buffer overflows a[] */
          printf("a=%s\n", a);
          return 0;
      }
    4. 1. What buffer size would you use?
      2. Can the exploit data sequence include Line Feed characters? Yes No
      3. The shellcode used by expGets() needs to close stdin and reopen it. Yes No
    5. Buffer Overflow Defense Techniques.
    6. 1. Put a canary guard on the stack and compare its value when the call returns. Yes No
      2. Do not allow code to be executed on the stack. Yes No
      3. Randomize the address space allocated for the stack area. Yes No
  5. Program Security
    1. In Software We Trust.
      archie.uccs.edu was installed with the Fedora Core 4 software distribution downloaded from a mirror site at USC.
      The download directory contains iso (CD image) files and a file SHA1SUM with the following content:

      -----BEGIN PGP SIGNED MESSAGE-----
      Hash: SHA1

      2f151a7329846da685c2a72fcb40eba3e8a355a0 FC4-i386-DVD.iso
      aa82f4be0be901777537b6ad0906c4f3c2d84bc3 FC4-i386-SRPMS-disc1.iso
      e43a0db88bf537f6dab6e49513c6391a4aa9b549 FC4-i386-SRPMS-disc2.iso
      37c0a3dacf0e803e402474ecca6a16bf177490b4 FC4-i386-SRPMS-disc3.iso
      72fd68d72a2c7563b74073c25dccb903a2a34a01 FC4-i386-SRPMS-disc4.iso
      3fb2924c8fb8098dbc8260f69824e9c437d28c68 FC4-i386-disc1.iso
      31fdc2d7a1f1709aa02c9ea5854015645bd69504 FC4-i386-disc2.iso
      032455cdf457179916be3a739ca16add75b768b7 FC4-i386-disc3.iso
      f560f26a32820143e8286afb188f7c36d905a735 FC4-i386-disc4.iso
      736e1555e88740d6131c5c84fbe69ed1073ba82d FC4-i386-rescuecd.iso
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.2.1 (GNU/Linux)

      iD8DBQFCpdjJtEJp0E8qb9IRAunQAJ9jUj+Oaixsc3NnvaK02/CvOU6SVgCfVgMS
      lDTAIErqWlDdYTpglgEjfAA=
      =+hVy
      -----END PGP SIGNATURE-----

      Feeding this SHA1SUM file to the PGP Desktop software package shows KeyID = 0x4F2A6FD2, with the signer unknown and an unknown signing key. A further Google search for "verifying PGP signature" lists the URL http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x4F2A6FD2, which shows the public key block associated with this KeyID.
      Another URL, http://stinkfoot.org:11371/pks/lookup?op=index&search=0x4F2A6FD2, shows

      Type  bits/keyID       Date        User ID
      pub   1024D/4F2A6FD2   2003-10-27  Fedora Project <fedora@redhat.com>
      It looks like it is signed by the Fedora Project.

      1. 1. After downloading FC4-i386-SRPMS-disc1.iso from the USC mirror site and running "sha1sum FC4-i386-SRPMS-disc1.iso", it prints out
        aa82f4be0be901777537b6ad0906c4f3c2d84bc3 FC4-i386-SRPMS-disc1.iso

        Does the sha1sum result tell us the iso image is authentic and comes from the Fedora Core project?

        Yes No
        2. If the above sha1sum result does not tell us the iso image is authentic, what does it really prove to us?

        3. The lower part of SHA1SUM file contains a PGP signature. The signature included the keyID and signed hash. Yes No
        4. The signed hash is generated by running sha1sum on the ten hash lines of the SHA1SUM file shown above, then encrypting the resulting SHA-1 hash with the Fedora Project's private key.
        Yes No
        5. We can verify the signed SHA-1 hash with the public key listed at http://wwwkeys.pgp.net:11371/pks/lookup?op=get&search=0x4F2A6FD2
        But that means we need to trust the wwwkeys.pgp.net site.
        Yes No
        6. What would you suggest to the Fedora Project to improve this download web page in terms of integrity and authentication?
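The verification flow behind the questions above, as an added example that is not part of the original midterm page: it parses a clearsigned SHA1SUM file, checks a download against it, and shows why the hash check alone settles integrity against the SHA1SUM copy you hold but not authenticity. The image contents, hash lines and signature body are constructed stand-ins; gpg --verify is named only, not run.

```python
import hashlib
import re

# Constructed stand-ins for the downloaded images (short byte strings, not real ISOs).
DOWNLOADS = {
    "FC4-i386-disc1.iso": b"constructed disc1 image contents\n",
    "FC4-i386-disc2.iso": b"constructed disc2 image contents\n",
}

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

# Constructed SHA1SUM in the same clearsigned layout as the Fedora file above; the
# hash lines are real SHA-1 digests of DOWNLOADS, the signature body is a placeholder.
SHA1SUM = (
    "-----BEGIN PGP SIGNED MESSAGE-----\n"
    "Hash: SHA1\n\n"
    f"{sha1_hex(DOWNLOADS['FC4-i386-disc1.iso'])} FC4-i386-disc1.iso\n"
    f"{sha1_hex(DOWNLOADS['FC4-i386-disc2.iso'])} FC4-i386-disc2.iso\n"
    "-----BEGIN PGP SIGNATURE-----\n"
    "Version: GnuPG v1.2.1 (GNU/Linux)\n\n"
    "PLACEHOLDER-SIGNATURE-BODY\n"
    "-----END PGP SIGNATURE-----\n"
)

HASH_LINE = re.compile(r"^([0-9a-f]{40})\s+(\S+)$")

def parse_sha1sum(text: str) -> dict:
    """{filename: hexdigest} from the signed part (before BEGIN PGP SIGNATURE);
    the 'Hash:' header and blank lines are skipped."""
    signed_part = text.split("-----BEGIN PGP SIGNATURE-----", 1)[0]
    digests = {}
    for line in signed_part.splitlines():
        m = HASH_LINE.match(line.strip())
        if m:
            digests[m.group(2)] = m.group(1)
    return digests

def check_integrity(name: str, data: bytes, digests: dict) -> bool:
    """True if data hashes to the listed value: the download matches the SHA1SUM copy
    you hold. Who wrote that copy is only settled by gpg --verify on its signature."""
    expected = digests.get(name)
    return expected is not None and sha1_hex(data) == expected

def tampered_mirror_passes_hash_check() -> bool:
    """Limit of the hash check: a mirror that swaps disc1 AND rewrites SHA1SUM to match
    still passes. Only the signature, which cannot be re-made without the Fedora
    Project's private key, exposes the swap."""
    evil = b"constructed replaced image\n"
    evil_sum = SHA1SUM.replace(sha1_hex(DOWNLOADS["FC4-i386-disc1.iso"]), sha1_hex(evil))
    return check_integrity("FC4-i386-disc1.iso", evil, parse_sha1sum(evil_sum))
```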

         
    2. For the midterm secure web access, we not only trust the Fedora Project for the Linux kernel which we install on archie.uccs.edu; we also trust them for the many software packages they integrated into the software distribution. I also trusted that the software update package called yum does a good job updating the installed software packages. We assume that archie was not broken into by attackers.
      1. How can I be sure I am not signing a client certificate from an attacker? What additional defenses do I have?

      2. How can you be sure that your certificate is signed by me? List three network services you need to trust.
      3. How can you verify that you are not accessing a fake web site?
  6. Firewall
    1. Assume that an outer firewall has eth1 connected to the Internet. What iptables firewall rule will allow a machine on the Intranet or DMZ LAN to initiate a connection to the Internet?

    2. How is MASQUERADE used? Does this service only deal with outbound packets (to the Internet)?

    3. How is DNAT used? Is it applied in PREROUTING or POSTROUTING?

If you feel some of the questions are ambiguous, state the problem # and your assumptions on the answers.