Stanford CS 155 - Study Guide

This preview shows page 1-2-3-4 out of 12 pages.


CS 155: Spring 2008
June 2008

CS 155 Final Exam

This exam is open books and open notes. You may use course notes and documents that you have stored on a laptop, but you may NOT use a laptop to search the web or communicate with a friend. You have 2 hours. Print your name legibly and sign and abide by the honor code written below. All of the intended answers may be written well within the space provided. You may use the back of the preceding page for scratch work. If you want to use the back side of a page to write part of your answer, be sure to mark your answer clearly.

The following is a statement of the Stanford University Honor Code:

A. The Honor Code is an undertaking of the students, individually and collectively:
   (1) that they will not give or receive aid in examinations; that they will not give or receive unpermitted aid in class work, in the preparation of reports, or in any other work that is to be used by the instructor as the basis of grading;
   (2) that they will do their share and take an active part in seeing to it that others as well as themselves uphold the spirit and letter of the Honor Code.
B. The faculty on its part manifests its confidence in the honor of its students by refraining from proctoring examinations and from taking unusual and unreasonable precautions to prevent the forms of dishonesty mentioned above. The faculty will also avoid, as far as practicable, academic procedures that create temptations to violate the Honor Code.
C. While the faculty alone has the right and obligation to set academic requirements, the students and faculty will work together to establish optimal conditions for honorable academic work.

I acknowledge and accept the Honor Code.

(Signature)

SENIOR?

(Print your name, legibly!)

Prob    # 1   # 2   # 3   # 4   # 5   # 6   # 7   Total
Score
Max     18    13    13    14    14    12    16    100

1. (18 points) Short Answer

(a) (3 points) Basic buffer overflow attacks use the fact that the return address is at a higher memory address than the local variables (buffer). Explain how to carry out a buffer overflow attack if the stack layout is reversed. In the reversed layout, the stack grows from lower-numbered memory locations to higher ones, and the return address is at a lower memory address than the local variables allocated in the same stack activation record.

(b) (3 points) The same origin policy (SOP) for DOM access is based on the triple (protocol, host, port). Suppose SOP did not include protocol (i.e. SOP was defined using only host and port — as was the case in Safari until Safari 3.0). What goes wrong? For example, explain how a network attacker could steal gmail secure cookies (i.e. cookies sent only over HTTPS). Note that reading document.cookie in an HTTP context does not reveal secure cookies.

(c) WPAD is a protocol used by IE to automatically configure the browser's HTTP and HTTPS proxy settings. Before fetching its first page, IE will use DNS to locate a WPAD file, and if one is found, will use its contents to configure IE's proxy settings. If the network name for a computer is pc.cs.stanford.edu the WPAD protocol iteratively looks for wpad files at the following locations:

    http://wpad.cs.stanford.edu/wpad.dat
    http://wpad.stanford.edu/wpad.dat
    http://wpad.edu/wpad.dat (prior to 2005)

  i. (4 points) Explain what capabilities were inadvertently given to the owner of the domain wpad.edu as a result of this protocol. Explain how personal information can be exposed as a result of this issue.

  ii. (2 points) Are pages served over SSL protected from the problem you described? If so, explain why; if not, explain why not.

(d) (6 points) A stateless packet-filter firewall decides whether to allow a packet to traverse the firewall based on the TCP/IP header of the packet, without regard to past traffic through the firewall. Assume a stateless packet-filter firewall is installed between an enterprise network and the external Internet, for the purpose of protecting users on the enterprise network.

Circle the following attacks that can be detected and mitigated (to a significant degree) by the firewall:

  i. Port sweep
  ii. SYN flooding
  iii. DNS cache poisoning
  iv. A phishing attack in which users are asked to visit a known bad web site
  v. Viruses in incoming email addressed to enterprise users
  vi. DNS rebinding

2. (13 points) Detecting executable tampering

Media players enforcing content protection rules need to ensure that their executable image on disk has not been modified by the user (otherwise, one could bypass content protection by disabling the content protection component). These mechanisms are intended to defend against attackers who modify the executable instructions.

(a) (2 points) A simple method for a program to detect tampering with its executable is as follows: at startup the program hashes (using SHA-1) the executable image loaded in memory and compares the result with a pre-computed hash value (say, stored in the executable header). The program exits in case of mismatch. Explain how an attacker could defeat this mechanism with a single word change to the executable image.

(b) (7 points) Many proposals try to improve on the method outlined in part (a) by relying on obfuscation and repeated hashing. Let us examine a generic attack on this approach. Modern processors have an instruction cache used to cache memory pages containing code and a data cache used to cache memory pages containing data (a page that contains both code and data may be cached twice). When the processor wants to load a page into either cache, it first translates the page's virtual address into a physical address. This translation is done using the TLB. If the TLB does not contain an entry for the required address (a TLB miss) then an exception is triggered requesting the operating system to populate the TLB with an appropriate entry.

On the UltraSparc a different exception is signaled depending on whether the page is to be loaded into the data cache or into the instruction cache. In other words, the OS can tell whether the page is being accessed as data or as code.

Design an OS memory manager for the UltraSparc that defeats any tamper detection mechanism based on hashing segments of the executable image in memory. Explain exactly how your memory manager responds to TLB misses.

Hint: You are allowed to keep two copies of the media player application in memory.

(c) (4 points) Suppose you
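
The WPAD lookup sequence described in problem 1(c), written out as an added example that is not part of the original exam: it enumerates the wpad.dat URLs a client would try for a given host name and separates those that stay inside the organization's own domain from those that leave it. The function names and the `org_domain` parameter are assumptions made for this illustration.

```python
# Added example (not from the exam): enumerate WPAD candidates for a host
# and flag the ones that fall outside the organization's own domain.

def wpad_candidates(fqdn):
    """Return the wpad.dat URLs tried for fqdn, most specific first."""
    labels = fqdn.strip(".").lower().split(".")
    urls = []
    # Drop the leftmost label one step at a time:
    # pc.cs.stanford.edu -> cs.stanford.edu -> stanford.edu -> edu
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        urls.append(f"http://wpad.{suffix}/wpad.dat")
    return urls


def audit(fqdn, org_domain):
    """Split candidates into (inside, outside) relative to org_domain.

    org_domain is a hypothetical parameter: the domain the organization
    actually controls. A lookup that reaches an 'outside' URL asks a
    server the organization does not run for its proxy configuration.
    """
    org = org_domain.strip(".").lower()
    inside, outside = [], []
    for url in wpad_candidates(fqdn):
        host = url.split("/")[2]          # e.g. wpad.stanford.edu
        suffix = host[len("wpad."):]      # e.g. stanford.edu
        if suffix == org or suffix.endswith("." + org):
            inside.append(url)
        else:
            outside.append(url)
    return inside, outside


if __name__ == "__main__":
    ok, leaked = audit("pc.cs.stanford.edu", "stanford.edu")
    for url in ok:
        print("inside org :", url)
    for url in leaked:
        print("OUTSIDE org:", url)
```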

