Please remember to print your answer for each day's paper question on a sheet
of paper and hand it in at the beginning of class.
Suppose slot_size is set to 16 bytes.
Consider the following code snippet:
char *p = malloc(256);
char *q = p + 256;
char ch = *q;
Explain whether or not baggy bounds checking will raise an exception
at the dereference of q.
Suppose a program has a buffer overflow vulnerability which allows
an attacker to overwrite a function pointer on the stack (which is
invoked shortly after the buffer is overflowed). Explain whether or not
an attacker is able to exploit the vulnerability if the same program is run
What's the worst that could happen if one service in OKWS were to leak
its 20-byte database proxy authentication token?
Would a Unix application running in the Unix environment described
in the KeyKOS paper (i.e., KeyNIX) be susceptible to the confused
deputy problem? Explain.
What are the principals that Java uses for access control?
List possible causes of false negatives (missed vulnerabilities)
and false positives (reported problems that are not vulnerabilities)
in the system described by the paper.
Is the descendant policy just as secure as the child policy
for frame navigation? Either explain why it is so, or describe
a concrete counter-example.
Suppose that a web application developer wants to avoid the security
pitfalls described in the ForceHTTPS paper. The developer uses HTTPS
for the application's entire site, and marks all of the application's
cookies as "Secure". If the developer makes no mistakes in doing so,
are there still reasons to use ForceHTTPS? Explain why not, or provide
examples of specific attacks that ForceHTTPS would prevent.
What is the worst that could happen if the private key of a user is
stolen (i.e., becomes known to an adversary)? Similarly, what is
the worst that could happen if the private key of a service is
stolen? How should the compromised user or service recover? Think
about possible vulnerabilities in the recovery process if the user
or service key is known to an adversary.
The second paper, "Cache Missing for Fun and Profit", suggests
several changes to the operating system that would help mitigate
the timing attack on L1 caches. Can you think of some mechanism
(e.g. OS-level, compiler-level, language-level) that might help
programmers avoid attacks like the RSA timing attack described
in the first paper, "Remote Timing Attacks are Practical"?
Briefly explain how your mechanism might help, or, if you can't
think of any, argue why you believe it doesn't exist.
Could an adversary compromise a server running the system proposed
in the paper without being detected?
Suppose an adversary steals a laptop that uses BitLocker disk encryption.
In BitLocker's design, Windows has a key to decrypt the contents of
- What prevents the adversary from extracting this key from Windows?
- If the adversary cannot extract the key, what prevents him or her
from simply using Windows to access files?
Sketch out the Resin filter and policy objects that would be needed to
avoid cross-site scripting attacks through user profiles in zoobar.
What are the technical risks and benefits of running an onion router
Tor node (i.e., not just a client) on your machine?
Do you think a worm similar to Stuxnet could be designed to compromise
Linux machines? What aspects of Linux or Windows design do you think
make worms easier or harder to write?
What factors control the precision with which Vanish can make data
unreadable after exactly time T?
In Table 1, what causes the secure deallocation lifetime to be
noticeably larger (for some applications) than the ideal lifetime?
How could an adversary circumvent Backtracker, so that an administrator
cannot pinpoint the initial intrusion point?
How does the proposed system deal with an adversary that tries to
frame someone else for the denial-of-service attack by marking the
attack packets they send in some way?
Given that CAPTCHAs can be solved quite cheaply, do you think that
open web sites should continue using CAPTCHAs, switch to some other
mechanism, or not use any mechanism at all (e.g., if you believe
any mechanism will be cheap to break, like CAPTCHAs)? Explain your