Fall 2011

Paper Reading Questions

Please remember to print your answer for each day's paper question on a sheet of paper and hand it in at the beginning of class.

Warning: You must have Javascript enabled to view a specific question.

Suppose slot_size is set to 16 bytes. Consider the following code snippet:

      char *p = malloc(256);
      char *q = p + 256;
      char ch = *q;
    

Explain whether or not baggy bounds checking will raise an exception at the dereference of q.

Suppose a program has a buffer overflow vulnerability which allows an attacker to overwrite a function pointer on the stack (which is invoked shortly after the buffer is overflowed). Explain whether or not an attacker is able to exploit the vulnerability if the same program is run under XFI.

What's the worst that could happen if one service in OKWS were to leak its 20-byte database proxy authentication token?

Would a Unix application running in the Unix environment described in the KeyKOS paper (i.e., KeyNIX) be susceptible to the confused deputy problem? Explain.

What are the principals that Java uses for access control?

List possible causes of false negatives (missed vulnerabilities) and false positives (reported problems that are not vulnerabilities) in the system described by the paper.

Is the descendant policy just as secure as the child policy for frame navigation? Either explain why it is so, or describe a concrete counter-example.

Suppose that a web application developer wants to avoid the security pitfalls described in the ForceHTTPS paper. The developer uses HTTPS for the application's entire site, and marks all of the application's cookies as "Secure". If the developer makes no mistakes in doing so, are there still reasons to use ForceHTTPS? Explain why not, or provide examples of specific attacks that ForceHTTPS would prevent.

What is the worst that could happen if the private key of a user is stolen (i.e., becomes known to an adversary)? Similarly, what is the worst that could happen if the private key of a service is stolen? How should the compromised user or service recover? Think about possible vulnerabilities in the recovery process if the user or service key is known to an adversary.

What are some other situations where an adversary may be able to learn confidential information by timing certain operations? Propose some ideas for how an application developer might mitigate such vulnerabilities.

Could an adversary compromise a server running the system proposed in the paper without being detected?

Suppose an adversary steals a laptop that uses BitLocker disk encryption. In BitLocker's design, Windows has a key to decrypt the contents of the drive.

  1. What prevents the adversary from extracting this key from Windows?
  2. If the adversary cannot extract the key, what prevents him or her from simply using Windows to access files?

Sketch out the Resin filter and policy objects that would be needed to avoid cross-site scripting attacks through user profiles in zoobar. Assume that you have a PHP function to strip out JavaScript.

What are the technical risks and benefits of running an onion router Tor node (i.e., not just a client) on your machine?

Do you think a worm similar to Stuxnet could be designed to compromise Linux machines? What aspects of Linux or Windows design do you think make worms easier or harder to write?

What factors control the precision with which Vanish can make data unreadable after exactly time T?

In Table 1, what causes the secure deallocation lifetime to be noticeably larger (for some applications) than the ideal lifetime?

How could an adversary circumvent Backtracker, so that an administrator cannot pinpoint the initial intrusion point?

How does the proposed system deal with an adversary that tries to frame someone else for the denial-of-service attack by marking the attack packets they send in some way?

Given that CAPTCHAs can be solved quite cheaply, do you think that open web sites should continue using CAPTCHAs, switch to some other mechanism, or not use any mechanism at all (e.g., if you believe any mechanism will be cheap to break, like CAPTCHAs)? Explain your reasoning.

A browser cross-site scripting filter is a common client-side XSS prevention mechanism built into many modern browsers. Here's a brief description of what it does, in the words of Adam Barth, one of the creators of such filters, XSS Auditor: "Basically, the filter checks each script before it executes to see whether the script appears in the request that generated the page. If it finds a match, it blocks the script from executing. [...]". Do you think such a filter may be effective at detecting DOM-based (entirely client-side) cross-site scripting? Please explain.

The paper only mentions one potential false positives arising because of the use of regular expression. Explain why it is indeed a false positive.

Why is it necessary to treat innerHTML field assignments in a special way in the Gatekeeper analysis?

Security and performance are often at odds in computer systems. Do you feel that object views is a performant enough mechanism for everyday use?

What are some of the disadvantages of fast-propagating worms?

The paper discusses the possibility of using memory scanning to deal with the problems of obfuscation, encryption, and polymorphism. While memory scanning will enable signature-based detection, do you see any drawbacks of this approach?

JavaScript malware often uses a variety of environment detection techniques. One such technique is to check the version of the browser, plugins such as Adobe Acrobat or Flash, operating system, etc. before delivering an exploit deliberately designed for that platform and environment configuration, as illustrated by the pseudocode below.

if(browser-is-ie-6 && adober-flash-version==10.1){
  heap_spray();
}
This leads to more reliable, successful exploits for the attacker. Do you see how this pattern may lead to false negatives in a runtime detector?

The paper mentions that typical Android applications execute on top of a Java virtual machine. What is the role of Java in ensuring overall security?

Would it be reasonable to run TaintDroid to track what data applications may be exfiltrating from your phone at all times? Would it be reasonable to use TaintDroid to enforce policies like ``no application can send my IMEI to the Internet''? Explain why or why not, and what changes would be needed to make TaintDroid applicable, if not.

While privacy seems to be one clear benefit of client-side personalization, what are some of the disadvantages of it?

What are the disadvantages of using a human-readable, pseudonymous identifier for the user within a federated identity system, instead of a crypto key or a long string of hexadecimal numbers?

How could the operators of the spam value chain, studied in this paper, make it more difficult to repeat such studies in the future?

After reading this paper, propose some ideas for how you might improve the usability of securely accessing WebSIS (http://student.mit.edu).

Suppose you are building an online multi-person game. You are worried that a player can cheat in various ways by modifying the game software, since it runs on the player's own computer, or sending arbitrary network messages to your game server. What security properties could you get by using TrInc in your game (e.g., a trinket comes in the box when you buy a game)? What security problems cannot be solved with TrInc?

Questions or comments regarding 6.858? Send e-mail to the course staff at 6.858-staff@pdos.csail.mit.edu.

Top // 6.858 home // Last updated Friday, 29-Jan-2016 11:49:32 EST