6.858 / Fall 2012 / Paper Reading Questions

Warning: You must have Javascript enabled to view a specific question.

Suppose slot_size is set to 16 bytes. Consider the following code snippet:

      char *p = malloc(256);
      char *q = p + 256;
      char ch = *q;

Explain whether or not baggy bounds checking will raise an exception at the dereference of q.

Suppose a program has a buffer overflow vulnerability which allows an attacker to overwrite a function pointer on the stack (which is invoked shortly after the buffer is overflowed). Explain whether or not an attacker is able to exploit the vulnerability if the same program is run under XFI.

What's the worst that could happen if one service in OKWS were to leak its 20-byte database proxy authentication token?

Would a Unix application running in the Unix environment described in the KeyKOS paper (i.e., KeyNIX) be susceptible to the confused deputy problem? Explain.

What are the principals that Java uses for access control?

List possible causes of false negatives (missed vulnerabilities) and false positives (reported problems that are not vulnerabilities) in the system described by the paper.

Is the descendant policy just as secure as the child policy for frame navigation? Either explain why it is so, or describe a concrete counter-example.

Suppose that a web application developer wants to avoid the security pitfalls described in the ForceHTTPS paper. The developer uses HTTPS for the application's entire site, and marks all of the application's cookies as "Secure". If the developer makes no mistakes in doing so, are there still reasons to use ForceHTTPS? Explain why not, or provide examples of specific attacks that ForceHTTPS would prevent.

What is the worst that could happen if the private key of a user is stolen (i.e., becomes known to an adversary)? Similarly, what is the worst that could happen if the private key of a service is stolen? How should the compromised user or service recover? Think about possible vulnerabilities in the recovery process if the user or service key is known to an adversary.

What are some other situations where an adversary may be able to learn confidential information by timing certain operations? Propose some ideas for how an application developer might mitigate such vulnerabilities.

Could an adversary compromise a server running the system proposed in the paper without being detected?

Suppose an adversary steals a laptop that uses BitLocker disk encryption. In BitLocker's design, Windows has a key to decrypt the contents of the drive.

What prevents the adversary from extracting this key from Windows?
If the adversary cannot extract the key, what prevents him or her from simply using Windows to access files?

Sketch out the Resin filter and policy objects that would be needed to avoid cross-site scripting attacks through user profiles in zoobar. Assume that you have a PHP function to strip out JavaScript.

What are the technical risks and benefits of running an onion router Tor node (i.e., not just a client) on your machine?

Do you think a worm similar to Stuxnet could be designed to compromise Linux machines? What aspects of Linux or Windows design do you think make worms easier or harder to write?

What factors control the precision with which Vanish can make data unreadable after exactly time T?

In Table 1, what causes the secure deallocation lifetime to be noticeably larger (for some applications) than the ideal lifetime?

How could an adversary circumvent Backtracker, so that an administrator cannot pinpoint the initial intrusion point?

How does the proposed system deal with an adversary that tries to frame someone else for the denial-of-service attack by marking the attack packets they send in some way?

Given that CAPTCHAs can be solved quite cheaply, do you think that open web sites should continue using CAPTCHAs, switch to some other mechanism, or not use any mechanism at all (e.g., if you believe any mechanism will be cheap to break, like CAPTCHAs)? Explain your reasoning.

A browser cross-site scripting filter is a common client-side XSS prevention mechanism built into many modern browsers. Here's a brief description of what it does, in the words of Adam Barth, one of the creators of such filters, XSS Auditor: "Basically, the filter checks each script before it executes to see whether the script appears in the request that generated the page. If it finds a match, it blocks the script from executing. [...]". Do you think such a filter may be effective at detecting DOM-based (entirely client-side) cross-site scripting? Please explain.

The paper only mentions one potential false positives arising because of the use of regular expression. Explain why it is indeed a false positive.

Why is it necessary to treat innerHTML field assignments in a special way in the Gatekeeper analysis?

Security and performance are often at odds in computer systems. Do you feel that object views is a performant enough mechanism for everyday use?

What are some of the disadvantages of fast-propagating worms?

The paper discusses the possibility of using memory scanning to deal with the problems of obfuscation, encryption, and polymorphism. While memory scanning will enable signature-based detection, do you see any drawbacks of this approach?

JavaScript malware often uses a variety of environment detection techniques. One such technique is to check the version of the browser, plugins such as Adobe Acrobat or Flash, operating system, etc. before delivering an exploit deliberately designed for that platform and environment configuration, as illustrated by the pseudocode below.

if(browser-is-ie-6 && adober-flash-version==10.1){
  heap_spray();
}

This leads to more reliable, successful exploits for the attacker. Do you see how this pattern may lead to false negatives in a runtime detector?

The paper mentions that typical Android applications execute on top of a Java virtual machine. What is the role of Java in ensuring overall security?

Would it be reasonable to run TaintDroid to track what data applications may be exfiltrating from your phone at all times? Would it be reasonable to use TaintDroid to enforce policies like ``no application can send my IMEI to the Internet''? Explain why or why not, and what changes would be needed to make TaintDroid applicable, if not.

While privacy seems to be one clear benefit of client-side personalization, what are some of the disadvantages of it?

What are the disadvantages of using a human-readable, pseudonymous identifier for the user within a federated identity system, instead of a crypto key or a long string of hexadecimal numbers?

How could the operators of the spam value chain, studied in this paper, make it more difficult to repeat such studies in the future?

After reading this paper, propose some ideas for how you might improve the usability of securely accessing WebSIS (http://student.mit.edu).

Suppose you are building an online multi-person game. You are worried that a player can cheat in various ways by modifying the game software, since it runs on the player's own computer, or sending arbitrary network messages to your game server. What security properties could you get by using TrInc in your game (e.g., a trinket comes in the box when you buy a game)? What security problems cannot be solved with TrInc?

The authors of the Capsicum paper describe several strategies for how to use Capsicum in several applications (Section 4). How would you recommend using Capsicum in the different components of OKWS? Are there features missing from Capsicum that would have made it easier to build OKWS?

Suppose you are helping the developers of a complex web site at http://bitdiddle.com/ to evaluate their security. This web site uses an HTTP cookie to authenticate users. The site developers are worried an adversary might steal the cookie from one of the visitors to the site, and use that cookie to impersonate the victim visitor.

What should the developers look at in order to determine if a user's cookie can be stolen by an adversary? In other words, what kinds of adversaries might be able to steal the cookie of one of the visitors to http://bitdiddle.com/, what goes "wrong" to allow the adversary to obtain the cookie, and how might the developers prevent it?

Note: an exhaustive answer might be quite long, so you can stop after about 5 substantially-different issues that the developers have to consider.

Why is it important to prevent access to scope objects?

Suppose an adversary discovers a bug in NaCl where the checker incorrectly determines the length of a particular x86 instruction. How could an adversary exploit this to escape the inner sandbox?

Based on the different schemes described in the paper, what do you think would be a reasonable choice for authenticating users in the following scenarios, and what trade-offs would you have to make:

Logging in to a public Athena machine in a cluster.
Checking your balance on a bank's web site via HTTPS from a private laptop.
Accessing Facebook from an Internet cafe.
Withdrawing cash from an ATM.

Which of the vulnerabilities described in this paper (A1 through A5) do you think could have been found with some kind of automated tool (such as fuzzing or program analysis) and what might such a tool look like?

Think about other applications that you run on your mobile phone. How might you apply Koi's techniques to help ensure privacy in these other applications? What other techniques could be useful?

Could large email providers, such as GMail, Yahoo Mail, or Hotmail, use ideas from SybilLimit to better detect spam email? What assumptions would they need to check?