Fall 2010

Paper Reading Questions

Please remember to print your answer for each day's paper question on a sheet of paper and hand it in at the beginning of class.

Suppose slot_size is set to 16 bytes. Consider the following code snippet:

      char *p = malloc(256);
      char *q = p + 256;
      char ch = *q;
    

Explain whether or not baggy bounds checking will raise an exception at the dereference of q.

Suppose a program has a buffer overflow vulnerability which allows an attacker to overwrite a function pointer on the stack (which is invoked shortly after the buffer is overflowed). Explain whether or not an attacker is able to exploit the vulnerability if the same program is run under XFI.

What's the worst that could happen if one service in OKWS were to leak its 20-byte database proxy authentication token?

Would a Unix application running in the Unix environment described in the KeyKOS paper (i.e., KeyNIX) be susceptible to the confused deputy problem? Explain.

What are the principals that Java uses for access control?

List possible causes of false negatives (missed vulnerabilities) and false positives (reported problems that are not vulnerabilities) in the system described by the paper.

Is the descendant policy just as secure as the child policy for frame navigation? Either explain why it is so, or describe a concrete counter-example.

Suppose that a web application developer wants to avoid the security pitfalls described in the ForceHTTPS paper. The developer uses HTTPS for the application's entire site, and marks all of the application's cookies as "Secure". If the developer makes no mistakes in doing so, are there still reasons to use ForceHTTPS? Explain why not, or provide examples of specific attacks that ForceHTTPS would prevent.

What is the worst that could happen if the private key of a user is stolen (i.e., becomes known to an adversary)? Similarly, what is the worst that could happen if the private key of a service is stolen? How should the compromised user or service recover? Think about possible vulnerabilities in the recovery process if the user or service key is known to an adversary.

The second paper, "Cache Missing for Fun and Profit", suggests several changes to the operating system that would help mitigate the timing attack on L1 caches. Can you think of some mechanism (e.g. OS-level, compiler-level, language-level) that might help programmers avoid attacks like the RSA timing attack described in the first paper, "Remote Timing Attacks are Practical"? Briefly explain how your mechanism might help, or, if you can't think of any, argue why you believe it doesn't exist.

Could an adversary compromise a server running the system proposed in the paper without being detected?

Suppose an adversary steals a laptop that uses BitLocker disk encryption. In BitLocker's design, Windows has a key to decrypt the contents of the drive.

  1. What prevents the adversary from extracting this key from Windows?
  2. If the adversary cannot extract the key, what prevents him or her from simply using Windows to access files?

Sketch out the Resin filter and policy objects that would be needed to avoid cross-site scripting attacks through user profiles in zoobar. Assume that you have a PHP function to strip out JavaScript.

What are the technical risks and benefits of running an onion router Tor node (i.e., not just a client) on your machine?

Do you think a worm similar to Stuxnet could be designed to compromise Linux machines? What aspects of Linux or Windows design do you think make worms easier or harder to write?

What factors control the precision with which Vanish can make data unreadable after exactly time T?

In Table 1, what causes the secure deallocation lifetime to be noticeably larger (for some applications) than the ideal lifetime?

How could an adversary circumvent Backtracker, so that an administrator cannot pinpoint the initial intrusion point?

How does the proposed system deal with an adversary that tries to frame someone else for the denial-of-service attack by marking the attack packets they send in some way?

Given that CAPTCHAs can be solved quite cheaply, do you think that open web sites should continue using CAPTCHAs, switch to some other mechanism, or not use any mechanism at all (e.g., if you believe any mechanism will be cheap to break, like CAPTCHAs)? Explain your reasoning.

Questions or comments regarding 6.858? Send e-mail to the course staff at 6.858-staff@pdos.csail.mit.edu.

Top // 6.858 home // Last updated Friday, 29-Jan-2016 11:49:25 EST