COMP3632 HW3 2022 F (With Answer)

Homework 3 COMP 3632

Some questions in the written assignment come from the textbook: Information Security
Principles and Practice. This assignment counts for 10% of your final grade.

1. (7 pt) Advanced software exploitation.

(a) (2pt) Please give one possible root cause of SQL injection, and provide a prevention
measure based on the root cause you provided.
(b) (answer): Root cause: Insufficient validation when parsing user supplied inputs.
Prevention: Use bound variables with prepared statements
(c) (2pt) What is a double-free vulnerability? How can double-free be prevented?
(d) (answer): The program calls free twice with the same memory address.
Prevention: Set unused pointers to NULL, use smart pointers, don’t use C (an unsafe
programming language), or any possible solution.
(e) (3pt) What is a format string vulnerability? Briefly explain how a format string
attack can be used to perform an arbitrary memory write.
(f) (answer): Attackers can control the format string and cause arbitrary memory
read and even memory write. To launch arbitrary memory write, attackers need
to control the special format string “%n”. This special format string tells the
printf to write the number of bytes written via the format string processing up to
that point to an address specified by the argument.
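
As an added illustration of answer 1(b), not part of the assignment, the string-spliced query sits beside the prepared-statement version, using Python's sqlite3 module and a constructed in-memory user table (all names are mine):

```python
import sqlite3

def make_db():
    """Constructed in-memory user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    # Root cause: user-supplied strings are spliced into the SQL text, so the
    # SQL parser cannot tell where the data ends and the query structure begins.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return [row[0] for row in conn.execute(query)]

def login_prepared(conn, name, password):
    # Prevention: bound variables. The statement is parsed with '?' placeholders
    # and the values are bound afterwards, so input is never interpreted as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (name, password))]

if __name__ == "__main__":
    conn = make_db()
    bad_password = "' OR '1'='1"   # constructed input that closes the quote early
    print(login_vulnerable(conn, "alice", bad_password))   # ['alice', 'bob']
    print(login_prepared(conn, "alice", bad_password))     # []
```

With the spliced query the tautology makes the WHERE clause true for every row; with bound variables the same text is just a password that matches nobody.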

2. (9pt) Static and dynamic security analysis.

(a) (3pt) Explain the difference between information flow and data flow, and explain
which one is preferred in security analysis.
(b) (answer): (2pt) Data flow captures program (sensitive) values propagated via
variables. Information flow captures both data flow and other implicit information
propagations. In the slides (and during the class), I mention several different
implicit information flow propagations, for instance: a piece of data affects the
execution of certain if/else branch.
(c) (3pt) Can taint analysis be implemented as a “dynamic analysis”? Explain your
answer.
(d) (answer): Yes. Basically we can perform taint analysis during program execution,
by tracking the taint propagation dynamically on the execution trace. It is
mentioned on page 28 of the taint analysis lecture slides
(https://course.cse.ust.hk/comp3632/comp3632-taint.pdf).
(e) (3pt) Can you use taint analysis to find format string vulnerability? If not, explain
why. If yes, try to define taint source and taint sink.


(f) (answer): Yes. The taint source would be user inputs and the taint sink would be any
function that takes a format string as input.
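
Added example for answers 1(f) and 2(f), not from the assignment or the lecture: a toy dynamic taint tracker in Python. `taint_source` marks user input as tainted, `printf_sink` is a printf-like sink that rejects a tainted format string while still allowing tainted arguments, and the taint bit follows the value through concatenation along the execution trace (all names are mine).

```python
class Val:
    """A program value carrying a taint bit that survives string operations."""
    def __init__(self, data, tainted=False):
        self.data, self.tainted = data, tainted
    def __add__(self, other):
        other = other if isinstance(other, Val) else Val(other)
        return Val(self.data + other.data, self.tainted or other.tainted)
    def __radd__(self, other):
        return Val(other) + self

def taint_source(user_input):
    # Taint source (answer 2(f)): every string the user supplies enters tainted.
    return Val(user_input, tainted=True)

class TaintedFormatString(Exception):
    pass

def printf_sink(fmt, *args):
    # Taint sink: a printf-style function. Tainted *arguments* are harmless
    # here; a tainted *format string* is the vulnerability from answer 1(f).
    if fmt.tainted:
        raise TaintedFormatString(repr(fmt.data))
    return fmt.data % tuple(a.data for a in args)

def echo_safe(user_input):              # like printf("%s", buf)
    return printf_sink(Val("%s"), taint_source(user_input))

def echo_unsafe(user_input):            # like printf(buf)
    return printf_sink(taint_source(user_input))

def echo_unsafe_indirect(user_input):   # taint survives the concatenation
    return printf_sink("[log] " + taint_source(user_input))

def dynamic_taint_check(fn, user_input):
    """Execute fn on one input and report whether tainted data hit the sink."""
    try:
        fn(user_input)
        return "clean"
    except TaintedFormatString:
        return "format string vulnerability"

if __name__ == "__main__":
    for fn in (echo_safe, echo_unsafe, echo_unsafe_indirect):
        print(fn.__name__, "->", dynamic_taint_check(fn, "hello"))
```

As with any dynamic analysis (answer 2(d)), the verdict covers only the paths the given input actually executes.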

3. (10pt) Side channel.

(a) (3pt) What are the three key components that form a side channel attack?
(b) (answer): mentioned in the lecture: 1) Secret-dependent program information flow,
2) the information flow affects the physical environment, and 3) the physical environment
is exploitable by an adversary.
(c) (3pt) Suppose a piece of software, when processing two private user images i and
j, arbitrarily accesses the first four cache lines (i.e., the cache lines it accesses are not
fixed). Would that count as a “cache side channel”? Explain your answer. Suppose the
attacker’s goal is to infer the content of both user images i and j, and the attacker
can precisely observe which cache lines have been accessed by this software.
(d) (answer): No. In our scenario, in general, a side channel describes input-dependent
cache access behavior. Our example, on the other hand, is NOT input dependent:
the cache accesses differ, but in an arbitrary way, so they cannot leak any
useful information.
(e) (4pt) Is it feasible to use taint analysis to detect software timing-based side
channel vulnerabilities? Please explain why.
(f) (answer):
Answer for yes: Yes, as you can use taint analysis to track how secrets affect the
execution paths (4 pt)
Answer for no: No. Because even if you can identify how secret may influence
execution paths, it is still unclear how long each path takes to execute. (4 pt)

4. (6pt) This problem deals with storing passwords in a file.

(a) (2pt) What is the problem with saving passwords in plaintext?
(b) (answer): (2pt) If the attacker gets the password file, he gets the passwords.
(c) (2pt) Compared to saving an encrypted version of the password file, what is the
advantage of saving only a hash of each password?
(d) (answer): (2pt) The key must be available, and if the attacker gets the file, he
probably gets the key as well. (Or: the password plaintext is still there, whereas a hash
can completely “eliminate” the password.)
(e) (2pt) What is a salt and why should a salt be used whenever passwords are hashed?
(f) (answer): (2pt) A salt is a random, non-secret value appended to a password
before it is hashed. Salting makes dictionary attacks much more difficult.
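
Added example for answers 4(b) to 4(f), not from the assignment: using Python's hashlib, a precomputed dictionary of hashes recovers a password from an unsalted hash instantly, while a per-user random salt (stored beside the hash, not secret) makes the precomputed table useless, even though each guess can still be tried per user at full hashing cost. The password list, record layout and function names are constructed by me.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an attacker's dictionary of common passwords.
DICTIONARY = ["password", "123456", "letmein", "s3cret"]
ITERATIONS = 50_000   # PBKDF2 work factor, chosen for the demo

def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password, salt):
    # The salt is mixed into every hash, so equal passwords give different hashes.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def make_record(password):
    """What the password file stores per user: a random salt plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_salted(password, salt)}

def verify(record, candidate):
    # No key is needed at verification time (contrast with encryption, answer 4(d)).
    return hmac.compare_digest(record["hash"], hash_salted(candidate, record["salt"]))

def precomputed_lookup(stolen_hash):
    # A table built once, before the file was stolen: works on unsalted hashes only.
    table = {hash_unsalted(p): p for p in DICTIONARY}
    return table.get(stolen_hash)

def per_user_guessing(record):
    # With a salt every guess must be rehashed for each user; the precomputed
    # table buys nothing, and a weak password is still found, just slowly.
    for guess in DICTIONARY:
        if verify(record, guess):
            return guess
    return None

if __name__ == "__main__":
    print(precomputed_lookup(hash_unsalted("s3cret")))   # s3cret
    record = make_record("s3cret")
    print(precomputed_lookup(record["hash"]))            # None
    print(per_user_guessing(record))                     # s3cret
```

The salt removes the one-table-for-everyone shortcut; only the hashing cost and the password's strength limit per-user guessing.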


5. (8pt) This problem deals with biometrics.

(a) (2pt) What is the equal error rate, how is it determined, and why is it useful?
(b) (answer): The error rate when the parameters of the biometric are adjusted
so that the fraud rate equals the insult rate. It’s useful for comparing different
biometrics.
(c) (2pt) A sonogram is a visual representation of sound. If you are going to develop
a reliable biometric based on voice recognition, what kinds of characteristics of
the sonograms might be useful for distinguishing speakers?
(d) (answer): (2pt) Statistics can be extracted from speech (spectral characteristics
of the voice), or any possible solution.
(e) (4pt) Give a possible attack against a voice-recognition biometric and a defense
against your proposed attack vector.
(f) (answer): (2pt) Spoofing/replay attack.
Defense: The system requires the user to read out a specific text for every authentication
session OR determines the legitimacy of the speech from its statistical characteristics,
or any possible solution.

6. (8pt) From a holistic perspective, the anomaly-based intrusion detection example
presented in the slides is based on file-use statistics.

(a) (2pt) List the advantages of an anomaly-based IDS, in contrast to a signature-based
IDS.
(b) (answer): Anomaly-based detection gives us a chance of detecting previously
unseen attacks.
(c) (2pt) Many other statistics could be used as part of an anomaly-based IDS. For
example, network usage would be a sensible statistic to consider. List four other
statistics that could reasonably be used in an anomaly-based IDS.
(d) (answer): commands issued, typing speed, mouse movements, versus activity,
time of use (open question; any reasonable answer gets full marks).
(e) (2pt) Why might it not be a good idea to combine several statistics rather than
relying on just a few?
(f) (answer): more statistics would make it slower, and it might also tend to give
more false alarms, since a legitimate user is more likely to vary from one of the
stats. (At least need to point out “cost”.)
(g) (2pt) Why might it be a good idea to combine several statistics rather than relying
on just a few?
(h) (answer): more statistics would give a clearer view of the user’s activity. (open
question)
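
Added example for question 6, not from the slides or the assignment: a simulation of the file-use statistic in the textbook's anomaly-detection example. I assume the textbook's score S = Σ (H_i − A_i)^2 / A_i over observed proportions H_i and expected proportions A_i, the alarm threshold 0.1, and the update A_i = 0.2 H_i + 0.8 A_i after each period; the access patterns are constructed. It shows why an intruder who changes behaviour abruptly is caught while one who drifts slowly is not.

```python
def score(H, A):
    """Deviation of observed file-use proportions H from the expected A."""
    return sum((h - a) ** 2 / a for h, a in zip(H, A))

def update(H, A, weight=0.2):
    """Move the long-term expectation toward the latest observation."""
    return [weight * h + (1 - weight) * a for h, a in zip(H, A)]

class FileUseDetector:
    def __init__(self, expected, threshold=0.1):
        self.A, self.threshold, self.alarms = list(expected), threshold, 0

    def observe(self, H):
        s = score(H, self.A)
        if s >= self.threshold:
            self.alarms += 1          # an alarm would be raised here
        self.A = update(H, self.A)    # the baseline adapts regardless
        return s

def simulate(expected, observations):
    """Return (number of alarms, list of per-period scores)."""
    det = FileUseDetector(expected)
    scores = [det.observe(H) for H in observations]
    return det.alarms, scores

# Constructed data: Alice's expected share of accesses over four file classes,
# and the pattern Trudy (the intruder) actually follows.
ALICE = [0.10, 0.40, 0.40, 0.10]
TRUDY = [0.10, 0.10, 0.40, 0.40]
# Trudy switches abruptly in a single period ...
ABRUPT = [TRUDY]
# ... or drifts from Alice's pattern to her own by 0.015 per period.
SLOW = [[0.10, 0.40 - 0.015 * k, 0.40, 0.10 + 0.015 * k] for k in range(1, 21)]

if __name__ == "__main__":
    print("abrupt:", simulate(ALICE, ABRUPT))   # alarm on the first period
    print("slow  :", simulate(ALICE, SLOW)[0], "alarms over 20 periods")
```

Because the baseline follows the observations, the slow drift keeps every period's score under the threshold even though Trudy ends at exactly the pattern that triggered the alarm in the abrupt case.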


7. (6 pt) Some network attacks (taught in the lecture) are currently being launched. Please
analyze and answer: 1) the type of attack, 2) how it works and 3) how to detect/prevent
it according to the description. You can assume that each scenario is under one attack.

(a) (3pt) You received reports from customer support that end users cannot place
orders. You look at the logs and find huge ping packets.
(b) (answer): Ping of death attack (1 point). This type of attack uses IP packets to
ping a target system and cause a denial of service. (Briefly mention how it
works, 1 point.)
Detect/prevent it: you can recognize this kind of attack by looking at the log.
Ping of death attacks can be prevented by using a firewall that checks
fragmented IP packets for maximum size. (Or any other reasonable answer) (1
point)
(c) (3pt) You find out the correct IP address and type it correctly, but still cannot
reach the website (or reach another website instead).
(d) (answer): ARP poisoning (1 point).
ARP poisoning is a technique by which an attacker sends (spoofed) Address Resolution
Protocol (ARP) messages onto a local area network. Generally, the aim is to
associate the attacker’s MAC address with the IP address of another host, such
as the default gateway, causing any traffic meant for that IP address to be sent
to the attacker instead. (1 point) If the ARP table contains two different IP addresses
that have the same MAC address, this indicates an ARP poisoning attack is taking
place.
To prevent it, for example, you can use static ARP entries. (Or any other reasonable
answer) (1 point).
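
Added example for the two scenarios in question 7, not from the assignment: the two detection checks in Python, a reassembled-size check for the firewall rule in answer 7(b) and the duplicate-MAC check from answer 7(d) over an `arp -a` style table. The fragment records and the ARP table are constructed, and fragment offsets are given in bytes for readability.

```python
import re
from collections import defaultdict

MAX_IP_PACKET = 65535   # largest legal IPv4 datagram, header included

def reassembled_sizes(fragments):
    """Largest end offset seen per IP identification value, in bytes.

    fragments: iterable of (packet_id, fragment_offset_bytes, payload_len).
    """
    end = defaultdict(int)
    for pkt_id, offset, length in fragments:
        end[pkt_id] = max(end[pkt_id], offset + length)
    return end

def detect_ping_of_death(fragments):
    # Firewall rule from answer 7(b): flag any fragment set whose reassembled
    # datagram would exceed the maximum IP packet size.
    return sorted(pid for pid, size in reassembled_sizes(fragments).items()
                  if size > MAX_IP_PACKET)

ARP_LINE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)

def detect_arp_poison(arp_table_text):
    # Check from answer 7(d): two different IP addresses sharing one MAC.
    ips_by_mac = defaultdict(set)
    for line in arp_table_text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            ips_by_mac[m.group(2).lower()].add(m.group(1))
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}

# Constructed samples; addresses come from the documentation range 192.0.2.0/24.
FRAGMENTS = [
    ("normal", 0, 1480), ("normal", 1480, 20),                        # 1500 B
    ("huge", 0, 1480), ("huge", 64000, 1480), ("huge", 65120, 500),   # 65620 B
]
ARP_TABLE = """\
gateway (192.0.2.1) at aa:bb:cc:dd:ee:01 [ether] on eth0
host-a (192.0.2.10) at aa:bb:cc:dd:ee:02 [ether] on eth0
host-b (192.0.2.20) at aa:bb:cc:dd:ee:01 [ether] on eth0
"""

if __name__ == "__main__":
    print(detect_ping_of_death(FRAGMENTS))   # ['huge']
    print(detect_arp_poison(ARP_TABLE))      # gateway's IP and host-b share one MAC
```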

8. (9pt) In this course, we discussed three types of firewalls: packet filter, stateful packet
filter, and application proxy.

(a) (3pt) What information is available to each of these firewalls? Please answer with
two types of information for each of these firewalls.
(b) (answer):
Packet filter: static information, for example IP, port number, protocols (any 2
out of these 3 OR any other possible solution)
Stateful packet filter: Everything for packet filter + TCP connections and ongoing
conversations
Application proxy: Everything for stateful packet filter + application data

(c) (3pt) An application proxy firewall is able to scan all incoming application data
for viruses. It would be more efficient to have each host scan the application data
it receives for viruses, since this would effectively distribute the workload among
the hosts. Why might it still be preferable to have the application proxy perform
this function?
(d) (answer):
From an administrative point of view, it is easier to make sure that one machine is
doing things correctly, as opposed to having to make sure that a bunch of machines
are all doing the right thing.
(e) (3pt) Suppose that a packet filter firewall resets the TTL field to 255 for each
packet that it allows through the firewall. Then the Firewalk port scanning tool
described in the lecture will fail. Why? Does this proposed solution create any
problems?
(f) (answer): The “time exceeded” messages are not sent out (2 pt). Well, in that
sense, the errant packets would circulate longer than they would otherwise (1pt).
If students answer “not a problem”, that is also fine.


Submission Instructions
All submissions should be done through the Canvas system. You should submit a pdf
document with your answers. It is important to name your files correctly. Please check out
the late submission policies on the course website (https://course.cse.ust.hk/comp3632)
in case you didn’t attend the first lecture.
