• No results found

Security 29 June 2015

N/A
N/A
Info
Downloaden
Protected

Academic year: 2021

Share "Security 29 June 2015"

Copied!
5
0
0

Bezig met laden.... (Bekijk nu de volledige tekst)

Download het nu ( 5 pagina )

Hele tekst

(1)

Security

29 June 2015

• This exam consists of two parts:

(1) eight short questions, worth 5 points each and

(2) one problem consisting of five parts, worth 10 points each.

The final grade is calculated as (P ointsAttained + 10)/10.

• Mark every page with your name and student number.

• You are not allowed to use a calculator, books, notes, nor other additional material.

• Do not use pencil or red ink.

• Answer in English. Encrypted answers are not accepted!

1 Short Questions (40 points: 8 × 5 points)

Answer all of the questions below. Make sure you answer all parts of each question.

1. What is the ‘glue’ in a DNS response? Why is it necessary? Provide a (simple) example of a query and a response which involves glue. (Make sure to include the record types.)

2. A user can be authenticated based on something they know, such as a password or PIN. What are the 3 other categories/factors which can be used to authenticate someone? Provide an example of each of them.

3. Give four examples of (substantially different) techniques which might be used for defense-in-depth of a web server, and (briefly) explain what they each defend against.

4. What does it mean for a cryptosystem to be ‘Shannon secure’ ? Can a public-key cryptosystem be Shannon secure? What about one based on one-time pads?

5. What is meant by the same-origin policy? (Provide an example of two different origins.) Where is it used? Does it provide protection against related-path attacks?

6. Give an example of three (different) types of web server misconfigurations which could leak informa- tion which might be useful to an attacker.

7. In a threat model, what is a ‘use scenario’ ? Provide an example of a supported use and an unsup- ported use.

8. How is the secret key calculated, using the Diffie-Hellman key exchange method? Does this help against a man-in-the-middle attack?

(2)

2 Problem 1: Code Review (50 points: 5 × 10)

The source code on the next 3 pages (Listing 2) contains 5 different vulnerabilities. You have to find them (by reviewing the code), and for each of the 5 vulnerabilities, answer the following questions:

1. Name the vulnerabilty, and provide a short description. [2pt]

2. Explain (briefly) why the vulnerability is a problem. [1pt]

3. Specify where the problem is located in the code. [1pt]

4. Explain why the code has this vulnerability. [1pt]

5. Describe how the vulnerability could be exploited by an attacker. [2.5pt]

6. Explain how the vulnerability could be prevented by changing the code. [2.5pt]

The code is responsible for the checkout process for a webstore. It has to compute the total amount that a customer has to pay, and verify the payment information they provide.

It is written in JavaServer Pages (JSP), which is a technology which is used to dynamically generate HTML webpages (similar to PHP) using Java code. The scripts are enclosed in delimiters. The delimiters <% ... %> contain a fragment of Java code that is executed when the page is requested.

(The delimiters <%@ ... %> are only used below to import the Util class.)

You are only being asked to do a security review; you can ignore any other problems with the code.

You should consider both what is present in the code, as well as anything which might be missing, but you can ignore any problems outside the scope of this code (for example, there is no need to consider DoS attacks, nor server misconfigurations).

The rest of this page contains an example. Turn to the next page to see the code you should review.

For example, Listing 1 contains some vulnerable C code (you don’t have to understand it):

Listing 1: Example (this is not the code you should review) 1 int main ( int argc , char ** argv ) {

2 char * name [16];

3

4 if ( argc != 2) return 1;

5 strcpy ( name , & argv [1]);

6 printf ( " Hello % s !\ n " , name );

7 return 0;

8 }

And here is an example answer for one vulnerability (remember, you must discuss all 5):

1. The listing contains a buffer-overflow vulnerability, which is a vulnerabilty that allows an at- tacker to write data beyond the bounds of an array and overwrite adjacent memory locations.

These adjacent memory locations can hold sensitive information that allows an attacker to com- promise the execution of the application or modify the behavior in application specific ways.

2. An attacker can craft an input, passed as the first argument, that overwrites the return address with an attacker specified address. This allows the attacker to redirect the execution when the main function returns and can result in arbitrary code-execution.

3. The vulnerability is introduced by the unsafe function strcpy , located on line 5, that doesn’t perform bounds checking.

4. The vulnerability can be patched by using the safer strncpy function. The strcpy(name, &argv[1]) function should be replaced by strncpy(name, &argv[1], sizeof(name) - 1) followed by name[sizeof(name) - 1] = ’\0’, because strncpy doesn’t NUL terminate the destination if the source string is greater than or equal to the length of the argument!

(3)

Listing 2: JSP code to be reviewed 1 <% @ page import = " work . security - home . Utils " >

2 3 <%!

4 public String decrypt ( String data ) {

5 Cipher cipher = Cipher . getInstance ( " AES / ECB / PKCS5PADDING " );

6 SecretKeySpec secretKey = new SecretKeySpec ( SECRET_KEY , " AES " );

7 cipher . init ( Cipher . DECRYPT_MODE , secretKey );

8 return new String ( cipher . doFinal ( Base64 . decodeBase64 ( data )));

9 }

10

11 /*

12 The session is stored in encrypted form in a cookie with the 13 following format :

14

15 username = STRING & password = STRING & mode = STRING 16

17 The password is stored using the unix password scheme .

18 The mode can be either the string production or development , which

19 allows developers to test the code by skipping the creditcard processing .

20 */

21 public Hashtable < String , String > getSession () { 22 Cookie [] cookies = request . getCookies ();

23 if ( cookies != null ) {

24 for ( int i = 0; i < cookies . length ; i ++) {

25 if ( cookies [ i ]. getName (). equals ( " session " )) {

26 String rawSession = decrypt ( cookies [ i ]. getValue ());

27 return Utils . parseSession ( rawSession );

28 }

29 }

30 }

31 return null ;

32 }

33

34 public String escapeDbParam ( String s ) { 35 String escape = " \ x00 \ n \ r \\ ’\"\ x1a " ; 36

37 for ( int i = 0; i < escape . length (); i ++) {

38 s = s . replace ( escape . charAt ( i ) , " \\ " + escape . charAt ( i ));

39 }

40

41 return s ;

42 }

43

44 public boolean isAuthentic at e d () {

45 Hashtable < String , String > session = getSession ();

46 String fmt = " SELECT * FROM users WHERE "

47 + " username = ’%1 s ’ AND password = ’%2 s ’" ; 48 String query = String . format ( fmt ,

49 session . get ( " username " ) ,

50 session . get ( " password " ));

51

52 ResultSet rs = Utils . executeQuery ( query );

53

54 return Utils . getRowCount ( rs ) == 1;

55

56 }

57 58

(4)

60 public int getDiscount ( String coupon ) {

61 String fmt = " SELECT * FROM coupons WHERE coupon = ’%1 s ’" ; 62 String query = String . format ( fmt , escapeDbParam ( coupon ));

63 ResultSet rs = Utils . executeQuery ( query );

64

65 if ( Utils . getRowCount ( rs ) == 1) { 66 rs . getInt ( " discount " );

67 }

68

69 return 0;

70 }

71

72 public int computeTot al A mo u nt () {

73 int amount = Utils . toInt ( request . getParameter ( " amount " ));

74 int donations = Utils . toInt ( request . getParameter ( " donations " ));

75 int discount = getDiscount ( request . getParameter ( " coupon " ));

76

77 int total = amount + donations - discount ; 78

79 // To prevent a negative total amount ( which happens if the 80 // discount > amount + donations ) , we return 0 in that case .

81 if ( total < 0 )

82 return 0;

83 else

84 return total ;

85

86 }

87

88 public String escapeShell P ar am ( String s ) { 89 String escape = " &| > <*? ‘ $ (){}[]!# " ; 90

91 for ( int i = 0; i < escape . length (); i ++) {

92 s = s . replace ( escape . charAt ( i ) , " \\ " + escape . charAt ( i ));

93 }

94

95 return s ;

96 }

97

98 public inDebugMode () {

99 Hashtable < String , String > session = getSession ();

100 if (! session ) reponse . sendRedirect ( INTERNAL_E R RO R _P A GE );

101

102 String mode = session . get ( " mode " );

103 if ( mode . equals ( " development " )) return true ;

104 return false ;

105 }

106 107 108 109 110 111 112 113 114 115 116 117 118 119

(5)

121 public boolean isValidCC () {

122 // Skip verification if we are in debug mode . 123 if ( inDebugMode ()) return true ;

124

125 String cardNumber = request . getParameter ( " cardnumber " );

126 String expirationDat e = request . getParameter ( " expirationdat e " );

127 String issuer = request . getParameter ( " issuer " );

128 String cvv = request . getParameter ( " cvv " );

129 String firstname = request . getParameter ( " firstname " );

130 String lastname = request . getParameter ( " lastname " );

131

132 // Because the Luhn algorithm implementatio n we have created isn ’t 133 // yet fully tested , we use our legacy CC verification tool to perform 134 // the validation

135 String fmt = " ccvalidate ’%1 s ’ ’%2 s ’ ’%3 s ’ ’%4 s ’ ’%5 s ’ ’%6 s ’" ; 136

137 // Since we do not trust the users input , escape the string we are 138 // going to execute !

139 String command = String . format ( fmt ,

140 escapeShellP a ra m ( cardNumber ) ,

141 escapeShellP a ra m ( expirationDat e ) ,

142 escapeShellP a ra m ( issuer ) ,

143 escapeShellP a ra m ( cvv ) ,

144 escapeShellP a ra m ( firstname ) ,

145 escapeShellP a ra m ( lastname );

146

147 // This executes the command on the ( UNIX ) host machine . 148 Runtime rt = Runtime . getRuntime ();

149 Process p = rt . exec ( command );

150

151 // When the ccvalidate tool returns 0 , the cc is valid . 152 return p . waitFor () == 0;

153 }

154

155 public void performChec ko ut () {

156 // First , check if we are authenticated . 157 if (! isAuthentica te d ()) {

158 reponse . sendRedirect ( LOGIN_PAGE );

159 }

160

161 // Then , verify the provided creditcard information . 162 if (! isValidCC ()) {

163 reponse . sendRedirect ( INVALID_CC_P A GE );

164 }

165

166 // Finally if we are autenticated and provided valid CC 167 // information , finalize the checkout .

168 int amount = computeTot a lA m ou n t ();

169 finalizeCh ec ko u t ( amount );

170 }

171

172 performChec ko ut ();

173 } 174 % >

175

176 < html >... </ html >

Referenties

Download het nu ( PDF - 5 pagina - 66.54 KB )

GERELATEERDE DOCUMENTEN

What you see is what you get!?

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of

3. Does there any problems taken place when you conduct performance appraisal in the Chinese context?

Based on you mentioned previously, do these common criteria can be applied at the Dutch operations in the Chinese context?. Are you familiar with the Chinese

Click as Fast as You Can:

H 3 Watching an online video ad on a touch-based device (vs. non-touch-based devices) positively affects the customer’s probability to skip

Can changing what you eat SAVE THE PLANET?

vegetarian or eschew red meat choose their diet on the grounds of ethics (intensive farming, animal welfare) or health (high blood

Het Meerjarenplan Verkeersveiligheid, Meningen en verwachtingen

Het systeem moet niet allen veilig zijn voor diegenen die zich erin bevinden, maar ook voor diegenen die aarzelen ervan gebruik te maken omdat het onveilig

GENT CONGRES - WHAT WE CAN DO FOR YOU?

Founded by the city of Ghent, the province of East Flanders, the Ghent division of the Ho.Re.Ca Federation and the University of Ghent, Gent Congres represents all parties

You can’t be what you can’t see

The group focuses on the importance of diversity and inclusion in the faculty by showing the strength of having diversity in characteristics and traits in the workplace, how

Can Istanbul be as competitive as Paris in the context of regional development process? : which lessons can be drawn?

After concluding the first chapter by a literature review about regional competitiveness, in Chapter 2, Paris (Ile de France) will be taken under focus as it is the second leading