# Exam 2: Final

## Solutions and Commentary

### Final Exam

Mean   =
Median = 15.1

[Histogram of final exam scores; horizontal axis from 0 to 30.]

### Total of Midterm and Final

mean   = 22.52
median = 21.9

[Histogram of combined midterm and final scores; horizontal axis from 8 to 42.]

### Homeworks 1 to 10

mean   = 43.88
median = 46.1

[Histogram of homework scores; horizontal axis from 26 to 52.]

### Total Scores

median = 65.8

[Histogram of total scores, each student marked G, U or E (U = undergrad liberal arts); horizontal axis from 44 to 96, with a letter-grade scale (B and A ranges, each with +/- subdivisions) beneath it.]

## Solutions and Commentary

1. Background: Starting over 30 years ago, computers began to replace mechanisms in slot machines. Today's slot machine is a general-purpose computer with a display screen, a credit-card reader or dollar-bill reader to charge for play, a touch screen for player input, a cash dispenser for jackpot payout, and a receipt printer for credit card transactions. Many of today's casino games are multifunction, allowing gamblers to pick from among a menu of games. Frequently, the games are networked to a server, so new games can be downloaded from the server. All credit card transactions are carried out on-line, and no gambler is allowed to use credit cards to place bets beyond their credit limit.

Gamblers, of course, would love to find a way to beat the posted odds and win jackpots on demand. Casino employees who discover weaknesses in the slot machines could exploit them or tell their friends how to exploit them. Employees of the game developers could do the same.

Casinos frequently lease slot machines (and the server to which they connect) from game vendors. Leases are generally for a share of the game profit. To support this, slot machines (and the server to which they connect) usually include accounting software.

Casinos can profit by understating the slot-machine profit in order to cut down their payments to the vendor. If a casino can rig a game to have a lower likelihood of a jackpot than advertised, they can increase their profit. Vendors sometimes offer to rig games for casinos in exchange for a share in the increased profit. Organized crime has a long history of involvement in the gambling industry. Millions of dollars are at stake, even in a small casino.

To keep casinos honest, state gambling regulators require that the posted odds of winning each game match the real odds. They both do experimental tests to verify this and inspect source code, object code and game mechanisms. The casino, in contrast, has no source code for any of the software involved. Auditors from the state also periodically visit casinos, unannounced, and seize machines to check that they have not been modified.

To prevent casinos from running unauthorized code on computerized slot machines, the state controls the ROM chip that is used to bootstrap each gambling machine. The code in this ROM computes and checks the cryptographic hash of the system it loads from the server, and it refuses to load code that does not match this hash. When auditors check a machine, they always check that the boot ROM contains the authorized content. Boot ROMs are only installed and replaced by state agents.

The vendor claims that the network connecting slot machines to the casino's server is never connected to the Internet, so they don't need to worry about security on this network or internal operating-system security on the slot machines or the server, aside from the security provided by the special state-owned boot ROM used on these machines.

a) Physical access is very important to all the questions that follow. Realistically, who has physical access to the slot machine, who has physical access to the server, and who has physical access to the network connecting them?

Gamblers, casino employees, and state auditors have access to slot machines in the casino, while vendor employees have access during manufacture and delivery.

Casino employees have access to the server in the casino, and vendor employees have access during manufacture and delivery.

Casino employees have access to the network infrastructure within the casino building. The physical security of slot machines is such that nobody else has access to the wires.

About 1/3 of the class did well here. Everyone earned at least partial credit.

b) Suppose one of the popular games supported by the slot machines had a buffer overflow vulnerability. Could this be exploited to steal money from gamblers? If so, how and by whom?

The most likely overflow vulnerability would be from the game's network port. The casino has access to the network, and could exploit this to force a bogus version of the game-select program into the slot machine. The bogus version would behave just like the real one, except that it would tinker with the games it loads from the server in a way that reduces the likelihood of a payout. This robs the gamblers and benefits both the casino and the vendor.

Only 1/8 of the class did well here, and 1/6 earned no credit. Typical errors that led to partial credit included forgetting to say who benefits, forgetting to say what input to the slot machine might be vulnerable, or forgetting to say how the attack works.

c) Suppose one of the popular games supported by the slot machines had a buffer overflow vulnerability. Could this be exploited to steal money from the casino? If so, how and by whom?

A casino employee could access the network to force code into the slot machine, just as above, but the code could include a secret knock by which a gambler playing the game could force a jackpot. The employee and gambler would typically share in the profit from this hack.

Only 1/15 did well here, and 1/6 earned no credit. The problems were similar to those above, compounded with strange ideas about entering a buffer overflow from the front panel of the slot machine. Buffer overflow attacks from a touch-screen are extraordinarily difficult to imagine. Buffer overflow attacks from a rigged credit card are a bit more plausible. Buffer overflow attacks from the public internet are very unlikely.

d) Suppose the server has a buffer overflow vulnerability. In the absence of vulnerabilities on the slot machines, could this be exploited to steal money? If so, by whom and from whom?

If the casino can use this vulnerability to mislead the accounting system in the server, the casino could mislead the vendor into thinking that the games were less profitable than they really were, thus allowing the casino to steal from the vendor. The attack could operate by blocking the recording of income from the slot machine, or by recording jackpots that did not actually get paid out.

1/8 of class gave good answers, and 1/3 earned no credit. The problems were as above, compounded with the idea that the server could somehow deliver incorrect games to the slot machine. It should have been clear from the background information given that the state does not trust the server and does everything it can to prevent the slot machine from running any applications not on the state's approved list, using cryptographically secure hashing to do this, not merely a list of approved applications by name.

e) The code in the boot ROM only has one cryptographic hash in it, yet the casino server contains multiple games. To deal with this, the boot ROM loads the game-select application, and once the player selects a game, the game select application loads and runs the appropriate game. What can the game-select application do to prevent loading of unapproved games?

The game-select application should include, within itself, the secure hash codes of each permitted game. If an attempt is made to load a game that has the wrong hash, the game select application should refuse to run it.

1/3 did well here, and an equal number earned no credit. Partial credit came for such suggestions as "maintain a white-list of permitted games" with no suggestion of how this white-list would be tested or enforced. Suggestions that relied on trusting the server were also penalized.

f) You, the game vendor, discover a cosmetic bug in one of your games. You fix it and send a copy to the casino, to be installed on their server. What other code must be changed (on the server or on the slot machine) to allow your repaired code to be run? The correct answer depends, in part, on your answer to part c.

The hash for the altered game must be changed in the game select application, and to permit the new game select application, the boot ROM must also be upgraded.

1/3 did well. An equal number earned no credit.
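The hash chain from parts e) and f), as an added example that is not part of the original exam: the boot ROM holds one hash (of game-select), and game-select holds one hash per approved game. SHA-256, the class names and the game images are assumptions made for illustration.

```python
import hashlib


def digest(code: bytes) -> str:
    """Secure hash of a code image (SHA-256 is this example's choice)."""
    return hashlib.sha256(code).hexdigest()


class GameSelect:
    """Game-select application with the approved game hashes built in."""

    def __init__(self, approved):
        self.approved = dict(approved)  # game name -> approved hash

    def image(self) -> bytes:
        # Constructed stand-in for the application's binary. The hash table
        # is part of the image, so changing any game hash changes the image.
        table = ";".join(f"{n}={h}" for n, h in sorted(self.approved.items()))
        return b"GAME-SELECT|" + table.encode()

    def load_game(self, name: str, server_copy: bytes) -> bool:
        """Return True only if the server's copy matches the approved hash."""
        return self.approved.get(name) == digest(server_copy)


class BootROM:
    """State-controlled ROM holding the single hash of game-select."""

    def __init__(self, game_select_hash: str):
        self.game_select_hash = game_select_hash

    def boot(self, image: bytes) -> bool:
        return digest(image) == self.game_select_hash


def update_chain():
    """Walk through a cosmetic fix to one game and report each check."""
    games = {"poker": b"poker build 1", "keno": b"keno build 1"}  # constructed
    select_v1 = GameSelect({n: digest(c) for n, c in games.items()})
    rom_v1 = BootROM(digest(select_v1.image()))
    fixed_poker = b"poker build 2 (cosmetic fix)"
    select_v2 = GameSelect({**select_v1.approved, "poker": digest(fixed_poker)})
    rom_v2 = BootROM(digest(select_v2.image()))
    return {
        "original game loads": select_v1.load_game("poker", games["poker"]),
        "altered game refused": not select_v1.load_game("poker", b"poker rigged"),
        "unlisted game refused": not select_v1.load_game("craps", b"craps"),
        "fixed game refused by old game-select":
            not select_v1.load_game("poker", fixed_poker),
        "new game-select refused by old ROM": not rom_v1.boot(select_v2.image()),
        "new ROM boots new game-select": rom_v2.boot(select_v2.image()),
        "fixed game loads under new game-select":
            select_v2.load_game("poker", fixed_poker),
    }


if __name__ == "__main__":
    for step, ok in update_chain().items():
        print(f"{'PASS' if ok else 'FAIL'}  {step}")
```

Nothing in either check consults the server for what is allowed; the server only supplies bytes, which is why a one-line cosmetic fix propagates all the way up to the ROM.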

g) The vendor is worried that the casino might interfere with the network to corrupt the accounting function. The casino could inject forged transactions into the network. What other attacks could the casino perpetrate?

Intercept transactions and alter their contents, or simply block delivery of selected transactions.

1/5 did well, 1/3 earned no credit. Partial credit was offered for one or the other of the above.

h) The vendor is worried that the casino might interfere with the network to corrupt the accounting function. Suggest how the vendor's code on the slot machine and server could defend itself against injection of forged transactions.

The vendor could:

a) Take advantage of the fact that the code is proprietary, known only to the vendor and state, not to the casino. This allows slot machines and the server code to share a secret key not known to the vendor, so all transactions could be encrypted using it.

b) The same considerations allow each slot machine to hold a secret key while the server holds their public keys.

c) There is no need to encrypt the content of the transaction. All that is needed to authenticate it is a keyed secure hash function, using secrets shared by the slot machine and the server as suggested in answer a).

1/3 did well, 1/3 earned no credit. Partial credit was given for solutions that were vague, but merely suggesting that the transaction be authenticated was not sufficient.
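Answer c) above as an added example, not part of the original exam: transactions travel in plaintext with a keyed hash (HMAC-SHA-256 here) computed under the shared secret. The per-machine sequence number goes beyond the answer as written and is an assumption added to cover the alter, block and replay cases from part g); the message fields, machine name and key are constructed.

```python
import hashlib
import hmac
import json


def payload_bytes(body: dict) -> bytes:
    # Canonical encoding so both ends hash exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(key: bytes, machine: str, seq: int, event: str, cents: int) -> dict:
    """Slot-machine side: attach a keyed hash to a plaintext transaction."""
    body = {"machine": machine, "seq": seq, "event": event, "cents": cents}
    tag = hmac.new(key, payload_bytes(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class AccountingServer:
    """Server side: verify the tag, then check per-machine sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = {}   # machine -> next expected sequence number
        self.missing = []    # (machine, seq) pairs that were never delivered
        self.ledger = []

    def receive(self, msg: dict) -> str:
        body = msg["body"]
        expected = hmac.new(self.key, payload_bytes(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(msg["tag"]).encode()):
            return "rejected: bad tag"
        machine, seq = body["machine"], body["seq"]
        want = self.next_seq.get(machine, 0)
        if seq < want:
            return "rejected: replay"
        self.missing += [(machine, n) for n in range(want, seq)]
        self.next_seq[machine] = seq + 1
        self.ledger.append(body)
        return "accepted" if seq == want else "accepted: gap"


def demo():
    key = b"constructed-demo-key-not-a-real-secret"
    server = AccountingServer(key)
    bet0 = seal(key, "slot-17", 0, "bet", 500)
    bet1 = seal(key, "slot-17", 1, "bet", 500)   # blocked: never delivered
    bet2 = seal(key, "slot-17", 2, "bet", 2500)
    # Altered in transit: amount changed, original tag kept.
    altered = {"body": {**bet2["body"], "cents": 25}, "tag": bet2["tag"]}
    # Forged without the key: the tag can only be guessed.
    forged = {"body": {"machine": "slot-17", "seq": 1, "event": "jackpot",
                       "cents": -100000}, "tag": "0" * 64}
    results = [server.receive(m) for m in (bet0, altered, forged, bet2, bet0)]
    return results, server.missing


if __name__ == "__main__":
    print(demo())
```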

i) The claim that there is no Internet connection is disingenuous (misleading). What network connections does this claim deliberately ignore?

If credit card transactions are being debited in real time and gamblers' credit limits are being enforced, there must be some kind of network connection to a credit-card service organization. It may not be an Internet connection, but it is an outside network connection that must be considered in any evaluation of the security of the system.

Also, game updates must be delivered to the casino's server somehow. The mechanism by which these are delivered may vary from physical delivery of storage media to some kind of network connection. Whatever mechanism is used could potentially be exploited as an attack vector.

Over half earned full credit, but 1/3 earned no credit.

j) Suppose gamblers using credit cards were required to buy tokens from the casino teller which they could then deposit in the gambling machines. Winnings would be paid in tokens that could then be taken to the teller and deposited in the credit card or converted to cash. What security problem(s) does this solve, and what problems does this create?

This introduced an air-gap between the credit-card network and the casino's internal network, thus defending the casino against attack from that network. It creates the risk of counterfeit tokens and therefore the need for token authentication.

1/3 earned full credit, while almost all of the remainder earned partial credit. Typical partial credit answers only covered the risk addressed by the air gap or the problem created, but not both.

2. Background: Consider the class stack and two instances of this class a and b. All stacks have methods push and pop, and a hidden representation rep that depends on the stack implementation. Users of stacks cannot determine the representation, and in fact, there may be multiple stack implementations (subclasses) using different implementations.

For mysterious reasons, you have decided that stacks are objects in a Unix-like file system. The push method pushes whatever it gets from standard input, and the pop method outputs what it pops to standard output. As a result, if s1 and s2 are the file names associated with stack objects, the following shell command would pop an element from s1 and push it onto s2 using the Unix shell's pipe mechanism to connect the output of the pop method to the input of the push method.

s1/pop | s2/push

Assume that you have written your own push and pop programs, and that you have created a file rep containing the representation of an empty stack that matches your code. Assume all of these are in your current directory.

a) Give the sequence of shell commands to create a new stack object mystack in your current directory. For this problem, do not worry about access rights on files. That comes next. (For a slight reduction in credit, use English, for example, say "make a directory named x" instead of "mkdir x")

mkdir mystack
cat emptystack >mystack/rep
ln push mystack/push
ln pop mystack/pop

Almost nobody did perfectly, and 1/3 earned no credit. By far the most common failure leading to partial credit involved small penalties for making copies of the push and pop routines instead of linking them. Wrong answers were dominated by those who did not understand that stack objects are represented by directories, something that was clearly and unambiguously implied by the problem statement.

b) What access rights should be set on your push and pop programs, in the form that the end user of the stack will execute? In all questions of access rights, assume that you are trying to maximize protection, that is, trying to minimize unnecessary access rights.

--s-----x

2/5 gave essentially this answer, 1/7 earned no credit.

c) What access rights should be set on the file rep in its final form?

rw-------

2/5 gave essentially this answer, 1/6 earned no credit.

d) I have a directory called ~dwjones/dropbox. What access rights should be set on mystack before it is put in dropbox?

rwx-----x

Note that, in this context, since the stack object is a directory, the x access right allows traversal of that directory but not listing of its contents.

Only 1/10 earned full credit, and 1/5 earned no credit. Students who did not understand the full implications of the fact that stack objects were directories obviously had difficulty.

e) I have a directory called ~dwjones/dropbox that you can write but not read. Give a command to put your stack object in my directory. ALSO: Would it have been possible for you to build the stack object in that directory, or is it necessary for you to build it first and then deposit it? Why?

mv mystack ~dwjones/dropbox

You must build it first, because you don't know that you have read or traverse access to my dropbox file.

1/6 did well, only a few earned no credit. By far the most common problems involved failure to understand that mystack is a directory and failure to answer the second half of the problem.

3. Background: HTTPS is the Secure Hyper-Text Transmission Protocol. It should be used whenever the content of a web page is sensitive, or whenever the content of a URL is sensitive -- note that when you fill in a web form, it is transmitted to the server as an extended URL.

SHTML is the Apache Server-side Hypertext Markup Language. SHTML web pages may contain directives that execute programs on the web server in order to generate web content, and they may contain directives that parameterize the web content with information about the client and with parameters that were included in the URL.

a) Explain why Diffie-Hellman key exchange is relevant to implementing HTTPS.

When a client tries to open an encrypted connection to a web server, they begin with no knowledge of each other and no support from a public key infrastructure. Diffie-Hellman key exchange allows them to create shared secret keys in this context.

1/4 did well, and 1/4 earned no credit. Merely defining Diffie-Hellman key exchange was sufficient for partial credit, but giving implementation detail was no substitute for explaining the problem it solved.

b) What kinds of security vulnerabilities would you expect to be created by SHTML?

It allows a broad range of injection attacks and buffer overflow attacks against the Unix commands that are executed. The best known of these are SQL injection attacks, but depending on how the server is configured, there could be many others.

1/5 did well, 1/3 earned no credit. Those who focused solely on SQL injection vulnerabilities earned partial credit.

c) Does using HTTPS protect against any of the vulnerabilities created by SHTML?

It does not protect against any of the attacks mentioned above. These are all attacks by the client against the server, and the secure channel from client to server created by HTTPS is irrelevant to defending against these attacks.

It does protect against eavesdropping, but that is not a vulnerability created by SHTML. Eavesdropping poses a threat with or without SHTML, although the added functionality of SHTML may make this threat more significant.

1/4 did well, 1/2 earned no credit. A remarkable number of students asserted that HTTPS solves all problems.

4. Background: Back to the casino! The slot machine manufacturer has had serious difficulty with people using counterfeit game tokens in their slot machines. They have decided to create a new generation game token technology. They call their new tokens e-tokens. An e-token looks and feels just like an old token, but it contains a small processor chip with a tiny flash memory and a short-range proximity antenna. Tokens have different values (white chips are \$1, red are \$5, blue are \$10, and so on).

Casino customers are likely to keep a few tokens as souvenirs, but some customers are the kind of people who might try to reverse engineer tokens, and some of those will have access to well equipped laboratories.

a) What security advantages does a smart token recognizer have that a wireless credit card recognizer does not have? Hint: Where is the credit card when it is being tested? Where is the token? Does this make a difference?

A smart token recognizer has physical possession of the token at the time it tests it. It can shut out eavesdropping on the testing transactions, and it can measure physical properties of the token such as weight and size. With a wireless smart credit card, the reader has no physical way to verify that an actual credit card is being used, nor can it prevent monitoring of the dialogue between the card and the reader.

1/6 did well, 1/4 earned no credit.

b) Describe a protocol that could be used to securely query a token to see if it is valid.

If each token contains a unique large integer, and tokens are invalidated immediately after verification, and the casino server maintains a database of valid tokens, and tokens are reprogrammed with numbers drawn from a cryptographically secure pseudorandom series, the casino is reasonably safe.

Other workable solutions include those based on building a public key infrastructure and having each key hold a private key, or using a nonce verification protocol to test that the secret integer in each token is the same as that in the database.

1/2 did well here, only a few earned no credit. 1/5 of the class gave answers that were based on one of the approaches suggested above but contained errors, while 1/4 of the class gave creative answers that might, with significant debugging, be reduced to something that could be made to work.
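One way to combine the pieces of the answer to 4b), as an added example that is not part of the original exam: a nonce check proves the token holds the secret in the database without transmitting it, the database entry is invalidated on acceptance, and reissued tokens get a fresh secret from a cryptographically secure generator. The serial number field, the HMAC-SHA-256 response function and all class names are assumptions.

```python
import hashlib
import hmac
import secrets


class EToken:
    """Chip in the token: holds a secret integer, never transmits it."""

    def __init__(self, serial: int, secret: bytes):
        self.serial = serial
        self.secret = secret

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()


class RecordedToken:
    """Counterfeit that can only repeat one response observed earlier."""

    def __init__(self, serial: int, captured: bytes):
        self.serial = serial
        self.captured = captured

    def respond(self, nonce: bytes) -> bytes:
        return self.captured


class Casino:
    def __init__(self):
        self.valid = {}  # serial -> (secret, value in dollars)

    def program(self, serial: int, value: int) -> EToken:
        """Teller side: write a fresh CSPRNG secret and record it."""
        secret = secrets.token_bytes(32)
        self.valid[serial] = (secret, value)
        return EToken(serial, secret)

    def accept(self, token) -> int:
        """Slot-machine side: return the credited value, 0 if rejected."""
        record = self.valid.get(token.serial)
        if record is None:
            return 0
        secret, value = record
        nonce = secrets.token_bytes(16)          # fresh for every query
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, token.respond(nonce)):
            return 0
        del self.valid[token.serial]             # invalidate immediately
        return value


def demo():
    casino = Casino()
    red = casino.program(serial=1001, value=5)   # constructed \$5 token
    replay = RecordedToken(1001, red.respond(b"nonce seen earlier"))
    clone = EToken(red.serial, red.secret)       # exact copy of the chip
    # Order: replayed response, genuine token, copy after redemption,
    # then the same serial reprogrammed with a new secret.
    return [casino.accept(replay), casino.accept(red), casino.accept(clone),
            casino.accept(casino.program(1001, 5))]


if __name__ == "__main__":
    print(demo())
```

Even a perfect copy of the chip is worth at most one redemption, because the database entry is gone once either the original or the copy has been accepted.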