Paper Reading Questions

For each paper, your assignment is two-fold. By 10PM the evening before lecture:

  • Submit your answer for each lecture’s paper question (and own questions) via the submission web site in a file named lec[n].txt (e.g,, lec2.txt for the second lecture)

kint

First, ignoring range metadata, what constraint would KINT generate for the count variable in the code from Figure 3?

Second, how can you simplify the snippet of code in Figure 1 using the NaN integers as described in Section 7?

checksec

Do you have linux machines (perhaps TSO)? It’s time to know more about security-related configurations of your distributions. Download checksec.sh, and submit outputs of following commands:

$ lsb_release --all
...
$ ./checksec.sh --dir /sbin
...
$ ./checksec.sh --kernel
...
$ ./checksec.sh --proc-all
...

Also, how to interpret each output? anything surprising?

iworm

List up two potential reasons that may lead to over-estimation and under-estimation in the measurement?

srop

As discussed in previous lectures, we have a web server written as follows:

void read_req(void) {
  char buf[128];
  int i;
  gets(buf);
  i = atoi(buf);
}

The stack is non-executable (NX-enabled), and all address spaces are completely randomized (ASLR enabled with -fPIE, -pie). If the web server runs on a typical Linux/x86-64 machine, how can we create the SROP payload to spawn a shell? Write down your assumptions (if you have) and explain your SROP payload.

sfi

How can we translate (manually) the assembly code (below) with SFI described in p28-42? Write down your assumptions if you have.

; <main>::
0: call   read_req()

; <read_req>::
1: push   %ebp
2: mov    %esp -> %ebp
3: sub    132, %esp
4: lea    -128(%ebp) -> %eax
5: push   %eax
6: call   gets()
...
7: mov    %ebp -> %esp
8: pop    %ebp
9: ret

cfi

How can we translate (manually) the assembly code (below) with ICF proposed by the paper? Write down your assumptions if you have.

; <main>::
0: call   read_req()

; <read_req>::
1: push   %ebp
2: mov    %esp -> %ebp
3: sub    132, %esp
4: lea    -128(%ebp) -> %eax
5: push   %eax
6: call   gets()
...
7: mov    %ebp -> %esp
8: pop    %ebp
9: ret

poirot

You have a php application (as in Figure 3 in the paper).

  <?php
  function name($nm) {
-   return $nm;
+   return htmlspecialchars($_GET['name']);
  }

  if ($_GET['q'] == 'test') {
    $nm = ucfirst($_GET['name']);
    $s  = "Script ";
    $s .= $_SERVER['SCRIPT_URL'];
    $s .= " says hello to ";
    $s .= name($nm);
    echo $s;
  }
  ?>

Referring to the Figure 5, what is the generated template of below requests?

/script.php?q=test&name=alice
/script.php?q=test&name=bob
/script.php?q=test&name=<script>..</script>

And what’s the output of both original and patched code (see the patch above with +/- marked) when executing the generated template with all of above requests?

aslr

Q1: Is there any other architectures similar to Android’s Zygote mechanisms?

Q2: Is there any possibilities to further optimize the Dalvik’s memory usage in Morula?

iphone

Q1. evasi0n7 exploits 3 symlink vulnerabilities. Point out all and list up possible mitigation techniques from previous lectures.

Q2. Here are the binaries of the system daemons in iOS 7.1.2 (from iPad 4). Could you find a path from the lockdownd daemon to exploit the symlink vulnerability? Hint: find fchown(). You might want to use IDA to explore binaries.

xss

Go to this site and find out any kinds of XSS vulnerabilities. Please, don’t search the web.

maegis

Could you differentiate M-Aegis from other work that provides privacy guarantees such as Telegram (https://telegram.org)?

klee

KLEE uses a satisfiability (SAT/SMT) solver to implement symbolic execution. What would go wrong if KLEE did not use a SAT/SMT solver, and instead tried all branches? What would go wrong if KLEE just guessed randomly about what a symbolic value could be?

dns

Say, whenever you access a website, it records your information into its database (e.g., for auditing). But for testing, let’s consider below code snippet:

<php?
  $out = dns_get_record("yourdomain.com");
  $txt = $out[0]["txt"];
  mysql_query("UPDATE log SET detail='$txt'");
?>

Using nbtool, in particular by running dnsxss, how can you delete ‘log’ database? Please download and play with these tools before the class.

webhacking

How is your favorite web hacking technique from the slide? and why? what’s possible (practical) mitigation against it?

embassies

Do you really believe that Embassies can make our web more secure than now? Is there any new attack vector you can imagine in Embassies world? What are the major obstacles for Embassies to replace the current web (e.g., I cannot do X/Y/Z on Embassies)?

hails

What is the role of type system (language level confinement), OS-level and browser-level confinement? Can we safely host javascript applications (nodejs) instead of using Haskell? Could you find any existing web application that you can dramatically improve its security, privacy and features with Hails?

kbugs

Could you propose (or imagine) possible mitigation techniques against this kernel exploit, full-nelson.c?

cryptdb

Consider the following query:

SELECT SUM(GREATEST(salary, 100)) FROM employees;

The GREATEST(a, b) function returns the larger of a and b, so the above query returns the sum of all salaries in the employees table, rounding up any salaries below 100 to 100.

How could CryptDB rewrite this query to execute over encrypted data, using the encryption schemes described in the paper?

a11y

1. Find three OS-default accessibility features in any OS that is not exploited for the attacks in the paper. And then, specify that which of new path(s) is created by the feature (input, output, or both).

2. Attacks described in the paper requires to use the interface (clicking a button on the UIs, microphone, etc) that human user uses to launch the attacks. Hence, it could easily be discovered by the user when the attack is unfolding. Then, how the attacker could hide their attack from it?

ret2dir

Suppose we deployed one of mitigation techniques proposed by the ret2dir paper, so our kernel becomes free from any sorts of attacks? Can you think of any possible attack vectors to mount a local privilege escalation attack?

In other words, how can we mount full-nelson.c without returning to the userspace?

Please list up two questions regarding kernel exploits.

side-channel

This is a typical construction of a timing channel (timing.tar.gz).

_images/out.png 
$ tar zxvf timing.tar.gz
$ make
# require gnuplot
$ ./run.sh

How fine-grained could you tweak the given programs to send a bit from trojan to spy? Could you explain the source code of torjan.c and spy.c? and generate a similar graph?

haven

Do you think using haven is a secure way to use cloud? In specific, can we say running applications with haven is actually secure? Why? or why not?

What are the appropriate applications (examples) that can benefit from haven, any applications/services around you?

tor

Could you redesign tor to take advantage of Intel SGX (or Haven)? Do you think your new design can prevent the attack described in the spoiled onion paper?