Lab 1, 2, 3, 4, Mid and finals
CYBR 8410 – Distributed System Security
Midterm Exam (100 points)
Name: _________________________
NUID: _________________________
1. Design a scheme/protocol that fulfills the following requirements when entity A sends a message to entity B. (30 points)
· The message must be confidential during its transmission from A to B;
· B can detect any modification on the message during its transmission;
· B cannot claim that a message it forged itself was sent by A (non-repudiation);
· B can detect any replayed message from A (hint: timestamp or challenge).
2. It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Although those two characters are known to the attacker and need not be guessed, the salt still increases security. (20 points)
2.1. Assuming there are at most N accounts in the password file, how many bits do we need for the salt? (10 points)
2.2. Assuming that you have successfully answered 2.1 and understand the significance of the salt, here is another question. Wouldn't it be possible to completely thwart all password crackers by dramatically increasing the salt size to, say, 24 or 48 bits? (10 points)
3. Suppose we are designing an authentication system. Discuss which aspects we need to consider in this design. These aspects may include, but are not limited to, risk assessment (assurance level and impact level), the authentication method (password, biometric, or multi-factor authentication), the protocol, and potential attacks and their defenses. (30 points)
4. Describe what a DoS attack is. You may answer from aspects including, but not limited to, what resources the attacker needs, what resources are targeted, and which techniques can be used and how. (10 points)
5. What defenses are possible against the various types of DoS / DDoS attacks we have studied? You may answer from aspects including, but not limited to, detection, prevention, source tracing, and recovery. (10 points)
CYBR 8410 – Distributed System Security
Final Exam (100 points)
Name: _________________________
NUID: _________________________
1. Command injection attacks (30 pts)
1.1. Write a website that is vulnerable to command injection attacks. Upload your source code together with this document to Canvas and write down the filenames of your source code here. You are not allowed to use the code from our Lab Assignment 3. (10 pts)
1.2. Give an example of how to inject commands into your website. (10 pts)
1.3. What can you propose to defend against your command injection attack? Elaborate in detail, using your attack as the example. (10 pts)
2. XSS attacks (40 pts)
2.1. Write a website that is vulnerable to XSS attacks. Upload your source code together with this document to Canvas and write down the filenames of your source code here. You are not allowed to use the code from our Lab Assignment 3. (10 pts)
2.2. What type of XSS attack (reflected, stored, or DOM-based) have you written in the previous question? (5 pts)
2.3. Give an example of how to perform an XSS attack against your website. (5 pts)
2.4. Is the Same Origin Policy (SOP) able to defend against your XSS attack? Justify your answer (why or why not). (10 pts)
2.5. What can you propose to defend against your XSS attack? Elaborate in detail, using your attack as the example. (10 pts)
3. Firewall rules (based on a research paper we discussed in class) (30 pts)
The following is a set of rules on a firewall, evaluated in first-match order. Each rule is written as: action, protocol, source prefix, destination prefix.
1. deny tcp 10.1.10.10/25 any
2. accept udp any 192.168.10.0/24
3. deny tcp 10.1.10.192/25 any
4. deny udp 172.16.10.0/16 192.168.10.0/24
5. accept tcp 10.1.10.0/24 any
6. deny udp 10.1.10.0/24 192.168.0.0/16
7. accept udp 172.16.10.0/16 any
3.1. What is shadowing regarding firewall inconsistency? Does it exist in the rules above? If so, where is it? (10 pts)
3.2. What is generalization regarding firewall inconsistency? Does it exist in the rules above? If so, where is it? (10 pts)
3.3. What is correlation regarding firewall inconsistency? Does it exist in the rules above? If so, where is it? (10 pts)
Note: For the definitions of shadowing, generalization, and correlation among firewall rules, refer to the paper "Arguing About Firewall Policy" at http://www.sci.brooklyn.cuny.edu/~parsons/publications/conferences/comma12b.pdf
Note: 10.1.10.10/25 (and likewise 10.1.10.192/25) is a subnet of 10.1.10.0/24, and 192.168.10.0/24 is a subnet of 192.168.0.0/16. A prefix written with host bits set, such as 10.1.10.10/25 or 172.16.10.0/16, denotes the containing network (10.1.10.0/25 and 172.16.0.0/16 respectively).
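The pairwise relations the three sub-questions ask about can be checked mechanically. The script below is an added example, not part of the exam or of the referenced paper: it transcribes the seven rules, normalises the prefixes with Python's standard `ipaddress` module, and classifies every pair of rules using the common anomaly definitions (shadowing, generalization, correlation, plus redundancy for completeness). It assumes the course uses the same definitions as the Al-Shaer/Hamed taxonomy: a later rule is shadowed when it matches a subset of an earlier rule with a different action, generalizes an earlier rule when it matches a superset with a different action, and is correlated with it when the two only partially overlap with different actions.

```python
import ipaddress
from itertools import combinations

# Rule set from the exam, transcribed as (number, action, protocol, source, destination).
# The keyword "any" is treated as 0.0.0.0/0.
RULES = [
    (1, "deny",   "tcp", "10.1.10.10/25",  "any"),
    (2, "accept", "udp", "any",            "192.168.10.0/24"),
    (3, "deny",   "tcp", "10.1.10.192/25", "any"),
    (4, "deny",   "udp", "172.16.10.0/16", "192.168.10.0/24"),
    (5, "accept", "tcp", "10.1.10.0/24",   "any"),
    (6, "deny",   "udp", "10.1.10.0/24",   "192.168.0.0/16"),
    (7, "accept", "udp", "172.16.10.0/16", "any"),
]


def net(spec):
    """Parse a prefix. strict=False drops the host bits, so 10.1.10.10/25 becomes
    10.1.10.0/25 and 172.16.10.0/16 becomes 172.16.0.0/16, which is how a
    firewall interprets such prefixes."""
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def contains(rule_a, rule_b):
    """True if every packet matched by rule_b is also matched by rule_a."""
    _, _, proto_a, src_a, dst_a = rule_a
    _, _, proto_b, src_b, dst_b = rule_b
    return (proto_a == proto_b
            and net(src_b).subnet_of(net(src_a))
            and net(dst_b).subnet_of(net(dst_a)))


def disjoint(rule_a, rule_b):
    """True if no packet can match both rules."""
    _, _, proto_a, src_a, dst_a = rule_a
    _, _, proto_b, src_b, dst_b = rule_b
    return (proto_a != proto_b
            or not net(src_a).overlaps(net(src_b))
            or not net(dst_a).overlaps(net(dst_b)))


def classify(earlier, later):
    """Anomaly between an earlier rule and a later one under first-match order.

    Assumed definitions (Al-Shaer/Hamed taxonomy):
      shadowing      later rule matches a subset of the earlier rule, different action
      generalization later rule matches a superset of the earlier rule, different action
      correlation    the rules partially overlap, different action
      redundancy     subset or superset relation, same action
    Returns None when the rules are disjoint or overlap with the same action.
    """
    if disjoint(earlier, later):
        return None
    same_action = earlier[1] == later[1]
    later_in_earlier = contains(earlier, later)
    earlier_in_later = contains(later, earlier)
    if later_in_earlier or earlier_in_later:
        if same_action:
            return "redundancy"
        return "shadowing" if later_in_earlier else "generalization"
    return None if same_action else "correlation"


def analyze(rules):
    """Return (anomaly, earlier rule number, later rule number) for each anomalous pair."""
    findings = []
    for earlier, later in combinations(rules, 2):
        kind = classify(earlier, later)
        if kind:
            findings.append((kind, earlier[0], later[0]))
    return findings


if __name__ == "__main__":
    for kind, earlier_no, later_no in analyze(RULES):
        print(f"{kind:14} rule {later_no} relative to earlier rule {earlier_no}")
```

Running it reports rule 4 shadowed by rule 2 (every UDP packet rule 4 would deny is already accepted by rule 2, so rule 4 never fires), rule 5 generalizing rules 1 and 3 and rule 7 generalizing rule 4 (the later, broader rule reverses the action for traffic outside the earlier rule's range), and rules 2 and 6 correlated (each matches some packets the other does not, and which action wins depends on ordering). Rules 2 and 7 also overlap partially but share the same action, so they are not flagged.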