Page 1

1) What is strong collision resistance

Strong collision resistance is a property of cryptographic hash functions. It means that it is computationally
infeasible to find any two distinct inputs, x and y, such that the hash function produces the same hash
value for both inputs (H(x) = H(y)). This property is important for ensuring data integrity and
security in various cryptographic applications.
2) In SSL protocol, explain the role of "change cipher spec control"
The change cipher spec protocol in SSL and TLS is used to signal the transition in ciphering strategies
during the handshake process. When this message is sent, it indicates that all subsequent data sent between
the client and server will be encrypted using the negotiated keys and algorithms. It essentially marks the
end of the SSL/TLS handshake phase and the beginning of the encrypted session.
3) Suppose that Alice chooses for an RSA system the primes p = 23 and q = 17, and the public key
e = 7. Encrypt the plaintext M = 15.
n = p x q = 23 x 17 = 391
φ(n) = (p - 1)(q - 1) = 22 x 16 = 352
e = 7, M = 15, hence
C = M^e mod n = 15^7 mod 391
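An added worked example (not part of the original answer) that carries the computation through with the question's values: square-and-multiply for 15^7 mod 391, the private exponent d = e^-1 mod φ(n) via extended Euclid, and a decryption check that recovers M.

```python
# Textbook RSA worked through for p = 23, q = 17, e = 7, M = 15.
# Added example for these notes; not part of the original answer.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def modinv(a, m):
    """Inverse of a modulo m; fails if gcd(a, m) != 1 (e must be coprime to phi)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse mod {m}")
    return x % m

def modpow(base, exp, mod):
    """Square-and-multiply: computes 15^7 mod 391 without large intermediates."""
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

def rsa_keypair(p, q, e):
    """Return (n, phi, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return n, phi, d

def rsa_encrypt(m, e, n):
    return modpow(m, e, n)

def rsa_decrypt(c, d, n):
    return modpow(c, d, n)

if __name__ == "__main__":
    n, phi, d = rsa_keypair(23, 17, 7)   # n = 391, phi = 352, d = 151
    c = rsa_encrypt(15, 7, n)            # 15^7 mod 391
    print(f"n={n} phi={phi} d={d} C={c} recovered M={rsa_decrypt(c, d, n)}")
```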
4) Compare signature based and behavior based virus detection

• Signature based virus detection: This method involves scanning files and comparing their contents
to a database of known virus signatures. It is effective against known viruses but cannot detect new or
unknown viruses that do not match any existing signature.

• Behavior based virus detection: This method monitors the behavior of programs in real-time to
identify suspicious activities that are characteristic of malicious behavior, such as modifying system
files or sending data to unknown servers. It can detect new and unknown viruses based on their actions
but may generate false positives if legitimate programs exhibit similar behavior.

5) What is a sandbox? How does it work, and why do we use it

A sandbox is a security mechanism for separating running programs to prevent malware or harmful code
from affecting the rest of the system. It works by creating a controlled, isolated environment where code
can be executed and tested without risking harm to the host system.
Sandboxes are used to analyze and run untrusted programs safely, test software, and detect malicious
behavior by providing a safe space where the code's actions are contained and monitored.
6) What are some strategies that can be used to prevent or mitigate DoS attacks? How effective are
these strategies, and what are some limitations or trade-offs to consider?

• Rate Limiting: Restricts the number of requests a user can make to a service, helping to prevent
overwhelming the server. This is effective but can limit legitimate high-volume users.

• Firewalls and intrusion detection systems: These can filter and block malicious traffic before it
reaches the server. They are effective for known attack patterns but may struggle with
sophisticated or new attack methods.

• Redundancy and load balancing: Distributing traffic across multiple servers can help manage
high traffic volumes. This improves resilience but requires more resources and can be costly.

• Blackholing and sinkholing: Redirecting malicious traffic to a null route or a specialized
server to absorb the attack. While effective in handling traffic, it can inadvertently block
legitimate traffic if not carefully managed.

Page 2
1) List and explain two methods used by virus-writers to hide from anti-virus programs
1. Polymorphic code: virus-writers use polymorphic code to change the virus's appearance each time it
infects a new system. The virus encrypts its code with a different encryption key each time, making it
difficult for signature-based anti-virus to detect it.
2. Metamorphic Code: Unlike polymorphic code, which changes the appearance of the code,
metamorphic code actually changes its internal structure and logic. The virus rewrites its own code each
time it infects a new host, creating different versions of itself, thus evading detection by anti-virus
software.
2) Given the following code:

#include <stdio.h>
#include <string.h>

void MyFunction(char *input) {
    char buffer[10];
    strcpy(buffer, input);                  /* no length check: the overflow discussed below */
    printf("Buffer content: %s\n", buffer);
}

int main() {
    char name[256];                         /* fixed-size storage; the original used an uninitialized pointer */
    printf("Enter your name: ");
    fgets(name, sizeof(name), stdin);       /* fgets needs a size and a stream */
    MyFunction(name);
    return 0;
}
a) Can an attacker craft a malicious input that overflows the buffer and overwrites other parts of
the program's memory? If so, what areas of memory can be overwritten, and what are the potential
consequences? Draw the stack before and after reading the variables.
Yes, an attacker can craft a malicious input that overflows the buffer. Since 'buffer' is only 10 bytes, any
input longer than 10 bytes will cause a buffer overflow, potentially overwriting adjacent memory
locations, such as the return address or other variables on the stack. This can lead to arbitrary code
execution or crashing the program.

Before Overflow:

| Address | Data        |
|---------|-------------|
| ...     | ...         |
| High    | Return Addr |
|         | Local vars  |
|         | buffer[9]   |
|         | buffer[8]   |
|         | buffer[7]   |
|         | buffer[6]   |
|         | buffer[5]   |
|         | buffer[4]   |
|         | buffer[3]   |
|         | buffer[2]   |
|         | buffer[1]   |
|         | buffer[0]   |
| Low     | ...         |

After Overflow:

| Address | Data        |
|---------|-------------|
| ...     | ...         |
| High    | Attack Code |
|         | Overflow    |
|         | buffer[19]  |
|         | buffer[18]  |
|         | buffer[17]  |
|         | buffer[16]  |
|         | buffer[15]  |
|         | buffer[14]  |
|         | buffer[13]  |
|         | buffer[12]  |
|         | buffer[11]  |
|         | buffer[10]  |
|         | Attack Code |
| Low     | ...         |

b) How could the program be modified to prevent buffer overflow attacks in MyFunction?
The program can be modified by using safer functions such as 'strncpy', which allows the maximum number of
characters to be specified. Another option is to use 'fgets' with a size limit to ensure the input does not
exceed the buffer size.

void MyFunction(char *input) {
    char buffer[10];
    strncpy(buffer, input, sizeof(buffer) - 1);  /* copy at most 9 characters */
    buffer[sizeof(buffer) - 1] = '\0';           /* ensure null termination; strncpy does not guarantee it */
    printf("Buffer content: %s\n", buffer);
}
c) How could the program be tested to ensure that it is secure against buffer overflow attacks?
What do we call this type of testing?
The program can be tested using fuzz testing, where random and unexpected data is input to the program
to discover vulnerabilities such as buffer overflows. Additionally, static analysis tools can be used to analyze
the code for potential security flaws without executing it.

3) What is the purpose of adding NOP operations before or after shellcode in a buffer overflow
attack?
The purpose of adding NOP (No Operation) operations before or after shellcode in a buffer overflow attack
is to create a "NOP sled". This makes it easier for the execution flow to reach the shellcode, as the
instruction pointer (IP) can land anywhere within the NOP sled and slide down to execute the shellcode.
This increases the likelihood of the attack succeeding.

4) What is the difference between a virus and a worm? How do these types of malware propagate?

| Aspect      | Virus | Worm |
|-------------|-------|------|
| Difference  | A virus attaches itself to a host file or a program and requires human action (such as running the infected program) to spread. It can replicate itself and spread to other files or programs on the same computer. | A worm is standalone malware that can self-replicate and spread across networks without human intervention. Worms exploit vulnerabilities in network protocols to propagate. |
| Propagation | Spreads by infecting files or programs that are shared or transmitted between systems. | Spreads autonomously over networks by exploiting security vulnerabilities, often causing network congestion and system damage. |
Page 3

5) Suppose you are the network administrator for a small company that has recently installed a
firewall to protect its internal network from external threats. The firewall has two interfaces, one
connected to the Internet, and one connected to the internal network. You have been tasked with
configuring the firewall to allow only necessary traffic to pass through, both inbound and
outbound. The following table shows the current rules for the firewall:

| Direction | Protocol | Source IP      | Source Port | Destination IP | Destination Port | Action |
|-----------|----------|----------------|-------------|----------------|------------------|--------|
| Inbound   | TCP      | Any            | Any         | 192.168.0.1    | 80               | Allow  |
| Inbound   | UDP      | Any            | Any         | 192.168.0.1    | 53               | Allow  |
| Outbound  | TCP      | 192.168.0.0/24 | Any         | Any            | Any              | Allow  |
| Outbound  | UDP      | 192.168.0.0/24 | Any         | Any            | Any              | Allow  |

a) Explain the first rule:


The first rule in the firewall configuration allows inbound TCP traffic from any source IP and any source
port to the internal IP address '192.168.0.1' on port 80. This rule is typically used to allow HTTP traffic
(Web server requests) to enter the internal network.

b) Are there any potential security risks or vulnerabilities in the current firewall rules? How could
the rules be modified to improve security while still allowing necessary traffic to pass through?
Yes, there are security risks:
- Overly permissive rules: The inbound rules allow traffic from any source IP address. This can
expose the internal network to attacks from any external source.
- No restrictions on outbound traffic: The outbound rules allow all TCP and UDP traffic from the
internal network to any destination. This could be exploited if a device inside the network is
compromised, allowing the attacker to exfiltrate data.

Modifications to improve security:
- Restrict source IPs for inbound traffic
- Implement specific outbound rules
- Enable logging and monitoring
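As an added example (not part of these notes), the rule table from the question evaluated as a first-match packet filter with an implicit default deny, beside one constructed tightening of the outbound rules; the sample addresses and the tightened rule set are assumptions for illustration, not from the question.

```python
import ipaddress

ANY = "Any"

def _match(field, value):
    """A rule field matches a packet value; 'Any' matches all, a CIDR matches by network."""
    if field == ANY:
        return True
    if "/" in str(field):
        return ipaddress.ip_address(value) in ipaddress.ip_network(field)
    return str(field) == str(value)

def evaluate(rules, pkt):
    """First-match evaluation; a packet matching no rule hits the implicit default deny."""
    for direction, proto, src, sport, dst, dport, action in rules:
        if (direction == pkt["dir"] and proto == pkt["proto"]
                and _match(src, pkt["src"]) and _match(sport, pkt["sport"])
                and _match(dst, pkt["dst"]) and _match(dport, pkt["dport"])):
            return action
    return "Deny"

# The four rules exactly as listed in the question.
CURRENT_RULES = [
    ("Inbound",  "TCP", ANY, ANY, "192.168.0.1", 80, "Allow"),
    ("Inbound",  "UDP", ANY, ANY, "192.168.0.1", 53, "Allow"),
    ("Outbound", "TCP", "192.168.0.0/24", ANY, ANY, ANY, "Allow"),
    ("Outbound", "UDP", "192.168.0.0/24", ANY, ANY, ANY, "Allow"),
]

# Constructed tightening of the outbound side (one reading of "implement specific
# outbound rules"): only web and DNS may leave; the inbound rules are kept as-is.
TIGHTENED_RULES = CURRENT_RULES[:2] + [
    ("Outbound", "TCP", "192.168.0.0/24", ANY, ANY, 443, "Allow"),
    ("Outbound", "TCP", "192.168.0.0/24", ANY, ANY, 80, "Allow"),
    ("Outbound", "UDP", "192.168.0.0/24", ANY, ANY, 53, "Allow"),
]

# Constructed packets (documentation-range addresses): a normal web request in,
# and a compromised internal host pushing data out to an arbitrary high port.
WEB_IN = {"dir": "Inbound", "proto": "TCP", "src": "203.0.113.7", "sport": 51000,
          "dst": "192.168.0.1", "dport": 80}
EXFIL_OUT = {"dir": "Outbound", "proto": "TCP", "src": "192.168.0.50", "sport": 40000,
             "dst": "198.51.100.9", "dport": 4444}

if __name__ == "__main__":
    for name, rules in (("current", CURRENT_RULES), ("tightened", TIGHTENED_RULES)):
        print(f"{name:9s} web-in={evaluate(rules, WEB_IN)} exfil-out={evaluate(rules, EXFIL_OUT)}")
```

Under the current rules the outbound exfiltration packet is allowed; under the tightened set it falls through to the default deny while the inbound web request is still permitted.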
6. Given the following scenarios, choose between a firewall, proxy, bastion host, or antivirus:
(5 points)

| Scenario | Security Solution |
|----------|-------------------|
| A company wants to protect its internal network from external threats. | Firewall |
| A company wants to control access to specific web resources and restrict access to certain websites. | Proxy |
| A company wants to provide secure remote access to its internal resources for employees who work from home. | Bastion Host |
| A company wants to filter out malicious traffic and prevent malware infections on its network. | Antivirus |
| A small business wants to improve the security of its network without compromising performance. | Firewall |
