Cryptography Exam
• Signature-based virus detection: This method involves scanning files and comparing their contents
to a database of known virus signatures. It is effective against known viruses but cannot detect new or
unknown viruses that do not match any existing signature.
• Behavior-based virus detection: This method monitors the behavior of programs in real-time to
identify suspicious activities that are characteristic of malicious behavior, such as modifying system
files or sending data to unknown servers. It can detect new and unknown viruses based on their actions
but may generate false positives if legitimate programs exhibit similar behavior.
• Rate Limiting: Restricts the number of requests a user can make to a service, helping to prevent
overwhelming the server. This is effective but can limit legitimate high-volume users.
• Firewalls and intrusion detection systems: These can filter and block malicious traffic before it
reaches the server. They are effective for known attack patterns but may struggle with
sophisticated or new attack methods.
• Redundancy and load balancing: Distributing traffic across multiple servers can help manage
high traffic volumes. This improves resilience but requires more resources and can be costly.
1) List and explain two methods used by virus-writers to hide from anti-virus programs.
1. Polymorphic code: virus-writers use polymorphic code to change the virus's appearance each time it
infects a new system. The virus encrypts its code with a different encryption key each time, making it
difficult for signature-based anti-virus to detect it.
2. Metamorphic Code: Unlike polymorphic code, which changes the appearance of the code,
metamorphic code actually changes its internal structure and logic. The virus rewrites its own code each
time it infects a new host, creating different versions of itself, thus evading detection by anti-virus
software.
2) Given the following code:
#include <stdio.h>
#include <string.h>

void MyFunction(char *input) {
    char buffer[10];
    strcpy(buffer, input);   /* unbounded copy into a 10-byte buffer: the flaw the question asks about */
}

int main() {
    char name[256];                   /* the exam listing wrote this as "char* name; fgets(name);" */
    fgets(name, sizeof name, stdin);  /* read made compilable; nothing checks its length against buffer[10] */
    MyFunction(name);
    return 0;
}
a) Can an attacker craft a malicious input that overflows the buffer and overwrites other parts of
the program's memory? If so, what areas of memory can be overwritten, and what are the potential
consequences? Draw the stack before and after reading the variables.
Yes, an attacker can craft a malicious input that overflows the buffer. Since 'buffer' is only 10 bytes, any
input longer than 10 bytes will cause a buffer overflow, potentially overwriting adjacent memory
locations, such as the return address or other variables on the stack. This can lead to arbitrary code
execution or crashing the program.
b) How could the program be modified to prevent buffer overflow attacks in MyFunction?
The program can be modified by using safer functions such as 'strncpy', which allows the maximum number of
characters to be specified. Another option is to use 'fgets' with a size limit to ensure the input does not
exceed the buffer size.
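The two fixes named in this answer (a bounded copy in place of strcpy, and fgets with a size limit), carried through as an added example that is not part of the original exam; the function names, the 64-byte name buffer and the tmpfile-based helper are assumptions, and the 10-byte size is taken from question 2. It also handles the two pitfalls of those functions: strncpy leaving the buffer unterminated, and fgets leaving the rest of an over-long line in the stream.

```c
#include <stdio.h>
#include <string.h>
#define BUFFER_SIZE 10   /* the same 10-byte buffer as MyFunction in question 2 */

/* Replacement for the strcpy in MyFunction: copies at most size-1 bytes and
 * always writes the terminating NUL. strncpy on its own does not terminate
 * the string when the input is at least size-1 bytes long.
 * Returns 0 if the input fit, 1 if it had to be truncated. */
int copy_bounded(char *buffer, size_t size, const char *input) {
    if (size == 0) return 1;
    strncpy(buffer, input, size - 1);
    buffer[size - 1] = '\0';
    return strlen(input) > size - 1;
}

/* Replacement for the unbounded read in main: fgets with a size limit reads
 * at most size-1 bytes. If the line did not fit, the remainder is drained so
 * it cannot be handed to a later read as the "next" line.
 * Returns 0 if the whole line fit, 1 if it was truncated, -1 on EOF. */
int read_line_bounded(char *buffer, size_t size, FILE *in) {
    if (fgets(buffer, (int)size, in) == NULL) return -1;
    char *nl = strchr(buffer, '\n');
    if (nl != NULL) { *nl = '\0'; return 0; }
    int c = fgetc(in);
    if (c == '\n' || c == EOF) return 0;   /* line filled the buffer exactly */
    while ((c = fgetc(in)) != EOF && c != '\n') { }   /* discard the excess */
    return 1;
}

/* Test helper (hypothetical): feeds a constructed line through a temporary
 * file so the read can be exercised without stdin. Returns -2 if no
 * temporary file could be created. */
int read_line_from_string(char *buffer, size_t size, const char *line) {
    FILE *f = tmpfile();
    if (f == NULL) return -2;
    fputs(line, f);
    rewind(f);
    int r = read_line_bounded(buffer, size, f);
    fclose(f);
    return r;
}

int main(void) {
    char name[64], buffer[BUFFER_SIZE];
    if (read_line_bounded(name, sizeof name, stdin) < 0) return 1;
    if (copy_bounded(buffer, sizeof buffer, name))
        fprintf(stderr, "input truncated to %d characters\n", BUFFER_SIZE - 1);
    printf("buffer = \"%s\"\n", buffer);
    return 0;
}
```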
3) What is the purpose of adding NOP operations before or after shellcode in a buffer overflow
attack?
The purpose of adding NOP (No Operation) operations before or after shellcode in a buffer overflow attack
is to create a "NOP sled". This makes it easier for the execution flow to reach the shellcode, as the
instruction pointer (IP) can land anywhere within the NOP sled and slide down to execute the shellcode.
This increases the likelihood of successful operation.
4) What is the difference between a virus and a worm? How do these types of malware propagate?
5) Suppose you are the network administrator for a small company that has recently installed a
firewall to protect its internal network from external threats. The firewall has two interfaces, one
connected to the Internet, and one connected to the internal network. You have been tasked with
configuring the firewall to allow only necessary traffic to pass through, both inbound and
outbound. The following table shows the current rules for the firewall:
b) Are there any potential security risks or vulnerabilities in the current firewall rules? How could
the rules be modified to improve security while still allowing necessary traffic to pass through?
Yes, there are security risks:
- Overly permissive rules: The inbound rules allow traffic from any source IP address. This can
expose the internal network to attacks from any external sources.
- No restrictions on outbound traffic: The outbound rules allow all TCP and UDP traffic from the
internal network to any destination. This could be exploited if a device inside the network is
compromised, allowing the attacker to exfiltrate data.