ENEE459C
HOMEWORK#1
PROBLEM 1:
Using simple replication, the minimum number of blocks that must be
deleted in order to make some bi irretrievable is 2: since this method is a
one-to-one replication, deleting the two copies makes it impossible for
the hacker to retrieve the data using the other blocks. In the second technique,
deleting any n blocks out of the 2n blocks still allows data retrieval, simply by
using polynomial interpolation. If we consider the polynomial
of the form P(x)=(x-b1)(x-b2)...(x-bn), where we store b1 to bn and P(R1) to
P(Rn) for random Rs, there are n equations and n unknowns, so the
adversary would need to delete n+1 blocks to make the data irretrievable for a
certain bi.
PROBLEM 2:
1. The multiple ciphertexts can be XORed together in order to get rid of
the key and obtain both plaintexts XORed together. Common or
expected words can then be XORed with the result of the previous step
until legible words or phrases appear. This might not decipher the entire
text but will reveal the position of the word used. For example, if one
plaintext says CLOSE THE DOOR and the other says IN THE KITCHEN, and the
adversary XORs the ciphertexts and then XORs the result with a common word
like THE, they would find KITC and SE TH. If they had more
known words available, they would easily be able to use this technique
to get the majority of the plaintext. Once the plaintexts are found, they
can simply XOR one of them with its ciphertext in order to reveal the key
used to encode them.
2. If the adversary knows that SOLDIERS and WITHDRAW occur in the
plaintext, they can XOR the two ciphertexts together to get rid of the
key (A XOR K XOR B XOR K = A XOR B), and then they can XOR
00000000SOLDIERS and 00000000WITHDRAW with A XOR B and
keep moving until they find legible text. In this case --------
The output of this code gives us the following (this is not the full
output, as it is too long to put in a Word document):
XORing CRYPTOGRAPHIC with AB:
XORing MATHEMATICS with AC:
With a simple but tedious scan of this output, we obtain the following
results:
After associating every fragment of a phrase with its right position and text, we
obtain the following three plaintext messages:
Message A: SUBSTITUTION CIPHERS ARE NOT REALLY HARD TO DECIPHER
Message B: NEVER SEND PASSWORDS OR CRYPTOGRAPHIC KEYS IN EMAILS
Message C: CRYPTOGRAPHIC TECHNIQUES RELY ON MATHEMATICS MOSTLY.
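The crib-dragging step described in Problem 2, written out as an added example (it is not the homework's own code). The key bytes are constructed, the two plaintexts are the ones used in part 1, and the names crib_drag, demo and hit_t are chosen here for illustration.

```c
#include <stdio.h>
#include <string.h>

#define N 14
/* Constructed sample data: the two plaintexts from the text, one reused key. */
static const unsigned char MSG_A[N + 1] = "CLOSE THE DOOR";
static const unsigned char MSG_B[N + 1] = "IN THE KITCHEN";
static const unsigned char KEY[N] = {0x9c, 0x13, 0xe7, 0x58, 0x02, 0xb1, 0x4d,
                                     0x6a, 0xf0, 0x27, 0x88, 0x3e, 0xd5, 0x71};

typedef struct { size_t off; char text[16]; } hit_t;
static hit_t HITS[N];

/* Pad-style encryption: out = msg XOR key. */
static void pad_xor(const unsigned char *msg, unsigned char *out) {
    for (size_t i = 0; i < N; i++) out[i] = msg[i] ^ KEY[i];
}

/* Slide the crib over c1 XOR c2 (the key cancels out) and record every offset
   where the result is only uppercase letters and spaces. Returns the hit count. */
size_t crib_drag(const unsigned char *c1, const unsigned char *c2, size_t n,
                 const char *crib, hit_t *hits, size_t max_hits) {
    size_t len = strlen(crib), found = 0;
    if (len == 0 || len > n || len >= sizeof hits->text) return 0;
    for (size_t off = 0; off + len <= n && found < max_hits; off++) {
        int ok = 1;
        for (size_t j = 0; j < len && ok; j++) {
            unsigned char ch = c1[off + j] ^ c2[off + j] ^ (unsigned char)crib[j];
            ok = (ch >= 'A' && ch <= 'Z') || ch == ' ';
            hits[found].text[j] = (char)ch;
        }
        if (ok) { hits[found].off = off; hits[found].text[len] = '\0'; found++; }
    }
    return found;
}

/* Encrypt both messages under the same key, then drag the crib. */
size_t demo(const char *crib) {
    unsigned char c1[N], c2[N];
    pad_xor(MSG_A, c1);
    pad_xor(MSG_B, c2);
    return crib_drag(c1, c2, N, crib, HITS, N);
}

int main(void) {
    size_t k = demo(" THE ");
    for (size_t i = 0; i < k; i++)
        printf("offset %zu: \"%s\"\n", HITS[i].off, HITS[i].text);
    return 0;
}
```

With the three-letter crib THE the same scan reports five offsets, three of them coincidental, which is why longer cribs narrow the search.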
PROBLEM 3:
The int payload in the heartbeat code is the length of the heartbeat, and its
value is read from p in line 14, which comes from the sender in lines 2-4. This
means that the sender can give an arbitrary value for the payload. The
memcpy in line 37 will copy over whatever amount of the user's memory is
specified by pl; if this amount is more than the actual length of the payload, then
the other parts of memory will be sent back along with pl. This can allow the
sender to see extra data. We could fix this by checking whether the length of the
string the user sends is actually the same as the length of the payload, using
the strlen() function.
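check = strlen((const char *)p);   /* length of the string the user actually sent */
if (payload != check) {
    goto Deny_pl;                  /* lengths differ: reject the request */
} else {
    <the code>
}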
The official fix for Heartbleed was:
/* Read type and payload length first */
if (1 + 2 + 16 > s->s3->rrec.length)
    return 0; /* silently discard */
hbtype = *p++;
n2s(p, payload);
if (1 + 2 + payload + 16 > s->s3->rrec.length)
    return 0; /* silently discard per RFC 6520 sec. 4 */
pl = p;
This denies zero-length payload values and payload values that are larger
than the actual length of pl, thus denying access to extra data and ending the
program if the lengths don't match.
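The two length checks from the fix above, applied to a stand-alone record buffer, as an added example (not OpenSSL's code and not part of the original homework). The function names, the constants and the two sample records are constructed for illustration; the over-read size is only calculated, never performed.

```c
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16u  /* minimum padding length, RFC 6520 sec. 4 */

/* Constructed records: type, 2-byte length, payload "ping", 16 padding bytes. */
static const unsigned char HONEST[23] = {HB_REQUEST, 0x00, 0x04, 'p','i','n','g'};
/* Same 23 bytes received, but the length field claims 0x4000 (16384). */
static const unsigned char LYING[23]  = {HB_REQUEST, 0x40, 0x00, 'p','i','n','g'};
static unsigned char OUT[64];

/* Bytes an unchecked memcpy(bp, pl, payload) would read past the record.
   The over-read is only computed here, never performed. */
size_t overread_without_check(const unsigned char *rec, size_t rec_len) {
    if (rec_len < 3) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* what n2s() extracts */
    return (3 + payload > rec_len) ? 3 + payload - rec_len : 0;
}

/* Build the response using the same two length checks as the official fix.
   Returns the response length, or 0 when the record is silently discarded. */
size_t heartbeat_response(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap) {
    if (1 + 2 + HB_PADDING > rec_len) return 0;            /* record too short */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    size_t need = 1 + 2 + payload + HB_PADDING;
    if (need > rec_len) return 0;                /* claimed more than received */
    if (need > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);           /* bounded by the check above */
    memset(out + 3 + payload, 0, HB_PADDING);    /* real code uses random padding */
    return need;
}

int main(void) {
    printf("honest: response %zu bytes, over-read %zu bytes\n",
           heartbeat_response(HONEST, sizeof HONEST, OUT, sizeof OUT),
           overread_without_check(HONEST, sizeof HONEST));
    printf("lying:  response %zu bytes, over-read %zu bytes\n",
           heartbeat_response(LYING, sizeof LYING, OUT, sizeof OUT),
           overread_without_check(LYING, sizeof LYING));
    return 0;
}
```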
PROBLEM 4:
In this problem, we executed the Hello World code provided to make sure
that everything was working fine and then we started working on our attack
which will be explained in detail using the following screenshots and their
annotations:
This is the modified version of our myprog.cgi, which adds an extra line to
fetch information from another directory without permission and return
whatever is in test. This is how the Shellshock attack is
launched, i.e. by acquiring data that is not supposed to be accessible. As you
can see in the screenshot, the files located in the etc directory include the
test file that we created and that we will try to access.
This is the text file we created, called test, that we will try to extract
indirectly using the previous CGI program. This information shouldn't be
displayed. Why is hacking so easy? (I know there is a typo, sorry!)
As we can see, when we execute the curl command we are able to extract the
extra information that was enclosed in the test file. So the attack was
successful.