CSCI862-Assignment 2 Solved

Part One: Short Answer                                                                 
For questions where you are referencing material outside the lecture notes, you should provide appropriate referencing.

1.    Consider that you have two puzzles

Puzzle A: One sub–puzzles. k = 8.

Puzzle B: Four sub–puzzles. k = 6.

For each puzzle provide

(a)    A graph of the distribution of the number of hashes needed.         

(b)   The average number of hashes needed.        

(c)    The standard deviation for the distribution of the number of hashes needed.              

(d)   Describe the method you used to obtain your solutions to (c). Don’t go into too many detailsor show working, it’s more “I wrote a C++ program to ... and then using ... I ...”.

You should assume that if there are N possible solutions you check the Nth by hashing even if all others have failed and there has to be a solution.

2.    Using a TCP SYN spoofing attack, the attacker aims to flood the table of TCP connection requestson a system so that it is unable to respond to legitimate connection requests. Consider a server system with a table for 1024 connection requests. This system will retry sending the SYN-ACK packet five times when it fails to receive an ACK packet in response, at 45 second intervals, before purging the request from its table. Assume that no additional countermeasures are used against this attack and that the attacker has filled this table with an initial flood of connection requests. At what rate (per minute) must the attacker continue to send TCP connection requests to this system in order to ensure that the table remains full? Assuming that the TCP SYN packet is 50 bytes in size (ignoring framing overhead). How much bandwidth does the attacker consume to continue this attack?   

3.    What is a password mangler and why would we use one?  

4.    What is a Cinderella attack? In particular, describe the target, the vulnerability being exploited,and the likely effect.   

5.    Every hour the malware X spreads from each infected computer to two previously uninfected computers. In answering these questions you should explain how you determined your answers.

(a)    Give a table showing the number of infected computers at each hour across a 24 hour period.

                           At time t = 0 the number of X infected computers is N = 1.                         

(b)   By time t = 10.5 a counter worm W has been developed and it is deployed on one infected computer. W removes malware X from any host W is on. The counter worm W spreads slightly more quickly than X, with each W spreading to three X infected hosts each hour, provided such hosts are available.

Provide another table showing the spread of W and the impact on X across a relevant time frame, starting from t = 0 again.

Note the offset in time means that at t = 10.5 the number of X infected computers reduces by

1, so the spread of t = 11 will be slightly smaller than before.

 (c) Graph the two cases against each other, clearly indicating on it where N = 0.

(d) Assume that at time t = 12, X evolves to spread to three uninfected computers each hour.

                       What subsequently happens?                                                                                        

6.    In the context of phishing, list 8 points that can be used in checking the legitimacy of an email.Justify why each is appropriate as an indicator. Note that some points could relate to characteristics of legitimate messages, and others could be indicators of a phishing message.

7.    What protection is provided at the memory level by using the private access specifier in declaring aclass in C++? Is it possible to overflow into private variables?

Part Two: Buffer overflow                                                           
The Windows executable overIT.exe is given. The corresponding C/C++ code was compiled with Dev– C++ and is executable on PC’s only. It should work happily in the lab. It can be used as follows: