[feat] add past exam questions (#99)
* finish sp23 exam questions

* add exam questions from su23-sp24

* add toggles for mem safety

* restore gemfile lock

* update link formatting for pandoc

* fix mem safety toggled links

* update links

* Update dnssec.md

---------

Co-authored-by: davidwagner <[email protected]>
ashmchiu and davidwagner authored Nov 20, 2024
1 parent 559e165 commit a243f2b
Showing 24 changed files with 232 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Gemfile.lock
Expand Up @@ -274,4 +274,4 @@ DEPENDENCIES
webrick (~> 1.8)

BUNDLED WITH
2.4.2
2.4.2
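Review bot: the only change under `BUNDLED WITH` replaces `2.4.2` with `2.4.2`, so this looks like a whitespace or end-of-file newline difference rather than a dependency change. The commit message says "restore gemfile lock"; consider reverting this file completely so the lockfile drops out of a content-only commit.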
9 changes: 9 additions & 0 deletions crypto/hashes.md
Expand Up @@ -66,3 +66,12 @@ What if the hacker tries to cheat? If the hacker only has 15 million records, th
Still, the hacker might decide to spend some time _precomputing_ fake records with low hashes before making a claim. This is called an _offline attack_, since the attacker is generating records offline before interacting with the reporter. We will see more offline attacks when we discuss password hashing later in the notes. We can prevent the offline attack by having the reporter choose a random word at the start of the interaction, like "fubar," and send it to the hacker. Now, instead of hashing each record, the hacker will hash each record, concatenated with the random word. The reporter will give the attacker just enough time to compute 150 million hashes (but no more) before requesting the 10 lowest values. Now, a cheating hacker cannot compute values ahead of time, because they won't know what the random word is.

A slight variation on this method is to hash each record 10 separate times, each with a different reporter-chosen random word concatenated to the end (e.g. "fubar-1," "fubar-2," "fubar-3," etc.). In total, the hacker is now hashing 1.5b (150 million times 10) records. Then, instead of returning the lowest 10 hashes overall, the hacker returns the record with the lowest hash for each random word. Another way to think of this variation is: the hacker hashes all 150 million records with the first random word concatenated to each record, and returns the record with the lowest hash. Then the hacker hashes all 150 million records again with the second random word concatenated to each record, and returns the record with the lowest hash. This process repeats 10 times until the hacker has presented 10 hashes. The math for using the hash values to estimate the total number of lines is slightly different in this variation (the original uses random selection without substitution, while the variant uses random selection with substitution), but the underlying idea is the same.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover cryptographic hashes.

- [Spring 2024 Midterm Question 7: Ephemeral Exchanges](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=17)
- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
- [Fall 2023 Final Question 6: YAAS (Yet Another Authentication Scheme)](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=11)
- [Fall 2021 Midterm Question 6: Bonsai](https://assets.cs161.org/exams/fa21/fa21mt1.pdf#page=8)
7 changes: 7 additions & 0 deletions crypto/key-exchange.md
Expand Up @@ -123,4 +123,11 @@ The main reason why the Diffie-Hellman protocol is vulnerable to this attack is

{% comment %} TODO: Diffie-Hellman MITM attack (Noura) -peyrin {% endcomment %}

## Past Exam Questions

Here we've compiled a list of past exam questions that cover Diffie-Hellman key exchange.

- [Spring 2024 Final Question 6: Plentiful Playlists](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=10)
- [Summer 2023 Midterm Question 7: Oblivious Transfer](https://assets.cs161.org/exams/su23/su23mt.pdf#page=15)

[^1]: You don't need to worry about how to choose $$g$$, just know that it satisfies some special number theory properties. In short, $$g$$ must satisfy the following properties: $$1 < g < p-1$$, and there exists a $$k$$ where $$g^k = a$$ for all $$1 \leq a \leq p-1$$.
8 changes: 8 additions & 0 deletions crypto/macs.md
Expand Up @@ -137,6 +137,14 @@ One such mode is called AES-GCM (Galois Counter Mode). The specifics are out of

Some other modes include CCM mode, CWC mode, and OCB mode, but these are out of scope for these notes.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover MACs.

- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
- [Fall 2023 Midterm Question 6: Mix-and-MAC](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=12)
- [Spring 2023 Final Question 6: Lights, Camera, MACtion](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=10)

[^1]: Strictly speaking, there is a very small chance that the tag for $$M$$ will also be a valid tag for $$M'$$. However, if we choose tags to be long enough---say, 128 bits---and if the MAC algorithm is secure, the chances of this happening should be about $$1/2^{128}$$, which is small enough that it can be safely ignored.
[^2]: The formal definition of "unrelated" is out of scope for these notes. See [this paper](http://cseweb.ucsd.edu/~mihir/papers/kmd5.pdf) to learn more.
[^3]: The security proof for HMAC just required that ipad and opad be different by at least one bit but, showing the paranoia of cryptography engineers, the designers of HMAC chose to make them very different.
8 changes: 8 additions & 0 deletions crypto/passwords.md
Expand Up @@ -164,3 +164,11 @@ The bottom line is: don't store passwords in the clear. Instead, sites should st
$$s,H(H(H(\cdots(H(w,s)) \cdots)))$$

in the database, where $$s$$ is a random salt chosen randomly for that user and $$H$$ is a standard cryptographic hash function.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover passwords.

- [Fall 2023 Final Question 6: YAAS (Yet Another Authentication Scheme)](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=11)
- [Summer 2023 Final Question 8: EvanBank](https://assets.cs161.org/exams/su23/su23final.pdf#page=13)
- [Spring 2023 Midterm Question 5: alice161](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=9)
10 changes: 10 additions & 0 deletions crypto/public-key.md
Expand Up @@ -188,4 +188,14 @@ There is a problem with public key: it is _slow_. It is very, very slow. When en

Because public key schemes are expensive and difficult to make IND-CPA secure, we tend to only use public key cryptography to distribute one or more _session keys_. Session keys are the keys used to actually encrypt and authenticate the message. To send a message, Alice first generates a random set of session keys. Often, we generate several different session keys for different purposes. For example, we may generate one key for encryption algorithms and another key for MAC algorithms. We may also generate one key to encrypt messages from Alice to Bob, and another key to encrypt messages from Bob to Alice. (If we need different keys for each message direction and different keys for encryption and MAC, we would need a total of four symmetric keys.) Alice then encrypts the message using a symmetric algorithm with the session keys (such as AES-128-CBC-HMAC-SHA-256 [^1]) and encrypts the random session keys with Bob's public key. When he receives the ciphertext, Bob first decrypts the session keys and then uses the session keys to decrypt the original message.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover public-key cryptography.

- [Spring 2024 Final Question 6: Plentiful Playlists](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=10)
- [Spring 2024 Midterm Question 7: Ephemeral Exchanges](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=17)
- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
- [Fall 2023 Midterm Question 7: Does EvanBot Snore?](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=17)
- [Spring 2023 Midterm Question 4: Mallory Forger](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=7)

[^1]: That is, using AES with 128b keys in CBC mode and then using HMAC with SHA-256 for integrity
8 changes: 8 additions & 0 deletions crypto/signatures.md
Expand Up @@ -105,4 +105,12 @@ This is a very stringent definition of security, because it declares the signatu

Note however that the security of signatures do rely on the underlying hash function. Signatures have been broken in the past by taking advantage of the ability to create hash collisions when the hash function, not the public key algorithm, is compromised.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover signatures.

- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
- [Summer 2023 Final Question 6: EvanBot Signature Scheme](https://assets.cs161.org/exams/su23/su23final.pdf#page=8)
- [Summer 2023 Midterm Question 6: One-Time Signatures](https://assets.cs161.org/exams/su23/su23mt.pdf#page=12)

[^1]: Why do we pick those particular conditions on $$p$$ and $$q$$? Because then $$\varphi(pq) = (p-1)(q-1)$$ will not be a multiple of 3, which is going to allow us to have unique cube roots.
13 changes: 13 additions & 0 deletions crypto/symmetric.md
Expand Up @@ -342,6 +342,19 @@ For example, in CTR mode, reusing the IV (nonce) is equivalent to reusing the on

Different modes have different tradeoffs between usability and security. Although proper use of CBC and CTR mode are both IND-CPA, insecure use of either mode (e.g. reusing the IV) breaks IND-CPA security, and the severity of information leakage is different in the two modes. In CBC mode, the information leakage is contained, but in CTR mode, the leakage is catastrophic (equivalent to reusing a one-time pad). On the other hand, CTR mode can be parallelized, but CBC can not, which is why many high performance systems use CTR mode or CTR-mode based encryption schemes.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover symmetric cryptography.

- [Spring 2024 Final Question 5: AES-ROVW](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=8)
- [Spring 2024 Midterm Question 5: Challenging Constructions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=10)
- [Fall 2023 Final Question 5: Meet Me in the Middle](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=5)
- [Fall 2023 Midterm Question 5: Not Quite by DESign](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=9)
- [Summer 2023 Final Question 5: Ciphertext Thief](https://assets.cs161.org/exams/su23/su23final.pdf#page=8)
- [Summer 2023 Midterm Question 5: All or Nothing Security](https://assets.cs161.org/exams/su23/su23mt.pdf#page=9)
- [Spring 2023 Final Question 5: EvanBlock Cipher](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=8)
- [Spring 2023 Midterm Question 3: IND-CPA and Block Ciphers: evanbotevanbotevanbotevan...](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=4)

[^1]: Answer: Given $$M$$ and $$C = M \oplus K$$, Eve can calculate $$K = M \oplus C$$.
[^2]: This is why the only primary users of one-time-pads are spies in the field. Before the spy leaves, they obtain a large amount of key material. Unlike the other encryption systems we'll see in these notes, a one-time pad can be processed entirely with pencil and paper. The spy then broadcasts messages encrypted with the one-time pad to send back to their home base. To obfuscate the spy's communication, there are also "numbers stations" that continually broadcast meaningless sequences of random numbers. Since the one-time pad is IND-CPA secure, an adversary can't distinguish between the random number broadcasts and the messages encoded with a one time pad.
[^3]: Answer: The key is needed to determine which scrambling setting was used to generate the ciphertext. If decryption didn't require a key, any attacker would be able to decrypt encrypted messages!
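Review bot: two page anchors in this list look off when compared with the other files in this commit. `Fall 2023 Final Question 5: Meet Me in the Middle` points at `fa23final.pdf#page=5`, but Question 4 of the same exam is linked at `#page=6` in memory-safety/vulnerabilities.md, and `Summer 2023 Final Question 5: Ciphertext Thief` uses `su23final.pdf#page=8`, the same page crypto/signatures.md gives for Question 6. Please check both against the PDFs and correct whichever anchor is wrong.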
14 changes: 14 additions & 0 deletions memory-safety/mitigations.md
Expand Up @@ -172,5 +172,19 @@ Note that ASLR randomizes absolute addresses by changing the start of sections o

We can use multiple mitigations together to force the attacker to find multiple vulnerabilities to exploit the program; this is a process known as _synergistic protection_, where one mitigation helps strengthen another mitigation. For example, combining ASLR and non-executable pages results in an attacker not being able to write their own shellcode, because of non-executable pages, and not being able to use existing code in memory, because they don't know the addresses of that code (ASLR). Thus, to defeat ASLR and non-executable pages, the attacker needs to find two vulnerabilities. First, they need to find a way to leak memory and reveal the address location (to defeat ASLR). Next, they need to find a way to write to memory and write an ROP chain (to defeat non-executable pages).

## Past Exam Questions

Here we've compiled a list of past exam questions that cover memory safety mitigations.

- [Spring 2024 Final Question 3: Everyone Loves PIE](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=4)
- [Spring 2024 Final Question 4: Breaking Bot](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=6)
- [Fall 2023 Final Question 3: exec](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=4)
- [Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=7)
- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)
- [Fall 2023 Final Question 4: Ins and Outs](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=6)
- [Summer 2023 Final Question 4: The Last Dance](https://assets.cs161.org/exams/su23/su23final.pdf#page=5)
- [Summer 2023 Midterm Question 3: Across the Security-Verse](https://assets.cs161.org/exams/su23/su23mt.pdf#page=4)
- [Summer 2023 Midterm Question 4: Snacktime](https://assets.cs161.org/exams/su23/su23mt.pdf#page=6)

[^1]: The one real performance advantage C has over a garbage collected language like Go is a far more deterministic behavior for memory allocation. But with languages like Rust, which are safe but not garbage collected, this is no longer an advantage for C.
[^2]: This function is called a MAC (message authentication code), and we will study it in more detail in the cryptography unit.
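Review bot: the list order here is inconsistent with the other sections: `Fall 2023 Final Question 3: exec` sits between the Spring 2024 final and midterm entries, and `Fall 2023 Final Question 4: Ins and Outs` comes after the Fall 2023 midterm entry. The other lists in this commit go newest exam first, with finals before midterms; reorder these nine entries to match.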
58 changes: 58 additions & 0 deletions memory-safety/vulnerabilities.md
Expand Up @@ -320,4 +320,62 @@ The attacker can overwrite the vtable pointer with the address of another attack

This method of injection is very similar to stack smashing, where the attacker overwrites the rip to point to some malicious code. However, overwriting C++ vtables requires overwriting a pointer to a pointer.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover memory safety vulnerabilities.

- [Spring 2024 Final Question 3: Everyone Loves PIE](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=4)
- [Spring 2024 Final Question 4: Breaking Bot](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=6)
- [Spring 2024 Midterm Question 3: 'Tis But a Scratch](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=4)
- [Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=7)
- [Fall 2023 Final Question 3: exec](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=4)
- [Fall 2023 Final Question 4: Ins and Outs](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=6)
- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)
- [Fall 2023 Midterm Question 4: Forbidden Instruction](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=7)
- [Summer 2023 Final Question 3: Letter from EvanBot](https://assets.cs161.org/exams/su23/su23final.pdf#page=4)
- [Summer 2023 Final Question 4: The Last Dance](https://assets.cs161.org/exams/su23/su23final.pdf#page=5)
- [Summer 2023 Midterm Question 3: Across the Security-Verse](https://assets.cs161.org/exams/su23/su23mt.pdf#page=4)
- [Summer 2023 Midterm Question 4: Snacktime](https://assets.cs161.org/exams/su23/su23mt.pdf#page=6)
- [Spring 2023 Final Question 3: No Doubt](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=4)
- [Spring 2023 Final Question 4: Andor, or XOR?](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=6)
- [Spring 2023 Midterm Question 6: Cake without Pan](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=12)
- [Spring 2023 Midterm Question 7: Valentine's Day](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=14)

A large portion of memory safety vulnerability questions is identifying what type of vulnerability exists within the code. However, if you'd like to practice a specific type of question, feel free to toggle the options below. Please utilize the links from above.
<details>
<summary>Buffer overflow</summary>

- <a href="https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=7">Fall 2023 Midterm Question 4: Forbidden Instruction</a><br>
- Involves canaries: <a href="https://assets.cs161.org/exams/sp23/sp23final.pdf#page=6">Spring 2023 Final Question 4: Andor, or XOR?</a><br>
- Involves ASLR: <a href="https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=14">Spring 2023 Midterm Question 7: Valentine's Day</a>
</details>
<details>
<summary>Format string vulnerability</summary>

- <a href="https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=7">Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!</a><br>
- <a href="https://assets.cs161.org/exams/su23/su23mt.pdf#page=6">Summer 2023 Midterm Question 4: Snacktime</a><br>
- <a href="https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=12">Spring 2023 Midterm Question 6: Cake without Pan</a>
</details>
<details>
<summary>Integer conversion vulnerability</summary>

- <a href="https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=4">Spring 2024 Midterm Question 3: 'Tis But a Scratch</a><br>
- <a href="https://assets.cs161.org/exams/su23/su23final.pdf#page=4">Summer 2023 Final Question 3: Letter from EvanBot</a>
</details>
<details>
<summary>Off-by-one vulnerability</summary>

- <a href="https://assets.cs161.org/exams/sp24/sp24final.pdf#page=4">Spring 2024 Final Question 3: Everyone Loves PIE</a><br>
- <a href="https://assets.cs161.org/exams/fa23/fa23final.pdf#page=6">Fall 2023 Final Question 4: Ins and Outs</a><br>
- <a href="https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4">Fall 2023 Midterm Question 3: Homecoming</a><br>
- <a href="https://assets.cs161.org/exams/su23/su23mt.pdf#page=4">Summer 2023 Midterm Question 3: Across the Security-Verse</a>
</details>
<details>
<summary>Other vulnerabilities</summary>

- <a href="https://assets.cs161.org/exams/sp24/sp24final.pdf#page=6">Use after free: Spring 2024 Final Question 4: Breaking Bot</a><br>
- <a href="https://assets.cs161.org/exams/su23/su23final.pdf#page=5">Summer 2023 Final Question 4: The Last Dance</a>
</details>


[^1]: You sometimes see variants on this like pwned, 0wned, ownzored, etc.
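Review bot: the toggles do not cover the whole list above them: `Fall 2023 Final Question 3: exec` and `Spring 2023 Final Question 3: No Doubt` appear in no `<details>` block, so either categorize them or state that the toggles are a subset. Under "Other vulnerabilities" the `Use after free:` label is inside the link text, while `Involves canaries:` and `Involves ASLR:` sit outside it, and the second entry has no label at all. The sentence "Please utilize the links from above." reads oddly given that each toggle carries its own links; consider dropping it, and prefer `<ul><li>` over a literal `- ` plus `<br>` inside the HTML blocks.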
6 changes: 6 additions & 0 deletions memory-safety/x86.md
Expand Up @@ -260,6 +260,12 @@ Since function calls are so common, assembly programmers sometimes use shorthand

Steps 4-6 are sometimes called the _function prologue_, since they must appear at the start of the assembly code of any C function. Similarly, steps 8-10 are sometimes called the _function epilogue_.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover x86. These do require an understanding of memory safety vulnerabilities as well, so we recommend understanding those questions first before coming back to these.

- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)

[^1]: Answer: Using the table to look up each sequence of 4 bits, we get `0xC161`.
[^2]: Answer: $$2^{64}$$ bytes.
[^3]: In reality your program may not have all this memory, but the operating system gives the program the illusion that it has access to all this memory. Refer to the virtual memory unit in CS 61C or take CS 162 to learn more.
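Review bot: the intro tells readers to work through the memory safety vulnerability questions "first before coming back to these", but the single entry listed, `Fall 2023 Midterm Question 3: Homecoming`, is itself in the memory-safety/vulnerabilities.md list, and the plural "these" does not match a one-item list. Reword the intro for a single cross-listed question, or add x86-specific questions that are not already in the other list.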
6 changes: 6 additions & 0 deletions network/bgp.md
Expand Up @@ -49,5 +49,11 @@ Recall that IP operates on "best effort". Packets are delivered whole, but can b

In practice, there's not much anyone can do to defend against a malicious AS, since each AS operates relatively independently. Instead, we rely on protocols such as TCP at higher layers to guarantee that messages are sent. TCP will resend packets that are lost or corrupted because of malicious ASs. Also, cryptographic protocols at higher layers such as TLS can defend against malicious attackers, by guaranteeing confidentiality (attacker can't read the packets) and integrity (attacker can't modify the packets without detection) on packets. Both TCP and TLS are covered in later sections.

## Past Exam Questions

Here we've compiled a list of past exam questions that cover BGP.

- [Spring 2023 Final Question 8: Life of a Packet](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=15)

[^1]: $$2^8$$. The prefix is 24 bits, so there are 32 - 24 = 8 bits not in the prefix.
[^2]: Checksums are not cryptographic. The malicious AS could modify the packet and create a new checksum for the modified packet.