diff --git a/Gemfile.lock b/Gemfile.lock
index 0865222..95c2b3e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -274,4 +274,4 @@ DEPENDENCIES
webrick (~> 1.8)
BUNDLED WITH
- 2.4.2
+ 2.4.2
\ No newline at end of file
diff --git a/crypto/hashes.md b/crypto/hashes.md
index 3c016e7..8392697 100644
--- a/crypto/hashes.md
+++ b/crypto/hashes.md
@@ -66,3 +66,12 @@ What if the hacker tries to cheat? If the hacker only has 15 million records, th
Still, the hacker might decide to spend some time _precomputing_ fake records with low hashes before making a claim. This is called an _offline attack_, since the attacker is generating records offline before interacting with the reporter. We will see more offline attacks when we discuss password hashing later in the notes. We can prevent the offline attack by having the reporter choose a random word at the start of the interaction, like "fubar," and send it to the hacker. Now, instead of hashing each record, the hacker will hash each record, concatenated with the random word. The reporter will give the attacker just enough time to compute 150 million hashes (but no more) before requesting the 10 lowest values. Now, a cheating hacker cannot compute values ahead of time, because they won't know what the random word is.
A slight variation on this method is to hash each record 10 separate times, each with a different reporter-chosen random word concatenated to the end (e.g. "fubar-1," "fubar-2," "fubar-3," etc.). In total, the hacker is now hashing 1.5b (150 million times 10) records. Then, instead of returning the lowest 10 hashes overall, the hacker returns the record with the lowest hash for each random word. Another way to think of this variation is: the hacker hashes all 150 million records with the first random word concatenated to each record, and returns the record with the lowest hash. Then the hacker hashes all 150 million records again with the second random word concatenated to each record, and returns the record with the lowest hash. This process repeats 10 times until the hacker has presented 10 hashes. The math for using the hash values to estimate the total number of lines is slightly different in this variation (the original uses random selection without substitution, while the variant uses random selection with substitution), but the underlying idea is the same.
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover cryptographic hashes.
+
+- [Spring 2024 Midterm Question 7: Ephemeral Exchanges](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=17)
+- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
+- [Fall 2023 Final Question 6: YAAS (Yet Another Authentication Scheme)](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=11)
+- [Fall 2021 Midterm Question 6: Bonsai](https://assets.cs161.org/exams/fa21/fa21mt1.pdf#page=8)
diff --git a/crypto/key-exchange.md b/crypto/key-exchange.md
index c5c34ec..a4882c7 100644
--- a/crypto/key-exchange.md
+++ b/crypto/key-exchange.md
@@ -123,4 +123,11 @@ The main reason why the Diffie-Hellman protocol is vulnerable to this attack is
{% comment %} TODO: Diffie-Hellman MITM attack (Noura) -peyrin {% endcomment %}
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover Diffie-Hellman key exchange.
+
+- [Spring 2024 Final Question 6: Plentiful Playlists](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=10)
+- [Summer 2023 Midterm Question 7: Oblivious Transfer](https://assets.cs161.org/exams/su23/su23mt.pdf#page=15)
+
[^1]: You don't need to worry about how to choose $$g$$, just know that it satisfies some special number theory properties. In short, $$g$$ must satisfy the following properties: $$1 < g < p-1$$, and there exists a $$k$$ where $$g^k = a$$ for all $$1 \leq a \leq p-1$$.
diff --git a/crypto/macs.md b/crypto/macs.md
index b87da29..d00e6b1 100644
--- a/crypto/macs.md
+++ b/crypto/macs.md
@@ -137,6 +137,14 @@ One such mode is called AES-GCM (Galois Counter Mode). The specifics are out of
Some other modes include CCM mode, CWC mode, and OCB mode, but these are out of scope for these notes.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover MACs.
+
+- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
+- [Fall 2023 Midterm Question 6: Mix-and-MAC](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=12)
+- [Spring 2023 Final Question 6: Lights, Camera, MACtion](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=10)
+
[^1]: Strictly speaking, there is a very small chance that the tag for $$M$$ will also be a valid tag for $$M'$$. However, if we choose tags to be long enough---say, 128 bits---and if the MAC algorithm is secure, the chances of this happening should be about $$1/2^{128}$$, which is small enough that it can be safely ignored.
[^2]: The formal definition of "unrelated" is out of scope for these notes. See [this paper](http://cseweb.ucsd.edu/~mihir/papers/kmd5.pdf) to learn more.
[^3]: The security proof for HMAC just required that ipad and opad be different by at least one bit but, showing the paranoia of cryptography engineers, the designers of HMAC chose to make them very different.
diff --git a/crypto/passwords.md b/crypto/passwords.md
index 737ce3d..519e6a6 100644
--- a/crypto/passwords.md
+++ b/crypto/passwords.md
@@ -164,3 +164,11 @@ The bottom line is: don't store passwords in the clear. Instead, sites should st
$$s,H(H(H(\cdots(H(w,s)) \cdots)))$$
in the database, where $$s$$ is a random salt chosen randomly for that user and $$H$$ is a standard cryptographic hash function.
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover passwords.
+
+- [Fall 2023 Final Question 6: YAAS (Yet Another Authentication Scheme)](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=11)
+- [Summer 2023 Final Question 8: EvanBank](https://assets.cs161.org/exams/su23/su23final.pdf#page=13)
+- [Spring 2023 Midterm Question 5: alice161](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=9)
diff --git a/crypto/public-key.md b/crypto/public-key.md
index 50ba259..47e915d 100644
--- a/crypto/public-key.md
+++ b/crypto/public-key.md
@@ -188,4 +188,14 @@ There is a problem with public key: it is _slow_. It is very, very slow. When en
Because public key schemes are expensive and difficult to make IND-CPA secure, we tend to only use public key cryptography to distribute one or more _session keys_. Session keys are the keys used to actually encrypt and authenticate the message. To send a message, Alice first generates a random set of session keys. Often, we generate several different session keys for different purposes. For example, we may generate one key for encryption algorithms and another key for MAC algorithms. We may also generate one key to encrypt messages from Alice to Bob, and another key to encrypt messages from Bob to Alice. (If we need different keys for each message direction and different keys for encryption and MAC, we would need a total of four symmetric keys.) Alice then encrypts the message using a symmetric algorithm with the session keys (such as AES-128-CBC-HMAC-SHA-256 [^1]) and encrypts the random session keys with Bob's public key. When he receives the ciphertext, Bob first decrypts the session keys and then uses the session keys to decrypt the original message.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover public-key cryptography.
+
+- [Spring 2024 Final Question 6: Plentiful Playlists](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=10)
+- [Spring 2024 Midterm Question 7: Ephemeral Exchanges](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=17)
+- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
+- [Fall 2023 Midterm Question 7: Does EvanBot Snore?](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=17)
+- [Spring 2023 Midterm Question 4: Mallory Forger](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=7)
+
[^1]: That is, using AES with 128b keys in CBC mode and then using HMAC with SHA-256 for integrity
diff --git a/crypto/signatures.md b/crypto/signatures.md
index 5df1d5a..f6aea67 100644
--- a/crypto/signatures.md
+++ b/crypto/signatures.md
@@ -105,4 +105,12 @@ This is a very stringent definition of security, because it declares the signatu
Note however that the security of signatures do rely on the underlying hash function. Signatures have been broken in the past by taking advantage of the ability to create hash collisions when the hash function, not the public key algorithm, is compromised.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover signatures.
+
+- [Spring 2024 Midterm Question 6: Authentic Auctions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=13)
+- [Summer 2023 Final Question 6: EvanBot Signature Scheme](https://assets.cs161.org/exams/su23/su23final.pdf#page=8)
+- [Summer 2023 Midterm Question 6: One-Time Signatures](https://assets.cs161.org/exams/su23/su23mt.pdf#page=12)
+
[^1]: Why do we pick those particular conditions on $$p$$ and $$q$$? Because then $$\varphi(pq) = (p-1)(q-1)$$ will not be a multiple of 3, which is going to allow us to have unique cube roots.
diff --git a/crypto/symmetric.md b/crypto/symmetric.md
index 05e31cb..9e7115f 100644
--- a/crypto/symmetric.md
+++ b/crypto/symmetric.md
@@ -342,6 +342,19 @@ For example, in CTR mode, reusing the IV (nonce) is equivalent to reusing the on
Different modes have different tradeoffs between usability and security. Although proper use of CBC and CTR mode are both IND-CPA, insecure use of either mode (e.g. reusing the IV) breaks IND-CPA security, and the severity of information leakage is different in the two modes. In CBC mode, the information leakage is contained, but in CTR mode, the leakage is catastrophic (equivalent to reusing a one-time pad). On the other hand, CTR mode can be parallelized, but CBC can not, which is why many high performance systems use CTR mode or CTR-mode based encryption schemes.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover symmetric cryptography.
+
+- [Spring 2024 Final Question 5: AES-ROVW](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=8)
+- [Spring 2024 Midterm Question 5: Challenging Constructions](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=10)
+- [Fall 2023 Final Question 5: Meet Me in the Middle](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=5)
+- [Fall 2023 Midterm Question 5: Not Quite by DESign](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=9)
+- [Summer 2023 Final Question 5: Ciphertext Thief](https://assets.cs161.org/exams/su23/su23final.pdf#page=8)
+- [Summer 2023 Midterm Question 5: All or Nothing Security](https://assets.cs161.org/exams/su23/su23mt.pdf#page=9)
+- [Spring 2023 Final Question 5: EvanBlock Cipher](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=8)
+- [Spring 2023 Midterm Question 3: IND-CPA and Block Ciphers: evanbotevanbotevanbotevan...](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=4)
+
[^1]: Answer: Given $$M$$ and $$C = M \oplus K$$, Eve can calculate $$K = M \oplus C$$.
[^2]: This is why the only primary users of one-time-pads are spies in the field. Before the spy leaves, they obtain a large amount of key material. Unlike the other encryption systems we'll see in these notes, a one-time pad can be processed entirely with pencil and paper. The spy then broadcasts messages encrypted with the one-time pad to send back to their home base. To obfuscate the spy's communication, there are also "numbers stations" that continually broadcast meaningless sequences of random numbers. Since the one-time pad is IND-CPA secure, an adversary can't distinguish between the random number broadcasts and the messages encoded with a one time pad.
[^3]: Answer: The key is needed to determine which scrambling setting was used to generate the ciphertext. If decryption didn't require a key, any attacker would be able to decrypt encrypted messages!
diff --git a/memory-safety/mitigations.md b/memory-safety/mitigations.md
index a485d0b..9487ac0 100644
--- a/memory-safety/mitigations.md
+++ b/memory-safety/mitigations.md
@@ -172,5 +172,19 @@ Note that ASLR randomizes absolute addresses by changing the start of sections o
We can use multiple mitigations together to force the attacker to find multiple vulnerabilities to exploit the program; this is a process known as _synergistic protection_, where one mitigation helps strengthen another mitigation. For example, combining ASLR and non-executable pages results in an attacker not being able to write their own shellcode, because of non-executable pages, and not being able to use existing code in memory, because they don't know the addresses of that code (ASLR). Thus, to defeat ASLR and non-executable pages, the attacker needs to find two vulnerabilities. First, they need to find a way to leak memory and reveal the address location (to defeat ASLR). Next, they need to find a way to write to memory and write an ROP chain (to defeat non-executable pages).
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover memory safety mitigations.
+
+- [Spring 2024 Final Question 3: Everyone Loves PIE](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=4)
+- [Spring 2024 Final Question 4: Breaking Bot](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=6)
+- [Fall 2023 Final Question 3: exec](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=4)
+- [Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=7)
+- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)
+- [Fall 2023 Final Question 4: Ins and Outs](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=6)
+- [Summer 2023 Final Question 4: The Last Dance](https://assets.cs161.org/exams/su23/su23final.pdf#page=5)
+- [Summer 2023 Midterm Question 3: Across the Security-Verse](https://assets.cs161.org/exams/su23/su23mt.pdf#page=4)
+- [Summer 2023 Midterm Question 4: Snacktime](https://assets.cs161.org/exams/su23/su23mt.pdf#page=6)
+
[^1]: The one real performance advantage C has over a garbage collected language like Go is a far more deterministic behavior for memory allocation. But with languages like Rust, which are safe but not garbage collected, this is no longer an advantage for C.
[^2]: This function is called a MAC (message authentication code), and we will study it in more detail in the cryptography unit.
diff --git a/memory-safety/vulnerabilities.md b/memory-safety/vulnerabilities.md
index 82a71a6..4f9e65c 100644
--- a/memory-safety/vulnerabilities.md
+++ b/memory-safety/vulnerabilities.md
@@ -320,4 +320,62 @@ The attacker can overwrite the vtable pointer with the address of another attack
This method of injection is very similar to stack smashing, where the attacker overwrites the rip to point to some malicious code. However, overwriting C++ vtables requires overwriting a pointer to a pointer.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover memory safety vulnerabilities.
+
+- [Spring 2024 Final Question 3: Everyone Loves PIE](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=4)
+- [Spring 2024 Final Question 4: Breaking Bot](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=6)
+- [Spring 2024 Midterm Question 3: 'Tis But a Scratch](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=4)
+- [Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!](https://assets.cs161.org/exams/sp24/sp24mt.pdf#page=7)
+- [Fall 2023 Final Question 3: exec](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=4)
+- [Fall 2023 Final Question 4: Ins and Outs](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=6)
+- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)
+- [Fall 2023 Midterm Question 4: Forbidden Instruction](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=7)
+- [Summer 2023 Final Question 3: Letter from EvanBot](https://assets.cs161.org/exams/su23/su23final.pdf#page=4)
+- [Summer 2023 Final Question 4: The Last Dance](https://assets.cs161.org/exams/su23/su23final.pdf#page=5)
+- [Summer 2023 Midterm Question 3: Across the Security-Verse](https://assets.cs161.org/exams/su23/su23mt.pdf#page=4)
+- [Summer 2023 Midterm Question 4: Snacktime](https://assets.cs161.org/exams/su23/su23mt.pdf#page=6)
+- [Spring 2023 Final Question 3: No Doubt](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=4)
+- [Spring 2023 Final Question 4: Andor, or XOR?](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=6)
+- [Spring 2023 Midterm Question 6: Cake without Pan](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=12)
+- [Spring 2023 Midterm Question 7: Valentine's Day](https://assets.cs161.org/exams/sp23/sp23mt.pdf#page=14)
+
+A large portion of memory safety vulnerability questions is identifying what type of vulnerability exists within the code. However, if you'd like to practice a specific type of question, feel free to toggle the options below. Please utilize the links from above.
+
+ Buffer overflow
+
+- Fall 2023 Midterm Question 4: Forbidden Instruction
+- Involves canaries: Spring 2023 Final Question 4: Andor, or XOR?
+- Involves ASLR: Spring 2023 Midterm Question 7: Valentine's Day
+
+
+ Format string vulnerability
+
+- Spring 2024 Midterm Question 4: I Sawed This Shellcode In Half!
+- Summer 2023 Midterm Question 4: Snacktime
+- Spring 2023 Midterm Question 6: Cake without Pan
+
+
+ Integer conversion vulnerability
+
+- Spring 2024 Midterm Question 3: 'Tis But a Scratch
+- Summer 2023 Final Question 3: Letter from EvanBot
+
+
+ Off-by-one vulnerability
+
+- Spring 2024 Final Question 3: Everyone Loves PIE
+- Fall 2023 Final Question 4: Ins and Outs
+- Fall 2023 Midterm Question 3: Homecoming
+- Summer 2023 Midterm Question 3: Across the Security-Verse
+
+
+ Other vulnerabilities
+
+- Use after free: Spring 2024 Final Question 4: Breaking Bot
+- Summer 2023 Final Question 4: The Last Dance
+
+
+
[^1]: You sometimes see variants on this like pwned, 0wned, ownzored, etc.
diff --git a/memory-safety/x86.md b/memory-safety/x86.md
index be02a58..b09e440 100644
--- a/memory-safety/x86.md
+++ b/memory-safety/x86.md
@@ -260,6 +260,12 @@ Since function calls are so common, assembly programmers sometimes use shorthand
Steps 4-6 are sometimes called the _function prologue_, since they must appear at the start of the assembly code of any C function. Similarly, steps 8-10 are sometimes called the _function epilogue_.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover x86. These do require an understanding of memory safety vulnerabilities as well, so we recommend understanding those questions first before coming back to these.
+
+- [Fall 2023 Midterm Question 3: Homecoming](https://assets.cs161.org/exams/fa23/fa23mt.pdf#page=4)
+
[^1]: Answer: Using the table to look up each sequence of 4 bits, we get `0xC161`.
[^2]: Answer: $$2^{64}$$ bytes.
[^3]: In reality your program may not have all this memory, but the operating system gives the program the illusion that it has access to all this memory. Refer to the virtual memory unit in CS 61C or take CS 162 to learn more.
diff --git a/network/bgp.md b/network/bgp.md
index 08bc857..8e9ad99 100644
--- a/network/bgp.md
+++ b/network/bgp.md
@@ -49,5 +49,11 @@ Recall that IP operates on "best effort". Packets are delivered whole, but can b
In practice, there's not much anyone can do to defend against a malicious AS, since each AS operates relatively independently. Instead, we rely on protocols such as TCP at higher layers to guarantee that messages are sent. TCP will resend packets that are lost or corrupted because of malicious ASs. Also, cryptographic protocols at higher layers such as TLS can defend against malicious attackers, by guaranteeing confidentiality (attacker can't read the packets) and integrity (attacker can't modify the packets without detection) on packets. Both TCP and TLS are covered in later sections.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover BGP.
+
+- [Spring 2023 Final Question 8: Life of a Packet](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=15)
+
[^1]: $$2^8$$. The prefix is 24 bits, so there are 32 - 24 = 8 bits not in the prefix.
[^2]: Checksums are not cryptographic. The malicious AS could modify the packet and create a new checksum for the modified packet.
diff --git a/network/dhcp.md b/network/dhcp.md
index 23c88bf..f0b36b7 100644
--- a/network/dhcp.md
+++ b/network/dhcp.md
@@ -61,5 +61,11 @@ In reality, many networks just accept DHCP spoofing as a fact of life and rely o
Defending against low-layer attacks like DHCP spoofing is hard, because there is no trusted party to rely on when we're first connecting to the network.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover DHCP.
+
+- [Spring 2023 Final Question 8: Life of a Packet](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=15)
+
[^1]: A: Before DHCP, the client has no idea where the servers are.
[^2]: Source, since it's an outgoing packet.
diff --git a/network/dns.md b/network/dns.md
index 49ede82..df7c719 100644
--- a/network/dns.md
+++ b/network/dns.md
@@ -232,6 +232,15 @@ Recall that UDP is a transport-layer protocol like TCP, so a UDP packet requires
Sanity check: How much extra security does source port randomization provide against on-path attackers?[^3]
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover DNS.
+
+- [Spring 2024 Final Question 8: Check Please](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=17)
+- [Fall 2023 Final Question 9: Double-Check Your Work](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=18)
+- [Summer 2023 Final Question 10: DNS Hack Finding](https://assets.cs161.org/exams/su23/su23final.pdf#page=18)
+- [Spring 2023 Final Question 10: Don't Need Security](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=18)
+
[^1]: A: MITM and on-path can read the ID field. Off-path must guess the ID field.
[^2]: Query `a.edu-servers.net`, whose location we know because of the records in the additional section. Query for the IP address of `eecs.berkeley.edu` just like before.
[^3]: A: None, on-path attackers can see the source port value.
diff --git a/network/dnssec.md b/network/dnssec.md
index f985de2..0871e0a 100644
--- a/network/dnssec.md
+++ b/network/dnssec.md
@@ -327,6 +327,12 @@ The order of the domain names has changed, but the process is the same - if some
Of course, an attacker could buy a GPU and precompute hashes to learn domain names anyway... and [NSEC5](https://datatracker.ietf.org/doc/draft-vcelak-nsec5/) was born. Fortunately, it's still out of scope for this class.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover DNSSEC.
+
+- [Spring 2024 Final Question 8: Check Please](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=17)
+
[^1]: A: DNS responses don't contain sensitive data. Anyone could query the name servers for the same information.
[^2]: A: The ZSK of the `.edu` name server.
[^3]: A: Denial of service (DoS). Flood the name server with requests for nonexistent domains, and it will be forced to sign all of them.
diff --git a/network/intro.md b/network/intro.md
index 3fbf591..7f0a683 100644
--- a/network/intro.md
+++ b/network/intro.md
@@ -112,3 +112,10 @@ Network adversaries can be sorted into 3 general categories. They are, from weak
**In-path Adversaries**: can read, modify, and block packets. Also known as a **man-in-the-middle**.
Note that all adversaries can send packets of their own, including faking or **spoofing** the packet headers to appear like the message is coming from somebody else. This is often as simple as setting the "source\" field on the packet header to somebody else's address.
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover an introduction to networking or network adversaries in specific.
+
+- [Fall 2023 Final Question 11: New Phone Who This](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=20)
+- [Summer 2023 Final Question 9: Passwords-R-Us](https://assets.cs161.org/exams/su23/su23final.pdf#page=15)
diff --git a/network/tls.md b/network/tls.md
index c27320d..7eafc5c 100644
--- a/network/tls.md
+++ b/network/tls.md
@@ -91,6 +91,14 @@ These days TLS is effectively free. The computational overhead is minor to the p
This leaves the biggest cost of TLS in managing the private keys. Previously CAs charged a substantial amount to issue a certificate, but [LetsEncrypt](https://letsencrypt.org/) costs nothing because they have fully automated the process. You run a small program on your web server that generates keys, sends the public key to LetsEncrypt, and LetsEncrypt instructs that you put a particular file in a particular location on your server, acting to prove that you control the server. So LetsEncrypt has reduced the cost in two ways: It makes the TLS certificate monetarily free and, as important, makes it very easy to generate and use.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover TLS.
+
+- [Spring 2024 Final Question 9: Key Rotation](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=19)
+- [Fall 2023 Final Question 11: New Phone Who This](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=20)
+- [Spring 2023 Final Question 9: TLS Times Two](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=17)
+
[^1]: A: No. An attacker can obtain the genuine server's certificate by starting its own TLS connection with the genuine server, and then present a copy of that certificate in step 2.
[^2]: A: It was signed by a certificate authority in the previous step.
[^3]: A: TCP is insecure against on-path and MITM attackers, who can spoof messages.
diff --git a/network/tor.md b/network/tor.md
index d28ac2a..271f794 100644
--- a/network/tor.md
+++ b/network/tor.md
@@ -56,3 +56,9 @@ Tor uses this type of onion routing for anonymous web browsing and censorship ci
One of the downsides in onion routing is performance, as the message has to bounce off of several proxy servers before it reaches its destination, it takes a lot longer to get there. Each time the message goes through a proxy, there is an extra delay that is added to the latency. However, it should be noted that performance decreases linearly with the number of proxies added, and if you estimate that roughly half of the available proxy servers are honest then you only need to chain together a small number of proxies before you can be fairly sure that you have gained some level of anonymity (you can think of security going up exponentially, but performance going down linearly with the number of proxy servers added).
Another possible attack is one that was mentioned in the previous section, when the first and last proxy servers are under malicious control. The attacker can use timing information to link Alice and Bob, but, as mentioned earlier, this depends on the amount of traffic that is flowing through the proxy servers at that time. A possible defense is to pad messages (this is what Tor does but they note that it's not enough for defense), introduce significant delays, or if Bob is ready to accept encrypted messages, then the original message $$M$$ can be encrypted.
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover Tor.
+
+- [Fall 2023 Final Question 10: A TORrible Mistake](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=19)
\ No newline at end of file
diff --git a/network/transport.md b/network/transport.md
index 1f44fb7..0e9cf5a 100644
--- a/network/transport.md
+++ b/network/transport.md
@@ -105,4 +105,10 @@ The main problem here is that TCP by itself provides no confidentiality or integ
One important defense against off-path attackers is using random, unpredictable initial sequence numbers. This forces the off-path attacker to guess the correct sequence number with very low probability.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover the Transport Layer.
+
+- [Spring 2023 Final Question 8: Life of a Packet](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=15)
+
[^1]: The sequence number is 32 bits, so guessing a random sequence number succeeds with probability $$1/2^{32}$$.
diff --git a/principles/principles.md b/principles/principles.md
index fe25564..19f3dc8 100644
--- a/principles/principles.md
+++ b/principles/principles.md
@@ -169,4 +169,10 @@ So suppose that your current account balance is $100 and you want to withdraw $1
This is known as a _Time-Of-Check To Time-Of-Use_ (TOCTTOU) vulnerability, because between the check and the use of whatever state was checked, the state somehow changed. In the above example, between the time that the balance was checked and the time that balance was set, the balance was somehow changed.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover security principles.
+
+- [Fall 2021 Midterm Question 3: EvanBot Alpha](https://assets.cs161.org/exams/fa21/fa21mt1.pdf#page=4)
+
[^1]: For example, Windows XP consisted of about 40 million lines of code---all of which were in the TCB. With that much code, it's a virtual certainty there will be security vulnerabilities somewhere.
diff --git a/web/cookies.md b/web/cookies.md
index 71670c3..ef86636 100644
--- a/web/cookies.md
+++ b/web/cookies.md
@@ -55,6 +55,14 @@ Secure session tokens should be random and unpredictable, so an attacker cannot
It is easy to confuse session tokens and cookies. Session tokens are the values that the browser sends to the server to associate the request with a logged-in user. Cookies are how the browser stores and sends session tokens to the server. Cookies can also be used to save other state, as discussed earlier. In other words, session tokens are a special type of cookie that keep users logged in over many requests and responses.
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover cookies.
+
+- [Fall 2023 Final Question 7: Unscramble](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=13)
+- [Summer 2023 Final Question 8: EvanBank](https://assets.cs161.org/exams/su23/su23final.pdf#page=13)
+- [Spring 2023 Final Question 7: Botgram](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=12)
+
[^1]: The lack of restriction on the `Path` attribute has caused problems in the past, as cookies are presented to the server and JavaScript as an unordered set of name/value pairs, but is stored internally as name/path/value tuples, so if two cookies with the same name and host but different path are present, both will be presented to the server in unspecified order.
diff --git a/web/csrf.md b/web/csrf.md
index 6f36c1e..9c460f2 100644
--- a/web/csrf.md
+++ b/web/csrf.md
@@ -57,6 +57,13 @@ In practice, Referer headers may be removed by the browser, the operating system
_Further reading:_ [OWASP Cheat Sheet on CSRF](https://owasp.org/www-community/attacks/csrf)
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover CSRF.
+
+- [Fall 2023 Final Question 7: Unscramble](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=13)
+- [Spring 2023 Final Question 7: Botgram](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=12)
+
[^1]: Yes, the "Referer" field represents a roughly three decade old misspelling of referrer. This is a silly example of how "legacy", that is old design decisions, can impact things decades later because it can be very hard to change things
## 21.4. Defense: SameSite Cookie Attribute
diff --git a/web/sqli.md b/web/sqli.md
index 0f2cbc8..3bdc57f 100644
--- a/web/sqli.md
+++ b/web/sqli.md
@@ -223,3 +223,12 @@ The biggest problem with parameterized SQL is compatibility. SQL is a (mostly) g
In practice, most modern SQL libraries support parameterized SQL and prepared statements. If the library you are using does not support parameterized SQL, it is probably best to switch to a different SQL library.
_Further reading:_ [OWASP Cheat Sheet on SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover SQL Injection.
+
+- [Spring 2024 Final Question 7: Suspicious SQL](https://assets.cs161.org/exams/sp24/sp24final.pdf#page=13)
+- [Fall 2023 Final Question 8: Word Game](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=16)
+- [Summer 2023 Final Question 7: Barbenheimer](https://assets.cs161.org/exams/su23/su23final.pdf#page=11)
+- [Spring 2023 Final Question 7: Botgram](https://assets.cs161.org/exams/sp23/sp23final.pdf#page=12)
\ No newline at end of file
diff --git a/web/xss.md b/web/xss.md
index 4c61ae8..021feb7 100644
--- a/web/xss.md
+++ b/web/xss.md
@@ -90,3 +90,9 @@ CSPs are defined by a web server and enforced by a browser. In the HTTP response
If you enable CSP, you can no longer run _any_ scripts that are embedded directly in the HTML document. You can only load external scripts specified by the `script` tag and an external URL. These scripts can only be fetched from the sites specified in the CSP. This prevents an attacker from directly injecting scripts into an HTML document or modifying the HTML document to fetch scripts from the attacker's domain.
_Further reading:_ [OWASP Cheat Sheet on XSS](https://owasp.org/www-community/attacks/xss/)
+
+## Past Exam Questions
+
+Here we've compiled a list of past exam questions that cover XSS.
+
+- [Fall 2023 Final Question 7: Unscramble](https://assets.cs161.org/exams/fa23/fa23final.pdf#page=13)
\ No newline at end of file