Homework 4 COMP 3632 solution


1. (4pt) As discussed in the lecture, timestamps can be used to replace nonces in designing secure protocols.
(a) (2pt) What is the main advantage of using timestamps?
(b) (2pt) The following protocol is designed for mutual authentication and to establish a session key K. Here, T is a timestamp. Please provide an attack on this protocol.
2. (6pt) Consider the following protocol. Suppose the certificate is not a problem here; the correct certificate is delivered from Bob to Alice. The session key is K = h(S, RA, RB).
(a) (2pt) We discussed constant strings like CLNT and SRVR in the lecture. Why do we need them in typical authentication protocols?
(b) (2pt) Does Alice authenticate Bob? Explain your answer.
(c) (2pt) Does Bob authenticate Alice? Explain your answer.
3. (5pt) Smart contract security.
(a) (2pt) Please identify the vulnerability presented in the following smart contract snippet.
pragma solidity ^0.4.0;

contract bug {
    uint public supply = 0;
    mapping(address => uint256) public balances;
    mapping(address => mapping(address => uint256)) allowed;

    // Event declarations are not shown in the snippet; added here so it compiles.
    event Transfer(address indexed from, address indexed to, uint256 value);
    event Approval(address indexed owner, address indexed spender, uint256 value);

    // Constructor (pre-0.4.22 style: a function named after the contract)
    function bug(uint256 initSupply) public {
        balances[msg.sender] += initSupply;
        supply = initSupply;
        Transfer(0x0, msg.sender, initSupply);
    }

    function transfer(address to, uint tokens) public returns (bool success) {
        require(balances[msg.sender] - tokens >= 0);
        balances[msg.sender] -= tokens;
        balances[to] = balances[to] += tokens;
        Transfer(msg.sender, to, tokens);
        return true;
    }

    function approve(address spender, uint tokens) public returns (bool success) {
        require(balances[msg.sender] >= tokens);
        allowed[msg.sender][spender] = tokens;
        Approval(msg.sender, spender, tokens);
        return true;
    }

    // ...

    // Fallback function: Ether sent to the contract buys tokens
    function () public payable {
        uint purchasedTokens = msg.value;
        balances[msg.sender] += purchasedTokens;
        supply += purchasedTokens;
    }

    function withdrawEther(uint amount) public returns (bool success) {
        require(balances[msg.sender] >= amount);
        balances[msg.sender] -= amount;
        supply -= amount;
        if (!msg.sender.send(amount / 2)) {
            revert();
        }
        return true;
    }
}
(b) (3pt) Please elaborate on how the identified vulnerability can be exploited by attackers. How can this vulnerability be mitigated?
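To make the arithmetic in question 3 concrete, the following is an added Python model (not part of the homework or of any course solution) of the `transfer()` function's uint256 subtraction, placed beside a checked variant of the kind SafeMath provides; the ledger balances are constructed.

```python
"""Model of the uint256 arithmetic behind the `bug` contract's transfer().

Constructed example; not part of the homework or any course solution.
"""
MASK = (1 << 256) - 1  # uint256 wraps modulo 2**256, as in the EVM


class Revert(Exception):
    """Raised where the contract would hit require()/revert()."""


def uint256(x: int) -> int:
    return x & MASK


def require(cond: bool) -> None:
    if not cond:
        raise Revert()


def transfer_as_written(balances, sender, to, tokens):
    """Mirror of the page's transfer(): `balance - tokens` is evaluated as
    uint256, so it can never be negative and the require() never fails."""
    b = dict(balances)
    require(uint256(b.get(sender, 0) - tokens) >= 0)  # always true
    b[sender] = uint256(b.get(sender, 0) - tokens)    # wraps if tokens > balance
    b[to] = uint256(b.get(to, 0) + tokens)
    return b


def transfer_checked(balances, sender, to, tokens):
    """Hardened variant: compare before subtracting and guard the addition
    against wraparound (the checks SafeMath's sub()/add() perform)."""
    b = dict(balances)
    require(b.get(sender, 0) >= tokens)
    require(uint256(b.get(to, 0) + tokens) >= b.get(to, 0))
    b[sender] = b.get(sender, 0) - tokens
    b[to] = uint256(b.get(to, 0) + tokens)
    return b


def demo():
    """Constructed ledger: alice holds 10 tokens and tries to send 20."""
    ledger = {"alice": 10}
    wrapped = transfer_as_written(ledger, "alice", "bob", 20)
    try:
        transfer_checked(ledger, "alice", "bob", 20)
        reverted = False
    except Revert:
        reverted = True
    return wrapped["alice"], reverted
```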
4. (8pt) We introduced the “Proof-of-Work” scheme in the blockchain lecture.
(a) (2pt) What is proof-of-work (PoW)? Please briefly explain your answer. In a typical blockchain scenario, who is responsible for solving PoW?
(b) (3pt) The Ethereum blockchain is adopting a new scheme named “Proof-of-Stake” to replace the original scheme. Explain what “Proof-of-Stake” is in your own words. What is the advantage of PoS compared to PoW?
(c) (3pt) Another scheme, namely “Proof of Elapsed Time (PoET)”, has also generated some buzz. Explain what PoET is in your own words. What is the advantage of PoET compared to PoW?
5. (6pt) Smart contract attack and defense.
(a) (4pt) Consider the following contract, which acts as part of a typical raffle game, where users transfer a certain amount of Ether to the function process and also reserve a number as the function input.
contract Raffle {
    mapping(uint256 => address) reserved;

    function process(uint256 value) public {
        // check whether the corresponding entry has been initialized or not
        // If it equals zero, then it is not initialized
        if (reserved[value] == 0) {
            // can only enter once, when uninitialized (0)
            // msg.sender is the address of the user
            // value is the number reserved by the user
            reserved[value] = msg.sender;
        }
    }
}
Explain the potential “Transaction-Ordering-Dependence” bug of the above smart contract.
(b) (2pt) In class, we discussed the problem of using block.timestamp as the source of randomness for gambling contracts. To mitigate these problems, we propose the following contract as a random number generator and deploy it to a public network. What is the advantage or vulnerability of this random number generator? For this question, you can safely assume that the complexity of the variables seed and key and the implementation of keccak256 and abi.encodePacked are not the source of the vulnerability, and that the key has already been sanitized. The source code of this smart contract is not open-sourced to the public.
// Ownable (providing the onlyOwner modifier) is assumed to be available, e.g. OpenZeppelin's.
contract RandomGenerator is Ownable {
    bytes32 private seed = "I am a long string";

    function getrand(bytes32 key) public onlyOwner returns (bytes32) {
        seed ^= key;
        return keccak256(abi.encodePacked(key, seed, "y0u c4n n0t gu3ss"));
    }
}
6. (8pt) Machine Learning Security. Consider a neural network model G for an image classification task, trained on the training dataset $D_{\text{train}} = \{x_i, y_i\}_{i=0}^{n-1}$; the predicted result for $x_i$ is $\hat{y}_i = G(x_i)$.
(a) (3pt) Give the definitions of adversarial examples and poisoning attacks and describe the corresponding attacker's objective.
(b) (3pt) If we have access to the testing dataset $D_{\text{test}}$ and the trained model G, but have no access to the training dataset $D_{\text{train}}$, can we generate adversarial examples? Can we detect poisoning attacks? Explain your answer.
(c) (2pt) What would be the possible root cause of adversarial examples for machine learning models? How can we defend against adversarial examples? For this question, you may need to search the Internet; please use your own words to answer, briefly.
Submission Instructions
All submissions should be done through the Canvas system. You should submit a PDF document with your answers. It is important to name your files correctly. Please check out the late submission policies on the course website (https://course.cse.ust.hk/comp3632) in case you didn't attend the first lecture.