Homework 4 COMP 3632

This assignment counts 10% of your final grade.

1. (4pt) As discussed in the lecture, timestamps can be used to replace nonces in designing
secure protocols.

(a) (2pt) What is the main advantage of using timestamps?

(b) (answer): In general, it can help make message communication more efficient
(fewer messages).
(c) (2pt) The following protocol is designed for mutual authentication and to establish
a session key K. Here, T is a timestamp. Please provide an attack to this protocol.

(d) (answer): 1. If Trudy acts within the clock skew, she can send {K}Bob to Bob
and Bob will respond with {K}T rudy so that Trudy can find K.
2. Trudy can be a MiM and forward the first message from Alice to Bob, but
change {K}B ob to say {KT }Bob where KT is a key of Trudy’s choosing. Then
Trudy shares a key with Bob.

2. (6pt) Considering the following protocol. Suppose Certificate is not a problem here; the
correct certificate is delivered from Bob to Alice. The session key is K = h(S, RA , RB ).

(a) (2pt) We discuss constant string like CLNT and SRVR in the lecture. Why do we
need them in typical authentication protocols?

1
 Homework 4 COMP 3632

(b) (answer): To mark the identity of client/server. This way, we avoid a “client” to
reuse msg from “server” and to pretend himself as “server”. The vice versa.
(c) (2pt) Does Alice authenticate Bob? Explain your answer.
(d) (answer): Yes. The value S is needed in order to determine K, which is used
in the final message, and Alice can verify that K was used in the final message.
Only Bob knows his private key, so only Bob could determine S from SBob .
(e) (2pt) Does Bob authenticate Alice? Explain your answer.
(f) (answer): No. Only public key operations are required.

3. (5pt) Smart contract security.

(a) (2pt) Please identify the vulnerability presented in the following smart contract
snippet.
pragma solidity ˆ0.4.0;
contract bug {
uint public supply = 0;

mapping(address => uint256) public balances ;

mapping(address => mapping (address => uint256 )) allowed ;

function bug(uint256 initSupply ) public{

balances [msg. sender ] += initSupply ;
supply = initSupply ;
Transfer(0x0, msg. sender , initSupply ) ;
}

function transfer (address to , uint tokens) public returns (bool success){

require (balances [msg. sender ] − tokens >= 0);
balances [msg. sender ] −= tokens ;
balances [ to ] = balances [ to ] += tokens ;
Transfer(msg. sender , to , tokens ) ;
return true;
}

function approve(address spender , uint tokens) public returns (bool success ) {

require (balances [msg. sender ] >= tokens ) ;
allowed [msg. sender ] [ spender ] = tokens ;
Approval(msg. sender , spender , tokens ) ;
return true;
}
...
function () public payable{

2
 Homework 4 COMP 3632

uint purchasedTokens = msg. value ;

balances [msg. sender ] += purchasedTokens ;
supply += purchasedTokens ;
}
function withdrawEther( uint amount) public returns (bool success){
require (balances [msg. sender ] >= amount) ;
balances [msg. sender ] −= amount;
supply −= amount;
i f ( !msg. sender . send( amount / 2)){
revert ( ) ;
}
return true;
}
}

(b) (answer): Integer underflow

(c) (3pt) Please elaborate on how the identified vulnerability can be exploited by
attackers. How to mitigate this vulnerability?
(d) (answer): There is an integer underflow that appears in the transfer function.
Attacker can exploit the vulnerability by supplying variable tokens with values
that can cause underflow inside the transfer function. By exploiting the issue, the
attacker can withdraw excessive amount of tokens from the contract Mitigation:
Use SafeMath, update the compiler, etc. (Reasonable answers can get full mark)

4. (8pt) We introduce “Proof-of-Work” scheme in the blockchain lecture.

(a) (2pt) What is proof-of-work (PoW)? Please briefly explain your answer. In typical
blockchain scenario, who is responsible to solve PoW?
(b) (answer): PoW uses crypto hash to measure the computations an entity has
taken. Miners do PoW.
(c) (3pt) Ethereum blockchain is adopting a new scheme named “Proof-of-Stake” to
substitute the original scheme. Explain what is “Proof-of-Stake” in your own
language. What is the advantage of PoS comparing to PoW?
(d) (answer): The proof of stake (PoS) attributes mining power to the proportion
of coins held by a miner. A PoS miner is limited to mining a percentage of
transactions that is reflective of his or her ownership stake. Someone holding 1%
of the Bitcoin can mine 1% of the “Proof of Stake blocks”.
(e) (3pt) Another scheme, namely “Proof of Elapsed Time (PoET)”, has also gen-
erated some buzz. Explain what is PoET in your own language. What is the
advantage of PoET comparing to PoW?

3
 Homework 4 COMP 3632

(f) (answer):
In PoET, a separate random timer that operates independently at every node
determines whether or not that node creates the new block of the blockchain and
gets the reward.
Compare to PoW, PoET requires less energy, and it often relies on trusted hard-
ware (Intel SGX, for example) to ensure the random time is not manipulatable

5. (6pt) Smart contract attack and defense.

(a) (4pt) Consider the following contract, which acts as part of a typical Raffle game,
where users transfer certain amount of Ether to function process and also reserve
a number as the function input.
contract Raffle {
mapping ( u i n t 2 5 6 => a d d r e s s ) r e s e r v e d ;

function process ( uint256 value ) public {

// check whether c o r r e s p o n d i n g e n t r y has been i n i t i a l i z e d o r not
// I f i t e q u a l s t o z e r o , then i t i s not i n i t i a l i z e d
i f ( r e s e r v e d [ v a l u e ] == 0 ) {
// can o n l y e n t e r once when u n i n i t i a l i z e d ( 0 )
// msg . s e n d e r i s t he a d d r e s s o f th e u s e r
// v a l u e i s t h e r e s e r v e d number by th e u s e r
r e s e r v e d [ v a l u e ] = msg . s e n d e r ;
}
}
}
Explain the potential “Transaction-Ordering-Dependence” bug of the above smart
contract.
(b) (answer): Suppose a user (i.e., the “victim”) aims to reserve a number 23, then
anyone can see the scheduled transaction in the pending pool before it is com-
mitted. An attacker can schedule a transaction reserving the same number, and
by raising the miner reward higher to the value of the victim’s transaction, the
malicious transaction will be executed first, initializing the corresponding entry in
reserved. Hence, the victim’s reverse will fail, leading to the loss of transaction
fee and the paid Ether.
(c) (2pt) In the class, we have discussed the problem of using block.timestamp as the
source of the randomness for gambling contracts. To mitigate the problems, here
we proposed the following contract as the random number generator and deployed
to public network. What is the advantage or vulnerability of this random number
generator? For this question, you can safely assume the complexity for variable

4
 Homework 4 COMP 3632

seed , key, implementation of the keccak256 and abi.encodePacked wouldn’t

be the source of vulnerability and the key has already been sanitized. The source
code of this smart contract is not open-sourced to public.
c o n t r a c t RandomGenerator i s Ownable {
b y t e s 3 2 private s e e d = ” I a m a l o n g s t r i n g ” ;
f u n c t i o n g e t r a n d ( b y t e s 3 2 key ) public onlyOwner r e t u r n s ( b y t e s 3 2 ) {
s e e d ˆ= key ;
return k e c c a k 2 5 6 ( a b i . encodePacked ( key , seed , ” y 0 u c 4 n n 0 t g u 3 s s ” ) ) ;
}
}
(d) (answer): The seed can be recovered through reverse-engineering the evm byte
code on public network. Hence, the random number generated was predictable.
(Partial points will be given for performing black-box testing in order to guess the
seed)
6. (8pt) Machine Learning Security. Consider a neural network model G for image clas-
sification task is trained on the training dataset Dtrain = {xi , yi }n−1
i=0 , the predict result
for xi is ŷi = G(xi ).
(a) (3pt) Give the definition of adversarial examples and poisoning attacks and de-
scribe the corresponding attacker’s objective.
(b) (answer): The objective of adversarial examples is maxP δ G(xi + δ)[τ ]P− α ∗ ||δ||2 ,
where τ ̸= yi . The objective of poisoning attack is maxG i G(xi )[yi ]+ k G(xtrigger
k )[targetk ],
where {xtrigger
k , targetk
} is the poisoned dataset. (Definition 2 points each, objec-
tive 2 points each.)
(c) (3pt) If we have access to the testing dataset Dtest and the trained model G,
but have no access to the training dataset Dtrain , can we generate adversarial
examples? Can we detect poisoning attacks? Explain your answer.
(d) (answer): We can generate AEs by the test set and the model, reasonable ex-
planation would be ok. (1.5 points) It’s hard to detect poisoning attacks because
the backdoor is injected in the training phase, even though we have access to
the model G, it’s still hard considering the search space would be quite large,
reasonable explanation would be ok. (1.5 points)
(e) (2pt) What would be the possible root cause of adversarial examples for machine
learning models? How can we defeat against adversarial examples? For this
question, you may need to search the Internet; please use your own language to
answer, briefly.
(f) (answer): Cause: the decision boundary is ill-learned (1.0 points; reasonable
answer give full marks)
Defense: adversarial training, data augmentation, ensemble learning or any pos-
sible solution (1 points)

5
 Homework 4 COMP 3632

Submission Instructions
All submissions should be done through the Canvas system. You should submit a pdf doc-
ument with your answers. It is important to name your files correctly. Please check out the
late submission policies on the course website (https://course.cse.ust.hk/comp3632) in
case you didn’t attend the first lecture.