compiler techniques

Question 1

Vulnerability:

Answer 1

A weakness which allows an attacker to reduce a system’s information
assurance.

Question 2

Exploit:

Answer 2

A technique that takes advantage of a vulnerability, and used by the attacker
to attack a system

Question 3

Payload:

Answer 3

A custom code that the attacker wants the system to execute

Question 4

are there increased vulnerabilities per year

Answer 4

yes

Question 5

what is the significance of Vulnerabilities

Answer 5

Taking longer time to remediate

Huge financial and business cost

Question 6

what are memory safety violations

Answer 6

buffer overflows and over reads

dangling pointers

Question 7

what are input validation errors

Answer 7

format string attacks
SQL injection
code injection
cross site scripting in web apps

Question 8

what are race conditions

Answer 8

time-to-check-to-time-of-use bugs

Symlink races

Question 9

what are privilege confusion bugs

Answer 9

cross site request foregery in web apps
clickjacking
ftp bounce attack

Question 10

what is privilege escalation

Answer 10

privilege escalation

Question 11

what is a side channel attack

Answer 11

timing attack

Question 12

adware

Answer 12

Display unwanted

advertisement

Question 13

Ransomware

Answer 13

Block user’s data

until a ransom is paid.

Question 14

Spyware

Answer 14

gather information
about the user and
send it to attacker

Question 15

Crimeware

Answer 15

designed
specifically to
automate
cybercrime

Question 16

Worms

Answer 16

Propagate to different
computers without
user intervention

Question 17

Viruses

Answer 17

Propagate to different
computers. Needs to
be triggered by a user

Question 18

Trojans

Answer 18

Pretend to do
something useful,
but mask malicious
behaviors

Question 19

Rootkits

Answer 19

Obtains root
privileges to
compromise
the computer

Question 20

Backdoor

Answer 20

Allow a remote
party to gain access
to the computer

Question 21

Why is C good

Answer 21

One of the most common language
 Used in many implementations of operating systems, compilers and system
libraries
 More efficient compared to other high-level languages, like Java and C#.

Question 22

Why is C baed

Answer 22

A major source of software bugs:
 Mainly due to more flexible handling of pointers/references.
 Lack of strong typing;
 Manual memory management. Easier for programmers to make mistakes.

Question 23

char

Answer 23

(8-bit): characters

Question 24

int

Answer 24

(16-bit or 32-bit): signed integers.
 For 32-bit int, value range is −2^31 − 1, 2^31 (one bit reserved for
representing ‘sign’).

Question 25

long

Answer 25

(32-bit or 64-bit): signed integers.

 For 64-bit long, value range is −2^63 − 1, 2^63

Question 26

float

Answer 26

(32-bit): single precision floating points

Question 27

double

Answer 27

(64-bit): double precision floating points

Question 28

pointer

Answer 28

Contain memory addresses.
 Syntax: add “*” to the type name.
 E.g., int* denotes a type which is a pointer to a memory location containing data
of type int.
 int* x is the same as int *x

Question 29

&

Answer 29

Get the memory location of a variable

Question 30

Array

Answer 30

The name of the array is a pointer

 For a n-element array, index starts at 0 and ends at 𝑛-1

Question 31

String

Answer 31

An array of char’s
 A string must end with a NULL (or `\0’). So an array of char with length 𝑛
can hold only strings of length 𝑛−1. (The last character in the array is
reserved for NULL.)

Question 32

char* strcpy (char* dest, char* src)

Answer 32

Copy string src to dest
 No checks on whether either or both arguments are NULL.
 No checks on the length of the destination string.

Question 33

int strlen (char* str)

Answer 33

Return the length of the string st

Question 34

char* strcat (char* dest, char* src)

Answer 34

Append the string src to the end of the string dest.

Question 35

malloc

Answer 35

Allocates a block of memory
 Takes one argument specifying the size (in bytes) of the memory block to
be allocated.
 If successful, pointer to the memory block is returned; otherwise, the
NULL value is returned

Question 36

Memory layout (for many languages)

Answer 36

code area
static data
stack
heap

Question 37

Code area

Answer 37

: fixed size and read only

Question 38

Static data

Answer 38

: statically allocated data

 variables/constants

Question 39

Stack:

Answer 39

parameters and local variables of methods
as they are invoked
 Each invocation of a method creates one
frame (activation record) which is pushed
onto the stack

Question 40

 Heap

Answer 40

: dynamically allocated data
 class instances/data array
 Stack and heap grow towards each other

Question 41

Stack in depth

Answer 41

Store local variables (including method parameters) and
intermediate computation results
A stack is subdivided into multiple frames:
 A method is invoked: a new frame is pushed onto the stack to store
local variables and intermediate results for this method;
 A method exits: its frame is popped off, exposing the frame of its caller
beneath it

Question 42

Inside a frame for one function

Answer 42

Two pointers:
 BP: base pointer. Fixed at the frame base
 SP: stack pointer. Current pointer in frame
A frame consists of the following parts:
 Function parameters
 Return address of the caller function
 When the function is finished, execution
continues at this return address
 Stack pointer of the caller function
 Local variables
 Intermediate operands
 dynamically grows and shrinks

Question 43

what is buffer overflow

Answer 43

More input are placed into a buffer than the capacity allocated, overwriting
other information

Question 44

what If the buffer is on stack, heap, global data, overwriting adjacent memory
locations:

Answer 44

 corruption of program data
 unexpected transfer of control
 memory access violation
 execution of code chosen by attacker

Question 45

name the common buffer overflow attack mechanisms

Answer 45

1988 Morris Worm
 2001 Code Red
 2003 Slammer
 2004 Sasser

Question 46

what is the problem with strcpy

Answer 46

does not check boundaries

Question 47

what is stack smashing

Answer 47

(1) Inject the malicious code into the memory of the target program
 (2) Find a buffer on the runtime stack of the program, and overwrite the return
address with the malicious address.
 (3) When the function is completed, it jumps to the malicious address and runs the
malicious code.

Question 48

How to set the malicious return address?

Answer 48

Need the absolute address of malicious code, which is sometimes infeasible.
 Guess the return address.
 Incorrect address can cause system crash
 Unmapped address, protected kernel code, data segmentation

Improve the guess chance
 Insert many NOP instructions before the malicious code
 NOP: does nothing but advancing to the next instruction

Question 49

Injecting ShellCode

Answer 49

The worst thing the attacker can do
 Run any command he wants
 Run a shellcode: a program whose only goal is to launch a shell
 Convert shellcode from C to assembly code, and then store binary to a buffer

Question 50

Morris Worm

Answer 50

History
 Released on 2 November 1988 by Robert Tappan Morris, a graduate
student at Cornell University
 Launched from the computer system of MIT, trying to confuse the
public that this is written by MIT students, not Cornell.
 Buffer overflow in sendmail, fingerd network protocol, rsh/rexec, etc.
Impact
 ~6,000 UNIX machines infected (10% of computers in Internet)
 Cost: $100,000 - $10,000,000
Morris’ life
 Tried and convicted of violation of Computer Fraud and Abuse Act.
 Sentenced to three years’ probation, 400 hours of community service,
and a fine of $13,326
 Had to quit PhD at Cornell. Completed PhD in 1999 at Harvard.
 Became a tenured professor at MIT in 2006. Elected to the National
Academy of Engineering in 2019

Question 51

Following Morris Worm

Answer 51

Code Red (2001)
 Targeting Microsoft’s IIS web server. Affected 359,000 machines in 14 hours
SQL Slammer (2003)
 Targeting Microsoft’s SQL Server and Desktop Engine database. Affected 75,000 victims in 10 minutes
Sasser (2005)
 Targeting LSASS in Windows XP and 2000. Affected around 500,000 machines
 Author: 18-year-old German Sven Jaschan. Received 21-month suspended sentence
Conficker (2008)
 Targeting Windows RPC. Affected around 10 million machines
Stuxnet (2010)
 Targeting industrial control systems, and responsible for causing substantial damage to the nuclear
program of Iran
Flame (2012)
 Targeting cyber espionage in Middle Eastern countries