Lec 9: Software Security 2: Implementation Vulnerabilities 2: Heap, Integer, Format Strings Flashcards
What is the malicious code assumption of Return-oriented Programming?
Suppose you have a stack overflow but can only redirect control flow to existing code. What can you (the attacker) do?
You can still jump to any legitimate instruction
Suppose you have a stack overflow but can only redirect control flow to existing code? What if you jump into the middle of some code and that code ends witha RET instruction? Where does control flow go now? Who controls that value?
What is return-oriented programming?
What vulnerability in a RET instruction is used in ROP?
What does ROP do?
What is an example of an ROP attack?
Are heap overflows are reliable exploit?
How do simple heap overflows work?
What is PointerGuard?
A defense against heap overflows and return-to-libc attacks that allow adversary to currpy code pointers but prevent them from controling the contents
How does PointerGuard work?
In PointerGuard, when are pointers encrpyed and decrypted?
How do generic heap overflows work?
What is a typical heap overflow problem?
When can you do a heap overflow attack?
What has been done to prevent heap overflows from happening on Windows?
What causes integer vulnerabilities?
What is an example of an integer vulnerability?
C/C++ Integer review (type representation)
How many bits in a char, short, int, long long, and what are the ranges os signed vs unsigned?
What type of integer errors can occur?
What is an integer truncation error?
What are integer sign errors?
What is done to protect from integer errors?
How does SafeInt work?
What are format strings?
How are format strings implemented?
What does printf look like on the stack?
What is the key problem with format strings?
How can format strings be exploited?
How can you use format strings to read the stack?
How do you use format strings to view other parts of memory besides the stack?
Can format strings be overflowed? Why or why not?
How can you perform a writing format string exploit?
What can be done to prevent format string exploits?
What is a cannonicalization problem in security?
What is the Turkish-I problem and how do you properly handle it?
What is the problem with terminating a loop (*url++ != ‘/’)?
What is the vulnerability in terminating a loop with (*url++ != ‘/’) && (*url != 0);?
What is a bitfield?
What are the vulnerabilities with Bitfields?
How are arrays of objects allocated/deallocated?
What is the problem with using delete on an array of objects instead of delete[]?
What is wrong with this code?
What is the key issue that causes TOCTOU vulnerabilities?
What is an example of TOCTOU?
What is the problem with this?
What is suid and what does it do?
What is the vulnerability of this code? How would you attack it?
How realistic is a TOCTOU suid attack?
What do you do to protect against TOCTOU attacks?
What are prevention tips against suid attacks?
