M6: Software security - exploits and privilege escalation - C6 Flashcards
What is a race condition in the context of file systems?
It’s when a file’s state changes between the time it’s checked and the time it’s used, potentially leading to security issues.
What is a TOCTOU race?
Time-of-check to time-of-use race, where changes between checking a condition and using it can be exploited.
How can race conditions be mitigated?
By using atomic operations or ensuring the condition and action are inseparable.
What is an integer overflow?
When a calculation exceeds the maximum value a data type can hold, causing it to wrap around.
What is an integer underflow?
When a calculation goes below the minimum value a data type can hold, causing it to wrap around.
Why are integer-based vulnerabilities common in C?
Because C implicitly converts between integer types of different sizes and signedness and has weak type safety.
What is a buffer overflow?
When more data is written to a buffer than it can hold, overwriting adjacent memory.
What is a stack-based buffer overflow?
An overflow of a buffer located in stack memory, the region that holds function call frames (return addresses, saved registers) and local variables.
How can buffer overflows be exploited?
By overwriting memory to execute malicious code or crash the system.
What is heap spraying?
A technique where an attacker fills the heap with malicious code to increase the chances of successful exploitation.
What is a return-to-libc exploit?
An attack that redirects execution to existing library functions instead of injecting new code.
What is privilege escalation?
Gaining higher access rights than initially granted, often from a regular user to an administrator.
How do attackers use TOCTOU races for privilege escalation?
By changing what a file name refers to (for example, by swapping in a symbolic link) between the program’s check and its subsequent action, so a privileged program operates on a file it did not check.
What is the role of the stack pointer (SP) in function calls?
It tracks the top of the stack, adjusting as functions push and pop data.
What is the frame pointer (FP) used for?
It helps manage stack frames, pointing to the base of the current function’s stack frame.
What is a setuid program?
A Unix program that runs with the privileges of the file’s owner, not the user who runs it.
Why is using the access() syscall for permission checks discouraged?
Because the check and the later use of the file are separate operations, so the file binding can be changed in between (a TOCTOU race), leading to unauthorized actions.
What is a symbolic link (symlink)?
A file that points to another file or directory, used for shortcuts and references.
What is a hard link?
A directory entry that points to the same inode as another file, effectively creating multiple names for the same file.
How can directory permissions affect file security?
Improper permissions can allow unauthorized users to modify or replace files.
What is the difference between signed and unsigned integers?
Signed integers can represent negative values, while unsigned integers can only represent non-negative values.
What is sign extension?
Converting a smaller signed integer to a larger type by copying its sign bit into the new high-order bits, so its value is preserved.
What is zero extension?
Extending a smaller unsigned integer to a larger integer by adding zeros to the higher-order bits.
What is pointer arithmetic in C?
Operations that involve adding or subtracting values from pointers, often used for array indexing.
How can integer bugs lead to security vulnerabilities?
They can cause unexpected behavior, such as buffer overflows or incorrect memory access.
What is the carry flag (CF) used for?
It indicates an overflow in unsigned arithmetic operations.
What is the overflow flag (OF) used for?
It indicates an overflow in signed arithmetic operations.
How can developers mitigate integer bugs?
By using safe integer libraries, compiler checks, and careful coding practices.
What is the purpose of the malloc() function in C?
To dynamically allocate memory at runtime.
How can attackers exploit malloc() with integer overflows?
By making the size calculation wrap around, so malloc() allocates a buffer smaller than intended and later writes overflow it, leading to memory corruption.