M6: Software security - exploits and privilege escalation - C6 Flashcards
What is a race condition in the context of file systems?
M6: Software security - exploits and privilege escalation - C6
It’s when a file’s state changes between the time it’s checked and the time it’s used, potentially leading to security issues.
What is a TOCTOU race?
Time-of-check to time-of-use race, where changes between checking a condition and using it can be exploited.
How can race conditions be mitigated?
By using atomic operations or ensuring the condition and action are inseparable.
What is an integer overflow?
When a calculation exceeds the maximum value a data type can hold, causing it to wrap around.
What is an integer underflow?
When a calculation goes below the minimum value a data type can hold, causing it to wrap around.
Why are integer-based vulnerabilities common in C?
Because C allows operations between different data types and has weak type safety.
What is a buffer overflow?
When more data is written to a buffer than it can hold, overwriting adjacent memory.
What is a stack-based buffer overflow?
An overflow that occurs in the stack memory, often used for function calls and local variables.
How can buffer overflows be exploited?
By overwriting memory to execute malicious code or crash the system.
What is heap spraying?
A technique where an attacker fills the heap with malicious code to increase the chances of successful exploitation.
What is a return-to-libc exploit?
An attack that redirects execution to existing library functions instead of injecting new code.
What is privilege escalation?
Gaining higher access rights than initially granted, often from a regular user to an administrator.
How do attackers use TOCTOU races for privilege escalation?
By changing file bindings between checks and actions to gain unauthorized access.
What is the role of the stack pointer (SP) in function calls?
It tracks the top of the stack, adjusting as functions push and pop data.
What is the frame pointer (FP) used for?
It helps manage stack frames, pointing to the base of the current function’s stack frame.
What is a setuid program?
A Unix program that runs with the privileges of the file’s owner, not the user who runs it.
Why is using the access() syscall for permission checks discouraged?
Because it can be exploited in TOCTOU races, leading to unauthorized actions.
What is a symbolic link (symlink)?
A file that points to another file or directory, used for shortcuts and references.
What is a hard link?
A directory entry that points to the same inode as another file, effectively creating multiple names for the same file.
How can directory permissions affect file security?
Improper permissions can allow unauthorized users to modify or replace files.
What is the difference between signed and unsigned integers?
Signed integers can represent negative values, while unsigned integers can only represent non-negative values.
What is sign extension?
Extending the sign bit of a smaller integer to a larger integer to preserve its value.
What is zero extension?
Extending a smaller unsigned integer to a larger integer by adding zeros to the higher-order bits.
What is pointer arithmetic in C?
Operations that involve adding or subtracting values from pointers, often used for array indexing.
How can integer bugs lead to security vulnerabilities?
They can cause unexpected behavior, such as buffer overflows or incorrect memory access.
What is the carry flag (CF) used for?
It indicates an overflow in unsigned arithmetic operations.
What is the overflow flag (OF) used for?
It indicates an overflow in signed arithmetic operations.
How can developers mitigate integer bugs?
By using safe integer libraries, compiler checks, and careful coding practices.
What is the purpose of the malloc() function in C?
To dynamically allocate memory at runtime.
How can attackers exploit malloc() with integer overflows?
By causing it to allocate incorrect memory sizes, leading to buffer overflows or memory corruption.