P1L2: Software Security

Question 1

What are stack buffer overflows?

Answer 1

Inserting extra instructions into a command to force an overlfow that inserts calls to malware.

Question 2

The stack buffer is used for

Answer 2

Local variables
Parameters passed to the function
Control information (ie return address)

Question 3

what is shellcode?

Answer 3

The code the attacker whats to launch

Question 4

What does shellcode do?

Answer 4

1. Creates a shell from machine code.

2. Must have a return address that is a legitimate return address.

Question 5

What privileges does shellcode allow?

Answer 5

The same privileges that the host program exploited by the shellcode has.
The system service or OS root privileges

Question 6

What variations of buffer overflow exist?

Answer 6

Return-to-libc: return address is overwritten to point to a funciton in a library.

Heap Overflows: Long lived data get stored on the heap (alloc/malloc/globals)

OpenSSL Heartbleed: Attacker reads sensitive data

Question 7

What is Return-to-libc?

Answer 7

return address is overwritten to point to a funciton in a library.

Question 8

Heap Overflows

Answer 8

Long lived data get stored on the heap (alloc/malloc/globals)

Question 9

OpenSSL Heartbleed

Answer 9

Attacker reads sensitive data

Question 10

Example of safe language

Answer 10

Java

Question 11

Example of an unsafe language

Answer 11

C

Question 12

What is the defense if unsafe languages must be used?

Answer 12

Check all input
Use safer functions that do bounds checking
Use automatic tools to analyze code for unsafe functions.

Question 13

What are ways to thwart Buffer Overflow Attacks?

Answer 13

Stack canaries: Values written into the stack frame just before the return address

Address Space Layout Randomization(ASLR): Randomized the stack, heap, etc.

Non-executable Stack: Used with ASLR. Requires hardware support

Question 14

To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attackers control. T/F

Answer 14

True

Question 15

At the basic machine level, all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor?s registers or in memory. T/F

Answer 15

True

Question 16

A stack overflow can result in some form of a denial-of-service attack on a system. T/F

Answer 16

True

Question 17

An attacker is more interested in transferring control to a location and code of the attacker’s choosing rather than immediately crashing the program. T/F

Answer 17

True

Question 18

The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer, where at least some of the data is read from outside the program. T/F

Answer 18

True

Question 19

Shell code is not specific to a particular processor architecture. T/F

Answer 19

False

Question 20

There are several generic restrictions on the content of shell-code T/F

Answer 20

False

Question 21

An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined. T/F

Answer 21

True

Question 22

It is possible to write a compiler tool to check a program and identify all possible buffer overflow bugs. T/F

Answer 22

False

Question 23

It is possible to develop a run-time monitoring tool to detect the effects of all possible buffer overflow attacks. T/F

Answer 23

False

Question 24

A consequence of a buffer overflow error is _____.

Answer 24

1. corruption of data used by the program.
2. unexpected transfer of control in the program.
3. possible memory access violation.

Question 25

The function of _____ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.

Answer 25

Shellcode

Question 26

_____ is a form of overflow attack.

Answer 26

1. Heap overflows
2. Return to system call
3. Replacement stack frame

Question 27

Data is simply an array of

Answer 27

bytes

Question 28

Shellcode has to be ______, which means it cannot contain any absolute address referring to itself.

Answer 28

position dependent

Question 29

______is one of the best known mechanisms that is a GCC compiler extension that inserts additional function entry and exit code.

Answer 29

Stackguard

Question 30

The ____is typically located above the program code and global data and grows up in memory (while the stack grows down towards it).

Answer 30

Heap

Question 31

A _____ value is named after the miner’s bird used to detect poisonous air in a mine and warn miners in time for them to escape.

Answer 31

Canary

Question 32

OpenSSL Heartbleed Vulnerability

Answer 32

read much more of the buffer than just the data, which may include sensitive data.

Question 33

NOP Sled

Answer 33

A bunch of NOPs that helps the attacker make the program run his shellcode

Question 34

What does a Stackguard do at compile time?

Answer 34

writes the canary

Question 35

Guard pages

Answer 35

A range of addresses that are flagged as illegal addresses in case an attacker tries to overflow to them

Question 36

Replacement Stack Frame attack

Answer 36

Overwrites buffer and saved frame pointer address. The saved frame pointer points to a dummy stack frame whose return address is the start of the shellcode in the buffer.