Quiz 1

Question 1

What are bugs/vulnerabilities?

Answer 1

Malicious functionalities that extends primary intended design

Question 2

What are exploits/attacks?

Answer 2

Inputs that leverage vulnerabilities to take control of the system or leak sensitive information

Question 3

What is software security?

Answer 3

Risk management, it involves identifying vulnerabilities and patching vulnerable code

Question 4

What are the three tasks involved in security management

Answer 4

Software auditing, security test, and patch develoment

Question 5

What are the six main memory corruption vulnerabilities?

Answer 5

Buffer overflow
Integer overflow
Format String
Race Condition
Use-after-free
Double free

Question 6

What are the three types of buffer overflows?

Answer 6

Stack overflow
Heap overflow
Type confusion

Question 7

What is a buffer overflow?

Answer 7

When data is written outside of the space allocated to the buffer

Question 8

What is the goal of Arbitrary Code Execution?

Answer 8

To take over a target machine

Question 9

What are the targets of control flow hijacking?

Answer 9

Function pointer/return addresses
Exception handlers
Corrupting vtable
Longjmp buffers

Question 10

What is a type confusion?

Answer 10

A type of vulnerability caused by exploiting logical errors that emerges from illegal down casts

Question 11

How do truncation errors occur?

Answer 11

An integer is converted to a smaller integer type and the value of the original integer is outside the range of the smaller type

Question 12

How does an arithmetic overflow occur?

Answer 12

The result of an integer operation does not fit within the allocated memory space

Question 13

To avoid integer overflows when you need a size of a count what should you use?

Answer 13

size_t

Question 14

To avoid integer overflows when you need a specific bit-width what should you use?

Answer 14

uint8_t for 8 bit, uint16_t for 16bit ect

Question 15

To avoid integer overflows when you need an integer to hold a pointer what should you use?

Answer 15

intptr_t

Question 16

What is Format String Vulnerability?

Answer 16

When the format of a string is used in such a way to execute code or crash a program

Question 17

How are format string attacks performed?

Answer 17

The attacker walks up the stack until they find the desired pointer and then writes to arbitrary memory

Question 18

What is a dangling pointer?

Answer 18

A pointer variable through which the freed memory is accessed

Question 19

What are Use-After-Free vulnerabilities?

Answer 19

When data on the heap is freed, but a leftover reference/dangling pointer is used by the code as if the data were still valid

Question 20

What are some causes of use after free errors?

Answer 20

Wrongly handled error conditions
Unaccounted for program states
Confusion over which part of the program is responsible for freeing memory

Question 21

Why are Use-After-Free attacks so well liked?

Answer 21

Doesn’t require one to corrupt memory
Can be used for info leaks
Can be used to trigger memory corruption or get control of EIP

Question 22

What does each chunk in the malloc() doubly linked list holds?

Answer 22

A free bit
A link to the next and previous chunk tags

Question 23

What is a Double Free?

Answer 23

Freeing the same chunk of memory twice, without it being reallocated in between

Question 23

What is the attacker goal in shellcode?

Answer 23

To execute arbitrary code

Question 24

What are the steps in shellcoding?

Answer 24

Hijacking the control flow
Spawn a shell
Write the shellcode to the buffer
Hijack EIP to the shellcode
Use exec(“bin/sh/”) syscall

Question 24

What command is used to spawn a shell?

Answer 24

execve

Question 24

What are the steps in executing a system call?

Answer 24

1 Store syscall number in eax
2 Save arg 1 in ebx, arg 2 in ecx, arg 3 in edx
3 Execute int 0x80 or sysenter
4 Syscall runs and returns the result in eax

Question 25

How do you get the address of memory-based parameters?

Answer 25

Push it to the stack and get addr from esp
Use position independent code

Question 26

What is the use of a NOP sled?

Answer 26

To guess the approximate stack state when the target function is called

Question 27

What is the idea behind Code Reuse Attacks?

Answer 27

Leverage existing code to perform the function the attacker wants

Question 28

What are the two types of code reuse attacks?

Answer 28

Return-to-libc attacks
Return-oriented programming to reuse the gadgets of the victim

Question 29

What are Return to Libc Attacks?

Answer 29

The attacks overwrites the control data (like the return addresses) by address of a library function so the function performs another libc function.

Question 30

Why would attackers end their attacks with an exit() call?

Answer 30

To prevent a segmentation fault error to avoid detection

Question 31

What is Return Oriented Programming?

Answer 31

Gaining control of the call stack to hijack the program’s control flow and execute various machine instruction sequences already present in the machine’s memory to perform what is needed for the attack

Question 32

What are the reasons a return into library attack became more difficult?

Answer 32

The first argument to a function is passed into a register instead of on the stack, as a result an attacker could no longer set up a library call function by simply manipulating the call stack

Question 33

What is the normal code execution flow?

Answer 33

The Instruction pointer determines which instruction to fetch and execute
The CPU automatically advances EIP to next instruction after executing the current one
Control flow intructions change the value of EIP

Question 34

What is the Return Oriented Programming execution flow?

Answer 34

The stack pointer determines which instruction sequence to fetch and execute

Question 35

What is the ROP thesis?

Answer 35

That with any sufficiently large program codebase and an attacker’s control of the stack can lead to arbitrary attacker computation and behvior

Question 36

How does ROP attacks simulate the NOP instruction?

Answer 36

By using a return only gadget to advance the ESP

Question 37

How does ROP attacks simulate constants?

Answer 37

By storing constants on the stack and popping them when needed

Question 38

How does ROP attacks simulate the control flow?

Answer 38

By conditionally setting ESP to new values