Quiz 1 Flashcards
What are bugs/vulnerabilities?
Malicious functionalities that extends primary intended design
What are exploits/attacks?
Inputs that leverage vulnerabilities to take control of the system or leak sensitive information
What is software security?
Risk management, it involves identifying vulnerabilities and patching vulnerable code
What are the three tasks involved in security management
Software auditing, security test, and patch develoment
What are the six main memory corruption vulnerabilities?
Buffer overflow
Integer overflow
Format String
Race Condition
Use-after-free
Double free
What are the three types of buffer overflows?
Stack overflow
Heap overflow
Type confusion
What is a buffer overflow?
When data is written outside of the space allocated to the buffer
What is the goal of Arbitrary Code Execution?
To take over a target machine
What are the targets of control flow hijacking?
Function pointer/return addresses
Exception handlers
Corrupting vtable
Longjmp buffers
What is a type confusion?
A type of vulnerability caused by exploiting logical errors that emerges from illegal down casts
How do truncation errors occur?
An integer is converted to a smaller integer type and the value of the original integer is outside the range of the smaller type
How does an arithmetic overflow occur?
The result of an integer operation does not fit within the allocated memory space
To avoid integer overflows when you need a size of a count what should you use?
size_t
To avoid integer overflows when you need a specific bit-width what should you use?
uint8_t for 8 bit, uint16_t for 16bit ect
To avoid integer overflows when you need an integer to hold a pointer what should you use?
intptr_t
What is Format String Vulnerability?
When the format of a string is used in such a way to execute code or crash a program
How are format string attacks performed?
The attacker walks up the stack until they find the desired pointer and then writes to arbitrary memory
What is a dangling pointer?
A pointer variable through which the freed memory is accessed
What are Use-After-Free vulnerabilities?
When data on the heap is freed, but a leftover reference/dangling pointer is used by the code as if the data were still valid
What are some causes of use after free errors?
Wrongly handled error conditions
Unaccounted for program states
Confusion over which part of the program is responsible for freeing memory
Why are Use-After-Free attacks so well liked?
Doesn’t require one to corrupt memory
Can be used for info leaks
Can be used to trigger memory corruption or get control of EIP
What does each chunk in the malloc() doubly linked list holds?
A free bit
A link to the next and previous chunk tags
What is a Double Free?
Freeing the same chunk of memory twice, without it being reallocated in between
What is the attacker goal in shellcode?
To execute arbitrary code
What are the steps in shellcoding?
Hijacking the control flow
Spawn a shell
Write the shellcode to the buffer
Hijack EIP to the shellcode
Use exec(“bin/sh/”) syscall
What command is used to spawn a shell?
execve
What are the steps in executing a system call?
1 Store syscall number in eax
2 Save arg 1 in ebx, arg 2 in ecx, arg 3 in edx
3 Execute int 0x80 or sysenter
4 Syscall runs and returns the result in eax
How do you get the address of memory-based parameters?
Push it to the stack and get addr from esp
Use position independent code
What is the use of a NOP sled?
To guess the approximate stack state when the target function is called
What is the idea behind Code Reuse Attacks?
Leverage existing code to perform the function the attacker wants
What are the two types of code reuse attacks?
Return-to-libc attacks
Return-oriented programming to reuse the gadgets of the victim
What are Return to Libc Attacks?
The attacks overwrites the control data (like the return addresses) by address of a library function so the function performs another libc function.
Why would attackers end their attacks with an exit() call?
To prevent a segmentation fault error to avoid detection
What is Return Oriented Programming?
Gaining control of the call stack to hijack the program’s control flow and execute various machine instruction sequences already present in the machine’s memory to perform what is needed for the attack
What are the reasons a return into library attack became more difficult?
The first argument to a function is passed into a register instead of on the stack, as a result an attacker could no longer set up a library call function by simply manipulating the call stack
What is the normal code execution flow?
The Instruction pointer determines which instruction to fetch and execute
The CPU automatically advances EIP to next instruction after executing the current one
Control flow intructions change the value of EIP
What is the Return Oriented Programming execution flow?
The stack pointer determines which instruction sequence to fetch and execute
What is the ROP thesis?
That with any sufficiently large program codebase and an attacker’s control of the stack can lead to arbitrary attacker computation and behvior
How does ROP attacks simulate the NOP instruction?
By using a return only gadget to advance the ESP
How does ROP attacks simulate constants?
By storing constants on the stack and popping them when needed
How does ROP attacks simulate the control flow?
By conditionally setting ESP to new values
