Quiz 2

Question 1

What is Concurrency?

Answer 1

The execution of multiple flows of operation.

Question 2

What could occur if concurrency is not controlled?

Answer 2

Non-deterministic behavior could occur

Question 3

What are Race Conditions?

Answer 3

Software defects/vulnerabilities resulting from unanticipated execution ordering of concurrent flows

Question 4

What are the three properties of race conditions?

Answer 4

It must be concurrent, it must have a shared object and one of the controls must alter the state of the object

Question 5

What is a Race Window?

Answer 5

A segment of code that access the race object in a way that opens a window of opportunity for a race condition (aka critical section)

Question 6

What are some ways to avoid race conditions?

Answer 6

Ensure race windows do not overlap
Make them mutually exclusive
Use certain language facilities

Question 7

What are Semaphores?

Answer 7

Data structures that provides mutual exclusion to critical sections

Question 8

What are the two operations in semaphores?

Answer 8

Wait(semaphore) decrement and block line of execution until open
Signal(semaphore) increment and allow another thread to enter

Question 9

What occurs when wait() is called by a thread?

Answer 9

If a semaphore is open, the thread continues, else it blocks on a queue

Question 10

What occurs when a semaphore is opened by a signal()?

Answer 10

If the thread is waiting on a queue the thread is unblocked
Else the signal is remembered for the next thread

Question 11

What is a deadlock?

Answer 11

A group of threads wait forever because each of them is waiting for resources that are held by another thread in the group

Question 12

What are the two sources of race conditions?

Answer 12

“Trusted” control flows (highly coupled threads of execution)
“Untrusted” control flows (Separate application of process)

Question 13

What are ToC/ToU (Time of check time of use) race conditions?

Answer 13

A race condition where the race object is first checked then used.

Question 14

How does a ToC/ToU attack work?

Answer 14

The attacker uses the gap between the checking of the object and the use of the object to alter the object to be used to cause the attack

Question 15

What are some common scenarios for double-fetch bugs to occur?

Answer 15

Dependency lookups
Protocol/signature checking
Information guessing

Question 16

What is a data race?

Answer 16

A type of race condition that occurs at the level of atomic memory accesses

Question 17

Data races are the root cause of what?

Answer 17

Synchronization bugs

Question 18

What are some ways to mitigate race conditions?

Answer 18

Eliminating the race object
Checking file properties securely
Mutual exclusion
Thread safe function
Using atomic operations
Controlling access to the race object

Question 19

Race condition detection is what complete?

Answer 19

NP complete meaning that we can only approximate detection of race conditions

Question 20

What are some of the reasons for race condition detection being NP complete

Answer 20

Random time variants
Various different execution paths that could be taken
The time it takes to execute the analzation

Question 21

What is the idea behind heap spraying?

Answer 21

Since browsers place the shellcode on the heap at an unknown location the idea is to “spray the heap” with a bunch of shellcodes there by making that its very likely that it will be chosen at random

Question 22

Heap spray can assist with what?

Answer 22

Bypassing the ASLR

Question 23

What are some defenses against heap spraying?

Answer 23

Protect heap function pointers
Have better browser architectures
Have heap overflow protection to prevent cross page overflows

Question 24

What is Heap feng shui?

Answer 24

Reliable heap exploits on Internet explorer without spraying

Question 25

What is vulnerable buffer placement?

Answer 25

Placing vulnerable buffers next to objects to cause an overflow to the object

Question 26

What is javascript heap spraying?

Answer 26

Pointing the function pointer almost anywhere in the heap to cause the shellcode to execute

Question 27

What is the goal of control flow hijacking?

Answer 27

To take control over a target machine

Question 28

What are some common vulnerabilities in control flow hijacking?

Answer 28

Buffer overflow
Integer overflow
Format string vulnerabilities
UAF and Double-free

Question 29

What are some common targets in control flow hijacking?

Answer 29

Return address
Vtable
Function pointer

Question 30

What are some common exploitations in control flow hijacking?

Answer 30

Code injection
Return to libc
Return oriented programming
Heap spraying

Question 31

What are some ways to make a process safe?

Answer 31

Control flow safety
Memory safety
Type safety

Question 32

What is control flow safety?

Answer 32

All control transfers are possible by the original program ie not jumps no call to library routines that the program did not call

Question 33

What is memory safety?

Answer 33

All memory accesses are correct, so array bounds are respected, other process’s memory is left alone, separation between code and data

Question 34

What is type safety?

Answer 34

All function calls and operations have arguments of a correct type

Question 35

What are some ways to defend against control flow hijacking?

Answer 35

Audit software
Identify vulnerabilities
Rewrite software in a type safe language

Question 36

What are stack canaries?

Answer 36

A segment of code on the stack that is checked occasionally to determine if it has been overwritten and if so stop the execution of the program

Question 37

How are some ways attackers can get around a stack canary?

Answer 37

By using a form of information leak to determine what the canary is and not overwriting it

Question 38

What does pointguard do?

Answer 38

Protect function pointers and setjmp buffers by encrypting them

Question 39

What are the two type of canaries?

Answer 39

Random canaries
Terminator canaries

Question 40

What are the attributes of a random canary?

Answer 40

Random string chosen at program startup
Insert the canary string into every stack frame
Verify canary before returning from the function

Question 41

What are the attributes of a terminator canary?

Answer 41

String functions will not copy beyond the terminator
Attacker cannot use string functions to corrupt the stack

Question 42

How does ProPolice improve stackguard?

Answer 42

It adds buffers after local pointers and function arguments in the stack frame

Question 43

What does the /GS option in visual studio implement?

Answer 43

A combination of propolice and random canary actions
If the cookie mismatches, call_exit(3)
In VS 2010 the protection is added to all functions unless it can be proven unnecessary

Question 44

What are some ways to evade /GS?

Answer 44

Overflow exception handler to the shellcode
Trigger the exception to hijack the control flow

Question 45

What is SAFESHE and SEHOP

Answer 45

SAFESEH is a linker flag that produces a binary with a table of safe exception handlers
The system will not jump to exception handler not on the list
SEHOP is a platform defense that adds a dummy record at the top of the SEH list. When an exception occurs the dummy is checked and if it is not there it terminates the program

Question 46

What are some exploits that can still occur even with canaries?

Answer 46

Heap-based overflows
Integer overflows
Use-after-free
Exception Handling attacks can still occur

Question 47

What is the solution to the stack smashing attacks?

Answer 47

Bridging the implementation and abstraction gap by separating the control stack

Question 48

What are the two segments of the safe stack

Answer 48

The safe stack and the unsafe stack

Question 49

What does the safe stack store?

Answer 49

Return addresses, register spills and local variables

Question 50

What does the unsafe stack store?

Answer 50

Everything that isn’t a return address, register spills and a local variable

Question 51

How is a safe stack actually implemented?

Answer 51

The safe stack is placed in a random place in the address space.

Question 52

What are the properties of intel’s upcoming shadow stack?

Answer 52

There is a new shadow stack pointer
call and ret automatically updates esp and ssp
The shadow stack cannot be updated manually

Question 53

What is Write or Execute?

Answer 53

Its hardware protection that ensures that memory cannot be both writeable and executable at the same time
Code is executable not writeable
Stack, heap, static variables writeable not executable

Question 54

What are some limitations to Write or Execute?

Answer 54

Some apps needs an executable heap
Doesn’t defend against code reuse attacks

Question 55

What is address space randomization?

Answer 55

The memory layout of a running process is randomized
The position independent code that can be loaded at any location is loaded at any location.

Question 56

What are some ways to bypass ASLR?

Answer 56

Brute force attacks
ROP exploits to exploit non-randomized memory
Exploiting information disclose bugs to reveal addresses

Question 57

What are some other code randomization beyond ASLR?

Answer 57

System call randomization
Instruction set randomization
Fine gained code randomization

Question 58

What is code obfuscation?

Answer 58

The generation or alteration of source code and or object code so that its hard to reverse engineer.

Question 59

What are the three main features of code obfuscation?

Answer 59

Potency
Resilience
Cost

Question 60

What are the 5 main methods of code obfuscation?

Answer 60

Lexical transformations
Control transformations
Data transformations
Anti-disassembly
Anti-debugging

Question 61

What is a reference monitor?

Answer 61

A monitor that observes the execution of the program/process on the hardware/OS/network level, if the process violates a policy it halts the execution of the program

Question 62

Where is the reference monitor placed in the kernelized system?

Answer 62

The kernel

Question 63

Where is the reference monitor placed in the wrapper system?

Answer 63

Around the program

Question 64

Where is the reference monitor placed in the instrumented program?

Answer 64

Inside the program

Question 65

How does the OS function as a Reference monitor?

Answer 65

By having a collection of running processes and files which has an access control lists which states which users can read/write/execute them
Also it enforces a variety of safety polices, like checking file access against the ACL, and enforcing isolation, privilege and sharing principles

Question 66

What is the Inline reference monitor?

Answer 66

An instrument program code to enforce expected behavior

Question 67

What are the principles of the Inline reference monior?

Answer 67

Complete mediation reference monitors must always be invoked
Tamper proof reference monitors cannot be modified by attackers
Verifiable correctness reference monitors correctness is preferably verifiable
Performance and compatibility

Question 68

What is Control flow Integrity?

Answer 68

A defense mechanism against control flow hijacking that employs inline reference monitors to enforce the run time control flow of a process must follow the statically computed control flow graph

Question 69

What are the steps of control flow integrity?

Answer 69

Compute the static CFG of the program
Instrument the program code with IRM
Insert monitors to ensure runtime execution always stays within the statically determined CFG

Question 70

What are the two CFI Policies?

Answer 70

Context insensitive and Context sensitve

Question 71

What is context insensitive CFI policies

Answer 71

No extra information is kept

Question 72

What is context sensitive CFI policies

Answer 72

The past execution history is kept