Real Midterm Flashcards
The returns of strcpy() store in what register that have the address of what buffer?
EAX, Destination
Which of the following step/steps is/are required to execute a shell code in memory?
Find the vulnerability, store the shellcode to the executable memory, hijack control flow/EIP to shellcode
Will comparing a signed integer with an unsigned integer cause an integer overflow?
Yes
Why is it important to execute an exit() syscall for the code reuse attacks?
To avoid a crash and leave no attack trace
Which one of the following is a safe libc function?
strncpy
A shell code can be used for what?
Creating a new user, changing user password, opening a connection to the attackers machine
Suppose we have the following gadgets
G1:
pop %ebx
ret
G2:
pop %ecx
ret
G3:
movl %ebx, %(ecx)
To achieve the following operation, determine the order of gadgets
store 10 at memory address 0x805000
G2, 0x805000, G1, 10, G3
NOP equivalence for stack pointer (esp) move is a gadget that only contains a what instruction?
ret
Finding gadgets is traditionally a what recursive traverse algorithm and searchable through a what representation?
Backward, Trie
True or false: Type confusion bugs are caused by inappropriate up-casts.
False
Direct function calls are what?
Not exploitable
For ROP attacks, any gadget should ends with a what instruction?
ret
The leave instruction (AT&T) combines what instructions?
mve %ebp, %esp
pop %ebp
Format string specifier %n is significant for what?
Writing the number of characters printed so far in a pointer
The following order can be used in position independent shellcode to get the address of a string
Execute jmp to a call instruction sits right before the string, then call instructions goes back to jump+1 after pushing to the return address to the stack
True or False: In a double free, an exploitation occurs when the program calls free(q) on a region that contains data set by the attacker and the second free(q) will try to use the fake chunk tag.
True
The ret instruction is equivalent to what?
pop %eip
To execute a system call, a shellcode must contain what?
Store syscall id in EAX register
Why is it difficult to detect a Use-After-Free vulnerability?
They only exist in a particular execution path
Code reuse attacks can bypass what defenses?
Code signing and Write or Execute
What vulnerability is a double fetch bug a form of?
A race condition
In Stack Guard implementation the function prologue does what?
Stores a canary word between return address and locals
/GS protection alone is not enough to defend against exception handler based exploits because?
The exception is triggered before the canary is checked
In StackGuard implementation the function epilogue does what?
Checks canary before the function returns
True or False: Context sensitive CFI policy is simple but imprecise compared to Context-insensitive CFI policy
False
The most popular target of heap spray attacks is what?
Browser code
Which of the following register is used by the GCC stack smashing protector to locate the random canary?
%gs
A terminator canary may consist of what?
\n\n\n\n
Which of the following address randomizations is widely deployed?
Address space layout randomization
Which of the following principles should be maintained by an inline reference monitor?
Reference monitors must always be invoked
Where can a reference monitor be implemented?
Wrapping around the target program, inside the kernel or inside the target program
The probability of a successful heap spray attack does not depend on
The length of each targeted sensitive object in the memory
StackGuard protection can be bypassed by what?
Leveraging information leak vulnerability
/GS Stack frame stores the exceptional handlers just before what?
The canary
Which of the following is not a component of CFI defense mechanism?
Code Obfuscation
Applications with Write or Exectute (W^X) protection, their stack/heap memory is what?
Writable, but not executable
Race windows in a Race condition is a what?
Code segment
A race condition vulnerability must consist of what?
A concurrency property
A shared object property
A change state (share object) property
In ProPolice protection mechanisms, in addition to canaries?
Local variables are rearranged by their types
Intel CET Shadow Stacks maintain a shadow copy of what?
The return address
What is a buffer overflow?
A buffer overflow is when data is written outside the bounds of the allocated buffer space
Why are buffer overflows common in C/C++ programs?
They are common in C/C++ programs because there are not automatic bounds checking
What can buffer overflows be leveraged to do?
Hijack the control flow of a program and execute arbitrary code by overriding the function pointers or return addresses
What are some common unsafe C functions that can allow attackers to perform buffer overflows?
strcpy, strcat, gets, and scanf
What is a safeish libc function?
strncpy
What is commonly used to identify potential buffer overflows?
Fuzz testing (by using random inputs)
What can address sanitizing do to help detect buffer overflows?
They help detect out of bound writes during testing
When the return address is overwritten by an attacker during a stack buffer overflow what can occur?
The program can then be used to jump to the attackers code
What are some defenses against buffer overflows?
Bounds checking, canaries, ASLR ie randomizing the addresses, and using safer functions
What was the first major exploit of buffer overflows?
The internet worm using the fingerd service
What are some targets for control flow hijacking using buffer overflows?
Function pointers
exception handlers
vtables
longjmp buffers
What are heap based buffer overflows?
When the allocated heap buffer is overflowed and causes the overwriting of the adjacent heap metadata structures
Why do some defense mechanisms not get implemented?
Because of performance overhead concerns
What are type confusions?
Vulnerabilities that occur when code accesses a memory resource using an incompatible type
Why does type confusions often occur in C/C++?
There are no runtime type safety checks so pointers can be cast to incompatible types
What are some different casting operations that could cause type confusion?
Static casting with static_cast
Dynamic casting with dynamic_cast
C-style casting with (Type)
What is a common cause of type confusion bugs?
Illegal downcasts
What are some defenses against type confusion bugs?
Runtime type checking, strict casting rules and using type safe languages like java
What is an integer overflow?
An integer value that exceeds its maximum value and as a result wraps around
Can converting from a signed to an unsigned integer cause an integer overflow?
Yes
What are the best practices for using integers?
Using size_t when needing the size of a count
Using uint8_t for specific bit-width
Using intptr_t to have an integer to hold a pointer
How do format string bugs occur?
When user-controlled inputs are passed as the format string parameters to certain functions
What are some common specifiers using in format string bug attacks?
%p %d %c %u %x %s %n
What is a use after free bug?
A program continues to use the memory after it has been freed, leading to an accessing deallocated or stale memory
What is the cause of use after free bugs?
Wrongly handled error conditions, unaccounted for program states, confusion over which part of the code is responsible for freeing the memory
How can use after free bugs be exploited?
By leading the program to allocate memory over the previously freed area. That area could contain code that the attacker placed there to be used for his advantage
Why are use after free bugs hard to detect?
They only manifest in certain states of program execution
The bug is not visible at the time of the free call
What are some prevention methods around use after free bugs?
Setting freed pointers to null and checking for null before being used
What is a double free vulnerability?
When the same region of memory is freed twice without it being reallocated again in between
What is shellcode?
Executable code used by attackers to achieve arbitrary code execution after hijacking the control flow
What can the shellcode do?
Nearly anything like creating users, opening backdoors or spawning shells, changing the password of a user
What are some solutions to find the addresses of parameters and setting the return addresses?
NOP sleds and position-independent code
What are some attacks that can bypass Write or Execute defenses?
Return to libc or return oriented programming
Hoes does ROP work?
By chaining together gadgets ending in return instructions to achieve arbitrary computation without code injection.
What are the building blocks of ROP?
Constants, control flow, and multiple gadgets
What are the steps of executing a system call?
Store syscall number in eax
Save arg 1 iin ebx, arg 2 in ecx and arg3 in edx
Execute int 0x80 or sysenter
Syscall runs and returns the result in eax
What are some solutions to knowing the address of memory based parameters?
Pushing the address to the stack and getting addr from esp
Using position independent code
How and why are NOP sleds used?
NOP sleds are used to help approximate the return addresses for the shellcode
NOPs simply advance the instruction pointer until it hits the shellcode
What are the two main types of code reuse attacks?
Return to libc and return oriented programming
How does ROP approximate constants?
Storing the constants on the stack, popping the constants into the register to use
How does ROP approximate the control flow?
Conditionally setting the EIP to new values
What is an example of an ROP using multiple gadgets to load memory into a register
Loading the address of a source word into %eax
Loading the memory into (%eax) into %ebx
What are some recent advances in ROP?
Just in time ROP
Blind ROP
Block Oriented Programming Compiler
What is the use of Just in Time ROP?
Defeating fine grained code randomization
Recusrively exploiting a memory disclosure to map the code of the victim process on the fliy
Discovering gadgets and JIT complie a ROP program
What is Blind ROP?
Remote brute forcing an ROP without knowing the target program
What is Block Oriented Programming Compiler?
Automatically synthesizing arbitrary turning complete data only payloads
What is Ret2ret?
Overwriting one byte of the stack pointer with 0 to make it point to the shellcode
The vulnerable buffer sits lower on the stack than the pointer
What is Ret2eax?
Overflowing the buf in msglog to place the shellcode in buf
strcpy saves the buf address in eax
Hijacking control flow to a subsequent call *eax and running the shellcode from there
What is required for a race condition to occur?
2 concurrent control flows accessing a shared object with at least one flow altering the object state
What is a race condition?
The ordering of execution of concurrent threads results in unintended behavior due to unanticipated timing
What is the code that access the shared object that could result in a race condition called?
Race window or critical section
What can be used to avoid race windows overlapping?
Synchronization primitives such as mutexes and semaphores
What are some ways to avoid race conditions?
Mutual exclusion, avoiding sharing, atomics and static/dynamic analysis
What is heap spraying?
Filling the heap with shellcode and NOP sleds to make it more likely that a control flow hijack will hit
What are some defenses against heap spraying?
Heap layout randomization, isolating browser and javascript heap
What are the source of race conditions
Trusted (highly coupled threads of execution) or untrusted (separate application of processes)
What is a double fetch bug?
A bug that occurs when the same data is fetched twice from memory by a program
What are some scenarios that could lead to double fetch bugs?
Dependency lookup (retrieving some dependent information which gets changed by another thread before being used)
Protocol/signature checking
Information guessing
How does a data race occur?
When two or more threads access the same memory location concurrently
What is heap spraying?
Filling the heap with a large amount of attack payloads
What is used to spray the heap with shellcode and NOP sleds?
Javascript
What is pointed in the spray area during a heap spray?
The vtable pointer
What is a vulnerable buffer placement?
Placing a vulnerable buf next to an object
What does a nozzle do?
Detects heap sprays by checking the prevalence of code on the heap
What does OpenBSD do?
Prevent cross page overflow
What is the aim of attackers
To hijack the control flow and execute arbitrary code
What are some defenses against attackers
Canaries
Write or Executable
StackGuard/ProPolice
SAFESEH/SEHOP
Shadow Stacks/Safe Stacks
Address Randomization
Obfuscation
Reference Monitors
Control Flow Integrity
What are some targets of attackers?
Return addresses
Vtables
Function pointers
What are canaries?
A technique used to detect stack based buffer overflows
The function prologue places a canary value where?
Between the return address and local variables
The function epilogue does what?
Checks if the canary is unchanged before returning
What did Stack Guard originally do?
Added canaries
What are the two types of canaries?
Random canaries where a random value is chosen at the program start and inserted in each stack frame and
Terminator canaries a special value that string functions will not copy over
How did ProPolice improve stackguard?
by reordering stack variables to protect pointers
What does VS /GS option do?
Combines ProPolice and random canaries and calls exit() on a mismatch
What are some things canaries cannot protect against?
Heap overflows or integer overflows
What is the point of shadow and safe stacks?
To separate control data from user data
Shadow stacks maintain a separate stack for what?
Return addresses
Safe stacks splits the program stack into two regions for what?
A safe region for control data and an unsafe region for other data
Can safe stacks be implemented in compilers (LLVM and GCC)
Yes
Intel’s new shadow stacks will do what?
Have a new shadow stack pointer that call/ret updates automatically
Shadow stacks rely on what assumption?
That the location of the shadow/safe stack is hidden from attackers
Code pages are marked as what in W^X?
Executable but not writable
Data pages (stack, heap, globals) are marked as what?
Writable but not executable
W^X is supposed to prevent what?
Code injection atacks
What does W^X not protect against?
Code reuse attacks like return to libc or ROP as the reuse existing code
If an executable heap is needed what could be used to circumvent W^X?
Heap sprays
What does ASLR do?
Randomize the memory layout of a process to make exploits harder
What does ASLR do in reguards to exploits like return to libc and stack/heap overflows?
Make them probalistic
What are some ways to override ASLR?
Brute force mechanisms, leaking the addresses through other bugs or using code gadgets that are not ranodmized
What does fine grained code randomization do?
Randomizes code within programs and libraries themselves
At what level does fine grained techniques randomize code?
Function, basic block or instruction level
Function block randomization does what?
Shuffles the order of functions within each code section
Basic block randomization does what
Randomizes the order of basic blocks within each function
Instruction level randomization does what?
Changes the order of instructions within basic blocks through the insertion of unconditional jumps
What is code obfuscation?
Transforming programs to make them more difficult for humans to understand while preserving semantics
What is the purpose of code obfuscation?
To protect intellectual property and prevent reverse engineering
What are some obfuscation techniques?
Lexical transformation
Control transformations
Data transformation
Anti-disassembly tricks
Anti debugging tricks
What are some metrics to judge code obfuscation?
Potency, resilience, and low overhead
What is lexical transformation?
Var names becoming nonsense
What is control transformations
Changing the program flow and logic structure while maintaining functionality
What is data transformations?
Modifying data structures and represenations
What are anti debugging tricks?
Tricks to detect and impede debuggers
What are reference monitors?
A component that monitors a systems execution to enfore compliance with a security policy
What are the principles of reference monitors?
Complete mediation
Tamperproof
Verifiable
Low overhead
What is the purpose of CFI?
To prevent control flow hijacking by ensuring software execution stays within a predetermined control flow graph
How can the effectiveness of a CFI be measured?
By the largest and average EC size
What is a EC?
A group of targets that CFI cannot distinguish/separate
When are CFG computed?
Statically through program analysis
What is SAFESEH?
A linker that produces a binary with a table of safe exception handlers
