Unit 5,6,7 Flashcards
Which name is rarely used for sections in ELF files?
.text
.data
.rodata
.code
.code
Correct! As a convention, .code is almost never used as a section name for ELF files that are generated by common C compilers, such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.
Which name is almost never used for sections in ELF files that are generated by common C compilers under Linux?
.bss
.exec
.text
.rodata
.exec
Correct! As a convention, .exec is rarely used as a section name for ELF files that are generated by common C compilers such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.
In general, which kind of program can be compiled into machine code?
Java programs
C programs
Bash scripts
Perl programs
C programs
Correct! C programs are usually compiled by C compilers, such as GCC, Clang, and MSVC, into executables that comprise executable machine code.
For programs that use glibc and run on x86-64 Linux, environment variables can be accessed during the execution of the program. Where are these environment variables stored?
On the hard drive
In the kernel memory region
In the file name of the executable
On the stack
On the stack
Correct! On execve(), the kernel copies the environment strings and the envp pointer array onto the new process's initial stack, above argv and above where the frame of the entry point function (usually main) will later sit. The libc startup code (_start and __libc_start_main in glibc) then passes envp to main as its third argument, so main(int argc, char **argv, char **envp) can walk the environment on the stack; getenv() reads the same strings through the global environ pointer.
Which name is a valid register name in x86-64 CPUs?
eax
a0
r2
rdk
eax
Which x86-64 instruction clears the destination register (i.e., zeroing the destination register), regardless of the register’s value?
set rax=0
add rax, 1
nop
xor rax, rax
xor rax, rax
The 32-bit integer 0xcafebabe (3405691582 in decimal) is used as the magic number of Java bytecode files. What is the little-endian byte representation of this 32-bit integer?
82 15 69 05 34
be ba fe ca
ca fe ba be
eb ab ef ac
be ba fe ca
Correct! In little endian, the least significant byte goes first, and the most significant byte goes last. The least significant byte in 0xcafebabe is 0xbe, and the most significant byte is 0xca. Therefore, be ba fe ca is the correct little-endian representation.
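The same byte-order rule worked in C, as an added example that is not part of the flashcards: read_be32 and read_le32 interpret the same four bytes both ways, write_le32 produces the be ba fe ca sequence from the card, and parse_class_header reads the Java class file prefix (magic, minor and major version, all stored big-endian per the JVM specification) from a sample header that is constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Big-endian reads: most significant byte first (Java class files, network order). */
uint32_t read_be32(const unsigned char *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}
uint16_t read_be16(const unsigned char *b) {
    return (uint16_t)(((uint16_t)b[0] << 8) | b[1]);
}

/* Little-endian read: least significant byte first (how x86-64 stores integers). */
uint32_t read_le32(const unsigned char *b) {
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
           ((uint32_t)b[1] << 8) | (uint32_t)b[0];
}

/* Serialise v least-significant byte first, independent of the host's byte order. */
void write_le32(uint32_t v, unsigned char out[4]) {
    out[0] = (unsigned char)(v & 0xff);
    out[1] = (unsigned char)((v >> 8) & 0xff);
    out[2] = (unsigned char)((v >> 16) & 0xff);
    out[3] = (unsigned char)((v >> 24) & 0xff);
}

/* Byte i (0 = lowest address) of v as the host CPU lays it out in memory. */
unsigned char host_byte(uint32_t v, int i) {
    unsigned char raw[4];
    memcpy(raw, &v, 4);            /* memcpy rather than a pointer cast: no aliasing UB */
    return raw[i];
}

/* 1 on little-endian hosts such as x86-64: the low byte of 1 sits at the lowest address. */
int host_is_little_endian(void) {
    return host_byte(1u, 0) == 1;
}

typedef struct { uint32_t magic; uint16_t minor, major; } class_header_t;

/* Parse the 8-byte prefix of a Java class file (magic, minor_version, major_version).
 * Returns 0 on success, -1 if the input is too short or the magic is wrong. */
int parse_class_header(const unsigned char *buf, size_t len, class_header_t *h) {
    if (len < 8) return -1;
    h->magic = read_be32(buf);
    h->minor = read_be16(buf + 4);
    h->major = read_be16(buf + 6);
    return h->magic == 0xcafebabeu ? 0 : -1;
}

/* Constructed sample: the first 8 bytes of a Java 8 class file (major version 52). */
const unsigned char SAMPLE_CLASS_HEADER[8] = { 0xca, 0xfe, 0xba, 0xbe, 0x00, 0x00, 0x00, 0x34 };
```

On x86-64 the bytes returned by host_byte() for 0xcafebabe match write_le32, which is exactly why the number appears reversed in a hex dump of a little-endian machine's memory while the class file on disk shows ca fe ba be.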
In x86-64 Linux, we may invoke a syscall using instruction syscall. When this instruction is executed, in which register should the syscall number be stored?
ecx
a0
syscall_no
rax
rax
Correct! The syscall number is indeed stored in the rax register for syscalls in x86-64 Linux. However, different registers may be used for different operating systems.
On Linux, each process is related to an effective UID (euid) and an effective GID (egid). What is the relationship among euid, egid, permissions of the process, and the ownership of the process executable?
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group who owns the process executable.
euid is the ID of the user who owns the process executable; egid is the ID of the group who owns the process executable.
euid is the ID of the user who owns the process executable; egid is the ID of the group whose file access permissions are used by the process.
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.
#include <fcntl.h>
#include <string.h>
/* user_file comes straight from the user; file receives the descriptor */
char path[1024] = {0};
strcpy(path, "/home/myspace/");
strncat(path, user_file, sizeof(path) - strlen(path) - 1);
int file = open(path, O_RDWR);
Review Codeblock: Code Snippet. John wrote this piece of code and he hopes to limit users' file access to files under /home/myspace/. Suppose that no filtering or sanitization is applied to the variable user_file before calling strncat(), and that the total length of path when calling open() is less than 1024. What vulnerability does this code snippet have?
File access vulnerability
File handler reuse vulnerability
Format string vulnerability
Buffer overflow vulnerability
File access vulnerability
Correct! This snippet has a file access vulnerability (a path traversal, or "dot-dot", attack). Since no sanitization is performed on user_file, the user can supply a value containing "../" segments, such as ../../etc/passwd, and end up opening files outside "/home/myspace/". The bounded strncat() only prevents a buffer overflow; it does nothing about where the resulting path points.
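The dot-dot problem and one fix, as an added C example that is not the snippet's own code: build_path_vulnerable reproduces what the snippet computes, and build_path_checked normalises the user-supplied relative path lexically and refuses anything that is absolute or would climb above the base directory. The base directory /home/myspace is taken from the card; the sample file names are constructed for the example, and the openat2()/realpath() follow-up mentioned in the comments is assumed, not shown.

```c
#include <stdio.h>
#include <string.h>

/* What the quiz snippet effectively does: glue base and user input together and
 * hand the result to open(). Writes the path that would be opened into out. */
int build_path_vulnerable(const char *base, const char *user_file, char *out, size_t outsz) {
    int n = snprintf(out, outsz, "%s%s", base, user_file);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened: resolve "." and ".." lexically, refusing absolute paths and any ".."
 * that would step above the base directory. Lexical checks cannot see symlinks;
 * for files that already exist, confirm with realpath() or open them with
 * openat2(RESOLVE_BENEATH) on Linux >= 5.6 (assumed here, not shown). */
int build_path_checked(const char *base, const char *user_file, char *out, size_t outsz) {
    char work[1024];
    const char *seg[128];
    int depth = 0;

    if (user_file[0] == '/' || strlen(user_file) >= sizeof work) return -1;
    strcpy(work, user_file);

    for (char *tok = strtok(work, "/"); tok; tok = strtok(NULL, "/")) {
        if (strcmp(tok, ".") == 0) continue;            /* current directory: drop it */
        if (strcmp(tok, "..") == 0) {                   /* parent: pop, never past base */
            if (depth == 0) return -1;
            depth--;
            continue;
        }
        if (depth == (int)(sizeof seg / sizeof seg[0])) return -1;
        seg[depth++] = tok;
    }
    if (depth == 0) return -1;                          /* must name something under base */

    int n = snprintf(out, outsz, "%s", base);
    if (n < 0 || (size_t)n >= outsz) return -1;
    size_t used = (size_t)n;
    for (int i = 0; i < depth; i++) {
        n = snprintf(out + used, outsz - used, "/%s", seg[i]);
        if (n < 0 || (size_t)n >= outsz - used) return -1;
        used += (size_t)n;
    }
    return 0;
}
```

If user_file arrives through a URL, percent-decode it before this check, otherwise ..%2f slips through untouched and is decoded later by something else.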
On x86-64 Linux, each process has an isolated memory space called stack region. How does the stack region grow?
Either from low addresses to high addresses, or from high addresses to low addresses, as determined by the operating system
From low addresses to high addresses
From high addresses to low addresses
Either from low addresses to high addresses, or from high addresses to low addresses, as determined by each process
From high addresses to low addresses
Correct! The stack on x86-64 grows from high addresses to low addresses: push decrements rsp, and a callee's frame lies at lower addresses than its caller's. This convention is inherited from early machines with tiny address spaces, where placing the heap at the low end growing upward and the stack at the high end growing downward let the two share whatever free memory lay between them.
The heap, by contrast, grows from low addresses to high addresses.
In x86-64 assembly, what is the instruction sequence mov rsp, rbp; pop rbp equivalent to?
push rbp; mov rbp, rsp
leave; ret
leave
xor rsp, rbp; mov rbp, rsp; xor rsp, rbp; mov rsp, rbp; hlt
leave
Correct! In x86-64 assembly language, leave is the counterpart of enter and is usually executed at the end of a function. leave copies rbp into rsp, which discards the current frame and restores the stack pointer to its value right after the prologue's push rbp, and then pops the saved frame pointer from the stack into rbp. Hence, leave is the same as mov rsp, rbp; pop rbp.
400080: b8 3b 00 00 00 mov eax,0x3b
400085: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f6e69622f
40008c: 73 68 00
40008f: 53 push rbx
400090: 48 89 e7 mov rdi,rsp
400093: 6a 00 push 0x0
400095: 57 push rdi
400096: 48 89 e6 mov rsi,rsp
400099: 48 c7 c2 00 00 00 00 mov rdx,0x0
40009e: 0f 05 syscall
4000a0: 48 c7 c0 3c 00 00 00 mov rax,0x3c
4000a5: 48 c7 c7 00 00 00 00 mov rdi,0x0
4000aa: 0f 05 syscall
Review Codeblock: Shellcode. Which instruction has at least one null byte inside?
push rbx
mov eax, 0x3b
mov rdi, rsp
syscall
mov eax, 0x3b
Correct! The instruction mov eax, 0x3b is at 0x400080 and is encoded as b8 3b 00 00 00: the 32-bit immediate 0x3b is stored as four little-endian bytes, three of which are null (0x00). Null bytes terminate a strcpy()-style copy, which is why shellcode writers avoid such encodings.
int var_0 = 0, var_1 = 0;
printf("CSE543ROCKS!%x\n", &var_0);
strcpy((char*)&var_1, "CSE543ROCKS\n");
Review Codeblock: C Code. What vulnerability does this piece of code have?
TOCTTOU vulnerability
There is no vulnerability in this piece of code.
Buffer overflow vulnerability
Format string vulnerability
Buffer overflow vulnerability
Correct! A buffer overflow needs a buffer and a write into it, and here both var_0 and var_1 can be viewed as 4-byte buffers. strcpy() writes the 12 characters of "CSE543ROCKS\n" plus the terminating NUL, 13 bytes in total, into var_1, which is an int of only 4 bytes. The remaining 9 bytes spill into whatever follows var_1 in memory, so the code has a buffer overflow vulnerability.
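What those 13 bytes actually do, shown as an added C example that is not the card's own code: a union overlays two adjacent ints (laid out as var_1 followed by var_0, which is an assumption about how the compiler placed them) with a byte view, so the overflow can be observed without the demonstration itself being undefined behaviour, and bounded_copy is the hardened counterpart that refuses a write that does not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Two adjacent 4-byte ints, the way a compiler commonly places var_1 and var_0,
 * overlaid with a raw byte view. The union keeps every write inside one 16-byte
 * object, so the demo observes the overflow without being undefined itself. */
typedef union {
    struct { int32_t var_1; int32_t var_0; char tail[8]; } v;
    unsigned char raw[16];
} frame_t;

/* What strcpy((char*)&var_1, "CSE543ROCKS\n") does: 13 bytes (12 characters plus
 * the terminating NUL) land in a 4-byte slot, so bytes 4..12 overwrite whatever
 * follows var_1 in memory. Returns the clobbered var_0. */
int32_t overflow_demo(frame_t *f) {
    memset(f, 0, sizeof *f);
    strcpy((char *)f->raw, "CSE543ROCKS\n");
    return f->v.var_0;
}

/* Hardened form: the destination size is part of the call, and a source that
 * does not fit is refused rather than truncated or spilled. */
int bounded_copy(void *dst, size_t dstsz, const char *src) {
    size_t need = strlen(src) + 1;              /* count the NUL terminator */
    if (need > dstsz) return -1;
    memcpy(dst, src, need);
    return 0;
}
```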
On Linux, what will Bash always expand path “~/.bashrc” to?
/root/.bashrc
$HOME/.bashrc
/home/user/.bashrc
/tmp/.bashrc
$HOME/.bashrc
URI stands for Uniform Resource Identifier. A URI requires a series of specific items in a specific order. Which URI is invalid?
https://www.google.com/ncr
ftp://ftp.ietf.org/rfc/rfc1808.txt
../../../../etc/passwd
mailto:user@example.com
../../../../etc/passwd
Correct! This is not a valid URI. A URI is built from up to five components, scheme, authority, path, query and fragment, in the generic syntax scheme://authority/path?query#fragment, with percent-encoding applied to characters that are not allowed in a component. Only the scheme and the path are mandatory; the authority, query and fragment are optional. This string has no scheme (a URI must start with a scheme name followed by a colon), so it is not a URI at all, although it is a perfectly valid file-system path.
Connection to www.google.com 80 port [tcp/http] succeeded!
Review Codeblock: Output Message. Which program or command may generate this output message?
ls
tcpdump
netcat
curl
netcat
Correct! Netcat (nc) connects to a TCP or UDP port on a host. When run with -v, the OpenBSD netcat prints this message once the TCP connection to the given host and port has succeeded.
q = "SELECT * FROM homework_assignments WHERE user=" + username + " AND key=" + password
Review Codeblock: Python Statement. This Python statement builds on an SQL query for authentication, where username and password are two variables derived from user input. Which combination of username and password values will lead to a bypass of the authentication?
root; password
' ' or 1=1;-- ; "" (an empty string)
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ; "" (an empty string)
alert(1) ;
' ' or 1=1;-- ; "" (an empty string)
Correct! With username set to ' ' or 1=1;-- the statement becomes SELECT * FROM homework_assignments WHERE user=' ' or 1=1;-- AND key=. The comparison user=' ' is simply false, or 1=1 (that is, or TRUE) makes the whole WHERE condition true for every row, and ;-- turns everything after it, including the AND key=... condition, into a comment. The value of password therefore no longer matters.
Cookies are small pieces of data that an HTTP server sends to client users’ browsers, which may store cookies locally or send them back to the server upon making future HTTP requests. JavaScript code has access to cookies. Which statement most accurately describes the security of cookies?
Cookies are secure. They cannot be stolen by malicious JavaScript code or leaked when being transferred through HTTP.
Cookies cannot be stolen by malicious JavaScript code. But they can be leaked when transferred through HTTP.
Cookies can be stolen by malicious JavaScript code. But they cannot be leaked when transferred through HTTP.
Cookies can be stolen by malicious JavaScript code. They can also be leaked when transferred through HTTP.
Cookies can be stolen by malicious JavaScript code. They can also be leaked when transferred through HTTP.
SUID executables can drop privileges by calling setuid(). Under which circumstance can setuid() be called?
setuid() can only be called when euid is 0.
setuid() can only be called when euid is not 0.
setuid() can only be called when euid is 1000.
setuid() can be called regardless of the value of euid.
setuid() can be called regardless of the value of euid.
C programs must be compiled before running. What is an example of a commonly used C compiler under Linux?
Clang
Sh
ld
Python
Clang
In general, which type of program can be compiled into an executable form that contains machine code prior to execution?
Bash scripts
C programs
Java programs
Python programs
C programs
Correct! C programs are usually compiled by C compilers, such as GCC, Clang, and MSVC, into executables that comprise executable machine code.
4df4: 41 57 push r15
4df6: 41 56 push r14
4df8: 41 55 push r13
4dfa: 41 54 push r12
4dfc: 41 89 fc mov r12d,edi
4dff: 55 push rbp
4e00: 48 89 f5 mov rbp,rsi
4e03: 53 push rbx
4e04: 48 83 ec 48 sub rsp,0x48
4e08: 48 8b 3e mov rdi,QWORD PTR [rsi]
4e0b: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
4e12: 00 00
4e14: 48 89 44 24 38 mov QWORD PTR [rsp+0x38],rax
4e19: 31 c0 xor eax,eax
4e1b: e8 b0 e4 00 00 call 132d0
4e20: 48 8d 35 d7 49 01 00 lea rsi,[rip+0x149d7]
4e27: bf 06 00 00 00 mov edi,0x6
4e2c: e8 cf fd ff ff call 4c00
Review Codeblock: Shellcode. Which instruction has at least one null byte inside?
xor eax, eax
sub rsp, 0x48
mov rdi,QWORD PTR [rsi]
mov edi, 0x6
mov edi, 0x6
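Both null-byte listings above (the execve shellcode and this function prologue) can be checked mechanically. The following is an added C example, not the course's code: it parses objdump's byte column line by line, folds continuation lines such as 40008c: 73 68 00 into the instruction they belong to, and reports every instruction whose encoding contains 0x00, which is what makes the question matter for shellcode that has to survive a strcpy()-style copy. It also carries a null-free rewrite of the execve() part of the first listing; that rewrite was written for this example and its encoding is assumed to be standard x86-64.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* True when tok is exactly two hex digits, i.e. one byte of objdump's opcode column. */
static int is_hex_byte(const char *tok) {
    return strlen(tok) == 2 && isxdigit((unsigned char)tok[0]) && isxdigit((unsigned char)tok[1]);
}

/* Parse one line of "objdump -d -M intel" output, "addr: b0 b1 ... mnemonic operands".
 * Opcode bytes go to bytes[]; the instruction text goes to mnem (empty on a
 * continuation line, which carries only the trailing bytes of a long instruction).
 * Returns the number of bytes parsed, or -1 if the line has no "addr:" column. */
static int parse_objdump_line(const char *line, unsigned char bytes[16], char mnem[64]) {
    char buf[256];
    snprintf(buf, sizeof buf, "%s", line);
    mnem[0] = '\0';
    char *p = strchr(buf, ':');
    if (!p) return -1;
    int n = 0;
    char *tok = strtok(p + 1, " \t");
    while (tok && is_hex_byte(tok) && n < 16) {
        bytes[n++] = (unsigned char)strtoul(tok, NULL, 16);
        tok = strtok(NULL, " \t");
    }
    for (; tok; tok = strtok(NULL, " \t")) {          /* whatever is left is the instruction */
        if (mnem[0]) strncat(mnem, " ", 63 - strlen(mnem));
        strncat(mnem, tok, 63 - strlen(mnem));
    }
    return n;
}

/* Walk a listing, folding continuation lines into the instruction before them, and
 * collect the text of every instruction whose encoding contains a 0x00 byte.
 * Returns how many were found; the first max_found are copied into found[]. */
int find_null_instructions(const char *const lines[], int nlines, char found[][64], int max_found) {
    char cur[64] = "";
    int cur_has_null = 0, have_cur = 0, count = 0;
    for (int i = 0; i <= nlines; i++) {
        unsigned char bytes[16];
        char mnem[64] = "";
        int n = (i < nlines) ? parse_objdump_line(lines[i], bytes, mnem) : 0;
        if ((i == nlines || mnem[0]) && have_cur) {    /* previous instruction is complete */
            if (cur_has_null) {
                if (count < max_found) strcpy(found[count], cur);
                count++;
            }
            cur_has_null = 0;
        }
        if (i == nlines) break;
        if (mnem[0]) { strcpy(cur, mnem); have_cur = 1; }
        for (int j = 0; j < n; j++) if (bytes[j] == 0) cur_has_null = 1;
    }
    return count;
}

/* Count 0x00 bytes in raw shellcode: a strcpy()-style copy stops at the first one. */
int count_null_bytes(const unsigned char *code, size_t len) {
    int c = 0;
    for (size_t i = 0; i < len; i++) if (code[i] == 0) c++;
    return c;
}

/* The quiz's first listing (execve("/bin/sh") followed by exit), as objdump printed it. */
const char *const EXECVE_LISTING[13] = {
    "400080: b8 3b 00 00 00 mov eax,0x3b",
    "400085: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f6e69622f",
    "40008c: 73 68 00",
    "40008f: 53 push rbx",
    "400090: 48 89 e7 mov rdi,rsp",
    "400093: 6a 00 push 0x0",
    "400095: 57 push rdi",
    "400096: 48 89 e6 mov rsi,rsp",
    "400099: 48 c7 c2 00 00 00 00 mov rdx,0x0",
    "40009e: 0f 05 syscall",
    "4000a0: 48 c7 c0 3c 00 00 00 mov rax,0x3c",
    "4000a5: 48 c7 c7 00 00 00 00 mov rdi,0x0",
    "4000aa: 0f 05 syscall",
};

/* Null-free rewrite of the execve part, written for this example (assumed, not from
 * the quiz): zero registers with xor, load 0x3b through the 8-bit al, spell the path
 * as "/bin//sh" so the 8-byte immediate has no 0x00, and push a zeroed register as
 * both the string terminator and argv[1]. */
const unsigned char EXECVE_NULLFREE[29] = {
    0x31, 0xc0,                                                  /* xor eax,eax           */
    0xb0, 0x3b,                                                  /* mov al,0x3b           */
    0x48, 0x31, 0xd2,                                            /* xor rdx,rdx           */
    0x52,                                                        /* push rdx (terminator) */
    0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68,  /* movabs rbx,"/bin//sh" */
    0x53,                                                        /* push rbx              */
    0x48, 0x89, 0xe7,                                            /* mov rdi,rsp           */
    0x52,                                                        /* push rdx (argv[1])    */
    0x57,                                                        /* push rdi (argv[0])    */
    0x48, 0x89, 0xe6,                                            /* mov rsi,rsp           */
    0x0f, 0x05,                                                  /* syscall               */
};
```

Run over the first listing it reports six instructions with null bytes (mov eax,0x3b, the movabs, push 0x0 and the three movs with 32-bit immediates); over the second it reports four (the fs:0x28 canary load, call 132d0, the rip-relative lea and mov edi,0x6). The 29-byte rewrite contains none.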
int var_0 = 0, var_1 = 0;
printf("CSE543ROCKS%80x%1$n\n", &var_0, &var_1);
Review Codeblock: C Code. What vulnerability does this piece of code have?
Format string vulnerability
TOCTTOU vulnerability
There is no vulnerability in this piece of code.
Buffer overflow vulnerability
There is no vulnerability in this piece of code.
Correct! This piece of code uses printf() and may look like it is triggering a format string vulnerability. However, since the format string is fully specified and user input has no way to impact the format string, there is no vulnerability in this piece of code.
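A constant format string with matching arguments is safe; the danger is user data reaching the format position. The following added C example (not the course's code) audits a format string the way a logging wrapper might before handing it to vsnprintf: it counts the arguments the string will consume, including * widths and positional n$ references, and flags %n, the directive that turns a format string bug into a memory write. log_user_text shows the safe pattern, where untrusted text only ever travels as a %s argument; its request-id prefix is an assumption made for the example.

```c
#include <stdio.h>
#include <string.h>

/* Audit a printf-style format: how many arguments will it consume, and does it
 * contain %n? Handles "%%", positional "%1$", flags, "*" width/precision (each of
 * which consumes an argument) and length modifiers. Returns the argument count
 * (the larger of sequential and positional usage); sets *has_n when %n appears. */
int audit_format(const char *fmt, int *has_n) {
    int args = 0, max_pos = 0;
    *has_n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                               /* literal percent sign */
        int pos = 0;
        const char *q = p;
        while (*q >= '0' && *q <= '9') pos = pos * 10 + (*q++ - '0');
        if (*q == '$') { p = q + 1; if (pos > max_pos) max_pos = pos; } else pos = 0;
        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        if (*p == '*') { args++; p++; }                        /* width from an argument */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                                       /* precision */
            p++;
            if (*p == '*') { args++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;               /* length modifiers */
        if (!*p) break;                                        /* truncated directive */
        if (*p == 'n') *has_n = 1;                             /* write primitive */
        if (!pos) args++;                                      /* sequential conversion */
    }
    return args > max_pos ? args : max_pos;
}

/* Safe pattern for untrusted text: it is always data behind a constant format. */
int log_user_text(char *out, size_t outsz, unsigned int request_id, const char *user_text) {
    return snprintf(out, outsz, "[%08x] %s", request_id, user_text);
}
```

On the card's own string, audit_format reports one argument consumed and %n present; a wrapper that accepted user-supplied formats would reject exactly that combination, while log_user_text leaves "%x %n" in the user's text inert.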
URI stands for Uniform Resource Identifier. A URI requires a series of specific items in a specific order. Which URI is valid?
https://
/etc/shadow
mailto:user@example.com
user
mailto:user@example.com
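A URI can be checked the same way for both URI cards above: split it into its components and insist on a scheme. The following is an added C example, not the course's code, implementing the RFC 3986 generic syntax scheme ":" ["//" authority] path ["?" query] ["#" fragment] with the scheme grammar (a letter followed by letters, digits, "+", "-" or "."); uri_has_host adds the non-empty-host rule that a fetcher would want on top of the grammar. The buffer sizes are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char scheme[32], authority[128], path[256], query[128], fragment[128];
    int has_authority, has_query, has_fragment;
} uri_t;

static void copy_span(char *dst, size_t dstsz, const char *from, const char *to) {
    snprintf(dst, dstsz, "%.*s", (int)(to - from), from);
}

/* Split a URI into the five RFC 3986 components:
 *   scheme ":" [ "//" authority ] path [ "?" query ] [ "#" fragment ]
 * The scheme must start with a letter and contain only letters, digits, "+", "-"
 * or ".", ending at the first ":"; without one the string is not a URI at all.
 * Returns 0 on success, -1 if no valid scheme is present. */
int parse_uri(const char *s, uri_t *u) {
    memset(u, 0, sizeof *u);
    const char *p = s, *q = s;
    if (!isalpha((unsigned char)*q)) return -1;
    while (*q && (isalnum((unsigned char)*q) || *q == '+' || *q == '-' || *q == '.')) q++;
    if (*q != ':') return -1;
    copy_span(u->scheme, sizeof u->scheme, p, q);
    p = q + 1;
    if (p[0] == '/' && p[1] == '/') {                     /* authority: up to / ? # */
        p += 2;
        for (q = p; *q && *q != '/' && *q != '?' && *q != '#'; q++) {}
        copy_span(u->authority, sizeof u->authority, p, q);
        u->has_authority = 1;
        p = q;
    }
    for (q = p; *q && *q != '?' && *q != '#'; q++) {}      /* path: up to ? # */
    copy_span(u->path, sizeof u->path, p, q);
    p = q;
    if (*p == '?') {                                      /* query: up to # */
        for (q = ++p; *q && *q != '#'; q++) {}
        copy_span(u->query, sizeof u->query, p, q);
        u->has_query = 1;
        p = q;
    }
    if (*p == '#') {                                      /* fragment: the rest */
        snprintf(u->fragment, sizeof u->fragment, "%s", p + 1);
        u->has_fragment = 1;
    }
    return 0;
}

/* A syntactically valid URI can still name nothing: "https://" parses with an empty
 * authority and an empty path. Code that hands a URI to a fetcher should also
 * require a host when the scheme expects one. */
int uri_has_host(const uri_t *u) {
    return u->has_authority && u->authority[0] != '\0';
}
```

../../../../etc/passwd, /etc/shadow and user fail because no scheme precedes a colon; mailto:user@example.com parses with no authority and the path user@example.com; https:// satisfies the grammar with an empty authority and an empty path, which is why a validator needs uri_has_host (or an equivalent rule) to reject it as the card does.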
q = "SELECT user, age, gender FROM users WHERE user=" + username + " AND pass=" + password
Review Codeblock: Python Statement. This Python statement builds on an SQL query for authentication, where username and password are two variables derived from user input. Which combination of username and password values will lead to a bypass of the authentication?
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ; "" (an empty string)
' ' or 2=2;-- ; "" (an empty string)
admin; admin888
alert("you are hacked!") ;
' ' or 2=2;-- ; "" (an empty string)
Sometimes web applications will embed some encrypted secret data as hidden input fields on a web page. The secret data will be sent back to the server upon future requests. A major application for the secret data in these hidden input fields is to prevent cross-site request forgery (CSRF) attacks. JavaScript code has access to these hidden input fields and the values inside. Which statement most accurately describes how secure this secret data is?
The secret data can be stolen by malicious JavaScript code. It can also be leaked when transferred through HTTP.
Hidden input fields are secure. As a result, the secret data cannot be stolen by malicious JavaScript code or leaked when being transferred through HTTP.
The secret data can be stolen by malicious JavaScript code. But it cannot be leaked when transferred through HTTP.
The secret data cannot be stolen by malicious JavaScript code. But it can be leaked when transferred through HTTP.
The secret data can be stolen by malicious JavaScript code. It can also be leaked when transferred through HTTP.
In Linux, processes may start with root privileges and then drop privileges at a later time for better security. Privilege dropping can be done by calling setuid(). Under which circumstance can setuid() be called?
setuid() can only be called when euid is not 0.
setuid() can be called regardless of the value of euid.
setuid() can only be called when euid is 0.
setuid() can only be called when euid is 1000.
setuid() can be called regardless of the value of euid.
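Why setuid() is callable at any euid, and why that is not the whole story, as an added C example that is not the course's code: the kernel accepts the call from any process, but with euid 0 (root, or a SUID-root binary) it rewrites the real, effective and saved uid together, so the drop is permanent, whereas an unprivileged caller can only set its euid to its real or saved uid. drop_privileges applies the usual order (supplementary groups, then gid, then uid), verifies the result instead of trusting return codes, and checks that root cannot be regained. The uid/gid 65534 used for "nobody" in main is an assumption about the host.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to an unprivileged identity. setuid()/setgid() are legal at any
 * euid; what differs is their effect: with euid 0 they rewrite real, effective and
 * saved ids at once, otherwise they can only move between the real and saved ids.
 * Order matters: supplementary groups and gid first, because a process that has
 * already given up uid 0 can no longer change them.
 * Returns 0 when the drop succeeded and was verified, -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;   /* needs CAP_SETGID */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify rather than trust the return codes. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;                  /* regaining root must fail */
    return 0;
}

int main(void) {
    printf("before: uid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    /* As root this drops to "nobody" (uid/gid 65534 on most Linux systems, assumed);
     * as a normal user it is a drop to the caller's own identity. */
    uid_t target_uid = geteuid() == 0 ? (uid_t)65534 : getuid();
    gid_t target_gid = geteuid() == 0 ? (gid_t)65534 : getgid();
    int rc = drop_privileges(target_uid, target_gid);
    printf("after:  uid=%u euid=%u rc=%d\n", (unsigned)getuid(), (unsigned)geteuid(), rc);
    return rc == 0 ? 0 : 1;
}
```

Run it as root and the second line shows uid 65534; run it as yourself and the ids do not change, but the call sequence still succeeds, which is the point of the card.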
C programs must be compiled before running. What is an example of a commonly used C compiler under Linux?
file
Bash
CPython
GCC
GCC
Which name is a valid register name in x86-64 CPUs?
eay
r0
rsp
a0
rsp
In x86-64 assembly, leave is an instruction that is commonly seen in function epilogues. leave is equivalent to a short sequence of other instructions. Which sequence is it?
mov rsp, rbp; pop rbp; ret
mov rsp, rbp; pop rbp
pop rbp; mov rsp, rbp
push rbp; mov rbp, rsp
mov rsp, rbp; pop rbp