Final

Question 1

Machine Code

Answer 1

code computers execute.

Question 2

Complier

Answer 2

translates high-level code to machine code.(C to assembly to machine code)

Question 3

Assembly

Answer 3

human readable representation of machine code.(
– Intel syntax: <mnemonic> <dst> <src>
– AT&T: <mnemonic> <src> <dst>)</dst></src></mnemonic></src></dst></mnemonic>

Question 4

Memory stores ….

Answer 4

both data and code.

Question 5

little-endian architecture

Answer 5

least significant byte is stored first (ex. 0x112233, 0x33 0x22 0x11)

Question 6

% is for…

Answer 6

register

Question 7

$ is for…

Answer 7

immediate (constant value)

Question 8

Number without a $ …

Answer 8

memory address

Question 9

displacement formula is what?

Answer 9

displacement(base_reg, index_reg, scale)

result = base_reg + displacement + ( index_reg x scale)

Question 10

Memory Layout

Answer 10

-kernel space
-stack
-memory mapping
-heap
-bss
-data
-text

Question 11

Stack frame

Answer 11

-arg2
-arg1
-return address
- saved ebp
- local data

Question 12

security goals

Answer 12

security goals

● Confidentiality
– The property that information is not made available
to unauthorized entities.
● Integrity
– The property that information is not altered or
destroyed in an unauthorized manner.
● Availability
– The property that information is accessible and
usable upon demand by an authorized entity.
● Authentication
– The act of confirming the identity of an entity
interacting with a system.
● Authorization
– The act of assigning rights and privileges to entities
interacting with a system.
● Non-repudiation
– The ability to associate actions or changes to a
unique entity.

Question 13

Jmp + call

Answer 13

Jump to call, calls shell code which will push address on to stack, pop address into register

Question 14

Why can’t we use zero bytes?

Answer 14

string processing functions will stop copying shell code if it encounters 0x00

Question 15

What to do if zero bytes is in shell code?

Answer 15

• use alternative instructions
  -or encode/restructure data

Question 16

what does the byte for Nop?

Answer 16

\x90

Question 17

Nop Sled

Answer 17

Instruction that does nothing, the CPU Jumps to the next Nop until shell code is hit.

Question 18

Shell code injection payload

Answer 18

1.NOP SLED
2. Shell Code
3.Return Address

Question 19

PLT and GOT

Answer 19

PLT (Procedure Linkage Table) jumps to the address
where a function was previously called and saved in GOT(Global Offset Table)

Question 20

Memory Corruption

Answer 20

Go beyond memory bounds.
2) Do something malicious.
a) Hijack the execution flow.
b) Overwrite sensitive data.
c) Overread sensitive data.

Question 21

Human defenses for Memory Corruption prevent from happening in the first place

Answer 21

-Input Validation
- Use safer functions (strncpy instead of strcpy)
- Use memory safe languages
- write better code

Question 22

Shell injection steps

Answer 22

1)Run out of bounds.
2)Inject malicious code.
3)Overwrite control fields.
4)Guess important addresses.

Question 23

Non Executable Memory and example

Answer 23

HARDWARE DEFENSE
If an attacker injects malicious code (shellcode) into those regions — like the stack or heap — the CPU will refuse to execute it and throw a segmentation fault (crash).

Ex. NX, DEP, XD

Question 24

Return-to-libc

Answer 24

Execute existing functions with arguments
you choose.

libc is an attractive target.
– Powerful functions: system(), execve().
– Linked by most programs.
✅ It bypasses NX (Non-Executable) memory protections
✅ Because you’re calling code that already exists in memory
❌ It still requires control over the return address

Question 25

memory region cannot be both

Answer 25

writeable and executable

Question 26

return oriented programming

Answer 26

extends Return-to-libc, very fine grained attacks -Borrow small chunks of code(gadget) -chain them together to exploit

Question 27

Gadget

Answer 27

Usable code chunk that end with the ret instruction - gadget perform tiny updates to the program state - the thinner the better

Question 28

Free Branch

Answer 28

ret jmp call

Question 29

Finding gadgets

Answer 29

-existing instruction -unaligned instruction( doesn’t have to start at the beginning of a real instruction — you can start reading in the middle of a legit instruction if it happens to decode into valid instructions ending in ret.) -can start unaligned then align back to original sequence -

Question 30

Stack Canarie aka cookie

Answer 30

random value in stack, if overwritten and canary is not alive, the code will crash ( how canaries were historically used in coal mines to detect dangerous gases. ) starte with zero byte bc \x00, strcpy, strcpy terminate at zero byte Compiler defense

Question 31

ASLR

Answer 31

Address Space Layout randomization Randomizes the memory addresses of: The stack The heap Libraries (like libc) The executable binary itself (if PIE-enabled) OS level defense

Question 32

Bypass ASLR and Canary

Answer 32

- guess -use memory disclosure vulnerability - attack unprotected resource -

Question 33

Control flow integrity

Answer 33

the intended path the program takes through its functions and code.

Question 34

Printf( "hello %why is this a problem"

Answer 34

treats like a memory location and writes to memory and potentially overwrite memory - can be used to read memory

Question 35

Quick sort scheme

Answer 35

Lomuto partintion pivot = rightmost element partition around pivot repeat for each partition

Question 36

Algorithmic complexity attack

Answer 36

attacker makes input that would cause worse case behavior for algorithm, denial of service.

Question 37

Hash table attack

Answer 37

-find weak hash funtion -control input -overload with data -

Question 38

defense for data structure

Answer 38

limit data input monitor resource use use safest also or structure

Question 39

Side Channel Attack

Answer 39

instead of attack bug, attack indirect effects, data leakage, low level implementation detail

Question 40

TDP

Answer 40

thermal design Point

Question 41

DVFS

Answer 41

dynamic voltage and frequency scaling

Question 42

Hamming weight:

Answer 42

number of 1s in a value

Question 43

Hamming distance:

Answer 43

number of bit differences between two values

Question 44

Fault injection

Answer 44

subject hardware to unexpected condition -cooling -heating -high/low volatge -radiation

Question 45

cold boot Attack

Answer 45

RAm retains data after power off, the colder the longer it retains data

Question 46

Row hammer

Answer 46

flip bits in attack

Question 47

defense for hardware

Answer 47

-constant time -make access to side channel harder - execution control flow should not depend on secret data

Question 48

Accident modeling

Answer 48

predict future to prevent - event chain -direct casualty -reliability -component failure

Question 49

Accident analysis

Answer 49

-traiditonal accident look at root cause

Question 50

reliability

Answer 50

measure of time between failure

Question 51

stamp

Answer 51

systems theoretic accident model & processes

Question 52

three approaches to threat model

Answer 52

-focus assets -focus attacker -focus on system

Question 53

model

Answer 53

shows high level architect DFD data flow diagram

Question 54

STRIDE

Answer 54

SPOOF - authentication Tampering - integrity Repudiation information disclosure Denial of Service Elevation of privlege