middy1

Question 1

What is authentification?

Answer 1

Proving who you are

Question 2

What are the 4 means of authenticating a user?

Answer 2

Something the user:
1. knows
2. possesses
3. is
4. does

Question 3

Regarding authentication, what is an example of something the user knows?

Answer 3

car model, password, PIN

Question 4

Regarding authentication, what is an example of something the user possesses?

Answer 4

smartphone, physical key, tokens

Question 5

Regarding authentication, what is an example of something the user is?

Answer 5

face, fingerprint, iris

Question 6

Regarding authentication, what is an example of something the user does?

Answer 6

Typing rhythm, voice pattern

Question 7

What is the safe way to store passwords?

Answer 7

By hashing passwords with a salt and storing them in a file only the root user can access.

Question 8

What is a vulnerability?

Answer 8

a flaw that is accessible to an adversary who can exploit that flaw.

Question 9

What is a flaw?

Answer 9

a functionality that violates security and reachable.

Question 10

What is an exploit?

Answer 10

provides input to cause security violation and the adversary can produce an attack payload.

Question 11

What defines how flaws are reachable?

Answer 11

threat models

Question 12

What are the 3 security requirements?

Answer 12

confidentiality, integrity, availability

Question 13

Regarding security, what is confidentiality?

Answer 13

secrecy, sensitive data should be safe from adversary.

Question 14

Regarding security, what is integrity?

Answer 14

when sensitive data is safe from unauthorized modification and is accurate.

Question 15

Regarding security, what is availability?

Answer 15

when the services are available for users.

Question 16

For the line below, what code form is it in? Explain it:

int t = x + y;

Answer 16

( C code )

two integers are being added and the result is stored in t.

Question 17

For the line below, what code form is it in? Explain it:

addl 8(%ebp), %eax

Answer 17

( Assembly code )

adding two 4-byte integers

Question 18

For the line below, what code form is it in?

0x80483ca: 03 45 08

Answer 18

Object code

This 3-byte instruction is being stored at address 0x80483ca.

Question 19

what is eip?

Answer 19

Extended instruction pointer, this register holds the address of the next instruction.

Question 20

what is EFLAGS?

Answer 20

the condition codes.

Question 21

What can modify the eip?

Answer 21

CALL, RET, JMP, and cond. JMP

Question 22

How can we reference memory?

Answer 22

loading a value from memory (mov)
or
loading an address (lea)

Question 23

Is this a direct or indirect jump?

jmp 0x45

Answer 23

direct

Question 24

Is this a direct or indirect jump?

jmp *eax

Answer 24

indirect

Question 25

How does the stack grow?

Answer 25

It grows down towards lower addresses.

Question 26

What is stored on the stack frame?

Answer 26

local variables, arguments, temporary space

Question 27

How are the arguments pushed onto stack? printf("%s, %d", aString, anInt)

Answer 27

------------------------- "%s, %d" ------------------------- aString ------------------------- anInt -------------------------

Question 28

What is buffer overflow?

Answer 28

occurs when data is written outside of the space allocated for the buffer (C does not check that write are in-bound)

Question 29

What are the 2 types of buffer overflow?

Answer 29

Stack-based, Heap-based

Question 30

How do you generate a exploit for a basic buffer overflow?

Answer 30

1. Determine size of stack frame up to head of buffer. 2. Overflow buffer with the right size.

Question 31

What are the root cause of hijacks?

Answer 31

Bugs

Question 32

What are defenses against buffer overflow exploits?

Answer 32

canaries, Data Execution Prevention (DEP) / No execute (NOP), Address Space Layout Randomization (ASLR)

Question 33

How does the canary defense work for buffer overflow?

Answer 33

Put canary words between return addresses and local variables. Check before and after the values of the canaries. If the canary value changes, it was overwritten.

Question 34

What are the disadvantages of the canary defense?

Answer 34

The check of the canary does not happen until epilogue (right before the function returns), a function/data pointer can be overwritten, bypassing the canary

Question 35

What is DEP?

Answer 35

Data execution prevention This is a buffer overflow defense that prevents certain regions in memory non-executable.

Question 36

How can you bypass DEP?

Answer 36

You can modify existing executable code or use ROP.

Question 37

What is ASLR?

Answer 37

Address Space Layout Randomization this bufferflow defense randomizes addresses of each region.

Question 38

What is ROP?

Answer 38

Return oriented programming forging shellcode from existing code by assembling sequences of the code (gadgets).

Question 39

What are the principles of a Reference Monitor?

Answer 39

1. complete mediation - the ref monitor must always be invoked. 2. Tamper-proof 3. Verifiable

Question 40

What are the two main (control) data to worry about?

Answer 40

return address and function pointer

Question 41

What is CFI and its purpose?

Answer 41

Control Flow Integrity, ensures that control flow follows a path in CFG

Question 42

What is heap memory?

Answer 42

An allocation is assigned a contiguous range of virtual mem within the heap (malloc), this is were dynamic mem allocations occur

Question 43

Which defenses helps with heap buffer overflow? - canaries - DEP - ASLR - CFI

Answer 43

No, canaries are too expensive to insert and check. No, DEP has no shellcode to inject and execute. No, ASLR doesnt change relative location of objects and their fields. Yes, CFI can help but only with control flow and not for data attacks.

Question 44

What determines the heap mem layout?

Answer 44

heap allocator

Question 45

How does the heap allocator maintain what it stores?

Answer 45

using a doubly linked list

Question 46

What is one way to attack the heap stack?

Answer 46

1. overwrite the metadata from the next chunk. 2. trigger a malloc operation to remove the chunk. 3. Arbitrary write primitive

Question 47

How do you prevent a use-after-free vulnerability?

Answer 47

Check every free chunk to detect any tampering prior to free-ing.

Question 48

What is use-after-free?

Answer 48

When a prog continues to use a pointer after freeing it.

Question 49

What is RASQ?

Answer 49

Relative Attack Surface Quotient - a metric that counts the number of unsafe instances and is used to compare systems

Question 50

Which of the following describes a denial of service attack? a) it can stop legit users from using a service. b) it is hard to notice. c) it can happen either locally or over the network.

Answer 50

a, b

Question 51

Which of the following are true about passwords? a) if the hard drive is stolen, its easy to steal passwords saved on them. b) passwords should be stored on computers securely (e.g. in hashed or encrypted) c) passwords should alway be stored in hashes. Encryption is bad for passwords.

Answer 51

b

Question 52

Describe the purpose of the instruction CALL.

Answer 52

Jumps to the address of the function being called. - pushes the return address - jumps to function being called

Question 53

Describe the purpose of the instruction LEAVE.

Answer 53

cleans up the stack before returning from a function. - restores the stack pointer to the value it had before the function was called.

Question 54

Describe the purpose of the instruction RET.

Answer 54

returns control to the calling function after a function finishes executing. - pops the return address from the stack and jumps to that address and resumes execution right after the point where the function was called.