Quiz 3

Question 1

What makes two variables aliases?

Answer 1

They reference the same memory location

Question 2

What has to decided for every pair of pointers at every program’s point?

Answer 2

Do the pointers point to the same memory location

Question 3

What are the issues that may arise when analyzing pointers?

Answer 3

Do each pair of pointers point to the same memory location?
What pointers to report that do or may alias
Which pointers are ambiguous.

Question 4

What will occur with this code?
Char *p;
*p = ‘A’;

Answer 4

It may or may not result in a segmentation fault because the pointer is not initialized

Question 5

Give the alias set for the following code
int x,y;
int *p = &x;
int *q = &y;
int *r = p;
int *r = p;
int **s = &q;

Answer 5

{x, *p, *r}
{y, *q, **s}
{q, *s}

Question 6

Give the Alias for this code.
int x = 10;
int y = 20;
int *p;
if (true)
p = &x;
else
p = &y;

Answer 6

{x, *p}
{y, *p}
{p}

Question 7

What is a checker?

Answer 7

A program that is defined by a state diagram with state transitions and error states

Question 8

How does the checker runs?

Answer 8

It assigns an initial state to each program variable
States at program point depends on state at previous point, program actions
Emits an error if a error state is reached

Question 9

What are the three ways programs can be analyzed?

Answer 9

Static Analysis
Dynamic Analysis
Concolic Analysis

Question 10

What is static analysis?

Answer 10

Inspecting code or run a automated method to find errors or gain confidence about their absence

Question 11

What is dynamic analysis?

Answer 11

Running code with sample test input, possible under instrumented conditions, to see if there are likely problems

Question 12

What is concolic analysis?

Answer 12

A hybrid program verification technique that performs symbolic execution, along a concrete execution path

Question 13

What is symbolic execution?

Answer 13

A classical technique that treats program variables as symbolic variables

Question 14

What are some examples of static analysis?

Answer 14

FindBugs, Fortify, Coverity, MS Tools

Question 15

What is static analysis best used for?

Answer 15

Problem identification

Question 16

Why is static analysis best used for problem identification?

Answer 16

It checks thoroughly and consistently
Can point to the root cause of the problem
Helps find error/bugs early in development
New information can be easily incorporated to recheck a given system

Question 17

What is program verification?

Answer 17

Checks if a given input results in a correct given output

Question 18

What are the advantage and disadvantage of static analysis?

Answer 18

Advantage: achieves completeness
Disadvantage: suffers soundenss

Question 19

What is the most critical component of static analysis?

Answer 19

Constructing the model using data flows, control flows and pointer analysis

Question 20

What is static analysis used for in security?

Answer 20

Finding bugs, verifying program correctness

Question 21

Why isn’t dynamic analysis useful on its own?

Answer 21

It doesn’t give you a good enough explanation of what went wrong when the program fails

Question 22

What is the leading cause of errors in C?

Answer 22

Memory corruption

Question 23

What errors does AddressSanitizer detect?

Answer 23

Out-of-bounds array accesses
Use pointer after call to free()
Use stack variables after it is out of scope
Double frees or other invalid frees
Memory leaks

Question 24

What are some issues with static analysis?

Answer 24

I can give alot of noise or unneeded information
It has both false positives and false negatives
Defects must be visible to the tool

Question 25

What is the definition of soundness in regard to static analysis?

Answer 25

Sound for reporting correctness ie if theres a bug it reports it

Question 26

What is the definition of completeness?

Answer 26

Complete for reporting correctness

Question 27

What are the properties of static analysis?

Answer 27

Considering all possible inputs Find bugs and vulnerabilities Could prove the absence of bugs in some cases

Question 28

What are the properties of dynamic analysis?

Answer 28

The sample test input must be chosen Can find bug vulnerabilities but not prove their absence Uses instrument code for testing There is also blackbox testing for dynamic analysis: fuzzing and penetration testing

Question 29

What is valgrind?

Answer 29

A general purpose dynamic analysis tool

Question 30

What is valgrind used for?

Answer 30

Memory debugging, memory leak detection and profiling

Question 31

How does valgrind function?

Answer 31

It runs programs on a virtual machine, this gives it a large amount of arbitrary transformations on the program

Question 32

Why does valgrind have a very high overhead?

Answer 32

It shadows all program values: registers and memory, this also requires threads to be serialized

Question 33

What are two use cases where valgrind would want to be used?

Answer 33

Complex memory bugs that are not detected by simpler tools Complex profiling tasks

Question 34

What does valgrind memcheck do?

Answer 34

Validates memory operations in a program

Question 35

How does valgrind memcheck validate mem operations in a program?

Answer 35

Each allocation is freed once Each access is to a currently allocated space All reads are to locations already written this results in around 10-20x overhead

Question 36

What is the structure for instrumentation granularity?

Answer 36

Instruction Basic Block Trace

Question 37

What is in the basic block for instrumentation granularity?

Answer 37

A sequence of instructions Single entry, single exit Termination point with one control flow instruction

Question 38

What is in the trace for instrumentation granularity?

Answer 38

A sequence of executed basic block

Question 39

What is Symbolic Execution?

Answer 39

Executing the program with symbolic valued inputs

Question 40

What are some areas where symbolic execution is implemented?

Answer 40

KLEE, angr, Triton, Java PathFinder, etc

Question 41

What is the symbolic engine?

Question 42

What is the SMT solver?

Answer 42

A very complex mathematical solver

Question 43

What are some issues with the symbolic engine?

Answer 43

Infinite execution tree Exponentially many paths

Question 44

What is concolic execution?

Answer 44

Combining concrete execution and symbolic execution?

Question 45

What is the intention of concolic execution?

Answer 45

To visit deep into the program execution tree

Question 46

What is Fuzzing?

Answer 46

Automated software testing

Question 47

How does fuzzing work?

Answer 47

It generates invalid unexpected or random inputs to the program

Question 48

What is dumb fuzzing?

Answer 48

Blindly mutating existing valid inputs

Question 49

What is smart fuzzing?

Answer 49

It has two principles being generation based and being guided

Question 50

What is generation based smart fuzzing?

Answer 50

Generating inputs according to protocol specification

Question 51

What is guided fuzzing?

Answer 51

Collecting feedback to guide the next round of mutations

Question 52

What is mutation based fuzing?

Answer 52

adding anomalies to existing valid inputs

Question 53

What are some examples of things changed through mutations?