Real Midterm

Question 1

The returns of strcpy() store in what register that have the address of what buffer?

Answer 1

EAX, Destination

Question 2

Which of the following step/steps is/are required to execute a shell code in memory?

Answer 2

Find the vulnerability, store the shellcode to the executable memory, hijack control flow/EIP to shellcode

Question 3

Will comparing a signed integer with an unsigned integer cause an integer overflow?

Answer 3

Yes

Question 4

Why is it important to execute an exit() syscall for the code reuse attacks?

Answer 4

To avoid a crash and leave no attack trace

Question 5

Which one of the following is a safe libc function?

Answer 5

strncpy

Question 6

A shell code can be used for what?

Answer 6

Creating a new user, changing user password, opening a connection to the attackers machine

Question 7

Suppose we have the following gadgets
G1:
pop %ebx
ret
G2:
pop %ecx
ret
G3:
movl %ebx, %(ecx)
To achieve the following operation, determine the order of gadgets
store 10 at memory address 0x805000

Answer 7

G2, 0x805000, G1, 10, G3

Question 8

NOP equivalence for stack pointer (esp) move is a gadget that only contains a what instruction?

Answer 8

ret

Question 9

Finding gadgets is traditionally a what recursive traverse algorithm and searchable through a what representation?

Answer 9

Backward, Trie

Question 10

True or false: Type confusion bugs are caused by inappropriate up-casts.

Answer 10

False

Question 11

Direct function calls are what?

Answer 11

Not exploitable

Question 12

For ROP attacks, any gadget should ends with a what instruction?

Answer 12

ret

Question 13

The leave instruction (AT&T) combines what instructions?

Answer 13

mve %ebp, %esp
pop %ebp

Question 14

Format string specifier %n is significant for what?

Answer 14

Writing the number of characters printed so far in a pointer

Question 15

The following order can be used in position independent shellcode to get the address of a string

Answer 15

Execute jmp to a call instruction sits right before the string, then call instructions goes back to jump+1 after pushing to the return address to the stack

Question 16

True or False: In a double free, an exploitation occurs when the program calls free(q) on a region that contains data set by the attacker and the second free(q) will try to use the fake chunk tag.

Answer 16

True

Question 17

The ret instruction is equivalent to what?

Answer 17

pop %eip

Question 18

To execute a system call, a shellcode must contain what?

Answer 18

Store syscall id in EAX register

Question 19

Why is it difficult to detect a Use-After-Free vulnerability?

Answer 19

They only exist in a particular execution path

Question 20

Code reuse attacks can bypass what defenses?

Answer 20

Code signing and Write or Execute

Question 21

What vulnerability is a double fetch bug a form of?

Answer 21

A race condition

Question 22

In Stack Guard implementation the function prologue does what?

Answer 22

Stores a canary word between return address and locals

Question 23

/GS protection alone is not enough to defend against exception handler based exploits because?

Answer 23

The exception is triggered before the canary is checked

Question 24

In StackGuard implementation the function epilogue does what?

Answer 24

Checks canary before the function returns

Question 25

True or False: Context sensitive CFI policy is simple but imprecise compared to Context-insensitive CFI policy

Answer 25

False

Question 26

The most popular target of heap spray attacks is what?

Answer 26

Browser code

Question 27

Which of the following register is used by the GCC stack smashing protector to locate the random canary?

Answer 27

%gs

Question 28

A terminator canary may consist of what?

Answer 28

\n\n\n\n

Question 29

Which of the following address randomizations is widely deployed?

Answer 29

Address space layout randomization

Question 30

Which of the following principles should be maintained by an inline reference monitor?

Answer 30

Reference monitors must always be invoked

Question 31

Where can a reference monitor be implemented?

Answer 31

Wrapping around the target program, inside the kernel or inside the target program

Question 32

The probability of a successful heap spray attack does not depend on

Answer 32

The length of each targeted sensitive object in the memory

Question 33

StackGuard protection can be bypassed by what?

Answer 33

Leveraging information leak vulnerability

Question 34

/GS Stack frame stores the exceptional handlers just before what?

Answer 34

The canary

Question 35

Which of the following is not a component of CFI defense mechanism?

Answer 35

Code Obfuscation

Question 36

Applications with Write or Exectute (W^X) protection, their stack/heap memory is what?

Answer 36

Writable, but not executable

Question 37

Race windows in a Race condition is a what?

Answer 37

Code segment

Question 38

A race condition vulnerability must consist of what?

Answer 38

A concurrency property
A shared object property
A change state (share object) property

Question 39

In ProPolice protection mechanisms, in addition to canaries?

Answer 39

Local variables are rearranged by their types

Question 40

Intel CET Shadow Stacks maintain a shadow copy of what?

Answer 40

The return address

Question 41

What is a buffer overflow?

Answer 41

A buffer overflow is when data is written outside the bounds of the allocated buffer space

Question 42

Why are buffer overflows common in C/C++ programs?

Answer 42

They are common in C/C++ programs because there are not automatic bounds checking

Question 43

What can buffer overflows be leveraged to do?

Answer 43

Hijack the control flow of a program and execute arbitrary code by overriding the function pointers or return addresses

Question 44

What are some common unsafe C functions that can allow attackers to perform buffer overflows?

Answer 44

strcpy, strcat, gets, and scanf

Question 45

What is a safeish libc function?

Answer 45

strncpy

Question 46

What is commonly used to identify potential buffer overflows?

Answer 46

Fuzz testing (by using random inputs)

Question 47

What can address sanitizing do to help detect buffer overflows?

Answer 47

They help detect out of bound writes during testing

Question 48

When the return address is overwritten by an attacker during a stack buffer overflow what can occur?

Answer 48

The program can then be used to jump to the attackers code

Question 49

What are some defenses against buffer overflows?

Answer 49

Bounds checking, canaries, ASLR ie randomizing the addresses, and using safer functions

Question 50

What was the first major exploit of buffer overflows?

Answer 50

The internet worm using the fingerd service

Question 51

What are some targets for control flow hijacking using buffer overflows?

Answer 51

Function pointers
exception handlers
vtables
longjmp buffers

Question 52

What are heap based buffer overflows?

Answer 52

When the allocated heap buffer is overflowed and causes the overwriting of the adjacent heap metadata structures

Question 53

Why do some defense mechanisms not get implemented?

Answer 53

Because of performance overhead concerns

Question 54

What are type confusions?

Answer 54

Vulnerabilities that occur when code accesses a memory resource using an incompatible type

Question 55

Why does type confusions often occur in C/C++?

Answer 55

There are no runtime type safety checks so pointers can be cast to incompatible types

Question 56

What are some different casting operations that could cause type confusion?

Answer 56

Static casting with static_cast
Dynamic casting with dynamic_cast
C-style casting with (Type)

Question 57

What is a common cause of type confusion bugs?

Answer 57

Illegal downcasts

Question 58

What are some defenses against type confusion bugs?

Answer 58

Runtime type checking, strict casting rules and using type safe languages like java

Question 59

What is an integer overflow?

Answer 59

An integer value that exceeds its maximum value and as a result wraps around

Question 60

Can converting from a signed to an unsigned integer cause an integer overflow?

Answer 60

Yes

Question 61

What are the best practices for using integers?

Answer 61

Using size_t when needing the size of a count
Using uint8_t for specific bit-width
Using intptr_t to have an integer to hold a pointer

Question 62

How do format string bugs occur?

Answer 62

When user-controlled inputs are passed as the format string parameters to certain functions

Question 63

What are some common specifiers using in format string bug attacks?

Answer 63

%p %d %c %u %x %s %n

Question 64

What is a use after free bug?

Answer 64

A program continues to use the memory after it has been freed, leading to an accessing deallocated or stale memory

Question 65

What is the cause of use after free bugs?

Answer 65

Wrongly handled error conditions, unaccounted for program states, confusion over which part of the code is responsible for freeing the memory

Question 66

How can use after free bugs be exploited?

Answer 66

By leading the program to allocate memory over the previously freed area. That area could contain code that the attacker placed there to be used for his advantage

Question 67

Why are use after free bugs hard to detect?

Answer 67

They only manifest in certain states of program execution
The bug is not visible at the time of the free call

Question 68

What are some prevention methods around use after free bugs?

Answer 68

Setting freed pointers to null and checking for null before being used

Question 69

What is a double free vulnerability?

Answer 69

When the same region of memory is freed twice without it being reallocated again in between

Question 70

What is shellcode?

Answer 70

Executable code used by attackers to achieve arbitrary code execution after hijacking the control flow

Question 71

What can the shellcode do?

Answer 71

Nearly anything like creating users, opening backdoors or spawning shells, changing the password of a user

Question 72

What are some solutions to find the addresses of parameters and setting the return addresses?

Answer 72

NOP sleds and position-independent code

Question 73

What are some attacks that can bypass Write or Execute defenses?

Answer 73

Return to libc or return oriented programming

Question 74

Hoes does ROP work?

Answer 74

By chaining together gadgets ending in return instructions to achieve arbitrary computation without code injection.

Question 75

What are the building blocks of ROP?

Answer 75

Constants, control flow, and multiple gadgets

Question 76

What are the steps of executing a system call?

Answer 76

Store syscall number in eax
Save arg 1 iin ebx, arg 2 in ecx and arg3 in edx
Execute int 0x80 or sysenter
Syscall runs and returns the result in eax

Question 77

What are some solutions to knowing the address of memory based parameters?

Answer 77

Pushing the address to the stack and getting addr from esp
Using position independent code

Question 78

How and why are NOP sleds used?

Answer 78

NOP sleds are used to help approximate the return addresses for the shellcode
NOPs simply advance the instruction pointer until it hits the shellcode

Question 79

What are the two main types of code reuse attacks?

Answer 79

Return to libc and return oriented programming

Question 80

How does ROP approximate constants?

Answer 80

Storing the constants on the stack, popping the constants into the register to use

Question 81

How does ROP approximate the control flow?

Answer 81

Conditionally setting the EIP to new values

Question 82

What is an example of an ROP using multiple gadgets to load memory into a register

Answer 82

Loading the address of a source word into %eax
Loading the memory into (%eax) into %ebx

Question 83

What are some recent advances in ROP?

Answer 83

Just in time ROP
Blind ROP
Block Oriented Programming Compiler

Question 84

What is the use of Just in Time ROP?

Answer 84

Defeating fine grained code randomization
Recusrively exploiting a memory disclosure to map the code of the victim process on the fliy
Discovering gadgets and JIT complie a ROP program

Question 85

What is Blind ROP?

Answer 85

Remote brute forcing an ROP without knowing the target program

Question 86

What is Block Oriented Programming Compiler?

Answer 86

Automatically synthesizing arbitrary turning complete data only payloads

Question 87

What is Ret2ret?

Answer 87

Overwriting one byte of the stack pointer with 0 to make it point to the shellcode
The vulnerable buffer sits lower on the stack than the pointer

Question 88

What is Ret2eax?

Answer 88

Overflowing the buf in msglog to place the shellcode in buf
strcpy saves the buf address in eax
Hijacking control flow to a subsequent call *eax and running the shellcode from there

Question 89

What is required for a race condition to occur?

Answer 89

2 concurrent control flows accessing a shared object with at least one flow altering the object state

Question 90

What is a race condition?

Answer 90

The ordering of execution of concurrent threads results in unintended behavior due to unanticipated timing

Question 91

What is the code that access the shared object that could result in a race condition called?

Answer 91

Race window or critical section

Question 92

What can be used to avoid race windows overlapping?

Answer 92

Synchronization primitives such as mutexes and semaphores

Question 93

What are some ways to avoid race conditions?

Answer 93

Mutual exclusion, avoiding sharing, atomics and static/dynamic analysis

Question 94

What is heap spraying?

Answer 94

Filling the heap with shellcode and NOP sleds to make it more likely that a control flow hijack will hit

Question 95

What are some defenses against heap spraying?

Answer 95

Heap layout randomization, isolating browser and javascript heap

Question 96

What are the source of race conditions

Answer 96

Trusted (highly coupled threads of execution) or untrusted (separate application of processes)

Question 97

What is a double fetch bug?

Answer 97

A bug that occurs when the same data is fetched twice from memory by a program

Question 98

What are some scenarios that could lead to double fetch bugs?

Answer 98

Dependency lookup (retrieving some dependent information which gets changed by another thread before being used)
Protocol/signature checking
Information guessing

Question 99

How does a data race occur?

Answer 99

When two or more threads access the same memory location concurrently

Question 100

What is heap spraying?

Answer 100

Filling the heap with a large amount of attack payloads

Question 101

What is used to spray the heap with shellcode and NOP sleds?

Answer 101

Javascript

Question 102

What is pointed in the spray area during a heap spray?

Answer 102

The vtable pointer

Question 103

What is a vulnerable buffer placement?

Answer 103

Placing a vulnerable buf next to an object

Question 104

What does a nozzle do?

Answer 104

Detects heap sprays by checking the prevalence of code on the heap

Question 105

What does OpenBSD do?

Answer 105

Prevent cross page overflow

Question 106

What is the aim of attackers

Answer 106

To hijack the control flow and execute arbitrary code

Question 106

What are some defenses against attackers

Answer 106

Canaries
Write or Executable
StackGuard/ProPolice
SAFESEH/SEHOP
Shadow Stacks/Safe Stacks
Address Randomization
Obfuscation
Reference Monitors
Control Flow Integrity

Question 106

What are some targets of attackers?

Answer 106

Return addresses
Vtables
Function pointers

Question 107

What are canaries?

Answer 107

A technique used to detect stack based buffer overflows

Question 108

The function prologue places a canary value where?

Answer 108

Between the return address and local variables

Question 109

The function epilogue does what?

Answer 109

Checks if the canary is unchanged before returning

Question 110

What did Stack Guard originally do?

Answer 110

Added canaries

Question 111

What are the two types of canaries?

Answer 111

Random canaries where a random value is chosen at the program start and inserted in each stack frame and
Terminator canaries a special value that string functions will not copy over

Question 112

How did ProPolice improve stackguard?

Answer 112

by reordering stack variables to protect pointers

Question 113

What does VS /GS option do?

Answer 113

Combines ProPolice and random canaries and calls exit() on a mismatch

Question 114

What are some things canaries cannot protect against?

Answer 114

Heap overflows or integer overflows

Question 115

What is the point of shadow and safe stacks?

Answer 115

To separate control data from user data

Question 116

Shadow stacks maintain a separate stack for what?

Answer 116

Return addresses

Question 117

Safe stacks splits the program stack into two regions for what?

Answer 117

A safe region for control data and an unsafe region for other data

Question 118

Can safe stacks be implemented in compilers (LLVM and GCC)

Answer 118

Yes

Question 119

Intel’s new shadow stacks will do what?

Answer 119

Have a new shadow stack pointer that call/ret updates automatically

Question 120

Shadow stacks rely on what assumption?

Answer 120

That the location of the shadow/safe stack is hidden from attackers

Question 121

Code pages are marked as what in W^X?

Answer 121

Executable but not writable

Question 122

Data pages (stack, heap, globals) are marked as what?

Answer 122

Writable but not executable

Question 123

W^X is supposed to prevent what?

Answer 123

Code injection atacks

Question 124

What does W^X not protect against?

Answer 124

Code reuse attacks like return to libc or ROP as the reuse existing code

Question 125

If an executable heap is needed what could be used to circumvent W^X?

Answer 125

Heap sprays

Question 126

What does ASLR do?

Answer 126

Randomize the memory layout of a process to make exploits harder

Question 127

What does ASLR do in reguards to exploits like return to libc and stack/heap overflows?

Answer 127

Make them probalistic

Question 128

What are some ways to override ASLR?

Answer 128

Brute force mechanisms, leaking the addresses through other bugs or using code gadgets that are not ranodmized

Question 129

What does fine grained code randomization do?

Answer 129

Randomizes code within programs and libraries themselves

Question 130

At what level does fine grained techniques randomize code?

Answer 130

Function, basic block or instruction level

Question 131

Function block randomization does what?

Answer 131

Shuffles the order of functions within each code section

Question 132

Basic block randomization does what

Answer 132

Randomizes the order of basic blocks within each function

Question 133

Instruction level randomization does what?

Answer 133

Changes the order of instructions within basic blocks through the insertion of unconditional jumps

Question 134

What is code obfuscation?

Answer 134

Transforming programs to make them more difficult for humans to understand while preserving semantics

Question 135

What is the purpose of code obfuscation?

Answer 135

To protect intellectual property and prevent reverse engineering

Question 136

What are some obfuscation techniques?

Answer 136

Lexical transformation
Control transformations
Data transformation
Anti-disassembly tricks
Anti debugging tricks

Question 137

What are some metrics to judge code obfuscation?

Answer 137

Potency, resilience, and low overhead

Question 138

What is lexical transformation?

Answer 138

Var names becoming nonsense

Question 139

What is control transformations

Answer 139

Changing the program flow and logic structure while maintaining functionality

Question 140

What is data transformations?

Answer 140

Modifying data structures and represenations

Question 141

What are anti debugging tricks?

Answer 141

Tricks to detect and impede debuggers

Question 142

What are reference monitors?

Answer 142

A component that monitors a systems execution to enfore compliance with a security policy

Question 143

What are the principles of reference monitors?

Answer 143

Complete mediation
Tamperproof
Verifiable
Low overhead

Question 144

What is the purpose of CFI?

Answer 144

To prevent control flow hijacking by ensuring software execution stays within a predetermined control flow graph

Question 145

How can the effectiveness of a CFI be measured?

Answer 145

By the largest and average EC size

Question 146

What is a EC?

Answer 146

A group of targets that CFI cannot distinguish/separate

Question 147

When are CFG computed?

Answer 147

Statically through program analysis

Question 148

What is SAFESEH?

Answer 148

A linker that produces a binary with a table of safe exception handlers