Real Midterm Flashcards

(150 cards)

1
Q

The return value of strcpy() is stored in what register, and it holds the address of what buffer?

A

EAX, Destination

2
Q

Which of the following steps is/are required to execute shellcode in memory?

A

Find the vulnerability, store the shellcode in executable memory, hijack control flow (EIP) to the shellcode

3
Q

Will comparing a signed integer with an unsigned integer cause an integer overflow?

A

Yes

4
Q

Why is it important to execute an exit() syscall for the code reuse attacks?

A

To avoid a crash and leave no attack trace

5
Q

Which one of the following is a safe libc function?

A

strncpy

6
Q

Shellcode can be used for what?

A

Creating a new user, changing a user's password, opening a connection to the attacker's machine

7
Q

Suppose we have the following gadgets:
G1:
pop %ebx
ret
G2:
pop %ecx
ret
G3:
movl %ebx, (%ecx)
To achieve the following operation, determine the order of the gadgets:
store 10 at memory address 0x805000

A

G2, 0x805000, G1, 10, G3

8
Q

The NOP-equivalent gadget (one that only moves the stack pointer, esp) contains only what instruction?

A

ret

9
Q

Finding gadgets traditionally uses what kind of recursive traversal algorithm, with the results searchable through what representation?

A

Backward, Trie

10
Q

True or false: Type confusion bugs are caused by inappropriate up-casts.

A

False

11
Q

Direct function calls are what?

A

Not exploitable

12
Q

For ROP attacks, every gadget should end with what instruction?

A

ret

13
Q

The leave instruction (AT&T) combines what instructions?

A

mov %ebp, %esp
pop %ebp

14
Q

Format string specifier %n is significant for what?

A

Writing the number of characters printed so far to the location a pointer argument points to

15
Q

What sequence can be used in position-independent shellcode to get the address of a string?

A

Execute a jmp to a call instruction that sits right before the string; the call then goes back to jmp+1 (the instruction after the jmp) after pushing the return address onto the stack

16
Q

True or False: In a double free, an exploitation occurs when the program calls free(q) on a region that contains data set by the attacker and the second free(q) will try to use the fake chunk tag.

A

True

17
Q

The ret instruction is equivalent to what?

A

pop %eip

18
Q

To execute a system call, shellcode must do what?

A

Store the syscall id in the EAX register

19
Q

Why is it difficult to detect a Use-After-Free vulnerability?

A

They only exist in a particular execution path

20
Q

Code reuse attacks can bypass what defenses?

A

Code signing and Write or Execute (W^X)

21
Q

What vulnerability is a double fetch bug a form of?

A

A race condition

22
Q

In the StackGuard implementation, the function prologue does what?

A

Stores a canary word between the return address and the local variables

23
Q

Why is /GS protection alone not enough to defend against exception-handler-based exploits?

A

The exception is triggered before the canary is checked

24
Q

In the StackGuard implementation, the function epilogue does what?

A

Checks the canary before the function returns

25
True or False: A context-sensitive CFI policy is simple but imprecise compared to a context-insensitive CFI policy
False
26
The most popular target of heap spray attacks is what?
Browser code
27
Which of the following registers is used by the GCC stack smashing protector to locate the random canary?
%gs
28
A terminator canary may consist of what?
\n\n\n\n
29
Which of the following address randomizations is widely deployed?
Address space layout randomization
30
Which of the following principles should be maintained by an inline reference monitor?
Reference monitors must always be invoked
31
Where can a reference monitor be implemented?
Wrapping around the target program, inside the kernel, or inside the target program
32
The probability of a successful heap spray attack does not depend on what?
The length of each targeted sensitive object in the memory
33
StackGuard protection can be bypassed by what?
Leveraging an information leak vulnerability
34
A /GS stack frame stores the exception handlers just before what?
The canary
35
Which of the following is not a component of a CFI defense mechanism?
Code Obfuscation
36
In applications with Write or Execute (W^X) protection, the stack/heap memory is what?
Writable, but not executable
37
A race window in a race condition is what?
Code segment
38
A race condition vulnerability must consist of what?
A concurrency property, a shared object property, and a change-state (shared object) property
39
In the ProPolice protection mechanism, what is done in addition to canaries?
Local variables are rearranged by their types
40
Intel CET Shadow Stacks maintain a shadow copy of what?
The return address
41
What is a buffer overflow?
A buffer overflow is when data is written outside the bounds of the allocated buffer space
42
Why are buffer overflows common in C/C++ programs?
They are common in C/C++ programs because there is no automatic bounds checking
43
What can buffer overflows be leveraged to do?
Hijack the control flow of a program and execute arbitrary code by overwriting function pointers or return addresses
44
What are some common unsafe C functions that can allow attackers to perform buffer overflows?
strcpy, strcat, gets, and scanf
45
What is a safeish libc function?
strncpy
46
What is commonly used to identify potential buffer overflows?
Fuzz testing (by using random inputs)
47
What can address sanitizers do to help detect buffer overflows?
They help detect out-of-bounds writes during testing
48
When the return address is overwritten by an attacker during a stack buffer overflow, what can occur?
The program can then be made to jump to the attacker's code
49
What are some defenses against buffer overflows?
Bounds checking, canaries, ASLR (i.e. randomizing the addresses), and using safer functions
50
What was the first major exploit of buffer overflows?
The Internet worm, which exploited the fingerd service
51
What are some targets for control flow hijacking using buffer overflows?
Function pointers, exception handlers, vtables, longjmp buffers
52
What are heap based buffer overflows?
When an allocated heap buffer is overflowed, overwriting the adjacent heap metadata structures
53
Why do some defense mechanisms not get implemented?
Because of performance overhead concerns
54
What are type confusions?
Vulnerabilities that occur when code accesses a memory resource using an incompatible type
55
Why do type confusions often occur in C/C++?
There are no runtime type safety checks so pointers can be cast to incompatible types
56
What are some different casting operations that could cause type confusion?
Static casting with static_cast, dynamic casting with dynamic_cast, and C-style casting with (Type)
57
What is a common cause of type confusion bugs?
Illegal downcasts
58
What are some defenses against type confusion bugs?
Runtime type checking, strict casting rules, and using type-safe languages like Java
59
What is an integer overflow?
An integer value that exceeds its maximum value and as a result wraps around
60
Can converting from a signed to an unsigned integer cause an integer overflow?
Yes
61
What are the best practices for using integers?
Using size_t for a size or count, using uint8_t for a specific bit width, and using intptr_t for an integer that holds a pointer
62
How do format string bugs occur?
When user-controlled inputs are passed as the format string parameters to certain functions
63
What are some common specifiers used in format string bug attacks?
%p %d %c %u %x %s %n
64
What is a use after free bug?
A program continues to use memory after it has been freed, leading to accesses of deallocated or stale memory
65
What is the cause of use after free bugs?
Wrongly handled error conditions, unaccounted for program states, confusion over which part of the code is responsible for freeing the memory
66
How can use after free bugs be exploited?
By leading the program to allocate memory over the previously freed area. That area could contain code that the attacker placed there to be used to their advantage
67
Why are use after free bugs hard to detect?
They only manifest in certain states of program execution; the bug is not visible at the time of the free call
68
What are some prevention methods around use after free bugs?
Setting freed pointers to NULL and checking for NULL before use
69
What is a double free vulnerability?
When the same region of memory is freed twice without it being reallocated again in between
70
What is shellcode?
Executable code used by attackers to achieve arbitrary code execution after hijacking the control flow
71
What can the shellcode do?
Nearly anything like creating users, opening backdoors or spawning shells, changing the password of a user
72
What are some solutions for finding the addresses of parameters and setting the return address?
NOP sleds and position-independent code
73
What are some attacks that can bypass Write or Execute defenses?
Return to libc or return oriented programming
74
How does ROP work?
By chaining together gadgets ending in return instructions to achieve arbitrary computation without code injection.
75
What are the building blocks of ROP?
Constants, control flow, and multiple gadgets
76
What are the steps of executing a system call?
Store the syscall number in eax; save arg 1 in ebx, arg 2 in ecx, and arg 3 in edx; execute int 0x80 or sysenter; the syscall runs and returns its result in eax
77
What are some solutions for knowing the address of memory-based parameters?
Pushing the address onto the stack and getting the address from esp; using position-independent code
78
How and why are NOP sleds used?
NOP sleds are used to help approximate the return address for the shellcode; NOPs simply advance the instruction pointer until it hits the shellcode
79
What are the two main types of code reuse attacks?
Return to libc and return oriented programming
80
How does ROP approximate constants?
Storing the constants on the stack and popping them into registers for use
81
How does ROP approximate the control flow?
Conditionally setting the EIP to new values
82
What is an example of ROP using multiple gadgets to load memory into a register?
Loading the address of a source word into %eax, then loading the memory at (%eax) into %ebx
83
What are some recent advances in ROP?
Just-in-time ROP, Blind ROP, Block Oriented Programming Compiler
84
What is the use of just-in-time ROP?
Defeating fine-grained code randomization; recursively exploiting a memory disclosure to map the code of the victim process on the fly; discovering gadgets and JIT-compiling a ROP program
85
What is Blind ROP?
Remotely brute-forcing a ROP attack without knowing the target program
86
What is Block Oriented Programming Compiler?
Automatically synthesizing arbitrary Turing-complete data-only payloads
87
What is Ret2ret?
Overwriting one byte of the stack pointer with 0 to make it point to the shellcode; the vulnerable buffer sits lower on the stack than the pointer
88
What is Ret2eax?
Overflowing buf in msglog to place the shellcode in buf; strcpy saves the buf address in eax; hijacking control flow to a subsequent call *eax and running the shellcode from there
89
What is required for a race condition to occur?
Two concurrent control flows accessing a shared object, with at least one flow altering the object's state
90
What is a race condition?
The ordering of execution of concurrent threads results in unintended behavior due to unanticipated timing
91
What is the code that accesses the shared object and could result in a race condition called?
Race window or critical section
92
What can be used to avoid race windows overlapping?
Synchronization primitives such as mutexes and semaphores
93
What are some ways to avoid race conditions?
Mutual exclusion, avoiding sharing, atomics and static/dynamic analysis
94
What is heap spraying?
Filling the heap with shellcode and NOP sleds to make it more likely that a control flow hijack will hit
95
What are some defenses against heap spraying?
Heap layout randomization, isolating the browser and JavaScript heaps
96
What are the sources of race conditions?
Trusted (highly coupled threads of execution) or untrusted (separate applications or processes)
97
What is a double fetch bug?
A bug that occurs when the same data is fetched twice from memory by a program
98
What are some scenarios that could lead to double fetch bugs?
Dependency lookup (retrieving some dependent information which gets changed by another thread before being used); protocol/signature checking; information guessing
99
How does a data race occur?
When two or more threads access the same memory location concurrently
100
What is heap spraying?
Filling the heap with a large amount of attack payloads
101
What is used to spray the heap with shellcode and NOP sleds?
JavaScript
102
What points into the spray area during a heap spray?
The vtable pointer
103
What is a vulnerable buffer placement?
Placing a vulnerable buf next to an object
104
What does Nozzle do?
Detects heap sprays by checking the prevalence of code on the heap
105
What does OpenBSD do?
Prevents cross-page overflow
106
What is the aim of attackers?
To hijack the control flow and execute arbitrary code
106
What are some defenses against attackers?
Canaries, Write or Execute, StackGuard/ProPolice, SAFESEH/SEHOP, Shadow Stacks/Safe Stacks, Address Randomization, Obfuscation, Reference Monitors, Control Flow Integrity
106
What are some targets of attackers?
Return addresses, vtables, function pointers
107
What are canaries?
A technique used to detect stack-based buffer overflows
108
The function prologue places a canary value where?
Between the return address and local variables
109
The function epilogue does what?
Checks if the canary is unchanged before returning
110
What did Stack Guard originally do?
Added canaries
111
What are the two types of canaries?
Random canaries, where a random value is chosen at program start and inserted in each stack frame, and terminator canaries, a special value that string functions will not copy over
112
How did ProPolice improve StackGuard?
By reordering stack variables to protect pointers
113
What does the VS /GS option do?
Combines ProPolice and random canaries and calls exit() on a mismatch
114
What are some things canaries cannot protect against?
Heap overflows or integer overflows
115
What is the point of shadow and safe stacks?
To separate control data from user data
116
Shadow stacks maintain a separate stack for what?
Return addresses
117
Safe stacks split the program stack into two regions for what?
A safe region for control data and an unsafe region for other data
118
Can safe stacks be implemented in compilers (LLVM and GCC)?
Yes
119
Intel's new shadow stacks do what?
Have a new shadow stack pointer that call/ret updates automatically
120
Shadow stacks rely on what assumption?
That the location of the shadow/safe stack is hidden from attackers
121
Code pages are marked as what in W^X?
Executable but not writable
122
Data pages (stack, heap, globals) are marked as what?
Writable but not executable
123
W^X is supposed to prevent what?
Code injection attacks
124
What does W^X not protect against?
Code reuse attacks like return-to-libc or ROP, as they reuse existing code
125
If an executable heap is needed what could be used to circumvent W^X?
Heap sprays
126
What does ASLR do?
Randomizes the memory layout of a process to make exploits harder
127
What does ASLR do in regard to exploits like return-to-libc and stack/heap overflows?
Makes them probabilistic
128
What are some ways to get around ASLR?
Brute-force mechanisms, leaking the addresses through other bugs, or using code gadgets that are not randomized
129
What does fine grained code randomization do?
Randomizes code within programs and libraries themselves
130
At what level do fine-grained techniques randomize code?
Function, basic block or instruction level
131
Function block randomization does what?
Shuffles the order of functions within each code section
132
Basic block randomization does what?
Randomizes the order of basic blocks within each function
133
Instruction level randomization does what?
Changes the order of instructions within basic blocks through the insertion of unconditional jumps
134
What is code obfuscation?
Transforming programs to make them more difficult for humans to understand while preserving semantics
135
What is the purpose of code obfuscation?
To protect intellectual property and prevent reverse engineering
136
What are some obfuscation techniques?
Lexical transformations, control transformations, data transformations, anti-disassembly tricks, anti-debugging tricks
137
What are some metrics to judge code obfuscation?
Potency, resilience, and low overhead
138
What is a lexical transformation?
Variable names becoming nonsense
139
What is a control transformation?
Changing the program flow and logic structure while maintaining functionality
140
What is a data transformation?
Modifying data structures and representations
141
What are anti-debugging tricks?
Tricks to detect and impede debuggers
142
What are reference monitors?
A component that monitors a system's execution to enforce compliance with a security policy
143
What are the principles of reference monitors?
Complete mediation, tamperproof, verifiable, low overhead
144
What is the purpose of CFI?
To prevent control flow hijacking by ensuring software execution stays within a predetermined control flow graph
145
How can the effectiveness of CFI be measured?
By the largest and average EC size
146
What is an EC?
A group of targets that CFI cannot distinguish/separate
147
When are CFGs computed?
Statically through program analysis
148
What is SAFESEH?
A linker option that produces a binary with a table of safe exception handlers