Unit 5,6,7 Flashcards
Which name is rarely used for sections in ELF files?
.text
.data
.rodata
.code
.code
Correct! As a convention, .code is almost never used as a section name for ELF files that are generated by common C compilers, such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.
Which name is almost never used for sections in ELF files that are generated by common C compilers under Linux?
.bss
.exec
.text
.rodata
.exec
Correct! As a convention, .exec is rarely used as a section name for ELF files that are generated by common C compilers such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.
In general, which kind of program can be compiled into machine code?
Java programs
C programs
Bash scripts
Perl programs
C programs
Correct! C programs are usually compiled by C compilers, such as GCC, Clang, and MSVC, into executables that consist of executable machine code.
For programs that use glibc and run on x86-64 Linux, environment variables can be accessed during the execution of the program. Where are these environment variables stored?
On the hard drive
In the kernel memory region
In the file name of the executable
On the stack
On the stack
Correct! The environment variables are prepared by libc and are put onto the stack, right above the function frame of the entry point function, which is usually the main function. The third argument to the entry point function, envp, can be used to access the environment variables on the stack.
Which name is a valid register name in x86-64 CPUs?
eax
a0
r2
rdk
eax
Which x86-64 instruction clears the destination register (i.e., zeroing the destination register), regardless of the register’s value?
set rax=0
add rax, 1
nop
xor rax, rax
xor rax, rax
The 32-bit integer 0xcafebabe (3405691582 in decimal) is used as the magic number of Java bytecode files. What is the little-endian byte representation of this 32-bit integer?
82 15 69 05 34
be ba fe ca
ca fe ba be
eb ab ef ac
be ba fe ca
Correct! In little endian, the least significant byte goes first, and the most significant byte goes last. The least significant byte in 0xcafebabe is 0xbe, and the most significant byte is 0xca. Therefore, be ba fe ca is the correct little-endian representation.
In x86-64 Linux, we may invoke a syscall using instruction syscall. When this instruction is executed, in which register should the syscall number be stored?
ecx
a0
syscall_no
rax
rax
Correct! The syscall number is indeed stored in the rax register for syscalls in x86-64 Linux. However, different registers may be used for different operating systems.
On Linux, each process is related to an effective UID (euid) and an effective GID (egid). What is the relationship among euid, egid, permissions of the process, and the ownership of the process executable?
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group who owns the process executable.
euid is the ID of the user who owns the process executable; egid is the ID of the group who owns the process executable.
euid is the ID of the user who owns the process executable; egid is the ID of the group whose file access permissions are used by the process.
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.
euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.
char path[1024] = {0};
strcpy(path, "/home/myspace/");
/* free_size is the number of bytes left in path; user_file is appended unsanitized */
strncat(path, user_file, free_size);
file = open(path, O_RDWR);
Review Codeblock: Code Snippet. John wrote this piece of code and he hopes to limit users' file access to under /home/user. Suppose that there is no filtering or sanitization applied on variable user_file before calling strncat(), and the total length of path when calling open() is less than 1024. What vulnerability does this code snippet have?
File access vulnerability
File handler reuse vulnerability
Format string vulnerability
Buffer overflow vulnerability
File access vulnerability
Correct! This snippet has a file access vulnerability (e.g., the dot-dot attack). Since there is no sanitization performed on either user_file or free_size, the user may construct a path that includes "../" and end up accessing files that are outside "/home/myspace/".
On x86-64 Linux, each process has an isolated memory space called the stack region. How does the stack region grow?
Either from low addresses to high addresses, or from high addresses to low addresses, as determined by the operating system
From low addresses to high addresses
From high addresses to low addresses
Either from low addresses to high addresses, or from high addresses to low addresses, as determined by each process
From high addresses to low addresses
Correct! The stack in x86-64 grows from high addresses to low addresses. This is inherited from the early days when memory space was very limited (memory addresses were 16 bits). Back then, having the stack grow from high addresses to low addresses allowed more efficient use of memory and avoided stack overruns.
The heap grows from low addresses to high addresses.
In x86-64 assembly, what is the instruction sequence mov rsp, rbp; pop rbp equivalent to?
push rbp; mov rbp, rsp
leave; ret
leave
xor rsp, rbp; mov rbp, rsp; xor rsp, rbp; mov rsp, rbp; hlt
leave
Correct! In x86-64 assembly language, leave is the counterpart of enter and is usually executed at the end of a function. leave restores the initial stack pointer upon function entry from rbp into rsp and restores the stored stack base pointer from the stack to rbp. Hence, leave is the same as mov rsp, rbp; pop rbp.
400080: b8 3b 00 00 00          mov    eax,0x3b
400085: 48 bb 2f 62 69 6e 2f    movabs rbx,0x68732f6e69622f
40008c: 73 68 00
40008f: 53                      push   rbx
400090: 48 89 e7                mov    rdi,rsp
400093: 6a 00                   push   0x0
400095: 57                      push   rdi
400096: 48 89 e6                mov    rsi,rsp
400099: 48 c7 c2 00 00 00 00    mov    rdx,0x0
40009e: 0f 05                   syscall
4000a0: 48 c7 c0 3c 00 00 00    mov    rax,0x3c
4000a5: 48 c7 c7 00 00 00 00    mov    rdi,0x0
4000aa: 0f 05                   syscall
Review Codeblock: Shellcode. Which instruction has at least one null byte inside?
push rbx
mov eax, 0x3b
mov rdi, rsp
syscall
mov eax, 0x3b
Correct! The instruction mov eax, 0x3b is at 0x400080. From the objdump output, it is possible to see that there is at least one null byte (0x00) among the instruction bytes.
int var_0 = 0, var_1 = 0;
printf("CSE543ROCKS!%x\n", &var_0);
strcpy((char*)&var_1, "CSE543ROCKS\n");
Review Codeblock: C Code. What vulnerability does this piece of code have?
TOCTTOU vulnerability
There is no vulnerability in this piece of code.
Buffer overflow vulnerability
Format string vulnerability
Buffer overflow vulnerability
Correct! Buffer overflow vulnerabilities are only triggerable when there are buffers and there are writes into those buffers. Both var_0 and var_1 can be seen as buffers. This piece of code tries to write 12 bytes into var_1, while var_1 is only an int, which is 4 bytes long. Therefore, it does have a buffer overflow vulnerability.
On Linux, what will Bash always expand the path "~/.bashrc" to?
/root/.bashrc
$HOME/.bashrc
/home/user/.bashrc
/tmp/.bashrc
$HOME/.bashrc