Unit 5,6,7 Flashcards

1
Q

Which name is rarely used for sections in ELF files?

.text
.data
.rodata
.code

A

.code

Correct! As a convention, .code is almost never used as a section name for ELF files that are generated by common C compilers, such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.

2
Q

Which name is almost never used for sections in ELF files that are generated by common C compilers under Linux?

.bss

.exec

.text

.rodata

A

.exec

Correct! As a convention, .exec is rarely used as a section name for ELF files that are generated by common C compilers such as GCC and Clang. Common ELF section names include .text, .rodata, .data, and .bss.

3
Q

In general, which kind of program can be compiled into machine code?

Java programs

C programs

Bash scripts

Perl programs

A

C programs

Correct! C programs are usually compiled by C compilers, such as GCC, Clang, and MSVC, into executables that comprise executable machine code.

4
Q

For programs that use glibc and run on x86-64 Linux, environment variables can be accessed during the execution of the program. Where are these environment variables stored?

On the hard drive

In the kernel memory region

In the file name of the executable

On the stack

A

On the stack

Correct! The environment variables are prepared by the libc and are put onto the stack, right above the function frame of the entry point function, which is usually the main function. The third argument to the entry point function, envp, can be used to access the environment variables on the stack.

5
Q

Which name is a valid register name in x86-64 CPUs?

eax

a0

r2

rdk

A

eax

6
Q

Which x86-64 instruction clears the destination register (i.e., zeroing the destination register), regardless of the register’s value?

set rax=0

add rax, 1

nop

xor rax, rax

A

xor rax, rax

7
Q

The 32-bit integer 0xcafebabe (3405691582 in decimal) is used as the magic number of Java bytecode files. What is the little-endian byte representation of this 32-bit integer?

82 15 69 05 34

be ba fe ca

ca fe ba be

eb ab ef ac

A

be ba fe ca

Correct! In little endian, the least significant byte goes first, and the most significant byte goes last. The least significant byte in 0xcafebabe is 0xbe, and the most significant byte is 0xca. Therefore, be ba fe ca is the correct little-endian representation.

8
Q

In x86-64 Linux, we may invoke a syscall using the syscall instruction. When this instruction is executed, in which register should the syscall number be stored?

ecx

a0

syscall_no

rax

A

rax

Correct! The syscall number is indeed stored in the rax register for syscalls in x86-64 Linux. However, different registers may be used for different operating systems.

9
Q

On Linux, each process is related to an effective UID (euid) and an effective GID (egid). What is the relationship among euid, egid, permissions of the process, and the ownership of the process executable?

euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group who owns the process executable.

euid is the ID of the user who owns the process executable; egid is the ID of the group who owns the process executable.

euid is the ID of the user who owns the process executable; egid is the ID of the group whose file access permissions are used by the process.

euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.

A

euid is the ID of the user whose file access permissions are used by the process; egid is the ID of the group whose file access permissions are used by the process.

10
Q

#include <fcntl.h>
#include <string.h>

char path[1024] = {0};
strcpy(path, "/home/myspace/");
size_t free_size = sizeof(path) - strlen(path) - 1; /* bytes left in path for user_file */
strncat(path, user_file, free_size);                /* user_file is appended without any sanitization */
int file = open(path, O_RDWR);

John wrote this piece of code and he hopes to limit users’ file access to under /home/user. Suppose that there is no filtering or sanitization applied to the variable user_file before calling strncat(), and that the total length of path when calling open() is less than 1024. What vulnerability does this code snippet have?

File access vulnerability

File handler reuse vulnerability

Format string vulnerability

Buffer overflow vulnerability

A

File access vulnerability

Correct! This snippet has a file access vulnerability (e.g., the dot-dot attack). Since there is no sanitization performed on either user_file or free_size, the user may construct a path that includes “../” and end up accessing files that are outside “/home/myspace/”.

11
Q

On x86-64 Linux, each process has an isolated memory space called the stack region. How does the stack region grow?

Either from low addresses to high addresses, or from high addresses to low addresses, as determined by the operating system

From low addresses to high addresses

From high addresses to low addresses

Either from low addresses to high addresses, or from high addresses to low addresses, as determined by each process

A

From high addresses to low addresses

Correct! The stack in x86-64 grows from high addresses to low addresses. This is inherited from the early days when memory space was very limited (where memory addresses were 16 bits wide). Back then, having stack memory grow from high addresses to low addresses allowed more efficient use of memory and avoided stack overruns.

The heap, by contrast, grows from low addresses to high addresses.

12
Q

In x86-64 assembly, what is the instruction sequence mov rsp, rbp; pop rbp equivalent to?

push rbp; mov rbp, rsp

leave; ret

leave

xor rsp, rbp; mov rbp, rsp; xor rsp, rbp; mov rsp, rbp; hlt

A

leave

Correct! In x86-64 assembly language, leave is the counterpart of enter and is usually executed at the end of a function. leave copies rbp into rsp, restoring the stack pointer to its value at function entry, and then pops the saved stack base pointer from the stack into rbp. Hence, leave is the same as mov rsp, rbp; pop rbp.

13
Q

400080: b8 3b 00 00 00 mov eax,0x3b
400085: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f6e69622f
40008c: 73 68 00
40008f: 53 push rbx
400090: 48 89 e7 mov rdi,rsp
400093: 6a 00 push 0x0
400095: 57 push rdi
400096: 48 89 e6 mov rsi,rsp
400099: 48 c7 c2 00 00 00 00 mov rdx,0x0
40009e: 0f 05 syscall
4000a0: 48 c7 c0 3c 00 00 00 mov rax,0x3c
4000a5: 48 c7 c7 00 00 00 00 mov rdi,0x0
4000aa: 0f 05 syscall

The objdump listing above is shellcode. Which instruction has at least one null byte inside?

push rbx

mov eax, 0x3b

mov rdi, rsp

syscall

A

mov eax, 0x3b

Correct! The instruction mov eax, 0x3b is at 0x400080. Through the objdump output, it is possible to see that there is at least one null byte (0x00) in the instruction bytes.

14
Q

#include <stdio.h>
#include <string.h>
int var_0 = 0, var_1 = 0;
printf("CSE543ROCKS!%x\n", &var_0);      /* the format string is a fixed literal, not user input */
strcpy((char *)&var_1, "CSE543ROCKS\n"); /* copies 12 characters plus the terminating NUL into a 4-byte int */

What vulnerability does this piece of C code have?

TOCTTOU vulnerability

There is no vulnerability in this piece of code.

Buffer overflow vulnerability

Format string vulnerability

A

Buffer overflow vulnerability

Correct! Buffer overflow vulnerabilities are only triggerable when there are buffers and there are writes into buffers. Both var_0 and var_1 can be seen as buffers. This piece of code tries to write 12 bytes into var_1, while var_1 is only an int, which is 4 bytes long. Therefore, it does have a buffer overflow vulnerability.

15
Q

On Linux, what will Bash always expand path “~/.bashrc” to?

/root/.bashrc

$HOME/.bashrc

/home/user/.bashrc

/tmp/.bashrc

A

$HOME/.bashrc

16
Q

URI stands for Uniform Resource Identifier. A URI requires a series of specific items in a specific order. Which URI is invalid?

https://www.google.com/ncr

ftp://ftp.ietf.org/rfc/rfc1808.txt

../../../../etc/passwd

mailto:user@example.com

A

../../../../etc/passwd

Correct! This is not a valid URI. A valid URI includes these five items: scheme, authority, path, query, and fragment. A valid URI must also follow this specific syntax: scheme://authority/path?query#fragment, with percent encoding applied to reserved characters. This path does not follow the required syntax because no scheme is provided, so it is an invalid URI. However, it is a valid path on a file system.

17
Q

Connection to www.google.com 80 port [tcp/http] succeeded!

Which program or command may generate the output message above?

ls

tcpdump

netcat

curl

A

netcat

Correct! Netcat (nc) can be used to connect to a port of an IP address via either TCP or UDP. The provided output message is what the user will see when netcat successfully connects to the specified IP and port.

18
Q

q = "SELECT * FROM homework_assignments WHERE user=" + username + " AND key=" + password  # raw user input concatenated into the query

This Python statement builds an SQL query for authentication, where username and password are two variables derived from user input. Which combination of username and password values will lead to a bypass of the authentication?

root; password

' ' or 1=1;-- ; "" (an empty string)

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ; "" (an empty string)

alert(1) ;

A

' ' or 1=1;-- ; "" (an empty string)

Correct! Setting username to ' ' or 1=1;-- will alter the original intent of the SQL query. The first two single quotes will correctly terminate the user= query parameter. Then it adds a new boolean query parameter or 1=1, which is essentially the same as or TRUE. Finally, it uses ;-- to specify that all characters that follow should be treated as comments, which effectively eliminates the pass= query parameter. The value of password does not matter anymore.

19
Q

Cookies are small pieces of data that an HTTP server sends to client users’ browsers, which may store cookies locally or send them back to the server upon making future HTTP requests. JavaScript code has access to cookies. Which statement most accurately describes the security of cookies?

Cookies are secure. They cannot be stolen by malicious JavaScript code or leaked when being transferred through HTTP.

Cookies cannot be stolen by malicious JavaScript code. But they can be leaked when transferred through HTTP.

Cookies can be stolen by malicious JavaScript code. But they cannot be leaked when transferred through HTTP.

Cookies can be stolen by malicious JavaScript code. They can also be leaked when transferred through HTTP.

A

Cookies can be stolen by malicious JavaScript code. They can also be leaked when transferred through HTTP.

20
Q

SUID executables can drop privileges by calling setuid(). Under which circumstance can setuid() be called?

setuid() can only be called when euid is 0.

setuid() can only be called when euid is not 0.

setuid() can only be called when euid is 1000.

setuid() can be called regardless of the value of euid.

A

setuid() can be called regardless of the value of euid.

21
Q

C programs must be compiled before running. What is an example of a commonly used C compiler under Linux?

Clang

Sh

ld

Python

A

Clang

22
Q

In general, which type of program can be compiled into an executable form that contains machine code prior to execution?

Bash scripts

C programs

Java programs

Python programs

A

C programs

Correct! C programs are usually compiled by C compilers, such as GCC, Clang, and MSVC, into executables that comprise executable machine code.

23
Q

4df4: 41 57 push r15
4df6: 41 56 push r14
4df8: 41 55 push r13
4dfa: 41 54 push r12
4dfc: 41 89 fc mov r12d,edi
4dff: 55 push rbp
4e00: 48 89 f5 mov rbp,rsi
4e03: 53 push rbx
4e04: 48 83 ec 48 sub rsp,0x48
4e08: 48 8b 3e mov rdi,QWORD PTR [rsi]
4e0b: 64 48 8b 04 25 28 00 mov rax,QWORD PTR fs:0x28
4e12: 00 00
4e14: 48 89 44 24 38 mov QWORD PTR [rsp+0x38],rax
4e19: 31 c0 xor eax,eax
4e1b: e8 b0 e4 00 00 call 132d0
4e20: 48 8d 35 d7 49 01 00 lea rsi,[rip+0x149d7]
4e27: bf 06 00 00 00 mov edi,0x6
4e2c: e8 cf fd ff ff call 4c00

The objdump listing above is shellcode. Which instruction has at least one null byte inside?

xor eax, eax

sub rsp, 0x48

mov rdi,QWORD PTR [rsi]

mov edi, 0x6

A

mov edi, 0x6

24
Q

#include <stdio.h>
int var_0 = 0, var_1 = 0;
printf("CSE543ROCKS%80x%1$n\n", &var_0, &var_1); /* fixed format string; %1$n stores the count of characters written so far into var_0 */

What vulnerability does this piece of C code have?

Format string vulnerability

TOCTTOU vulnerability

There is no vulnerability in this piece of code.

Buffer overflow vulnerability

A

There is no vulnerability in this piece of code.

Correct! This piece of code uses printf() and may look like it is triggering a format string vulnerability. However, since the format string is fully specified and user input has no way to impact the format string, there is no vulnerability in this piece of code.

25
Q

URI stands for Uniform Resource Identifier. A URI requires a series of specific items in a specific order. Which URI is valid?

https://

/etc/shadow

mailto:user@example.com

user

A

mailto:user@example.com

26
Q

q = "SELECT user, age, gender FROM users WHERE user=" + username + " AND pass=" + password  # raw user input concatenated into the query

This Python statement builds an SQL query for authentication, where username and password are two variables derived from user input. Which combination of username and password values will lead to a bypass of the authentication?

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ; "" (an empty string)

' ' or 2=2;-- ; "" (an empty string)

admin; admin888

alert(“you are hacked!”) ;

A

' ' or 2=2;-- ; "" (an empty string)

27
Q

Sometimes web applications will embed some encrypted secret data as hidden input fields on a web page. The secret data will be sent back to the server upon future requests. A major application for the secret data in these hidden input fields is to prevent cross-site scripting attacks. JavaScript code has access to these hidden input fields and the values inside. Which statement most accurately describes how secure this secret data is?

The secret data can be stolen by malicious JavaScript code. It can also be leaked when transferred through HTTP.

Hidden input fields are secure. As a result, the secret data cannot be stolen by malicious JavaScript code or leaked when being transferred through HTTP.

The secret data can be stolen by malicious JavaScript code. But it cannot be leaked when transferred through HTTP.

The secret data cannot be stolen by malicious JavaScript code. But it can be leaked when transferred through HTTP.

A

The secret data can be stolen by malicious JavaScript code. It can also be leaked when transferred through HTTP.

28
Q

In Linux, processes may start with root privileges and then drop privileges at a later time for better security. Privilege dropping can be done by calling setuid(). Under which circumstance can setuid() be called?

setuid() can only be called when euid is not 0.

setuid() can be called regardless of the value of euid.

setuid() can only be called when euid is 0.

setuid() can only be called when euid is 1000.

A

setuid() can be called regardless of the value of euid.

29
Q

C programs must be compiled before running. What is an example of a commonly used C compiler under Linux?

file

Bash

CPython

GCC

A

GCC

30
Q

Which name is a valid register name in x86-64 CPUs?

eay

r0

rsp

a0

A

rsp

31
Q

In x86-64 assembly, leave is an instruction that is commonly seen in function epilogues. leave can be represented by a few more instructions. What are these other representations?

mov rsp, rbp; pop rbp; ret

mov rsp, rbp; pop rbp

pop rbp; mov rsp, rbp

push rbp; mov rbp, rsp

A

mov rsp, rbp; pop rbp
