Dawn Song, Midterm 1 (solution), Spring 2012



Unformatted text preview:

...ired to be overwritten.

(c) (2 points) Return oriented programming (arc-injection) is a viable technique to use to defeat stack canaries.
◦ True. Reason:
◦ False. Reason:

Answer: False. The canary is stored on the stack at a lower memory address than the return address. Meaning, when the buffer is overflowed to change the return address for an arc injection attack, the canary will also be overwritten, causing the data injection to fail. Arc injection, in general, only defeats non-executable stack protection.

Page 3

2. (10 points) Symbolic Execution

Consider the following program:

     1  void caller(int a, int b) {
     2      int *ptr;
     3
     4      if (b > 0) {
     5          ptr = getbuf(a, b);
     6          if (ptr != NULL)
     7              ptr[0] = 0;
     8      }
     9  }
    10
    11  int *getbuf(int x, int y) {
    12
    13      /* initialize all elements to zero */
    14      int buf[20] = { 0 };
    15      int z;
    16
    17      if (x > y)
    18          return NULL;
    19      if (x < 0)
    20          z = -x;
    21      else
    22          z = x;
    23      if (z < 20)
    24          buf[z] = y;
    25      return buf;
    26  }

(a) (2 points) Consider the assignment at line 7. Is this assignment memory safe? Explain your reasoning in one sentence.
◦ Yes. Reason:
◦ No. Reason:

Answer: No. The pointer points to a local buffer allocated on the stack; it's gone when the function returns.

(b) (4 points) Suppose we employ whitebox fuzzing to check if the program is vulnerable to a buffer overflow, i.e., applying dynamic symbolic execution for automatic test case generation. In each run, whitebox fuzzing creates new test cases for the parameters a and b to function caller. By converting the program statements into SSA (Static Single Assignment) form, write down the path constraints P on the symbolic inputs necessary to reach line number 24. Express P in terms of symbolic variables a0, b0, x1, y1 and z1.

Answer:

$$P = \underbrace{(b_0 > 0)}_{(1)} \wedge \underbrace{(x_1 == a_0) \wedge (y_1 == b_0)}_{(2)} \wedge \underbrace{\neg(x_1 > y_1)}_{(3)} \wedge \underbrace{\bigl(z_1 == ((x_1 < 0)\ ?\ -x_1 : x_1)\bigr)}_{(4)} \wedge \underbrace{(z_1 < 20)}_{(5)}$$

1 pt for each non-equivalent clause: (1), (3), (4) and (5).

(c) (1 point) Write down t...
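The following is an added worked example, not part of the exam or its solution key: a small Python model of caller()/getbuf() in which every taken branch records the SSA clause it imposes, so the path constraint P from part (b) can be checked against concrete execution. The functions run_program, path_constraint, solve and check_consistency are constructed for this example; the bounded search in solve stands in for the SMT solver that a whitebox fuzzer would call.

```python
# Added example (not from the exam): concolic-style model of the program in
# question 2.  Branch decisions are taken concretely on (a0, b0) while the
# SSA clauses they impose are recorded, and a bounded search over concrete
# inputs replaces the constraint solver used by real whitebox fuzzing.
from itertools import product

BUF_LEN = 20  # size of buf[] in getbuf()


def run_program(a0, b0):
    """Concretely execute caller(a0, b0).

    Returns (reached_line_24, trace), where trace lists the SSA clauses the
    taken branches impose on the symbolic inputs a0, b0 and SSA variables
    x1, y1, z1.  Python ints are unbounded, so C integer wraparound is not
    modelled here (a faithful model would use 32-bit bit-vectors).
    """
    trace = []
    # line 4: if (b > 0)
    if not b0 > 0:
        trace.append("!(b0 > 0)")
        return False, trace
    trace.append("b0 > 0")                        # clause (1)
    # line 5: getbuf(a, b) binds the parameters as x1, y1
    x1, y1 = a0, b0
    trace.append("x1 == a0 && y1 == b0")          # clause (2), always satisfiable
    # line 17: if (x > y) return NULL
    if x1 > y1:
        trace.append("x1 > y1")
        return False, trace
    trace.append("!(x1 > y1)")                    # clause (3)
    # lines 19-22: phi node merging the two assignments to z
    z1 = -x1 if x1 < 0 else x1
    trace.append("z1 == ((x1 < 0) ? -x1 : x1)")   # clause (4)
    # line 23: if (z < 20)
    if not z1 < BUF_LEN:
        trace.append("!(z1 < 20)")
        return False, trace
    trace.append("z1 < 20")                       # clause (5)
    # line 24: buf[z] = y  -- the target statement
    return True, trace


def path_constraint(a0, b0):
    """P from the answer key, evaluated on concrete values of a0 and b0."""
    x1, y1 = a0, b0
    z1 = -x1 if x1 < 0 else x1
    return ((b0 > 0) and (x1 == a0) and (y1 == b0) and not (x1 > y1)
            and (z1 == (-x1 if x1 < 0 else x1)) and (z1 < 20))


def solve(bound=64):
    """Bounded search standing in for the SMT solver: every (a0, b0) in
    [-bound, bound]^2 that satisfies P is a test case driving execution to
    line 24."""
    return [(a, b) for a, b in product(range(-bound, bound + 1), repeat=2)
            if path_constraint(a, b)]


def check_consistency(bound=64):
    """P must hold exactly on the inputs whose concrete run reaches line 24."""
    return all(run_program(a, b)[0] == path_constraint(a, b)
               for a, b in product(range(-bound, bound + 1), repeat=2))


if __name__ == "__main__":
    tests = solve()
    print(len(tests), "test cases reach line 24, e.g.", tests[:3])
    print("P agrees with the concrete program:", check_consistency())
    print(run_program(-5, 7))
```

Running the module lists the concrete (a0, b0) pairs that satisfy P and confirms that P is true exactly when the concrete run reaches line 24; clause (2) never prunes anything, which is why the key awards no point for it. Because Python integers do not wrap, the model omits C's fixed-width behaviour in `z = -x`; an analysis aimed at the buffer-overflow question would encode the integers as 32-bit bit-vectors.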

This document was uploaded on 02/23/2014.
