United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

Transcription

1 United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring Do a page check: you should have 8 pages including this cover sheet. 2. You have 50 minutes to complete this exam. 3. A calculator may be used for this exam. 4. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes. 5. Turn in your single-sided hand-written page of notes with your exam. 6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam. Name: Instructor: Page 1 of 8

2 Question 1. (31 pts) A C program begins: #include<stdio.h> int main( ) int a = 101; char mystring[4] = "ENS" ; <more code> The program is paused immediately after executing the line char mystring[4] = "ENS" ; but before executing the section that says <more code>. The stack for the program at this point in time is shown below. Note specifically that the address for the integer variable a and the address of the array mystring are shown on the figure. In the figure below, the main memory addresses are shown on the left (in hexadecimal). (a) (b) (c) (5 pts) Annotate the diagram above to show the addresses for each of the next ten memory locations. For each address, the first five hexadecimal digits are already filled in for you; you only need to indicate the last three hexadecimal digits. (3 pts) Why did the programmer state that the size of the array mystring should be 4 when the array only holds three characters? In other words, why didn't the programmer declare the array mystring as: char mystring[3] = "ENS" ; (4 pts) Annotate the diagram above to show how the array mystring is stored in memory. Express all values in hexadecimal. THIS PROBLEM CONTINUES ON NEXT PAGE Page 2 of 8

3 (d) (5 pts) Annotate the diagram above to show how the value of the variable a is stored in memory. Express all values in hexadecimal. In addition to annotating the diagram, show your work below. (e) (f) (1 pt) If, at this point, your diagram above still has blank memory locations, write "gar" in all of the blank locations to indicate garbage values. (2 pts) What would be displayed by the command: x/xb bffff7f8 (g) (3 pts) Convert the value stored in mystring[ 2 ] to binary. Returning to the C program, the section shown as <more code> is actually this: strcpy( mystring, "2ndLT" ); printf("\n %d \n", a ); Do not make any changes to your diagram on the previous page, since that diagram holds your answers to questions (a) through (e)!!! (h) (3 pts) What is printed out by the printf statement in the box above? (i) (3 pts) In the space below, explain (using, if helpful, the drawing of main memory shown below) how you arrive at your answer to part (h). (Do not modify your picture on the previous page!) (j) (2 pts) You have grown sick of this problem! So you save your C program and turn off your computer. Where is your C program now? (Circle one choice) In secondary memory In the operating system In the CPU hardware In main memory Page 3 of 8

4 Question 2. (25 pts) Consider the C program named funtimes.c shown below: 1. #include<stdio.h> 2. int main( ) int i; 5. int number = 7; for( i = 10 ; i > number ; i = i - 1 ) if( i == 9 ) 10. printf( "%s\n", "Fun" ) ; 11. else 12. printf( "%s\n", "Not Fun" ) ; 13. } 14. } (a) (5 pts) What is the exact output of this C program? You run this program and examine the debugger's partial output, shown below. THIS PROBLEM CONTINUES ON NEXT PAGE Page 4 of 8

5 (b) (2 pts) Where (physically) is the eip register? (Circle one choice) In the C program In the operating system In the CPU hardware In main memory (c) (d) (e) (f) (3 pts) What is the next assembly language instruction that will be executed? (3 pts) Suppose, given the picture above, you enter the command: nexti. After you enter this command, what is the value stored in the eip register? (2 pts) Complete the sentence: The eip register holds an address in the program's (circle one choice) i. CPU section ii. iii. iv. Stack frame Text segment Dynamic memory space v. Variable allocation (3 pts) Considering the values of esp and ebp, how many bytes are in this stack frame? Show your reasoning. (g) (4 pts) What is the address where the variable number is stored in memory? Your answer should be an address expressed as eight hexadecimal digits. Briefly explain your answer. (h) (3 pts) Consider the assembly language instruction cmp DWORD PTR [ebp-4],0x9 What line of C code does this correspond to? Page 5 of 8

6 Question 3. (5 pts) What is the fundamental issue with the C programming language that makes a buffer overflow exploit possible? (Your answer should be limited to a sentence or two.) Question 4. (8 pts) Consider the C program below: 1. #include<stdio.h> 2. int main() char saying[20] = "To be or not to be." ; char *ptr ; ptr = saying + 4; strcpy( ptr, "ring" ); printf( "%s\n", saying ); 13. } Note that the string named saying is initialized in line 4, and saying is then printed out on line 12. What is the output of this C program? Explain your answer in a few sentences or a sketch. Page 6 of 8

7 Question 5. (16 pts) Consider the program shown on the right: (a) (2 pts) How many functions are in this program? (b) (2 pts) In the line of code: void myfunction() what does the word void mean? (Choose one) i. The function has no arguments. ii. iii. iv. The function has no parameters. The function does not return a value. The function does not perform a useful task. #include<stdio.h> void myfunction() int a = 2003; } int main() myfunction(); } v. Copies of the values of the arguments are plugged in to the parameters. (c) (6 pts) Before myfunction is called, two items will be placed onto the stack. What are the names of these two items? (For example, if you believe that the items placed on the stack before the function call are the stack pointer and the address of main, your answer would be: Item 1: esp, Item 2: main's address.) Item 1: Item 2: (d) (6 pts) The program above is run up to the point immediately before the function named myfunction is called. The debugger output shown below is produced. Determine the correct values for the answers you gave for part (c) above; i.e., determine the correct values for the two items that must be saved on the stack prior to the function call. Write your answers next to the two item names in part (c) above. Page 7 of 8

8 Question 6. (15 pts) Consider the program below, named welcoming_message.c. The program prompts the user to enter their name, then provides them a warm and comforting welcome message. And what could be wrong with that? #include<stdio.h> void greetings(int length_of_name) int year = 2015; char name[length_of_name]; } printf("enter your name: "); scanf("%s", name); printf("hello: %s! Welcome to %d.\n", name, year); int main() int name_len = 15; greetings(name_len); } Assume that no padding (extra space) is created when stack frames are created. (a) (10 pts) When you are prompted to enter your name, what is the minimum number of characters you can enter to completely overwrite the value of the variable name_len which is declared in main? Justify your reasoning and show your work. (b) (5 pts) Is it possible to change the value of the variable named year declared in the function greetings by performing a buffer overflow attack? Why or why not? Justify your reasoning. Turn in your equation sheet with your exam! Page 8 of 8