Final Exam, Spring 2012 Date: May 14th, 2012

Similar documents
Final Exam, Fall 2013 Date: December 16th, 2013

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Final exam. Scores. Fall term 2012 KAIST EE209 Programming Structures for EE. Thursday Dec 20, Student's name: Student ID:

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

CMPSC 497 Buffer Overflow Vulnerabilities

Project 1 Buffer Overflow

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Computer Systems CEN591(502) Fall 2011

CMPSC 311 Exam 2. March 27, 2015

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Introduction to Computer Systems. Exam 1. February 22, This is an open-book exam. Notes are permitted, but not computers.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

ROP It Like It s Hot!

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

MEMORY SAFETY ATTACKS & DEFENSES

Introduction to Computer Systems. Exam 1. February 22, Model Solution fp

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CS61, Fall 2012 Midterm Review Section

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CS , Fall 2001 Exam 1

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

This is an open book, open notes exam. But no online or in-class chatting.

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

You may work with a partner on this quiz; both of you must submit your answers.

Sungkyunkwan University

CSE 361S Intro to Systems Software Lab Assignment #4

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer overflow background

CS , Fall 2002 Exam 1

CIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final

Lecture 4 September Required reading materials for this class

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS61 Section Solutions 3

Software Security: Buffer Overflow Attacks

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

NAME: int x=7; int y=9; int z=10*(x/y); assert(z>0);

Offensive Security My First Buffer Overflow: Tutorial

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Machine Programming 4: Structured Data

Fundamentals of Computer Security

Format string vulnerabilities

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Assembly Language: Function Calls

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

CS , Fall 2004 Exam 1

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

CS 2505 Computer Organization I Test 2. Do not start the test until instructed to do so! printed

System Programming and Computer Architecture (Fall 2009)

Assembly Language: Function Calls" Goals of this Lecture"

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CMSC 313 Lecture 12 [draft] How C functions pass parameters

Midterm 1 Review. Memory Safety & Web Attacks

Assembly Language: Function Calls" Goals of this Lecture"

Program Security and Vulnerabilities Class 2

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

x86 assembly CS449 Fall 2017

Lecture 08 Control-flow Hijacking Defenses

UW CSE 351, Winter 2013 Midterm Exam

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

18-600: Recitation #4 Exploits (Attack Lab)

4) C = 96 * B 5) 1 and 3 only 6) 2 and 4 only

Sample Midterm (Spring 2010)

TCP packet goes to OS kernel. OS looks up which process is listening on that port, sends data to stdin

Final Exam. Fall Semester 2015 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Processes (Intro) Yannis Smaragdakis, U. Athens

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Machine- Level Programming V: Advanced Topics

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

EECS 213 Fall 2007 Midterm Exam

Process Layout, Function Calls, and the Heap

CSE 333 Midterm Exam 5/10/13

Foundations of Network and Computer Security

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CSE 509: Computer Security

CS241 Computer Organization Spring Loops & Arrays

Understanding C/C++ Strict Aliasing

18-600: Recitation #4 Exploits

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Machine-Level Programming V: Unions and Memory layout

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING PREVIEW SLIDES 16, SPRING 2013

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Process Layout and Function Calls

CS 161 Computer Security

1. A student is testing an implementation of a C function; when compiled with gcc, the following x86-32 assembly code is produced:

From Over ow to Shell

Biography. Background

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Transcription:

Full Name: Final Exam, Spring 2012 Date: May 14th, 2012 Instructions: This final exam takes 1 hour and 30 minutes. Read through all the problemsandcompletetheeasy ones first. This exam is OPEN BOOK. You may use any books or notes you like. However, laptop usage is limited to browsing the e-book only. 1(xx/20) 2(xx/20) 3(xx/20) 4(xx/20) 5(xx/20) Total (xx/100) Page 1 of 12

Problem 1 (20 pts) Ben Bitdiddle is working on a machine that only supports 8-bit integercomputation.sincehiscomputation requires using bigger integers, Ben decides to emulate 16-bit integer arithematic in software. Ben s code skeleton is shown below. Ben uses a struct of two 8-bit integers to represent a 16-bit integer in 2 s complement representation. The high field of BigInt is a signed 8-bit integer which contains the high-order 8 bits in the 2 s complement representation including the 2 s complement sign bit. The low field of BigInt is an unsigned 8-bit integer which contains the low-order 8 bits in the 2 s complement representation. For example, suppose BigInt x represents decimal 260 (0x0104), then x.high = 0x01 and x.low = 0x04. As another example, suppose x represents decimal -1 (0xffff), then x.high = 0xff and x.low = 0xff. typedef struct BigInt char high; /* high-order 8 bits including 2 s complement sign bit */ unsigned char low;/* low-order 8 bits of 2 s complement*/ BigInt add(bigint a, BigInt b) BigInt c; /* compute c = a + b */ return c; BigInt sub(bigint a, BigInt b) BigInt c; /* compute c = a - b */ return c; (a) (2 pts) Given BigInt x such that x.high = 0x80 and x.low = 0x00,whatisx s value in decimal? (b) (10 pts) Please complete add and sub functions for Ben Bitdiddle. Page 2 of 12

(c) (8 pts) Alyssa P. Hacker has convinced Ben to test the correctness of his code on x86 which does support 16-bit integers. Alyssa wrote the following test code skeleton for Ben. Please help Ben complete the two functions BigInt to short and short to BigInt. short BigInt_to_short(BigInt a) short x; /* convert BigInt a to a short (16-bit) integer*/ return x; BigInt short_to_bigint(short x) BigInt a; /* convert short integer x to BigInt representation*/ return a; void test(short x, short y) short z; BigInt a,b,c; a = short_to_bigint(x); b = short_to_bigint(y); c = add(a,b); z = BigInt_to_short(c); assert(z == (short)(x+y)); c = sub(a,b); z = BigInt_to_short(c); assert(z == (short)(x-y)); void main() int i; for (i = 0; i <10000000; i++) test(random(), random()); Page 3 of 12

Problem 2 (20 pts) Ben Bitdiddle has written the following program to print a string of character a (the number of a s is given by the command line argument). For example, when typing $./a.out 5, the program is supposed to output the string content of buf is aaaaa. char init_char = a ; char *buf; void create_string(char *b, int len) int i; b = (char *) malloc(len+1); for (i = 0; i < len; i++) b[i] = init_char; b[len]= \0 ; void main() create_string(buf, atoi(argv[1])); printf("content of buf is %s\n", buf); (a) (12 pts) For each of the following variable, please indicate the size of the memory storage it occupies AND which region of the program it occupies. This program runs ona32-bitmachinesandthevalid program regions are.text/.rodata/.data/.bss/stack/heap. variable size region init char buf b b[0] len i (b) (8 pts) Does Ben s program do what he intends it to do? If not, please correct his error. (You can ignore the error of not freeing the malloc-ed buffer.) Page 4 of 12

Problem 3 (20 pts) Ben Bitdiddle is trying to figure out what the following x86-32 assemblydoes. HehassofarwrittenaC function skeleton to describe what the assembly does. <foo>: pushl %ebp movl %esp, %ebp subl $16, %esp movl $0, -8(%ebp) movl $0, -4(%ebp) jmp.l2.l3: addl $1, -8(%ebp) movl 12(%ebp), %eax addl %eax, -4(%ebp).L2: movl -4(%ebp), %eax cmpl 8(%ebp), %eax jl.l3 movl -8(%ebp), %eax leave ret <main>: pushl %ebp movl %esp, %ebp subl $24, %esp movl $8, 4(%esp) movl $16, (%esp) call foo movl %eax, -4(%ebp) leave ret int foo(int x, int y) int i; int n; ; for ( ; ; ) ; ; void main() int n = foo(16,8); Page 5 of 12

(a) (12 pts) Please help Ben complete the C code equivalent of the assembly. (b) (8 pts) In function foo s assembly code, what is being stored at following memory locations? Memory location 12(%ebp) 8(%ebp) -8(%ebp) -4(%ebp) Page 6 of 12

Problem 4 (20 pts) Ben Bitdiddle has to use the library function unsafe getinput which has a buffer overrun vulnerability. Ben s code using unsafe getinput is shown below. #define LEN 100 void f1() L1: f2(); L2: void f2() L3: char buf[len]; /* the largest legitimate input is LEN bytes long*/ L4: f3(buf); L5: void f3(char *buf) L6: unsafe_getinput(buf); /* this function might overrun buf */ L7: (a) (4 pts) When the attacker exploits the buffer overrun bug in unsafe getinput to execute malicious code by overwriting a return address. Which function would that return address have been pointing to if the attack had not occurred? (b) (8 pts) Ben asks Alyssa to think of a way to detect the buffer overrun. AlyssasuggestsBenallocate avariableonthestacknexttothebufferandtoinitializeitwith a random value. If the buffer is overrun, then the initialized value in the variable will be destroyed. By checking if the content of the variable has changed, one can detect whether unsafe getinput has resulted an overflow. Suppose the code to allocate and initialized the variable is int canary = 0xdeadbeef; Using the labels given in the code, please indicate where Ben should putthiscode. Suppose the code to check whether the canary value is destroyed is assert(canary==0xdeadbeef); Using the labels given in the code, please indicate where Ben should put this code. Page 7 of 12

(c) (8 pts) After Googling the literature on stack overflow defenses, Alyssa realizes that her solution based on stack canary might not work in all cases. Alyssa brainstormed with her fellow CSO students and found another solution based on virtual memory protection. This time, Ben is to allocate an entire memory page next to the buffer and makes it not writable. Thus, when the buffer is about to be overrun, a page fault will occur and cause the program to be aborted. Please help Ben write the code to implement Alyssa s idea. You caneitherwriteyourcodedirectlyontop of the original code, or write your code in the space below and indicate where it belongs using the labels given above. (Hint: you need to use the mprotect syscall and its man page is shown in the next page) Page 8 of 12

MPROTECT(2) Linux Programmer s Manual MPROTECT(2) NAME mprotect - set protection on a region of memory SYNOPSIS #include <sys/mman.h> int mprotect(const void *addr, size_t len, int prot); DESCRIPTION mprotect() changes protection for the calling process s memory page(s) containing any part of the address range in the interval [addr, addr+len-1]. addr must be aligned to a page boundary. If the calling process tries to access memory in a manner that violates the protection, then the kernel generates a SIGSEGV signal for the process. prot is either PROT_NONE or a bitwise-or of the other values in the following list: PROT_NONE The memory cannot be accessed at all. PROT_READ The memory can be read. PROT_WRITE The memory can be modified. PROT_EXEC The memory can be executed. RETURN VALUE On success, mprotect() returns zero. On error, -1 is returned, and errno is set appropriately. Page 9 of 12

Problem 5 (20 pts) Courtney E. Compileur is writing a program that will scan through source code looking for mistakes. She wants to write the part of the program that will count and log three types of messages: errors, warnings, and infos. She writes a function that her program will use, which is called once for each message. As its arguments it takes the type of message (error, warning, or info) and a string holding the current message. The function is responsible for updating the global num errors, num warnings,andnum infos variables and writing the message to a log file. When it writes the message to the log, it prepends it with the correct current count of errors, warnings, and info. She flexes her fingers and gets to work, composing this function: #define MSG_ERROR 0 #define MSG_WARN 1 #define MSG_INFO 2 int num_errors = 0; int num_warnings = 0; int num_infos = 0; int logfile_open = 0; FILE* logfile; void do_log(int type_of_msg, char* msg) // Update message counts switch(type_of_msg) case MSG_ERROR: num_errors++; break; case MSG_WARN: num_warnings++; break; case MSG_INFO: num_infos++; break; if (!logfile_open) logfile = fopen("somefile.log","w"); //assume this succeeds logfile_open = 1; //Write something like "e1 w40 i84 Message goes here" to log fprintf(logfile,"e%d w%d i%d\t%s\n",num_errors,num_warnings,num_infos,msg); //caller function eventually closes logfile properly. Page 10 of 12

Courtney is working with an admirably helpful system on whicheverysystemcallsucceeds,soshedoesn t need to check the return value of system calls. The above function works nicely in her single-threaded program. Unfortunately, she wants to scan through the 15 million lines of code in the 3.2 Linux kernel, and it s taking way too long. She has a quad-core machine, and figures that she can scan at least four files at a time by threading her program. However, when she starts testing it, she finds that the messages don t look right, and some of the error/warning/info counts are wrong. (a) (10 pts) What s wrong with her implementation when used in a threaded program? What specific bugs will she see? (b) (10 pts) Courtney realizes that she should be using some sort of mutices to synchronize accesses to global state to make her function thread-safe. Help her add the global mutices and use the P() and V() primitives to perform locking by annotating the code above. She wants to write optimized code, so help her use as few mutices as possible and keep locks held for as brief atimeaspossible.watchoutfordeadlocks! Write the code as if the counts should match the messages, but it s ok if the full lines written to the logfile get reordered. What would change in her creation and use of the muticesifshewantedtokeepthelinesin order? Page 11 of 12

... Page 12 of 12

Solution P1 (a) 2 15 P1 (b) BigInt add(bigint a, BigInt b) BigInt c; /* compute c = a + b */ c.high = a.high + b.high; c.low = a.low + b.low; if (c.low < a.low) c.high++; return c; BigInt sub(bigint a, BigInt b) BigInt c; /* compute c = a - b */ c.high = a.high - b.high; c.low = a.low - b.low; if (c.low > a.low) c.high--; return c; P1(c) short BigInt_to_short(BigInt a) short x; x = a.high << 8; x = a.low; return x; BigInt short_to_bigint(short x) BigInt a; a.high = x >> 8; a.low = x; return a; Page 13 of 12

P2 (a) variable size (in bytes) region init char 1.data buf 4.bss b 4 stack b[0] 1 heap len 4 stack i 4 stack Page 14 of 12

P2 (b) The create string function is not passing back the malloc-ed buffer to the caller. One way to fix this is as follows: void create_string(char **b, int len) int i; char *new_buf = (char *) malloc(len+1); for (i = 0; i < len; i++) new_buf[i] = init_char; new_buf[len]= \0 ; *b = new_buf; void main() create_string(&buf, atoi(argv[1]); printf("content of buf is %s\n", buf); P3 (a) int foo(int x, int y) int i; int n; n = 0; for ( i = 0; i < x ; i+=y) n++; return n; P3 (b) Memory location 12(%ebp) 8(%ebp) -8(%ebp) -4(%ebp) y x n i Page 15 of 12

P4 (a) f1 P4 (b) L3 and L5. See below. void f2() int canary=0xdeadbeef; char buf[len]; /* the largest legitimate input is LEN bytes long*/ f3(buf); assert(canary==0xdeadbeef); P4 (c) #define PAGE_SIZE (1<<12) void f2() /* allocate two pages on stack just above buf*/ /* we need two pages for alignment purpose*/ char guard[2*page_size]; char buf[len]; /* do mprotect by aligning guard to page boundary. */ assert(mprotect(guard+page_size-((int)guard&(page_size-1))), PAGE_SIZE, PROT_NONE)==0); f3(buf); P5 Page 16 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback