cmpsc 497 midterm review
play

CMPSC 497: Midterm Review Trent Jaeger Systems and Internet - PowerPoint PPT Presentation

Feb 25, 2023 •446 likes •962 views

CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  1. CMPSC 497: � Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security Laboratory (SIIS) Page 1

  2. Midterm • Format ‣ True/False • 8 questions ‒ 16 pts ‣ Short answer ‒ word/phrase to sentence or two • 8 questions ‒ 36 pts ‣ Question ‒ conceptual (why?) and constructions (how?) • 6 questions ‒ 48 pts • Conceptual ‒ can be a bit open-ended • Constructions ‒ like questions 11-14 from homework, but fewer parts ‣ Exams can be long-ish ‒ 3+ minutes per question Systems and Internet Infrastructure Security Laboratory (SIIS) Page 2

  3. Homework – Question #1 • Know the definitions of ‣ vulnerability, implicit information flow, memory error, no-op sled, canary, buffer overflow, buffer overread, use-after-free vulnerability, name resolution attack, confused deputy, soundness in static analysis, path constraints in symbolic execution, fuzz testing Systems and Internet Infrastructure Security Laboratory (SIIS) Page 3

  4. Question #2 • What is a format string vulnerability? What format specifier enables writing to memory? What enables reading from memory? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 4

  5. Format String Vulnerabilities • Who uses printf in their programs? printf ("This class is %s\n", string); ‣ In some cases, printf can be exploited • Printf takes a format string and an arbitrary number of subsequent arguments ‣ Format string determines what to print • Including a set of format parameters ‣ Arguments supply input for format parameters • Which may be values (e.g., %d) or references (e.g., %s) • An argument for each format parameter Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5

  6. Format String Vulnerabilities • Who uses printf in their programs? ‣ In some cases, printf can be exploited • As usual, arguments are retrieved from the stack ‣ What happens when the following is done? printf(“%s%s%s%s”); • Traditionally, compilers do not check for a match between arguments and format string – do now… ‣ So, printf would print “strings” using next four values on stack as string addresses – whatever they are Systems and Internet Infrastructure Security Laboratory (SIIS) Page 6

  7. Format String Vulnerabilities • Who uses printf in their programs? ‣ In some cases, printf can be exploited • As usual, arguments are retrieved from the stack ‣ What happens when the following is done? printf(arg); • An interesting format parameter type – %n ‣ “%n” in a format string tells the printf to write the number of bytes written via the format string processing up to that point to an address specified by the argument Systems and Internet Infrastructure Security Laboratory (SIIS) Page 7

  8. … Printf and the Stack • Suppose format string generates an adversary-controlled number Address of of bytes Format str • Suppose adversary controls Arg1-Arg3 on stack Arg 1 Arg 2 • Adversary can control number of bytes generated by format Arg 3 string with Arg1 and Arg2 • Adversary can direct where to write that number (of bytes) using %n with address at Arg3 8 Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  9. Question #3 • What is the difference between a code-reuse attack and a code-injection attack? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 9

  10. Injecting Code void function (int a, int b) { char buffer[12]; Injected gets(buffer); code return; } ret 1 void main() { 2 int x; stack frame x = 0; for main function(1,2); x = 1; The injected code can do anything. printf("%d\n",x); E.g., download and install a worm } 10 Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  11. Code Injection • Attacker creates a malicious argument—a specially crafted string that contains malicious code and a pointer to that code • When the function returns, control is transferred to the malicious code ‣ Injected code runs with the permission of the vulnerable program when the function returns. ‣ Programs running as root or other elevated privileges are normally targeted • Programs with the setuid bit on 11 Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  12. Injecting Shell Code • This brings up a shell call execve • Adversary can execute any (“/bin/sh”) command in the shell • The shell has the same ret privilege as the process 1 • Usually a process with the 2 root privilege is attacked stack frame for main 12 Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  13. Question #4 • Why is a disclosure vulnerability harmful for canary defenses? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 13

  14. Canary • Packet overflows overwrite the authenticated value packet authenticated old ebp CANARY ret stack frame Systems and Internet Infrastructure Security Laboratory (SIIS) Page

  15. Disclosure • Big limitation: Disclosure attacks ‣ By performing a buffer “overread” ‣ Example is the famous Heartbleed attack against SSL ‣ Why is this a problem for Stackguard? packet old ebp char packet[10]; canary … ret addr // suppose len is adversary controlled arg strncpy(buf, packet, len); previous send(fd, buf, len); stack frame Systems and Internet Infrastructure Security Laboratory (SIIS) Page 15

  16. Question #5 • What is address space layout randomization? How does it prevent code reuse attacks? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 16

  17. Question #5 • What is address space layout randomization? How does it prevent code reuse attacks? • Move the base address of a memory segment based on a secret, random value • Normally, 0x8000000 ‒ move to 0x8ab0000 ‣ Why not 0x800ab00? • Impacts code reuse ‒ data locations to place new stack (writable) and locations of code are moved • Limits ‒ not all code is moved, disclosure... Systems and Internet Infrastructure Security Laboratory (SIIS) Page 17

  18. Question #6 • Why does W xor X defense prevent code injection attacks? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 18

  19. Question #6 • Why does W xor X defense prevent code injection attacks? ‣ Cannot write code into data section and execute • Cannot run “Call execve” by putting that instruction in writable memory ‣ How to circumvent? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 19

  20. Question #6 • Why does W xor X defense prevent code injection attacks? ‣ Cannot write code into data section and execute • Cannot run “Call execve” by putting that instruction in writable memory ‣ How to circumvent? • Build stack for ROP attack • Pointer to execve gadget ‣ Even with ASLR on? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 20

  21. Question #6 • Why does W xor X defense prevent code injection attacks? ‣ Cannot write code into data section and execute • Cannot run “Call execve” by putting that instruction in writable memory ‣ How to circumvent? • Build stack for ROP attack • Pointer to execve gadget ‣ Even with ASLR on • Use execve PLT entry in executable Systems and Internet Infrastructure Security Laboratory (SIIS) Page 21

  22. Question #7 • Describe the steps necessary for you to exploit a buffer overflow to disable W xor X defenses? Assume you can overwrite the return address. Systems and Internet Infrastructure Security Laboratory (SIIS) Page 22

  23. Question #7 • Describe the steps necessary for you to exploit a buffer overflow to disable W xor X defenses? Assume you can overwrite the return address. ‣ Overwrite return address with gadgets to create desired ROP stack ‣ Desired ROP stack can disable W xor X using mprotect ‣ If there is a PLT entry for mprotect, invoke that with the arguments necessary to change perms so data can be writable and executable ‣ Arguments Systems and Internet Infrastructure Security Laboratory (SIIS) Page 23

  24. Question #8 • What are the requirements for copying a string safely? Systems and Internet Infrastructure Security Laboratory (SIIS) Page 24

  25. Many C func*ons don’t check bounds (examples) • gets(3) – reads input without checking. Don’t use it! • strcpy(3) – strcpy(dest, src) copies from src to dest ‣ If src longer than dest buffer, keeps wri*ng! • strcat(3) – strcat(dest, src) appends src to dest ‣ If src + data in dest longer than dest buffer, keeps wri*ng! • scanf() family of input func*ons – many dangerous op*ons ‣ scanf(3), fscanf(3), sscanf(3), vscanf(3), vsscanf(3), vfscanf(3) ‣ Many op*ons don ’ t control max length (e.g., bare “ %s ” ) • Many other dangerous func*ons, e.g.: ‣ realpath(3), getopt(3), getpass(3) ‣ streadd(3), strecpy(3), and strtrns(3) • It’s not just func*ons; ordinary loops can overflow 25 Systems and Internet Infrastructure Security Laboratory (SIIS) Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Midterm 2 Review Midterm 2 Review

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Midterm 2 Review Midterm 2 Review

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Midterm 2 Review Midterm 2 Review April 15, 2008 - Lecture 21 April 15, 2008 - Lecture 21 Instructor: Trent Jaeger Instructor: Trent Jaeger Scope Chapter 6 -- Synchronization

461 views • 27 slides
CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00

CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00

CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00 Same room as lecture Overview StaAc analysis and program verificaAon Security architecture

845 views • 45 slides
Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1

Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1

Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1 -10, lectures, discussions, cases) may appear on the exam The only item that will not be covered on the midterm is chapter 8 (Global Marketing)

815 views • 53 slides
CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage

CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage

CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage Midterm is on Everything we covered in lecture slides, textbook, and Feb. 10, Mon assignments before Section 3.1 (Backward Learning and Spanning Tree

531 views • 42 slides
Review Review of topics for midterm Next class Homeworks 1 & 2 solutions and

Review Review of topics for midterm Next class Homeworks 1 & 2 solutions and

Numerical and Scientific Computing with Applications David F . Gleich CS 314, Purdue September 16, 2016 In this class: Review Review of topics for midterm Next class Homeworks 1 & 2 solutions and questions Midterm G&C

495 views • 14 slides
CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed

CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed

CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed book, closed notes Covers topics in lectures, projects and homeworks Not intended to test things you can easily look up If something

728 views • 42 slides
CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16

CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16

CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16 (Friday) The exam will be available on Oct 16 0am You must submit no later than Oct 16 11:59pm Usually can be finished in 2 hours

679 views • 35 slides
Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer

Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer

Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer architecture background, gpu architecture, CUDA Parallelism, Memory coalescing, warp divergence, thread synchronization, Reduction, Scan, and Matrix

706 views • 31 slides
Topics For Final (1) everything from before the midterm outline posted in midterm review

Topics For Final (1) everything from before the midterm outline posted in midterm review

Topics For Final (1) everything from before the midterm outline posted in midterm review slides Architectural Styles 5 styles discussed: pipe & filter layered implicit invocation (event based) repository

429 views • 14 slides
Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14.

Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14.

Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14. Modular Arithmetic. Inverses. GCD/Extended-GCD. x has inverse modulo m if and only if gcd ( x , m ) = 1 . Time: 120 minutes Proof Idea:

282 views • 5 slides
Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth

Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth

Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth 30% of your grade Should look like Homework 3 and 4 2 short answers 2 declensions 2 weak conjugation 2 gloss-and-translations

544 views • 26 slides
CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book,

CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book,

CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book, closed notes Covers topics in lectures, projects and homeworks Not intended to test

789 views • 45 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Exam 1 Review Exam 1 Review February

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Exam 1 Review Exam 1 Review February

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Exam 1 Review Exam 1 Review February 19, 2008 - Lecture 10 10 February 19, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Exam Structure (12) Short Answer

330 views • 11 slides
Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous

Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous

Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous consensus Paxos FLP Theorem Bitcoin Raft DHT Midterm Format Timed exam, 79 p.m. Monday Exam released @ 7 p.m.

340 views • 14 slides
CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST

CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST

CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST Reminder: Assignment 3 due tomorrow! Networks Parts of a network Types of links Overview Key interfaces Sockets

498 views • 38 slides
Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will

Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will

Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will cover Chapters 1-5 and lecture material Tues 1:30-3pm me Tues 5-6pm Randall Chapter 10 Reading Assignment due Monday,

825 views • 53 slides
Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of

SBU - Tehran ENSL - Lyon Modulo- Parallel Prefix Addition via Excess-Modulo Encoding of Residues Seyed Hamed Fatemi Langroudi & Ghassem Jaberipur Computer Science & Engineering Department Shahid

1.35k views • 113 slides
A Learning Bridge from Architectural Synthesis to Physical Design for Exploring Power Efficient

A Learning Bridge from Architectural Synthesis to Physical Design for Exploring Power Efficient

A Learning Bridge from Architectural Synthesis to Physical Design for Exploring Power Efficient High-Performance Adders Subhendu Roy 1 Yuzhe Ma 2 Jin Miao 1 Bei Yu 2 1 Cadence Design Systems 2 The Chinese University of Hong Kong ISLPED17 1 /

454 views • 27 slides
Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline

Symbolic Computation and Theorem Proving in Program Analysis Laura Kov acs Chalmers Outline Part 1: Weakest Precondition for Program Analysis and Verification Part 2: Polynomial Invariant Generation (TACAS08, LPAR10) Part 3:

1.22k views • 98 slides
Shell Model Far From Stability: IoI Mergers Fr ed eric Nowacki NUSPIN 2017, June 26 th -29

Shell Model Far From Stability: IoI Mergers Fr ed eric Nowacki NUSPIN 2017, June 26 th -29

Shell Model Far From Stability: IoI Mergers Fr ed eric Nowacki NUSPIN 2017, June 26 th -29 th 2017 The Archipelago of Islands of Inversion N=8 N=20 N=28 N=40 N=50 11 Li 32 Mg 42 Si 64 Cr 74 Cr Landscape of medium mass nuclei: Mergers

609 views • 48 slides
On a New Proof of the Faber-Manteuffel Theorem Petr Tich joint work with Jrg Liesen and

On a New Proof of the Faber-Manteuffel Theorem Petr Tich joint work with Jrg Liesen and

On a New Proof of the Faber-Manteuffel Theorem Petr Tich joint work with Jrg Liesen and Vance Faber Institute of Computer Science, Academy of Sciences of the Czech Republic June 2, 2008, Zeuthen, Germany Householder Symposium XVII 1

1.11k views • 63 slides
36th European Workshop on Computational Geometry Disjoint tree-compatible plane perfect

36th European Workshop on Computational Geometry Disjoint tree-compatible plane perfect

36th European Workshop on Computational Geometry Disjoint tree-compatible plane perfect matchings Oswin Aichholzer 1 , Julia Obmann 1 , Pavel Pat ak 2 , Daniel Perz 1 , and Josef Tkadlec 2 1 Graz University of Technology, Austria 2 IST Austria,

1.29k views • 66 slides
Instruction scheduling However, that order is usually not the only valid one, in the sense that

Instruction scheduling However, that order is usually not the only valid one, in the sense that

Instruction ordering When a compiler emits the instructions corresponding to a program, it imposes a total order on them. Instruction scheduling However, that order is usually not the only valid one, in the sense that it can be changed without

209 views • 3 slides
Theory of Peer Data Management Sebastian Skritek Database and Artificial Intelligence Group

Theory of Peer Data Management Sebastian Skritek Database and Artificial Intelligence Group

Theory of Peer Data Management Sebastian Skritek Database and Artificial Intelligence Group Vienna University of Technology DEIS 2010 S.Skritek Theory of PDM 1/54 1.Motivation 1.1. Motivation Motivation From Data Integration to Peer

1.67k views • 123 slides

More recommend