cs161 midterm 1 review
play

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room - PowerPoint PPT Presentation

Dec 05, 2022 •126 likes •426 views

CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture Security Analysis and Threat Model Basic security properties CIA Threat model A. We want perfect security B. Security is about risk analysis and

  1. CS161 Midterm 1 Review Midterm 1: March 4, 18:30- 20:00 Same room as lecture

  2. Security Analysis and Threat Model • Basic security properties – CIA • Threat model A. We want perfect security B. Security is about risk analysis and economics Answer is B.

  3. Software Vulnerabilities • Bufger overfmow vulnerabilities and attacks • Integer overfmow vulnerabilities and attacks • Format string vulnerabilities and attacks • Arc injection/return-to-libc/ROP vulnerabilities and attacks • General control hijacking attacks • Data hijacking attacks

  4. General Control Hijacking expected code Control Flow Pointer return address frame pointer function pointer as local variable exception Handler shellcode, jump to address longjmp pointer library (return function pointer in to libc) heap Overwrite Step: Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest. Activate Step: Find some way to activate that modifjed Control Flow Pointer. Dawn Song 4

  5. Instances of Control Hijacking Location Control Flow How to in Pointer activate Memory Stack Return Address Return from function (stack frame) Stack Frame Pointer Return from Ret Addr Frame Ptr function exception handers Stack Function Reference and local fn ptrs Pointers as call function buf local variables pointer Stack Exception T rigger A A E E H Handler Exception H ( ( Object vtable Object vtable ) ) P P Heap Function Reference and T method T method ptr FP1: ptr FP1: pointer in heap call function #1 method #2 method #2 #1 FP2: FP2: method (i.e. method of pointer method FP3: FP3: #3 #3 an object) data data buf buf Anywhe setjmp and Call longjmp longjmp saved longjmp re pointer program state … bufger other data buf Dawn Song 5

  6. Data Hijacking odifying data in a way not intended Example: Authentication variab arguments arguments arguments return address return address return address stack frame pointer stack frame pointer stack frame pointer authentication_variable authentication_variable authentication_variable bufger bufger bufger Exploited Situation: Normal Situation: User types in a password which is stored in the bufger, and if the User types in a password which is long enough to overfmow bufger and into the authentication_variable. The user is now user is successfully authenticated, the authentication_variable is Dawn Song 6 set. unintentionally authenticated.

  7. Stack and Format Strings • Function behavior is controlled by the format string • Retrieves parameters from stack as requested: “%” • Example: A Address of the format printf(“Number %d has no address, number %d has: string stack top … %08x\n”, I, a, &a) i Value of variable I <&a> <a> a Value of variable a <i> A &a Address of variable a … stack bottom

  8. SW Vuln. Defenses • Non-execute (NX) • Stack canaries • ASLR • Bounds check • Which defenses are efgective against what attacks?

  9. Efgectiveness and Limitations • Defense against bufger overfmow attacks * When Applicable Defenses/Mitigations Code Injection Code Injection Arc Injection Arc Injection Stack Non-Execute (NX)* ASLR Stack Non-Execute (NX)* ASLR ASLR StacKGuard(Canaries) ASLR StacKGuard(Canaries) StacKGuard(Canaries) ProPolice StacKGuard(Canaries) ProPolice /GS /GS libsafe libsafe Heap Non-Execute (NX)* ASLR Heap Non-Execute (NX)* ASLR ASLR ASLR PointGuard PointGuard Exceptio Non-Execute (NX)* ASLR Exceptio Non-Execute (NX)* ASLR ASLR SAFESEH and SEHOP n ASLR n SAFESEH and SEHOP Handler Handler s s Dawn Song 9

  10. Fuzzing • Random fuzzing • Mutation-based fuzzing • Generation-based fuzzing • Code coverage – line, branch and path coverage • Example problem: given a program, calculate how many inputs can achieve a full line/branch/path coverage (e.g., Discussion 5)

  11. Coverage Metrics Lines

  12. Coverage Metrics Lines

  13. Coverage Metrics Lines Branche s

  14. Coverage Metrics Lines Branche s

  15. Coverage Metrics Paths Lines Branche s

  16. Coverage Metrics Paths Lines Branche s

  17. Coverage Metrics Paths Lines Branche s

  18. Quiz on Line Coverage How many lines are in this How many test cases (pairs of code? values for (a,b)) are needed to achieve 100% line coverage? 1 1 2 2 3 3 4 4

  19. Quiz on Branch Coverage How many branches are in How many test cases (pairs of this code? values for (a,b) are needed to achieve 100% branch coverage? 1 1 2 2 3 3 4 4

  20. Quiz on Path Coverage How many paths are in this How many test cases (pairs of code? values for (a,b) are needed to achieve 100% path coverage? 1 1 2 2 3 3 4 4

  21. Completeness of Coverage Metrics Which of the following coverage results guarantee the bug will be found? 100% line coverage 100% branch coverage 100% path coverage None of the above

  22. Properties of Coverage Metrics • A numeric measure of an analysis • An objective basis for comparing difgerent analyses • A way to evaluate if no progress is made (no coverage metrics are increasing) Important: Metrics are not suffjcient conditions for completeness. 100% coverage does not mean all sources of vulnerabilities have been evaluated.

  23. Symbolic Execution • Path predicates • Security vulnerabilities as assertion violations • How to use symbolic execution to fjnd bugs • Constraint-based automatic test case generation • Challenges for symbolic execution

  24. Assertion Violation as Satisfjability In the appropriate theory, the formula input < UINT_MAX - 2 && len == input + 3 && ! (len < 10) && ! (len % 2 == 0) && !(len < UINT_MAX – 1) is satisfjed by the assignment err input UINT_MAX - 3 len UINT_MAX

  25. Quiz: Branches and Paths F 1 T Suppose we want to know if there is a feasible path to the location 1F 1T ERR in this program. 2 F T Suppose we generate one path predicate for each path through 2F 2T this program. 3 How many path predicates are generated? F T n nF nT ER R

  26. Quiz: Branches and Paths F 1 T Suppose we want to know if there is a feasible path to the location 1F 1T ERR in this program. 2 F T Suppose we generate one path predicate for each path through 2F 2T this program. 3 How many path predicates are generated? 2 n F T n nF nT ER R

  27. Quiz: Branches and Paths F 1 T Suppose we want to know if there is a feasible path to the location 1F 1T ERR in this program. 2 F T Suppose we generate one path predicate for each path through 2F 2T this program. 3 How many path predicates are generated? 2 n F T n Number of predicates can be nF nT exponential in the number of branches. ER R

  28. T opics Covered in Midterm 2 • Static analysis • Program Verifjcation • Security principles and architectures • Malware • Other topics after midterm 2

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00

CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00

CS161 Midterm 2 Review Midterm 2: April 29, 18:30-20:00 Same room as lecture Overview StaAc analysis and program verificaAon Security architecture

845 views • 45 slides
Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1

Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1

Midterm review Midterm: what you need to know Everything weve covered thus far (chapters 1 -10, lectures, discussions, cases) may appear on the exam The only item that will not be covered on the midterm is chapter 8 (Global Marketing)

815 views • 53 slides
CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage

CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage

CSE 461 Midterm Review A quick tour of what we have learned so far Midterm Topic Coverage Midterm is on Everything we covered in lecture slides, textbook, and Feb. 10, Mon assignments before Section 3.1 (Backward Learning and Spanning Tree

531 views • 42 slides
Review Review of topics for midterm Next class Homeworks 1 &amp; 2 solutions and

Review Review of topics for midterm Next class Homeworks 1 &amp; 2 solutions and

Numerical and Scientific Computing with Applications David F . Gleich CS 314, Purdue September 16, 2016 In this class: Review Review of topics for midterm Next class Homeworks 1 &amp; 2 solutions and questions Midterm G&amp;C

495 views • 14 slides
CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed

CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed

CSE 461 MIDTERM REVIEW HELP YOURSELF TO SNACKS MIDTERM OVERVIEW 50 minutes Closed book, closed notes Covers topics in lectures, projects and homeworks Not intended to test things you can easily look up If something

728 views • 42 slides
CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16

CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16

CS 401 Midterm review Xiaorui Sun 1 Midterm Exam Midterm exam via gradescope : October 16 (Friday) The exam will be available on Oct 16 0am You must submit no later than Oct 16 11:59pm Usually can be finished in 2 hours

679 views • 35 slides
Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer

Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer

Midterm Review Logistics Lab 2 now due Monday May 18 th Midterm next class computer architecture background, gpu architecture, CUDA Parallelism, Memory coalescing, warp divergence, thread synchronization, Reduction, Scan, and Matrix

706 views • 31 slides
Topics For Final (1) everything from before the midterm outline posted in midterm review

Topics For Final (1) everything from before the midterm outline posted in midterm review

Topics For Final (1) everything from before the midterm outline posted in midterm review slides Architectural Styles 5 styles discussed: pipe &amp; filter layered implicit invocation (event based) repository

429 views • 14 slides
Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14.

Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14.

Midterm 2 Review. Midterm format Modular Arithmetic Inverses and GCD Midterm Topics: Notes 6-14. Modular Arithmetic. Inverses. GCD/Extended-GCD. x has inverse modulo m if and only if gcd ( x , m ) = 1 . Time: 120 minutes Proof Idea:

282 views • 5 slides
Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth

Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth

Midterm review 98-348: Lecture 6 Midterm logistics Next week in class (Oct 16 th ) Worth 30% of your grade Should look like Homework 3 and 4 2 short answers 2 declensions 2 weak conjugation 2 gloss-and-translations

544 views • 26 slides
CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book,

CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book,

CSE 461 MIDTERM REVIEW MIDTERM OVERVIEW 50 minutes Closed book, closed notes Covers topics in lectures, projects and homeworks Not intended to test

789 views • 45 slides
Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous

Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous

Midterm 2 Review Midterm Topics Leader Election Consensus Formulation Synchronous consensus Paxos FLP Theorem Bitcoin Raft DHT Midterm Format Timed exam, 79 p.m. Monday Exam released @ 7 p.m.

340 views • 14 slides
CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST

CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST

CSE 461: Midterm Review! Autumn 2020 Midterm Info November 9th, 12:30pm - 1:20pm PST Reminder: Assignment 3 due tomorrow! Networks Parts of a network Types of links Overview Key interfaces Sockets

498 views • 38 slides
Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will

Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will

Midterm 1 Review Office Hours Midterm 1 on Sept. 28th Mon 12-1pm Zane will cover Chapters 1-5 and lecture material Tues 1:30-3pm me Tues 5-6pm Randall Chapter 10 Reading Assignment due Monday,

825 views • 53 slides
Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo

Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo

Lecture 10 Midterm review Announcements The midterm is on Tue Feb 9 th in class 4 Bring photo ID 4 You may bring a single sheet of notebook sized paper 8x10 inches with notes on both sides (A4 OK) 4 You may not bring a magnifying

491 views • 32 slides
Wrap of Number Theory &amp; Midterm Review F Primes, GCD, and LCM (Section 3.5 in text) F Midterm

Wrap of Number Theory &amp; Midterm Review F Primes, GCD, and LCM (Section 3.5 in text) F Midterm

Wrap of Number Theory &amp; Midterm Review F Primes, GCD, and LCM (Section 3.5 in text) F Midterm Review Sections 1.1-1.7 Propositional logic Predicate logic Rules of inference and proofs Sections 2.1-2.3 Sets and Set operations Functions

241 views • 12 slides
Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Integer overflows and sign errors Adding,

756 views • 42 slides
A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu Gene Kim genelkim@uw.edu

A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu Gene Kim genelkim@uw.edu

A Type System for Format Strings Konstantin Weitz weitzkon@uw.edu Gene Kim genelkim@uw.edu Siwakorn Srisakaokul ping128@uw.edu Michael D. Ernst mernst@uw.edu 1 Format String APIs printf(name: %s age: %d, Konstantin, 25);

791 views • 58 slides
Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 ,

Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 ,

Using Functional Load for Optimizing DPGMM based Zero Resource Sub-word Unit Discovery Bin Wu 1 , Sakriani Sakti 1,2 , Jinsong Zhang 3 and Satoshi Nakamura 1,2 {wu.bin.vq9,ssakti,s-nakamura}@is.naist.jp, jinsong.zhang@blcu.edu.cn 1. Nara

429 views • 23 slides
AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG,

AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG,

AlsaModularSynth An instrument for the electrified virtuoso Matthias Nagorni, SUSE Linux AG, Nrnberg, Germany 30. April 2004 Surprisingly, it was already in the early days of electronic music that its most expressive exponent was invented:

872 views • 17 slides
1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

1 Example Bugs Type Qualifiers [Shankar, et al 01] Idea null dereference Add tainted and

Finding Bugs Problem Last time What is a bug? a path in the code that causes a run-time exception Alias/Pointer analysis a path through the code that causes incorrect results Today Issues Program Analysis for finding bugs,

214 views • 4 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides
CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework

CMSC 240 SOFTWARE SYSTEMS DEVELOPMENT CMSC 240: Fall 2020 Homework http://www.mathcs.richmond.edu/~blawson/cmsc240 Read: Syllabus Chapters 1, 2, 3 of C++ Primer Plus Tutorial: Unix Tutorial for Beginners (Intro, Tutorial 1,

1.18k views • 46 slides
From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An

From Overow to Shell From Overow to Shell An Introduction to low-level exploitation An Introduction to low-level exploitation Carl Svensson @ Foo Caf, February 2019 Carl Svensson @ Foo Caf, February 2019 1 / 28 1 / 28 Background

619 views • 28 slides

More recommend