Saturday, July 25, 2015

Software Security - Week 2

1. Consider the following code:
  #include <string.h>
  #include <stdio.h>

  /* return a pointer to the first 'a' in buf, or NULL if there is none */
  char *foo(char *buf) {
    char *x = buf+strlen(buf);   /* one past the last character of the string */
    char *y = buf;
    while (y != x) {
      if (*y == 'a')
        return y;
      y++;
    }
    return NULL;
  }

  void bar() {
    char input[10] = "leonard";
    char *found = foo(input);    /* points at the 'a', i.e. input + 4 */
    printf("%s\n", found);
  }
The definition of spatial safety models pointers as capabilities, which are triples (p,b,e) where p is the pointer, b is the base of the memory region the pointer is allowed to access, and e is the extent of that region. Assuming characters are 1 byte in size, what is a triple (p,b,e) for the variable y when it is returned at the end of the code?
  • (&input+4,&input,&input+10)
y starts out pointing to the start of the input[] buffer, which has space for 10 characters, so its base is &input and its extent is &input+10. y is incremented 4 times (past 'l', 'e', 'o' and 'n') until it reaches the 'a' at index 4, and the bounds travel with the pointer: the returned capability is (&input+4, &input, &input+10).
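The capability model in the question, as an added example that is not part of the original quiz: a fat pointer carrying (p, b, e), a dereference that refuses addresses outside [b, e), and foo() rewritten over it. The cap_t struct and the helper names are assumptions made for this illustration; only the triple notation and the "leonard" input come from the page.

```c
#include <stddef.h>
#include <stdio.h>

/* A "fat pointer" modelling the (p, b, e) capability from the question:
 * p is the current pointer, b the base of the region, e one past its end.
 * (Hypothetical layout for illustration; real implementations such as
 * SoftBound keep the bounds in a separate table.) */
typedef struct {
    char *p;   /* pointer value */
    char *b;   /* base of the region the pointer may access */
    char *e;   /* extent: first byte past that region */
} cap_t;

/* Build a capability covering a buffer of 'size' bytes. */
static cap_t cap_make(char *buf, size_t size) {
    cap_t c;
    c.p = buf; c.b = buf; c.e = buf + size;
    return c;
}

/* Spatially safe read: only addresses in [b, e) may be dereferenced.
 * Returns 1 and stores the byte, or 0 for an out-of-bounds access. */
static int cap_read(cap_t c, char *out) {
    if (c.p < c.b || c.p >= c.e) return 0;
    *out = *c.p;
    return 1;
}

/* strlen() over a capability: stops at the NUL or at the extent. */
static size_t cap_strlen(cap_t c) {
    size_t n = 0;
    char ch;
    while (cap_read(c, &ch) && ch != '\0') { n++; c.p++; }
    return n;
}

/* foo() from the question over capabilities: every read is bounds-checked
 * and the returned capability keeps the original (b, e). */
static cap_t foo_cap(cap_t buf) {
    cap_t x = buf;
    cap_t y = buf;
    char ch;
    x.p += cap_strlen(buf);            /* buf + strlen(buf) */
    while (y.p != x.p) {
        if (!cap_read(y, &ch)) break;  /* would be a spatial violation */
        if (ch == 'a') return y;
        y.p++;
    }
    y.p = NULL;                        /* not found: NULL pointer, bounds kept */
    return y;
}

/* p - b for the returned capability: the "+4" in the answer. */
long foo_offset(void) {
    char input[10] = "leonard";
    cap_t r = foo_cap(cap_make(input, sizeof input));
    return r.p ? (long)(r.p - r.b) : -1;
}

/* e - b for the returned capability: the "+10", unchanged by the walk. */
long foo_extent(void) {
    char input[10] = "leonard";
    cap_t r = foo_cap(cap_make(input, sizeof input));
    return (long)(r.e - r.b);
}

/* A pointer at the extent (&input+10) is refused even though it is
 * only one byte past the buffer. */
int read_at_extent_is_refused(void) {
    char input[10] = "leonard";
    cap_t c = cap_make(input, sizeof input);
    char ch;
    c.p = c.e;
    return cap_read(c, &ch) == 0;
}

int main(void) {
    printf("'a' found at p - b = %ld, extent e - b = %ld\n", foo_offset(), foo_extent());
    printf("read at &input+10 refused: %d\n", read_at_extent_is_refused());
    return 0;
}
```

The point to notice is that incrementing y only changes p; b and e are copied along unchanged, which is what lets the check in cap_read catch a walk that runs past the end of input.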

2. Which of the following are true about a language that uses garbage collection or some other automatic means (e.g., reference counting) for memory management?
  • The language will not have temporal memory safety violations
The garbage collector only reclaims memory that is no longer reachable, so no live pointer can ever refer to freed memory. The programmer never calls free() and therefore cannot free an object too early (a use-after-free) or twice (a double free); the decision is not left up to the programmer.

3. Which of the following are true about a type-safe language?
  • The language may be used to enforce information flow security, depending on the type system
A type system that attaches security labels to values (e.g., secret vs. public) can reject programs in which secret data flows to a public output; plain type safety by itself does not give this guarantee.
4. An engineer proposes that in addition to making the stack non-executable, your system should also make the heap non-executable. Doing so would
  • Make the program more secure by disallowing another location for an attacker to place executable code
Attacker-controlled data placed on the heap can then not be executed either, extending (W xor X) / DEP to the entire program rather than to the stack alone.
5. What is the best choice of value for a stack canary, of the following options?
  • A random value
The canary should be unpredictable, so the attacker cannot easily guess it when they must overwrite it (and put the right value back) during an attack. A fixed or terminator-only canary can be reproduced in the overflow payload.
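A simulated stack frame showing why the canary must be unpredictable, added here as an example that is not part of the original quiz. The struct stands in for the compiler's frame layout, the overflow is a plain memcpy into that struct, and the constants (the "fixed" canary value and the "fresh random" value) are assumptions for the demonstration; real code draws the canary from the OS at process start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame layout: the guard word sits between the local buffer
 * and the saved data it protects, as the compiler arranges it. */
struct frame {
    char     buf[16];       /* vulnerable local buffer (lowest address) */
    uint32_t canary;        /* guard word */
    uint32_t saved_ret;     /* stands in for the saved return address */
};

#define FIXED_CANARY 0x41414141u   /* a predictable "canary" an attacker can reproduce */

/* Copy 'len' attacker bytes into the frame starting at buf with no bounds
 * check (the bug), then run the epilogue check.
 * Returns 1 if the canary check fires, 0 if the overflow goes unnoticed. */
static int run_with_canary(uint32_t canary, const unsigned char *payload, size_t len) {
    struct frame f;
    f.canary = canary;
    f.saved_ret = 0xdeadbeefu;
    if (len > sizeof f) len = sizeof f;      /* keep the simulation inside the struct */
    memcpy(&f, payload, len);                /* buf is at offset 0: overflow runs into canary */
    return f.canary != canary;               /* epilogue: did the guard word change? */
}

/* An attacker who thinks they know the canary writes it back in place
 * and then overwrites the saved return address behind it. */
static size_t build_payload(unsigned char *out, uint32_t guessed_canary, uint32_t new_ret) {
    memset(out, 'A', 16);                    /* fill buf */
    memcpy(out + 16, &guessed_canary, 4);    /* restore the (guessed) canary */
    memcpy(out + 20, &new_ret, 4);           /* hijack saved_ret */
    return 24;
}

/* Fixed canary: the guess is right, so the check does NOT fire (returns 0). */
int fixed_canary_detects_overflow(void) {
    unsigned char payload[24];
    size_t n = build_payload(payload, FIXED_CANARY, 0x13371337u);
    return run_with_canary(FIXED_CANARY, payload, n);
}

/* Random canary: the attacker's guess no longer matches the value chosen
 * for this process, so the check fires (returns 1). The constant below is
 * an assumption standing in for a value drawn from the OS at startup. */
int random_canary_detects_overflow(void) {
    uint32_t fresh = 0x8f3a2c01u;
    unsigned char payload[24];
    size_t n = build_payload(payload, FIXED_CANARY, 0x13371337u);   /* stale guess */
    return run_with_canary(fresh, payload, n);
}

int main(void) {
    printf("fixed canary caught the overflow:  %d\n", fixed_canary_detects_overflow());
    printf("random canary caught the overflow: %d\n", random_canary_detects_overflow());
    return 0;
}
```

The same payload defeats the fixed canary and is caught by the random one; the only difference is whether the attacker could know the value in advance.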
6. A return-to-libc attack does not require that the attacker inject executable code into the vulnerable program. Which of the following is the most important reason that return-to-libc attacks are useful to the attacker?
  • There is no need to be able to execute (writable) data
The attacker does not need to inject executable code into a writable buffer; they reuse code that is already mapped executable (libc), so the attack works on systems that enforce (W xor X) / DEP.
7. In a return-oriented program (ROP), what is the role of the stack pointer?
  • It's like the program counter in a normal program
The stack pointer selects the next gadget: each gadget ends in a 'ret', which pops the next gadget address from the stack, so advancing the stack pointer plays the role the program counter plays in a normal program.
8. When enforcing Control Flow Integrity (CFI), there is no need to check that direct calls adhere to the control flow graph because:
  • CFI should be deployed on systems that ensure the code is immutable
Direct calls encode their target in the instruction itself. If code pages are immutable, that target cannot be rewritten to point to an attacker-supplied value, so only indirect transfers (through registers or memory, such as function pointers and return addresses) need a runtime check.
9. Classic enforcement of CFI requires adding labels prior to branch targets, and adding code prior to the branch that checks the label to see if it's the one that is expected. Now consider the following program:
#include <stdio.h>
#include <string.h>

int cmp1(char *a, char *b) {
    return strcmp(a,b);
}

int cmp2(char *a, char *b) {
    return strcmp(b,a);
}

typedef int (*cmpp)(char*,char*);

int bar(char *buf) {
    cmpp  p;
    char  tmpbuff[512] = { 0 };
    int   l;

    /* the target of the later indirect call depends on the input */
    if(buf[0] == 'a') {
      p = cmp1;
    } else {
      p = cmp2;
    }

    printf("%p\n", (void *)p);

    /* unbounded copy: input longer than 511 bytes overflows tmpbuff
       and, depending on the frame layout, can overwrite p */
    strcpy(tmpbuff, buf);

    /* upper-case the copy (note: '> 97' skips 'a' itself) */
    for(l = 0; l < sizeof(tmpbuff); l++) {
      if(tmpbuff[l] == 0) {
        break;
      } else {
        if(tmpbuff[l] > 97) {
          tmpbuff[l] -= 32;
        }
      }
    }

    return p(tmpbuff,buf);   /* indirect call: this is what CFI must check */
}
To ensure that the instrumented program runs correctly when not being attacked, which of the following functions would have to be given the same label? Choose at least two, but no more functions than necessary.
  • cmp1
  • cmp2
The indirect call p(tmpbuff, buf) may legitimately reach either cmp1 or cmp2, so the check at that call site expects one label and both targets must carry it. strcmp, printf and strcpy are only reached by direct calls and need no label (see question 8).
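What the instrumented indirect call in bar() amounts to, as an added example that is not part of the original quiz. Real CFI places the label in the code bytes in front of each function and the check in the instruction stream before the call; here a lookup table stands in for the labels and cfi_call() stands in for the instrumented call site. The label values, not_a_comparator() and all other names are assumptions; the strcpy overflow from the question is deliberately left out so that the example shows only the check.

```c
#include <stdio.h>
#include <string.h>

typedef int (*cmpp)(char *, char *);

enum { LABEL_CMP = 0x1234, LABEL_OTHER = 0x5678 };   /* hypothetical label values */
enum { CFI_ABORTED = -1000 };                         /* sentinel for a refused call */

static int cmp1(char *a, char *b) { return strcmp(a, b); }
static int cmp2(char *a, char *b) { return strcmp(b, a); }

/* Same signature as cmp1/cmp2 but never a legitimate target of bar()'s call:
 * it stands in for wherever an attacker would redirect p. */
static int not_a_comparator(char *a, char *b) { (void)a; (void)b; return 0; }

/* "Labels before branch targets": the label attached to each function. */
static const struct { cmpp fn; int label; } labels[] = {
    { cmp1, LABEL_CMP },
    { cmp2, LABEL_CMP },                 /* same label as cmp1: p may be either */
    { not_a_comparator, LABEL_OTHER },
};

static int label_of(cmpp fn) {
    size_t i;
    for (i = 0; i < sizeof labels / sizeof labels[0]; i++)
        if (labels[i].fn == fn) return labels[i].label;
    return -1;                           /* unknown target: carries no label at all */
}

/* The instrumented indirect call: compare the target's label with the one
 * this call site expects, then call. Returns 1 and stores the result if
 * allowed, 0 if CFI refused the transfer. */
int cfi_call(cmpp p, int expected, char *a, char *b, int *result) {
    if (label_of(p) != expected) return 0;
    *result = p(a, b);
    return 1;
}

/* bar() from the question with its indirect call instrumented. */
int bar_cfi(char *buf, int *result) {
    cmpp p = (buf[0] == 'a') ? cmp1 : cmp2;
    char tmpbuff[512] = { 0 };
    strncpy(tmpbuff, buf, sizeof tmpbuff - 1);
    return cfi_call(p, LABEL_CMP, tmpbuff, buf, result);
}

/* The same call after an overflow had replaced p with an unintended target. */
int bar_hijacked(char *buf, int *result) {
    char tmpbuff[512] = { 0 };
    strncpy(tmpbuff, buf, sizeof tmpbuff - 1);
    return cfi_call(not_a_comparator, LABEL_CMP, tmpbuff, buf, result);
}

/* Fold (allowed, result) into one value for the demo. */
int bar_cfi_value(char *buf)      { int r; return bar_cfi(buf, &r) ? r : CFI_ABORTED; }
int bar_hijacked_value(char *buf) { int r; return bar_hijacked(buf, &r) ? r : CFI_ABORTED; }

int main(void) {
    char in1[] = "abc", in2[] = "xyz";
    printf("bar(\"abc\") via cmp1: %d\n", bar_cfi_value(in1));
    printf("bar(\"xyz\") via cmp2: %d\n", bar_cfi_value(in2));
    printf("hijacked p: %d (CFI_ABORTED = %d)\n", bar_hijacked_value(in1), CFI_ABORTED);
    return 0;
}
```

Giving cmp1 and cmp2 the same label is what keeps the benign program working: with distinct labels one of the two legitimate paths through bar() would be rejected. Adding strcmp, printf or strcpy to that label set would be unnecessary and would widen the set of targets the overflow could reach.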

10. A project manager proposes a C coding standard where pointer variables must be assigned to NULL after being passed to free(). Doing so:
  • Stops writes to stale pointer values that might otherwise succeed and result in program compromise
Nulling the pointer turns a later use of it into a null dereference, which crashes rather than silently reading or writing memory that has been freed and possibly reused for something else. The crash is undesirable, but it is far less dangerous than an exploitable use-after-free. The rule has a limit: it only clears the one variable passed to free(); any other copy of the same pointer (an alias stored in a struct or in another local) remains dangling.
11. A colleague proposes using a heap allocator that randomizes the addresses of allocated objects. This:
  • Will make the program more secure, because attackers frequently rely on predicting the locations of heap-allocated objects in exploits
12. A safe string library typically attempts to ensure which of the following?
  • That there is sufficient space in a source and/or target string to perform operations like concatenation, copying, etc.

13. In your review of a program, you discover the following function:
  #include <string.h>

  /* replace every occurrence of a banned character in buf with a space */
  void aFunction(char *buf) {
    static char  BANNED_CHARACTERS[] = {'>', '<', '!', '*'};
    int l = strlen(buf);
    int i;

    for(i = 0; i < l; i++) {
      int j;
      int k = sizeof(BANNED_CHARACTERS) / sizeof(char);   /* number of banned characters */
      for(j = 0; j < k; j++) {
        if(buf[i] == BANNED_CHARACTERS[j])
          buf[i] = ' ';
      }
    }
  }
How would you best describe what this function is doing?
  • Input sanitization by blacklisting
The function rewrites the input in place, replacing a fixed list of disallowed characters with spaces. It is a blacklist because it enumerates what is forbidden rather than what is allowed; anything not on the list (for example ';', '|' or '$') passes through untouched.
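The blacklist from the question beside an allowlist version, added here as an example that is not part of the original quiz. The allowed character set (letters, digits, space, '.', '_', '-') is an assumption chosen for illustration; which characters are actually safe depends on where the string ends up (a shell, SQL, HTML, a file name), and the helper names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The blacklist from the question: only the four listed characters are replaced. */
void sanitize_blacklist(char *buf) {
    static const char banned[] = { '>', '<', '!', '*' };
    size_t i, j;
    for (i = 0; buf[i] != '\0'; i++)
        for (j = 0; j < sizeof banned; j++)
            if (buf[i] == banned[j]) buf[i] = ' ';
}

/* Assumed allowlist: what the (hypothetical) consumer of the string can take safely. */
static int allowed(unsigned char c) {
    return isalnum(c) || c == ' ' || c == '.' || c == '_' || c == '-';
}

/* Allowlist: keep only known-good characters, replace everything else.
 * Characters nobody thought to ban (';', '|', '$', '`', ...) are covered too. */
void sanitize_allowlist(char *buf) {
    size_t i;
    for (i = 0; buf[i] != '\0'; i++)
        if (!allowed((unsigned char)buf[i])) buf[i] = ' ';
}

/* How many characters outside the allowlist remain in buf. */
int count_disallowed(const char *buf) {
    int n = 0;
    for (; *buf; buf++)
        if (!allowed((unsigned char)*buf)) n++;
    return n;
}

/* Run a sanitizer over a copy of 'in' and report whether it produced 'expected'. */
int sanitizes_to(void (*fn)(char *), const char *in, const char *expected) {
    char tmp[256];
    strncpy(tmp, in, sizeof tmp - 1);
    tmp[sizeof tmp - 1] = '\0';
    fn(tmp);
    return strcmp(tmp, expected) == 0;
}

int main(void) {
    /* constructed input: shell metacharacters the blacklist never mentions */
    char a[] = "name; rm -rf /tmp/x | cat", b[] = "name; rm -rf /tmp/x | cat";
    sanitize_blacklist(a);
    sanitize_allowlist(b);
    printf("blacklist: \"%s\"  (%d disallowed left)\n", a, count_disallowed(a));
    printf("allowlist: \"%s\"  (%d disallowed left)\n", b, count_disallowed(b));
    return 0;
}
```

On the constructed input the blacklist changes nothing, because none of ';', '/' or '|' is on its list, while the allowlist neutralises all of them. That asymmetry is why allowlisting is usually preferred: a blacklist must anticipate every dangerous character for every consumer, an allowlist only has to describe the benign ones.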

14. When could an integer overflow impact memory safety?
  • If the integer is passed as an argument to malloc(): the value passed to malloc() can differ from the value later used to iterate over the buffer (e.g., it may have been multiplied by an element size and wrapped around), so the allocation is smaller than the loop assumes
  • If the integer is used to perform pointer arithmetic: in p = p + i, an overflowed i makes p point outside the bounds p was expected to stay within
  • If the integer is used to index into an array: an overflowed index selects an element outside the array
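The malloc() case from the list, worked through as an added example that is not part of the original quiz: an attacker-supplied element count multiplied by an element size wraps around, so the allocation is tiny while the caller still believes it holds 'count' elements. The helper names are assumptions; the check itself (refuse when count > SIZE_MAX / elem) is the standard one and the same product check calloc() performs.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked: count * elem silently wraps modulo SIZE_MAX + 1.
 * Returns the size malloc() would be handed. */
size_t unchecked_size(size_t count, size_t elem) {
    return count * elem;
}

/* Checked: refuse if the product would not fit in size_t. Returns 1 on success. */
int checked_size(size_t count, size_t elem, size_t *out) {
    if (elem != 0 && count > SIZE_MAX / elem) return 0;   /* would overflow */
    *out = count * elem;
    return 1;
}

/* Allocate 'count' 32-bit records from an untrusted count, returning NULL
 * rather than an undersized buffer when the size computation would wrap. */
uint32_t *alloc_records(size_t count) {
    size_t bytes;
    if (!checked_size(count, sizeof(uint32_t), &bytes)) return NULL;
    return malloc(bytes);
}

/* Does a count of 32-bit records survive the check? */
int records_fit(size_t count) {
    size_t bytes;
    return checked_size(count, sizeof(uint32_t), &bytes);
}

/* A count whose byte size wraps: (SIZE_MAX / 4 + 2) * 4 == 4 on both
 * 32- and 64-bit targets, so the unchecked path hands malloc() 4 bytes
 * for what the caller treats as a huge array. */
size_t wrapping_count(void) { return SIZE_MAX / 4 + 2; }

/* The signed variant seen in parsers: 'int len' read from input, then
 * malloc(len + 1). Reject negative values and INT_MAX before the addition,
 * since len + 1 on INT_MAX is signed overflow (undefined behaviour). */
int length_ok(int len) { return len >= 0 && len != INT_MAX; }

int main(void) {
    size_t c = wrapping_count();
    uint32_t *r = alloc_records(c);
    printf("count %zu * 4 unchecked = %zu bytes\n", c, unchecked_size(c, 4));
    printf("checked allocation refused: %s\n", r == NULL ? "yes" : "no");
    printf("len INT_MAX accepted: %d, len 10 accepted: %d\n", length_ok(INT_MAX), length_ok(10));
    free(r);
    return 0;
}
```

Once the allocation is 4 bytes and the loop that fills it trusts 'count', every write past the first record is a heap overflow; the check moves the failure to the allocation, where it is a clean NULL rather than memory corruption.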


  1. Could you give me your email? I need help understanding some code in C. My regards.

  2. And for this post, could you explain the question more? I want to understand the details. I have been watching several videos and tutorials on C, but there are some points that I don't understand yet...

    1. What details are you looking for? I think these example questions are simple C programs. I suggest you look more into pointers and referencing. This will help you a lot.
      If you are looking for specific help, please let me know exactly where you are missing the details. I will point you to where to look for these.
      Thank you for your comments :)

  3. In fact, I am reading a lot of stuff on C, but my focus is to understand this test, and I can't understand all the answers yet. I am learning every day to catch the meaning. I will study harder...
    In question 13, how can I do input sanitization in that code?
    And 9, cmp1 and cmp2: at the beginning they have almost the same code, and after that I don't see cmp1 being repeated.

    1. I have not looked into this project before. Therefore, I will need some time to understand this. Moreover, I couldn't correlate your questions to the project.

      Like in Q13 you said. But there is no Q13 in the project. Could you please elaborate more?

  4. Hi,
    can you please explain the code for program 1 to me briefly?