Software Security - Week 2

1. Consider the following code:

  char *foo(char *buf) {
    char *x = buf+strlen(buf);
    char *y = buf;
    while (y != x) {
      if (*y == 'a')
        break;
      y++;    
    }
    return y;
  }

  void bar() {
    char input[10] = "leonard";
    foo(input);
  }

The definition of spatial safety models pointers as capabilities, which are triples (p,b,e) where p is the pointer, b is the base of the memory region the pointer is allowed to access, and e is the extent of that region. Assuming characters are 1 byte in size, what is a triple (p,b,e) for the variabley when it is returned at the end of the code?

• (&input+4,&input,&input+10)

y starts out as pointing to the input[] buffer, which has space for 10 characters. y is incremented 4 times, until it reaches the 'a' in the string.

2. Which of the following are true about a language that uses garbage collection or some other automatic means (e.g., reference counting) for memory management?

• The language will not have temporal memory safety violations

The garbage collector will ensure that memory is only deallocated when it is not reachable, and this decision is not left up to the programmer

3. Which of the following are true about a type-safe language?

• The language may be used to enforce information flow security, depending on the type system

4. An engineer proposes that in addition to making the stack non-executable, your system should also make the heap non-executable. Doing so would

• Make the program more secure by disallowing another location for an attacker to place executable code

Then attacker data in the heap cannot be executed, enforcing (W xor X) / DEP for the entire program
5. What is the best choice of value for a stack canary, of the following options?

• A random value

The canary should be unpredictable, so the attacker cannot easily guess it if he must overwrite it during an attack
6. A return-to-libc attack does not require that the attacker inject executable code into the vulnerable program. Which of the following is the most important reason that return-to-libc attacks are useful to the attacker?

• There is no need to be able to execute (writable) data

The attacker does not need to inject executable code into an writable buffer, therefore they can exploit systems that enforce (W xor X) / DEP
7. In a return-oriented program (ROP), what is the role of the stack pointer?

• It's like the program counter in a normal program

the stack pointer is used to select the next instruction to execute via a 'ret'
8. When enforcing Control Flow Integrity (CFI), there is no need to check that direct calls adhere to the control flow graph because:

• CFI should be deployed on systems that ensure the code is immutable

If the code cannot be changed then direct calls cannot be re-written to point to an attacker-supplied value
9. classic enforcement of CFI requires adding labels prior to branch targets, and adding code prior to the branch that checks the label to see if it's the one that is expected. Now consider the following program:

int cmp1(char *a, char *b) {
    return strcmp(a,b);
}
int cmp2(char *a, char *b) {
    return strcmp(b,a);
}

typedef int (*cmpp)(char*,char*);

int bar(char *buf) {
    cmpp  p;
    char  tmpbuff[512] = { 0 };
    int   l;

    if(buf[0] == 'a') {
      p = cmp1;
    } else {
      p = cmp2;
    }

    printf("%p\n", p);

    strcpy(tmpbuff, buf);

    for(l = 0; l < sizeof(tmpbuff); l++) {
      if(tmpbuff[l] == 0) {
        break;
      } else {
        if(tmpbuff[l] > 97) {
          tmpbuff[l] -= 32;
        }
      }
    }

    return p(tmpbuff,buf);
}

To ensure that the instrumented program runs correctly when not being attacked, which of the following functions would have to be given the same label? Choose at least two, but no more functions than necessary.

• cmp1
• cmp2 

10. A project manager proposes a C coding standard where pointer variables must be assigned to NULL after being passed to free(). Doing so:

• Stops writes to stale pointer values that might otherwise succeed and result in program compromise

Writing NULL means that a dereference will result in a crash, which is undesirable but nevertheless helps prevent exploitable vulnerabilities
11. A colleague proposes using a heap allocator that randomizes the addresses of allocated objects. This:

• Will make the program more secure, because attackers frequently rely on predicting the locations of heap-allocated objects in exploits

12. A safe string library typically attempts to ensure which of the following?

• That there is sufficient space in a source and/or target string to perform operations like concatenation, copying, etc.

13. In your review of a program, you discover the following function:

  void aFunction(char *buf) {
    static char  BANNED_CHARACTERS[] = {'>', '<', '!', '*'};
    int l = strlen(buf);
    int i;

    for(i = 0; i < l; i++) {
      int j;
      int k = sizeof(BANNED_CHARACTERS) / sizeof(char);
      for(j = 0; j < k; j++) {
        if(buf[i] == BANNED_CHARACTERS[j])
          buf[i] = ' ';
      }
    }
  }

How would you best describe what this function is doing?

• Input sanitization by blacklisting  

14. When could an integer overflow impact memory safety?

• If the integer is passed as an argument to malloc() :
  then the integer value passed to malloc could differ from the integer used to iterate over the buffer (e.g., it could have been multiplied by a data size)
• If the integer was used to perform pointer arithmetic: if we did something like p = p+i where i is an overflowed integer then we could access outside of p's expected bounds
• If the integer was used to index into an array