hws/hw03.tex
author Christian Urban <urbanc@in.tum.de>
Mon, 06 Nov 2017 10:40:23 +0000 (2017-11-06)
changeset 561 17cd7fdee7c8
parent 521 34775227c84f
permissions -rw-r--r--
updated
\documentclass{article}
\usepackage{../style}


\begin{document}

\section*{Homework 3}

\HEADER

\begin{enumerate}

\item How does a buffer-overflow attack work? (Hint: What happens on
  the stack?)

\item Why is it crucial for a buffer-overflow attack that the stack
  grows from higher addresses to lower ones?

\item What does it mean for the stack to be executable, and why is this
  important for a buffer-overflow attack?

\item If the attacker uses a buffer-overflow attack in order to inject
  code, why can this code not contain any zero bytes?

\item How does a stack canary help with preventing a buffer-overflow
  attack?

\item Why does randomising the addresses from where programs are run
  help in defending against buffer-overflow attacks?

\item What is a format string attack?

\item Assume format string attacks allow you to read out the
  stack. What can you do with this information? (Hint: Consider what
  is stored on the stack.)

\item Assume you can crash a program remotely. Why is this a problem?

\item How can the choice of a programming language help with buffer-overflow
  attacks? (Hint: Why are C programs prone to such attacks,
  but not Java programs?)

\item When filling the buffer that is attacked with a payload
  (starting a shell), what is the purpose of padding the string at the
  beginning with NOP-instructions?

\item In the context of buffer-overflow attacks, explain briefly
  what is meant by a \emph{NOP-sledge}.

\item \POSTSCRIPT
\end{enumerate}
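The questions on stack growth, stack canaries and the choice of language can be made concrete with a small simulation. The C program below is an added example; it is not part of the original homework or its model answers. It lays out a struct the way a compiler lays out a frame on a stack that grows towards lower addresses (buffer lowest, canary above it, saved return address above that), runs an unchecked copy and a bounds-checked copy against a constructed oversized input, and shows that the canary check in the epilogue detects the overwrite, while the bounded copy rejects the input before anything outside the buffer is touched. The struct layout, the constant `CANARY_VALUE`, the placeholder `FAKE_RET` and all function names are constructed for illustration; a real compiler picks a random canary per process and emits the check itself.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
/* Constructed canary value. The zero low byte mirrors glibc's practice of
 * zeroing one canary byte: string functions stop at the first zero byte,
 * so a string copy cannot write the whole canary back unchanged. */
#define CANARY_VALUE 0x00FEEDFACECAFE00ULL
#define FAKE_RET     0x401000ULL  /* placeholder, not a real address */

/* Mimics how a compiler lays out a frame on a stack that grows towards
 * lower addresses: the buffer sits lowest, so a copy that runs past its
 * end moves upwards into the canary and only then reaches the saved
 * return address. That ordering is what makes the canary useful. */
struct frame {
    char     buf[BUF_LEN];
    uint64_t canary;
    uint64_t saved_ret;
};

/* Prologue: clear the buffer, plant the canary, record the return slot. */
void frame_init(struct frame *f) {
    memset(f->buf, 0, BUF_LEN);
    f->canary = CANARY_VALUE;
    f->saved_ret = FAKE_RET;
}

/* Epilogue check: 1 if the canary is untouched, 0 if the frame was smashed. */
int canary_intact(const struct frame *f) { return f->canary == CANARY_VALUE; }

/* 1 if the saved return address still holds the value set in the prologue. */
int ret_intact(const struct frame *f) { return f->saved_ret == FAKE_RET; }

/* The defect the homework asks about: the copy trusts the caller's length
 * and writes through the frame's bytes with no regard to BUF_LEN. Going
 * through unsigned char* keeps the write inside the struct object, so the
 * simulation itself is well-defined C. Returns the epilogue's verdict. */
int copy_unchecked(struct frame *f, const char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;   /* cap so the simulation stays in bounds */
    memcpy((unsigned char *)f, src, n);
    return canary_intact(f);
}

/* Hardened variant: rejects input that does not fit, leaving room for the
 * terminator, and never touches memory beyond the buffer. Returns -1 on
 * rejection, otherwise the epilogue's verdict. */
int copy_bounded(struct frame *f, const char *src, size_t n) {
    if (n >= BUF_LEN) return -1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
    return canary_intact(f);
}

/* Runs both copies against a constructed 24-byte input (eight bytes longer
 * than the buffer) and returns how many of them left the canary intact;
 * the expected answer is 1, the bounded copy. */
int demo(void) {
    struct frame f;
    char oversized[BUF_LEN + 8];
    int intact = 0;
    memset(oversized, 'A', sizeof oversized);

    frame_init(&f);
    if (copy_unchecked(&f, oversized, sizeof oversized)) {
        intact++;
    } else {
        printf("unchecked copy: canary clobbered (0x%016llx), epilogue aborts; "
               "return slot %s\n",
               (unsigned long long)f.canary,
               ret_intact(&f) ? "still intact" : "also overwritten");
    }

    frame_init(&f);
    if (copy_bounded(&f, oversized, sizeof oversized) == -1)
        printf("bounded copy: %zu bytes rejected, frame untouched\n",
               sizeof oversized);
    if (canary_intact(&f))
        intact++;
    return intact;
}

int main(void) {
    return demo() == 1 ? 0 : 1;
}
```

Compile with `cc -std=c99 -Wall canary_sim.c && ./a.out`. Note that one excess byte already trips the check, because the canary is the first thing above the buffer; a copy long enough to reach the saved return address has to pass through it. The bounded copy is the language-level answer to the same question: a length that is checked against the buffer size, which is what Java's array bounds checks do for every access.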

\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: