sen-material: hws/hw03.tex@58c3536c5a08 (annotated)

33 e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	1	\documentclass{article}
389 9019f84ef99c updated hws Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 276 diff changeset	2	\usepackage{../style}
9019f84ef99c updated hws Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 276 diff changeset	3
33 e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	4
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	5	\begin{document}
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	6
39 09130eb5a9b6 tuned Christian Urban <urbanc@in.tum.de> parents: 38 diff changeset	7	\section*{Homework 3}
33 e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	8
389 9019f84ef99c updated hws Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 276 diff changeset	9	\HEADER
9019f84ef99c updated hws Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 276 diff changeset	10
33 e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	11	\begin{enumerate}
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	12
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	13	\item How does a buffer-overflow attack work? (Hint: What happens on
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	14	the stack.)
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	15
276 d7109c6e721d updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 257 diff changeset	16	\item Why is it crucial for a buffer overflow attack that the stack
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	17	grows from higher addresses to lower ones?
34 24116ce8c294 tuned Christian Urban <urbanc@in.tum.de> parents: 33 diff changeset	18
466 ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	19	\item What does it mean for the stack to be executable and why is this
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	20	important for a buffer overflow attack?
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	21
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	22	\item If the attacker uses a buffer overflow attack in order to inject
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	23	code, why can this code not contain any zero bytes?
257 9bc912fcedb6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 239 diff changeset	24
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	25	\item How does a stack canary help with preventing a buffer-overflow
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	26	attack?
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	27
466 ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	28	\item Why does randomising the addresses from where programs are run
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	29	help defending against buffer overflow attacks?
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	30
465 76f9457b8f51 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 392 diff changeset	31	\item What is a format string attack?
76f9457b8f51 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 392 diff changeset	32
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	33	\item Assume format string attacks allow you to read out the
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	34	stack. What can you do with this information? (Hint: Consider what
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	35	is stored in the stack.)
34 24116ce8c294 tuned Christian Urban <urbanc@in.tum.de> parents: 33 diff changeset	36
110 fefd78525434 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 97 diff changeset	37	\item Assume you can crash a program remotely. Why is this a problem?
fefd78525434 added Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 97 diff changeset	38
239 0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	39	\item How can the choice of a programming language help with buffer
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	40	overflow attacks? (Hint: Why are C-programs prone to such attacks,
0db764174afb updated home works Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 144 diff changeset	41	but not Java programs.)
392 4dff36e2bbc6 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 389 diff changeset	42
466 ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	43	\item When filling the buffer that is attacked with a payload
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	44	(starting a shell), what is the purpose of padding the string at the
ddf7315450c9 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 465 diff changeset	45	beginning with NOP-instructions.
465 76f9457b8f51 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 392 diff changeset	46
521 34775227c84f updated Christian Urban <urbanc@in.tum.de> parents: 466 diff changeset	47	\item In the context of buffer-overflow attacks, explain briefly
34775227c84f updated Christian Urban <urbanc@in.tum.de> parents: 466 diff changeset	48	what is meant by a \emph{NOP-sledge}.
34775227c84f updated Christian Urban <urbanc@in.tum.de> parents: 466 diff changeset	49
465 76f9457b8f51 updated Christian Urban <christian dot urban at kcl dot ac dot uk> parents: 392 diff changeset	50	\item \POSTSCRIPT
33 e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	51	\end{enumerate}
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	52
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	53	\end{document}
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	54
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	55	%%% Local Variables:
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	56	%%% mode: latex
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	57	%%% TeX-master: t
e9288308dbcf tuned Christian Urban <urbanc@in.tum.de> parents: diff changeset	58	%%% End:

author	cu
	Sun, 15 Oct 2017 21:23:16 +0100
changeset 550	58c3536c5a08
parent 521	34775227c84f
permissions	-rw-r--r--