% Christian Urban <christian dot urban at kcl dot ac dot uk>
\documentclass{article}
\usepackage{../style}

\begin{document}

\section*{Homework 3}

\HEADER

\begin{enumerate}

\item How does a buffer-overflow attack work? (Hint: What happens on
the stack?)

\item Why is it crucial for a buffer overflow attack that the stack
grows from higher addresses to lower ones?

\item What does it mean for the stack to be executable and why is this
important for a buffer overflow attack?

\item If the attacker uses a buffer overflow attack in order to inject
code, why can this code not contain any zero bytes?

\item How does a stack canary help with preventing a buffer-overflow
attack?

\item Why does randomising the addresses from where programs are run
help in defending against buffer overflow attacks?

\item What is a format string attack?

\item Assume format string attacks allow you to read out the
stack. What can you do with this information? (Hint: Consider what
is stored in the stack.)

\item Assume you can crash a program remotely. Why is this a problem?

\item How can the choice of a programming language help with buffer
overflow attacks? (Hint: Why are C-programs prone to such attacks,
but not Java programs?)

\item When filling the buffer that is attacked with a payload
(starting a shell), what is the purpose of padding the string at the
beginning with NOP-instructions?

\item \POSTSCRIPT

\end{enumerate}
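As an added illustration (not part of the original homework sheet), the C pattern behind several of the questions above: an unbounded copy into a fixed-size stack buffer next to a bounded version that rejects overlong input, plus a helper showing why a string copy stops at the first zero byte. The function names, buffer size and sample payload are constructed for this example.

```c
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16   /* fixed-size stack buffer, as in a classic C program */

/* Vulnerable pattern: strcpy() copies until it meets the first zero byte and
 * never looks at the destination size, so a name of BUF_SIZE or more
 * characters writes past buf into what lies above it on the stack (saved
 * frame pointer, return address, or the canary that -fstack-protector puts
 * in front of them). Only call this with short input; overlong input is
 * undefined behaviour. */
int copy_name_unsafe(const char *name) {
    char buf[BUF_SIZE];
    strcpy(buf, name);           /* no bounds check: the bug */
    return (int)strlen(buf);     /* characters that ended up in buf */
}

/* Hardened form: measure the input first and refuse anything that does not
 * fit together with its terminating NUL. Returns the number of characters
 * copied, or -1 when the input was rejected. */
int copy_name_safe(const char *name) {
    char buf[BUF_SIZE];
    size_t n = strlen(name);
    if (n >= BUF_SIZE)           /* n + 1 bytes are needed, NUL included */
        return -1;
    memcpy(buf, name, n + 1);    /* copies exactly n + 1 bytes, never more */
    return (int)n;
}

/* Why injected code must be free of zero bytes: strcpy()-style functions treat
 * the first 0x00 as the end of the string and silently drop everything after
 * it. This reports how many bytes of a payload such a copy would transfer. */
size_t bytes_strcpy_would_copy(const unsigned char *payload, size_t len) {
    size_t i = 0;
    while (i < len && payload[i] != 0)
        i++;
    return i;
}

/* Constructed sample: three NOP bytes (0x90), then a zero byte, then two
 * bytes that a strcpy()-style copy never reaches. */
size_t sample_payload_copied(void) {
    static const unsigned char p[] = {0x90, 0x90, 0x90, 0x00, 0x41, 0x42};
    return bytes_strcpy_would_copy(p, sizeof p);
}
```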

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: