1) (20 pts) Please explain the common vulnerabilities/problems associated with each of the following and discuss how to identify vulnerable code through the use of code auditing.
a) Metacharacters
b) Network Protocols with Length Identifiers in Headers
c) File Permission Check TOCTOU (Race) conditions
d) Symbolic Links
e) Insecure default
2) (20 pts) Please provide definitions for each of the following terms and discuss how they are related to software vulnerability analysis
a) Security Policy
A:
b) Authentication
c) Static Analyzers
d) Fuzzing
e) SETUID Program
3) (30 pts)
a) Please describe code auditing and black box testing. What are the pros and cons of each of them? How do you choose which one to use?
b) Summarize the concepts and process of application review.
c) Describe the process of threat modeling.
d) Summarize the concepts and process of auditing function use.
e) Give one example of operational vulnerability and discuss how to prevent it.
4) (15 pts) Define and give examples of each of the following
a) Design Vulnerabilities
b) Implementation Vulnerabilities
c) Operational Vulnerabilities
5) (15 pts) Answer ONE of the following
a) With respect to code auditing, describe the process you would use to look for file access vulnerabilities. Specifically include opening files, library functions for checking file status, and evaluating path names.
-OR-
b) Explain fuzzing, discuss the different types of fuzzing, and how fuzzing can be used as an aid to software vulnerability analysis.
6) (30 pts) Each of the following pieces of code (C, C++ and PHP) has an error in it. Please identify and explain the vulnerability and discuss how to fix it.
a)
function readFile($filename){
    $user = getCurrentUser();

    // resolve file if it's a symbolic link
    if(is_link($filename)){
        $filename = readlink($filename);
    }

    if(fileowner($filename) == $user){
        echo file_get_contents($realFile);
        return;
    } else {
        echo 'Access denied';
        return false;
    }
}
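Questions 1(c), 1(d), 5(a) and 6(a) all turn on the same auditing point: a permission or ownership check made on a path name says nothing about the object that is later opened through that path, because the path can be re-pointed (for example with a symbolic link) between the check and the use. The following is an added example, not code from the exam, showing the pattern an auditor wants to see instead: open first, then check the descriptor with fstat(), and refuse to follow a link with O_NOFOLLOW. The helper names (open_owned_file, demo_self_test) and the temporary files it creates under /tmp are assumptions made for this example.

```c
/* Added example (not part of the exam). Open a file only if the caller
 * owns it, without a check-then-use window. All checks are made on the
 * descriptor returned by open(), never on the path name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns a read-only descriptor, or -1 with errno set.
 * O_NOFOLLOW makes open() fail with ELOOP when the final path component is
 * a symbolic link, so a link planted by another user is never followed. */
int open_owned_file(const char *path, uid_t owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd == -1)
        return -1;

    struct stat st;
    /* fstat() describes the object actually opened, not whatever the path
     * names now, so there is no race between this check and later reads. */
    if (fstat(fd, &st) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Self-test on constructed files: a regular file owned by the caller must
 * open; a symlink to it must be refused (ELOOP); a different owner must be
 * refused (EACCES). Returns 0 on success, otherwise the failed step. */
int demo_self_test(void)
{
    char tmpl[] = "/tmp/owned_XXXXXX";          /* assumed writable location */
    int fd = mkstemp(tmpl);
    if (fd == -1) return 1;
    if (write(fd, "secret\n", 7) != 7) { close(fd); unlink(tmpl); return 2; }
    close(fd);

    char linkpath[sizeof tmpl + 5];
    snprintf(linkpath, sizeof linkpath, "%s.lnk", tmpl);
    if (symlink(tmpl, linkpath) == -1) { unlink(tmpl); return 3; }

    int rc = 0;
    uid_t me = getuid();

    /* Step 4: the real file opens and reads back what was written. */
    int good = open_owned_file(tmpl, me);
    char buf[16] = {0};
    if (good == -1 || read(good, buf, sizeof buf - 1) != 7 ||
        strcmp(buf, "secret\n") != 0)
        rc = 4;
    if (good != -1) close(good);

    /* Step 5: the symlink is refused even though its target is ours. */
    if (rc == 0 && (open_owned_file(linkpath, me) != -1 || errno != ELOOP))
        rc = 5;

    /* Step 6: a different owner is refused even for the real file. */
    if (rc == 0 && (open_owned_file(tmpl, me + 1) != -1 || errno != EACCES))
        rc = 6;

    unlink(linkpath);
    unlink(tmpl);
    return rc;
}

int main(void)
{
    int rc = demo_self_test();
    printf("self-test %s (%d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

When auditing, the things to look for are the mirror image of this code: stat()/lstat()/access() or their PHP equivalents (is_link, fileowner, file_exists) applied to a path that is then passed to open()/fopen()/file_get_contents; readlink() used as if it returned a canonical path (it resolves one level only and may return a relative path); and any open() of a user-controlled path in a privileged process without O_NOFOLLOW or an equivalent directory-descriptor walk.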
b)
/* Initial UIDs: real = 1000 effective = 0 saved = 0 */
/* 1. Usual call to temporarily drop privileges */

orig_euid = geteuid();
if (seteuid(geteuid()) == -1)
    errExit("seteuid error");

/* UIDs change to: real = 1000 effective = 1000 saved = 0 */
/* Now permanently drop privileges */

if (setuid(getuid()) == -1)
    errExit("setuid error");
...
/* process rest of code */
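The point of 6(b) is that setuid() only changes all three user IDs when the caller's effective UID is 0; once the effective UID has been temporarily dropped, a later setuid(getuid()) touches the effective UID alone and the saved set-user-ID stays 0, so the process can still seteuid(0) back. The following is an added example, not code from the exam, that models the rules from setuid(2), seteuid(2) and setresuid(2) for a process with no extra capabilities (here "privileged" simply means effective UID 0) and runs the exam's sequence beside a correct one. The struct and function names (struct uids, sim_seteuid, sim_setuid, sim_setresuid, exam_sequence, fixed_sequence, can_regain_root) are assumptions for this example.

```c
/* Added example (not part of the exam): a model of the Linux UID rules,
 * used to compare the exam's drop sequence with a correct one. */
#include <stdbool.h>
#include <stdio.h>

struct uids { unsigned real, effective, saved; };

static bool is_one_of(const struct uids *u, unsigned id)
{
    return id == u->real || id == u->effective || id == u->saved;
}

/* seteuid(2): root may set any effective UID; others may only pick one of
 * their real, effective or saved IDs. Only the effective UID changes. */
int sim_seteuid(struct uids *u, unsigned euid)
{
    if (u->effective != 0 && !is_one_of(u, euid))
        return -1;                      /* EPERM */
    u->effective = euid;
    return 0;
}

/* setuid(2): when the effective UID is 0 all three IDs are set, which is
 * the only way this call drops privileges permanently. Otherwise it acts
 * like seteuid() and the saved set-user-ID is left alone. */
int sim_setuid(struct uids *u, unsigned uid)
{
    if (u->effective == 0) {
        u->real = u->effective = u->saved = uid;
        return 0;
    }
    if (uid != u->real && uid != u->saved)
        return -1;                      /* EPERM */
    u->effective = uid;
    return 0;
}

/* setresuid(2): an unprivileged caller may set each ID to any of its three
 * current IDs; root may set anything. All three change together. */
int sim_setresuid(struct uids *u, unsigned r, unsigned e, unsigned s)
{
    if (u->effective != 0 &&
        (!is_one_of(u, r) || !is_one_of(u, e) || !is_one_of(u, s)))
        return -1;                      /* EPERM */
    u->real = r; u->effective = e; u->saved = s;
    return 0;
}

/* The check to run after a permanent drop: can UID 0 be regained at all? */
bool can_regain_root(struct uids u)
{
    return sim_seteuid(&u, 0) == 0 || sim_setuid(&u, 0) == 0;
}

/* The exam's sequence: temporary drop, then setuid(getuid()) while the
 * effective UID is already 1000. */
struct uids exam_sequence(void)
{
    struct uids u = { 1000, 0, 0 };
    sim_seteuid(&u, u.real);    /* real=1000 effective=1000 saved=0 */
    sim_setuid(&u, u.real);     /* effective is nonzero: saved stays 0 */
    return u;
}

/* A correct permanent drop: return to effective UID 0 first (allowed, the
 * saved ID is 0), then setuid() so all three IDs become 1000. A single
 * setresuid(1000, 1000, 1000) would do the same where it is available. */
struct uids fixed_sequence(void)
{
    struct uids u = { 1000, 0, 0 };
    sim_seteuid(&u, u.real);    /* temporary drop, as in the exam */
    sim_seteuid(&u, 0);         /* back to effective 0 */
    sim_setuid(&u, u.real);     /* real=effective=saved=1000 */
    return u;
}

int main(void)
{
    struct uids a = exam_sequence(), b = fixed_sequence();
    printf("exam : real=%u effective=%u saved=%u  regain root? %s\n",
           a.real, a.effective, a.saved, can_regain_root(a) ? "yes" : "no");
    printf("fixed: real=%u effective=%u saved=%u  regain root? %s\n",
           b.real, b.effective, b.saved, can_regain_root(b) ? "yes" : "no");
    return 0;
}
```

On a real system the equivalent check after the final setuid(getuid()) is to call setuid(0) (or seteuid(0)) and require it to fail with EPERM whenever the real UID is not 0; a privilege drop that cannot be verified that way should be treated as not having happened.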
c)
unsigned int readdata () {
    int amount = 0;
    ...
    if (result == ERROR)
        amount = -1;
    ...
    return amount;
}
d)
int processMessageFromNetwork(int socket) {
    int successFlag;

    char buffer[BUFFER_SIZE];
    char message[MESSAGE_SIZE];

    // get message from network socket and store into buffer
    // For this exam assume message fits in buffer
    if (getMessage(socket, buffer, BUFFER_SIZE) > 0) {

        // put contents of buffer into message structure
        ExMessage *msg = recastBuffer(buffer);

        // copy message body into message string for processing
        int index;
        for (index = 0; index < msg->msgLength; index++) {
            message[index] = msg->msgBody[index];
        }
        message[index] = '\0';
        // process received message
        success = processMessage(message);
    }
    return success;
}
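Questions 1(b) and 6(d) are about the same defect: a length field taken from a network header is trusted to drive a copy loop, so a peer that sends a large msgLength writes past message[] (and the terminating '\0' after the loop lands one byte beyond the body even for a length that exactly fills the buffer). The following is an added example, not code from the exam, of the checks an auditor looks for before such a copy. The wire format (a 2-byte big-endian body length followed by the body), the constructed sample frames and the names parse_message and enum parse_result are assumptions for this example; the exam's ExMessage layout is not given.

```c
/* Added example (not part of the exam): copying a length-prefixed message
 * body only after the length has been checked against both the bytes that
 * actually arrived and the destination buffer. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MESSAGE_SIZE 64
#define HEADER_LEN   2

/* Distinct results so a caller (or a test) can see why a frame was dropped. */
enum parse_result {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER,   /* fewer than HEADER_LEN bytes received */
    PARSE_TRUNCATED,      /* length field claims more than was received */
    PARSE_TOO_LONG        /* body would not fit in out[] with its NUL */
};

/* buf/received: the bytes getMessage() actually delivered.
 * out/outsz: the destination, NUL-terminated on success. */
enum parse_result parse_message(const uint8_t *buf, size_t received,
                                char *out, size_t outsz)
{
    if (received < HEADER_LEN)
        return PARSE_SHORT_HEADER;

    /* Read the length as an unsigned size_t, never as int, so a value with
     * the top bit set cannot become negative and slip past "< length". */
    size_t len = ((size_t)buf[0] << 8) | buf[1];

    /* Check 1: the header must not promise more than the network delivered,
     * otherwise the copy reads uninitialised or stale bytes after the body. */
    if (len > received - HEADER_LEN)
        return PARSE_TRUNCATED;

    /* Check 2: leave room for the terminator. The exam's loop writes
     * message[index] = '\0' one past the body, so len must be < outsz. */
    if (len >= outsz)
        return PARSE_TOO_LONG;

    memcpy(out, buf + HEADER_LEN, len);
    out[len] = '\0';
    return PARSE_OK;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t frame_ok[]        = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t frame_truncated[] = { 0x00, 0x20, 'h', 'i' };  /* claims 32, carries 2 */

int main(void)
{
    char message[MESSAGE_SIZE];
    enum parse_result r;

    r = parse_message(frame_ok, sizeof frame_ok, message, sizeof message);
    printf("ok frame:        result=%d body=\"%s\"\n", r, r == PARSE_OK ? message : "");

    r = parse_message(frame_truncated, sizeof frame_truncated, message, sizeof message);
    printf("truncated frame: result=%d (PARSE_TRUNCATED=%d)\n", r, PARSE_TRUNCATED);

    /* A 5-byte body into a 5-byte buffer: the NUL would be out of bounds. */
    r = parse_message(frame_ok, sizeof frame_ok, message, 5);
    printf("tight buffer:    result=%d (PARSE_TOO_LONG=%d)\n", r, PARSE_TOO_LONG);
    return 0;
}
```

Both checks are needed: the first bounds the read side (the header must be consistent with the data received), the second bounds the write side (the copy plus terminator must fit the destination). A fix that only compares msgLength against MESSAGE_SIZE still lets a short frame with a large length field read beyond the received data, and a fix that only compares against the received count still overflows message[].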
e)
class A{
    void foo(bool);
};

void A::foo(bool heap) {
    int localArray[2] = { 11,22 };
    int *p = localArray;

    if (heap){
        p = new int[2];
    }
    delete[] p;
}
7) (20 points) Multiple choice (Circle the correct answer).
a) Which technique cannot be used to guard against buffer overflow attacks?
i) Address space layout randomization
ii) Signed software
iii) Stack canaries
iv) Non-executable stack memory
A:
b) Operational vulnerabilities can result from failure to use the security mechanisms provided by the platform.
i) True
ii) False
A:
c) Pathological code paths describe functions with many small and nonterminating branches.
i) True
ii) False
A:
d) Uninitialized local variables are stored in:
i) bss segment
ii) data segment
iii) text segment
iv) stack segment
v) heap segment
A:
e) Overflowing which region in a function's stack frame may transfer the control to somewhere else.
i) function arguments region
ii) return address region
iii) Previous frame pointer region
iv) local variables region
A:
f) Which type conversion is value preserving conversion?
i) convert between signed and unsigned types of the same width
ii) convert from a narrower unsigned type to a wider unsigned type
iii) convert from a narrower signed type to a wider unsigned type
iv) convert from a wider type to a narrower type
A:
g) Which of the following sets of operators is always evaluated in the order it appears in an expression?
i) &, |, <, >
ii) &&, ||, <<, >>
iii) &&, ||
iv) All of the above. Modern compilers understand operators so this is not a problem.
A:
h) Consider the following macro and code. What is the output of the code?
#define y 3
#define MAC2(x) (x*y+x-y)
…
printf("%d\n",MAC2(3+4));
i) 25
ii) 19
iii) Compiler error
iv) Undefined, compiler may choose to evaluate 3+4 first OR not, order of operations is not guaranteed.
A: 19
i) When auditing functions, the auditing log usually contains
i) Function description
ii) Cross references
iii) Return value
iv) All of the above
A: All of the Above
j) Which of the following functions behaves differently under different versions of Unix?
i) initgroups()
ii) mktemp()
iii) open()
iv) setuid()
v) all of the above
A:
8) (20 pts)
CS 504 Only.
Describe a homework assignment that would have been good for this course. Write up the instructions for the assignment, you do not have to include any source code, but you should explain what it will contain.
A: