COMSM0049

Exercises sheet 5

Defenses:

1. Explain how does a canary 0xff0d000a works as stack canary to protect against overflowing return address where the buffer overflow happens via strcpy()?

2. Read the article and answer the following questios:

   1. how does W xor X protects against typical shell injection attack as a part of payload (e.g. in the case of a stack buffer overflow vulnerability)?
   2. What are the shortcomings of W xor X (DEP) w.r.t. to ite inability to prevent attacks?
   3. How can mprotect function be used to perform an attack in the presence of a small unrandomized code region with a shellcode to execute? [see the section “Unrandomized Code”]
3. Why does C++ code imposes more challenges for a fine-grained CFI?
4. From your Lab 2, you exploited a stack buffer overflow bug in a C program. Which of the CFI– forward or backward edge– could have been used to prevent that and why?
5. Why do virtual calls lead to more overhead for CFI solution?

Fuzzing:

1. For an unknown input file format, which of the fuzzing types is more appropriate– mutational or generational (grammar) and why?
2. What are shortcomings of blackbox fuzzing [hint: what is the proxy metric for a good fuzzer?]
3. If you were asked to use Pintool to measure code-coverage for a fuzzer, how you will go about it? (you don’t have to provide any pintool code).
4. Read the article “Fuzzing: Hack, Art, and Science” pdf link and answer the following questions:
   1. Why fuzzing is more challenging for netwroked/server type applications?
   2. On page 74, 3rd column, it is written “Note that full program statement coverage is a “necessary but not sufficient” condition to find all the bugs in a program.”. Can you elaborate this statement why it is necessary but not sufficient?
   3. In general, which fuzzing type is suitable for fuzzing XML and C code parsers/compiler?