SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 6 (Software Security II)
6.1 Format String Attack
(a) Download the attached executable file format-string. Upon execution, it will ask you for a password. All you know from the source code (which is not given here) is that a pointer to the correct password resides somewhere on the stack. Can you find out the password?
Reminder: The conversion %N$s takes the Nth variadic argument, treats it as a pointer and prints the string stored at that address.
(b) Which statements about format string attacks are true?
□ Format string attacks allow reading all values stored in registers.
□ ASLR does not mitigate the vulnerability from (a).
□ Format strings should not depend on user input.
□ Data on the stack can not be altered by a format string attack.
□ Format string attacks allow unauthorized reads from the stack.
□ Using format strings should be avoided at all cost.
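The defect behind (a) is a printf call whose format string is taken from the user. The C program below is an added illustration, not code from the exercise sheet or from the format-string binary: it places the vulnerable call beside the fixed one and adds a small check that flags untrusted input carrying conversion specifiers. The names log_vuln, log_fixed, render_fixed and has_conversion are the example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added illustration for 6.1; not code from the exercise sheet. The names
 * log_vuln, log_fixed, render_fixed and has_conversion are the example's own. */

/* The pragma only keeps this side-by-side comparison free of warnings. In a
 * real build leave the warning on (gcc/clang: -Wformat -Wformat-security,
 * ideally -Werror=format-security) so a call like log_vuln cannot ship. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
/* VULNERABLE: untrusted text is used as the format string itself. Every
 * %-conversion in msg is interpreted, so printf walks the variadic argument
 * area (registers, then the stack) for arguments that were never passed;
 * %s dereferences whatever it finds there and %n even writes through it.
 * Never called below; it exists only to stand beside the fix. */
void log_vuln(const char *msg) {
    printf(msg);
}
#pragma GCC diagnostic pop

/* FIXED: a constant format; user data is only ever an argument. */
void log_fixed(const char *msg) {
    printf("%s\n", msg);
}

/* The same fix at a buffer boundary. Returns the number of bytes placed in
 * out (excluding the terminator); output is truncated to cap - 1 bytes. */
size_t render_fixed(char *out, size_t cap, const char *msg) {
    if (cap == 0) return 0;
    int n = snprintf(out, cap, "%s", msg);
    if (n < 0) { out[0] = '\0'; return 0; }
    return (size_t)n < cap ? (size_t)n : cap - 1;
}

/* Detection aid for input validation or log review: does an untrusted
 * string carry a conversion specifier? "%%" is a literal percent sign. */
bool has_conversion(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        return true;
    }
    return false;
}

int main(void) {
    const char *input = "%7$s %x";   /* constructed attacker-style input */
    char line[64];
    render_fixed(line, sizeof line, input);
    printf("rendered verbatim: %s (has conversion: %s)\n",
           line, has_conversion(input) ? "yes" : "no");
    log_fixed(input);                /* prints the text, interprets nothing */
    return 0;
}
```

With the fixed functions the string "%7$s %x" is copied byte for byte; the only place it could have been interpreted is the vulnerable log_vuln, which the compiler already flags when -Wformat-security is enabled.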
6.2 Non-Executable Stack
(a) Describe briefly why it might be a desirable property for a stack to be non-executable. Name an attack scenario which only works for executable stacks.
(b) Explain why code-reuse attacks still work even with non-executable stacks.
(c) Name a countermeasure against code-reuse attacks and briefly explain it.
6.3 Heap-based attacks
(a) Which steps need to be taken in order to abuse a double-free vulnerability? Construct an example by bringing these blocks of code in the correct order such that the program outputs "World!World!". Explain what happens in each step.
Code blocks (given in scrambled order):
    free(a)
    printf("%s", b)
    printf("%s", c)
    char *a = malloc(8)
    char *c = malloc(8)
    char *b = malloc(8)
    strcpy(b, "Hello␣")
(b) Which two problems arise from use-after-free situations?
(c) Based on the code from (a), come up with two sequences of instructions: one which causes the first problem you discovered in (b) and one which causes the second problem.
(d) Which use-after-free countermeasures can you think of?
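As an added illustration for (d), not part of the exercise sheet: the C program below shows two cheap countermeasures that can be applied in the code itself, clearing every pointer at the moment its object is freed and scrubbing the freed bytes first. The session_t type, the SAFE_FREE macro and the session_* functions are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration for 6.3 (d); not code from the exercise sheet. The
 * session_t type, SAFE_FREE and the session_* functions are the example's
 * own. */

/* Free p and null it in one step, so a later use hits NULL (an immediate,
 * reproducible crash) instead of silently reading recycled heap memory. */
#define SAFE_FREE(p) do { free(p); (p) = NULL; } while (0)

typedef struct {
    char *name;   /* heap-allocated, owned by the session */
    int   admin;  /* privilege flag a stale read could misreport */
} session_t;

session_t *session_new(const char *name, int admin) {
    session_t *s = malloc(sizeof *s);
    if (s == NULL) return NULL;
    size_t len = strlen(name) + 1;
    s->name = malloc(len);
    if (s->name == NULL) { free(s); return NULL; }
    memcpy(s->name, name, len);
    s->admin = admin;
    return s;
}

/* Takes the caller's pointer by address so the caller's copy is nulled too.
 * Fields are scrubbed before free(): if some other dangling pointer still
 * reaches this memory, it sees zeros, not a stale admin flag or name.
 * A second call on the same variable is a no-op, not a double free. */
void session_destroy(session_t **sp) {
    if (sp == NULL || *sp == NULL) return;
    session_t *s = *sp;
    memset(s->name, 0, strlen(s->name));
    SAFE_FREE(s->name);
    memset(s, 0, sizeof *s);
    SAFE_FREE(*sp);
}

/* Accessors refuse NULL instead of trusting the caller's pointer. */
int session_is_admin(const session_t *s) {
    return s != NULL && s->admin != 0;
}

const char *session_name(const session_t *s) {
    return s != NULL ? s->name : "(destroyed)";
}

int main(void) {
    session_t *s = session_new("alice", 1);
    printf("%s admin=%d\n", session_name(s), session_is_admin(s));
    session_destroy(&s);
    /* s is NULL now: this late use is caught instead of reading freed memory */
    printf("%s admin=%d\n", session_name(s), session_is_admin(s));
    return 0;
}
```

Nulling only helps for the pointer that was passed in; copies held elsewhere stay dangling, which is why the scrub before free() is paired with it. During testing, compiling with AddressSanitizer (gcc/clang -fsanitize=address) reports both use-after-free and double-free at the offending instruction, and modern glibc aborts on the double frees it can detect.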