
Popa and 2021
Memory Safety
CS 161 Computer Security
Discussion 2
Question 1 Software Vulnerabilities ()
For the following code, assume an attacker can control the value of basket, n, and owner_name passed into search_basket.
The code includes several security vulnerabilities. Circle three such vulnerabilities in the code and briefly explain each of the three on the next page.
struct cat {
    char name[64];
    char owner[64];
    int age;
};

/* Searches through a BASKET of cats of length N (N should be less than 32) and
 * adopts all cats with age less than 12 (kittens). Adopted kittens have their
 * owner name overwritten with OWNER_NAME. Returns the number of kittens
 * adopted. */
size_t search_basket(struct cat *basket, int n, char *owner_name) {
    struct cat kittens[32];
    size_t num_kittens = 0;
    if (n > 32) return -1;
    for (size_t i = 0; i <= n; i++) {
        if (basket[i].age < 12) {
            /* Reassign the owner name. */
            strcpy(basket[i].owner, owner_name);
            /* Copy the kitten from the basket. */
            kittens[num_kittens] = basket[i];
            num_kittens++;
            /* Print helpful message. */
            printf("Adopting kitten: ");
            printf(basket[i].name);
            printf("\n");
        }
    }
    /* Adopt kittens. */
    adopt_kittens(kittens, num_kittens); // Implementation not shown.
    return num_kittens;
}

1. Explanation:
2. Explanation:
3. Explanation:
Describe how an attacker could exploit these vulnerabilities to obtain a shell:

Discussion 2, CS 161 – Fall 2021

Question 2 Hacked EvanBot (16 min)
Hacked EvanBot is running code to violate students’ privacy, and it’s up to you to disable it before it’s too late!

 1 #include <stdio.h>
 2
 3 void spy_on_students(void) {
 4     char buffer[16];
 5     fread(buffer, 1, 24, stdin);
 6 }
 7
 8 int main() {
 9     spy_on_students();
10     return 0;
11 }
The shutdown code for Hacked EvanBot is located at address 0xdeadbeef, but there’s just one problem—Bot has learned a new memory safety defense. Before returning from a function, it will check that its saved return address (rip) is not 0xdeadbeef, and throw an error if the rip is 0xdeadbeef.
Clarification during exam: Assume little-endian x86 for all questions.
Assume all x86 instructions are 8 bytes long. Assume all compiler optimizations and buffer
overflow defenses are disabled.
The address of buffer is 0xbffff110.
Q2.1 (3 points) In the next 3 subparts, you’ll supply a malicious input to the fread call at line 5 that causes the program to execute instructions at 0xdeadbeef, without overwriting the rip with the value 0xdeadbeef.
The first part of your input should be a single assembly instruction. What is the instruction? x86 pseudocode or a brief description of what the instruction should do (5 words max) is fine.
Q2.2 (3 points) The second part of your input should be some garbage bytes. How many garbage bytes do you need to write?
(G) 0 (H) 4 (I) 8 (J) 12 (K) 16 (L)
Q2.3 (3 points) What are the last 4 bytes of your input? Write your answer in Project 1 Python
syntax, e.g. \x12\x34\x56\x78.
Q2.4 (3 points) When does your exploit start executing instructions at 0xdeadbeef?
(G) Immediately when the program starts
(H) When the main function returns
(I) When the spy_on_students function returns
(J) When the fread function returns
(K)
(L)
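
For comparison with Question 1, a hardened variant of search_basket follows. It is an added example, not part of the original worksheet. The names search_basket_safe and MAX_CATS, the int return type, the adopt_kittens stub and the sample basket in main are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CATS 32

struct cat { char name[64]; char owner[64]; int age; };

/* Stand-in (assumption): the worksheet does not show adopt_kittens(). */
static void adopt_kittens(struct cat *kittens, size_t num_kittens) {
    (void)kittens; (void)num_kittens;
}

/* Returns the number of kittens adopted, or -1 if the input is rejected. */
int search_basket_safe(struct cat *basket, int n, const char *owner_name) {
    struct cat kittens[MAX_CATS];
    size_t num_kittens = 0;

    /* Reject NULL pointers, negative n, and n larger than kittens[]. */
    if (basket == NULL || owner_name == NULL || n < 0 || n > MAX_CATS)
        return -1;
    /* The name plus its terminator must fit in owner[64]. */
    const char *end = memchr(owner_name, '\0', sizeof basket->owner);
    if (end == NULL)
        return -1;
    size_t owner_len = (size_t)(end - owner_name) + 1;

    /* Strict '<': read exactly n cats, so at most MAX_CATS are stored. */
    for (size_t i = 0; i < (size_t)n; i++) {
        if (basket[i].age < 12) {
            memcpy(basket[i].owner, owner_name, owner_len); /* bounded copy */
            /* A caller-supplied name may lack a terminator; force one. */
            basket[i].name[sizeof basket[i].name - 1] = '\0';
            kittens[num_kittens++] = basket[i];
            /* Print the name as data, never as the format string. */
            printf("Adopting kitten: %s\n", basket[i].name);
        }
    }
    adopt_kittens(kittens, num_kittens);
    return (int)num_kittens;
}

int main(void) {
    struct cat basket[2] = { { "Tom", "", 3 }, { "%s%s", "", 5 } }; /* constructed */
    printf("adopted: %d\n", search_basket_safe(basket, 2, "Alice"));
    return 0;
}
```

The error return is a signed int here because -1 cannot be represented in the original's size_t return type.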