Popa and 2021
CS 161 Computer Security
Discussion 3
Memory Safety Mitigations
Question 1 C Memory Defenses
Mark the following statements as True or False and justify your solution. Please feel free to discuss with students around you.
1. Stack canaries completely prevent a buffer overflow from overwriting the return instruction pointer.
2. A format-string vulnerability can allow an attacker to overwrite values below the stack pointer.
3. An attacker exploits a buffer overflow to redirect program execution to their input. This attack no longer works if the data execution prevention/executable space protection/NX bit is set.
4. If you have a non-executable stack and heap, buffer overflows are no longer exploitable.
5. If you use a memory-safe language, some buffer overflow attacks are still possible.
6. ASLR, stack canaries, and NX bits all combined are insufficient to prevent exploitation of all buffer overflow attacks.
Short answer!
1. What vulnerability would arise if the canary was above the return address?
2. What vulnerability would arise if the stack canary was between the return address and the saved frame pointer?
3. Assume ASLR is enabled. What vulnerability would arise if the instruction jmp *esp exists in memory?
Discussion 3 Page 2 of 3 CS 161 – Fall 2021

Question 2 Pointer Authentication Codes (PACs)
Suppose we are on a 64-bit system, and we have an address space of 2^50 bytes.
For each of the following questions, provide a short answer and justify your response. Please feel free to discuss with students around you.
1. How many unused bits are available for pointer authentication in each address?
Regardless of your answer to the previous part, for the remainder of the questions, assume that 10 bits are used for pointer authentication in each address and the attacker does not have the ability to create their own pointer authentication codes (PACs).
2. Assume that 64-bit stack canaries are enabled and that the first two bytes of the stack canary are always null. How many bits does the attacker have to guess correctly to guess the stack canary and the PAC?
Now assume that the attacker has a format string vulnerability that lets them read any part of memory while the program is running.
3. How many bits does the attacker have to guess correctly to guess the stack canary and the PAC?
4. Suppose the attacker is interacting with a remote system. Provide at least one defense that would make brute-force attacks infeasible for the attacker.