cs 6262 extra credit 2

What is a cyber attack in the context of software security?

It is the exploitation of a vulnerability in a system or program, often using flaws in software design or implementation to gain unauthorized access or cause damage.

What is binary exploitation?

It is the process of finding and exploiting vulnerabilities in compiled binaries, often by reverse-engineering them into assembly using disassemblers.

What are the main memory regions in a running program?

Code/text segment, global data segment, heap (grows upward for dynamic memory), and stack (grows downward for function calls.

What does the EIP register do?

It stores the address of the next instruction to be executed; changing it alters the control flow of the program.

What is the difference between a “call” and a “jmp” instruction?

“call” pushes a return address onto the stack and jumps to a function; “jmp” transfers control directly without saving a return address.

What do ESP and EBP represent in the stack frame?

ESP (Stack Pointer) points to the top of the stack; EBP (Base Pointer) marks the start of the current function’s stack frame.

What happens during a “push” and “pop” instruction?

“push” places data onto the stack and decreases ESP; “pop” removes data from the stack and increases ESP.

What causes a stack overflow?

When more data is pushed onto the stack than allocated space allows, overwriting adjacent memory regions and potentially altering control flow.

How does a function call create a new stack frame?

By pushing arguments, the return address, and the caller’s frame pointer, then setting a new EBP and reserving space for local variables.

What is the purpose of the function prologue in assembly?

It saves the previous frame pointer, sets a new one, and allocates stack space for local variables.

What does the “leave” instruction do?

It reverses the function prologue: sets ESP = EBP and pops the old frame pointer to restore the caller’s context.

How does a buffer overflow exploit work?

By writing data beyond the buffer’s bounds, overwriting control data (e.g., saved return addresses) and redirecting execution.

What is a NOP sled and why is it used in exploitation?

A series of “no-operation” instructions before shellcode; it increases the chance that a guessed return address lands safely before payload execution.

What role does Address Space Layout Randomization (ASLR) play in preventing stack-based attacks?

It randomizes memory layout (stack, heap, libraries) to make it harder for attackers to predict addresses for injected code.

What is shellcode?

Machine-level code injected and executed as part of an exploit, often used to spawn a shell or perform malicious actions.

What is the goal of a return-to-libc attack?

To bypass Data Execution Prevention (DEP) by reusing existing library functions (like libc) instead of injecting new executable code.

What must an attacker overwrite for a return-to-libc attack to work?

The function’s return address on the stack, replacing it with the address of a libc function (e.g., execv).

Why does return-to-libc require setting up arguments on the stack?

Because the called libc function expects arguments at specific positions; the attacker must place them correctly for execution to succeed.

What does the execv() function do in a return-to-libc exploit?

It replaces the current process with a new program (e.g., /bin/sh) using arguments provided by the attacker.

What is software “debloating”?

The process of removing unnecessary code or libraries to reduce the attack surface and potential vulnerabilities.

What is Return-Oriented Programming (ROP)?

An exploit technique that chains small snippets of existing instructions (“gadgets”) ending in “ret” to perform arbitrary computation.

What is a ROP gadget?

A short sequence of legitimate instructions ending with “ret,” found within existing code, reused to build malicious payloads.

How does a ROP chain work?

By arranging addresses of gadgets on the stack so that each “ret” instruction pops the next gadget’s address and transfers control to it.

What is the purpose of ASLR?

To randomize memory locations of executable regions so attackers cannot reliably guess addresses of code or data.

What limitation of ASLR can attackers exploit?

If function offsets within a library remain constant, knowing one function’s address can reveal all others in the same library.

What are stack canaries?

Random values placed on the stack before control data (like return addresses) to detect buffer overflows by checking if they’ve been overwritten.

What happens when a stack canary is modified?

The program detects tampering and terminates immediately (e.g., via _stackchk_fail).

What is a buffer over-read (as in Heartbleed)?

A vulnerability where a program reads more memory than intended, potentially leaking sensitive data.

How did the Heartbleed exploit work?

Attackers sent small payloads with large claimed lengths, causing the server to return extra memory (up to 64KB) including sensitive information.

What is the purpose of tools like pwntools, ELF, and ROP modules?

They automate crafting of exploits, inspection of ELF binaries, and construction of ROP chains for exploitation.

Why does removing unnecessary code improve security?

Fewer code paths mean fewer potential vulnerabilities, reducing the attack surface.

What is program analysis in software security?

The examination of program code or binaries to understand behavior, detect vulnerabilities, and ensure security.

Why is program analysis important for security?

It helps identify and fix vulnerabilities before attackers exploit them, improving overall software resilience.

What are the two main types of program analysis?

Static analysis (without executing code) and dynamic analysis (by running and observing behavior).

What are examples of static analysis?

Type checking, control-flow analysis, and data-flow analysis performed on source code or disassembled binaries.

What are examples of dynamic analysis?

Fuzzing, profiling, and runtime error detection tools like Valgrind or AFL that monitor program behavior during execution.

What is binary analysis and why is it important?

Analysis of compiled executables to understand or reverse-engineer their behavior, especially when source code is unavailable.

What is control-flow analysis (CFA)?

A static analysis technique that builds a control-flow graph to represent all possible paths a program can take during execution.

What is pointer analysis?

A method to determine what memory locations pointers can reference, used to find vulnerabilities like use-after-free or buffer overflows.

Why can’t we perfectly detect all vulnerabilities in arbitrary programs?

Because determining if a program will reach an erroneous state is undecidable (related to the halting problem).

What is host-based intrusion detection (HIDS)?

Monitoring a program’s runtime activities on a host to detect potential attacks or anomalies in execution.

What is the difference between misuse detection and anomaly detection in HIDS?

Misuse detection uses known attack signatures; anomaly detection builds models of normal behavior and flags deviations.

Why are system calls used for anomaly detection?

They represent all program activities (I/O, memory, process creation) and are easy to monitor at the OS level.

What is a mimicry attack?

An evasion technique where attackers disguise malicious behavior so that monitored system call sequences appear normal.

How can mimicry attacks defeat system call–based anomaly detection?

By padding attacks with benign system calls or reordering operations to match allowed patterns.

What is symbolic execution?

A program analysis technique that executes code with symbolic (unknown) inputs, collecting path constraints to find test cases or vulnerabilities.

What is the difference between symbolic and dynamic execution?

Symbolic execution explores all feasible paths using constraints, while dynamic execution follows concrete inputs in a single run.

What is the main difference between a stack overflow and a heap overflow?

A stack overflow overwrites local variables and return addresses in stack frames, while a heap overflow corrupts dynamically allocated memory and its metadata managed by the heap allocator.

What is the heap used for in a process?

It stores dynamically allocated memory (e.g., malloc/new) whose size or lifetime is not known at compile time and persists until explicitly freed.

How are heap chunks typically organized in memory?

Each allocated block (chunk) has metadata fields before its data area, storing information such as size, status (free or in-use), and links to other chunks.

What is the role of malloc() and free()?

malloc() allocates memory on the heap by locating a suitable free chunk or extending the heap; free() releases that memory for reuse and updates the allocator’s data structures.

What happens when free() is called on a heap chunk?

The chunk is marked free, possibly merged (coalesced) with adjacent free chunks, and added to a free list for future allocations.

What is the dlmalloc allocator?

It is Doug Lea’s malloc implementation, widely used in Linux and early glibc versions; it organizes heap memory into bins for efficient allocation and freeing.

What are the forward (fd) and backward (bk) pointers in dlmalloc?

They are links used in doubly linked free lists (bins) to connect adjacent free chunks; fd points to the next free chunk, and bk points to the previous one.

How can a heap overflow exploit these fd and bk pointers?

By overflowing a buffer into heap metadata, an attacker can overwrite fd and bk pointers so that when free() executes unlink(), it writes attacker-controlled values to arbitrary memory.

What is the unlink() macro used for in heap management?

It removes a free chunk from a doubly linked list by updating the pointers of its neighboring chunks: FD->bk = BK; BK->fd = FD;.

Why is overwriting heap metadata dangerous?

Because allocator routines like free() and unlink() trust the metadata and perform memory writes based on it, enabling arbitrary memory corruption if modified.

What are heap-based buffer overflow attacks used for?

To corrupt adjacent heap structures or function pointers, potentially gaining arbitrary code execution or altering control flow.

How can double-free vulnerabilities be exploited?

Freeing the same memory twice reintroduces a chunk into the free list, allowing it to be allocated multiple times and overwritten, corrupting heap metadata.

What is heap spraying?

A technique used by attackers to fill the heap with predictable data (often shellcode) so that an overflow or pointer corruption is more likely to land on the attacker’s payload.

How have modern systems mitigated heap exploitation?

By adding integrity checks to unlink operations, randomizing heap layout, adding safe unlinking, pointer encoding, and hardened allocators like ptmalloc2 and jemalloc.

What is the general goal of heap exploitation?

To manipulate the allocator’s internal structures (metadata, free lists, or function hooks) to write controlled values into memory and redirect program execution.