In return-oriented programming, an attacker may overflow the buffer by
A.
appending one or more fake calling frames
B.
none of the mentioned
C.
appending only one fake calling frame
D.
appending only the fake address of a system function.
A.
appending one or more fake calling frames
How can a stack buffer overflow hijack the control flow of the program?
A.
Overwriting the return address on the stack
B.
Overwriting a function pointer on the stack
C.
All of the above
D.
None of the above
C.
All of the above
In Control Flow Integrity (CFI), direct calls to functions do need to be monitored.
A.
True
B.
False
B.
False
In ROP, it is possible to invoke an arbitrary function simply by placing a fake frame in stack memory.
A.
True
B.
False
A.
True
With a hardware-enforced NX bit (non-executable bit),
A.
The EIP can jump to the Stack
B.
The EIP can jump to executable regions
C.
none of the mentioned
D.
The EIP can jump to the Heap
B.
The EIP can jump to executable regions
In return-oriented programming, a return from a hijacked function cannot be controlled by the hijacker.
A.
True
B.
False
B.
False
The sandbox restrictions provide strict limitations on which system resources the applet can request or access.
A.
True
B.
False
A.
True
Which of the following checks code fragments for illegal code that could violate access rights to objects?
A.
Bytecode Verifier
B.
Security Manager
C.
JVM
D.
Class loader
A.
Bytecode Verifier
Which of the following options leads to the portability and security of Java?
A.
The applet makes the Java code secure and portable
B.
Bytecode is executed by JVM
C.
Use of exception handling
D.
Dynamic binding between objects
B.
Bytecode is executed by JVM
Which statement is wrong about orchestrating gadgets in return-oriented programming:
A.
Gadgets can be pieced together to accomplish a task.
B.
Some gadgets can be injected onto the stack.
C.
Gadget may return to another gadget.
D.
Every gadget must end with a RET.
B.
Some gadgets can be injected onto the stack.
Reflected XSS occurs when an attacker gets a victim to send a request with malicious input to a server which includes the unsanitized input in the HTML output it produces.
A.
True
B.
False
A.
True
The server can trust cookie values in HTTP requests to be untampered since the cookies are set by the server.
A.
False
B.
True
A.
False
Which of the following is NOT a common defense mechanism against XSS attacks?
A.
Allowing inline JavaScript in web applications
B.
Input validation and sanitization
C.
Cross-Origin Resource Sharing (CORS)
D.
Using secure cookies with HttpOnly flag
A.
Allowing inline JavaScript in web applications
What does the HttpOnly flag in cookies prevent?
A.
Session fixation attacks
B.
Cross-Site Scripting attacks
C.
Cross-Site Request Forgery attacks
D.
SQL Injection attacks
B.
Cross-Site Scripting attacks
What is the purpose of Same Origin Policy (SOP) in web security?
A.
To prevent unauthorized access to resources from different origins
B.
To prevent XSS attacks
C.
To prevent SQL Injection attacks
D.
To prevent Cross-Site Request Forgery
A.
To prevent unauthorized access to resources from different origins
Websites that allow users to enter text (such as comments or names), then store it and later display it to other users may be vulnerable to an attack. What is it?
A.
None of these
B.
Cross-site request forgery
C.
Two-factor authentication
D.
Cross-site scripting
E.
Cross-site scoring scripting
D.
Cross-site scripting
Which of the following is not an example of an XSS attack?
A.
Stored XSS
B.
Reflected XSS
C.
DNS XSS
D.
DOM-based XSS
C.
DNS XSS
HTML/JavaScript are the primary languages targeted by cross-site scripting attacks.
A.
True
B.
False
A.
True
One common strategy to prevent XSS vulnerabilities is to (choose the best answer):
A.
Educate your users to recognize safe vs. unsafe web pages.
B.
Ensure the user's input is valid as quickly as possible.
C.
Make sure your database is configured for strong security.
D.
Avoid using JavaScript on your site.
E.
Use an interpreted programming language such as Java or C#.
B.
Ensure the user's input is valid as quickly as possible.
What does CSRF stand for in web security?
A.
Cross-Site Resource Fraud
B.
Centralized Security Request Framework
C.
Cross-Site Request Forgery
D.
Cross-Site Resource Forgery
C.
Cross-Site Request Forgery
Functions are considered first-class citizens in functional programming languages, implying that:
A.
Functions can be passed as arguments to other functions.
B.
Functions can be returned as results from other functions.
C.
Functions can be assigned to names
D.
all of the above
D.
all of the above
The lambda special form can be used to define "anonymous" functions in Lisp.
A.
False
B.
True
B.
True
Which of the following writes the addition of four numbers using the maximum possible number of parentheses?
A.
(+ 1 2 3 4)
B.
(+ (+ 1 2) (+ 3 4))
C.
(+ 1 (+ 2 (+ 3 (4))))
D.
(+ 1 2 (+ 3 4))
B.
(+ (+ 1 2) (+ 3 4))
What is the output of the following LISP program?
(define (b p) (+ p p) )
(define z 1)
(b z)
A.
2
B.
error
C.
1
D.
3
A.
2
What is the output of the following statement?
(define x 'outside)
(let ((x 'inside) (y x)) (list x y))
A.
'(inside)
B.
'(inside outside)
C.
'(outside inside)
D.
'(outside)
B.
'(inside outside)
What is the output of the following statements?
(define (aaa-x x) (lambda(y)(+ x y)))
(define add-d (aaa-x 7))
(add-d 15)
A.
error
B.
14
C.
7
D.
22
D.
22
What will be the output of the following statement?
(cons (car '(a b)) (cdr '(p q)))
A.
'(p q)
B.
'(a b)
C.
'(a q)
D.
'(a p)
C.
'(a q)
What is the output of this racket program?
(define (multiply p q) (* p q))
(cons 4 (multiply 2 4))
A.
'(4 . 8)
B.
'(4 . 4)
C.
'(8 . 4)
D.
'(8 . 8)
A.
'(4 . 8)
What is the output of the following statements?
(define whole-list '(monday tuesday wednesday thursday friday))
(define (mystery) (cons (first whole-list) (last whole-list)))
(mystery)
A.
'(monday.friday)
B.
'( )
C.
error
D.
'(monday friday)
A.
'(monday.friday)
What is the output of the following statements?
(define thing 'sphere)
(define r 2)
(cond ((eq? thing 'circle) (* 3 r r)) ((* 4 3 r r)))
A.
6
B.
12
C.
48
D.
24
C.
48
What relationship does the following Prolog program represent?
r(X, Y) :- parent(Z,X), parent(Z,Y), male(X), X \= Y.
A.
X and Y are NOT related
B.
X is the brother of Y
C.
Y is the sister of X.
D.
X is the father of Y
B.
X is the brother of Y
Which of the options would return true for the following Prolog program?
boy(john,123).
girl(jane,234).
student(john,123).
A.
?- girl(jane,x).
B.
?- boy(john,123).
C.
All of the above.
D.
None of the above
B.
?- boy(john,123).
The scope of a variable in Prolog is a single clause (i.e., a fact or rule) or a single query.
A.
True
B.
False
A.
True
What would the output of the following Prolog query be?
?- f(a,b) = f(Y,X).
A.
X=X. Y=Y.
B.
X=b. Y=a.
C.
X=a. Y=b.
D.
This expression will not compile.
B.
X=b. Y=a.
Which process makes two different Logical expressions look identical?
A.
Unification
B.
Lifting
C.
Inference Process
D.
None of the above
A.
Unification
The inference engine in Prolog works on ______.
A.
Forward Chaining
B.
Backward Chaining
C.
Both a and b
D.
None of the above
B.
Backward Chaining
In Prolog, in what manner is a state-space tree for a backtracking algorithm constructed?
A.
Breadth-first search
B.
Depth-first search
C.
Nearest neighbor first
D.
Twice around the tree
B.
Depth-first search
The cut (in Prolog) is a goal, written as !, which always succeeds, but cannot be backtracked.
A.
True
B.
False
A.
True
What is the use of 'is' in Prolog programming?
A.
unification
B.
arithmetic evaluation
C.
reduction
D.
None of the above
B.
arithmetic evaluation
For the Prolog goal:
?-[[X,Y],Z|R] = [[a,b],[1,2],[c,d]] .
Which bindings apply?
A.
none, because the goal fails
B.
X=a Y=b Z=[1,2] R=[[c,d]]
C.
X=a Y=b Z=1 R=[2,c,d]
D.
X=a Y=b Z=[c,d] R=[c,d]
B.
X=a Y=b Z=[1,2] R=[[c,d]]
Software Security
protects the environment where the software operates
Sources of Software Insecurity
Complexity
Inadequacy
Change
Incorrect/changing assumptions
Flawed specs and designs
Poor implementation
Bad secure coding practices
Unintended interactions
Lack of consideration for security
Pointers
indirect addressing by holding memory addresses and NULL
Problems with pointers
Dangling pointers
Lost heap-dynamic variable
Arrays out of bounds
C++/C problems
does not check array bounds; writing past the end can lead to memory corruption and security risks
Type Errors
incorrect typing of a variable (string x = 9, int y = "hello", etc.)
Implicit declaration
default mechanism for specifying types of variables instead of declarations (used in Basic, Perl, Ruby, JavaScript, PHP)
Dynamic Typing
flexible, but has high cost and type error detection is difficult
Strong Typing
strict rules about how types can be used; type safe, readable, and maintainable, but less flexible and potentially more boilerplate
Strongly Typed Languages
Java, Python
Type Safety
only the operations allowed by a value's type are performed; Java and SML are safe languages, C/C++ are not
Safe Languages
all safe languages use types and are strongly typed
ARI
Activation record instance; the activation record for a particular function activation
Dynamic Link
points to the top of the ARI of the caller
Stack Smashing Attack
stack overflow attack or buffer overflow attack; occurs when a program writes more data to a block of memory (buffer) than was allocated for it
How Stack Smashing works
attacker sends data that overflows the buffer, overwrites critical control data, redirects the flow of execution to malicious code, and the code then executes
Preventing Stack Smashing
bounds checking, safe string functions, address space randomization, stack canaries, non-executable stack
Number 1 security issue in software
buffer overflow
String manipulation functions
cause buffer overflow; give servers very large strings to overflow and crash the server
gets()
reads user input with no length limit; use fgets(buf, size, stdin) to impose a limit (it reads at most size-1 characters or up to a newline)
strcpy()
assumes src is null-terminated and that dest is long enough; use strncpy(dest, src, size) instead
strncpy correct initialization
strncpy(dest, src, sizeof(dest) - 1);
dest[sizeof(dest) - 1] = '\0';
(the explicit terminator is needed because strncpy does not null-terminate dest when src is at least size characters long; sizeof(dest) only gives the buffer size when dest is an array, not a pointer)
casting bug
a signed/unsigned or implicit casting bug is hard to spot; variables like length may be negative, which is cast to unsigned and becomes a huge positive number
format string vulnerability
if the format string argument to printf is attacker-controlled, the attacker can read from and write to arbitrary memory addresses
Preventing format string vulnerabilities
avoid user-controlled format strings, validate and sanitize input, use explicit format strings, limit permissions, static code analysis
preventing buffer overflow
array bounds checking
non-executable stack/heap
safe c library
compiler solutions
type safe language (java)
static source code analysis
anomaly detection
code randomization
memory address obfuscation/ASLR (address space layout randomization)
DEP
data execution prevention; execute code, not data; data areas (stack, heap) are marked non-executable
EIP control
can't jump to heap or stack, can only land in executable regions
how can DEP be defeated
borrow bits of code that already exist in the executable regions, then create a sequence of operations to carry out the attack
Return Oriented Programming (ROP)
An attacker can overwrite the stack such that the return address in the currently executing function points to a desired malicious instruction (or series of instructions), followed by a return instruction. This can ultimately lead to executing arbitrary code.
How does Ret2LibC work
exploit the buffer overflow, set the return address (EIP), prepare the fake stack frame, return into the libc function and execute it; in the general ROP form: find gadgets, control the stack, redirect control flow, chain gadgets, execute the ROP chain, achieve arbitrary code execution
functional programming
treats computation as the evaluation of math functions
functional programming languages
LISP, ML, F#, Erlang, Miranda
pure functional programming
no side effects (output depends only on inputs, so expressions can be evaluated in any order); more complex functions are built on recursion
racket
functional programming language
> (+ 3 2)
5
> (* 10 4)
40
> (- 5 8)
-3
> ( / 6 2)
3
> (/ 5 2)
2 1/2
> (/ 100 10 5)
2
racket datatypes
boolean (#t/#f)
numbers
characters ('#\a', '#\b', etc)
strings ("Hello, World!")
Bytes and Byte Strings ('#u(0 1 2 3)')
(integer? 1) → #t
(real? 1) → #t
(exact-integer? 6.0) → #f
(real? 6.4) → #t
(rational? 5.0) → #t
(complex? 5.0) → #t
(define x 5)
x = 5
(and (= 2 3))
#f
(and (= 2 2) (< 4 5))
#t
bindings can override almost any name, including redefining addition with (define + ...)
true
define function example
(define (greet)
  (printf "Welcome")
  (newline)
  (printf "I hope you enjoy."))
condition example
(cond [(not (number? n)) "not a number"]
      [(< n 0) "negative"]
      [(> n 0) "positive"]
      [else "zero"])
read expression such as an int
(read)
read a string
(read-line)
racket comments
; starts a single-line comment
#| ... |# is a multi-line (block) comment
#; comments out the single expression that follows it
lists
preceded by ' to suppress default automatic evaluation of an expression and enclosed in (), lists can be nested (x (y z) a b)
s-expression
symbolic expression, notation for a nested list for LISP
(* 2(+ 3 4))
operation vs evaluation
operation returns a number, evaluation returns a boolean
racket naming conventions
can use special characters such as $, %, &
lambda function
defines parameters and mapping body
lambda function structure
(lambda (args) body)
(lambda (x y) (+ (* x x) (* y y)))
square sum lambda function
higher order function
either takes function as parameter or yields a function as result, treated as first-class citizen; applies to all elements of a collection