Heap Overflow and integer overflow

P15)

In addition to stack-based buffer overflow attacks (i.e., smashing the stack), heap overflows can also be exploited. Consider the following C code, which illustrates a heap overflow:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main()
{
    int diff, size = 8;
    char *buf1, *buf2;

    buf1 = (char *) malloc(size);
    buf2 = (char *) malloc(size);
    diff = buf2 - buf1;              /* distance between the two heap blocks */

    memset(buf2, '2', size);
    printf("BEFORE: buf2 = %s\n", buf2);
    memset(buf1, '1', diff + 3);     /* writes diff + 3 bytes starting at buf1 */
    printf("AFTER: buf2 = %s\n", buf2);
    return 0;
}
```

  a. Compile and execute this program. What is printed?
  b. Explain the results you obtained in part a.
  c. Explain how a heap overflow might be exploited by Trudy.


P16)

In addition to stack-based buffer overflow attacks (i.e., smashing the stack), integer overflows can also be exploited. Consider the following C code, which illustrates an integer overflow [36].

```c
#include <string.h>

int copy_something(char *buf, int len)
{
    char kbuf[800];

    if(len > sizeof(kbuf))
    {
        return -1;
    }
    memcpy(kbuf, buf, len);
    return len;
}
```

  a. What is the potential problem with this code? Hint: The last argument to the function memcpy is interpreted as an unsigned integer.
  b. Explain how an integer overflow might be exploited by Trudy.
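The following C program is an added illustration for this problem; it is not part of the original problem set or of reference [36]. It separates the length check from the copy so the signed/unsigned behaviour can be observed without ever performing an oversized memcpy. `KBUF_SIZE` and all function names are this example's own. One caveat a practitioner should know: under C's usual arithmetic conversions, comparing an `int` against `sizeof(kbuf)` (a `size_t`) converts `len` to unsigned before the comparison, so on common platforms a negative `len` is rejected by that particular test; a check against a signed bound, shown first below, is the form that admits a negative length, which `memcpy` then receives as a very large `size_t`. The two hardened versions take the length as `size_t`, or reject negatives explicitly when the `int` signature cannot change.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KBUF_SIZE 800   /* assumed destination size, matching kbuf[800] above */

/* Flawed variant: signed length compared against a signed bound.
   Returns 1 when the check would let len through to memcpy. */
int signed_check_accepts(int len)
{
    int bound = KBUF_SIZE;
    return !(len > bound);          /* -1 > 800 is false, so -1 is accepted */
}

/* The comparison as written above, with the implicit conversion made
   explicit: len becomes a size_t first, so a negative value turns into a
   huge one and is rejected by this test. */
int unsigned_check_accepts(int len)
{
    char kbuf[KBUF_SIZE];
    (void)kbuf;                     /* only its size matters here */
    return !((size_t)len > sizeof(kbuf));
}

/* What memcpy's third parameter actually receives for a given int. */
size_t length_memcpy_receives(int len)
{
    return (size_t)len;
}

/* Hardened version 1: the length is a size_t, so no negative value exists
   and a single comparison against the destination size is sufficient. */
int copy_something_sized(const char *buf, size_t len)
{
    char kbuf[KBUF_SIZE];
    if (len > sizeof(kbuf)) {
        return -1;
    }
    memcpy(kbuf, buf, len);
    return (int)len;                /* len <= 800 here, so it fits an int */
}

/* Hardened version 2: when the int signature is fixed by an existing API,
   reject negatives before any comparison can reinterpret them. */
int copy_something_checked(const char *buf, int len)
{
    char kbuf[KBUF_SIZE];
    if (len < 0 || (size_t)len > sizeof(kbuf)) {
        return -1;
    }
    memcpy(kbuf, buf, (size_t)len);
    return len;
}

int main(void)
{
    int probe[] = { 0, 799, 800, 801, -1 };   /* constructed sample lengths */
    size_t i;
    for (i = 0; i < sizeof(probe) / sizeof(probe[0]); ++i) {
        printf("len=%5d  signed check accepts=%d  unsigned check accepts=%d  memcpy would receive %zu\n",
               probe[i], signed_check_accepts(probe[i]),
               unsigned_check_accepts(probe[i]), length_memcpy_receives(probe[i]));
    }
    return 0;
}
```

The table printed by `main` shows the two checks agreeing for every non-negative length and disagreeing only for `-1`, which is exactly the value a `size_t` parameter turns into the largest possible copy. The general rule the hardened versions follow is to keep the length and the bound in the same unsigned type, or to test the sign before the magnitude.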


Worms, Viruses, Trojans


P19)

Recall that a trojan horse is a program that has unexpected functionality.

  a. Write your own trojan horse, where the unexpected functionality is completely harmless.
  b. How could your trojan program be modified to do something malicious?


Recall that a computer virus is malware that relies on someone or some thing (other than itself) to propagate from one system to another.

  a. Write your own computer virus, where the “malicious” functionality is completely harmless.
  b. Explain how your virus could be modified to do something malicious.

 

P21)

Recall that a worm is a type of malware similar to a virus except that a worm propagates by itself.

  a. Write your own worm, where the “malicious” activity is completely harmless.
  b. Explain how your worm could be modified to do something malicious.


Linearization Attacks


P36)

Consider the code in Table 11.5, which is susceptible to a linearization attack. Suppose that we modify the program as follows:

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char *argv[])
{
    int i;
    bool flag = true;
    char serial[9] = "S123N456\n";

    if(argc < 2 || strlen(argv[1]) < 8)
    {
        printf("\nError try again.\n\n");
        exit(0);
    }
    for(i = 0; i < 8; ++i)
    {
        if(argv[1][i] != serial[i]) flag = false;
    }
    if(flag)
    {
        printf("\nSerial number is correct!\n\n");
    }
    return 0;
}
```

Note that we never break out of the for loop early; yet we can still determine whether the correct serial number was entered. Explain why this modified version of the program is still susceptible to a linearization attack.


P37)

Consider the code in Table 11.5, which is susceptible to a linearization attack. Suppose that we modify it so that it computes the hash of the putative serial number and we compare this hash to the hash of the actual serial number. Is this modified program susceptible to a linearization attack? Explain.


Consider the code in Problem 36, which is susceptible to a linearization attack. Suppose that we modify the program so that it computes a random delay within each iteration of the loop.

  a. This program is still susceptible to a linearization attack. Why?
  b. An attack on this modified program would be more difficult than an attack on the code that appears in Problem 36. Why?


P39)

Consider the code in Table 11.5, which is susceptible to a linearization attack. Suppose that we modify the program as follows:

```c
#include <stdio.h>
#include <string.h>

int main(int argc, const char *argv[])
{
    /* strcmp needs a null terminator, so let the array size include it */
    char serial[] = "S123N456\n";

    if(argc > 1 && strcmp(argv[1], serial) == 0)
    {
        printf("\nSerial number is correct!\n\n");
    }
    return 0;
}
```

Note that we are using the library function strcmp to compare the input string to the actual serial number.

  a. Is this version of the program immune to a linearization attack? Why or why not?
  b. How is strcmp implemented? That is, how does it determine whether the two strings are identical or not?


P42)

Consider the code in Table 11.5, which is susceptible to a linearization attack. Suppose that we modify the program as follows:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, const char *argv[])
{
    int i;
    int count = 0;
    char serial[9] = "S123N456\n";

    if(argc < 2 || strlen(argv[1]) < 8)
    {
        printf("\nError try again.\n\n");
        exit(0);
    }
    for(i = 0; i < 8; ++i)
    {
        if(argv[1][i] != serial[i]) { count = count + 0; }
        else { count = count + 1; }
    }
    if(count == 8)
    {
        printf("\nSerial number is correct!\n\n");
    }
    return 0;
}
```

Note that we never break out of the for loop early; yet we can still determine whether the correct serial number was entered. Is this version of the program immune to a linearization attack? Explain.


P43)

Modify the code in Table 11.5 so that it is immune to a linearization attack. Note that the resulting program must take exactly the same amount of time to execute for any incorrect input. Hint: Do not use any predefined functions (such as strcmp or strncmp) to compare the input with the correct serial number.
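The program below is an added example of the fixed-time comparison that Problems 36 through 43 circle around; it is not the textbook's code and not taken from Table 11.5. `SERIAL_LEN`, `serial_matches` and `check_serial` are names chosen for this example; the serial string is the one used by the programs above. The comparison reads every one of the eight positions on every call and folds the differences together with OR, so the amount of work does not depend on how many leading characters happen to match.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SERIAL_LEN 8    /* number of characters the programs above compare */

/* Compare exactly n bytes in constant time. Every byte is read and its
   difference OR'ed into diff; there is no early exit and no branch that
   depends on which position differs, so every incorrect input of length n
   takes the same path through the loop. */
int serial_matches(const char *input, const char *serial, size_t n)
{
    volatile unsigned char diff = 0;  /* volatile: keeps the compiler from reintroducing a shortcut */
    size_t i;

    for (i = 0; i < n; ++i) {
        diff |= (unsigned char)(input[i] ^ serial[i]);
    }
    return diff == 0;   /* the only data-dependent step is on the final, public result */
}

/* Same accept/reject behaviour as the programs above (the first SERIAL_LEN
   characters must match), with the constant-time loop in place of the leaky one. */
int check_serial(const char *input)
{
    static const char serial[] = "S123N456\n";

    /* This length test depends only on the caller's own input, not on how
       much of it agrees with the secret, so it reveals nothing about serial. */
    if (strlen(input) < SERIAL_LEN) {
        return 0;
    }
    return serial_matches(input, serial, SERIAL_LEN);
}

int main(int argc, const char *argv[])
{
    if (argc < 2) {
        printf("\nError try again.\n\n");
        return 1;
    }
    if (check_serial(argv[1])) {
        printf("\nSerial number is correct!\n\n");
    } else {
        printf("\nError try again.\n\n");
    }
    return 0;
}
```

Usage: compile and run with the candidate serial as the first argument, as the programs above are run. The design point is that `diff` accumulates rather than decides: the loop never learns, and so never reveals through its timing, where the first mismatch occurred. Production code uses a library routine built on the same idea (for example OpenSSL's `CRYPTO_memcmp`) rather than `strcmp` or `memcmp`, both of which may stop at the first differing byte.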


Please be sure to (1) cite your sources and (2) clearly display borrowed text and give credit to its author(s).

HEAP OVERFLOW AND INTEGER OVERFLOW Answers
(1)
(2)

WORMS, VIRUSES, TROJANS Answers
(1) Type your answers here, and attach a working implementation of your malware.
Full credit will be considered for this question only if your implementation of a virus (resp., worm or Trojan) meets the definition of a virus (resp., worm or Trojan) that is given by Stamp. You may use C, C++, or any programming language for which a compiler is freely available online. Be sure to include your source code in your submission for this assignment.

LINEARIZATION ATTACKS Answers
(1)

(2)
(3)

(4)

(5)
(6)
Full credit will be considered for this question only if your working implementation of the modified code is included in your submission for this assignment. You should probably use C for this program, but you may instead use C++, Java, or any programming language for which a compiler is freely available online.
