1/24/22, 3:51 PM Quiz: Attempt review

Started on Sunday, 23 January 2022, 5:49 PM


State Finished
Completed on Sunday, 23 January 2022, 6:12 PM
Time taken 22 mins 44 secs
Grade 6.00 out of 30.00 (20%)

Question 1
Not answered
Marked out of 3.00

Consider the following code in a file named example11.c (you may assume that appropriate header files have been
included in the code which is not shown).

void main(int argc, char** argv){
    char buffer[8];
    if (argc > 1) {
        strcpy(buffer, argv[0]);
        printf("%s\n", buffer);
    }
}

The program is compiled as gcc -o a.out example11.c. Assume that stack protection defenses are not available to the
execution platform.

Which of the following is true?

Select one:

The program will have a buffer overflow when called with C:> a.out AAAAAA

None of the above

The program has a buffer overflow vulnerability which will be triggered by appropriate command line argument

The program does not have a buffer overflow vulnerability

The correct answer is: The program has a buffer overflow vulnerability which will be triggered by appropriate command line argument

Question 2
Correct
Mark 3.00 out of 3.00

The reason why even after studying and analyzing so many buffer overflow exploits in the past 30+ years we still have
them in applications like Internet Explorer, WhatsApp, Linux, Windows O/S, almost everywhere:

1. Secure Programming practices are not followed by a majority of programmers
2. Existing libraries with undiscovered vulnerabilities are linked to new applications
3. Code reuse in latest versions of products is commonplace
4. Platform defenses and compiler options to defend against buffer overflow exploitations are not exercised by all
5. Program vulnerability analysis tools are not mature enough

Choose the combination that most appropriately fits:

Select one:
1 and 3 and 4

all of 1 to 5 

1 and 2

1 and 2 and 5

The correct answer is: all of 1 to 5

Question 3
Not answered
Marked out of 3.00

When a process is executed, the operating system allocates virtual address space for the process. All program variables,
pointers, arrays etc. are given virtual addresses. The virtual addresses are translated by the operating system to physical
memory addresses before physical memory is accessed. Which of the following statements is true?

https://md.ipearl.ai/mod/quiz/review.php?attempt=20995&cmid=3655 1/4

Select one:

A Computer running a 32 bit operating system running on a 32 bit processor and has 8GB RAM is running 10
application processes, the amount of virtual memory allocated per process will be approximately 800 MB

A Computer running a 32-bit operating system running on a 32 bit processor with 4 cores having 8GB RAM and 8 GB
flash memory is running 10 application processes, the amount of virtual memory allocated per process will be 2GB.

A Computer running a 32 bit operating system running on a 32 bit processor and has 8GB RAM is running 10
application processes, the amount of virtual memory allocated per process will be 4GB

The combined virtual memory allocation across all processes in a system cannot exceed its hard disk space size.

The correct answer is: A Computer running a 32 bit operating system running on a 32 bit processor and has 8GB RAM is
running 10 application processes, the amount of virtual memory allocated per process will be 4GB

Question 4
Incorrect
Mark -1.00 out of 3.00

There are program analysis tools (SAST and DAST tools) which can take the source code or the binary of an application,
and analyze whether there is a buffer overflow vulnerability or not. However, they do not always find all the buffer
overflow vulnerabilities, or the ones they find may be false alarms. Therefore, platform-based and run-time checks are also
required to reduce the chance of buffer overflow during the execution of an application. The fundamental reason why we
cannot fully rely on the SAST and DAST tools is:

Select one:
Buffer overflow is not possible in any programming language and these tools are sold by unnecessarily scaring
software engineers

Due to undecidability of the “Halting problem” proven by Alan Turing, one can easily construct programs where a
buffer overflow exists but no program can decide whether the buffer overflow part of the code will actually ever be
executed, nor can any program decide whether there is any point in the program where the unchecked input will
reach to cause an overflow.

Due to the fact that programmers often add new code after the development is completed, and hence check by SAST
or DAST tools precedes the newly added code which may contain a buffer overflow bug 

SAST and DAST tools may be buggy themselves and hence make mistakes

The correct answer is: Due to undecidability of the “Halting problem” proven by Alan Turing, one can easily construct
programs where a buffer overflow exists but no program can decide whether the buffer overflow part of the code will
actually ever be executed, nor can any program decide whether there is any point in the program where the unchecked
input will reach to cause an overflow.

Question 5
Correct
Mark 3.00 out of 3.00

Return oriented programming (ROP) is used when:

Select one:

When the hackers find that Address Space Layout randomization is enabled

When hackers find that the program is running in a platform with DEP enabled setting, and hence one cannot use the
buffer overflow payload to write executable code on the stack

Programmers write Recursive programs to ensure that we can mathematically prove that the functions return and
does not go into infinite recursion

Programmers create functions without return values leading to syntactic errors and then ROP is used to fix that
problem

The correct answer is: When hackers find that the program is running in a platform with DEP enabled setting, and hence
one cannot use the buffer overflow payload to write executable code on the stack

Question 6
Correct
Mark 3.00 out of 3.00

The fundamental reason why the ASLR method was invented is:

Select one:

ASLR makes it harder to use JIT compiler and thus makes it hard to execute languages such as Java – and we often
require that Java programs not be executed on our machines

Hackers create their buffer overflow payload for stack smashing attack by calculating the exact address where the
executable part of the payload is located by knowing the precise positioning of the stack, heap etc., in the address
space and thus with address space layout randomization, one can confuse the hacker to make it harder to precisely
guess such information 

Hackers often use system call numbers to make system calls in their payload so that when the stack overflow happens,
and the return address is directed to the executable payload, the correct system calls can be made, and ASLR makes it
harder to guess the system call numbers

ASLR makes it harder to execute code directly from stack or heap

The correct answer is: Hackers create their buffer overflow payload for stack smashing attack by calculating the exact address where the
executable part of the payload is located by knowing the precise positioning of the stack, heap etc., in the address space
and thus with address space layout randomization, one can confuse the hacker to make it harder to precisely guess such
information

Question 7
Not answered
Marked out of 3.00

The fundamental difference between the canary based detection of buffer overflow and Propolice concept is:

Select one:
In Propolice you need to recompile your code but in canary based technique such as Stackguard you do not need any
recompilation of the code

Propolice does use canary – so Propolice is an implementation of canary technique

Propolice stores away XORed copy of the return address for comparison with the return address found after a
function execution, whereas Stackguard puts additional bytes on the stack itself

Stackguard stores away XORed copy of the return address for comparison with return address found after a function
execution, whereas Propolice puts additional bytes on the stack itself

The correct answer is: Propolice stores away XORed copy of the return address for comparison with the return address
found after a function execution, whereas Stackguard puts additional bytes on the stack itself

Question 8
Not answered
Marked out of 3.00

Microsoft /SEHOP compile time flag enables the following:

Select one:
Additional instructions are added during compilation so that exception handling is disabled

Exceptions of high or low priority are treated differently so only high priority exceptions are handled

Since the exception handlers are overflown from front of the handlers list, a dummy record is created in front of the
handlers list

A Table of safe exception handler is used to whitelist which exception handlers are allowed to execute

The correct answer is: Since the exception handlers are overflown from front of the handlers list, a dummy record is
created in front of the handlers list

Question 9
Incorrect
Mark -1.00 out of 3.00

The idea of control flow integrity (CFI) check is as follows:

Select one:

You compute all possible control path of execution of the program for all possible legitimate inputs and use that
information to ensure that the paths taken during the execution of the program does not deviate from those
computed already

You compute all possible inputs that will not create any buffer overflow, and add a wrapper around the program so
that any other input is filtered out

You build the flow chart before writing the program and flow chart provides visualization of the control paths taken

None of the above 

The correct answer is: You compute all possible control path of execution of the program for all possible legitimate inputs
and use that information to ensure that the paths taken during the execution of the program does not deviate from those
computed already

Question 10
Incorrect
Mark -1.00 out of 3.00

‘Heap-Spray’ is a technique that is used by attackers fundamentally for the following reason:

Select one:
For attacking a program written in C++ when virtual function table is placed on the heap 

In order to create a buffer overflow for any data structure stored on the heap during program execution

In order to ensure that malicious payload is pointed to by an overflown function pointer irrespective of whether you
know the precise location of the malicious payload on the heap

None of the above

The correct answer is: In order to ensure that malicious payload is pointed to by an overflown function pointer irrespective
of whether you know the precise location of the malicious payload on the heap
