Assignment 3

Due Wednesday February 21, 2018 6:55pm via sakai


Please answer the questions precisely and concisely. Every question can be answered in one or at most a few sentences. I will not have the patience to read long paragraphs or essays and you may lose credit for possibly correct answers.


Text: Ross Anderson, Security Engineering:
Section 4.4 (What Goes Wrong), pages 117–126.
Paper: Eric Chien and Péter Ször, Blended Attacks Exploits, Vulnerabilities and Buffer-Overflow Techniques in Computer Viruses, Symantec Security Response White Paper, 2002, pages 3–15.
Discussion of various buffer overflow exploits
Paper: Protecting Your Software, Microsoft Security Intelligence Report
Really brief discussion of ASLR and DEP.
Blog article: Antonio Lopez, Linux Capabilities and how to avoid being root, Computer Emergency Response Team for Security and Industry, June 4, 2015.
Brief posting that explains POSIX (Linux) capabilities at a high level.
Blog article: Gray Chan, Linux Capabilities,
Notes of a Programmer blog, Sepbtember 2, 2013.
Really short article giving an example of using POSIX capabilities.


Question 1.

How does an off-by-one overflow that only allows changing a byte of the base pointer ( ebp or, on 64-bit systems, rbp) enable malicious code execution? (You can compile a small function with cc -S to look at the code generated for function entry and exit).

Question 2.

What damage can heap-based buffer overflows do if they cannot change the instruction pointer?

Question 3.

How can a printf format string read arbitrary stack data?

Question 4.

How does ASLR make buffer overflow attacks more difficult?

Question 5.

(a) What Linux command is used to assign capabilities?

(b) What does the cap_net_raw capability permit (see the capabilities man page)?