Andrew ID:
Full Name:
Recitation Section:

CS 15-213, Fall 2008
Exam 2
Thurs. Oct 30, 2008

Instructions:
• Make sure that your exam is not missing any sheets, then write your full name, Andrew login ID, and recitation section (A–H) on the front.
• Write your answers in the space provided for the problem. If you make a mess, clearly indicate your final answer.
• The exam has a maximum score of 60 points.
• The problems are of varying difficulty. The point value of each problem is indicated. Pile up the easy points quickly and then come back to the harder problems.
• This exam is OPEN BOOK. You may use any books or notes you like. No calculators or other electronic devices are allowed.
• Good luck!

1 (6):
2 (9):
3 (6):
4 (8):
5 (10):
6 (6):
7 (7):
8 (8):
TOTAL (60):

Page 1 of 14

Problem 1. (6 points):

In buflab, you performed various buffer overflow attacks against a vulnerable function gets that writes into a small buffer. However, in practice, a decent compiler (such as gcc) warns about the vulnerabilities of gets, and most programmers tend to take the advice.

Harry Q. Bovik thinks that his code is invulnerable against buffer overflow attacks as long as he stays away from unsafe functions such as gets.

Here is a piece of code Bovik wrote; it compiled without warnings under a 32-bit little-endian machine:

// str.c (headers omitted)
int main()
{
    char buf[23];
    scanf("%s", buf);
    return 0;
}

void remove_later()
{
    printf("You have found my weakness!!!\n");
}

Your goal is to prove Bovik wrong by jumping to the remove_later function.
Do not worry about how the program would behave upon exiting the function.

Relevant assembly output from objdump of the str program:

080483c0 <main>:
 80483c0: 55                      push   %ebp
 80483c1: 89 e5                   mov    %esp,%ebp
 80483c3: 83 ec 38                sub    $0x38,%esp
 80483c6: 83 e4 f0                and    $0xfffffff0,%esp
 80483c9: 8d 45 d8                lea    0xffffffd8(%ebp),%eax
 80483cc: 83 ec 10                sub    $0x10,%esp
 80483cf: 89 44 24 04             mov    %eax,0x4(%esp)
 80483d3: c7 04 24 e8 84 04 08    movl   $0x80484e8,(%esp)
 80483da: e8 f5 fe ff ff          call   80482d4 <scanf@plt>
 80483df: c9                      leave
 80483e0: 31 c0                   xor    %eax,%eax
 80483e2: c3                      ret

080483f0 <remove_later>:
 80483f0: 55                      push   %ebp
 80483f1: 89 e5                   mov    %esp,%ebp
 80483f3: 83 ec 08                sub    $0x8,%esp
 80483f6: c7 04 24 eb 84 04 08    movl   $0x80484eb,(%esp)
 80483fd: e8 c2 fe ff ff          call   80482c4 <puts@plt>
 8048402: c9                      leave
 8048403: c3                      ret

Assume that you are allowed to work under the same directory where Bovik created str, and you are executing ./hex2raw < exploit | ./str, where exploit contains your attack code in hexadecimal.

Write down the contents of your exploit, and use [n] to denote n consecutive arbitrary bytes:

Problem 2. (9 points):

Consider the following C function to sum all the elements of a 5 × 5 matrix. Note that it is iterating over the matrix column-wise, and iterating over the columns in reverse order.

char sum_matrix(char matrix[5][5]) {
    int row, col;
    char sum = 0;
    for (col = 4; col >= 0; col--) {
        for (row = 0; row < 5; row++) {
            sum += matrix[row][col];
        }
    }
    return sum;
}

Suppose we run this code on a machine whose memory system has the following characteristics:
• Memory is byte-addressable.
• There are registers, an L1 cache, and main memory.
• A char is stored as a single byte.
• The cache is direct-mapped, with 4 sets and 2-byte blocks.

You should also assume:
• matrix begins at address 0.
• sum, row and col are in registers; that is, the only memory accesses during the execution of this function are to matrix.
• The cache is initially cold and the array has been initialized elsewhere.

Fill in the table below.
In each cell, write “h” if there is a cache hit when accessing the corresponding element of the matrix, or “m” if there is a cache miss.

        0     1     2     3     4
   0
   1
   2
   3
   4

Problem 3. (6 points):

Using pointers

Give the output for the following code snippet, assuming that it was compiled on an IA-32 machine. Variables i, j, and k have memory addresses 600, 700 and 800, respectively.

#include <stdio.h>
int main() {
    // Assume that i is stored at memory address 600
    int i = 50;
    // Assume that j is stored at memory address 700
    int *j = &i;
    // Assume that k is stored at memory address 800
    int *k = (int *) i;
    printf("%d,%d,%d", (int) i, (int) &i, (int) (i+1));
    printf("\n");
    printf("%d,%d,%d", (int) j, (int) &j, (int) (j+1));
    printf("\n");
    printf("%d,%d,%d", (int) k, (int) &k, (int) (k+1));
    printf("\n");
    return 0;
}

This program prints out three lines. Each line has three values that are separated by a comma. What is the output?

Problem 4. (8 points):

Consider the following C program, with line numbers:

 1 int main() {
 2     int counter = 0;
 3     int pid;
 4
 5     while (counter < 4 && !(pid = fork())) {
 6         counter += 2;
 7         printf("%d", counter);
 8     }
 9
10     if (counter > 0) {
11         printf("%d", counter);
12     }
13
14     if (pid) {
15         waitpid(pid, NULL, 0);
16         counter += 3;
17         printf("%d", counter);
18     }
19 }

Use the following assumptions to answer the questions:
• All processes run to completion and no system calls will fail.
• printf() is atomic and calls fflush(stdout) after printing argument(s) but before returning.
• Logical operators such as && evaluate their operands from left to right and only evaluate the smallest number of operands necessary to determine the result.

A. List all possible outputs of the program in the following blanks. (You might not use all the blanks.)

_________________________
_________________________
_________________________
_________________________
_________________________
_________________________
_________________________
_________________________
_________________________
_________________________

B.
If we modified line 10 of the code to change the > comparison to >=, it would cause the program flow to print out zero counter values. With this change, how many possible outputs are there? (Just give a number, you do not need to list them all.)

NEW NUMBER OF POSSIBLE OUTPUTS = __________

Problem 5. (10 points):

Consider the following C program:

void handler1(int sig) {
    printf("Phantom\n");
    exit(0);
}

int main()
{
    pid_t pid1;
    signal(SIGUSR1, handler1);
    if ((pid1 = fork()) == 0) {
        printf("Ghost\n");
        exit(0);
    }
    kill(pid1, SIGUSR1);
    printf("Ninja\n");
    return 0;
}

Use the following assumptions to answer the questions:
• All processes run to completion and no system calls will fail.
• printf() is atomic and calls fflush(stdout) after printing argument(s) but before returning.

Mark each column that represents a valid possible output of this program with ‘Yes’ and each column which is impossible with ‘No’.

         Phantom   Ninja     Ghost     Ninja     Ninja
         Ninja     Phantom   Ninja     Ghost
Yes/No:  _______   _______   _______   _______   _______
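The cache question in Problem 2 is mechanical once the address-to-set mapping is written down: with 2-byte blocks and 4 sets, address a lives in block a/2, maps to set (a/2) mod 4, and carries tag (a/2)/4. The simulator below is an added example, not part of the exam; it replays the exact access order of sum_matrix (columns in reverse, rows ascending, matrix at address 0, one byte per char) against a cold direct-mapped cache and fills the h/m grid. The cache geometry and matrix size are parameters, so the same code answers the question for other block sizes or set counts (the function names are my own).

```python
# Direct-mapped cache simulator for the access pattern of sum_matrix
# (constructed example; geometry taken from Problem 2: 4 sets, 2-byte blocks,
# byte-addressable memory, matrix at address 0, char = 1 byte).

def direct_mapped_trace(addresses, num_sets, block_bytes):
    """Return an 'h'/'m' mark for each address, in order, for a cold
    direct-mapped cache. Each set holds exactly one block, so a set
    remembers only the tag of the block it currently holds."""
    sets = [None] * num_sets            # tag cached in each set, or None (cold)
    marks = []
    for addr in addresses:
        block = addr // block_bytes     # drop the block-offset bits
        index = block % num_sets        # set-index bits
        tag = block // num_sets         # remaining high-order bits
        if sets[index] == tag:
            marks.append("h")
        else:
            marks.append("m")
            sets[index] = tag           # direct-mapped: the old block is evicted
    return marks

def sum_matrix_accesses(n=5, base=0, elem_bytes=1):
    """Addresses touched by sum_matrix on an n x n row-major array at
    `base`: columns from n-1 down to 0, rows 0..n-1 within each column.
    Yields (address, row, col) so the marks can be placed in the grid."""
    return [(base + (row * n + col) * elem_bytes, row, col)
            for col in range(n - 1, -1, -1)
            for row in range(n)]

def hit_miss_table(n=5, num_sets=4, block_bytes=2):
    """Fill the Problem 2 grid: table[row][col] is 'h' or 'm'."""
    accesses = sum_matrix_accesses(n)
    marks = direct_mapped_trace([a for a, _, _ in accesses], num_sets, block_bytes)
    table = [[None] * n for _ in range(n)]
    for (_, row, col), mark in zip(accesses, marks):
        table[row][col] = mark
    return table

def hit_count(table):
    return sum(row.count("h") for row in table)

def print_table(table):
    n = len(table)
    print("    " + "  ".join(str(c) for c in range(n)))
    for r, row in enumerate(table):
        print(f"{r:>2}  " + "  ".join(row))

if __name__ == "__main__":
    t = hit_miss_table()
    print_table(t)
    print("hits:", hit_count(t), "of", len(t) * len(t))
    # Same loop, larger blocks: shows how much the column-major walk
    # benefits from spatial locality once a block spans more of a row.
    print("hits with 4-byte blocks:", hit_count(hit_miss_table(block_bytes=4)))
```

Reading the grid row by row reproduces the table the exam asks for; changing block_bytes or num_sets shows how the same code's locality changes with geometry, which is the point of the question.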

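Problem 4 asks for every output the fork tree can produce, and part B asks how the count changes when line 10 becomes >=. The usual way to get this right is to write down each process's sequence of prints, forks and waits and then enumerate the legal interleavings (a waitpid can only complete after the named child has exited). The script below is an added example, not part of the exam: it transcribes the Problem 4 program into Python, rebuilds each process's event list by re-running the program with the fork results that lead to it (the program is deterministic given those results), and enumerates all schedulings. The PARENT marker, the "fork index + 1" encoding of the child pid, and the P0 / P0.0 / P0.0.1 process names are my own conventions.

```python
from functools import lru_cache

PARENT = "P"   # fork-plan marker: "this fork() returned the child's pid"

def program(fork_plan, ge_zero=False):
    """Transcription of the Problem 4 program into an event list.
    fork_plan[i] is what the i-th fork() in this process returns: 0 (we are
    the child) or PARENT; forks beyond the plan behave as the parent.
    ge_zero=True applies part B's change of line 10 from > to >=.
    Returns (events, plan_actually_used)."""
    events, plan, nforks = [], list(fork_plan), 0

    def fork():
        nonlocal nforks
        if nforks >= len(plan):
            plan.append(PARENT)
        role = plan[nforks]
        events.append(("fork", nforks))
        nforks += 1
        # Parent receives a nonzero pid; encode it as fork index + 1 so that
        # waitpid(pid, ...) maps back to the child created at that fork.
        return nforks if role == PARENT else 0

    counter, pid = 0, 0
    while counter < 4 and not (pid := fork()):            # lines 5-8
        counter += 2
        events.append(("print", str(counter)))
    if (counter >= 0) if ge_zero else (counter > 0):      # lines 10-12
        events.append(("print", str(counter)))
    if pid:                                               # lines 14-18
        events.append(("wait", pid - 1))
        counter += 3
        events.append(("print", str(counter)))
    return events, plan

def process_tree(ge_zero=False):
    """Map process name -> events it executes from the moment it exists.
    A child is reproduced by re-running the program with the parent's plan
    truncated at that fork and a 0 appended, then keeping only the events
    after the fork; its name is <parent>.<fork index>."""
    tree, todo = {}, [("P0", [], 0)]
    while todo:
        name, plan, start = todo.pop()
        events, used = program(plan, ge_zero)
        tree[name] = events[start:]
        for i in range(start, len(events)):
            kind, k = events[i]
            if kind == "fork":
                todo.append((f"{name}.{k}", used[:k] + [0], i + 1))
    return tree

def possible_outputs(tree):
    """Every string some scheduling of the processes can print. A print or
    fork may run whenever its process is alive; a wait is enabled only once
    the named child has exited; a process exits when it runs out of events."""
    def retire(live, exited):
        done = {n for n, pc in live.items() if pc >= len(tree[n])}
        return {n: pc for n, pc in live.items() if n not in done}, exited | done

    @lru_cache(maxsize=None)
    def rec(live_items, exited):
        live = dict(live_items)
        if not live:
            return frozenset({""})
        results = set()
        for name, pc in live.items():
            kind, arg = tree[name][pc]
            child = f"{name}.{arg}"
            if kind == "wait" and child not in exited:
                continue                      # blocked in waitpid, try others
            nxt = dict(live)
            nxt[name] = pc + 1
            if kind == "fork":
                nxt[child] = 0                # child starts at its first event
            out = arg if kind == "print" else ""
            nl, ex = retire(nxt, exited)
            results |= {out + rest for rest in rec(tuple(sorted(nl.items())), ex)}
        return frozenset(results)

    live, exited = retire({"P0": 0}, frozenset())
    return set(rec(tuple(sorted(live.items())), exited))

if __name__ == "__main__":
    for ge_zero in (False, True):
        outs = sorted(possible_outputs(process_tree(ge_zero)))
        print("line 10 uses", ">=" if ge_zero else ">", "->",
              len(outs), "outputs:", " ".join(outs))
```

Running it prints the full list for part A and the count for part B. The enumerator is generic over the event lists, so the same possible_outputs() works for any fork/waitpid program once it has been transcribed the way program() does it; the walrus in the while condition mirrors the C short-circuit on line 5 exactly.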