United States Naval Academy Electrical and Computer Engineering Department

EC310 Six Week Exam Fall 2015
October 1, 2015
United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 6 Week Midterm – Fall 2015
1. Do a page check: you should have 8 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes.
5. Turn in your single-sided hand-written page of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is
permitted concerning this exam with anyone who has not yet taken the exam.
Name:
___KEY_________________
Instructor:
____________________
Question 1. (29 pts)
A C program named funtimes.c begins:
#include<stdio.h>
int main( )
{
    char FavoriteGrade = 'A';
    int LuckyNumbers[2] = { 76 , 12 } ;
    <more code>
The program is paused immediately after executing the line
int LuckyNumbers[2] = { 76 , 12 } ;
but before executing the section that says <more code> . The stack for the program at this point in time is
shown below. Note specifically that the address for the character variable FavoriteGrade and the address
of the array LuckyNumbers are shown on the figure. In the figure below, the main memory addresses are
shown on the left (in hexadecimal).
[Figure: stack diagram of main memory, annotated with the answers to parts (a), (c) and (e)]
(a)
(5 pts) Annotate the diagram above to show the addresses for each of the next eight memory locations.
For each address, the first five hexadecimal digits are already filled in for you; you only need to indicate
the last three hexadecimal digits.
See picture above.
1 pt for address 79a following 799
1 pt for address 7a0 following 79f
0.5 pts for each of the other six entries
(b)
(2 pts) Why didn't the programmer state that the size of the array LuckyNumbers should be 3 in
order to allow space for the NULL terminator?
Answer: LuckyNumbers is not a string; it is an array of integers. There is no NULL
terminator for integer arrays. Use judgement on grading. No partial credit for blather.
(c)
(3 pts) Annotate the diagram above to show how the character FavoriteGrade is stored in memory.
Express all values in hexadecimal.
See picture above.
Deduct one point if the student indicates that the character is stored in four bytes.
Deduct one point if the student answer is 0x65
Otherwise, NPC
(d)
(2 pts) Show in the space below how the character FavoriteGrade is represented in binary.
Answer:
0100 0001
NPC
(e)
(7 pts) Annotate the diagram above to show how both values of the array LuckyNumbers are stored
in memory. Express all values in hexadecimal. In addition to annotating the diagram, show your work
below.
See picture above.
Give five points for correct conversion of 76
Give two points for correct conversion of 12
Deduct one point if answers are not little endian
Deduct one point if integers do not take four bytes
Deduct three points if no work is shown for converting 76 to hexadecimal.
No deduction (obviously!) if the mid does not indicate how he did the conversion of 12.
Returning to the C program, the section shown as <more code> is actually this:
LuckyNumbers[2] = 76 ;
printf("My favorite grade is %c\n " , FavoriteGrade );
Do not make any changes to your diagram on the previous page, since that diagram holds your answers
to questions (a) through (e)!!!
(f)
(7 pts) What is printed out by the printf statement in the box above? In the space below, explain
how you arrive at your answer (using, if helpful, the drawing of main memory shown below). (Do not
modify your picture on the previous page!)
Answer:
My favorite grade is L
Explanation: The base-10 value of 76 (0x4c) is placed in bffff79d. Printed out as a
character, this is 'L'.
Deduct 1 point for the answer: My favorite grade is v
Use judgement on grading. See picture below. No partial credit for nonsense answers.
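Added example (not part of the original exam): a small C model of the stack bytes that replays parts (c), (e) and (f) without relying on undefined behaviour. The two addresses are derived from the key's statement that the value 76 lands on bffff79d; the array mem and the helper names are made up for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses derived from the answer key: LuckyNumbers[2] lands on
   0xbffff79d, so the 4-byte-int array starts 8 bytes lower. */
#define ADDR_NUMS  0xbffff795u   /* LuckyNumbers[0] */
#define ADDR_GRADE 0xbffff79du   /* FavoriteGrade   */

static uint8_t mem[16];          /* models bytes ADDR_NUMS .. ADDR_NUMS + 15 */

uint8_t byte_at(uint32_t addr) { return mem[addr - ADDR_NUMS]; }

/* Address of LuckyNumbers[index]; like C itself, no bounds check. */
uint32_t elem_addr(int index) { return ADDR_NUMS + 4u * (uint32_t)index; }

/* Store a 32-bit int as x86 does: least significant byte at the lowest address. */
static void store_int(uint32_t addr, uint32_t value)
{
    for (int i = 0; i < 4; i++)
        mem[addr - ADDR_NUMS + i] = (uint8_t)(value >> (8 * i));
}

/* Replays the program's stores and returns the byte printf("%c") would read.
   with_more_code = 0 stops after the initialisers, 1 adds LuckyNumbers[2] = 76. */
char run_funtimes(int with_more_code)
{
    memset(mem, 0, sizeof mem);
    mem[ADDR_GRADE - ADDR_NUMS] = 'A';      /* 0x41, one byte */
    store_int(elem_addr(0), 76);            /* 4c 00 00 00 */
    store_int(elem_addr(1), 12);            /* 0c 00 00 00 */
    if (with_more_code)
        store_int(elem_addr(2), 76);        /* out of bounds: overwrites FavoriteGrade */
    return (char)byte_at(ADDR_GRADE);
}

int main(void)
{
    printf("before: %c\n", run_funtimes(0));
    printf("after:  %c\n", run_funtimes(1));
    for (uint32_t a = ADDR_NUMS; a < ADDR_NUMS + 12; a++)
        printf("0x%08x: 0x%02x\n", (unsigned)a, (unsigned)byte_at(a));
    return 0;
}
```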
(g)
(3 pts) In order to run your program named funtimes.c, you entered: ./a.out
Why did you have to execute the program a.out instead of just executing the program funtimes.c?
Answer:
We execute the compiled machine-language code, not the high-level language source
code. Mid must indicate that "the computer only understands machine language".
Otherwise NPC.
Question 2. (36 pts) Consider the C program named morefun.c shown below:
1.  #include<stdio.h>
2.  #include<string.h>
3.  int main( )
4.  {
5.      int start_val = 8 , number;
6.      int end_val = 14;
7.      char string1[ 8 ] = "Fun!";
8.      char string2[ 15 ] = "Cyber is fun!";
9.
10.     for( number = start_val ; number != end_val ; number = number + 2)
11.     {
12.         if( number != 8 )
13.         {
14.             printf( "%s\n" , string1 );
15.         }
16.         else
17.         {
18.             printf( "%s\n" , string2 );
19.         }
20.     }
21. }
(a)
(2 pts) What is the ASCII value of string1[ 3 ] ?
Answer: !
(NPC)
(b)
(3 pts) How many times will the for loop (lines 10-20) iterate?
Answer: 3 times
Deduct one point for the answer: 2 times
Deduct one point for the answer: 4 times
Otherwise NPC
(c)
(6 pts) What is the exact output of this C program?
Answer: In order:
Cyber is fun! (2 pts)
Fun! (2 pts)
Fun! (2 pts)
Deduct one point for every additional line of output.
Give full error-carried-forward credit if mid answered 2 times or 4 times for part(b) and
his output for this question matches his wrong part(b) answer.
(d)
(6 pts) Consider the variable declarations in the program above (lines 5 through 8). How many total
bytes are reserved for all of the variables used by this program?
Answer:
4 + 4 + 4 + 8 + 15 = 35 bytes
Deduct 1 point for each missing term.
Deduct one point for silly math error.
(e)
(2 pts) Of the C statements listed below, circle the two choices that if inserted as line 9 would cause a
buffer overflow.
(i) strcpy( string1 , "string2" ) ;
(ii) strcpy( string2 , string1 ) ;
(iii) strcpy( string1 , string2 ) ;
(iv) strcpy( string2 , "50 characters" ) ;
(v) strcpy( string2 , "Cyber for everyone!" ) ;
1 pt each. NPC. Give no pts if mid selects more than 2 choices.
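Added example (not part of the original exam): the size check that strcpy never performs, applied to the five candidate statements and the buffer sizes declared in morefun.c. The struct, overflows() and checked_copy() are hypothetical names introduced for this illustration; sources that are arrays are represented by their contents.

```c
#include <stdio.h>
#include <string.h>

#define STRING1_SIZE 8     /* char string1[ 8 ]  = "Fun!";          */
#define STRING2_SIZE 15    /* char string2[ 15 ] = "Cyber is fun!"; */

struct choice { const char *label; size_t dst_size; const char *src; };

/* The five candidate statements for line 9. */
static const struct choice choices[5] = {
    { "(i)",   STRING1_SIZE, "string2" },            /* a literal, not the array */
    { "(ii)",  STRING2_SIZE, "Fun!" },               /* contents of string1 */
    { "(iii)", STRING1_SIZE, "Cyber is fun!" },      /* contents of string2 */
    { "(iv)",  STRING2_SIZE, "50 characters" },
    { "(v)",   STRING2_SIZE, "Cyber for everyone!" },
};

/* strcpy() writes every character of src plus the terminating NUL. */
size_t bytes_written(const char *src) { return strlen(src) + 1; }

/* 1 if candidate n (0-based) would write past the end of its destination. */
int overflows(int n) { return bytes_written(choices[n].src) > choices[n].dst_size; }

/* Bounded copy: refuses instead of writing past dst.
   Returns 0 on success, -1 if src and its NUL do not fit. */
int checked_copy(char *dst, size_t dst_size, const char *src)
{
    size_t need = bytes_written(src);
    if (need > dst_size)
        return -1;
    memcpy(dst, src, need);
    return 0;
}

int main(void)
{
    for (int n = 0; n < 5; n++) {
        char dst[STRING2_SIZE];   /* large enough for either destination */
        int rc = checked_copy(dst, choices[n].dst_size, choices[n].src);
        printf("%-5s needs %2zu of %2zu bytes: %s\n", choices[n].label,
               bytes_written(choices[n].src), choices[n].dst_size,
               rc == 0 ? "fits" : "refused (would overflow)");
    }
    return 0;
}
```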
You compile and run morefun.c with gdb and examine the debugger's partial output, shown below.
(f)
(2 pts) Where (physically) is the esp register (i.e., the stack pointer)? (Circle one choice)
In the C program
In the operating system
In the CPU hardware
In main memory
NPC
(g)
(2 pts) What is the address of the most recent assembly language instruction that has already executed?
Answer:
0x0804838b
Deduct one point for 0x8048392
(h)
(5 pts) What is the address where the variable end_val is stored in memory? Your answer should be
an address expressed as eight hexadecimal digits. Briefly explain your answer.
Answer:
0xe is stored into the address ebp-20. Since ebp is 0xbffff828, end_val
is stored at address 0xbffff828 – 0x14 = 0xbffff814
Deduct one point for the answer 0xbffff808
(i)
(8 pts) Suppose the following four lines of code were inserted between lines 20 and 21 in the program
on the previous page:
char *string3 ;
string3 = string2 + 3;
strcpy( string3 , "Navy!" );
printf( "%s\n" , string2 );
What would be printed to the monitor by the final printf statement? Explain your answer, using a
brief sketch if helpful.
Answer:
CybNavy!
Deduct one point for the answer: CybeNavy!
Deduct one point for the answer: CyNavy!
Question 3. (20 pts) Consider the program below, named AutoFry.c
#include<stdio.h>
int main( )
{
    int days_restriction = 60;
    int fry_level = 6000;
    char offender_name[ 20 ];
    int tours = 30;
    printf( "Enter offender’s last name: ");
    scanf( "%s" , offender_name );
    printf("\n MIDN %s is awarded %d days restriction and %d tours \n"
           ,offender_name, days_restriction, tours);
}
Assume that no padding (extra space) is created when variables are loaded on the stack.
(a)
(10 pts) If an enterprising midshipman wants to use a buffer overflow attack to completely overwrite the
value of the variable days_restriction, what is the minimum number of characters he would have
to enter when prompted? Justify your reasoning by including a diagram of the program stack.
Answer:
20 + 4 + 3 = 27
Deduct three points for each missing term.
Deduct two points for any extraneous term.
Deduct one point for the answer: 28 (with the mid answering: 20 + 4 + 4)
(b)
(5 pts) Is it possible to change the value of the variable named tours by performing a buffer overflow
attack (i.e. by entering characters when prompted)? Why or why not? Justify your reasoning.
Answer:
No (2 pts)
Reason (3 pts): Words to the effect: "tours is higher on the stack, so it cannot
be overwritten by a buffer overflow on offender_name"
(c)
(5 pts) What is the fundamental issue with the C programming language that makes a buffer overflow
exploit possible? (Your answer should be limited to a sentence or two.)
Answer: Use judgement on grading. Answer should be along the lines of:
C programs do not automatically check to make sure they are not writing beyond the memory
allotted for an array.
or
C compilers do not prevent users from writing beyond the bounds of an array.
Question 4. (15 pts) Consider the program shown below:
#include<stdio.h>
void happytimes( int x , int y )
{
    char alpha_code[ 7 ];
    printf("\nEnter your alpha code:" );
    scanf("%s" , alpha_code );
    printf("\nYour alpha code is: %s\n" , alpha_code );
}
int main( )
{
    int a = 32;
    int b = 21;
    happytimes( a , b );
}
The program above is run up to the point immediately before the function named happytimes is called.
The debugger output shown below is produced.
(a)
(10 pts) What two addresses are saved on the stack prior to jumping to the function, and what is the
order in which they are stored? Your answers for the values of the two addresses should be expressed in
hexadecimal. Indicate the correct order by drawing one of the addresses above the other on a simple
picture of the stack that displays just these two values.
Answer:
0x0804841e (Give 4 pts for the correct return address for eip) first and then
0xbffff828 (Give 4 pts for the correct saved value of ebp) above the return address.
Give two points if in correct order. 10 points total.
(b)
(5 pts) How many characters would the user need to enter when prompted to enter their alpha code in
order to completely overwrite the saved value of the base pointer? Show work.
Answer:
7 + 3 = 10
Give error carried forward if the midshipman was already penalized for putting the
return address above the ebp in part (a)
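Added example (not part of the original exam): the byte accounting behind the answers to Question 3(a) and Question 4(b), followed by the width-limited read that keeps the input inside the buffer. The region tables are an assumed model of the two stack frames with no padding, as the exam stipulates, and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stack regions listed from the input buffer toward higher addresses, with no
   padding (the exam's assumption). tours is absent: per the key it sits on the
   other side of offender_name, where the copy never reaches. */
struct region { const char *name; size_t size; };

static const struct region autofry[] = {
    { "offender_name", 20 }, { "fry_level", 4 }, { "days_restriction", 4 } };
static const struct region happytimes[] = {
    { "alpha_code", 7 }, { "saved ebp", 4 }, { "return address", 4 } };

/* scanf("%s") stores the typed characters plus one NUL, starting at the buffer.
   Returns 1 if every byte of region f[target] is written by that store. */
int fully_overwritten(const struct region *f, size_t target, size_t typed)
{
    size_t start = 0;                        /* offset of f[target] from the buffer */
    for (size_t i = 0; i < target; i++)
        start += f[i].size;
    size_t last_written = typed;             /* offset of the NUL byte */
    return last_written >= start + f[target].size - 1;
}

/* Smallest number of typed characters that fully overwrites f[target]. */
size_t min_chars(const struct region *f, size_t target)
{
    size_t typed = 0;
    while (!fully_overwritten(f, target, typed))
        typed++;
    return typed;
}

/* Hardened read: a field width of sizeof(buffer) - 1 leaves room for the NUL. */
size_t bounded_read(const char *input, char name[20])
{
    name[0] = '\0';
    sscanf(input, "%19s", name);
    return strlen(name);
}

int main(void)
{
    char name[20];
    printf("AutoFry: %zu chars cover %s\n", min_chars(autofry, 2), autofry[2].name);
    printf("happytimes: %zu chars cover %s\n", min_chars(happytimes, 1), happytimes[1].name);
    printf("%%19s keeps %zu of 27 typed chars\n",
           bounded_read("AAAAAAAAA" "AAAAAAAAA" "AAAAAAAAA", name));  /* constructed input */
    return 0;
}
```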
Turn in your equation sheet with your exam!