EC310 Six Week Exam Spring 2016
18 February 2016

United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 6 Week Midterm – Spring 2016

1. Do a page check: you should have 10 pages including this cover sheet.
2. You have 50 minutes to complete this exam.
3. A calculator may be used for this exam.
4. This is a closed book and closed notes exam.
5. You may use one single-sided hand-written page of notes. Turn in your single-sided hand-written page of notes with your exam.
6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: ____________________ Instructor: ____________________

Question 1. (31 pts)

Consider the beginning of a C program named program.c shown below:

    1  #include<stdio.h>
    2  #include<string.h>
    3  int main( )
    4  {
    5      int LuckyNumbers[2] = { 17 , 14 } ;
    6      char Initials[3] = "AB";
    7
    8      <more code>

The program is paused at line 7. The stack for the program at this point in time is shown below, where the addresses are shown on the left (in hexadecimal). Note specifically that the location for the string Initials and the address of the array LuckyNumbers are shown on the figure.

    bffff495      Initials
    bffff496
    bffff497
    bffff498      LuckyNumbers
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _
    bffff_ _ _

(a) (2 pts) During runtime (during execution), where is the program stored? (circle one):

    In the Operating System    In the CPU    In Main memory    In Secondary memory

(b) (2 pts) Convert the hexadecimal value 0xb5 to binary.

Answer:

(c) (5 pts) Annotate the diagram above to show the addresses for each of the next eight locations. (The first five hexadecimal digits are already filled in for you; you only need to indicate the last three hexadecimal digits.)
(d) (2 pts) Why did the programmer state that the size of the array Initials should be 3 when the array only holds two characters?

Answer:

(e) (3 pts) Annotate the diagram above to show how each of the characters in Initials is stored. Express all values in hexadecimal.

(f) (6 pts) Annotate the diagram above to show how both values of the array LuckyNumbers are stored. Express all values in hexadecimal. In addition to annotating the diagram, show your work below.

(g) (1 pt) If your diagram above still has blank locations, write "gar" in all of the blank locations to indicate garbage values.

Returning to the C program, the section shown as <more code> is actually this:

    strcpy( Initials, "MIDN" ) ;
    printf("\n %d \n" , LuckyNumbers[0] );

Do not make any changes to your diagram on the previous page, since that diagram holds your answers to questions (c) through (g)!!!

(h) (4 pts) What is printed out by the printf statement in the box above? In the space below, explain how you arrive at your answer (using, if helpful, the drawing of main memory shown below). (Do not modify your picture on the previous page!)

Answer:

[Blank drawing of main memory, with the locations Initials and LuckyNumbers labeled]

(i) (4 pts) In order to run program.c you entered:

    ./a.out

Why did you have to execute the program a.out instead of just the program program.c?

Answer:

(j) (2 pts) After you save the program and turn off the computer, where is the program stored? (circle one):

    In the Operating System    In the CPU    In Main memory    In Secondary memory

Question 2. (32 pts)

Consider the C program shown below:
     1  #include<stdio.h>
     2  #include<string.h>
     3  int main( )
     4  {
     5      char string1[ 10 ] = "EC310";
     6      char string2[ 10 ] = "Cyber II!";
     7      int start_value = 7;
     8      int end_value = 20;
     9      int counter;
    10
    11      for( counter = start_value ; counter <= end_value ; counter = counter + 3)
    12      {
    13          if( counter != 13 )
    14          {
    15              printf( "%s\n" , string2 );
    16          }
    17          else
    18          {
    19              printf( "%s\n" , string1 );
    20          }
    21      }
    22  }

(a) (6 pts) Consider the variable declarations in the program above (lines 5 through 9). How many total bytes are reserved for all of the variables used by this program? Show work for your calculation.

Answer:

(b) (2 pts) If the program is executed but stopped at line 10, what will be the value of the variable counter? (Circle one choice)

    0    1    the same value as start_value    a garbage value

(c) (3 pts) How many times will the for loop (lines 11-21) iterate?

Answer:

(d) (5 pts) What is the exact output of this program?

Answer:

You compile and run the program from the start with gdb, pause at a given line (you set a breakpoint), and examine the debugger's partial output shown below.

(e) (2 pts) Where, physically, are the esp, ebp and eip registers stored? (Circle one choice)

    In the C program    In the operating system    In the CPU hardware    In main memory

(f) (2 pts) What is the assembly language of the next instruction to be executed?

Answer:

(g) (6 pts) At what address on the text segment is the instruction that most closely corresponds to line 7 in the source code? Express your address in hexadecimal. Briefly explain your answer.

Answer:

(h) (6 pts) At what address on the stack is the variable end_value stored? You may express your answer in relation to a register. Briefly explain your answer.

Answer:

Question 3.
(15 pts) Consider the program below, where the student is expected to enter his or her 6-character alpha code as a command line argument as follows:

    ./a.out 123456 <enter>

    #include <stdio.h>
    #include <string.h>
    #include <stdlib.h>   /* malloc, free */

    int main (int argc, char *argv[] )
    {
        int size = 10;
        char buffer[size];
        char *ptr;
        ptr = (char*) malloc(size);
        strcpy (ptr , argv[1]);
        buffer[0] = 'm';
        strcpy (buffer+1 , ptr);
        printf("\n Your alpha code is: %s \n" , ptr);
        printf("\n Your username is: %s \n" , buffer);
        free( ptr );
    }

(a) (6 pts) From the code above you can infer the programmer is using the heap. Which of the following statements is/are true of the heap in general? (circle all that apply)

    (i)   the heap is located below the text segment
    (ii)  the heap, like the stack, grows from the bottom up (from higher address to lower address)
    (iii) the programmer is responsible for managing the heap
    (iv)  the heap can only hold character type values
    (v)   the heap should not be used to store arrays of unknown size
    (vi)  the heap is located above the stack

(b) (3 pts) From the code above you can infer that ptr holds a value. What does the value of ptr represent? Select one of the choices below.

    (i)   the character 'm'
    (ii)  the address of the top of the heap
    (iii) the same character stored in variable buffer[1]
    (iv)  the string argv[1]
    (v)   a garbage value since it was never initialized

(c) (6 pts) A closer look at the code reveals a buffer overflow attack can be performed by the user. Assuming you cannot modify the code, what is the maximum number of characters entered as a command line argument that would avoid a buffer overflow on the stack? Explain your answer, using a brief sketch if helpful.

Answer:

Question 4.
(22 pts) Consider the program shown below:

     1  #include<stdio.h>
     2  void avg_dis( float x , float y )
     3  {
     4      char namebuffer[ 10 ];
     5      float avg;
     6      avg = ( x + y ) / 2;
     7      printf("\nEnter your name:" );
     8      scanf("%s" , namebuffer );
     9      printf("\n %s the average is: %f\n" , namebuffer , avg );
    10  }
    11  int main( )
    12  {
    13      float a;
    14      float b;
    15      printf("\nEnter two numbers:" );
    16      scanf("%f %f", &a , &b);
    17      avg_dis ( a , b );
    18  }

(a) (2 pts) How many functions are in this program?

Answer:

Using gdb the debugger output shown below is produced.

(b) (2 pts) A breakpoint is set to line 17 and the program is executed up to that breakpoint. What would be displayed if we entered the command i r eip?

Answer:

(c) (4 pts) When executing the function, the stack would be arranged similarly to the diagram below. Note that the diagram is not to scale, where spaces may hold multiple bytes. What two addresses are saved on the stack prior to jumping to the function and in what order are they stored? Express the addresses in hexadecimal and in the correct order in the empty spaces provided in the diagram below.

Answer:

[Stack diagram with empty spaces; labels, in the order they appear: avg, namebuffer, avg_dis arguments, b, a]

Now, executing the program again without gdb, assume a malicious user wants to exploit the program.

(d) (7 pts) When prompted to enter their name, how many characters would a user need to enter in order to overwrite the least significant byte (LSB) on the stack of variable a declared in line 13 in main? Show work.
Answer:

(e) (3 pts) True or False: It is not possible to change the value of the variable named avg declared in the function by performing a buffer overflow attack since it was declared last and therefore would be placed higher on the stack than namebuffer, and memory is overwritten downward (from lower address to higher address) during a buffer overflow.

Circle one:    TRUE    FALSE

(f) (4 pts) What is the fundamental issue with the C programming language that makes a buffer overflow exploit possible? (Your answer should be limited to a sentence or two.)

Answer:

Turn in your equation sheet with your exam!