EC310 Six Week Exam Spring 2016
18 February 2016

United States Naval Academy
Electrical and Computer Engineering Department
EC310 - 6 Week Midterm – Spring 2016

Do a page check: you should have 10 pages including this cover sheet. You have 50 minutes to complete this exam. A calculator may be used for this exam. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes. Turn in your single-sided hand-written page of notes with your exam. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is permitted concerning this exam with anyone who has not yet taken the exam.

Name: SOLUTIONS
Instructor: ____________________

Question 1. (31 pts)

Consider the beginning of a C program named program.c shown below:

    1  #include<stdio.h>
    2  #include<string.h>
    3  int main( )
    4  {
    5      int LuckyNumbers[2] = { 17 , 14 } ;
    6      char Initials[3] = "AB";
    7      <more code>
    8

The program is paused at line 7. The stack for the program at this point in time is shown below, where the addresses are shown on the left (in hexadecimal). Note specifically that the location for the string Initials and the address of the array LuckyNumbers are shown on the figure.

    Address     Value
    bffff495    0x41    <- Initials
    bffff496    0x42
    bffff497    null
    bffff498    0x11    <- LuckyNumbers
    bffff499    0x00
    bffff49a    0x00
    bffff49b    0x00
    bffff49c    0x0E
    bffff49d    0x00
    bffff49e    0x00
    bffff49f    0x00
    bffff4a0    gar

(a) (2 pts) During runtime (during execution), where is the program stored? (circle one):

    In the Operating System    In the CPU    In Main memory    In Secondary memory

(b) (2 pts) Convert the hexadecimal value 0xb5 to binary.

Answer: 0xb5 = 1011 0101

(c) (5 pts) Annotate the diagram above to show the addresses for each of the next eight locations.
(The first five hexadecimal digits are already filled in for you; you only need to indicate the last three hexadecimal digits.)

See diagram above.

(d) (2 pts) Why did the programmer state that the size of the array Initials should be 3 when the array only holds two characters?

Answer: To allow space for the null.

(e) (3 pts) Annotate the diagram above to show how each of the characters in Initials is stored. Express all values in hexadecimal.

See diagram above.

(f) (6 pts) Annotate the diagram above to show how both values of the array LuckyNumbers are stored. Express all values in hexadecimal. In addition to annotating the diagram, show your work below.

See diagram above.

(g) (1 pt) If your diagram above still has blank locations, write "gar" in all of the blank locations to indicate garbage values.

See diagram above.

Returning to the C program, the section shown as <more code> is actually this:

    strcpy( Initials, "MIDN" ) ;
    printf("\n %d \n" , LuckyNumbers[0] );

Do not make any changes to your diagram on the previous page, since that diagram holds your answers to questions (c) through (g)!!!

(h) (4 pts) What is printed out by the printf statement in the box above? In the space below, explain how you arrive at your answer (using, if helpful, the drawing of main memory shown below). (Do not modify your picture on the previous page!)

Answer: 78

    M       0x4D    <- Initials
    I       0x49
    D       0x44
    N       0x4E    <- LuckyNumbers
    null    null
            0x00
            0x00
            0x0E
            0x00
            0x00
            0x00
            gar

(i) (4 pts) In order to run program.c you entered:

    ./a.out

Why did you have to execute the program a.out instead of just the program program.c?

Answer: a.out is the machine language code which the computer understands and is able to execute. The code program1.c is in C language, a high-level language which the computer does not understand.

(j) (2 pts) After you save the program and turn off the computer, where is the program stored?
(circle one):

    In the Operating System    In the CPU    In Main memory    In Secondary memory

Question 2. (32 pts)

Consider the C program shown below:

     1  #include<stdio.h>
     2  #include<string.h>
     3  int main( )
     4  {
     5      char string1[ 10 ] = "EC310";
     6      char string2[ 10 ] = "Cyber II!";
     7      int start_value = 7;
     8      int end_value = 20;
     9      int counter;
    10
    11      for( counter = start_value ; counter <= end_value ; counter = counter + 3)
    12      {
    13          if( counter != 13 )
    14          {
    15              printf( "%s\n" , string2 );
    16          }
    17          else
    18          {
    19              printf( "%s\n" , string1 );
    20          }
    21      }
    22  }

(a) (6 pts) Consider the variable declarations in the program above (lines 5 through 9). How many total bytes are reserved for all of the variables used by this program? Show work for your calculation.

Answer: 10 + 10 + 4 + 4 + 4 = 32 bytes

(b) (2 pts) If the program is executed but stopped at line 10, what will be the value of the variable counter? (Circle one choice)

    0    1    the same value as start_value    a garbage value

(c) (3 pts) How many times will the for loop (lines 11-21) iterate?

Answer: 5 times. (counter = 7, 10, 13, 16, 19, 22)

(d) (5 pts) What is the exact output of this program?

Answer:

    Cyber II!
    Cyber II!
    EC310
    Cyber II!
    Cyber II!

You compile and run the program from the start with gdb, pause at a given line (you set a breakpoint), and examine the debugger's partial output shown below.

(e) (2 pts) Where, physically, are the esp, ebp and eip registers stored? (Circle one choice)

    In the C program    In the operating system    In main memory    In the CPU hardware

(f) (2 pts) What is the assembly language of the next instruction to be executed?

Answer: mov eax,DWORD PTR [ebp-44]

(g) (6 pts) At what address on the text segment is the instruction that most closely corresponds to line 7 in the source code? Express your address in hexadecimal.
Briefly explain your answer.

Answer: 0x080483b9. Line 7 in the source code assigns the value 7 to variable start_value. Assembly language at address 0x080483b9 is the only place where the value 7 is stored in memory.

(h) (6 pts) At what address on the stack is the variable end_value stored? You may express your answer in relation to a register. Briefly explain your answer.

Answer: 0xbffff7e8 or ebp-48. Address 0x080483c0 in the text segment shows value 20 (0x14) being stored in memory address given by ebp-48.

Question 3. (15 pts)

Consider the program below, where the student is expected to enter his or her 6-character alpha code as a command line argument as such

    ./a.out 123456 <enter>

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    int main (int argc, char *argv[] )
    {
        int size = 10;
        char buffer[size];
        char *ptr;
        ptr = (char*) malloc(size);
        strcpy (ptr , argv[1]);
        buffer[0] = 'm';
        strcpy (buffer+1 , ptr);
        printf("\n Your alpha code is: %s \n" , ptr);
        printf("\n Your username is: %s \n" , buffer);
        free( ptr );
    }

(a) (6 pts) From the code above you can infer the programmer is using the heap. Which of the following statements is/are true of the heap in general? (circle all that apply)

    (i) the heap is located below the text segment
    (ii) the heap, like the stack, grows from the bottom up (from higher address to lower address)
    (iii) the programmer is responsible for managing the heap
    (iv) the heap can only hold character type values
    (v) the heap should not be used to store arrays of unknown size
    (vi) the heap is located above the stack

(b) (3 pts) From the code above you can infer that ptr holds a value. What does the value of ptr represent? Select one of the choices below.
    (i) the character 'm'
    (ii) the address of the top of the heap
    (iii) the same character stored in variable buffer[1]
    (iv) the string argv[1]
    (v) a garbage value since it was never initialized

(c) (6 pts) A closer look at the code reveals a buffer overflow attack can be performed by the user. Assuming you cannot modify the code, what is the maximum number of characters entered as a command line argument that would avoid a buffer overflow on the stack? Explain your answer, using a brief sketch if helpful.

Answer: Maximum of 8 characters for argv[1] since buffer[0] has the letter m and buffer[9] is for the null. Any more characters would go beyond the bounds of the array.

    buffer[0] = 'm'
    buffer[1]
    …
    buffer[9] = null
    (size = 10)

Question 4. (22 pts)

Consider the program shown below:

     1  #include<stdio.h>
     2  void avg_dis( float x , float y )
     3  {
     4      char namebuffer[ 10 ];
     5      float avg;
     6      avg = ( x + y ) / 2;
     7      printf("\nEnter your name:" );
     8      scanf("%s" , namebuffer );
     9      printf("\n %s the average is: %f\n" , namebuffer , avg );
    10  }
    11  int main( )
    12  {
    13      float a;
    14      float b;
    15      printf("\nEnter two numbers:" );
    16      scanf("%f %f", &a , &b);
    17      avg_dis ( a , b );
    18  }

(a) (2 pts) How many functions are in this program?

Answer: Two, (main and avg_dis).

Using gdb the debugger output shown below is produced.

(b) (2 pts) A breakpoint is set to line 17 and the program is executed up to that breakpoint. What would be displayed if we entered the command i r eip?

Answer: 0x08048449

(c) (4 pts) When executing the function, the stack would be arranged similarly to the diagram below. Note that the diagram is not to scale, where spaces may hold multiple bytes. What two addresses are saved on the stack prior to jumping to the function and in what order are they stored?
Express the addresses in hexadecimal and in the correct order in the empty spaces provided in the diagram below.

Answer:

    avg
    namebuffer
    0xbffff818
    0x0804844e
    avg_dis arguments
    b
    a

Now, executing the program again without gdb, assume a malicious user wants to exploit the program.

(d) (7 pts) When prompted to enter their name, how many characters would a user need to enter in order to overwrite the least significant byte (LSB) on the stack of variable a declared in line 13 in main? Show work.

Answer:

    namebuffer[0]
    …
    namebuffer[9]
    prior ebp
    return address
    a
    b
    b
    a

10 + 4 + 4 + 4 + 4 + 4 = 30 characters. The NULL will overwrite the first byte of int a listed in the main’s variables.

(e) (3 pts) True or False: It is not possible to change the value of the variable named avg declared in the function by performing a buffer overflow attack since it was declared last and therefore would be placed higher on the stack than namebuffer, and memory is overwritten downward (from lower address to higher address) during a buffer overflow.

Circle one:    TRUE    FALSE

(f) (4 pts) What is the fundamental issue with the C programming language that makes a buffer overflow exploit possible? (Your answer should be limited to a sentence or two.)

Answer: C compilers do not prevent programs from accessing memory outside the bounds of an array.

Turn in your equation sheet with your exam!
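
The overflow arithmetic in Questions 1(h) and 4(d), worked as an added example that is not part of the original exam: a flat byte array stands in for the stack so every write stays inside the model, and the unchecked copy that strcpy and scanf("%s") perform is set beside a bounded copy that stops at the buffer's size. The function names, the 0xAA fill value and the 30-character sample name are constructed for illustration; the layout offsets follow the solution's sketch and assume no padding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the Question 4 sketch: byte offsets from namebuffer[0], no padding. */
enum { NAMEBUF = 0, NAMEBUF_LEN = 10, PRIOR_EBP = 10, RET_ADDR = 14,
       ARG_A = 18, ARG_B = 22, MAIN_B = 26, MAIN_A = 30, FRAME_LEN = 34 };

/* Like strcpy or scanf("%s"): ignores the destination's size (clamped to the model array only). */
static void unchecked_copy(uint8_t *mem, size_t mem_len, size_t dst, const char *src)
{
    size_t n = strlen(src) + 1, room = mem_len - dst;   /* characters plus the null */
    memcpy(mem + dst, src, n < room ? n : room);
}

/* Hardened form: writes at most cap bytes, always terminates, returns 1 on truncation. */
static int bounded_copy(uint8_t *mem, size_t dst, size_t cap, const char *src)
{
    size_t len = strlen(src), n = len < cap ? len : cap - 1;
    if (cap == 0) return 1;
    memcpy(mem + dst, src, n);
    mem[dst + n] = '\0';
    return len >= cap;
}

/* Question 1(h): Initials[3] at offset 0, little-endian LuckyNumbers[0] at offset 3. */
static uint32_t lucky0_after_copy(const char *src)
{
    uint8_t mem[11] = { 'A', 'B', 0, 0x11, 0, 0, 0, 0x0E, 0, 0, 0 };
    unchecked_copy(mem, sizeof mem, 0, src);
    return mem[3] | (uint32_t)mem[4] << 8 | (uint32_t)mem[5] << 16 | (uint32_t)mem[6] << 24;
}

/* Question 4(d): enter name into a frame filled with 0xAA, return the byte left at offset. */
static uint8_t q4_frame_byte(const char *name, int bounded, size_t offset)
{
    uint8_t frame[FRAME_LEN];
    memset(frame, 0xAA, sizeof frame);
    if (bounded) bounded_copy(frame, NAMEBUF, NAMEBUF_LEN, name);
    else unchecked_copy(frame, sizeof frame, NAMEBUF, name);
    return frame[offset];
}

int main(void)
{
    const char *name30 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123"; /* constructed, 30 characters */
    printf("LuckyNumbers[0] after MIDN: %u\n", (unsigned)lucky0_after_copy("MIDN"));
    printf("LSB of a, unchecked: 0x%02X\n", (unsigned)q4_frame_byte(name30, 0, MAIN_A));
    printf("LSB of a, bounded:   0x%02X\n", (unsigned)q4_frame_byte(name30, 1, MAIN_A));
}
```

With the bounded copy the saved ebp, return address and main's variables keep their fill value, which is the property the unchecked calls in the exam programs lack.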