Answer each of the following questions. This exam is open-book and open-notes, but you may use only resources that were created before this exam was released (at 9pm eastern time on 12 May 2021). You may not collaborate with other students.
Please show your work for questions in the comments field where applicable so we are able to give you partial credit.
If you think a question is ambiguous or unclear, please make your best guess about what was meant and explain what you did in the comments field for the question. We are unlikely to be able to answer your inquiries during the exam time.
Some viruses infect executables by compressing the original executable and creating a wrapper that runs the virus code, then decompresses and runs the executable.
Which of the following antivirus techniques likely motivated this virus design? Select all that apply.
One potential technique for viruses to infect executable files is to scan for the machine code that corresponds to a call instruction and replace it with a call to inserted virus code.
In x86-64, one encoding of the call instruction consists of the opcode byte E8 (hexadecimal) followed by a 32-bit signed offset from the address of the first byte of the instruction following the call. So one way a virus could apply this scheme would be to search the executable for an E8 byte followed by a 32-bit signed number that would make the destination address remain within the executable. It would then replace that instruction with a call to virus code.
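Added example, not part of the original exam: decoding the E8 rel32 encoding described above and comparing one call site between a known-good copy and a suspect copy of a binary, as an integrity check. The byte strings are the two objdump lines quoted in a later question on this page, the segment bounds are the r-x LOAD entry from the program headers shown further down, and the function names are hypothetical.

```python
import struct

# Bounds of the r-x LOAD segment in the program headers shown on this page.
TEXT_VADDR = 0x401000
TEXT_MEMSZ = 0x9375D


def decode_call_rel32(insn: bytes, addr: int):
    """Destination of an E8 rel32 call at virtual address addr, or None."""
    if len(insn) < 5 or insn[0] != 0xE8:
        return None
    (rel,) = struct.unpack_from("<i", insn, 1)  # 32-bit signed, little-endian
    # The offset is relative to the first byte after the 5-byte instruction.
    return (addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def in_text_segment(vaddr: int) -> bool:
    """True if vaddr lies inside the executable (r-x) LOAD segment."""
    return TEXT_VADDR <= vaddr < TEXT_VADDR + TEXT_MEMSZ


def compare_call_site(baseline: bytes, suspect: bytes, addr: int) -> dict:
    """Compare the same call site in a known-good and a suspect copy."""
    old = decode_call_rel32(baseline, addr)
    new = decode_call_rel32(suspect, addr)
    return {
        "addr": addr,
        "baseline_target": old,
        "suspect_target": new,
        "redirected": old != new,
        "suspect_target_in_text": new is not None and in_text_segment(new),
    }


if __name__ == "__main__":
    # Instruction bytes taken from the two objdump lines on this page.
    report = compare_call_site(
        bytes.fromhex("e8d7ffffff"), bytes.fromhex("e840410000"), 0x401D59
    )
    for key, value in report.items():
        shown = hex(value) if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key}: {shown}")
```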
Which of the following are true about the scheme proposed above for finding and replacing x86-64 call instructions? Select all that apply.
Suppose a virus replaced a call instruction located 0x1d59 bytes from the beginning of an executable that appears in objdump disassembly output like:
401d59: e8 d7 ff ff ff callq 401d35
with a call to the virus code that appears in objdump output as follows:
401d59: e8 40 41 00 00 callq 405e9e
What would be an appropriate instruction or instructions to add to the end of the virus code to allow the executable to appear to run with minimal disruption?
Viruses that append their virus code to an executable can often be detected based on changes made to the list of segments in an executable's headers.
Consider the following executable headers:
    a.out: file format elf64-x86-64
    a.out
    architecture: i386:x86-64, flags 0x00000112:
    EXEC_P, HAS_SYMS, D_PAGED
    start address 0x0000000000401c10

    Program Header:
        LOAD off 0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**12
             filesz 0x0000000000000518 memsz 0x0000000000000518 flags r--
        LOAD off 0x0000000000001000 vaddr 0x0000000000401000 paddr 0x0000000000401000 align 2**12
             filesz 0x000000000009375d memsz 0x000000000009375d flags r-x
        LOAD off 0x0000000000095000 vaddr 0x0000000000495000 paddr 0x0000000000495000 align 2**12
             filesz 0x0000000000026650 memsz 0x0000000000026650 flags r--
        LOAD off 0x00000000000bc0c0 vaddr 0x00000000004bd0c0 paddr 0x00000000004bd0c0 align 2**12
             filesz 0x0000000000005170 memsz 0x00000000000068c0 flags rw-
        NOTE off 0x0000000000000270 vaddr 0x0000000000400270 paddr 0x0000000000400270 align 2**3
             filesz 0x0000000000000020 memsz 0x0000000000000020 flags r--
        NOTE off 0x0000000000000290 vaddr 0x0000000000400290 paddr 0x0000000000400290 align 2**2
             filesz 0x0000000000000044 memsz 0x0000000000000044 flags r--
        TLS off 0x00000000000bc0c0 vaddr 0x00000000004bd0c0 paddr 0x00000000004bd0c0 align 2**3
             filesz 0x0000000000000020 memsz 0x0000000000000060 flags r--
        0x6474e553 off 0x0000000000000270 vaddr 0x0000000000400270 paddr 0x0000000000400270 align 2**3
             filesz 0x0000000000000020 memsz 0x0000000000000020 flags r--
        STACK off 0x0000000000000000 vaddr 0x0000000000000000 paddr 0x0000000000000000 align 2**4
             filesz 0x0000000000000000 memsz 0x0000000000000000 flags rw-
        RELRO off 0x00000000000bc0c0 vaddr 0x00000000004bd0c0 paddr 0x00000000004bd0c0 align 2**0
             filesz 0x0000000000002f40 memsz 0x0000000000002f40 flags r--
Briefly describe what would likely be changed in the headers shown above if a virus appended its code to the end of this executable. Assume that the appended virus code is larger than 1 page (4096 bytes) in size.
To evade pattern-based detection and analysis, malware frequently "encrypts" most of its code and includes a randomized decryption routine that decrypts and runs the code.
A frequently proposed solution for antimalware software or analysts to obtain the decrypted code is to run the malware in an emulator, and stop when the malware starts running machine code that it wrote while running. Then, one would examine the memory managed by the emulator for the decrypted code. Briefly explain a way that malware could defeat this automated scheme.
Some self-replicating malware tries to evade signature-based detection by performing a machine code to machine code transformation as part of its replication process. One possible transformation is to introduce additional operations that have no useful effects in between instructions.
One idea to detect this transformation is to ignore nop instructions and instructions that do not change any values in memory or registers (e.g. add $0, %rax or jmp foo; foo:) when doing pattern matching.
Give an example of how malware could use this strategy of inserting additional useless instructions between its instructions but evade this countermeasure.
To implement this transformation, the malware must make some adjustments to deal with jumps and calls within the malware code. Suppose a jump instruction is encoded using a relative offset. Which of the following information would alone be sufficient for the malware to produce a correct jump instruction in the new machine code? Select all that apply.
Which of the following techniques are likely to make it more difficult to set breakpoints and, when those breakpoints are reached, get a useful call stack trace of some malware in a debugger? Select all that apply.
Consider a dynamic taint tracking scheme that executes a program by annotating each value in a running program with a flag about whether it is "tainted". When a tainted value is used in arithmetic to compute another value, the other value is marked as tainted. Which of the following techniques are likely to make this kind of dynamic taint tracking scheme ineffective? Select all that apply.
What is the difference between a sandbox and a virtual machine?
Suppose we wanted to use sandboxing to protect against vulnerabilities in a video calling application.
What would be true about attempting to do this by confining the entire application using chroot? Select all that apply.
If one wanted to use privilege separation for this task, what is a part of the video calling application that would be a good candidate for performing privilege separation?
How does AFL-tmin know its minimized test case triggers the same bug as the original test case?
Which of the following are allowed under Rust's ownership rules? Assume only built-in references are used, not special reference classes that implement different policies like Rc or RefCell. Select all that apply.
Some bounds-checking schemes use a lookup table that allows code to use the address of any byte of an object to determine the beginning and end and size of an object. Which of the following are true about these schemes? Select all that apply.
Which of the following patterns would match the machine code for an x86-64 return? Select all that apply.
Which of the following statements are true about using static analysis to find potential security bugs (such as use-after-free or a buffer overflow) in a function F()?