Due: Tuesday, Apr. 29
(b) Can you adapt the LibSafe mechanism to work in the heap? If so explain
how and what additional functionality you would need from the memory manager.
If not, explain why not.
Hint: it will help to review the inner workings of the heap memory manager used in malloc and free.
(c) Suppose the OS marks the stack memory pages as non-execute. Can a stack overflow be used to get a root shell on the machine? If so, briefly explain how. If not, explain why not.
Consider the following code snippet:
if (!stat("./file.dat", buf)) return; // Abort if file exists. sleep(10); // Sleep for 10 seconds. fp = fopen("./file.dat", "w" ); fprintf(fp, "Hello world" ); close(fp);
a. Suppose this code is running as a setuid root program. Give an example of how this code can lead to unexpected behavior that could cause a security problem. (try using symbolic links.)
b. Suppose the sleep(10) is removed from the code above. Could the problem you identified in part (a) still occur? Please explain.
c. How would you fix the code to prevent the problem from part (a)?
(a) Recall that a polymorphic virus uses an evolving decryption engine and a fixed (encrypted) virus body. Anti virus software detects polymorphic viruses by first emulating the executable in question for a short time and then looking for a virus signature in memory. Explain how polymorphic viruses can evade this detection technique. Give at least two examples. Your examples should be examples of polymorphic behavior (not metamorphic).
(b) Can you suggest a more robust mechanism for preventing polymorphic viruses from spreading? You may assume that the anti-virus vendor already obtained a copy of the virus and fully analyzed how it works.
Recall that modern processors have an on chip data cache (called an L2 cache) used to reduce the number of accesses to main memory. Reading from the L2 cache is about 10 times faster than reading from main memory. Explain how the L2 processor cache can result in a covert channel on the local system. Give a sample short (pseudo) code to exploit this channel.
Assume that processes have separate address spaces (no shared memory),
although they share the underlying hardware. You don't need to worry
about making the covert channel fast.
You may make any reasonable
assumption about the L2 cache, as long as you state your assumptions.