1. (12pt) This problem deals with metamorphic malware.
(a) (2pt) Define metamorphic malware.
(b) (2pt) Why would a malware author employ metamorphic techniques?
(c) (6pt) Suppose we have a behavior-based malware detector, which searches for “malicious”
system call sequences (see examples in the lecture) to decide whether a program is malware.
Would metamorphic malware evade such detection? Why or why not?
(d) (2pt) Can a metamorphic mutation scheme be used for software protection?
2. (31pt) The C function strcmp is unsafe. The C function strncmp is a safer version of
strcmp with the following interface definition:
int strncmp(char *str1, const char *str2, size_t num);
where num specifies that at most num bytes of str1 are compared with str2. This
function starts comparing the first character of each string. If they are equal to each
other, it continues with the following pairs until the characters differ, until a terminating
null-character is reached, or until num characters match in both strings, whichever
(a) (3pt) Why is strcmp unsafe?
(b) (15pt) Give a concise implementation of strncmp according to the given description
of its functionality (note that this question is a “written component” in the
sense that you need to embed your code within your submitted PDF file). A C
implementation is preferred. The return value is 0 if the strings are equal; it is -1 if the
first character that does not match has a lower value (in terms of ASCII code) in
str1 than in str2; it is 1 if the first character that does not match has a
greater value (in terms of ASCII code) in str1 than in str2. For instance,
comparing aab and abb returns -1 because the second character a in aab is lower than the
second character b in abb.
(c) (5pt) What problem of strcmp is solved by strncmp?
(d) (8pt) Can strncmp still lead to buffer overflow? Explain your answer.
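An added reference implementation of the comparison described in this problem; it is not part of the assignment or its solutions, is named my_strncmp to avoid clashing with libc, and declares both parameters const (the declaration above only requires it for str2):

```c
#include <stddef.h>

/* Added example (not part of the assignment): bounded string comparison
 * as described above. Compares at most num bytes, stopping at the first
 * difference, at a terminating NUL, or after num matching characters.
 * Returns exactly -1, 0 or 1 as the problem specifies (the C standard's
 * strncmp only promises a negative, zero or positive value). Bytes are
 * compared as unsigned char so that values above 127 order as in libc. */
int my_strncmp(const char *str1, const char *str2, size_t num)
{
    for (size_t i = 0; i < num; i++) {
        unsigned char c1 = (unsigned char)str1[i];
        unsigned char c2 = (unsigned char)str2[i];
        if (c1 != c2)
            return c1 < c2 ? -1 : 1;   /* first mismatch decides the result */
        if (c1 == '\0')
            return 0;                  /* both strings ended: equal */
    }
    return 0;                          /* num characters matched */
}
```

Because the loop never reads past index num - 1, a caller that passes the size of the smaller buffer as num bounds the read even when a string lacks its terminator.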
3. (34pt) In addition to stack-based buffer overflow attacks, heap overflows can also be
exploited. Consider the following C code, which illustrates a heap overflow.
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main(void)
    {
        int diff, size = 8;
        char *buf1, *buf2;

        buf1 = (char *)malloc(size);
        buf2 = (char *)malloc(size);
        diff = buf2 - buf1;                  /* distance between the two heap chunks */
        memset(buf2, '2', size);             /* fill buf2; note: no NUL terminator */
        printf("BEFORE: buf2 = %s\n", buf2);
        memset(buf1 + diff - size, '1', size); /* writes the 8 bytes just below buf2 */
        printf("AFTER: buf2 = %s\n", buf2);
        return 0;
    }
(a) (1pt) Compile and execute this program. What is printed?
(b) (3pt) Is there a security issue?
(c) (10pt) In terms of C/C++ memory management, what is the difference between
stack and heap? In particular, which one is allocated/deallocated automatically,
and which one must the programmer manage explicitly (you can search materials online
but shouldn’t directly copy)?
(d) (20pt) Explain how a heap-based buffer overflow works, in contrast to the stack-based
buffer overflow discussed in this chapter. You can learn from materials online but
should not directly copy.
4. (25pt) Recall that an opaque predicate is a “conditional” that is actually not a conditional.
That is, the conditional always evaluates to the same result, although it is not
(a) (5pt) Suppose a program p has ten if conditions, and by using an opaque predicate
we introduce another if condition. Can you identify the if condition introduced
by the opaque predicate obfuscation? Please explain your answer.
(b) (10pt) Can Fermat’s little theorem be used to construct opaque predicates? Why
or why not?
(c) (10pt) Typically there is no “free lunch”. That is, we would worry that certain “side
effects” may be introduced by the obfuscator into the input program. Discuss one
side effect (on the input program) of using an obfuscator. How could the
side effect you suggested be alleviated?
5. (7pt) Suppose a program p0 is obfuscated (e.g., via opaque predicate) into an “obfuscated”
program p1.
(a) (3pt) Can p1 be re-obfuscated? If so, what would be the advantage and disadvantage
of “re-obfuscating” many times? That is, we generate p2 by obfuscating
p1 with opaque predicates, then get p3 from p2, and so on.
(b) (4pt) The obfuscation procedure is usually implemented as software, with
program source code as input and the “obfuscated” program source code as output.
Suppose the obfuscation software itself may have bugs, and suppose we have
distributed all the obfuscated programs (p1, p2, p3, etc.) and deployed them for daily
use. After a while, we become aware that an input i can trigger a bug in program p13
(e.g., when feeding i to p13, the expected output is 23 but p13 incorrectly outputs
33). Can we decide whether the bug was introduced by the obfuscation software?