# 计算机代写｜Prog. for Buffer Overflow Homework 2

## Written Assignment

1. (12pt) This problem deals with metamorphic malware.

(a) (2pt) Define metamorphic malware.

(b) (2pt) Why would a malware author employ metamorphic techniques?

(c) (6pt) Suppose we have a behavior-based malware detector, which searches for “malicious” system call sequences (see examples in the lecture) to decide a malware.

Would metamorphic malware evade such detection? Why or why not?

(d) (2pt) Can metamorphism mutation scheme be used for software protection?

2. (31pt) The C function strcmp is unsafe. The C function strncmp is a safer version of strcmp with the following interface definition:

int strncmp(char *str1, const char *str2, size t num);

where num specifies that at most num bytes of str1 are compared with the str2. This function starts comparing the first character of each string. If they are equal to each other, it continues with the following pairs until the characters differ, until a terminating null-character is reached, or until num characters match in both strings, whichever happens first.

(a) (3pt) Why is strcmp unsafe?

(b) (15pt) Give a concise implementation of strncmp according to the given description of its functionality (note that this question is a “written component” in the sense that you need to embed your code within your submitted PDF file). C I’m plementation is preferred. The return number is 0 if they are equal; it is -1 if the first character that does not match has a lower value (in terms of ASCII code) in str1 than that in str2; it is 1 if the first character that does not match has a greater value (in terms of ASCII code) in str1 than that in str2. For instance,comparing aab and abb returns -1 because the second a in aab is lower than the second b in abb.

(c) (5pt) What problem of strcmp is solved by strncmp?

(d) (8pt) Can strncmp still lead to buffer overflow? Explain your answer.

3. (34pt) In addition to stack-based buffer overflow attacks, heap overflows can also be exploited. Consider the following C code, which illustrates a heap overflow.1

i n t main ( )
{
i n t d i f f , s i z e = 8 ;
char ∗buf1 , ∗ buf2 ;
buf1 = ( char ∗) malloc ( s i z e ) ;
buf2 = ( char ∗) malloc ( s i z e ) ;
d i f f = buf2 − buf1 ;
memset ( buf2 , ’ 2 ’ , s i z e ) ;
p r i n t f (”BEFORE: buf2 = %s ” , buf2 ) ;
memset ( buf1 + d i f f − s i z e , ’ 1 ’ , s i z e ) ;
p r i n t f (”AFTER: buf2 = %s ” , buf2 ) ;
r eturn 0 ;
}

(a) (1pt) Compile and execute this program. What is printed?

(b) (3pt) Is there a security issue?2

(c) (10pt) In terms of C/C++ memory management, what is the difference between stack and heap? In particular, which one is allocated/deallocated automatically,and which one needs programmers to take care of (you can search materials online but shouldn’t directly copy)?

(d) (20pt) Explain how a heap-based buffer overflow works, in contrast to the stack based buffer overflow discussed in this chapter. You can learn materials online but should not directly copy.

4. (25pt) Recall that an opaque predicate is a “conditional” that is actually not a conditional. That is, the conditional always evaluates to the same result, although it is not obvious.

(a) (5pt) Suppose a program p has ten if conditions, and by using opaque predicate,we introduce another if condition. Can you identify the if condition introduced by opaque predicate obfuscation? Please explain your answer.

(b) (10pt) Can Fermat’s little theorem be used to construct opaque predicts? Why or why not.3

(c) (10pt) Typically there is no “free lunch”. That is, we would worry if certain “side effects” may be introduced by the obfuscators to the input program. Discuss one side effect (to the input program) of using an obfuscator.4 How to alleviate the side effect you suggested?

5. (7pt) Suppose a program p0 is obfuscated (e.g., via opaque predicate) into an “obfus cated” program p1.

(a) (3pt) Can p1 be re-obfuscated? If so, what would be the advantage and disadvan tage of “re-obfuscating” for lots of times? That is, we generate p2 by obfuscating p1 with opaque predicate, and then get p3 from p2, so on and so forth.

(b) (4pt) The obfuscation procedure is usually implemented as a software, with the input as program source code and output as the “obfuscated” program source code. Suppose the obfuscation software itself may have bugs, and suppose we distributed all the obfuscated programs (p1, p2, p3, etc.) and deployed for daily usage. After a while, we are aware that an input i can trigger a bug in program p13(e.g., when feeding i to p13, the expected output is 23 but p13 incorrectly outputs
33). Can we decide whether the bug is introduced by the obfuscation software?
How?