Embed Size (px)
Citation preview
EC310 Six Week Exam Spring 2015 February 12, 2015
United States Naval Academy Electrical and Computer Engineering Department
EC310 - 6 Week Midterm- Spring 2015
1. Do a page check: you should have 8 pages including this cover sheet. 2. You have 50 minutes to complete this exam. 3. A calculator may be used for this exam. 4. This is a closed book and closed notes exam. You may use one single-sided hand-written page of notes. 5. Turn in your single-sided hand-written page of notes with your exam. 6. This exam may be given as a makeup exam to several midshipmen at a later time. No communication is
permitted concerning this exam with anyone who has not yet taken the exam.
Name:
Instructor:
Dec Hex Char Dec Hex Char Dec Hex Char Dec Hex Char Dec Rex Char 32 20 43 2b + 54 36 6 65 41 A 76 4c L
33 21 ! 44 2c , 55 37 7 66 42 B 77 4d M
34 22 .. 45 2d - 56 38 8 67 43 c 78 4e N
35 23 t 46 2e . 57 39 9 68 44 D 79 4f 0
36 24 $ 47 2£ I 58 3a : 69 4S E 80 50 p
37 25 % 48 30 0 59 3b ; 70 46 F 81 51 Q 38 26 & 49 31 1 60 3c < 71 47 G 82 52 R
39 27 ' so 32 2 61 3d = 72 48 H 83 S3 s 40 28 ( Sl 33 3 62 3e > 73 49 I 84 54 T
41 29 ) 52 34 4 63 3f ? 74 4a J 85 55 u 42 2a .... 53 35 5 64 40 @ 75 4b K 86 S6 v
Dec Hex Char Dec Hex Char Dec Hex Cha r Dec Hex Char 87 57 w 98 62 b 109 Gd m 120 78 x
88 58 x 99 63 c 110 6e n 121 79 y 89 59 y 100 64 d 111 6£ 0 122 7a z 90 Sa z 101 65 e 112 70 p 123 7b {
91 Sb [ 102 66 f 113 71 q 124 7c I 92 Sc \ 103 67 g 114 72 r 12S 7d }
93 5d ] 104 68 h 115 73 s 126 7e -94 Se ,... 1 05 69 i 116 74 t
95 Sf 106 6a j 117 75 u 96 60 ~ 107 6b k 118 76 v
97 61 a 108 6c l 119 77 w
Page 1of8
EC310 Six Week Exam Spring 2015 February 12, 2015
Question 1. (31 pts) AC program begins:
# i n c l ude <stdi o . h> int ma i n ( )
int a = 101; cha r mySt r ing [ 4 ]
<mo re code >
" ENS "
The program is paused immediately after executing the line
c h a r myString[4 ] = "ENS" ;
but before executing the section that says <more code> . The stack for the program at this point in time is shown below. Note specifically that the address for the integer variable a and the address of the array myString are shown on the figure. In the figure below, the main memory addresses are shown on the left (in hexadecimal).
(a) (5 pts) Annotate the diagram above to show the addresses for each of the next ten memory locations. For each address, the first five hexadecimal digits are already filled in for you; you only need to indicate the last three hexadecimal digits.
(b) (3 pts) Why did the programmer state that the size of the array mySt ring should be 4 when the array only holds three characters? In other words, why didn't the programmer declare the array mySt r ing as:
char myStri ng[ 3 J = "ENS " ;
Answer:
(c) (4 pts) Annotate the diagram above to show how the array myStr i ng is stored in memory. Express all values in hexadecimal.
THIS PROBLEM CONTINUES ON NEXT PAGE
Page 2 of8
EC310 Six Week Exam Spring 2015 February 12, 2015
(d) (5 pts) Annotate the diagram above to show how the value of the variable a is stored in memory. Express all values in hexadecimal. In addition to annotating the diagram, show your work below.
/61 ~ Jfy- _£__ _5 IC> I -11/tJ =-~
/b I It 6
(e) (1 pt) If, at this point, your diagram above still has blank memory locations, write "gar" in all of the blank locations to indicate garbage values.
(f) (2 pts) What would be displayed by the command: x/xb bffff7f8
(g)
Answer:
(3 pts) Convert the value stored in myString [ 2 ] to hinfily.
Answer: 0 rlr
""' L
() ;o S' 5 _,,, IS/# .::;:
0/6/
Returning to the C program, the section shown as <more code> is actually this:
strcpy( myString , "2ndLT " );
print f( " \n %d \n " , a ) ;
5 oO/ I
Do not make any changes to your diagram on the previous page, since that diagram holds your answers to questions (a) through (e)!!!
(h) (3 pts) What is printed out by the printf statement in the box above? ~ ~ 06~1
Answer: ;t.j ( ~
S:-x/6 "' ~~16
(i) (3 pts) In the space below, explain (using, if helpful, the drawing of main memory shown below) how you arrive at your answer to part (h). (Do not modify your picture on the previous page!)
bffff7f7
bffff7f8
bffff bfff f
bffff bfff f
bffff
bffff
bffff
bffff bfff f bffff
7 n d L 1
AJllU.
Answer:
• myString
c>,)'~'-/ • l a
t/-tc(fe) &60
6'?'100
G) (2 pts) You have grown sick of this problem! So you save your C program and turn off your computer. Where is your C program now? (Circle one choice)
~ndary mem~ In the operating system In the CPU hardware In main memory
Page 3 of8
EC310 Six Week Exam Spring 2015 February 12, 2015
Question 2. (25 pts) Consider the C program named fun times . c shown below:
1. #include<stdio.h> 2 . int main( ) 3. { 4 . inti ;
int number = 7 ;
f 5. 6 . 7 . 8 . 9 . 10. 11. 12 . 13 . 14 .
for( i = 10 ; i > number ; i i - 1 {
if ( i 9 )
printf ( " %s\n" , " Fun" ) ;
else printf( " %s \n" " Not Fun"
(a) (5 pts) What is the exact output of this C program?
Answer:
You run this program and examine the debugger's partial output, shown below.
THIS PROBLEM CONTINUES ON NEXT PAGE
/0 '1 g
Page 4 of8
EC310 Six Week Exam Spring 2015 February 12, 2015
(b) (2 pts) Where (physically) is the eip register? (Circle one choice)
In the C program In the operating system @he cPU hardw~ In main memory
(c) (3 pts) What is the next assembly language instruction that will be executed?
Answer: ~~ 1112 u?- q~ o)o r (d) (3 pts) Suppose, given the picture above, you enter the command: nexti. After you enter this
command, what is the value stored in the e i p register?
(e) (2 pts) Complete the sentence: The e ip register holds an address in the program's .. . (circle one choice)
1. CPU section
ii. Stack frame
c:g- 'T<xt segmev
iv. Dynamic memory space
v. Variable allocation
(f) (3 pts) Considering the values of e sp and ebp, how many bytes are in this stack frame? Show your reasoning.
Answer: 2/1f k->
(g) (4 pts) What is the address where the variable number is stored in memory? Your answer should be an address expressed as eight hexadecimal digits. Briefly explain your answer.
Answer: o~b/Jl//ffZO <P eJ,17- 8
(h) (3 pts) Consider the assembly language instruction
cmp DWORD PTR [ebp- 4],0x9
What line of C code does this correspond to?
Answer: L twe 1
/}(; ~= ?)
Page 5 of8
EC310 Six Week Exam Spring 2015 February 12, 2015
Question 3. (5 pts) What is the fundamental issue with the C programming language that makes a buffer overflow exploit possible? (Your answer should be limited to a sentence or two.)
Answer:
Question 4. (8 pts) Consider the C program below:
1. #include<s t dio.h> 2. int main () 3. { 4. char saying[20] = " To be or not to be. " 5 . 6. char *ptr ; 7 . 8 . ptr = saying + 4; 9. 10. strcpy( ptr , " ring " ) ; 11. 12. printf ( "%s\n" , saying ) ; 13 .
Note that the string named saying is initialized in line 4, and saying is then printed out on line 12.
What is the output of this C program? Explain your answer in a few sentences a sketch. --111;,,.
Answer: - )• 6- >41J>.y
Page 6 of 8
EC310 Six Week Exam Spring 2015 February 12, 2015
Question 5. (16 pts) Consider the program shown on the right:
(a) (2 pts) How many functions are in this program?
Answer: 2-(b) (2 pts) In the line of code: void myfunction ()
what does the word void mean? (Choose one)
1. The function has no arguments.
11. The function has no parameters.
@:> The function does not return a value.
iv. The function does not perform a useful task.
#include<s tdio.h>
void myfun ction () {
int a = 2003 ;
int main ()
myf unction ( ) ;
v. Copies of the values of the arguments are plugged in to the parameters.
(c) (6 pts) Before myfunction is called, two items will be placed onto the stack. What are the names of these two items? (For example, if you believe that the items placed on the stack before the function call are the stack pointer and the address of main, your answer would be: Item 1: esp , Item 2: main's address.)
Item 1: /2e/wb1I ~U<> 61<JtJ8CJc/fY5£8
Item2: OZ-!> t;:gf (.'!At'#j Bf;P~ (Jyi1f/lf 8//3'
(d) (6 pts) The program above is run up to the point immediately before the function named myfunct i on is called. The debugger output shown below is produced. Determine the correct values for the answers you gave for part ( c) above; i.e., determine the correct values for the two items that must be saved on the stack prior to the function call. Write your answers next to the two item names in part (c) above.
(gdb) i r eip ebp esp eip 0x8048363 0x8048363 <main+l6>
0xbff f f818 ebp 0xbf ff f818 esp 0xbf ff f810 0xbf ff f810 (gdb) disassemble main Dump of assembler code 0x08048353 <main+8>: 0x08048354 <main+l>: 0x08048356 <main+3>: 0x08048359 <main+6>: 0x0804835c <main+9>: 0x08048361 <main+l4>: 0x08048363 <main+l6>: 0x08048368 <main+21>: 0x08048369 <main+22> :
for function main: push ebp mov ebp,esp sub esp,0x8 and esp,0xfffffff0 mov eax ,0x0 sub esp,eax call 0x8048344 <myfunction> leave ret
Page 7 of8
EC310 Six Week Exam Spring 2015 February 12, 2015
Question 6. (15 pts) Consider the program below, named welcomi ng me s sage. c . The program prompts the user to enter their name, then provides them a warm and comforting welcome message. And what could be wrong with that?
# i nclude<stdio . h >
v oid greeting s( int length_of name )
i nt yea r = 2 015 ; c har name[lengt h_of name ] ;
printf ( "En ter your name : " ) ; scanf( " %s ", name) ; printf( "Hello : %s ! We l come t o %d . \n", name, year) ;
i nt main ()
int name len = 15 ; greetings( name_len) ;
Assume that no padding (extra space) is created when stack frames are created.
t) z_ i:> 6'lJ I'
µ //-Pl>IUl'f
j,,,,,/,., ""7 3 t:z.:3~ 1~::.---~--1
pe-1~
(a) (10 pts) When you are prompted to enter your name, what is the minimum number of characters you can enter to completely overwrite the value of the variable name len which is declared in main? Justify your reasoning and show your work.
(b) (5 pts) Is it possible to change the value of the variable named year declared in the function g r eet ings by performing a buffer overflow attack? Why or why not? Justify your reasoning.
Turn in your equation sheet with your exam!
Page 8 of 8
