C Language Programming Fundamentals
Questions and Answers

What is the primary purpose of shellcode?

  • To provide a safer alternative to vulnerable functions
  • To spawn a shell and gain system access (correct)
  • To execute a denial-of-service attack
  • To debug a program using GDB

What is the difference between a vulnerability and an exploit?

  • A vulnerability is a potential security risk, while an exploit is a piece of code that takes advantage of it (correct)
  • A vulnerability is a type of zero-day attack, while an exploit is a type of integer overflow
  • A vulnerability is a type of shellcode, while an exploit is a type of format string
  • A vulnerability is a type of buffer overflow, while an exploit is a type of fuzzing

What is the primary benefit of using GDB to debug a program?

  • To execute a program with an executable file
  • To list and disassemble the code (correct)
  • To identify vulnerabilities in the code
  • To improve the performance of the program

What is the effect of an integer overflow?

  • It wraps around to a positive or negative value

What is the primary purpose of a stack canary?

  • To detect buffer overflows

What is the relationship between the stack and the heap?

  • The stack is used for static memory allocation, while the heap is used for dynamic memory allocation

What is the purpose of ASLR?

  • To make it harder for an attacker to predict where a program's libraries are located in memory

What is the primary benefit of using format strings?

  • They allow for more flexibility in formatting output

What is the primary purpose of fuzzing?

  • To identify vulnerabilities in a program

What is the difference between a buffer and an overflow?

  • A buffer is a region of memory, while an overflow is a type of vulnerability

Study Notes

Week 1: C Language and GDB Tool

  • C Language function syntax, main function syntax, and arguments
  • Data types: integer, float, char, arrays, and declarations
  • Pointers and notation
  • Input and output
  • Conditionals and looping
  • GDB Tool: executing with an executable file, listing and disassembling (disas), breakpoints, and register inspection
  • Vulnerability and exploit definitions: difference between a vulnerability and exploit (and zero day)

Week 2: Integer Overflow

  • Integer types: 8-bit equal to char, signed or unsigned
  • Limits available as MACRO constants
  • Byte sizes of types
  • Effect of integer overflow: wrapping around positive or negative
  • Implications in reality: usually triggered in loop iteration
  • C Language: variable scope and variable types

Week 3: Stacks and Buffers

  • Principle of a stack: stack frame organization, function entry and exit sequence
  • How stacks work during execution and debugging in GDB
  • Buffer and overflow principles: beneficial to a threat actor
  • How buffers can be viewed in GDB: examples from lab

Week 4: Vulnerable Functions and Shellcode

  • Vulnerable functions: gets, strcpy, strcat, sprintf
  • Safer alternatives to these functions
  • Shellcode: aim, usage, and how it works

Week 5: Format Strings

  • Strings vs format strings: format string specifiers
  • Functions: printf and sprintf
  • What makes format strings vulnerable: properties
  • Exploit setup: where does it read from initially?

Week 7: Heap Properties

  • Heap properties and layout: vs the stack
  • Functions using heap space: relation to the stack with variables
  • Structure: chunks

Week 8: Fuzzing Principles

  • Fuzzing principles: why and types
  • Phases and methods of fuzzing
  • Tools used in fuzzing

Week 9: More Fuzzing

  • More fuzzing principles: issues with fuzzing approaches
  • Code coverage: AFL tool

Week 10: Non-Executable Stack and Security

  • Non-executable stack and implications
  • Overrides: W^X, stack canaries, and ASLR


Description

This quiz covers the basics of C programming, including function syntax, data types, pointers, and control structures, as well as an introduction to debugging with GDB and basic security concepts.
