C Programming Basics and Security Concepts

Questions and Answers

What is the main function syntax in C language?

float main()

void main()

int main() (correct)

char main()

What is the difference between a vulnerability and an exploit?

A vulnerability is a weakness, an exploit is a way to take advantage of it. (correct)

An exploit is a weakness, a vulnerability is a way to take advantage of it.

A vulnerability is a way to take advantage of a weakness, an exploit is the weakness.

A vulnerability is the same as an exploit.

What happens when an integer overflows in C?

It crashes the program.

It wraps around to the maximum value. (correct)

It wraps around to the minimum value.

It throws an error.

What is the purpose of shellcode?

To execute a specific task.

What is the difference between a stack and a heap?

A stack is used for function calls, a heap is used for variable allocation.

What is the purpose of a buffer?

To store temporary data.

What is the purpose of format strings in C?

To format output to the console.

What is the purpose of fuzzing in security testing?

To find vulnerabilities in a program.

What is the purpose of ASLR in security?

To randomize the location of memory regions.

What is the purpose of a stack canary in security?

To detect stack overflows.

Study Notes

Week 1: C Language and GDB Tool

• C Language function syntax, main function syntax, and arguments
• Data types: integer, float, char, arrays, and declarations
• Pointers and notation
• Input and output
• Conditionals and looping
• GDB Tool: executing with an executable file, listing and disassembling (disas), breakpoints, and register inspection
• Vulnerability and exploit definitions: difference between a vulnerability and exploit (and zero day)

Week 2: Integer Overflow

• Integer types: 8-bit equal to char, signed or unsigned
• Limits available as MACRO constants
• Byte sizes of types
• Effect of integer overflow: wrapping around positive or negative
• Implications in reality: usually triggered in loop iteration
• C Language: variable scope and variable types

Week 3: Stacks and Buffers

• Principle of a stack: stack frame organization, function entry and exit sequence
• How stacks work during execution and debugging in GDB
• Buffer and overflow principles: beneficial to a threat actor
• How buffers can be viewed in GDB: examples from lab

Week 4: Vulnerable Functions and Shellcode

• Vulnerable functions: gets, strcpy, strcat, sprintf
• Safer alternatives to these functions
• Shellcode: aim, usage, and how it works

Week 5: Format Strings

• Strings vs format strings: format string specifiers
• Functions: printf and sprintf
• What makes format strings vulnerable: properties
• Exploit setup: where does it read from initially?

Week 7: Heap Properties

• Heap properties and layout: vs the stack
• Functions using heap space: relation to the stack with variables
• Structure: chunks

Week 8: Fuzzing Principles

• Fuzzing principles: why and types
• Phases and methods of fuzzing
• Tools used in fuzzing

Week 9: More Fuzzing

• More fuzzing principles: issues with fuzzing approaches
• Code coverage: AFL tool

Week 10: Non-Executable Stack and Security

• Non-executable stack and implications
• Overrides: W^X, stack canaries, and ASLR

Description

Test your knowledge of C programming fundamentals, including syntax, data types, and functions, as well as security concepts like vulnerabilities and exploits.