On a 32-bit processor, a baggy bounds scheme is expected to set all of the bounds table entries to 31 at initialization time. Assume that a buggy implementation with a slot size of 32 bytes performs bounds table initialization inappropriately, resulting in random entries being incorrectly set to 1. Assume that a networked server processes network messages using an uninstrumented library. Assume that this library does not include some buffer overflow bugs (i.e., it never calls unsafe functions such as gets()). However, the server suffers from the above-mentioned bounds table initialization issue, and an attacker may submit messages to the server that force the library to dynamically assign and write memory in an attacker-controlled amount using uninstrumented code that looks like this: / N is the size of the buffer that the intruder gets to choose. for (int I = 0; I N/4; i++, p += 4) char *p = malloc(N); *p = 'a'; *(p+1) = 'b'; *(p+2) = 'c'; *(p+3) = 'd'; Assume the server is using a buddy memory allocator with a maximum allocation size of 2 16 (larger allocations would fail). What is the smallest N that an intruder can choose that will unquestionably cause the server to crash? Why is that N going to trigger a crash?
On a 32-bit processor, a baggy bounds scheme is expected to set all of the bounds table entries to 31 at initialization time. Assume that a buggy implementation with a slot size of 32 bytes performs bounds table initialization inappropriately, resulting in random entries being incorrectly set to 1.
Assume that a networked server processes network messages using an uninstrumented library. Assume that this library does not include some buffer overflow bugs (i.e., it never calls unsafe functions such as gets()).
However, the server suffers from the above-mentioned bounds table initialization issue, and an attacker may submit messages to the server that force the library to dynamically assign and write memory in an attacker-controlled amount using uninstrumented code that looks like this:
/ N is the size of the buffer that the intruder gets to choose.
for (int I = 0; I N/4; i++, p += 4)
char *p = malloc(N);
*p = 'a';
*(p+1) = 'b';
*(p+2) = 'c';
*(p+3) = 'd';
Assume the server is using a buddy memory allocator with a maximum allocation size of 2 16 (larger allocations would fail).
What is the smallest N that an intruder can choose that will unquestionably cause the server to crash? Why is that N going to trigger a crash?
Trending now
This is a popular solution!
Step by step
Solved in 2 steps