Chapter 36 Quiz: Exploit Mitigations
Instructions: Choose the best answer. ⭐ marks questions with answers in Appendix B.
Question 1 ⭐ On x86-64 Linux, where is the stack canary value originally stored, and how is it accessed?
A) In a global variable in the .bss section, accessed directly
B) In thread-local storage at fs:0x28, accessed via segment-relative addressing
C) In the kernel's memory, accessed via a system call
D) At a fixed address in the .data section
Question 2 Why is the low byte of the stack canary always set to zero?
A) Zero bytes are faster to compare
B) This prevents string functions like strcpy from including the canary in an output string (which would leak it)
C) The kernel requires that all canary values be aligned
D) This makes the canary easier to verify
Question 3 ⭐ What does NX/DEP specifically prevent?
A) Buffer overflow vulnerabilities in C code
B) The CPU executing instructions from memory pages marked as non-executable
C) Writing to read-only code sections
D) Stack smashing and return address corruption
Question 4 A binary is compiled without PIE (-no-pie). With full ASLR enabled on the system, what part of the binary's address space is NOT randomized?
A) The stack
B) The heap
C) Shared libraries (libc, etc.)
D) The executable's own code and data sections
Question 5 ⭐ What is the difference between Partial RELRO and Full RELRO?
A) Partial RELRO protects only the .bss section; Full RELRO protects all data sections
B) Partial RELRO protects the non-PLT GOT; Full RELRO also makes the PLT GOT read-only (by resolving all symbols at startup)
C) Partial RELRO uses software checks; Full RELRO uses hardware enforcement
D) Partial RELRO applies to shared libraries; Full RELRO applies to the main executable
Question 6 Which instruction must appear at the start of every function in a binary compiled with CET IBT (Indirect Branch Tracking)?
A) nop
B) endbr64
C) int 3
D) fence
Question 7 ⭐ Intel CET's Shadow Stack (SHSTK) works by:
A) Creating a software copy of the stack in a separate thread
B) Having the CPU maintain a hardware-protected second stack that stores only return addresses, checked on every RET
C) Encrypting the return address before pushing it onto the stack
D) Randomizing return addresses using a per-function XOR key
Question 8 checksec shows Stack: No canary found for a binary. Which GCC flag would add canary protection?
A) -fstack-check
B) -fstack-protector-strong
C) -stack-guard
D) -fcanary-all
Question 9 ⭐ What is the attack that Full RELRO specifically prevents?
A) Stack buffer overflow
B) Format string information leak
C) Overwriting GOT entries to redirect function calls (GOT overwrite attack)
D) Return-oriented programming
Question 10 ASLR on a 64-bit Linux system provides approximately how many bits of entropy for library randomization?
A) 8 bits
B) 16 bits
C) 28 bits
D) 48 bits
Question 11 ⭐ The prologue sequence mov rax, [fs:0x28]; mov [rbp-8], rax; xor eax, eax does what?
A) Saves the current thread ID for later verification
B) Reads the stack canary from TLS, stores it on the stack, and clears RAX to prevent canary leakage
C) Initializes the frame pointer and sets up the red zone
D) Saves the segment base address for later comparison
Question 12 What is the security concern with a binary that has RPATH: /tmp in its dynamic linking configuration?
A) RPATH causes the binary to be loaded at a random address
B) An attacker could place a malicious library in /tmp to be loaded instead of the legitimate library
C) /tmp is not a valid library path on most systems
D) RPATH prevents ASLR from working correctly
Question 13 ⭐ After NX/DEP was deployed, attackers shifted to what technique because it does not require injecting executable code?
A) Format string exploitation
B) Heap spraying
C) Return-Oriented Programming (ROP)
D) Integer overflow exploitation
Question 14 Which compiler flag enables FORTIFY_SOURCE, and what does it protect against?
A) -D_FORTIFY_SOURCE=2 (with -O1 or higher) — adds compile-time and runtime bounds checks to standard library calls like strcpy and memcpy when the destination size is known
B) -ffortify — adds compile-time bounds checking to all array accesses
C) -fsanitize=fortify — enables the Fortify sanitizer for all memory operations
D) -O3 — enables aggressive optimization that eliminates buffer overflows
Question 15 ⭐ Why is CET SHSTK superior to stack canaries for preventing return address corruption?
A) SHSTK provides higher entropy (256 bits vs. 64 bits)
B) SHSTK compares return addresses in hardware and cannot be bypassed by leaking the canary value, since there is no canary to leak
C) SHSTK is faster to check (0 instructions vs. 3 instructions)
D) SHSTK also protects heap objects, unlike canaries which only protect stack frames
Question 16 A binary has NX enabled but no ASLR and no canary. An attacker has found a buffer overflow. What is the simplest exploitation technique that NX does NOT prevent?
A) Writing shellcode to the stack and jumping to it
B) Returning to the address of system() in libc (ret2libc)
C) Heap spraying with NOP sleds
D) Using JIT-compiled code as a shellcode landing zone
Question 17 ⭐ Why must a JIT compiler receive special treatment when CET IBT is enabled?
A) JIT compilers are not allowed to allocate executable memory with CET enabled
B) JIT-generated code must either include endbr64 at every indirect branch target or be mapped with IBT suppression
C) JIT compilers must be recompiled from source to work with CET
D) CET IBT has no interaction with JIT-generated code
Question 18 In the sequence: mov rax, [rbp-8]; xor rax, [fs:0x28]; jne __stack_chk_fail, what does a non-zero result of the XOR indicate?
A) The function completed successfully
B) The canary on the stack does not match the original value — the canary has been overwritten
C) A system call is needed to verify the canary
D) The frame pointer has been corrupted
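The canary mechanism behind Questions 1, 2, 11 and 18 can be exercised directly. The following program is an added example written for this quiz, not code from the chapter or its appendix: it reads the real per-thread canary from fs:0x28 with inline assembly (it assumes x86-64 Linux with glibc or musl; on any other platform it falls back to a constructed value with a zero low byte), then rebuilds the prologue/epilogue check in software on a hand-laid-out frame so the overflow cases run safely without actually smashing the stack. The BUF_SIZE, copy_then_check and leaked_length names are the example's own.

```c
// Added example for Questions 1, 2, 11 and 18: the stack canary mechanism.
// Assumes x86-64 Linux (glibc or musl) for the fs:0x28 read; elsewhere a
// constructed canary with a zero low byte is substituted so the demo still runs.
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))   /* buffer + canary slot */

/* Question 1: read the per-thread canary from TLS, exactly what the
 * compiler-emitted prologue does with `mov rax, [fs:0x28]`. */
static uint64_t read_tls_canary(void) {
#if defined(__x86_64__) && defined(__linux__)
    uint64_t v;
    __asm__ volatile ("movq %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0x4a6f1c2d9e5b0000ULL;   /* constructed stand-in, low byte zero */
#endif
}

/* Question 2: on 64-bit glibc and musl the low byte of the canary is 0x00. */
static int canary_low_byte_is_zero(void) {
    return (read_tls_canary() & 0xff) == 0;
}

/* Questions 11 and 18 in software. `frame` mirrors the layout gcc emits with
 * -fstack-protector: the local buffer sits just below the canary slot, which
 * sits below the saved rbp and return address (not modelled here). The copy
 * is deliberately unchecked; n is capped at FRAME_SIZE so the demo never
 * writes outside its own object. Returns 1 if __stack_chk_fail would fire. */
static int copy_then_check(const char *src, size_t n) {
    unsigned char frame[FRAME_SIZE];
    uint64_t canary = read_tls_canary(), saved;
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame + BUF_SIZE, &canary, sizeof canary);  /* prologue: mov [rbp-8], rax */
    memcpy(frame, src, n);                               /* the vulnerable write  */
    memcpy(&saved, frame + BUF_SIZE, sizeof saved);      /* epilogue: mov rax, [rbp-8] */
    return (saved ^ canary) != 0;                        /* xor rax,[fs:0x28]; jne ... */
}

/* Overflow the whole frame with 'A's: the canary slot changes, check fires. */
static int overrun_detected(void) {
    char src[FRAME_SIZE];
    memset(src, 'A', sizeof src);
    return copy_then_check(src, sizeof src);
}

/* A strcpy()-style overrun of exactly one byte deposits only the NUL
 * terminator into the canary's low byte. That byte is already zero, so the
 * value is unchanged and the check passes. This is the flip side of the
 * Question 2 design: the zero byte cannot be corrupted by a terminator. */
static int one_byte_nul_overrun_detected(void) {
    char src[BUF_SIZE + 1];
    memset(src, 'A', BUF_SIZE);
    src[BUF_SIZE] = '\0';
    return copy_then_check(src, sizeof src);
}

/* Question 2, the leak side: fill the buffer with 16 non-NUL bytes and no
 * terminator, then ask a string function how long the "string" is. Because
 * the canary's first byte in memory is 0x00, the read stops at the canary:
 * a printf("%s", buf) would show the 16 bytes and nothing of the canary.
 * strnlen is bounded by the frame size so the demo itself stays in bounds. */
static size_t leaked_length(void) {
    unsigned char frame[FRAME_SIZE];
    uint64_t canary = read_tls_canary();
    memset(frame, 'A', BUF_SIZE);
    memcpy(frame + BUF_SIZE, &canary, sizeof canary);
    return strnlen((const char *)frame, FRAME_SIZE);
}

int main(void) {
    printf("canary low byte zero:        %d\n", canary_low_byte_is_zero());
    printf("5-byte copy detected:        %d\n", copy_then_check("hello", 5));
    printf("full overrun detected:       %d\n", overrun_detected());
    printf("1-byte NUL overrun detected: %d\n", one_byte_nul_overrun_detected());
    printf("bytes a %%s leak would show:  %zu\n", leaked_length());
    return 0;
}
```

Build with plain gcc (no special flags are needed; the program's own frames may additionally get a compiler canary, which does not affect the results). The one-byte NUL case is worth remembering when reviewing an off-by-one: a terminator landing on the canary is silent, but it also cannot advance the attacker past the canary, so the saved frame pointer and return address stay intact.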
Question 19 ⭐ Full RELRO requires -z now in addition to -z relro. What does -z now specifically cause?
A) Faster startup by pre-loading libraries
B) Eager (non-lazy) resolution of all symbols at startup, allowing the GOT to be made read-only
C) Immediate termination on any security violation
D) Nowtime (wall clock) stamping of the binary for integrity checking
Question 20 A binary has all mitigations enabled: Full RELRO + Canary + NX + PIE/ASLR + CET. To achieve code execution via memory corruption, an attacker would need at minimum:
A) One write primitive that overwrites the return address
B) A read primitive to leak addresses, plus an additional bypass for SHSTK (which may require a hardware vulnerability or logic bug)
C) Only a heap overflow, since CET does not protect heap objects
D) Exploitation is now impossible with all these mitigations