Chapter 37 Quiz: Return-Oriented Programming and Modern Exploitation
Instructions: Choose the best answer. All questions are framed for defensive education. ⭐ marks questions with answers in Appendix B.
Question 1 ⭐ Why does NX/DEP fail to prevent Return-Oriented Programming?
A) NX/DEP is not enabled on 64-bit systems by default
B) NX/DEP only prevents executing injected code; ROP reuses code that is already in executable memory
C) NX/DEP is easily bypassed by setting the stack executable
D) NX/DEP only applies to the heap, not the stack
Question 2 A ROP gadget is a sequence of instructions that ends with:
A) A jmp to a known location
B) A call to a library function
C) A ret instruction
D) A nop sled
Question 3 ⭐ How does a ROP chain advance from one gadget to the next?
A) Each gadget contains a jmp to the next gadget's address
B) A dispatcher function manages the chain's execution
C) Each gadget ends with ret, which pops the next gadget's address from RSP (the forged stack)
D) The CPU's branch predictor follows the chain automatically
Question 4 Why do large binaries (and especially libc) contain more useful ROP gadgets?
A) Large binaries have more efficient instruction encoding
B) More code means more instruction sequences, including more sequences that end in ret
C) Large binaries disable ASLR and are easier to target
D) Large binaries always have weaker canaries
Question 5 ⭐ What is an "unintended gadget" in x86-64?
A) A gadget that was deliberately inserted by a compiler optimization
B) A valid instruction sequence starting from a byte in the middle of a longer intended instruction, enabled by x86-64's variable-length encoding
C) A gadget that has no useful side effects (a nop gadget)
D) A gadget found in the GOT rather than the code section
Question 6 ret2libc (without ASLR) chains gadgets to call system("/bin/sh"). What setup is needed to call system correctly according to the System V ABI?
A) RSP must point to the string, and system reads it from the stack
B) RDI must contain a pointer to the "/bin/sh" string before calling system
C) RAX must be 59 (execve syscall number)
D) RBP must point to the /bin/sh string
Question 7 ⭐ What problem does ret2plt solve when ASLR is enabled?
A) It bypasses the stack canary by writing to the GOT
B) It calls a PLT stub to execute a library function and print a GOT entry's value, leaking a libc runtime address
C) It patches the binary's code section to add gadgets
D) It disables ASLR for the current process
Question 8 SROP (Sigreturn-Oriented Programming) achieves full register control by:
A) Using many gadgets to set each register individually
B) Forging a sigcontext structure on the stack and invoking the sigreturn syscall, which restores all registers from it
C) Corrupting the kernel's signal dispatch table
D) Reusing the kernel's signal handler with modified arguments
Question 9 ⭐ What is the sigreturn syscall number on Linux x86-64?
A) 11
B) 15
C) 59
D) 231
Question 10 JOP (Jump-Oriented Programming) uses gadgets that end in jmp instead of ret. Why did this become relevant?
A) JOP is faster than ROP because JMP is a single byte
B) JOP bypasses stack canaries more easily
C) CET SHSTK protects ret gadgets; JOP uses jmp gadgets which SHSTK does not directly protect
D) JOP requires no information leak to work
Question 11 ⭐ Blind ROP (BROP) works against remote servers. What property enables it?
A) Remote servers always have ASLR disabled
B) Fork()-based servers create children with the same address space layout, allowing gradual discovery of the layout through crash behavior without re-randomization
C) Network connections carry enough timing information to deduce addresses
D) The server's binary is always available for download
Question 12 CET SHSTK defeats traditional ROP chains because:
A) SHSTK encrypts the return address before storing it
B) ret compares the return address from the regular stack against the hardware-protected shadow stack; forged return addresses mismatch and trigger a CPU exception
C) SHSTK makes the stack completely read-only
D) SHSTK requires ENDBR64 at every return address
Question 13 ⭐ What is the minimum number of gadgets required for a basic SROP attack?
A) One (a "syscall; ret" gadget, or just "syscall")
B) Five (one per register)
C) Seventeen (one per field in sigcontext)
D) At least fifty (must set up the full stack frame)
Question 14 Why is "pop rsi; pop r15; ret" a less desirable gadget than "pop rsi; ret" for setting RSI?
A) The longer gadget requires more bytes in the chain payload
B) The longer gadget also pops an unintended value into R15, requiring additional chain entries to reset R15 if it matters
C) The longer gadget is slower
D) The longer gadget cannot be used with ASLR enabled
Question 15 ⭐ Which property of x86-64 instruction encoding makes "unintended gadgets" possible?
A) x86-64 instructions are always aligned to 8-byte boundaries
B) x86-64 instructions are variable length (1-15 bytes); any byte offset can be the start of a valid instruction sequence
C) x86-64 uses a RISC-like encoding with fixed-width instructions
D) x86-64 has a separate instruction stream for 32-bit compatibility
Question 16 The information leak phase of a ret2libc attack (with ASLR) leaks one libc address. Why does this break ASLR for the entire libc?
A) One leaked address allows disabling ASLR in the current process
B) All offsets within libc are fixed; knowing one absolute address plus the fixed offset to any other symbol reveals all libc addresses
C) libc is not subject to ASLR; the leak is not needed
D) The leaked address is the libc base directly
Question 17 ⭐ CET IBT addresses what type of exploitation that SHSTK does not directly address?
A) Return address overwrites (ROP)
B) Indirect call/jump target manipulation (JOP, vtable hijacking, function pointer corruption)
C) Stack canary bypass
D) Information leaks via format strings
Question 18 In a ROP chain, "add rsp, 0x8; ret" is sometimes used as a "stack pivot skip". What does it accomplish?
A) It moves RSP forward by 8 bytes, skipping over data on the forged stack that would otherwise be consumed as a gadget address
B) It saves RSP to a register for later restoration
C) It aligns the stack to 16 bytes for function calls
D) It terminates the ROP chain
Question 19 ⭐ Formal proof that ROP is Turing complete means:
A) ROP can only perform computations that are in NP
B) Any computation expressible as assembly can be expressed as a ROP chain, given sufficient gadget diversity
C) ROP chains always require exactly 42 gadgets for any computation
D) ROP is computationally equivalent to regular expressions
Question 20 A server binary has all mitigations enabled including CET SHSTK. An attacker finds a memory corruption vulnerability that can write 8 bytes to an arbitrary writable address. What is the MOST USEFUL target for this write?
A) The return address on the stack (cannot be used; SHSTK will detect the mismatch)
B) A function pointer in a heap object (vtable, callback), since SHSTK does not protect indirect calls unless IBT is also enabled
C) The canary value in TLS (read-only; cannot be written)
D) The PIE base address in memory (not a single location; the PIE base is determined at load time)
A) The return address on the stack (cannot be used; SHSTK will detect mismatch) B) A function pointer in a heap object (vtable, callback), since SHSTK does not protect indirect calls unless IBT is also enabled C) The canary value in TLS (read-only; cannot be written) D) The PIE base address in memory (not a single location; PIE base is determined at load time)