Software Security Assignment: XSS, SQL Injection, and Exploitation
AI Summary
This assignment solution delves into the realm of software security, dissecting various vulnerabilities and exploitation techniques. It begins by analyzing a C code fragment, identifying vulnerabilities related to buffer overflows and format string bugs, and detailing how an attacker could exploit these flaws. The solution explores the effectiveness of security measures like StackGuard and bounds checkers and proposes methods for fixing the identified weaknesses. The assignment then shifts to Cross-Site Scripting (XSS), explaining its mechanics, the information an attacker can steal using XSS, and mitigation strategies. Following this, it addresses SQL injection attacks, describing how they work, identifying potential input variables susceptible to such attacks, and outlining mitigation techniques. The solution also includes an analysis of Kevin Mitnick's attack on Tsutomu Shimomura's systems, breaking down the attack into its phases. The assignment concludes with a discussion of practical challenges in symbolically exploring a target program.

Running Header: SOFTWARE SECURITY
Name
Institution
Date
Question 1
a. Give a thorough description of the program’s vulnerability.
Answer:
The program's vulnerabilities relate to string handling and buffer overflow
manipulation. As a result, maliciously crafted input values, adapted to the
environment and the architecture, can lead to arbitrary program execution.
The program has the following common errors:
sprintf – it is vulnerable to overflows since it does not check buffer boundaries.
printf – this is usually associated with format string attacks, which result in
information leakage and overwriting of memory. This error can be exploited through
snprintf, fprintf, sprintf and printf.
b. How would an attacker exploit the vulnerability? Hint: describe in detail what the
injection vector would look like (and what retaddr and retloc the attacker may use).
Use symbolic values and addresses when needed (no need to write down the
shellcode).
Answer:
ISNOTREE compares the 't_l' field of the TREE structure with -1; -1 is the special
indicator for non-tree nodes.
This is the first condition that has to be met:
2. fake->t_l = -1;
Unlinking of FOR (t_n) and BAK (t_p) takes place at this point and is rewritten as:
t1 = fake->t_p
t2 = fake->t_n
t2->t_p = t1
t1->t_n = t2
These happen together and, written as pseudo raw assignments, are:
[t_n + (1 * sizeof (WORD))] = t_p
[t_p + (4 * sizeof (WORD))] = t_n
In this manner, both the arbitrary address and the valid address are written simultaneously.
For the program, this can be used:
t_p = retloc - 4 * sizeof (WORD)
t_n = retaddr
*(retaddr + 8) will be overwritten with retloc, and retloc will be overwritten with retaddr.
The code at retaddr will not execute at this address, because the code will have a small jump
over bytes 8-11. Hence the addresses can be interchanged if that fits the situation
better.
c. Would StackGuard or a bounds checker fix the vulnerability? Explain clearly the
reasons.
Answer:
No. There are four different tricks that can be used to bypass StackGuard and
StackShield protection. These tricks are:
i. Function argument control: local variables may not be protected, and this
condition presents a state in which the above C program can be exploited. Using this
method, local pointers are used to overwrite binary memory.
ii. An alternate frame pointer is returned – on the first return one can gain control
over the frame pointer, and before the following frame pointer one can gain access
to the stack pointer, thus directing where the function will return.
iii. Greater control over local variables – at least overwriting a major byte of the
frame pointer with a null will shift it, at most, 255 bytes before the stack space.
Normally, this is exploited by creating a new stack that has a new return address,
but that would be ignored or detected.
iv. Pointing the caller's frame to the GOT – in normally compiled C code, when not using
-fomit-frame-pointer, every local variable is accessed relative to the frame
pointer. In this case, if the attacker has full control over it, he or she can decide
where in memory the local variables are placed. This is the same trick as in the
previous point, but attackers do something else with it.
d. How can the program be fixed?
Answer:
Part one
The program can be fixed using the following two methods.
Vulnerability
sprintf(lbuf, "%s", "Welcome: ");
Solution
int length = snprintf(lbuf, BUFFER_SIZE, "%s%s", "Welcome: ", suffix);
if (length >= BUFFER_SIZE) {
    /* the output was truncated: report the error instead of using lbuf */
}
Part two:
Vulnerability
printf(lbuf);
Solution
$ gcc -mpreferred-stack-boundary=2 FormatString.c -o FormatString
$ ./FormatString %s
Welcome!
$
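The two fixes above can be checked in one small program. The following is an added example written for this page, not code from the assignment: it assumes a buffer of BUFFER_SIZE bytes and a user-supplied name (the "suffix" of the original), builds the welcome line with snprintf while detecting truncation through its return value, and prints the result with a fixed "%s" format so that directives such as %x or %n in the input are never interpreted. The helper names welcome_length, print_welcome and contains_format_directive are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define BUFFER_SIZE 32

/* Builds "Welcome: <name>" into out (capacity out_size).
 * Returns 0 on success and -1 if the result did not fit. Unlike sprintf,
 * snprintf never writes more than out_size bytes, and its return value is
 * the length the full string would have had, which is how truncation is
 * detected. */
int build_welcome(char *out, size_t out_size, const char *name)
{
    int n = snprintf(out, out_size, "%s%s", "Welcome: ", name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;   /* out holds a NUL-terminated prefix; treat as an error */
    return 0;
}

/* Length of the welcome line for name, or -1 if it would be truncated
 * (assumed helper wrapping build_welcome, convenient for checks). */
int welcome_length(const char *name)
{
    char buf[BUFFER_SIZE];
    if (build_welcome(buf, sizeof buf, name) != 0)
        return -1;
    return (int)strlen(buf);
}

/* Prints a user-controlled string safely: the data is an argument to a fixed
 * "%s" format, so %x or %n inside name is printed literally rather than
 * interpreted as a directive. Returns the number of characters printed, or
 * -1 if the line did not fit in the local buffer. */
int print_welcome(const char *name)
{
    char lbuf[BUFFER_SIZE];
    if (build_welcome(lbuf, sizeof lbuf, name) != 0)
        return -1;
    return printf("%s\n", lbuf);   /* never printf(lbuf) */
}

/* Returns 1 if a string contains a '%', i.e. something that printf(lbuf)
 * would have interpreted; handy for logging suspicious input. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* constructed inputs: one fits, one is too long, one carries directives */
    printf("%d\n", welcome_length("alice"));                                    /* 14 */
    printf("%d\n", welcome_length("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"));  /* -1 */
    print_welcome("%x%x%x%n");                     /* printed literally, not interpreted */
    return 0;
}
```

The truncation check is the part most often forgotten: snprintf is safe against overflow on its own, but a silently truncated welcome line (or, worse, a truncated path or command) is still a logic bug, so the caller should act on the -1.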
Question 2
a. Cross Site Scripting is often abbreviated as XSS.
i. Briefly describe how Cross Site Scripting (XSS) works
Answer:
XSS refers to a client-side code injection attack wherein a hacker can execute
maliciously crafted input in a legitimate web application or site. XSS is
among the most widespread web application vulnerabilities and happens
when a web application makes use of unencoded or unvalidated user input
inside the output it generates. A hacker using XSS does not target the
victim directly. Rather, the attacker exploits a vulnerability in the web
application or site that the victim browses, using the vulnerable site as a
vehicle to deliver malicious content to the victim's browser.
ii. State what information an attacker can steal using XSS and why is it
useful.
Answer:
There are three major kinds of information an attacker can steal:
Credentials – a hacker can steal login credentials by cloning the login page
of the web application and serving it to the victims.
Sensitive data – XSS can be used to exfiltrate sensitive data such as card
numbers or personal identification numbers.
iii. How can the effects of XSS be mitigated? Please outline limitations as
well, if any
Answer:
To limit the dangers linked with XSS, programmers ought to encode all fields
when displaying them in the browser. As a defence-in-depth strategy, ensure
that cookie attributes (such as HttpOnly) and security headers, particularly
CSP, are set as required. Lastly, regular penetration tests would help
identify such errors and improve the security posture of the web application.
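The first mitigation, encoding every field before it is displayed, is shown below as an added example in C, which is not part of the assignment's answer. It assumes the value is being placed in an HTML element body (attribute, URL and JavaScript contexts need their own encoders), encodes the five characters that can change the HTML parse, and also builds a Set-Cookie header carrying the HttpOnly attribute the answer mentions. The function names html_encode, encode_matches and build_session_cookie, and the sample comment text, are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Encodes s for insertion into an HTML element body (text between tags).
 * Writes into out (capacity out_size) and returns the encoded length, or -1
 * if out is too small. Each of the five characters that can alter the HTML
 * parse becomes a character reference, so a stored <script> tag renders as
 * visible text instead of executing. */
int html_encode(const char *s, char *out, size_t out_size)
{
    size_t used = 0;
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (used + len + 1 > out_size)   /* +1 keeps room for the NUL */
            return -1;
        memcpy(out + used, rep, len);
        used += len;
    }
    out[used] = '\0';
    return (int)used;
}

/* Returns 1 if encoding in produces exactly expected, else 0
 * (assumed helper for checking the encoder). */
int encode_matches(const char *in, const char *expected)
{
    char buf[256];
    return html_encode(in, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

/* Builds a Set-Cookie header value: HttpOnly keeps script (including injected
 * script) from reading the cookie, Secure restricts it to HTTPS. Returns the
 * length written, or -1 if out is too small. */
int build_session_cookie(char *out, size_t out_size,
                         const char *name, const char *value)
{
    int n = snprintf(out, out_size, "%s=%s; HttpOnly; Secure; SameSite=Strict",
                     name, value);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

int main(void)
{
    char buf[256];
    /* constructed sample: a comment-field value carrying a script tag */
    const char *input = "<script>alert('x')</script>";
    html_encode(input, buf, sizeof buf);
    printf("%s\n", buf);   /* &lt;script&gt;alert(&#x27;x&#x27;)&lt;/script&gt; */
    build_session_cookie(buf, sizeof buf, "session", "abc123");
    printf("Set-Cookie: %s\n", buf);
    return 0;
}
```

Encoding is applied at output time, once per rendering context; encoding on input instead tends to double-encode or to leave a second output path (a CSV export, a JSON API) unprotected.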
b. SQL Injection is a popular way of attacking applications that use SQL
databases.
i. Briefly describe how SQL Injection works.
Answer:
To run malicious SQL queries against a database server, a hacker must first
find an input in the web application that is incorporated within a SQL query.
Hence, for a SQL injection attack to occur, the vulnerable site needs to
directly incorporate client input inside a SQL statement. A hacker would then
be able to embed a payload that is incorporated as a component of the SQL
query and run against the database server.
ii. Apart from username and password input fields, which variables are
candidates for SQL Injection?
Answer:
Contacts
Reports
Confidential information
iii. What techniques can an application programmer use to mitigate the
effects of SQL injection attacks? Please outline limitations as well, if any.
Answer:
Avoid dynamic SQL whenever it can be avoided: use prepared statements,
parameterized queries or stored procedures instead whenever possible.
Patch and update: vulnerabilities in databases and applications that attackers
can exploit using SQL injection are found regularly, so it is imperative to
apply updates and patches as soon as practical.
Firewall: a web application firewall, whether appliance or software based,
should be considered to assist in filtering out malicious input. Good ones
will have a thorough set of default rules and make it simple to add new ones
whenever needed. A web application firewall can be especially valuable in
giving some protection against a specific new vulnerability before a patch is
available.
Reduce the attack surface: any database functionality that is not necessary
should be removed, so that a hacker cannot exploit it.
iv. Construct a URL and the corresponding SQL query that deletes all
entries from the customers
Answer:
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%20';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%27';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3b';
DELETE FROM Encoding_Information
WHERE Encoding_Name = '%3d';
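The firewall mitigation in (iii) and the URL-encoded characters in the answer to (iv) (%20, %27, %3b, %3d) fit together: a filter must percent-decode a parameter before it can see the quote or semicolon hidden in it. The following is an added example, not the assignment's own code, of the kind of rule a web application firewall applies. It assumes a query-string value arrives raw, decodes it, and flags values that would break out of a quoted SQL literal. The function names url_decode, looks_like_sql_injection, check_query_value and decodes_to, and all sample values, are constructed for this demonstration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decodes a URL query value into out (capacity out_size), treating
 * '+' as a space. Returns the decoded length, or -1 on a malformed escape or
 * lack of space. Decoding first matters: %27 is only a quote after decoding. */
int url_decode(const char *in, char *out, size_t out_size)
{
    size_t n = 0;
    while (*in) {
        int c = (unsigned char)*in;
        if (c == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            char hex[3] = { in[1], in[2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            in += 3;
        } else {
            if (c == '+')
                c = ' ';
            in++;
        }
        if (n + 1 >= out_size)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Returns 1 if a decoded value contains characters or tokens that would
 * change the structure of a quoted SQL literal: a single quote, a statement
 * separator, or a comment marker. This is what a firewall rule does; it is a
 * stop-gap, not a substitute for prepared statements, and it also rejects
 * legitimate values such as O'Brien (a limitation worth stating). */
int looks_like_sql_injection(const char *decoded)
{
    return strchr(decoded, '\'') != NULL
        || strchr(decoded, ';') != NULL
        || strstr(decoded, "--") != NULL
        || strstr(decoded, "/*") != NULL;
}

/* Decodes a raw query value and classifies it in one step.
 * Returns 1 (suspicious), 0 (clean), or -1 (undecodable: reject as well). */
int check_query_value(const char *raw)
{
    char buf[256];
    if (url_decode(raw, buf, sizeof buf) < 0)
        return -1;
    return looks_like_sql_injection(buf);
}

/* Returns 1 if raw decodes exactly to expected (assumed helper for checks). */
int decodes_to(const char *raw, const char *expected)
{
    char buf[256];
    return url_decode(raw, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample values as they would appear in a query string */
    const char *samples[] = { "alice", "smith%27%3b--", "O%27Brien", "bad%2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s -> %d\n", samples[i], check_query_value(samples[i]));
    return 0;
}
```

The O'Brien case is the limitation the question asks for: a character-based filter cannot tell a name from a payload, so the durable fix remains binding user input as a parameter, which keeps it out of the query's structure altogether.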
Question three
a. Is it possible to successfully exploit this vulnerability? In other words, is it possible
to provide specific input to such a program to take advantage of its vulnerability
and thus execute arbitrary code (for instance, spawning a shell), on x86-32
architectures? If yes, explain how you would exploit it (high-level steps). If not,
explain why and what you would change in the code to make it exploitable.
Answer:
Yes. One can easily inject malicious code into the memory of a running application
through the buffer overflow vulnerability. The program is vulnerable since it reads the
content from badfile and copies it to the buffer. Thus the malicious program can be stored in
binary form in badfile, and the vulnerable program will copy the malicious code into the buffer.
b. Assuming the above assembly snippet (shown in Question 3 (b)) will be placed on
the stack, what does the assembly code do? Add comments to each line and draw the
stack layout before and after the considered instruction is executed. Note: you
should clearly point out the direction the stack is growing towards.
Answer:
int
main(void)
{
    __asm__( /* inline assembly: jump forward, then call back so that the
                address of the string is pushed as a "return address" */
    "jmp ahead\n"
    "back:\n"
    "    popl %ebx\n"             /* ebx = address of "/bin/sh" (pushed by call) */
    "    movl %ebx, 0x8(%ebx)\n"  /* store that address right after the string: argv[0] */
    "    movl $0x0, %eax\n"       /* eax = 0 */
    "    movb %al, 0x7(%ebx)\n"   /* write the NUL that terminates "/bin/sh" */
    "    movl %eax, 0xc(%ebx)\n"  /* argv[1] = NULL, terminating the argv array */
    "    movl %eax, %edx\n"       /* edx = envp = NULL */
    "    movl $0xb, %eax\n"       /* eax = 11, the execve system call number */
    "    leal 0x8(%ebx), %ecx\n"  /* ecx = argv (address of the stored argv[0]) */
    "    int $0x80\n"             /* enter the kernel: execve("/bin/sh", argv, NULL) */
    "ahead:\n"
    "    call back\n"             /* push the address of the string below, jump to back */
    "    .string \"/bin/sh\""     /* the program path, laid out right after the call */
    );
}
Question 4
Describe in detail the attack that Kevin Mitnick launched against Tsutomu Shimomura’s
systems in San Diego on December 25th 1994. Please break down the answer by starting off
with a summary (worth 1 mark) of the attack, followed by the four phases we outlined in
the lectures (worth 6 marks each).
Answer:
Summary
As a hacker, Kevin Mitnick was an irritation. He broke into computers for 15 years, analysed the
systems, stole things, and after that broke into yet more telephone systems and computers. So, on
December 25, 1994, when he broke into the elaborate computer system in Shimomura's San Diego home
using a never-before-seen, complex hacking technique and afterwards stole some sophisticated mobile
phone tools, Shimomura made it a personal challenge. Following Mitnick's trail, Shimomura turned
into a cybersleuth, set on catching Kevin. The story of Tsutomu Shimomura closing the trap on Kevin
and bringing him to justice is an exclusive account of the last hours of Shimomura's quest.
Detailed steps of Kevin Mitnick's attack against Tsutomu Shimomura's systems in San Diego
Information gathering: Prior to the attack, Mitnick was able to determine the characteristics of
the X-Terminal's TCP sequence number generator and the trust relationship in the connection
between the Server and the X-Terminal. Kevin sent a SYN request to the X-Terminal and got a SYN/ACK
response. Afterwards, he sent a RESET to keep the X-Terminal's connection queue from filling up.
He repeated this twenty times. He discovered there was a pattern between two
consecutive TCP sequence numbers. He found that the numbers were not arbitrary at all.
Each number was greater than the previous one by 128000.
The flood: Kevin kept the Server silent by filling it with half-open SYN requests
from a spoofed IP address. To make the half-open SYN requests, Kevin used a routable but
inactive IP address. Since his intention was not to complete the three-way handshake with the Server,
the half-open requests occupied the Server's memory quickly. The outcome was that the
Server did not respond to any other request. This was a form of Denial of Service attack.
Trust relationship hijacking: Kevin sent an ACK request to the X-Terminal as the Server, with a
spoofed IP address. He used an arbitrary number as the Server's TCP sequence number. The
X-Terminal sent a SYN/ACK response to the Server. Since the Server had been silenced, the
SYN/ACK response was not received. From the information gathering step, Mitnick could produce the
TCP sequence number that the X-Terminal generated for the Server. Kevin, with his IP spoofed as the
Server's IP, sent a SYN response to the X-Terminal to complete the three-way handshake. Because the
returned TCP sequence number was right, the X-Terminal allowed Kevin to connect to it. A
connection was established. Shimomura's computers were hacked by completing
this step.
Remote command pump: Kevin had planned to create a backdoor on Shimomura's
computer so he could return later without repeating the hijack. From his computer, he pumped
commands to Shimomura's computer. To be precise, they were "echo + + >> /.rhosts". The
"+ +" allowed any computer to connect to the X-Terminal without being authenticated.
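The information-gathering phase above rests on one observation: consecutive initial sequence numbers (ISNs) from the X-Terminal differed by a constant, so the next one could be predicted. The following is an added example, not part of the assignment's answer, that turns that observation into the check a defender would run against their own hosts: collect ISNs from successive connections, test whether every consecutive difference is the same constant (modulo 2^32, since sequence numbers wrap), and report the step. The function names and both sample series are constructed for this demonstration; the weak series steps by 128000, the value the answer reports.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Examines ISNs collected from successive connections and reports whether
 * every consecutive pair differs by the same constant. A generator with this
 * property is predictable: one observed ISN gives away the next. Returns 1
 * if the delta is constant (storing it in *delta), 0 otherwise. Subtraction
 * on uint32_t is modulo 2^32, matching TCP sequence number wrap-around. */
int isn_constant_delta(const uint32_t *isn, size_t n, uint32_t *delta)
{
    if (n < 3)            /* two samples give one delta; nothing to compare */
        return 0;
    uint32_t d = isn[1] - isn[0];
    for (size_t i = 2; i < n; i++)
        if (isn[i] - isn[i - 1] != d)
            return 0;
    *delta = d;
    return 1;
}

/* Convenience wrapper (assumed helper): the constant delta, or 0 when the
 * series is not constant-step. */
uint32_t constant_delta_or_zero(const uint32_t *isn, size_t n)
{
    uint32_t d = 0;
    return isn_constant_delta(isn, n, &d) ? d : 0;
}

/* Under a constant-delta generator, the ISN the host will hand out next. */
uint32_t isn_predict_next(uint32_t last, uint32_t delta)
{
    return last + delta;
}

/* Constructed samples: a generator stepping by 128000 (0x1F400), and one
 * whose steps vary as a randomised generator's would. */
static const uint32_t weak_isn[] = { 0x10000000u, 0x1001F400u, 0x1003E800u, 0x1005DC00u };
static const uint32_t varied_isn[] = { 0x3A1F5C02u, 0x7B40D3E1u, 0x1290AA07u, 0xC3F0123Du };

int main(void)
{
    uint32_t d;
    if (isn_constant_delta(weak_isn, 4, &d))
        printf("weak generator: step %u, next ISN 0x%08X\n",
               d, isn_predict_next(weak_isn[3], d));
    printf("varied generator constant-step: %d\n", isn_constant_delta(varied_isn, 4, &d));
    return 0;
}
```

A constant step is the crudest failure; a real audit would also look at the distribution of deltas over many samples, since a generator whose step is merely small or clock-derived is still guessable in a handful of tries.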
Question five
Part one
a. Give 2 practical challenges associated with symbolically exploring a target program.
Answer:
1. How to successfully explore the vast number of application paths in real-world
programs.
2. The path guidance techniques are in most cases ad hoc and ineffective.
b. For each of the 2 challenges given in the previous point, explain commonly
employed approaches for addressing them.
Answer:
1. To tackle the challenge of path exploration, developers use a unified technique to guide
symbolic paths.
2. Coverage-Optimized Search – uses heuristics to work out which condition has a
better chance of covering new code quickly.
Consider the function calc depicted below. Let us assume its input x is represented
by a symbolic value and that calc is explored using a symbolic execution engine.
a. Provide the symbolic expression of variable x at line 9.
Answer:
Y = ++30
b. Provide the full path condition at line 11
Answer:
If y is equal to 50
c. Provide the list of line numbers which cause state forking
Answer:
7 and 12
d. A SAT/SMT solver is queried to produce a concrete input for reaching line 11.
Answer: