Software Security Week 5 Quiz Answer
In this article i am gone to share Coursera Course Software Security Week 5 Quiz Answer with you..
Software Security Week 5 Quiz Answer
Also visit this link: Software Security Week 4 Quiz Answer
Week 5 Quiz Answer
Question 1)
A static analysis
- is always better than testing
- analyzes a program’s code without running it
- is a kind of real analysis for solving numeric equations
- analyzes the fixed, or static portions of a program
Question 2)
Which of the following are advantages of static analysis over testing?
- A static analysis runs faster than testing
- A static analysis is more precise than testing
- A static analysis can analyze programs that are not necessarily executable on their own, e.g., libraries
Question 3)
The halting problem is the problem of determining, for an arbitrary program and input, whether the program will finish running or continue to run forever. Which of the following statements about the halting problem are true?
- You cannot build an automated analysis that proves that a particular program P terminates.
- Many other program analysis problems can be converted to the halting problem.
- You cannot solve the halting problem with static analysis, but you can with symbolic execution.
Question 4)
Suppose we have a static analysis that aims to find buffer overflows in C programs. If the analysis is sound, then which of the following is true about it?
- It will report all actual bugs, and have no false alarms
- It may miss bugs, and have false alarms
- It may have false alarms, but will not fail to report actual bugs
- It will not have any false alarms, but may fail to report actual bugs
Question 5)
A tainted flow is
- A flow from an untrusted source to both trusted and untrusted sinks
- A flow from an untrusted source to a trusted sink
- A flow from a trusted source to an untrusted sink
- A flow from a trusted source to both trusted and untrusted sinks
Question 6)
Consider the program below, using the qualified types annotations for tainted flows given in the lecture (shown in comments). In particular, notice that the variable fmt and the argument to printf are untainted, while the result of fgets is tainted. Suppose we analyze this with a tainted flow analysis. This program has no bugs, but which kinds of analysis report a false alarm?
/* int printf(untainted char *fstr, …); */
/* tainted char *fgets(…); */
char *chomp(char *s) {
int i, len = strlen(s);
for (i = 0; i<len; i++)
if (s[i] == ‘n’)
s[i] = ‘�’;
break;
}
return s;
}
void foo(FILE *networkFP, untainted char *fmt) {
char buf[100];
char *str = fgets(buf, sizeof(buf), networkFP);
char *str1 = chomp(str);
char *fmt1 = chomp(fmt);
printf(fmt1,str1);
}
- flow-sensitive, context-sensitive
- path-sensitive, context-sensitive
- flow-sensitive, context-INsensitive
- flow-INsensitive, context-INsensitive
Question 7)
Consider the following code, where the referenced chomp function is the same as in the previous question. Suppose we analyze this with a tainted flow analysis. Once again, this program has no bugs, but which kinds of analysis report a false alarm?
void bar(FILE *networkFP, char *fmt, int testing) {
char buf[100];
char *str = fgets(buf, sizeof(buf), networkFP);
char *str1 = chomp(str);
if (testing)
str1 = “test format”;
printf(fmt,str1);
if (testing)
printf(str1);
}
- flow-sensitive, context-sensitive
- path-sensitive, context-INsensitive
- flow-sensitive, context-INsensitive
- flow-INsensitive, context-INsensitive
Question 8)
Which of the following are true of implicit flows?
- Implicit flows are rarely detected by tainted flow analyses, because detecting them can increase false alarms
- They only arise in object-oriented languages with dynamic dispatch, since the choice of method to call is implicit
- One can occur when assigning an untainted value to an untainted variable, but conditioned on a tainted value
Question 9)
What is a key advantage of symbolic execution over static analysis?
- Symbolic executors consider all possible program runs, while static analyses don’t
- As a generalized form of testing, when a symbolic executor finds a bug, we are sure it is not a false alarm
- Symbolic executors can consider partial programs (e.g., libraries) while static analyzers cannot
- Symbolic executors are both sound and complete, while static analyzers can only be one or the other
Question 10)
Symbolic execution, viewed as a kind of static analysis, has which of the following “sensitivities?”
- Flow-sensitivity
- Context-sensitivity
- Path-sensitivity
- All of the above
Question 11)
Why is concolic execution problematic for non-terminating programs?
- Non-terminating programs will consume too many resources
- Non-terminating programs require user interaction, which concolic execution does not handle
- Its search strategy is to choose new test cases based on constraints generated by terminating runs
- Concolic execution takes a breadth-first approach, but non-terminating programs are better suited to a depth-first approach
Question 12)
Suppose that x and y in the following program are symbolic. When the symbolic executor reaches the line that prints “everywhere” what will the path condition be?
/* assume x and y are both symbolic */
void foo(int x, int y) {
if (x > 5) {
if (y > 7) {
printf(“heren”);
} else {
if (x < 20)
printf(“everywheren”);
else
printf(“nowheren”);
}
}
}
- ¬(y > 7) ∧ x < 20
- x > 5 ∧ ¬(y > 7) ∧ ¬(x < 20)
- x > 5 ∧ ¬(y > 7) ∧ x < 20
- x > 5 ∧ y > 7 ∧ x < 20
Question 13)
Suppose that x in the following program is symbolic. When the symbolic executor reaches the line that prints “here” what will the path condition be?
void bar(int x) {
int z;
if (x > 5)
z = 5;
else
z = 1;
if (z > 3)
printf(“heren”);
}
- x > 5 ∧ z > 3
- x > 5
- ¬(x > 5) ∧ z > 3
- z > 3
Question 14)
Which of the following are heuristics that symbolic executors use to cover more of the search space?
- Randomly restart the search from the main function
- Switch between concolic and non-concolic execution
- Choose between two paths based on a notion of priority
- Choose between two paths based on whether one reaches program statements not previously executed