Exercise 1
==========

Q1.

    #include <stdio.h>
    #include <stdlib.h>

    int main() {
        int x = rand();
        int y = rand();
        int i;
        scanf("%d", &i);
        if (!((x*x + x) % 2)) {
            if (7*y*y - 1 == x*x) {   // always false
                printf("positive");
            } else {
                if (i > 0) printf("positive");
                else printf("negative");
            }
        } else   // always false
            printf("positive");
        return 0;
    }

Q2. A possible solution to detect opaque predicates could be to:
- notice that some variables are random
- run the code (under gdb) to see on a few samples that the value of the complex conditions is unchanged whatever the values of x and y are
...

Q3. Other code obfuscation techniques are:
- virtualization, namely replacing the whole code by an interpreted byte-code + the corresponding interpreter
- variable splitting/merging
- CFG flattening using arrays etc.

Exercise 2
=================================

    char buf[8];

    char *receiver() {
        char x, hash = 0;
        for (int i = 0; i < 7; i++) {
            receive(x);
            buf[i] = x;
            hash = (hash + x) % 256;
        }
        if (buf[7] == hash) return buf;
        else return NULL;
    }

Q1. The hash function may detect a slight alteration of x (data mutation) when processed by the receiver.

Detected attack: if we receive the sequence "A,B,C,D,E,F,G, hash-value" and the last char is replaced by Z, then the hash will be incorrect.

Not detected attack:
- a swap between 2 values won't be detected
..

Q2.

    i = 0; i_save = 0;
    while (i < 7) {
        if (i != i_save) return (NULL);
        receive(x); x_save = x;
        buf[i] = x;
        if (i != i_save) return (NULL);
        if (x != x_save) return (NULL);
        hash = hash + x;
        if (x != x_save) return (NULL);
        i++; i_save++;
    }

Since each mutation on x will be detected, there's no need to compute the hash value anymore ...

Q3. To protect against test inversion, each test should be duplicated, namely

    while (i < 7) {
        if (!(i < 7)) return (NULL);
        if (i != i_save) return (NULL);
        if (i != i_save) return (NULL);
        /* etc. */
    }
    if (i < 7) return (NULL);

Possible 2-fault attacks:
- simultaneous data mutations on x and x_save
- mutation on x followed by a test inversion on the subsequent CM

Q4. Mutating the values of i and i_save by replacing them with 10 will produce a BoF when executing buf[i]=x. Possible consequences could be the following:
- crashing the application
- overwriting i, changing the loop behavior, and possibly losing some data transmitted
...
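
The detection claims of Exercise 2 (Q1 to Q3) can be checked with a small fault simulation. This is an added example, not part of the original solution: the fault models in `enum fault`, the helpers `frame_ok` and `hardened_copy`, and the sample payload are assumptions made for illustration, and the frame is taken to be 7 payload bytes followed by the checksum byte, as in the Q1 sequence.

```c
#include <stdio.h>

#define N 7  /* payload bytes; the frame's 8th byte carries the checksum */

enum fault { NONE, MUT_X, MUT_X_AND_SAVE };  /* hypothetical fault models */

/* Additive checksum of Exercise 2: sum of the payload bytes modulo 256. */
unsigned char checksum(const unsigned char *p) {
    unsigned char h = 0;
    for (int i = 0; i < N; i++) h = (unsigned char)(h + p[i]);
    return h;
}

/* Receiver-side check on a complete 8-byte frame: 1 = accepted. */
int frame_ok(const unsigned char frame[N + 1]) {
    return checksum(frame) == frame[N];
}

/* Q2 loop with duplicated i and x. The simulated fault flips one bit of x
   (and, for the 2-fault case of Q3, of x_save too) at iteration `at`.
   Returns 0 on success, -1 when a redundancy check fires. */
int hardened_copy(const unsigned char *in, unsigned char *out,
                  enum fault f, int at) {
    int i = 0, i_save = 0;
    while (i < N) {
        if (i != i_save) return -1;
        unsigned char x = in[i], x_save = x;
        if (f != NONE && i == at) {          /* injected fault */
            x ^= 0x20;
            if (f == MUT_X_AND_SAVE) x_save ^= 0x20;
        }
        out[i] = x;
        if (i != i_save) return -1;
        if (x != x_save) return -1;
        i++; i_save++;
    }
    return 0;
}

int main(void) {
    unsigned char frame[N + 1] = "ABCDEFG";  /* constructed sample payload */
    unsigned char out[N];
    frame[N] = checksum(frame);
    printf("intact frame accepted: %d\n", frame_ok(frame));
    printf("single fault on x: %d\n", hardened_copy(frame, out, MUT_X, 3));
    printf("faults on x and x_save: %d\n",
           hardened_copy(frame, out, MUT_X_AND_SAVE, 3));
    return 0;
}
```

In real firmware the duplicated variables are usually declared volatile so that the compiler does not fold the redundant checks away.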