Effective CISSP Questions

As a software developer using C-like programming languages, you received a credential in JSON format, {username: “”, password: “P@$$w0rd”}, from a client and invoked the function, int authenticate (char username[20], char password[10]), to validate the identity. Which of the following is most likely to compromise your code? (Wentz QOTD)
A. SQL Injection
B. Heap overflow
C. Stack overrun
D. Address space layout randomization (ASLR)

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Stack overrun.

Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

Memory Layout of a Process

Function calls typically involve pushing arguments and the return address to the stack instead of the heap. The following is a typical memory layout of a process, a program loaded into memory by the operating system for execution:

  • Text Segment: executable code.
  • Data Segment: global variables.
  • Heap (part of the working set): dynamically allocated memory/buffers.
  • Stack (part of the working set): local variables and the return address of a function.

A buffer is a segment of memory used to store data of a specific size. It overflows when more data is written into it than it can hold. The overflow typically causes an exception and may be abused for privilege escalation or to redirect the return address to code placed on the stack. If input validation and exception handling routines are properly arranged, a buffer overflow can be effectively mitigated.

A memory leak is a common application problem. When the OS loads and launches an application or process, it is allocated a limited amount of memory, aka the heap. The process may request segments of memory but never return them to the OS, so the available memory eventually runs out, performance degrades, and the process may crash. Modern runtime frameworks, e.g., .NET and the JVM, provide garbage collection or reference counting to address this issue.


The expression, int authenticate (char username[20], char password[10]), is a function signature or prototype that serves as a contract for providing a service while encapsulating the internal implementation details. As a result, we cannot tell whether a SQL database is employed at all: the function might validate users against a directory using LDAP, against a SQL database, or through other mechanisms.
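The signature quoted above also hides a C-specific trap: the declared bounds in char username[20] and char password[10] are not enforced by the compiler, so the callee must check lengths itself before copying into fixed-size stack buffers. The following is an added example, not code from the original post; the length check, the return codes and the expected credential "alice" are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not code from the original post. The signature
 * int authenticate(char username[20], char password[10]) is the one quoted
 * in the question; everything else here (the length check, the return codes,
 * the constructed expected credential) is assumed for illustration. */

#define USERNAME_CAP 20   /* the [20] in the signature */
#define PASSWORD_CAP 10   /* the [10] in the signature */

/* An array parameter decays to a pointer: inside the callee, sizeof(password)
 * is sizeof(char *), not 10. The compiler does not enforce the declared bound,
 * so the callee must check lengths itself before copying. */
size_t sizeof_array_param(char password[10]) {
    return sizeof(password);
}

/* Returns the string length if a terminating NUL lies within cap bytes, or -1
 * if the data (including its NUL) would not fit a cap-sized buffer. memchr
 * never reads past cap, so an unterminated input is rejected safely. */
long bounded_len(const char *s, size_t cap) {
    const char *nul = memchr(s, '\0', cap);
    return nul ? (long)(nul - s) : -1;
}

/* Hardened shape of the quoted function: validate, then copy into fixed-size
 * stack buffers with an explicit bound. Return codes (assumed):
 * 1 = authenticated, 0 = rejected, -1 = input refused as too long. */
int authenticate(char username[20], char password[10]) {
    char local_user[USERNAME_CAP];
    char local_pw[PASSWORD_CAP];

    long ulen = bounded_len(username, sizeof local_user);
    long plen = bounded_len(password, sizeof local_pw);
    if (ulen < 0 || plen < 0)
        return -1;   /* an unbounded strcpy here would be the stack overrun */
    if (ulen == 0)
        return 0;    /* the JSON in the question carried an empty username */

    memcpy(local_user, username, (size_t)ulen + 1);  /* bounded copies */
    memcpy(local_pw, password, (size_t)plen + 1);

    /* Constructed stand-in for the real identity store (LDAP, SQL, ...). */
    return strcmp(local_user, "alice") == 0 && strcmp(local_pw, "P@$$w0rd") == 0;
}
```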

Identity and Access Management


As a software developer using C-like programming languages, you received a credential in JSON format, {username: “”, password: “P@$$w0rd”}, from a client and invoked the function int authenticate (char username[20], char password[10]) to validate the identity. Which of the following is most likely to compromise your code? (Wentz QOTD)
A. SQL injection
B. Heap overflow
C. Stack overrun
D. Address space layout randomization (ASLR)
