Massachusetts Institute of Technology
6.857: Network and Computer Security
Handout 15
November 16, 2004
Professor Ronald L. Rivest
Due: November 23, 2004

Problem Set 6

Submit this problem set in PostScript, PDF, or MS Word format to [email protected] before lecture on the due date. We have provided templates for LaTeX and Microsoft Word on the course website. Each solution must appear on separate sheets of paper. Mark the top of each sheet with your name(s), the course number (6.857), the problem set number and question, and the date.

You are to work in groups of three or four people and should submit a single set of solutions for all problem parts designated [Group]. You should turn in a separate, individual solution to any problems designated [Individual].

Problem 6-1. Dig'em Stacks [Group]

Bob has hired you as a consultant to analyze his code for possible security flaws. Unfortunately, Bob is supremely confident in his coding skills and will not believe a security flaw exists unless he can reproducibly demonstrate it.

Bob provides you a snippet of code to analyze that is available at http://crypto.csail.mit.edu/classes/6.857/bob.c and printed below. Bob's code simply takes an input char*, prints out a greeting, then returns the address of its local buffer as a long.

    #include <stdio.h>
    #include <string.h>
    #include <strings.h>   /* declares bzero() on POSIX systems */

    /* Bob's code snippet displays a greeting message then
       returns the address of the stack pointer as a long */
    unsigned long bob(char* input)
    {
        char buf[64];
        bzero(buf, 64);
        strcpy(buf, input);   /* copies input into buf with no length check */
        printf("Hello %s, my name is Bob.\n", buf);
        return (unsigned long)&buf;
    }

(a) Demonstrate a buffer overflow attack that allows you to execute /bin/sh by calling bob(char *) with an appropriately formed input. Provide the source code of your attack. Please ensure that your code is adequately commented, understandable, and formatted for printing. A basic attack can be implemented in less than 20 lines of code.

(b) Explain how you would conduct the attack in part (a) if Bob did not cheerfully provide his stack pointer address for you.

(c) Fix Bob's code so that it is not susceptible to this attack.

(d) Considering Bob's flaw in this code, what other C commands could potentially be abused in buffer overflow attacks?

(e) Find a buffer-overflow prevention or detection tool and use it on Bob's code. For example, you may want to try StackGuard, StackShield, or ProPolice. Explain what tool you tried, whether it detected Bob's bug, and briefly comment on its usability.

Problem 6-2. Polymorphic Pseudoquines [Individual]

A quine is a program P that generates a copy of its own source text as its complete output, i.e. P is a quine if execute(P) → P. Define a pseudoquine as a program that outputs another pseudoquine of the same length as the original. Thus, quines are instances of pseudoquines that happen to output themselves.

Write a "polymorphic pseudoquine" P that selects a randomly chosen 6-digit integer r ∈ [100000, 999999], then outputs another polymorphic pseudoquine P′ such that r appears in P′. Turn in the source code for P, and the output P′ of one of its executions. Please ensure that your source code is formatted to be clear and easy to read.

You may use an existing quine as a starting point, as long as you cite your source. We may give special recognition to especially simple, clever, or elegant polymorphic pseudoquines.

Problem 6-3. Tagged and Released into the Wild [Group]

Choose three of the following six situations. For each of those three, discuss the potential security benefits and risks of using RFID technology. Based on these benefits and risks, give your opinion of whether RFID use is acceptable in each of these three settings.

You should consider costs, convenience, privacy, security vulnerabilities, and how RFID compares to alternate or existing systems. If you consider RFID to be unacceptable, briefly discuss any countermeasures or policies which could be used to make it acceptable in your view.

State any assumptions you make for your answer. If there are minor tweaks that would in your opinion make the system more acceptable, explain those as well. Limit your answer to a maximum of two pages for the entire problem.

1. A grocery store keeps RFID tags on individual items. They are used to facilitate checkout, to keep track of inventory on shelves, and as an anti-theft measure.
2. People may elect to have an RFID tag implanted under their skin. In the event of a medical emergency, emergency personnel can scan the tag and look up its entry in a database; the database contains not a full medical history but only certain critical information (e.g. "allergic to penicillin").
3. A university puts RFID tags in the ID cards it gives to students, faculty, and staff, for use in building and lab access.
4. A large retailer puts RFID tags on pallets and crates of products in their warehouses for supply-chain management. The tags track the boxes from the factory to the warehouse to the store, but are not placed on the individual items.
5. A country considers embedding RFID chips in its large-denomination bills, as an anti-counterfeiting measure and also a potential anti-theft measure.
6. RFID tags are used on highways in order to pay tolls. A car need only slow down and drive through a special lane in order to pay a toll: a reader reads the tag on the windshield and deducts the toll from the associated credit/debit account.

Problem 6-4. Program Shepherding [Group]

Describe to what extent, if any, the "program shepherding" technique of Kiriansky, Bruening, and Amarasinghe may be useful in defeating the following kinds of attacks. Justify your answers briefly. Indicate what security policies, settings, and usage mode for program shepherding might be used, if any.

1. The user downloads and executes on his PC a game that has been infected with a polymorphic virus.
2. A sysadmin has modified the system login and compiler binaries in accordance with Ken Thompson's "Reflections on Trusting Trust".
3. The emulator within a virus detector contains a bug allowing the (emulated) virus to cause the emulator to be "off-by-one" in certain conditions, causing the virus detection emulator to start emulating code from the wrong location (wrong means not the same as what the hardware execution unit would do when executing this code in native mode).
4. The malware detects the presence of the RIO program shepherding sandbox, and pops up a window to the user asking him
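A hardened rewrite of Bob's bob() from Problem 6-1, added here as an example and not part of the handout or of bob.c; the names bob_safe, bob_strict and overlong_input are chosen for this example. It shows the two usual defensive choices, bound the copy and report truncation, or reject input that would not fit, and drops the returned stack address.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* same buffer size as Bob's original */

/* Hardened greeting (added example, not Bob's code from the handout).
 * Bob's strcpy() copied an attacker-controlled string into a 64-byte
 * stack buffer with no bound, so input of 64+ bytes overwrote whatever
 * lay above buf on the stack.  This version bounds the copy with
 * snprintf() and reports truncation to the caller.
 * Returns 0 if the input fit, 1 if it was truncated, -1 on error. */
int bob_safe(const char *input)
{
    char buf[BUF_LEN];
    /* snprintf() writes at most sizeof buf bytes (NUL included) and
       returns the length the untruncated string would have had. */
    int needed = snprintf(buf, sizeof buf, "%s", input);
    if (needed < 0)
        return -1;
    printf("Hello %s, my name is Bob.\n", buf);
    /* &buf is no longer returned: handing out a stack address gives an
       attacker exactly the value stack randomization tries to hide. */
    return (size_t)needed >= sizeof buf ? 1 : 0;
}

/* Fail-closed variant: reject over-long input instead of truncating.
 * memchr() stops at the first NUL, so it never scans past a shorter
 * input, and it never looks beyond BUF_LEN bytes of a longer one.
 * Returns 0 on success, -1 if the input would not fit. */
int bob_strict(const char *input)
{
    char buf[BUF_LEN];
    if (memchr(input, '\0', sizeof buf) == NULL)
        return -1;                 /* no terminator in 64 bytes: too long */
    strcpy(buf, input);            /* bounded by the check above */
    printf("Hello %s, my name is Bob.\n", buf);
    return 0;
}

/* Constructed sample input: 99 'A's, well past the 64-byte buffer. */
const char *overlong_input(void)
{
    static char s[100];
    memset(s, 'A', sizeof s - 1);
    s[sizeof s - 1] = '\0';
    return s;
}
```

The boundary is 63 characters plus the terminator: a 63-byte name fits both variants, a 64-byte one is truncated by bob_safe and refused by bob_strict.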