Berkeley COMPSCI 161 - Homework

This preview shows page 1-2 out of 6 pages.


CS 161 Computer Security, Paxson, Spring 2011
Homework 1
Due: Wednesday, February 9, at 9:59pm

Instructions. Submit your solution by Wednesday, February 9, at 9:59pm, in the drop box labelled CS161 in 283 Soda Hall. Print your name, your class account name (e.g., cs161-xy), your TA's name, the discussion section time where you want to pick up your graded homework, and "HW1" prominently on the first page. Staple all pages together. Your solutions must be legible and the solution to each problem must be labelled clearly. You must work on your own on this homework.

Problem 1. Memory safety (20 points)

Alice has decided to write her diary in digital form. To make sure that the secrets of her life stay safe, she wants to encrypt the diary. She downloads from the web a command-line utility called encryptor for encrypting text. encryptor takes two arguments: a key and a filename to store the encrypted text. It reads the text to encrypt from the standard input and writes its encryption (using key) to the given file.

Alice decides it would be a good idea to store each day's diary in a separate file with a separate key. In the case of compromise of one key, her diary for other days will remain secure. In order to simplify the task, she has written the following code:

    struct date {
        int day;
        char *month;
        int year;
    };

    void write_diary(char *text, struct date today)
    {
        FILE *diary;
        char buf[200];
        int key = today.day + today.year * 365;

        sprintf(buf, "encryptor -k %d -f mydiary-%d-%s-%d.txt",
                key, today.day, today.month, today.year);
        diary = popen(buf, "w");
        if (!diary) {
            /* something about the command failed, give up */
            return;
        }
        fprintf(diary, text);
        pclose(diary);
    }

Unfortunately, Alice developed the code in a rush and did not write secure or robust code. One problem concerns her computation of the encryption key: it is both easy to guess and will sometimes repeat. Ignoring these encryption issues, identify at least 3 security problems with her code. For each problem, describe an example of input that an attacker could provide (in terms of the arguments in a call to write_diary) that would cause the security problem to occur.

Hint: Familiarize yourself with the workings of popen and pclose if they are new to you. You can read the manual pages for popen by typing "man popen" at a shell prompt on a Unix system.

Problem 2. Frame Pointer Overwrite (20 points)

The C code below has an off-by-one error: the loop in the vuln function iterates one more time than it should.

    void vuln(char *s)
    {
        char buffer[256];
        int i;
        int n = strlen(s);
        if (n > 256) n = 256;
        for (i = 0; i <= n; i++)
            buffer[i] = s[i];
    }

    int main(int argc, char *argv[])
    {
        if (argc < 2) {
            printf("missing args\n");
            exit(1);
        }
        vuln(argv[1]);
    }

In Section 0 we discussed the layout of the stack, including the different types of information that are stored on the stack during function calls. Different implementations can vary in the particulars of the stack layout, but for this problem assume a layout that corresponds to the specific example given in Section.

(a) You will likely find it helpful to sketch the stack for this program. (You do not have to include the sketch in your writeup.) Can the attacker overwrite the saved frame pointer ("SFP" in the Section notes)? Can the attacker overwrite the return instruction pointer (RIP)? Explain why for each.

(b) Explain how the attacker can exploit the opportunity to overwrite a single byte to modify the program's flow of execution.

Hint: Pay close attention to how returning from a function works; popping a return address from the stack has a dependency on SFP. You may find it helpful to read the discussion in the Section materials about the modification of registers by the leave and ret instructions of the x86 instruction set.

Problem 3. Heap Overflow (20 points)

Stack smashing attacks generally work by modifying a program's control flow, because information regarding control flow is stored in the same way as data. Similarly, heap overflow vulnerabilities arise because attackers can cause data they supply to be interpreted as control flow information.

The slides from Section 0 discuss general approaches to implementing heap-based storage. Review the chunk structure in those materials to understand how it differs for allocated chunks versus free chunks.

When using heap memory, a program releases a buffer by calling the free() function. free() adjusts the pointer passed to it to point to the beginning of the chunk and checks whether the surrounding chunks are allocated. If they are not, it merges the chunk being freed with the already free ones into a bigger chunk. [1] The merge process involves removing the free chunks from their bin, then consolidating the chunks, and finally placing the single new chunk into a bin according to its size.

In this problem we focus on a heap overflow that can be triggered during the removal of a chunk from its bin, which is implemented by the unlink macro:

    /* P: Chunk being unlinked, BK: Previous chunk, FD: Next chunk */
    #define unlink(P, BK, FD) {                                     \
        BK = P->bk;                                                 \
        FD = P->fd;                                                 \
        FD->bk = BK;    /* equivalent to *(P->fd+12) = P->bk */     \
        BK->fd = FD;    /* equivalent to *(P->bk+8) = P->fd */      \
    }

[1] There are other possibilities for how a system might implement malloc and free. Here we focus on a concrete implementation approach, namely the one presented in the Section materials.

Consider the following code example along with the corresponding heap layout, where we allocate zero-length buffers to keep the accompanying diagrams a bit simpler:

    char *buf1 = malloc(0);  /* empty, just to keep the diagrams simple */
    char *buf2 = malloc(0);
    char *buf3 = malloc(0);

    gets(buf2);

    free(buf1);
    free(buf2);

In the code, we allocate three zero-sized buffers. The code then copies user input from standard input into buf2, and finally frees the first two buffers. In the following, the left figure shows the heap layout before reading the input, and the right figure after having read the string "123456789012".

[Figure: heap layout of the chunks for buf1, buf2 and buf3, with the fields prev_size, size (carrying the PREV_INUSE flag), fd and bk. Left: before reading the input. Right: after reading the input, showing the bytes 34 33 32 31, 38 37 36 35, 32 31 30 39 and a terminating 0 written into the chunk fields.]

(a) Describe what happens when free(buf1) is called, and in particular how this results in corrupting the heap memory.

(b) How can an attacker exploit this vulnerability to inject code? For your analysis, assume that the second line of the code instead reads char *buf2 = malloc(256); so that it has enough space to hold the injected code. [2]

Problem 4. Security Principles (20 points)

Identify one or more security principles relevant to each of the following scenarios, giving a …
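For the unlink step described in Problem 3, the following added example (not part of the homework handout) compares the handout's unchecked unlink with a variant that first verifies both neighbours still point back at the chunk, the kind of consistency check hardened allocators perform. The struct layout and the names unlink_checked, unlink_unchecked and run_case are assumptions made for this sketch.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified free-chunk header using the handout's field names
   (layout constructed for this example). */
struct chunk {
    size_t prev_size, size;
    struct chunk *fd;               /* next chunk in the bin */
    struct chunk *bk;               /* previous chunk in the bin */
};

/* The handout's unlink: two writes through pointers read from P. */
void unlink_unchecked(struct chunk *P)
{
    struct chunk *BK = P->bk, *FD = P->fd;
    FD->bk = BK;
    BK->fd = FD;
}

/* Hardened variant: write only if both neighbours still point back
   at P. Returns 0 on success, -1 if the links are inconsistent. */
int unlink_checked(struct chunk *P)
{
    struct chunk *BK = P->bk, *FD = P->fd;
    if (!FD || !BK || FD->bk != P || BK->fd != P)
        return -1;
    FD->bk = BK;
    BK->fd = FD;
    return 0;
}

/* Circular bin head <-> a <-> b. With corrupt set, a's links are replaced
   by pointers to unrelated objects x and y, standing in for metadata that
   an overflow overwrote. *touched reports whether x or y was modified. */
int run_case(int corrupt, int checked, int *touched)
{
    struct chunk head = {0}, a = {0}, b = {0}, x = {0}, y = {0};
    int rc = 0;
    head.fd = &a; a.fd = &b; b.fd = &head;
    head.bk = &b; b.bk = &a; a.bk = &head;
    if (corrupt) { a.fd = &x; a.bk = &y; }
    if (checked) rc = unlink_checked(&a); else unlink_unchecked(&a);
    *touched = (x.bk != NULL || y.fd != NULL);
    return rc;
}

int main(void)
{
    int touched, rc = run_case(1, 1, &touched);
    printf("corrupted, checked: rc=%d touched=%d\n", rc, touched);
    return 0;
}
```
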

