Berkeley COMPSCI 161 - Homework

Paxson
Spring 2011
CS 161 Computer Security
Homework 1
Due: Wednesday, February 9, at 9:59pm

Instructions. Submit your solution by Wednesday, February 9, at 9:59pm, in the dropbox labelled CS161 in 283 Soda Hall. Print your name, your class account name (e.g., cs161-xy), your TA's name, the discussion section time where you want to pick up your graded homework, and "HW1" prominently on the first page. Staple all pages together. Your solutions must be legible and the solution to each problem must be labelled clearly. You must work on your own on this homework.

Problem 1  Memory safety (20 points)

Alice has decided to write her diary in digital form. To make sure that the secrets of her life stay safe, she wants to encrypt the diary. She downloads from the web a command-line utility called encryptor for encrypting text. encryptor takes two arguments: a key and a filename to store the encrypted text. It reads the text to encrypt from the standard input and writes its encryption using key to the given file.

Alice decides it would be a good idea to store each day's diary in a separate file with a separate key. In the case of compromise of one key, her diary for other days will remain secure. In order to simplify the task, she has written the following code:

    #include <stdio.h>

    struct date {
        int day;
        char* month;
        int year;
    };

    void write_diary(char* text, struct date today) {
        FILE* diary;
        char buf[200];
        int key = today.day + today.year * 365;
        sprintf(buf, "encryptor -k %d -f \"mydiary_%d-%s-%d.txt\"",
                key, today.day, today.month, today.year);
        diary = popen(buf, "w");
        if (! diary)
            /* something about the command failed, give up */
            return;
        fprintf(diary, text);
        pclose(diary);
    }

Unfortunately, Alice developed the code in a rush, and did not write secure or robust code. One problem concerns her computation of the encryption key: it is both easy to guess, and will sometimes repeat. Ignoring these encryption issues, identify at least 3 security problems with her code. For each problem, describe an example of input that an attacker could provide (in terms of the arguments in a call to write_diary) that would cause the security problem to occur.

Hint: Familiarize yourself with the workings of popen() and pclose() if they are new to you. You can read the manual pages for popen() by typing man popen at a shell prompt on a Unix system.

Problem 2  Frame Pointer Overwrite (20 points)

The C code below has an off-by-one error; the loop in the vuln() function iterates one more time than it should.

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void vuln(char* s) {
        char buffer[256];
        int i;
        int n = strlen(s);
        if (n > 256)
            n = 256;
        for (i = 0; i <= n; i++)
            buffer[i] = s[i];
    }

    int main(int argc, char* argv[]) {
        if (argc < 2) {
            printf("missing args\n");
            exit(-1);
        }
        vuln(argv[1]);
    }

In Section #0 we discussed the layout of the stack, including the different types of information that are stored on the stack during function calls. Different implementations can vary in the particulars of the stack layout, but for this problem assume a layout that corresponds to the specific example given in Section.

(a) You will likely find it helpful to sketch the stack for this program. (You do not have to include the sketch in your writeup.) Can the attacker overwrite the saved frame pointer (SFP in the Section notes)? Can the attacker overwrite the return instruction pointer (RIP)? Explain why for each.

(b) Explain how the attacker can exploit the opportunity to overwrite a single byte to modify the program's flow of execution.

Hint: Pay close attention to how returning from a function works; popping a return address from the stack has a dependency on SFP. You may find it helpful to read the discussion in the Section materials about the modification of registers by the leave and ret instructions of the x86 instruction set.

Problem 3  Heap Overflow (20 points)

Stack smashing attacks generally work by modifying a program's control flow because information regarding control flow is stored in the same way as data. Similarly, heap overflow vulnerabilities arise because attackers can cause data they supply to be interpreted as control flow information.

The slides from Section #0 discuss general approaches to implementing heap-based storage. Review the chunk structure in those materials to understand how it differs for allocated chunks versus free chunks.

When using heap memory, a program releases a buffer by calling the free function. free adjusts the pointer passed to it to point to the beginning of the chunk and checks whether the surrounding chunks are allocated. If they are not, it merges the chunk being freed with the already free ones into a bigger chunk.[1] The merge process involves removing the free chunks from their bin, then consolidating the chunks, and finally placing the single new chunk into a bin according to its size. In this problem, we focus on a heap overflow that can be triggered during the removal of a chunk from its bin, which is implemented by the unlink macro:

    /* P:  Chunk being unlinked
     * BK: Previous chunk
     * FD: Next chunk
     */
    #define unlink(P, BK, FD) {                                    \
        BK = P->bk;                                                \
        FD = P->fd;                                                \
        FD->bk = BK; /* equivalent to *(P->fd + 12) = P->bk */     \
        BK->fd = FD; /* equivalent to *(P->bk + 8) = P->fd */      \
    }

[1] There are other possibilities for how a system might implement malloc and free. Here we focus on a concrete implementation approach, namely the one presented in the Section materials.

Consider the following code example along with the corresponding heap layout (where we allocate zero-length buffers to keep the accompanying diagrams a bit simpler):

    char* buf1 = malloc(0); /* empty just to keep the diagrams simple */
    char* buf2 = malloc(0);
    char* buf3 = malloc(0);
    ...
    gets(buf2);
    ...
    free(buf1);
    free(buf2);

In the code, we allocate three zero-sized buffers. The code then copies user input from standard input into buf2, and finally frees the first two buffers. In the following, the left figure shows the heap layout before reading the input, and the right figure after having read the string "123456789012":

[Figure: heap layout of the chunks for buf1, buf2 and buf3, each with prev_size, size (PREV_INUSE bit set), fd and bk fields. Left: before reading the input. Right: after reading "123456789012"; the figure shows its bytes as the words 34 33 32 31, 38 37 36 35, 32 31 30 39 followed by the terminating \0, filling buf2's fd and bk fields and continuing into the header of buf3.]

(a) Describe what happens when free(buf1) is called, and in particular how this results in corrupting the heap memory.

(b) How can an attacker exploit this vulnerability to inject code? For your analysis, assume that the second line of the code instead reads:

    char* buf2 = malloc(256);

so that it
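A hardened version of Problem 1's write_diary, added here as an editor's example and not code from the homework: it replaces the shell command built with sprintf and popen by an argument vector handed to execvp, bounds the file name with snprintf plus a letters-only month check, and writes the text with fputs so it is never used as a format string. The encryptor command line (-k key, -f file, text on standard input) comes from the problem statement; the 64-byte name buffer, the month validation and the fork/pipe plumbing are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Hypothetical hardened rewrite of write_diary; not the homework's code. */
struct date { int day; char* month; int year; };

/* Accept only a short, letters-only month name, so it cannot carry quotes,
 * slashes or other metacharacters into the file name. */
static int month_is_sane(const char* m) {
    size_t len = m ? strlen(m) : 0;
    if (len == 0 || len > 9) return 0;
    for (size_t i = 0; i < len; i++)
        if (!((m[i] >= 'A' && m[i] <= 'Z') || (m[i] >= 'a' && m[i] <= 'z')))
            return 0;
    return 1;
}

/* Bounded formatting in place of sprintf: 1 if the name fit, 0 otherwise. */
static int build_filename(char* out, size_t outsz, struct date d) {
    if (!month_is_sane(d.month)) return 0;
    int n = snprintf(out, outsz, "mydiary_%d-%s-%d.txt", d.day, d.month, d.year);
    return n >= 0 && (size_t)n < outsz;
}

/* Run encryptor without a shell: arguments go in an argv vector and the text
 * is written with fputs (data, never a format string). Returns 0 on success. */
int write_diary_hardened(const char* text, struct date today) {
    char fname[64], keystr[32];
    int key = today.day + today.year * 365;   /* unchanged: homework says ignore key weakness */
    if (!build_filename(fname, sizeof fname, today)) return -1;
    snprintf(keystr, sizeof keystr, "%d", key);
    int fds[2];
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                           /* child: becomes encryptor */
        char* argv[] = { "encryptor", "-k", keystr, "-f", fname, NULL };
        dup2(fds[0], STDIN_FILENO); close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                           /* exec failed */
    }
    close(fds[0]);
    FILE* diary = fdopen(fds[1], "w");
    if (!diary) { close(fds[1]); waitpid(pid, NULL, 0); return -1; }
    fputs(text, diary);
    fclose(diary);
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```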
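An added example for Problem 2 (not from the homework): vuln_overrun_bytes reproduces the loop's index arithmetic to show for which input lengths exactly one byte lands past buffer, and copy_bounded/vuln_fixed are the bounded replacement a reviewer would ask for. The scratch-buffer helper and its 1024-byte limit are this example's own construction.

```c
#include <stddef.h>
#include <string.h>

/* Added illustration of Problem 2's off-by-one; not from the homework. */

/* vuln() copies buffer[0..n] inclusive with n capped at 256, so it writes
 * min(n,256)+1 bytes into a 256-byte buffer. Returns how many bytes land
 * past the end for an input of length n: 0 for n < 256, 1 otherwise. */
static size_t vuln_overrun_bytes(size_t n) {
    const size_t bufsize = 256;
    size_t last = n > bufsize ? bufsize : n;   /* same cap as the homework */
    return last + 1 > bufsize ? (last + 1) - bufsize : 0;
}

/* Hardened copy: at most dstsz-1 characters, always NUL-terminated inside
 * the buffer. Returns the number of characters copied. */
static size_t copy_bounded(char* dst, size_t dstsz, const char* s) {
    if (dstsz == 0) return 0;
    size_t n = strlen(s);
    if (n > dstsz - 1) n = dstsz - 1;   /* the cap must leave room for the NUL */
    memcpy(dst, s, n);
    dst[n] = '\0';                      /* n <= dstsz-1, so this stays in bounds */
    return n;
}

/* Replacement for vuln(): same 256-byte stack buffer, no overrun. */
static size_t vuln_fixed(const char* s) {
    char buffer[256];
    return copy_bounded(buffer, sizeof buffer, s);
}

/* Feed vuln_fixed an input of `len` 'A's (constructed here) and report how
 * much it copied. len is limited to keep the scratch buffer in bounds. */
static size_t vuln_fixed_with_len(size_t len) {
    char s[1024];
    if (len >= sizeof s) return (size_t)-1;
    memset(s, 'A', len);
    s[len] = '\0';
    return vuln_fixed(s);
}
```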
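For Problem 3, the consistency check that allocators later added to unlink, as an editor's example that is not part of the homework or of any real allocator: a chunk carrying the fd/bk fields the macro manipulates, and a checked unlink modelled on glibc's "corrupted double-linked list" test, which refuses to write when the two neighbours do not both point back at the chunk being removed. The three-chunk bin and the stray chunk are constructed in the example itself.

```c
#include <stddef.h>

/* Added illustration for Problem 3; a minimal chunk with the fd/bk fields
 * that the homework's unlink macro manipulates. */
struct chunk {
    size_t prev_size;
    size_t size;
    struct chunk* fd;   /* next chunk in the bin */
    struct chunk* bk;   /* previous chunk in the bin */
};

/* Hardened unlink: the homework's two writes, guarded by a check that FD
 * and BK still agree P is between them. Returns 1 when the chunk was
 * removed, 0 when the links were inconsistent (nothing is written then). */
static int unlink_checked(struct chunk* P) {
    struct chunk* BK = P->bk;
    struct chunk* FD = P->fd;
    if (FD == NULL || BK == NULL || FD->bk != P || BK->fd != P)
        return 0;   /* fd/bk no longer form a list through P: refuse */
    FD->bk = BK;
    BK->fd = FD;
    return 1;
}

/* Circular bin: head <-> a <-> b <-> head. */
static void link3(struct chunk* head, struct chunk* a, struct chunk* b) {
    head->fd = a; a->bk = head;
    a->fd = b;    b->bk = a;
    b->fd = head; head->bk = b;
}

/* Intact list: the checked unlink removes a, and head now precedes b. */
static int demo_clean_unlink(void) {
    struct chunk head = {0}, a = {0}, b = {0};
    link3(&head, &a, &b);
    return unlink_checked(&a) == 1 && head.fd == &b && b.bk == &head;
}

/* Constructed corruption: a's fd now names a chunk outside the bin, as an
 * overflow into a's fd/bk field would leave it. The check refuses, so the
 * stray chunk is not written to and the bin itself is left as it was. */
static int demo_detects_corruption(void) {
    struct chunk head = {0}, a = {0}, b = {0}, stray = {0};
    link3(&head, &a, &b);
    a.fd = &stray;
    int refused = unlink_checked(&a) == 0;
    return refused && stray.bk == NULL && head.fd == &a && b.bk == &a;
}
```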

