Assignment-05-Solutions.pdf
School: Carleton University
Course: 4810
Subject: Computer Science
Date: Jan 9, 2024
Pages: 26
Uploaded by CountFlagTrout38
SYSC 4810: Introduction to Network and Software Security
Module 5 Assignment
Fall 2021
Dr. J. Jaskolka
Carleton University
Department of Systems and Computer Engineering
Posted: November 11, 2021
Due: November 28, 2021
Due on Sunday, November 28, 2021 by 11:59PM
This assignment contains 26 pages (including this cover page) and 9 problems. You are responsible for ensuring that your copy of the assignment is complete. Bring any discrepancy to the attention of your instructor.
Special Instructions:
1. Do as many problems as you can.
2. Start early as this assignment is much more time consuming than you might initially think!
3. The burden of communication is upon you. Solutions not properly explained will not be considered correct. Part of proper communication is the appearance and layout. If we cannot “decode” what you wrote, we cannot grade it as a correct solution.
4. You may consult outside sources, such as textbooks, but any use of any source must be documented in the assignment solutions.
5. You are permitted to discuss general aspects of the problem sets with other students in the class, but you must hand in your own copy of the solutions.
6. Your assignment solutions are due by 11:59PM on the due date and must be submitted on Brightspace.
   • Late assignments will be graded with a late penalty of 20% of the full grade per day up to 48 hours past the deadline.
7. You are responsible for ensuring that your assignment is submitted correctly and without corruption.
Problem:   1    2    3    4    5    6    7    8    9    Total
Points:    10   15   10   11   11   8    5    5    10   85
SYSC 4810 — Module 5
Assignment
Due Date: November 28, 2021
In this assignment, you will participate in activities related to conducting attacks exploiting buffer overflow vulnerabilities in software systems. This assignment aims to assess your understanding of buffer overflow attacks, how they work, and controls for dealing with them.
Acknowledgment
This assignment is based on the “Buffer Overflow Attack Lab (Server)” SEED Lab developed by Wenliang Du at Syracuse University.
Background Research
A significant portion of this assignment is to do the required background research on fundamentals of programming and software development including the execution stack, stack and frame pointers, registers, and memory addressing, as well as working with basic software development tools. Keep in mind that a substantial component of any software or computer systems project is to solve and/or eliminate the underlying technical difficulties. This often means exploring user manuals and documentation.
Submission Requirements
Please read the following instructions very carefully and follow them precisely when submitting your assignment!
The following items are required for a complete assignment submission:
1. PDF Assignment Report: Submit a detailed report that carefully and concisely describes what you have done and what you have observed. Include appropriate code snippets and listings, as well as screenshots of program outputs and results. You also need to provide an adequate explanation of the observations that are interesting or surprising. You are encouraged to pursue further investigation beyond what is required by the assignment description.
2. ZIP Archive of Source Code: In addition to embedding source code listings in your assignment report, create and submit a ZIP archive of all programs that you write for this assignment. Please name each of your source code files with the problem number to which they correspond (e.g., for Problem 2(a), the source code file should be named Problem2a.c). Your source code must compile and run, producing the desired output. Also, please remember to provide sufficient comments in your code to describe what it does and why.
3. ZIP Archive of Screenshot Image Files: In addition to embedding screenshots of program outputs and results in your assignment report, create and submit a ZIP archive of all of the raw screenshot images that you capture for this assignment.
Grading Notes
An important part of this assignment is following instructions. As such, the following grade penalties will be applied for failure to comply with the submission requirements outlined above:
• Failure to submit an Assignment Report will result in a grade of 0 for the assignment.
• Failure to submit the Source Code files will result in deduction of 10% of the full grade of the assignment.
• Failure to submit the Screenshot Image files will result in deduction of 10% of the full grade of the assignment.
• Failure of Source Code to compile/run will result in a grade of 0 for the corresponding problem(s).
• Failure to submit any deliverable in the required format (PDF or ZIP) will result in deduction of 5% of the full grade of the assignment.
Part I
Assignment Challenge
1 Introduction
Imagine that you work for a large software development firm called SecureTech Industries. The organization has just received a major investment to hire a significant number of new quality assurance engineers. Because the development of secure software and systems is a top priority for SecureTech Industries, the organization is launching an initiative to develop a penetration testing training program for new hires (trainees). Your direct supervisor has just assigned you to prepare the training materials related to buffer overflow vulnerabilities and countermeasures that will be provided to all new hires. The details of the assignment, including your supervisor’s expectations, are provided in the sections below.
The different parts of this assignment are designed to guide your investigation and to prepare the different aspects for the training materials. At the end of the assignment, you will be required to summarize the take-away points for new hires so that they can better understand buffer overflow vulnerabilities, attacks, and countermeasures.
2 Context
Your supervisor has sent you the following email explaining what is expected for the training materials:
Hello,
I am sure by now that you have seen the latest memo indicating that we have secured a large
investment to hire a new batch of quality assurance engineers. You would have also seen that
we need to prepare a new set of penetration testing training materials as part of the upgraded
security training program that comes with this investment. This means we have lots of work to
do.
I need you to prepare the training materials for the buffer overflow training module for our new
hires. I have asked the senior development team to provide some sample code to help with this
task. This sample code, along with what you develop, will be provided as part of the training
package that is provided to new hires. It will enable them to get their hands dirty by trying out
a few different approaches for learning how to exploit buffer overflow vulnerabilities on server
programs and for understanding the different countermeasures that can be put in place to
prevent them. We want our new hires to be aware of the potential ways in which they can get
root shells by conducting buffer overflow attacks, as well as the ways in which buffer overflow
countermeasures work and their relative strengths and weaknesses.
The training materials that you prepare need to be well-organized and provide very detailed
steps of how to conduct the different experiments that we want the new hires to carry out as part
of their hands-on training. The new hires should be able to do everything based on the report
that you prepare and enable them to perform self-checks to ensure that they are successful in
completing the experiments. This means you should provide screenshots and code fragments to
help them understand what they should expect in terms of the outcomes of their experiments.
Effectively, you should think of preparing your report as a complete walkthrough of the various
experiments and tasks.
I know I can count on you for this.
Thanks,
JJ
3 Obligations
At the end of this assignment, you will be required to deliver the following information and outcomes:
1. A report that can act as a training manual for new hires to better understand buffer overflow vulnerabilities, attacks, and countermeasures. The report should be a complete walkthrough providing a detailed explanation of all of the steps involved in carrying out the various activities and tasks that will be part of the penetration testing training program module related to buffer overflows.
2. A summary of the main take-away points of the training module, including a list of recommendations (“do’s and don’ts”), so that the trainees can be better prepared to protect their programs from buffer overflow vulnerabilities.
This must be provided in a single, well-organized report.
Part II
Environment Setup
This assignment will be conducted using a pre-built virtual machine (VM) image. We will assume that you already have a virtual machine set up from the Module 1 Assignment. For this assignment, you will be attacking four different servers with varying levels of difficulty. We will use containers to set up this environment.
1 Container Setup and Commands
Please download the Setup.zip file to your VM from the assignment resources for this assignment on Brightspace, unzip it, enter the Setup folder, and use the docker-compose.yml file to set up the assignment environment.
In what follows, we recall some of the commonly used commands related to Docker and Compose. Since we are going to use these commands very frequently, aliases have been created for them in the .bashrc file in the provided VM image.

    $ docker-compose build    # Build the container image
    $ docker-compose up       # Start the container
    $ docker-compose down     # Shut down the container

    # Aliases for the Compose commands above
    $ dcbuild                 # Alias for: docker-compose build
    $ dcup                    # Alias for: docker-compose up
    $ dcdown                  # Alias for: docker-compose down

All the containers will be running in the background. To run commands on a container, we need to get a shell on that container. We first need to use the docker ps command to find out the ID of the container, and then use docker exec to start a shell on that container. Aliases have been created for them in the .bashrc file in the provided VM image.

    $ dockps          # Alias for: docker ps --format "{{.ID}} {{.Names}}"
    $ docksh <id>     # Alias for: docker exec -it <id> /bin/bash

    # The following example shows how to get a shell inside hostC
    $ dockps
    b1004832e275 hostA-10.9.0.5
    0af4ea7a3e2e hostB-10.9.0.6
    9652715c8e0a hostC-10.9.0.7
    $ docksh 96
    root@9652715c8e0a:/#

    # Note: If a docker command requires a container ID, you do not need to
    #       type the entire ID string. Typing the first few characters will
    #       be sufficient, as long as they are unique among all the containers.

If you encounter problems when setting up the environment, please read the “Common Problems” section of the DOCKER MANUAL for potential solutions.
*Important Note* Before running “docker-compose build” to build the docker images, you need to compile and copy the server code to the bof-containers folder. This step is described in Section 2.
2 The Vulnerable Program
The vulnerable program used in this assignment is called stack.c, which is in the server-code folder. This program has a buffer-overflow vulnerability. Throughout this assignment, your job is to exploit this vulnerability and gain the root privilege on the server machines. The code listed below has some non-essential information removed, so it is slightly different from what is provided in the setup files.

     1  #include <stdlib.h>
     2  #include <stdio.h>
     3  #include <string.h>
     4
     5  /* Changing this size will change the layout of the stack. */
     6  #ifndef BUF_SIZE
     7  #define BUF_SIZE 100
     8  #endif
     9
    10  int bof(char *str)
    11  {
    12      char buffer[BUF_SIZE];
    13
    14      /* The following statement has a buffer overflow problem */
    15      strcpy(buffer, str);
    16
    17      return 1;
    18  }
    19
    20  int main(int argc, char **argv)
    21  {
    22      char str[517];
    23
    24      int length = fread(str, sizeof(char), 517, stdin);
    25      bof(str);
    26      fprintf(stdout, "==== Returned Properly ====\n");
    27      return 1;
    28  }

The above program has a buffer overflow vulnerability. It reads data from the standard input, and then passes the data to another buffer in the function bof(). The original input can have a maximum length of 517 bytes, but the buffer in bof() is only BUF_SIZE bytes long, which is less than 517. Because strcpy() does not check boundaries (Line 15), buffer overflow will occur.
The program will run on a server with the root privilege, and its standard input will be redirected to a TCP connection between the server and a remote user. Therefore, the program actually gets its data from a remote user. If users can exploit this buffer overflow vulnerability, they can get a root shell on the server.
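The bounds check that strcpy() leaves out, as an added example that is not part of the assignment or the SEED lab code. The names bof_checked(), demo_filled(), demo_copy() and INPUT_MAX are hypothetical; the check relies on the byte count returned by fread(), which the listing above stores in length but never uses, so the copy does not depend on the input containing a NUL terminator.

```c
#include <stdio.h>
#include <string.h>

#ifndef BUF_SIZE
#define BUF_SIZE 100
#endif
#define INPUT_MAX 517   /* assumed name for the 517-byte input limit in stack.c */

/*
 * Hardened counterpart of bof(). The caller passes the number of bytes
 * actually read, so an unterminated input cannot make the copy run past
 * either buffer. Returns the number of bytes copied (excluding the
 * terminator), or -1 if the input does not fit in dst.
 */
int bof_checked(const char *src, size_t src_len, char *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL || dst_size == 0)
        return -1;

    /* Treat the input as a string, but look for its end only within src_len. */
    const char *nul = memchr(src, '\0', src_len);
    size_t n = nul ? (size_t)(nul - src) : src_len;

    if (n >= dst_size)      /* one byte must remain for the terminator */
        return -1;          /* reject rather than truncate silently */

    memcpy(dst, src, n);
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample input: len bytes of 'A' with no terminating NUL,
 * which is what fread() yields when the peer sends no zero byte. */
int demo_filled(size_t len)
{
    char input[INPUT_MAX];
    char buffer[BUF_SIZE];

    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', len);
    return bof_checked(input, len, buffer, sizeof buffer);
}

/* Runs caller-supplied bytes through the check with a BUF_SIZE destination. */
int demo_copy(const char *data, size_t len)
{
    char buffer[BUF_SIZE];
    return bof_checked(data, len, buffer, sizeof buffer);
}

int main(void)
{
    char str[INPUT_MAX];
    char buffer[BUF_SIZE];

    /* Keep the count: fread() does not terminate what it reads. */
    size_t length = fread(str, sizeof(char), sizeof str, stdin);

    if (bof_checked(str, length, buffer, sizeof buffer) < 0) {
        fprintf(stderr, "input rejected: %zu bytes do not fit in %d\n",
                length, BUF_SIZE);
        return 1;
    }
    fprintf(stdout, "==== Returned Properly ====\n");
    return 0;
}
```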
2.1 Compilation
To compile the above vulnerable program, we need to turn off the StackGuard and the non-executable stack protections using the -fno-stack-protector and -z execstack options. The following is an example of the compilation command (the L1 environment variable sets the value for the BUF_SIZE constant inside stack.c).

    $ gcc -DBUF_SIZE=${L1} -o stack -z execstack -fno-stack-protector stack.c

The stack program will be compiled into both 32-bit and 64-bit binaries. The VM environment is a 64-bit VM, but it still supports 32-bit binaries. All we need to do is to use the -m32 option in the gcc command.