Table of contents

1. Assignment 1: Security Mindset & Buffer Overflow Due Feb 19, 11:59pm EST
   1. Part 1 – Bash Bandit [10 points]
   2. Part 2 – Security Mindset [10 points]
      1. Part 2-1: Threat Models and Risk Assessment [5 points]
      2. Part 2-2: Finding vulnerabilities [5 points]
   3. Part 3 – Buffer Overflow [90 points]
      1. Part 3-1 Understanding Buffer Overflow [15 points]
      2. Part 3-2 and 3-3: Programming Tasks
      3. Programming Task #3-2: Where is the Key? [30 points]
      4. Programming Task #3-3: Infinite Number of Giveaways [45 points]

Assignment 1: Security Mindset & Buffer Overflow Due Feb 19, 11:59pm EST

Ground Rules: Work must be typeset (not handwritten and scanned) and submitted by 23:59 of the due date.

Submission: You need to submit a detailed lab report, with screenshots, to describe what you have done and what you have observed. You also need to provide explanation to the observations that are interesting or surprising. Please also list the important code snippets followed by explanations. Simply attaching code without any explanation will receive NO credits.

Part 1 – Bash Bandit [10 points]

In this assignment, you will warm up on bash commands. This will help you go over essential Linux commands that you will need for this course and your next assignments.

Let’s play the Bandit Game. You are supposed to achieve Level 11 (pass Level 10 → Level 11), which means that you are able to log in Level 11.

To access Bandit Level 0, you are supposed to access bandit.labs.overthewire.org on port 2220 with the username (bandit0) and the password (bandit0). You need to find the password for Level 1 and access the same hostname and port number, but with the different username (bandit1).

Describe how you did solve each level (i.e., how you did find passwords for next levels). Also, screenshots are required for each level and they should include your command to find passwords.

Part 2 – Security Mindset [10 points]

Part 2-1: Threat Models and Risk Assessment [5 points]

Suppose the course instructor has created a database of all information for this course: homeworks, exams, handouts, and grades. Create a detailed threat model for this database: what should the security goals be? What are reasonable attacks, and who are the potential attackers? What threats should we explicitly exclude from consideration?

Now assume that the database is stored on the instructor’s personal laptop, with no network card and no floppy disk drive. Propose at least two security mechanisms that would help counter your threat model (e.g. file or disk encryption, a laptop lock, a safe to store the laptop, a kevlar laptop sleeve, relocation to Fort Knox …), and analyze the net risk reduction of both. You should justify your estimates for the various incidence rates and costs. While we do want to see numbers for this part, don’t worry about figuring out exact costs or risk reductions, guess at some reasonable numbers but don’t spend very long on this part of the assignment.

Part 2-2: Finding vulnerabilities [5 points]

Here are a few code excerpts. For this exercise, you’ll find the vulnerability in each and describe how to exploit it.

Below is a short POST-method CGI script - it reads a line of the form “field-name=value” from standard input, and then executes the last command (in the line $result = ‘last …‘) to see if the user name value has logged in recently. Describe how to construct an input that executes an arbitrary command with the privileges of the script. Explain how your input will cause the program to execute your command, and suggest how the code could be changed to avoid the problem.

#!/usr/bin/perl
print "content-type: text/html\r\n\r\n<HTML><BODY>\n";

($field_name, $username_to_look_for) = split(/=/, <>);
chomp $username_to_look_for;

$result = `last -1000 | grep $username_to_look_for`;
if ($result) { 
  print "$username_to_look_for has logged in recently.\n";
} else {
  print "$username_to_look_for has NOT logged in recently.\n";
} 
print "</BODY></HTML>\n";

Part 3 – Buffer Overflow [90 points]

Part 3-1 Understanding Buffer Overflow [15 points]

1. How are the addresses decided for the following variables a and x, i.e., during the runtime, how does the program know the address of these two variables? [5 points]

   void foo(int a) {
    int x;
   }
   

2. Please draw the function stack frame for the following C function. [5 points]

   int bof(char *str) {
   char buffer[16];
   strcpy(buffer, str);
   return 1;
   }
   

3. Alice already knows that due to the security issues like buffer overflows she is not supposed to use strcpy when copying some strings to other buffers. But she is not aware what other functions she needs to use for the string copy, and she googled and found out in Stack Overflow that strncpy is safe and recommended to use for the string copy. Is strncpy really safe in terms of security? If so, why do you think? or If not, please explain the potential security issue(s) and how we can mitigate the vulnerability. [5 points]

Part 3-2 and 3-3: Programming Tasks

VM: You are provided with a VM where you can run the code with some vulnerabilities that you can exploit. Download the VM here (MD5 value: f3d2227c92219265679400064a0a1287):

• Google Drive Link
• Digital Ocean Link

We recommend using VirtualBox to run the VM. You will be logged into an account called seed, and its password is dees (the reverse order of seed)

If you want to build a VM yourself, please follow these instructions.

1. Download and install VirtualBox from https://www.virtualbox.org/wiki/Downloads.
2. Download the 64-bit .iso file for Ubuntu 16.04 Desktop from https://www.ubuntu.com/download/desktop/thank-you?country=US&version=16.04.1&architecture=amd64.
3. Create a new VM in VirtualBox, then attach the ISO file for Ubuntu as a virtual DVD and boot it.
4. Complete the installation process for Ubuntu.
5. Once Ubuntu is installed and has rebooted, open a Terminal.
6. Run this command: wget https://moa-lab.net/cosc366-s24/assignments/ctf_vm_setup.sh && bash ctf_vm_setup.sh
7. When this script finishes, it’ll give you instructions on how to install VirtualBox Guest additions. Follow those instructions.

Docker for Apple M1

1. Install Docker by following the instruction.
2. Please download this dockerfile
3. Build the docker image: docker build . -t "hw1_docker"
4. Run the docker image: docker run -d -p 9022:22 hw1_docker
5. Access the docker image over SSH with the password cosc366: ssh root@localhost -p 9022
6. Unzip the giveaway_for_m1.zip file (that is located in /root): Note that this zip file is different from the original giveaway.zip file.
7. Build the giveaway program: make
8. Enjoy hacking.

Turning Off Countermeasures: You can execute the lab tasks using our pre-built 64 bits Ubuntu virtual machines. Ubuntu and other Linux distributions have implemented several security mechanisms to make the buffer-overflow attack difficult. To simplify our attacks, we need to disable them first. Be sure that after the VM restarts, you may want to turn off the countermeasures again.

• Address Space Randomization: Ubuntu and several other Linux-based systems uses address space randomization to randomize the starting address of heap and stack. This makes guessing the exact addresses difficult; guessing addresses is one of the critical steps of buffer-overflow attacks. In this lab, we disable this feature using the following command:

  $ sudo sysctl -w kernel.randomize_va_space=0
  

• The StackGuard Protection Scheme: The GCC compiler implements a security mechanism called StackGuard to prevent buffer overflows. In the presence of this protection, buffer overflow attacks will not work. We can disable this protection during the compilation using the -fno-stack-protector option. For example, to compile a program example.c with StackGuard disabled, we can do the following:

  $ gcc -fno-stack-protector example.c
  

• Non-Executable Stack: Ubuntu used to allow executable stacks, but this has now changed: the binary images of programs (and shared libraries) must declare whether they require executable stacks or not, i.e., they need to mark a field in the program header. Kernel or dynamic linker uses this marking to decide whether to make the stack of this running program executable or non-executable. This marking is done automatically by the recent versions of gcc, and by default, stacks are set to be non-executable. To change that, use the following option when compiling programs.

  For executable stack:
  $ gcc -z execstack -o test test.c
  For non-executable stack:
  $ gcc -z noexecstack -o test test.c
  

GDB: We may want to use GDB to look inside of the stack memory.

• GDB Quick Reference
• GDB Cheat Sheet
• If you want the more enhanced GDB, please consider using this tool pwndbg. This tool is more usable than the orginal GDB in terms of hacking.

Programming Task #3-2: Where is the Key? [30 points]

Suppose that you are a hacker. You come across a vulnerable server where the above C code is running and you also obtain the C code in your hands. If you are running the code, as expected, you always get a message of It doesn't work. But since you are a hacker, you want to print the message of you got me and execute the ping command.

• Download the where_key.zip and you can get the C code. (This zip file is protected with a password that is posted in Canvas.)

How can you smash the stack buffer by exploiting the buffer overflow vulnerability? Please describe how you can exploit the stack buffer overflow and include the followings: stack memory layout (where the bufis located), screenshots of your results and commands, etc. [20 points]

Also, as mentioned in class, you are supposed to think as a defender. How can you mitigate the vulnerability? Please describe your defense mechanisms.[10 points]

💡 Simply attaching code without any explanation will not receive credits.
💡 Recommend to use the GCC option `-m32` , which compiles your code in 32bit. 
This helps you readily understand the stack frame layout.

Programming Task #3-3: Infinite Number of Giveaways [45 points]

Suppose that you are a white hacker and come across source code of software that has a very simple task that 1) takes a customer’s name as the input and 2) prints a giveaway for the customer. The simple program is designed to allow each customer to run the program once; therefore, the customer can get only one giveaway.

Meanwhile, You target the simple program. The attacker’s goal (your goal) is to repeatedly print giveaways by passing some argument to your program because the attacker (you) want to get an infinite number of giveaways. In other words, the argument will make the program repeatedly execute the function of giveaway.

How to run this simple software:

1. Download the giveaway.zip. (This zip file is protected with a password that is posted in Canvas.)
2. Run make all, and run ./exploit. The program prints a random giveaway.
3. Now you need to fill out the asterisk box in the middle of the exploit.c file.
4. ❗Note that you aren’t allowed to modify the giveaway.c file.

Attack:

1. Identify the specific bug or vulnerability that the attacker can exploit for his/her goal. [5 points]
2. Describe the attacker’s attack strategy. In other words, please describe the memory addresses (e.g., stack memory) involved in the attack, and explain how the attack can make the program print an infinite number of giveaways. [10 points]
3. Write a C program that passes the adversarial string to the target program and conducts the attack. [20 points]

Defense:

1. Try to run the same code outside the VM. Does the attack work? If yes, why? or If no, why? Please comment on the result. [10 points]