IFN657 Assignment 1

Total weight: 20%
Due date: 25 September 2020 (Week 10)

Overview

This assessment is individual work to be submitted via Blackboard. While you can discuss the assessment with your tutors and peers, your submission must be your own original work.

The objective of this assessment is to gain practical experience with memory corruption vulnerabilities through buffer overflow and format string attacks. This understanding is to be demonstrated by crafting simple exploits and describing the principles underpinning the exploitation.

The vulnerable C programs can be found in the appendices and must not be modified. They should be compiled and executed in a Linux environment as you did in the tutorials. As in the tutorials, you can use 32-bit binaries and turn off the stack protections. Note that, although you can use gdb to help analyse the memory and instructions, your exploit must work under the normal shell (not inside gdb). Keep in mind that gdb runs the program with a slightly different environment, so stack addresses observed inside gdb can be shifted by a few bytes when the same binary is run from the shell.

Buffer Overflow Tasks (12%)

The C program bo.c (in Appendix A) takes a password from the user, but never lets any user log in.

Task 1 (1%). Point out the statement in the program that has a buffer overflow vulnerability and explain why it may allow a buffer overflow attack.

Task 2 (4%). Figure out a password that makes the program output "You are logged in!" without modifying the return address. Explain in detail how the password works.

Task 3 (4%). Figure out a password that makes the program output "You are logged in!" by modifying the return address. Explain in detail how the password works.

Task 4 (1%). Explain how you can fix the buffer overflow vulnerability in the program.

Task 5 (2%). Figure out a way to defeat ASLR (Address Space Layout Randomisation) and still complete Task 3. Explain your answer. To turn on ASLR, you must run the following commands and compile the program without the option '-no-pie' (on a toolchain that does not produce position-independent executables by default, add -fPIE -pie explicitly):
    echo 2 | sudo tee /proc/sys/kernel/randomize_va_space
    gcc -w -m32 -g -fno-stack-protector -z execstack -o bo bo.c

Format String Tasks (8%)

The C program fs.c (in Appendix B) is a slightly modified version of the previous program, which also never lets any user log in.

Task 6 (1%). Point out the statement in the program that has a format string vulnerability and explain why it may allow a format string attack.

Task 7 (1%). Figure out a password that reveals the contents of the current stack frame in hexadecimal format with width 8 (for example, 804c014 should be displayed as 0804c014). Explain in detail how the password works.

Task 8 (1%). Figure out a password that launches a simple DoS (Denial of Service) attack. Explain in detail how the password works.

Task 9 (4%). Figure out a password that makes the program output "You are logged in!". Explain in detail how the password works.

Task 10 (1%). Explain how you can fix the format string vulnerability in the program.

Submission

Please submit your assignment via the IFN657 Blackboard web site under the Assessment section. You should submit only one PDF document of no more than 10 pages, excluding the appendix. It is recommended to use A4 page size with 2 cm margins on all sides; 12-point Times New Roman, 11-point Arial or an equivalent font; and single spacing.

The body text consists of your direct answers to the questions in each task, followed by the overall analysis of each task and a description of how you went about completing it. It should be self-contained and understandable without reading the appendix. To help your explanation, you may draw a stack diagram (like those in the lectures) showing the stack memory, such as the addresses of the return address, the saved stack pointer of the caller and the local variables. Exploit code should be included wherever it is used in any task.
It can be placed either in the body text or in the appendix (in which case it should be clearly marked and referenced in your answers). In addition to exploit code, screenshots are used as evidence of successful exploitation and must be clearly visible and easy to read. If gdb is used to craft program inputs for exploiting the vulnerabilities, use screenshots to show how you used gdb to find out the stack information.

Appendix A: bo.c for Buffer Overflow Tasks

    #include <stdio.h>
    #include <stdlib.h>

    char getPasswd() {
        int trigger = 'F';
        char passwd[100];
        gets(passwd);
        return (char)trigger;
    }

    void login() {
        printf("You are logged in!\n");
        exit(0);
    }

    void main() {
        printf("Please enter password: ");
        if (getPasswd() == 'T') {
            login();
        } else {
            printf("The password is incorrect.\n");
            exit(1);
        }
    }

Appendix B: fs.c for Format String Tasks

    #include <stdio.h>
    #include <stdlib.h>

    char passwd[100];

    char getPasswd() {
        int trigger = 'F';
        int *t = &trigger;
        fgets(passwd, sizeof(passwd), stdin);
        printf("Password is ");
        printf(passwd);
        return (char)(*t);
    }

    void main() {
        printf("Please enter password: ");
        if (getPasswd() == 'T') {
            printf("You are logged in!\n");
            exit(0);
        } else {
            printf("The password is incorrect.\n");
            exit(1);
        }
    }
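The following is an added example and not part of the handout or of bo.c. It shows the kind of fix Task 4 asks for: getPasswd() from Appendix A rewritten so that the password read can never run past the 100-byte buffer, while the local variables and the return value stay exactly as in the original. The names getPasswdSafe, runWithInput, runWithRepeated, leftoverInput and leftoverRepeated are assumptions made here; the helpers use fmemopen() (POSIX) only so that the function can be exercised on constructed input instead of stdin. It also handles the edge case the original ignores: a line longer than the buffer is truncated and its remainder drained, so the tail of an oversized password is not read back as a second input line.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen(), used only by the test helpers */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSWD_LEN 100            /* same buffer size as bo.c */

/* Bounds-checked replacement for getPasswd() in bo.c (example code, not the
 * handout's). The stack layout is unchanged (trigger next to passwd), but the
 * read can never leave the buffer: fgets() stops after sizeof(passwd) - 1
 * bytes and always NUL-terminates, so trigger cannot be overwritten. */
char getPasswdSafe(FILE *in) {
    int trigger = 'F';
    char passwd[PASSWD_LEN];

    if (fgets(passwd, sizeof(passwd), in) == NULL) {
        passwd[0] = '\0';         /* EOF or error: treat as an empty password */
        return (char)trigger;
    }

    size_t n = strcspn(passwd, "\n");
    if (passwd[n] == '\n') {
        passwd[n] = '\0';         /* whole line read: drop the newline as gets() did */
    } else {
        /* Line was longer than the buffer. Discard the remainder so the tail
         * of an oversized password is not mistaken for the next input line. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (char)trigger;
}

/* --- helpers that exercise getPasswdSafe() on constructed input ---------- */

/* Runs getPasswdSafe() over an in-memory stream and reports the returned
 * trigger and, via *leftover, how many bytes of the stream were not consumed. */
static char runStream(const char *input, size_t len, long *leftover) {
    if (len == 0) {               /* fmemopen() rejects empty buffers on some libcs */
        if (leftover) *leftover = 0;
        return 'F';
    }
    FILE *f = fmemopen((void *)input, len, "r");
    if (f == NULL) {
        if (leftover) *leftover = -1;
        return '\0';
    }
    char r = getPasswdSafe(f);
    long rest = 0;
    while (fgetc(f) != EOF)
        rest++;
    fclose(f);
    if (leftover) *leftover = rest;
    return r;
}

/* Builds `count` copies of `c` followed by `tail` (for example 300 'T's and a
 * newline, a typical oversized input) and runs it through getPasswdSafe(). */
static char runRepeated(char c, size_t count, const char *tail, long *leftover) {
    size_t taillen = strlen(tail);
    char *buf = malloc(count + taillen + 1);
    if (buf == NULL) return '\0';
    memset(buf, c, count);
    memcpy(buf + count, tail, taillen + 1);
    char r = runStream(buf, count + taillen, leftover);
    free(buf);
    return r;
}

char runWithInput(const char *input) { return runStream(input, strlen(input), NULL); }
long leftoverInput(const char *input) { long l = -1; runStream(input, strlen(input), &l); return l; }
char runWithRepeated(char c, size_t count, const char *tail) { return runRepeated(c, count, tail, NULL); }
long leftoverRepeated(char c, size_t count, const char *tail) { long l = -1; runRepeated(c, count, tail, &l); return l; }

int main(void) {
    printf("Please enter password: ");
    if (getPasswdSafe(stdin) == 'T') {
        printf("You are logged in!\n");
        return 0;
    }
    printf("The password is incorrect.\n");
    return 1;
}
```

Compiled with the same flags as bo.c, this version returns 'F' no matter how long the input is, so the login branch is unreachable by input alone; the difference from the original is only the bounded read, not the compiler protections that the tutorial flags switch off.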
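The following is an added example and not part of the handout or of fs.c. It shows the fix Task 10 asks for: getPasswd() from Appendix B with the user input passed to printf() as an argument of a constant "%s" format rather than as the format itself, so directives such as %x (the stack leak of Task 7) or %n (which makes printf write to memory) in the input are printed as plain characters. The names formatEcho, countDirectives, getPasswdFixed and echoIsVerbatim are assumptions made here; the directive counter is an extra detection signal, not a substitute for the constant format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char passwd[100];                 /* same global buffer as fs.c */

/* Renders the echo line with a constant format string (example code, not the
 * handout's). The user input is supplied as the %s argument, so any %x, %s, %p
 * or %n it contains is copied as ordinary characters instead of being
 * interpreted by printf's parser. Returns the length snprintf() produced. */
int formatEcho(const char *input, char *out, size_t outsz) {
    return snprintf(out, outsz, "Password is %s", input);
}

/* Counts conversion directives in untrusted input ("%%" is a literal percent
 * sign and does not count). A password prompt has no legitimate reason to
 * contain any, so a non-zero count is a cheap signal worth logging, in
 * addition to, never instead of, the constant format above. */
size_t countDirectives(const char *s) {
    size_t n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {        /* "%%": skip the escaped pair */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Fixed getPasswd() for fs.c: same locals and same return value, except that
 * printf() is never handed a user-controlled format. */
char getPasswdFixed(FILE *in) {
    int trigger = 'F';
    int *t = &trigger;
    char line[sizeof(passwd) + 16];   /* "Password is " + at most 99 bytes */

    if (fgets(passwd, sizeof(passwd), in) == NULL)
        passwd[0] = '\0';
    if (countDirectives(passwd) != 0)
        fprintf(stderr, "warning: %zu format directive(s) in password input\n",
                countDirectives(passwd));
    formatEcho(passwd, line, sizeof(line));
    fputs(line, stdout);
    return (char)(*t);
}

/* Checks that formatEcho() reproduces `input` byte for byte after the
 * "Password is " prefix, i.e. that nothing in it was interpreted. */
int echoIsVerbatim(const char *input) {
    char out[sizeof(passwd) + 16];
    formatEcho(input, out, sizeof(out));
    return strncmp(out, "Password is ", 12) == 0 && strcmp(out + 12, input) == 0;
}

int main(void) {
    printf("Please enter password: ");
    if (getPasswdFixed(stdin) == 'T') {
        printf("You are logged in!\n");
        return 0;
    }
    printf("The password is incorrect.\n");
    return 1;
}
```

As a check on the original, compiling fs.c with gcc's -Wformat -Wformat-security (instead of -w) reports the printf(passwd) call as a format that is not a string literal with no format arguments; the fixed version compiles cleanly under the same flags.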