CIS 5372 - Information Assurance
Fall 2011
Dr. Bogdan Carbunar
Florida International University
Homework #3
A. S. M. Hasan Mahmud
FIU ID: 3746153

Homework 3




Problem 1 ) Three ways:

a ) Mallory can change the value of num so that it indicates a more expensive item. Let's say item number 100 is more expensive than item number 55. Mallory will set num=100 and keep the rest of the URL the same. If he now submits the URL, he will get the more expensive item at a low price.

b ) Mallory can set qty=30 in the URL while keeping the rest of the URL the same. When he submits the URL, he will get 30 items for the price of 20 items.

c ) Mallory can set total=45 and keep the rest of the URL the same. When he submits the URL, he will get all the items, which are worth $205, for $45.
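One mitigation for the three tampering cases in Problem 1, as an added example that is not part of the original homework: the server attaches an HMAC to the order fields and rejects any URL whose num, qty or total was changed. The key, the base URL and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit

# Assumption: server-side secret that is never sent to the client (constructed value).
SERVER_KEY = b"constructed-demo-key"
SIGNED_FIELDS = ("num", "qty", "total")

def _tag(params: dict) -> str:
    """HMAC-SHA256 over the order fields, serialized in a fixed order."""
    msg = urlencode([(k, params[k]) for k in SIGNED_FIELDS]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_order_url(base: str, num: int, qty: int, total: int) -> str:
    """Build the order URL the server hands to the browser, with a MAC appended."""
    params = {"num": str(num), "qty": str(qty), "total": str(total)}
    params["sig"] = _tag(params)
    return base + "?" + urlencode(params)

def verify_order_url(url: str) -> dict:
    """Return the order fields if they are untouched; raise ValueError otherwise."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params = dict(pairs)
    # Reject duplicated, missing or extra fields so the value checked is the value used.
    if len(pairs) != len(params) or set(params) != set(SIGNED_FIELDS) | {"sig"}:
        raise ValueError("malformed order")
    # Constant-time comparison of the recomputed MAC with the one in the URL.
    if not hmac.compare_digest(_tag(params).encode(), params["sig"].encode()):
        raise ValueError("order parameters were modified")
    return {k: int(params[k]) for k in SIGNED_FIELDS}

def tamper(url: str, field: str, value: int) -> str:
    """Test helper: rewrite one query field, as in cases a) to c) above."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    params[field] = str(value)
    return parts._replace(query=urlencode(params)).geturl()

if __name__ == "__main__":
    # Constructed order using the values mentioned in Problem 1.
    url = issue_order_url("https://shop.example/order", 55, 20, 205)
    print("original:", verify_order_url(url))
    for field, value in (("num", 100), ("qty", 30), ("total", 45)):
        try:
            verify_order_url(tamper(url, field, value))
        except ValueError as err:
            print(f"{field}={value} rejected: {err}")
```

Where the design allows it, the server should also look up the price and compute the total itself instead of carrying total in the URL at all.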

Problem 2 ) The function lccopy does not check the size of the string pointed to by *str. If the size of this string is greater than BUFSIZE, there will be a buffer overflow. Steps:

a ) The attacker will avoid any size check of *str in the code that calls lccopy(). He will manage to pass a pointer to a large string as the parameter of the lccopy function. The initial condition of the stack, when execution of line 3 of lccopy() is completed, is shown below.

b ) Since str is large enough, it will overflow buf and overwrite sfp and ret addr. When line 4 of the code is executed, ret addr will have a new return address.

c ) The attacker will now choose the input string str such that, after it is converted to lowercase, the value of ret addr contains the correct address of the malicious code. The malicious code will also be in the buffer, as shown below.

[Figure, step a: stack layout with the local variables buf and *p, then sfp and ret addr, the argument *str, and the frame of the calling function; an arrow is labeled "Stack grows this way".]

[Figure, step b: the same stack layout after the overflow, with the annotation "This will be interpreted as new return address".]

[Figure, step c: the same stack layout with a region labeled "Malicious code".]


d ) When the function exits, the return address will be popped and the code in the buffer will be executed. Thus an attacker can exploit the buffer overflow and run malicious code.

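Eliminating the vulnerability: we need to insert a size check of *str between lines 3 and 4. The new code is shown below:

    #include <ctype.h>
    #include <string.h>

    /* BUFSIZE is defined as in the original assignment code. */
    char *lccopy(const char *str) {
        char buf[BUFSIZE];
        char *p;

        /* Need to reserve one character at the end for the terminating null. */
        if (strlen(str) > BUFSIZE - 1) {
            return NULL;
        }
        strcpy(buf, str);
        for (p = buf; *p; p++) {
            /* Cast to unsigned char: a negative char passed to isupper() is undefined. */
            if (isupper((unsigned char)*p)) {
                *p = tolower((unsigned char)*p);
            }
        }
        return strdup(buf);
    }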

Problem 3 ) What the code will print: foo

Why? Because in the function void called (int foo), the condition of the if statement is an assignment. The value of this assignment is always 1, which C treats as a true condition, so the statement printf("foo"); is always executed.

Line of vulnerability: 2

Explanation of this vulnerability: This looks like a programming error by the developer, who forgot to put the second "=" operator. As a result, the condition of the if statement is an assignment. The value of this assignment is always 1, which C treats as a true condition.

How to eliminate: As a better programming practice, use of the switch and case statements is safer. For this code, we need to replace line 2 with if (foo == 1) printf("foo");


Problem 4 ) Legend: r: Read Access, w: Write Access, x: Execute Access

a ) Access Control List: Each list is associated with an object (a file, in this case).

F: Alice (r, w), Bob (r)
G: Alice (r), Bob (r, w)
H: Alice (x)

b ) Capability List: Here each list is associated with a subject (a user).

Alice: F (r, w), G (r), H (x)
Bob: F (r), G (r, w)


Problem 5 )

a ) NO: Need compartment “mouse”.
b ) NO: Insufficient rank; rank of top secret > rank of secret.
c ) YES
d ) NO: Need compartment “moose”.
e ) YES