Hw1 Release v11

SongSpring 2015

CS 161Computer Security Homework 1

Due: Thursday, February 26, at 11:59pm

Instructions. This homework is due Thursday, February 26, at 11:59pm. It must besubmitted electronically via Gradescope (Pandagrader) (and not in person, in the drop box,by email, or any other method). This assignment must be done on your own.

Please put your answer to each problem on its own page, in the order that the problemsappear. For instance, if your answer to every problem fits on a single page, your solutionwill be organized as follows:

page 1: your solution to problem 1page 2: your solution to problem 2page 3: your solution to problem 3page 4: your solution to problem 4page 5: your solution to problem 5page 6: your solution to problem 6page 7: your solution to problem 7page 8: your optional feedback (“problem 8”)

If your solution to problems 4 and 5 both take up two pages, your solution would be organizedas follows:

page 1: your solution to problem 1page 2: your solution to problem 2page 3: your solution to problem 3page 4: first page of your solution to problem 4page 5: second page of your solution to problem 4page 6: first page of your solution to problem 5page 7: second page of your solution to problem 5page 8: your solution to problem 6page 9: your solution to problem 7page 10: your optional feedback (“problem 8”)

Scan your solution to a PDF—or, write it electronically and save it as a PDF. Then, uploadit to Gradescope (Pandagrader).

Page 1 of 12

Problem 1 True/False, and Why? (30 points)

Answer each question true or false, and then say why in at most one sentence. Don’t

forget to provide a one-sentence justification for each part!

(a) True or False: “Security through obscurity” refers to the practice of obscuring auser’s password when the user types it in, so that no one else can see it on thescreen.

(b) True or False: In a C program, format string bugs alone cannot be exploited forcontrol-hijacking attacks.

(c) An OS running on a new Intel processor marks the stack memory pages as non-executable using NX bit feature 1.True or False: This mechanism prevents attackers from getting a root shell byexploiting stack-based bu↵er overflows.

(d) True or False: ASLR together with NX and stack canaries is enough to protectfrom bu↵er overflow attacks.

(e) True or False: It is better to use library calls with rich functionality, like system(),than those with narrow functionality like, like execve(), because then your codethat uses the library is simpler, and so more likely to be correct.

(f) True or False: Having complete line coverage is enough to guarantee bug-free code.

1Briefly, the NX bit (no-execute bit is a flag added to every memory page indicating whether the contentsof the page can be executed or not. When NX bit is set for a page, the processor never executes any byte inthe page

Homework 1 Page 2 of 12 CS 161 – Sp 15

Problem 2 Is it vulnerable? (20 points)

For each code snippet below, determine whether it contains a memory-safety bug ornot, then write either “buggy” or “not buggy” on your answer depending on whetherit contains a memory-safety bug or not. If you wrote “buggy”, explain the bug, statewhich line number(s) contain the bug, and describe an input that would trigger the bug.Assume the inputs to these functions satisfy their preconditions (as documented by theRequires: clause) but are otherwise under adversarial control.

(a) /* Escapes all newlines in the input string, replacing them with "\n". */

/* Requires: p != NULL; p is a valid ’\0’-terminated string */

1: void escape(char *p) {

2: while (*p != ’\0’)

3: switch (*p) {

4: case ’\n’:

5: memmove(p+2, p+1, strlen(p));

6: *p++ = ’\\’; *p++ = ’n’;

7: break;

8: default:

9: p++;

10: }

11: }

(b) /* Copy every step’th character from src to dst. To clarify, we are not using the standard library function strlen. Instead, just assume that strlen gives you the correct length of the strings. */

/* Requires: src, dst are valid non-NULL pointers,

n <= strlen(src), n <= strlen(dst), step >= 0 */

void copy(char* dst, char* src, int n, int step)

{

for (int i= 0; i <= n; i+= step)

{

dst[i] = src[i];

}

}

(c) 1: /* Information about the current CD. */

2: struct cd {

3: int numtracks;

4: int tracklen[];

5: void (*notify)(struct cd *);

6: };

7:

8: struct cd *curcd = makestructcd();

9:

10: /* Update the length of track number ’track’. */

11: void update_cdinfo(int track, int newtracklen) {

12: if (track > curcd->numtracks)

13: return;


14: curcd->tracklen[track] = newtracklen;

15: (curcd->notify)(curcd);

16: }

Don’t worry about makestructcd(); it just allocates and initializes a struct cd.Assume the adversary can arrange for update cdinfo() to be called with whatevervalues of track and newtracklen he likes (those values may have been read directlyo↵ the CD, for instance).


Problem 3 Reasoning about code (15 points)

The following code takes two strings as arguments and returns a pointer to a new stringthat represents their concatenation.

The function is intended to take two strings and return a new string representing theirconcatenation. If a problem occurs, the function’s expected behavior is undefined.For the function, write down 1 Precondition. For the three statements assigning arrayelements, write down 3 Requires predicates that must hold to make the assignmentsmemory-safe:

(a) /* "Precondition" */

char *concat(char s1[], int n1, char s2[], int n2)

(b) /* "Requires" for line 13: */

s[i] = s1[i];

(c) /* "Requires" for line 16: */

s[i+j] = s2[j];

(d) /* "Requires" for line 18: */

s[i+j] = ’\0’;


Problem 4 Software security (12 points)

The following C code has a vulnerability:

/* requires: len == size(in) */

void vuln(uint64_t in[], size_t len) {

char a[25];

size_t i;

for (i=0; i<len && i<25; i++) {

memcpy(&(a[i]), &(in[i]), sizeof(uint64_t));

}

}

Assume that the elements and length of in are controlled by the attacker, but it isguaranteed that vuln() will be called with arguments where len is equal to the numberof elements in in (i.e., assume that the precondition of vuln() always holds).

vuln() is vulnerable to a bu↵er overflow attack. Explain why, and given an examplevalue of len that would enable such an attack.

(a) Explanation.

(b) Example value of len.

As a reminder, memcpy() is a library function declared as:

void memcpy(char *dst, char *src, size_t n);

memcpy(dst, src, n) copies n bytes starting at the address src to dst.Also, uint64_t is a 64-bit unsigned integer.


Problem 5 Fuzzing and Symbolic Execution (20 points)

Consider the following program:

1. int f(int x)

2. {

3. return 3 * x + 2;

4. }

5.

6. int target (int x, int y)

7. {

8. int buf[50];

9. if ((x >= 0) && (y >= 0))

10. {

11. if (f(x) == x + 18)

12. {

13. if (y < 20)

14. {

15. buf[x + f(y)] = 0;

16. }

17. }

18. }

19. }

(a) Suppose we employ blackbox fuzzing to function target, to check if it is vulnerableto a bu↵er overflow. Blackbox fuzzing creates new test cases in each run withrandom integer values for the parameters to target with the goal of crashing theprogram. How many test cases (approximately) are needed to generate a crash atline 15. Assume that our program creates new test cases without replacement (i.e.it will only generate each unique pair x, y once).

(b) Suppose we use a symbolic execution based automatic test case generation techniquefor whitebox fuzzing. Let us denote the inputs x and y with symbolic variables x0

and y0.Show the path constraints P on the symbolic input necessary to reach line number15.

(c) Write the security assertion Q to prevent a bu↵er overflow at line 15, in terms ofthe symbolic inputs.

(d) By solving the constraints (P ^ ¬Q), give an instance of values for x0 and y0 thatare necessary and su�cient to cause a bu↵er overflow on line 15.


Problem 6 Biometrics and Passwords (15 points)

Biometric authentication schemes often produce a “confidence” value that trades o↵between “false positive” and “false negative” errors. A “false positive” is when thesystem accepts someone when it should not have; a “false negative” is when the systemdoesn’t accept someone it should have. A false negative prevents an authorized userfrom logging in; a false positive allows an unauthorized user to access the system.

Password authentication tends to be much more “black and white”. If you mis-typeeven a single letter when entering your password, your login will be rejected.

(a) How might you modify standard password authentication to a↵ord a sort of “con-fidence” level, in light of the potential for users to inadvertently mis-type part oftheir password?

(b) What e↵ects would your modification (in part (a)) have on the security of passwordauthentication? Be sure to take into consideration human factors and talk aboutthe e↵ects on the false positive and false negative rates.

(c) One simplistic model for how users select passwords is that there is some universaldictionary of 230 alphanumeric possible passwords, and each user randomly picksa password by choosing uniformly at random from this dictionary.2 Assume thatall of the passwords in this dictionary are 10 alphanumeric characters long, andthat people have a 2% error rate per character they type, i.e., each character theytype independently has a 0.02 probability of being mis-typed. Suppose that wewant a false negative rate that is below 0.2%, i.e., below 0.002. In other words,if the user inputs one password with the aforementioned error rate, the schemeshould only lock them out less than 0.2 percent of the time. Describe what specificparameters this new scheme should use (independent from the scheme in parts a andb), and list the false positive rate your scheme will have at this parameter setting,assuming the attacker gets to make one try at guessing the password. To simplifyyour calculation, assume that every pair of passwords in the dictionary di↵er in atleast 3 5 positions.

2This model is pretty crude, but let’s run with it, for purposes of this homework question.


Problem 7 Return-Oriented Programming (ROP) (30 points)

In discussion section you learned how to bypass a non-executable stack via arc injection,an attack which introduces new data that existing instructions operate on. In otherwords, compared to a classic bu↵er overflow where the attacker provides the maliciousinstructions (typically shellcode), arc injection “recycles” existing ones.

Return-oriented programming (ROP) takes arc injection to the extreme. In a nutshell,a ROP exploit is built out of many pre-existing gadgets, which are small instructionsequences ending in a ret instruction. The attacker looks for gadgets in executablesegments (e.g., .text) and stitches them together into a working program—much like aransom note.

Recall that ret semantically behaves like popl %eip, which takes the top-most stackelement and writes it into the program counter. After the attacker has transferred controlflow into a specific gadget, the execution will eventually end in another ret. Due to theprevious ret, %esp now points to one element higher in the stack. The current gadget’sret will thus cause that element to be the next address to load into %eip. This style ofexecuting can continue for quite a while and depends on how the attacker prepared thestack.

(a) We begin by chaining gadgets to perform a desired computation. To do so, supposethat earlier e↵orts have already done the grunt work of finding usable gadgets:

To get the hang of how ROP exploits work, the first step is for you to glue thegadgets together into a working program that assigns the register %eax the value42. Ignoring the ret instruction, write down the sequence of instructions that canachieve this task by cherry-picking from the gadgets above.

(b) The next step involves performing the computation in a return-oriented way. Tothis end, consider a program vulnerable to a stack-based bu↵er overflow that is justabout to execute the function epilogue, that is, right before the leave instruction.Assume that you can overflow the entire local bu↵er plus everything higher upthe stack, i.e., saved frame pointer, return instruction pointer, and arbitrarily farbeyond.

How would you set up the stack to implement the computation from part (a)? Usethe template below as orientation to figure out how to insert the gadget addressessuch that the program executes (in the correct order) the gadgets you identified


in part (a). You can assume cells labeled from A to Z, although you will not neednearly that many.

0x________0x________0x________0x________0x________0x________

0x________

rip

sfp

buffer

A

B

C

D

E

F

G

A solution might look like (though this particular solution is not correct):

D: 2ef4f00d

C: 2ef4beef

B: 2ef4cafe

A: 2ef4f00d

(c) Having developed a basic feel for return-oriented programming, it is time to performa real attack. Your task is to invoke the libc function system, which takes a singlestring as an argument and executes it as a shell command. You scan the programand discover that system maps to the location 0x1ffa4b28 — sweet! Now youinject data that system should eventually operate on. Your goal is to execute thetwo statements in order:

1. system("gcc /tmp/foo.c")

2. system("./a.out")

You have filled a local bu↵er with the necessary data and know their addresses:

0x________0x________0x________0x________

rip

sfp

pushl %ebp ; Prologuemovl %esp, %ebp…movl 8(%ebp), %eax ; Use first argument ; string and execute it…leave ; Epilogueret

0x1ffa4b28 system:

c c g

p m t /

o o f /

q \0 c .

. a / .

\0 t u o

0xbfdecae0

0xbfdecaf0

A

B

C

D

Assume that system does not modify the stack and only executes the shell commandpassed to it as a parameter. Write down the cell values as in part (b), again assumingcells available from A to Z.

(d) You found that your exploit worked well, but now you realize that you shouldcover your tracks after exploitation, and decide to delete the source and generated


2ef4cafe

2ef4face

2ef4beef

executable.

1. system("gcc /tmp/foo.c")

2. system("./a.out")

3. system("rm a.out /tmp/foo.c")

Your prepared bu↵er now looks as follows:

0x________0x________0x________

rip

sfp

a m r

t u o .

m t /

o f / p

0xbfdecaf8

c c g

p m t /

o o f /

q \0 c .

. a / .

\0 t u o

0xbfdecae0

0xbfdecaf0

\0 c . o

Use the same stack template as in the previous part, but this time with the goal toexecute three times system with the arguments as shown above. Also explain whyyou have to use a gadget from part (a) to properly chain the gadgets together.


Problem 8 Feedback (0 points)

Optionally, feel free to include feedback. What’s the single thing we could do to makethe class better? Or, what did you find most di�cult or confusing from lectures or therest of class, and what would you like to see explained better?


Documents

Hw1 Release v11