CS155: Homework #1
Spring 2013
Due: Tuesday, Apr. 30
Problem 1: Control hijacking
- In x86 the stack grows downwards. Explain how a stack-based overflow attack would work if the stack grew upwards instead.
- How would you implement StackGuard in an architecture where the stack grows upwards? What would be different from StackGuard on the x86?
- How would you implement LibSafe in an architecture where the stack grows upwards? What would be different from LibSafe on the x86?
Problem 2: Memory management
The iOS _MALLOC(size_t size, int type, int flags) function allocates size bytes on the heap. Internally blocks are represented as a length field followed by a data field:
struct _mhead { size_t mlen; char dat[0]; }The mlen field is used by the free() function to determine how much space needs to be freed. In iOS 4.x the _MALLOC function was implemented as follows:
1 void * _MALLOC(size_t size, int type, int flags) { 2 struct _mhead *hdr; 3 size_t memsize = sizeof (*hdr) + size; 4 hdr = (void *)kalloc(memsize); // allocate memory 5 hdr->mlen = memsize; 6 return (hdr->dat); 7 }In iOS 5.x the following two lines were added after line 3:
int o = memsize < size ? 1 : 0; if (o) return (NULL);
- Why were these lines added in iOS5.x? Briefly describe an attack that may be possible without these lines.
- In iOS the kernel heap is divided into zones. When the zone allocator is called it allocates a new zone in a random location in kernel space. What security purpose does randomization serve in this context?
Problem 3: Sandboxing
- Explain in what settings would you use VM-based sandboxing rather than system call interposition.
- Explain in what settings would you use system call interposition rather than VM-based sandboxing.
- In class we discussed a covert channel between two VMs based on CPU utilization and a synchronized clock between the VMs. One might try to block this covert channel by preventing the VMs from synchronizing their clocks, e.g. by presenting each VM with a different time of day. You may assume the clocks run at normal speed, but are shifted by a random amount for each VM. Explain how an attacker can defeat this defense.
- Suggest another method by which the covert channel based on CPU utilization can be blocked.
Problem 4: TOCTOU
Consider the following code snippet:
if (!stat("./file.dat", buf)) return; // Abort if file exists. sleep(10); // Sleep for 10 seconds. fp = fopen("./file.dat", "w" ); fprintf(fp, "Hello world" ); close(fp);
- Suppose this code is running as a setuid root program. Give an example of how this code can lead to unexpected behavior that could cause a security problem. (try using symbolic links.)
- Suppose the sleep(10) is removed from the code above. Could the problem you identified in part (a) still occur? Please explain.
- How would you fix the code to prevent the problem from part (a)?
Problem 5: Soundness and completeness for static code analysis
In lecture 3, we discussed these two definitions briefly:Soundness: If the program contains an error, the analysis will report a warning.
Completeness: If the analysis reports an error, the program will contain an error.
- A false alarm occurs when a tool reports an error, but the program the tool is analyzing does not contain an error. Can a tool that reports a false alarm be sound? Complete?
- Suppose a company sets up an Android app marketplace for its employees. The company is going to use an analysis tool to check apps for security vulnerabilities before it promotes them to its employees. Which tool property is critical to the company for this purpose: soundness or completeness?
-
Theoretically, suppose a tool is both sound and complete. When the tool is used to analyze the following code that
may contain a vulnerability, what property of the loop determines whether the tool will report an error?
int main() { int x = 0; while ( x < 10 ) { /* loop while x is less than 10 */ ... /* do some stuff that might change the value of x */ } ... /* do something insecure */; }
Problem 6: Changing your Unix password
The Unix passwd program allows users to change their passwords. This problem asks you about the access permissions required to do this. Here, for reference, is a summary of the read-write-execute permissions associated with any Unix file (from Wikipedia).Symbolic Notation | Octal Notation | English |
---|---|---|
---------- | 0000 | no permissions |
---x--x--x | 0111 | execute |
--w--w--w- | 0222 | write |
--wx-wx-wx | 0333 | write & execute |
-r--r--r-- | 0444 | read |
-r-xr-xr-x | 0555 | read & execute |
-rw-rw-rw- | 0666 | read & write |
-rwxrwxrwx | 0777 | read, write, & execute |
- The password file is owned by the system (root) and readable by any user. Write appropriate permissions in the symbolic notation illustrated above. Any answer is acceptable for group permissions.
- The passwd program is owned by the system (root). What Unix feature allows an ordinary user to run passwd and change their password? Explain.
-
When a normal user, say "bob", runs passwd, passwd starts with:
Real-UID = bob Effective-UID = bob Saved-UID = root
The program makes a system call "seteuid( 0 )". What will be the Real-UID, Effective-UID, Saved-UID after this call? - Suppose the program called "seteuid( alice )" instead, before calling "seteuid( 0 )". What would be the Real-UID, Effective-UID, Saved-UID after this call?
- Suppose the program called "seteuid( alice )" after calling "seteuid( 0 )". What would be the Real-UID, Effective-UID, Saved-UID after this call?
- Of course, passwd does not call "seteuid( alice )". Explain why passwd can write /etc/passwd and change password for user "bob" after the call seteuid( 0 ).
- Suppose passwd reads some other user input and does some other action after changing the password file. For example, we might want a custom version of passwd that writes into a log file owned by bob, when bob changes his password. What system call would you recommend after writing the password file and before doing other actions? What will be the Real-UID, Effective-UID, Saved-UID after the system call you recommend?