CS 642: Computer Security - Homework One

This homework assignment tasks you with understanding vulnerabilities in five target programs. The first four are required; if you do the fifth you can earn extra credit. We strongly encourage you to work with a partner. It is due February 21, 2019 by 9pm local time.

The Environment

You will test your exploit programs within a virtual machine (VM) we provide, which is configured with Debian stable ("Lenny"), with ASLR (address space layout randomization) turned off. See: vulnerability-demo for information about VMs and the VM image.

The Targets

Download hw1_s2019.tgz to get the files for the homework. The 'targets' directory contains the source code for the targets, along with a Makefile for building them.

Your exploits should assume that the compiled target programs are installed setuid-root in

To build the targets, change to the

To install the target binaries in /tmp, run:

    make install

To make the target binaries setuid-root, run:

    make install
    su
    make setuid

Once you've run

Keep in mind that it'll be easier to debug the exploits if the targets aren't setuid. (See below for more on debugging.) If an exploit succeeds in getting a user shell on a non-setuid target in

The Exploits

The

The Assignment

You are to write exploits, one per target. Each exploit, when run in the virtual machine with its target installed setuid-root in

Your task is to attack these targets. Targets 1-4 are required; target5 is extra credit.

Hints

Read the Phrack articles suggested below. Read Aleph One's paper carefully, in particular. To understand what's going on, it is helpful to run code through gdb. See the GDB tips section below. Make sure that your exploits work within the provided virtual machine. Start early! Theoretical knowledge of exploits does not readily translate into the ability to write working exploits. Target1 is relatively simple and the other problems are quite challenging.

GDB tips

Notice the

You may find the

A useful way to run gdb is to use the

When running gdb using these command line flags, you should use the following procedure for setting breakpoints and debugging memory:
If you try to set breakpoints before the exec boundary, you will get a segfault.

If you wish, you can instrument the target code with arbitrary assembly using the __asm__ () pseudofunction, to help with debugging. Be sure, however, that your final exploits work against the unmodified targets, since we will use these in grading.

Warnings

Aleph One gives code that calculates addresses on the target's stack based on addresses on the exploit's stack. Addresses on the exploit's stack can change based on how the exploit is executed (working directory, arguments, environment, etc.); in my testing, I do not guarantee to execute your exploits exactly the same way bash does. You must therefore hard-code target stack locations in your exploits. You should *not* use a function such as get_sp() in the exploits you hand in.

(In other words, during grading the exploits may be run with a different environment and different working directory than one would get by logging in as user, changing directory to

Your exploit programs should not take any command-line arguments.

Collaboration Policy

You are encouraged to use the internet, the Piazza discussion board for this class, and classmates for information about tools, reference material, VM setup, and gdb. Please don't discuss solution specifics with anyone beyond your project partner.

Deliverables

You will have three deliverables.
mmswift, swift, swift, michael
zliuy676, zifan, liu, zifan

Put the ID file, exploits and explanation files in the 'sploits/' directory and package them into a tarball with the following command:

    tar -cf hw1.tar sploits/*

To submit, copy hw1.tar to your handin directory:

From a department managed machine:

    cp hw1.tar ~cs642-1/handin/<cslogin>/hw1

From another machine:

    scp hw1.tar emperor-01.cs.wisc.edu:~cs642-1/handin/<cslogin>/hw1

As a team, only one person should submit the homework tarfile.

Grading

You will receive two points for each exploit that yields a root shell in our testing. The extra credit target, target5, is also worth two points. There will not normally be partial credit, but we may make an exception depending on your explanatory writeup.

We may also ask you to explain to us how and why each exploit works. Be sure that each group member understands every exploit you turn in!

If you cannot get the exploit working in C code, but get it working from the command shell, you can submit a transcript of your exploit for partial credit in the file describing your exploit. Showing a GDB transcript demonstrating how the attack manipulates memory will be helpful.

Suggested reading in Phrack, www.phrack.org
Advanced reading:
Acknowledgements

This assignment is based in part on materials from Prof. Hovav Shacham at UC San Diego as well as Prof. Dan Boneh at Stanford. Thanks for their hard work.
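
An added example, not part of the original handout: a simplified C model of why the stack addresses discussed under Warnings depend on working directory, arguments and environment. The Linux layout it assumes (the exec path, envp and argv strings copied to the top of the new stack), the function names and the sample launches are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Bytes one NULL-terminated string vector (argv or envp) occupies on the
 * initial stack: each string with its NUL, one pointer per string, and
 * the NULL pointer that ends the array. */
static size_t vector_bytes(char *const vec[])
{
    size_t n = sizeof(char *);
    for (size_t i = 0; vec[i] != NULL; i++)
        n += strlen(vec[i]) + 1 + sizeof(char *);
    return n;
}

/* Simplified model (an assumption of this example) of what execve() places
 * above main()'s frame on Linux: the path string given to execve(), then
 * envp and argv. auxv entries and the final stack alignment are left out,
 * so a real shift can differ from the model by a few bytes. */
size_t launch_bytes(const char *path, char *const argv[], char *const envp[])
{
    return strlen(path) + 1 + vector_bytes(argv) + vector_bytes(envp);
}

/* Bytes by which frames move toward lower addresses when launch B
 * replaces launch A (negative: toward higher addresses). */
long stack_shift(size_t bytes_a, size_t bytes_b)
{
    return (long)bytes_b - (long)bytes_a;
}

int main(void)
{
    /* Constructed launches of one hypothetical program "prog". */
    char *argv_a[] = { "./prog", NULL };
    char *env_a[]  = { "PWD=/home/user/work", "SHELL=/bin/bash", NULL };
    char *argv_b[] = { "/home/user/work/prog", NULL };
    char *env_b[]  = { "PWD=/", NULL };

    size_t a = launch_bytes("./prog", argv_a, env_a);
    size_t b = launch_bytes("/home/user/work/prog", argv_b, env_b);
    printf("launch A: %zu bytes, launch B: %zu bytes, shift: %ld\n",
           a, b, stack_shift(a, b));
    return 0;
}
```

With ASLR off, as in the course VM, the same binary started from a different directory or with a different environment therefore sees its stack frames at different addresses, which is why an address derived from one process's own stack does not carry over to another launch.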