Assignment-05-Solutions.pdf
School: Carleton University; Course: 4810; Subject: Computer Science; Date: Jan 9, 2024
SYSC 4810: Introduction to Network and Software Security
Module 5 Assignment
Fall 2021
Dr. J. Jaskolka
Carleton University
Department of Systems and Computer Engineering
Posted: November 11, 2021
Due: Sunday, November 28, 2021 by 11:59PM

This assignment contains 26 pages (including this cover page) and 9 problems. You are responsible for ensuring that your copy of the assignment is complete. Bring any discrepancy to the attention of your instructor.
Special Instructions:
1. Do as many problems as you can.
2. Start early as this assignment is much more time consuming than you might initially think!
3. The burden of communication is upon you. Solutions not properly explained will not be considered correct. Part of proper communication is the appearance and layout. If we cannot “decode” what you wrote, we cannot grade it as a correct solution.
4. You may consult outside sources, such as textbooks, but any use of any source must be documented in the assignment solutions.
5. You are permitted to discuss general aspects of the problem sets with other students in the class, but you must hand in your own copy of the solutions.
6. Your assignment solutions are due by 11:59PM on the due date and must be submitted on Brightspace.
   • Late assignments will be graded with a late penalty of 20% of the full grade per day up to 48 hours past the deadline.
7. You are responsible for ensuring that your assignment is submitted correctly and without corruption.
Problem:   1    2    3    4    5    6    7    8    9   Total
Points:   10   15   10   11   11    8    5    5   10      85
Page 1 of 26
SYSC 4810 — Module 5 Assignment    Due Date: November 28, 2021
In this assignment, you will participate in activities related to conducting attacks exploiting buffer overflow vulnerabilities in software systems. This assignment aims to assess your understanding of buffer overflow attacks, how they work, and controls for dealing with them.

Acknowledgment
This assignment is based on the “Buffer Overflow Attack Lab (Server)” SEED Lab developed by Wenliang Du at Syracuse University.

Background Research
A significant portion of this assignment is to do the required background research on fundamentals of programming and software development, including the execution stack, stack and frame pointers, registers, and memory addressing, as well as working with basic software development tools. Keep in mind that a substantial component of any software or computer systems project is to solve and/or eliminate the underlying technical difficulties. This often means exploring user manuals and documentation.
Submission Requirements
Please read the following instructions very carefully and follow them precisely when submitting your assignment! The following items are required for a complete assignment submission:
1. PDF Assignment Report: Submit a detailed report that carefully and concisely describes what you have done and what you have observed. Include appropriate code snippets and listings, as well as screenshots of program outputs and results. You also need to provide an adequate explanation of the observations that are interesting or surprising. You are encouraged to pursue further investigation beyond what is required by the assignment description.
2. ZIP Archive of Source Code: In addition to embedding source code listings in your assignment report, create and submit a ZIP archive of all programs that you write for this assignment. Please name each of your source code files with the problem number to which they correspond (e.g., for Problem 2(a), the source code file should be named Problem2a.c). Your source code must compile and run, producing the desired output. Also, please remember to provide sufficient comments in your code to describe what it does and why.
3. ZIP Archive of Screenshot Image Files: In addition to embedding screenshots of program outputs and results in your assignment report, create and submit a ZIP archive of all of the raw screenshot images that you capture for this assignment.
Grading Notes
An important part of this assignment is following instructions. As such, the following grade penalties will be applied for failure to comply with the submission requirements outlined above:
• Failure to submit an Assignment Report will result in a grade of 0 for the assignment.
• Failure to submit the Source Code files will result in deduction of 10% of the full grade of the assignment.
• Failure to submit the Screenshot Image files will result in deduction of 10% of the full grade of the assignment.
• Failure of Source Code to compile/run will result in a grade of 0 for the corresponding problem(s).
• Failure to submit any deliverable in the required format (PDF or ZIP) will result in deduction of 5% of the full grade of the assignment.
Part I
Assignment Challenge

1 Introduction
Imagine that you work for a large software development firm called SecureTech Industries. The organization has just received a major investment to hire a significant number of new quality assurance engineers. Because the development of secure software and systems is a top priority for SecureTech Industries, the organization is launching an initiative to develop a penetration testing training program for new hires (trainees). Your direct supervisor has just assigned you to prepare the training materials related to buffer overflow vulnerabilities and countermeasures that will be provided to all new hires. The details of the assignment, including your supervisor’s expectations, are provided in the sections below.

The different parts of this assignment are designed to guide your investigation and to prepare the different aspects for the training materials. At the end of the assignment, you will be required to summarize the take-away points for new hires so that they can better understand buffer overflow vulnerabilities, attacks, and countermeasures.
2 Context
Your supervisor has sent you the following email explaining what is expected for the training materials:

Hello,

I am sure by now that you have seen the latest memo indicating that we have secured a large investment to hire a new batch of quality assurance engineers. You would have also seen that we need to prepare a new set of penetration testing training materials as part of the upgraded security training program that comes with this investment. This means we have lots of work to do.

I need you to prepare the training materials for the buffer overflow training module for our new hires. I have asked the senior development team to provide some sample code to help with this task. This sample code, along with what you develop, will be provided as part of the training package that is provided to new hires. It will enable them to get their hands dirty by trying out a few different approaches for learning how to exploit buffer overflow vulnerabilities on server programs and for understanding the different countermeasures that can be put in place to prevent them. We want our new hires to be aware of the potential ways in which they can get root shells by conducting buffer overflow attacks, as well as the ways in which buffer overflow countermeasures work and their relative strengths and weaknesses.

The training materials that you prepare need to be well-organized and provide very detailed steps of how to conduct the different experiments that we want the new hires to carry out as part of their hands-on training. The new hires should be able to do everything based on the report that you prepare and enable them to perform self-checks to ensure that they are successful in completing the experiments. This means you should provide screenshots and code fragments to help them understand what they should expect in terms of the outcomes of their experiments. Effectively, you should think of preparing your report as a complete walkthrough of the various experiments and tasks.

I know I can count on you for this.

Thanks,
JJ
3 Obligations
At the end of this assignment, you will be required to deliver the following information and outcomes:
1. A report that can act as a training manual for new hires to better understand buffer overflow vulnerabilities, attacks, and countermeasures. The report should be a complete walkthrough providing a detailed explanation of all of the steps involved in carrying out the various activities and tasks that will be part of the penetration testing training program module related to buffer overflows.
2. A summary of the main take-away points of the training module, including a list of recommendations (“do’s and don’ts”), so that the trainees can be better prepared to protect their programs from buffer overflow vulnerabilities.
This must be provided in a single, well-organized report.
Part II
Environment Setup

This assignment will be conducted using a pre-built virtual machine (VM) image. We will assume that you already have a virtual machine set up from the Module 1 Assignment. For this assignment, you will be attacking four different servers with varying levels of difficulty. We will use containers to set up this environment.
1 Container Setup and Commands
Please download the Setup.zip file to your VM from the assignment resources for this assignment on Brightspace, unzip it, enter the Setup folder, and use the docker-compose.yml file to set up the assignment environment.

In what follows, we recall some of the commonly used commands related to Docker and Compose. Since we are going to use these commands very frequently, aliases have been created for them in the .bashrc file in the provided VM image.
$ docker-compose build   // Build the container image
$ docker-compose up      // Start the container
$ docker-compose down    // Shut down the container

// Aliases for the Compose commands above
$ dcbuild                // Alias for: docker-compose build
$ dcup                   // Alias for: docker-compose up
$ dcdown                 // Alias for: docker-compose down
All the containers will be running in the background. To run commands on a container, we need to get a shell on that container. We first need to use the docker ps command to find out the ID of the container, and then use docker exec to start a shell on that container. Aliases have been created for them in the .bashrc file in the provided VM image.
$ dockps                 // Alias for: docker ps --format "{{.ID}} {{.Names}}"
$ docksh <id>            // Alias for: docker exec -it <id> /bin/bash

// The following example shows how to get a shell inside hostC
$ dockps
b1004832e275 hostA-10.9.0.5
0af4ea7a3e2e hostB-10.9.0.6
9652715c8e0a hostC-10.9.0.7
$ docksh 96
root@9652715c8e0a:/#

// Note: If a docker command requires a container ID, you do not need to
//       type the entire ID string. Typing the first few characters will
//       be sufficient, as long as they are unique among all the containers.
If you encounter problems when setting up the environment, please read the “Common Problems” section of the DOCKER MANUAL for potential solutions.

*Important Note* Before running “docker-compose build” to build the docker images, you need to compile and copy the server code to the bof-containers folder. This step is described in Section 2.
2 The Vulnerable Program
The vulnerable program used in this assignment is called stack.c, which is in the server-code folder. This program has a buffer-overflow vulnerability. Throughout this assignment, your job is to exploit this vulnerability and gain the root privilege on the server machines. The code listed below has some non-essential information removed, so it is slightly different from what is provided in the setup files.
 1  #include <stdlib.h>
 2  #include <stdio.h>
 3  #include <string.h>
 4
 5  /* Changing this size will change the layout of the stack. */
 6  #ifndef BUF_SIZE
 7  #define BUF_SIZE 100
 8  #endif
 9
10  int bof(char *str)
11  {
12      char buffer[BUF_SIZE];
13
14      /* The following statement has a buffer overflow problem */
15      strcpy(buffer, str);
16
17      return 1;
18  }
19
20  int main(int argc, char **argv)
21  {
22      char str[517];
23
24      int length = fread(str, sizeof(char), 517, stdin);
25      bof(str);
26      fprintf(stdout, "==== Returned Properly ====\n");
27      return 1;
28  }
The above program has a buffer overflow vulnerability. It reads data from the standard input, and then passes the data to another buffer in the function bof(). The original input can have a maximum length of 517 bytes, but the buffer in bof() is only BUF_SIZE bytes long, which is less than 517. Because strcpy() does not check boundaries (Line 15), buffer overflow will occur.

The program will run on a server with the root privilege, and its standard input will be redirected to a TCP connection between the server and a remote user. Therefore, the program actually gets its data from a remote user. If users can exploit this buffer overflow vulnerability, they can get a root shell on the server.
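The bounded copy below is an added example written for this edit; it is not part of stack.c, the SEED Lab, or the assignment's setup files, and the names bof_bounded, read_and_process and check_length are chosen here. It shows the "after" form of bof() that the training materials can contrast with Line 15: the caller passes the byte count that fread() returned (stack.c stores it in length and never uses it), the copy is limited by the destination size, and input that does not fit is rejected rather than silently truncated. It also covers a detail of the original that is easy to miss: fread() does not NUL-terminate str, so strcpy() in stack.c would keep copying past the 517 bytes if the input contains no NUL byte at all.

```c
#include <stdio.h>
#include <string.h>

#ifndef BUF_SIZE
#define BUF_SIZE 100
#endif

/* bof_bounded: hardened counterpart of bof() in stack.c. The caller passes the
 * number of bytes it actually read; the copy is limited to the destination
 * size and input that does not fit is rejected instead of silently truncated.
 * Returns 1 on success, 0 when the input is too long for the buffer. */
int bof_bounded(const char *str, size_t len)
{
    char buffer[BUF_SIZE];
    if (len >= sizeof buffer)            /* need one byte for the terminator */
        return 0;
    memcpy(buffer, str, len);            /* copies exactly len bytes, never more */
    buffer[len] = '\0';                  /* fread() did not terminate the input */
    return 1;
}

/* read_and_process: mirrors main() in stack.c, but hands bof_bounded() the
 * byte count fread() returned instead of trusting the input to be
 * NUL-terminated. */
int read_and_process(FILE *in)
{
    char str[517];
    size_t length = fread(str, sizeof(char), sizeof str, in);
    return bof_bounded(str, length);
}

/* check_length: constructed input of len 'A' bytes with no terminator, the
 * same shape fread() produces; returns what bof_bounded() returns for it. */
int check_length(size_t len)
{
    char input[517];
    if (len > sizeof input)
        return -1;
    memset(input, 'A', len);
    return bof_bounded(input, len);
}

int main(void)
{
    if (read_and_process(stdin))
        fprintf(stdout, "==== Returned Properly ====\n");
    else
        fprintf(stderr, "input rejected: longer than %d bytes\n", BUF_SIZE - 1);
    return 0;
}
```

This version compiles with gcc as usual and needs no protections disabled; feeding it the same 517-byte input that overflows stack.c produces the rejection message instead of a corrupted stack frame, which is the behaviour a trainee can use as the self-check for the countermeasure.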
2.1 Compilation
To compile the above vulnerable program, we need to turn off the StackGuard and the non-executable stack protections using the -fno-stack-protector and -z execstack options. The following is an example of the compilation command (the L1 environment variable sets the value for the BUF_SIZE constant inside stack.c).

$ gcc -DBUF_SIZE=$(L1) -o stack -z execstack -fno-stack-protector stack.c

The stack program will be compiled into both 32-bit and 64-bit binaries. The VM environment is a 64-bit VM, but it still supports 32-bit binaries. All we need to do is to use the -m32 option in the gcc command.
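The checker below is an added example for this edit, not part of the assignment or the SEED Lab. It inspects a compiled binary and reports whether it was linked with -z execstack by reading the ELF PT_GNU_STACK program header, which the linker marks with PF_X when the stack is executable (and leaves as RW when it is not). It handles both the 64-bit and the -m32 builds described above, assumes a little-endian x86 host like the lab VM, and includes build_test_image, a constructed in-memory ELF image (not a real binary) so the check can be exercised without compiling anything. All function names are chosen here. It does not detect -fno-stack-protector; that needs a look at the binary's symbol references (a protected build references __stack_chk_fail), which is outside this example.

```c
#include <elf.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian field readers. The lab VM is x86 (little-endian); big-endian
 * images are refused rather than guessed at. */
static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const unsigned char *p) { return rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* gnu_stack_executable: 1 if the PT_GNU_STACK header carries PF_X (what
 * "-z execstack" produces), 0 if the stack is non-executable, -1 if the image
 * is not a little-endian ELF or has no PT_GNU_STACK header. Handles both the
 * 32-bit (-m32) and 64-bit builds. */
int gnu_stack_executable(const unsigned char *img, size_t len)
{
    uint64_t phoff;
    size_t phentsize, phnum, flags_off;
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_DATA] != ELFDATA2LSB)
        return -1;
    if (img[EI_CLASS] == ELFCLASS64 && len >= sizeof(Elf64_Ehdr)) {
        phoff     = rd64(img + offsetof(Elf64_Ehdr, e_phoff));
        phentsize = rd16(img + offsetof(Elf64_Ehdr, e_phentsize));
        phnum     = rd16(img + offsetof(Elf64_Ehdr, e_phnum));
        flags_off = offsetof(Elf64_Phdr, p_flags);
    } else if (img[EI_CLASS] == ELFCLASS32 && len >= sizeof(Elf32_Ehdr)) {
        phoff     = rd32(img + offsetof(Elf32_Ehdr, e_phoff));
        phentsize = rd16(img + offsetof(Elf32_Ehdr, e_phentsize));
        phnum     = rd16(img + offsetof(Elf32_Ehdr, e_phnum));
        flags_off = offsetof(Elf32_Phdr, p_flags);
    } else {
        return -1;
    }
    /* Never trust the header's own counts and offsets without bounds checks. */
    if (phoff > len || phentsize < flags_off + 4 || phnum > (len - (size_t)phoff) / phentsize)
        return -1;
    for (size_t i = 0; i < phnum; i++) {
        const unsigned char *ph = img + (size_t)phoff + i * phentsize;
        if (rd32(ph) == PT_GNU_STACK)       /* p_type is the first field in both classes */
            return (rd32(ph + flags_off) & PF_X) ? 1 : 0;
    }
    return -1;
}

/* build_test_image: constructed test data, not a real binary: an ELF header
 * followed by one PT_GNU_STACK program header, written in host byte order. */
size_t build_test_image(unsigned char *buf, size_t cap, int is64, int exec_stack)
{
    uint32_t flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    size_t n;
    if (is64) {
        Elf64_Ehdr eh = {0}; Elf64_Phdr ph = {0};
        n = sizeof eh + sizeof ph;
        if (cap < n) return 0;
        memcpy(eh.e_ident, ELFMAG, SELFMAG);
        eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
        eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
        ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
        memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &ph, sizeof ph);
    } else {
        Elf32_Ehdr eh = {0}; Elf32_Phdr ph = {0};
        n = sizeof eh + sizeof ph;
        if (cap < n) return 0;
        memcpy(eh.e_ident, ELFMAG, SELFMAG);
        eh.e_ident[EI_CLASS] = ELFCLASS32; eh.e_ident[EI_DATA] = ELFDATA2LSB;
        eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof ph; eh.e_phnum = 1;
        ph.p_type = PT_GNU_STACK; ph.p_flags = flags;
        memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, &ph, sizeof ph);
    }
    return n;
}

/* selftest_case: build a constructed image of the given class and run the check on it. */
int selftest_case(int is64, int exec_stack)
{
    unsigned char buf[256];
    size_t n = build_test_image(buf, sizeof buf, is64, exec_stack);
    return n ? gnu_stack_executable(buf, n) : -2;
}

/* audit_file: read a binary from disk and run the check on it. */
int audit_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    if (!f || fseek(f, 0, SEEK_END) != 0) { if (f) fclose(f); return -1; }
    long sz = ftell(f);
    rewind(f);
    unsigned char *img = sz > 0 ? malloc((size_t)sz) : NULL;
    size_t len = img ? fread(img, 1, (size_t)sz, f) : 0;
    fclose(f);
    int r = img ? gnu_stack_executable(img, len) : -1;
    free(img);
    return r;
}

int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        int r = audit_file(argv[i]);
        printf("%s: %s\n", argv[i], r == 1 ? "executable stack (-z execstack)"
                                  : r == 0 ? "non-executable stack" : "not checked");
    }
    return argc < 2 ? 2 : 0;
}
```

Run it against the stack binaries before copying them into bof-containers to confirm the flag took effect, and again against any build made later in the assignment with the protections re-enabled, where it should report a non-executable stack. The bounds checks before the program-header loop are deliberate: a tool that parses untrusted binaries must not trust e_phoff or e_phnum any more than stack.c should have trusted its input length.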