Popa and 2021
Memory Safety
CS 161 Computer Security
Discussion 2
Question 1 Software Vulnerabilities () For the following code, assume an attacker can control the value of basket, n, and owner_name passed into search_basket.
The code includes several security vulnerabilities. Circle three such vulnerabilities in the code and briefly explain each of the three on the next page.
1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
struct cat {
char name[64]; char owner [64];
int age ; };
/∗ Searches through a BASKET of cats of length N (N should be less than 32) and ∗ adopts all cats with age less than 12 ( kittens ) . Adopted kittens have their
∗ owner name overwritten with OWNER_NAME. Returns the number of kittens ∗ adopted. ∗/
size_t search_basket(struct cat ∗basket , int n, char ∗owner_name) { struct cat kittens [32];
size_t num_kittens = 0;
if (n > 32) return -1;
for (size_t i = 0; i <= n; i++) {
if (basket[i].age < 12) {
/∗ Reassign the owner name. ∗/
strcpy(basket[i].owner, owner_name);
/∗ Copy the kitten from the basket. ∗/
kittens[num_kittens] = basket[i ]; num_kittens ++;
/∗ Print helpful message . ∗/
printf("Adopting kitten: ");
p r i n t f ( b a s k e t [ i ] . name ) ; printf("\n");
} }
/∗ Adopt kittens . ∗/
adopt_kittens ( kittens , num_kittens ) ; // Implementation not shown .
return num_kittens ; }
Page 1 of 4
1. Explanation:
2. Explanation:
3. Explanation:
Solution: Line 14 has a fencepost error: the conditional test should be i < n rather than i <= n. The test at line 13 assures that n doesn’t exceed 32, but if it’s equal to 32, and if all of the cats in basket are kittens, then the assignment at line 19 will write past the end of kittens, representing a buffer overflow vulnerability.
Solution: At line 14 we are checking if i <= n. i is an unsigned int and n is a signed int, so during the comparison n is cast to an unsigned int. We can pass in a value such as n = -1 and this would be cast to 0xffffffff which allows the for loop to keep going and write past the buffer.
Solution: Online17thereisacalltostrcpywhichwritesthecontentsofowner_name, which is controlled by the attacker, into the owner instance variable of the cat struct. There are no checks that the length of the destination buffer is greater than or equal to the source buffer owner_name and therefore the buffer can be overflown.
Solution: Another possible solution is that on line 23 there is a printf call which prints the value stored in the name instance variable of the cat struct. This input is controlled by the attacker and is therefore subject to format string vulnerabilities since the attacker could assign the cats names with string formats in them.
Some more minor issues concern the name strings in basket possibly not being cor- rectly terminated with ‘\0’ characters, which could lead to reading of memory outside of basket at line 23.
Describe how an attacker could exploit these vulnerabilities to obtain a shell:
Solution: Each vulnerability could lead to code execution. An attacker could also use the fencepost or the bound-checking error to overwrite the rip and execute arbitrary code.
Discussion 2 Page 2 of 4 CS 161 – Fall 2021
Question 2 Hacked EvanBot (16 min) Hacked EvanBot is running code to violate students’ privacy, and it’s up to you to disable it before it’s too late!
1 2 3 4 5 6 7 8 9
10 11
#include
void spy_on_students ( void ) {
char buffer [16];
fread(buffer , 1, 24, stdin);
}
int main() { spy_on_students () ;
return 0; }
The shutdown code for Hacked EvanBot is located at address 0xdeadbeef, but there’s just one problem—Bot has learned a new memory safety defense. Before returning from a function, it will check that its saved return address (rip) is not 0xdeadbeef, and throw an error if the rip is 0xdeadbeef.
Clarification during exam: Assume little-endian x86 for all questions.
Assume all x86 instructions are 8 bytes long. 1Assume all compiler optimizations and buffer
overflow defenses are disabled.
The address of buffer is 0xbffff110.
Q2.1 (3 points) In the next 3 subparts, you’ll supply a malicious input to the fread call at line 5 that causes the program to execute instructions at 0xdeadbeef, without overwriting the rip with the value 0xdeadbeef.
The first part of your input should be a single assembly instruction. What is the instruction? x86 pseudocode or a brief description of what the instruction should do (5 words max) is fine.
Solution: jmp *0xdeadbeef
You can’t overwrite the rip with 0xdeadbeef, but you can still overwrite the rip to point at arbitrary instructions located somewhere else. The idea here is to overwrite the rip to execute instructions in the buffer, and write a single jump instruction that starts executing code at 0xdeadbeef.
Grading: most likely all or nothing, with some leniency as long as you mention some- thing about jumping to address 0xdeadbeef. We will consider alternate solutions, though.
Q2.2 (3points)Thesecondpartofyourinputshouldbesomegarbagebytes.Howmanygarbage bytes do you need to write?
1In practice, x86 instructions are variable-length.
Discussion 2 Page 3 of 4 CS 161 – Fall 2021
(G) 0 (H) 4 (I) 8 (J) 12 (K) 16 (L)
Q2.3 (3 points) What are the last 4 bytes of your input? Write your answer in Project 1 Python syntax, e.g. \x12\x34\x56\x78.
Q2.4 (3 points) When does your exploit start executing instructions at 0xdeadbeef? (G) Immediately when the program starts
(H) When the main function returns
(I) When the spy_on_students function returns (J) When the fread function returns
(K)
(L)
Solution: Theexploitoverwritestheripofspy_on_students,sowhenthespy_on_students function returns, the program will jump to the overwritten rip and start executing
arbitrary instructions.
Solution: After the 8-byte instruction from the previous part, we need another 8 bytes to fill buffer, and then another 4 bytes to overwrite the sfp, for a total of 12 garbage bytes.
Solution: \x10\xf1\xff\xbf
This is the address of the jump instruction at the beginning of buffer. (The address
may be slightly different on randomized versions of this exam.) Partial credit for writing the address backwards.
Discussion 2
Page 4 of 4 CS 161 – Fall 2021