1. Buffer Overflow (30 Points)

A. For the first part of this question we will consider going to the dark side! Let's scheme on how we can start to compose a string to do the buffer overflow attack!

The most important parts of this are the text of a command to make a shell and the assembly language to execute this command. Your job is to find out the hexadecimal pattern of both!

a). The text of a command to make a shell is simply the string /bin/sh. Find the hexadecimal numbers for those ASCII characters. Feel free to use online ASCII tables like http://www.asciitable.com/. Tell me the ASCII hexadecimal for the characters of /bin/sh.

Answer: 2F62696E2F7368 (/ = 2F, b = 62, i = 69, n = 6E, / = 2F, s = 73, h = 68; seven characters, fourteen hex digits, and no 00 byte anywhere, which matters because a 00 would terminate the string early when it is copied into the overflowed buffer).
b). We can have a C compiler tell us the assembly language to execute this command by compiling the following:

    /***************************************************************************
     **** runShell.c
     ****
     **** A simple program that runs a command line shell.
     ****
     **** Compile with:
     ****   [linux]$ gcc runShell.c -o runShell
     ****
     **** Run with:
     ****   [linux]$ ./runShell
     ****
     **** Version 1.0   Joseph Phillips   2010 October 27
     ***************************************************************************/

    #include <stdlib.h>
    #include <stdio.h>

    void runShell ()
    {
      puts("Type \"exit\" to get back:");
      system("/bin/sh");
      puts("Welcome back! So long!");
    }

    int main (int argc, const char* argv[])
    {
      runShell();
      return(EXIT_SUCCESS);
    }

Compile it. Even run it if you'd like; just type exit to escape. But what you really need to do is get the assembly language of the system() call in runShell(), as opposed to global variables or any other type of memory of runShell. Do that by typing:

    objdump -d -j .text runShell

This command gives us the text segment of runShell. The text segment is where the executable instructions reside. You will see a lot of assembly code. Look for the code under the heading <runShell> corresponding to:

    someNumber:  n00 n01 n02 n03 n04 n05 n06   movl $someNumber,(%esp)
    someNumber:  n08 n09 n10 n11 n12           call someNumber <system@plt>

Tell me what the numbers n00 thru n12 are! They are not the exact numbers we'd use, but we would use them as a starting point.
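Before the objdump listing in the answer, an added example of my own (it is not part of the assignment or of the answer): a small C++ program that reproduces, from the addresses alone, the byte patterns the question asks for, so the listing can be checked rather than copied. It hex-encodes "/bin/sh" (part a), encodes mov $imm32,%edi (opcode BF followed by the little-endian immediate) and call rel32 (opcode E8 followed by a little-endian displacement measured from the end of the call instruction), and decodes a call back to its target. The addresses 0x400631, 0x4003f0, 0x4003d0, 0x4004e1 and 0x4004eb are taken from the listing in the answer; the function names and layout are my own.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Upper-case hex digits of every byte of s, no separators ("/bin/sh" -> 2F62696E2F7368).
std::string hexOf(const std::string& s) {
    static const char* const digits = "0123456789ABCDEF";
    std::string out;
    for (unsigned char c : s) {
        out += digits[c >> 4];
        out += digits[c & 0x0f];
    }
    return out;
}

std::string hexOfBytes(const std::vector<uint8_t>& b) {
    return hexOf(std::string(b.begin(), b.end()));
}

// x86 immediates and displacements are stored little-endian: low byte first.
static void putLE32(std::vector<uint8_t>& out, uint32_t v) {
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

// mov $imm32, %edi  ->  BF imm32.  On x86-64 (SysV ABI) %edi carries the first
// argument, so this is how the 64-bit binary passes the address of "/bin/sh".
std::vector<uint8_t> encodeMovEdiImm32(uint32_t imm) {
    std::vector<uint8_t> out{0xbf};
    putLE32(out, imm);
    return out;
}

// call rel32 -> E8 rel32, with rel32 = target - (address of the next instruction).
// The call is 5 bytes long, so "next" is callSite + 5; a backwards call wraps to a
// negative two's-complement displacement (that is where the ff ff bytes come from).
std::vector<uint8_t> encodeCallRel32(uint64_t callSite, uint64_t target) {
    std::vector<uint8_t> out{0xe8};
    uint64_t next = callSite + 5;
    putLE32(out, static_cast<uint32_t>(target - next));
    return out;
}

// The reverse: given where a 5-byte CALL sits and its bytes, where does it go?
uint64_t callTarget(uint64_t callSite, const std::vector<uint8_t>& bytes) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; ++i) rel |= static_cast<uint32_t>(bytes[1 + i]) << (8 * i);
    int32_t srel = static_cast<int32_t>(rel);          // sign-extend the displacement
    return callSite + 5 + static_cast<int64_t>(srel);
}

int main() {
    std::vector<uint8_t> call = encodeCallRel32(0x4004eb, 0x4003f0);
    std::printf("/bin/sh                 -> %s\n", hexOf("/bin/sh").c_str());
    std::printf("mov $0x400631,%%edi      -> %s\n", hexOfBytes(encodeMovEdiImm32(0x400631)).c_str());
    std::printf("call 4003f0 from 4004eb -> %s\n", hexOfBytes(call).c_str());
    std::printf("decoded target          -> %llx\n",
                static_cast<unsigned long long>(callTarget(0x4004eb, call)));
    return 0;
}
```

The question's template is 32-bit (the argument goes to (%esp) with movl); the binary on this page is 64-bit, so the argument travels in %edi instead. Either way, in a real overflow string the immediate must be the address at which "/bin/sh" actually lands and the call displacement depends on where the call itself lands, and with ASLR (part B below) neither is fixed, which is why these bytes are only a starting point.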

Answer: The output screen of the execution is as follows; the output text of objdump is:

    00000000004004d8 <runShell>:
      4004d8:  55                      push   %rbp
      4004d9:  48 89 e5                mov    %rsp,%rbp
      4004dc:  bf 18 06 40 00          mov    $0x400618,%edi
      4004e1:  e8 ea fe ff ff          callq  4003d0 <puts@plt>
      4004e6:  bf 31 06 40 00          mov    $0x400631,%edi
      4004eb:  e8 00 ff ff ff          callq  4003f0 <system@plt>
      4004f0:  c9                      leaveq
      4004f1:  c3                      retq

This binary is 64-bit, so the first argument to system() is passed in %edi rather than stored at (%esp) as in the question's 32-bit template. The two instructions that set up and make the system() call are the ones at 4004e6 and 4004eb, so n00 thru n12 are bf 31 06 40 00 (mov $0x400631,%edi, where 0x400631 is the address of the string "/bin/sh"; it sits right after the 25-byte first puts() string at 0x400618) and e8 00 ff ff ff (call to system@plt at 4003f0, a displacement of -0x100 from the end of the call at 4004f0).

B. Which of the following segments of memory should the operating system label as non-executable?
a. text (where the program code really is)
b. global variable
c. heap
d. shared library executable/dynamically linked library
e. stack

Answer: The NX bit, which stands for No eXecute, is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (or code) or for storage of data. An operating system with support for the NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory. The general technique, known as executable space protection, is used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section; one class of such attacks is the buffer overflow attack. Intel markets the feature as the XD bit, for eXecute Disable. AMD uses the name Enhanced Virus Protection. The ARM architecture refers to the feature as XN for eXecute Never; it was introduced in ARMv6. (Source: Wikipedia.com)

So the data segments should be labelled non-executable: b (global variables, i.e. .data and .bss), c (heap) and e (stack). The text segment (a) and the code of shared libraries (d) hold the instructions that must run and have to stay executable (and, conversely, should be read-only rather than writable).

In modern 64-bit operating systems ASLR (Address Space Layout Randomization) is implemented by the kernel and the ELF loader by randomizing the location of memory allocations (stack, heap, shared libraries, etc.). This makes memory addresses harder to predict when an attacker is attempting a memory-corruption exploit.

Defending against it: Some modern 64-bit processors support labeling memory pages as executable and non-executable, a feature normally only found in Harvard architecture processors. However, for security reasons, the NX bit is being increasingly used in conventional von Neumann architecture processors.

2. Password strength analyzer (40 Points): Write a password strength analyzer. It is given a password as a C++ string. It returns:
• 0 if the password appears in a dictionary (I did this for you already)
• 1 if the password is too short (less than 8 chars). Use method string.length().
• 2 if it has no digit. Use isdigit(char c).

• 3 if it has no punctuation char.
• 4 if it does not have both upper and lower case chars. Use isupper(char c) and islower(char c).
• 5 if it is a good password

    [jphillips@localhost Assign3]$ passwordTester
    Please enter a prospective password (WATCH OUT! Will be visible): shorty
    shorty is in the dictionary, fool!
    Please enter a prospective password (WATCH OUT! Will be visible): shortie
    Too short!
    Please enter a prospective password (WATCH OUT! Will be visible): shortieShort
    At least one digit, please.
    Please enter a prospective password (WATCH OUT! Will be visible): shor1ieShort
    At least one punctuation char, please.
    Please enter a prospective password (WATCH OUT! Will be visible): shor1!eShort
    I LIKE IT! Good job!
    [jphillips@localhost Assign3]$

How to compile and run passwordTester.cpp:

    [jphillips@cdmlinux Assign3]$ g++ passwordTester.cpp -o passwordTester
    [jphillips@cdmlinux Assign3]$ ./passwordTester
    Please enter a prospective password (WATCH OUT! Will be visible):

Answer:

    #include <stdio.h>
    #include <string.h>

    int main() {
        /* Room for 12 characters plus the terminating NUL. The original used
           12-byte buffers filled by an unbounded scanf("%s"), which is itself
           the stack buffer overflow that question 1 is about; the width in
           "%12s" bounds the read (so the len > 12 branch below can no longer
           trigger, but it is kept as written). */
        char username[13];
        char password[13];
        unsigned char x;
        int a, i, len, flag, hasLower, hasUpper, hasNum, hasSymb, hasSpecial;

        printf("enter the desired username \n");
        if (scanf("%12s", username) != 1) return 1;
        printf("enter the desired password \n");
        if (scanf("%12s", password) != 1) return 1;

        len = strlen(password);
        if (len < 6)
            printf("password length too short, password should be of minimum of 6 characters ");
        else if (len > 12)
            printf("password length too long, password should be of maximum of 12 characters");
        else {
            a = strcmp(username, password);
            if (a == 0) {
                printf(" weak password, matches with username");
            } else {
                hasUpper = hasLower = hasSymb = hasSpecial = hasNum = 0;
                flag = 0;
                i = 0;
                while (password[i] != '\0') {
                    x = password[i];
                    if (x >= 'a' && x <= 'z') hasLower = 1;
                    else if (x >= 'A' && x <= 'Z') hasUpper = 1;
                    else if (x >= 48 && x <= 57)                  /* numbers range */
                        hasNum = 1;
                    else if ((x >= 33 && x <= 47) || (x >= 58 && x <= 64) || (x >= 91 && x <= 96))
                        hasSymb = 1;                              /* symbols ASCII range */
                    else if (x >= 123 && x <= 126)                /* special symbols ASCII range */
                        hasSpecial = 1;
                    i++;
                }
                if (hasUpper) flag += 10;
                if (hasLower) flag += 10;
                if (hasNum) flag += 10;
                if (hasSymb) flag += 10;
                if (hasSpecial) flag += 10;
                printf("flag= %d \n", flag);
                if (flag == 50) printf("Five out of Five Star Strength!\n");
                else if (flag == 40) printf("Four out of Five Star Strength");
                else if (flag == 30) printf("Three out of Five Star Strength");
                else if (flag == 20) printf("Two out of Five Star Strength");
                else printf("One out of Five Star Strength");
            }
        }
        /* The original ended with getch(), a conio.h call that does not exist on
           Linux and only paused the console; it is not needed. */
        return 0;
    }
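The answer above scores character classes and prints star ratings; it does not return the 0..5 codes the assignment specifies, has no dictionary check, and reads into fixed-size char arrays. The following is an added example of my own, not the assignment's or the answer's code, that follows the spec as written: a function taking a std::string (so there is no fixed buffer to overflow) and returning 0..5, with the checks ordered as the sample session shows them. The four-entry dictionary is a constructed stand-in for the instructor's dictionary, which is not on the page; the messages for codes 0, 1, 2, 3 and 5 are those of the sample run, while the code-4 message wording is assumed.

```cpp
#include <cctype>
#include <iostream>
#include <set>
#include <string>

// Constructed stand-in for the instructor's dictionary check (not on the page).
static const std::set<std::string> kDictionary = {"shorty", "password", "letmein", "qwerty"};

bool inDictionary(const std::string& pw) {
    return kDictionary.count(pw) != 0;
}

// Returns the assignment's code: 0 dictionary word, 1 too short (< 8), 2 no digit,
// 3 no punctuation, 4 not both upper and lower case, 5 good. The checks run in the
// order the sample session shows, so a password is reported for its first failure.
int passwordStrength(const std::string& pw) {
    if (inDictionary(pw)) return 0;
    if (pw.length() < 8) return 1;

    bool digit = false, punct = false, upper = false, lower = false;
    for (char ch : pw) {
        // The <cctype> functions take an int that must be EOF or an unsigned char
        // value; passing a negative char (e.g. a UTF-8 byte on a signed-char
        // platform) is undefined behaviour, hence the cast.
        unsigned char c = static_cast<unsigned char>(ch);
        if (std::isdigit(c))      digit = true;
        else if (std::ispunct(c)) punct = true;
        else if (std::isupper(c)) upper = true;
        else if (std::islower(c)) lower = true;
    }
    if (!digit) return 2;
    if (!punct) return 3;
    if (!(upper && lower)) return 4;
    return 5;
}

// Messages as printed in the sample run on the page (code 4 wording assumed).
std::string verdict(const std::string& pw) {
    switch (passwordStrength(pw)) {
        case 0:  return pw + " is in the dictionary, fool!";
        case 1:  return "Too short!";
        case 2:  return "At least one digit, please.";
        case 3:  return "At least one punctuation char, please.";
        case 4:  return "Both upper and lower case chars, please.";
        default: return "I LIKE IT! Good job!";
    }
}

int main() {
    std::string pw;
    // Keep asking until a good password, as the session on the page does.
    do {
        std::cout << "Please enter a prospective password (WATCH OUT! Will be visible): ";
        if (!std::getline(std::cin, pw)) return 1;
        std::cout << verdict(pw) << "\n";
    } while (passwordStrength(pw) != 5);
    return 0;
}
```

Because the checks are ordered, the function never reports more than one defect per attempt, which is exactly what the sample transcript shows (shortieShort is told about the digit before the punctuation).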

3. Security Policy (30 Points): You run a business incubator for DePaul, where entrepreneurs try to start new businesses with the help of DePaul's faculty and staff. Businesses can either be
• bakeries (with secret recipes), or
• tech startups (with secret "killer apps")
The professionals that DePaul can provide for startup businesses include:
• lawyers
• accountants
• web developers
The documents that individual businesses need DePaul to create and use include:
• draft business plans
• finished business plans
• websites
Lawyers create draft business plans by deciding the correct type of business. Accountants turn draft business plans into finished business plans by filling in numbers. Web developers turn draft business plans into websites that describe the business. Every professional can work on at most one bakery and at most one tech start up. Please describe a flow for documents and a usage policy for professionals. Please describe the gross outline I gave you in more detail according to an appropriate security policy (e.g. Chinese Wall, Clark-Wilson, military, etc.)

Answer: A security plan is a document that describes how an organization will address its security needs. The plan is subject to periodic review and revision as the organization's security needs change. A good security plan is an official record of current security practices, plus a blueprint for orderly change to improve those practices. By following the plan, developers and users can measure the effect of proposed changes, leading eventually to further improvements. The impact of the security plan is important, too. A carefully written plan, supported by management, notifies employees that security is important to management (and therefore to everyone). Thus, the security plan has to have the appropriate content and produce the desired effects. A security plan must state the organization's policy on security. A security policy is a high-level statement of purpose and intent. Initially, you might think that all policies would be the same: to prevent security breaches. But in fact the policy is one of the most difficult sections to write well, because there are tradeoffs among the strength of the security, the cost, the inconvenience to users, and more. To devise the security policy for DePaul we will follow the model shown in the figure.

From the given scenario, DePaul is a consultancy-services organization and its major stakeholders are
1. Consultants (faculty and students)
2. Lawyers
3. Accountants
4. Web developers
The major tasks are
1. Draft business plans
2. Finished business plans
3. Websites
4. Security/monitoring and business contingency
The most appropriate IT systems include
• Document Management System
• Email and Instant message services
• WWW, FTP services
• Secure authentication services
• Internet security and Firewall Services
We have some basic guidelines for document handling: Lawyers create draft business plans by deciding the correct type of business. Accountants turn draft business plans into finished business plans by filling in numbers. Web developers turn draft business plans into websites that describe the business. The flow of documents follows these guidelines, and the access rights for each role are:
1. Lawyers: create, read, modify, write and execute
2. Accountants: read, modify, write and execute
3. Web Developers: read, modify, write and execute
4. End Users: read-only access
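The question names Chinese Wall as a candidate model, and its "at most one bakery and at most one tech start up" rule is exactly a Chinese Wall conflict-of-interest constraint (bakeries form one conflict class, startups another), while the role rules above (lawyers create drafts, accountants derive finished plans from drafts, web developers derive websites from drafts) are Clark-Wilson-style well-formed transactions. The C++ program below is an added example of my own, not part of the assignment or of the answer above; it encodes those rules so the allow/deny decisions can be exercised. Business and professional names are constructed, and the rule that a professional's wall closes on their first access to a business's documents (read or create) is the standard Chinese Wall reading and is an assumption here.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>

enum class Role { Lawyer, Accountant, WebDeveloper };
enum class BizKind { Bakery, TechStartup };      // the two conflict-of-interest classes
enum class Doc { Draft, Finished, Website };

struct Business { std::string name; BizKind kind; };

class IncubatorPolicy {
public:
    // Chinese Wall: once a professional has touched one business of a kind,
    // every other business of that same kind is off limits to them.
    bool mayWorkOn(const std::string& who, const Business& b) const {
        auto it = assigned_.find(who);
        if (it == assigned_.end()) return true;              // clean slate
        auto k = it->second.find(b.kind);
        return k == it->second.end() || k->second == b.name;
    }

    // Well-formed transactions: which role may produce which document.
    static bool roleMayCreate(Role r, Doc d) {
        switch (d) {
            case Doc::Draft:    return r == Role::Lawyer;
            case Doc::Finished: return r == Role::Accountant;
            case Doc::Website:  return r == Role::WebDeveloper;
        }
        return false;
    }

    // Document flow: finished plans and websites are derived from the draft,
    // so neither can exist before a lawyer has produced that draft.
    bool createDoc(const std::string& who, Role r, const Business& b, Doc d) {
        if (!mayWorkOn(who, b) || !roleMayCreate(r, d)) return false;
        if (d != Doc::Draft && !hasDoc(b, Doc::Draft)) return false;
        docs_[b.name].insert(d);
        assigned_[who][b.kind] = b.name;                     // the wall closes here
        return true;
    }

    bool readDoc(const std::string& who, const Business& b, Doc d) {
        if (!mayWorkOn(who, b) || !hasDoc(b, d)) return false;
        assigned_[who][b.kind] = b.name;                     // reading closes it too
        return true;
    }

private:
    bool hasDoc(const Business& b, Doc d) const {
        auto it = docs_.find(b.name);
        return it != docs_.end() && it->second.count(d) != 0;
    }
    std::map<std::string, std::map<BizKind, std::string>> assigned_;  // who -> kind -> business
    std::map<std::string, std::set<Doc>> docs_;                       // business -> documents
};

// Walks the question's scenario with constructed names; true if every
// expected allow/deny decision holds.
bool runScenario() {
    IncubatorPolicy p;
    Business ann{"Ann's Bakery", BizKind::Bakery};
    Business bob{"Bob's Bakery", BizKind::Bakery};
    Business app{"AppCo", BizKind::TechStartup};
    bool ok = true;
    ok = ok &&  p.createDoc("lena", Role::Lawyer, ann, Doc::Draft);       // first bakery: fine
    ok = ok && !p.createDoc("lena", Role::Lawyer, bob, Doc::Draft);       // second bakery: walled off
    ok = ok &&  p.createDoc("lena", Role::Lawyer, app, Doc::Draft);       // one startup is allowed
    ok = ok &&  p.createDoc("luis", Role::Lawyer, bob, Doc::Draft);       // another lawyer takes Bob's
    ok = ok && !p.createDoc("abe", Role::Accountant, ann, Doc::Website);  // wrong role for a website
    ok = ok &&  p.readDoc("abe", ann, Doc::Draft);                        // accountant reads the draft...
    ok = ok &&  p.createDoc("abe", Role::Accountant, ann, Doc::Finished); // ...and fills in the numbers
    ok = ok && !p.readDoc("abe", bob, Doc::Draft);                        // abe is now walled to Ann's
    ok = ok &&  p.createDoc("wes", Role::WebDeveloper, ann, Doc::Website); // website derived from draft
    return ok;
}

int main() {
    bool ok = runScenario();
    std::printf("scenario %s\n", ok ? "passes" : "FAILS");
    return ok ? 0 : 1;
}
```

The policy object is the reference monitor: every read or create goes through it, so the "at most one bakery" rule cannot be bypassed by a role that is otherwise allowed to create a document, and the draft-first rule keeps accountants and web developers from producing documents that have no lawyer-approved source.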
