
CS3002 Information Security                          Serial No:
Wednesday October 20, 2020                           1st Mid Term

Course Instructor                                    Open Book-Exam
Dr. Irfan ul Haq, Dr. Danish Shehzad                 Total Time: 1 Hour
and Dr. Umar Aftab                                   Total Marks: 45

________________
Signature of Invigilator

_____________________          ________          ________
Roll No                        Section           Signature

DO NOT OPEN THE QUESTION BOOK OR START UNTIL INSTRUCTED.


Instructions:
1. Verify at the start of the exam that you have a total of Three (3) questions printed
on Six (06) pages including this title page.
2. Attempt all questions on the question-book and in the given order.
3. The exam is open book and open notes, but no electronic device (laptop, mobile
device) that may provide internet access is allowed. The use of such devices will be
considered cheating.
4. Read the questions carefully for clarity of context and understanding of meaning,
and make assumptions wherever required, for neither the invigilator will address
your queries, nor will the teacher/examiner come to the examination hall for any
assistance.
5. Fit all your answers in the provided space. You may use the extra space on the last
page if required. If you do so, clearly mark the question/part number on that page to
avoid confusion.
6. Use only your own stationery and calculator. If you do not have your own calculator,
use manual calculations.
7. Use only permanent ink-pens. Only the questions attempted with permanent ink-
pens will be considered. Any part of the paper done in lead pencil cannot be claimed for
checking/rechecking.

                  Q-1    Q-2    Q-3    Total
Total Marks       15     15     15     45
Marks Obtained

Vetted By: ____________________________Vetter Signature: _____________________

University Answer Sheet Required: No Yes


National University of Computer and Emerging Sciences
Department of Computer Science Chiniot-Faisalabad Campus
Question 1 15 Marks
Read the steps carefully and answer the questions at the end.
In this question, you will see how the LD_PRELOAD environment variable influences the
behaviour of the dynamic loader/linker when running a normal program.
I. Let us build a dynamic link library. Create the following program and name it mylib.c. It
basically overrides the sleep() function in libc:

II. We can compile the above program using the following commands (in the -lc argument, the
second character is the letter l, i.e. ell):

% gcc -fPIC -g -c mylib.c

% gcc -shared -o libmylib.so.1.0.1 mylib.o -lc

III. Now, set the LD_PRELOAD environment variable:

% export LD_PRELOAD=./libmylib.so.1.0.1

IV. Finally, compile the following program, myprog, in the same directory as the above
dynamic link library libmylib.so.1.0.1:

After you have completed the above steps, suppose you run myprog under the following
conditions and answer the following four questions.
A. Make myprog a regular program and run it as a normal user. What is the output of the
given program? Explain how the LD_PRELOAD environment variable influences the
output of the program. [3 marks]
B. Make myprog a Set-UID root program and run it as a normal user. What is the output of
the given program, and does the LD_PRELOAD environment variable influence the output
of the program or not? If not, explain why not. [4 marks]
C. Make myprog a Set-UID root program, export the LD_PRELOAD environment variable
again in the root account and run it. Now, what is the output of the given program?
Explain how the LD_PRELOAD environment variable influences the output of the program.
[4 marks]
D. Make myprog a Set-UID user1 program (i.e., the owner is user1, which is another user
account), export the LD_PRELOAD environment variable again in a different user's
account (a non-root user) and run it. What is the output of the given program, and does the
LD_PRELOAD environment variable influence the output of the program or not? If not,
explain why not. [4 marks]

Mid-1 Fall-2021 Page 2 of 7



Solution:

1): The printf("I am not sleeping! \n"); statement is executed instead of the sleep(1); statement
because the libc library is replaced with the dynamic link library libmylib.so.1.0.1 by
changing the LD_PRELOAD variable path, i.e. % export LD_PRELOAD=./libmylib.so.1.0.1.

2): The sleep(1); statement is executed because now the myprog program has root
privilege, having been made a Set-UID root program. We create a child process and the
child process does not inherit the LD_* environment variables. The LD_PRELOAD
variable path is not set to the dynamic link library libmylib.so.1.0.1 for the root user.

3): Now, the LD_PRELOAD environment variable is exported in the root account.
Therefore, the printf("I am not sleeping! \n"); statement is executed instead of the sleep(1);
statement because the libc library is replaced with the dynamic link library libmylib.so.1.0.1
by changing the LD_PRELOAD variable path, i.e. % export LD_PRELOAD=./libmylib.so.1.0.1.

4): In this case we make myprog a Set-UID user1 program and we do not set the
LD_PRELOAD variable path to the dynamic link library libmylib.so.1.0.1 for user1.
Now, myprog has user1 privilege if we run it from another user account whose
LD_PRELOAD variable path is set to the dynamic link library libmylib.so.1.0.1; still,
it executes the sleep(1); statement because myprog has user1 privilege and the LD_PRELOAD
variable path is not set for user1.
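The following C program is an added illustration and is not part of the exam paper or its solution. It models the rule the dynamic loader applies across the four runs of Question 1: when the effective user or group id of a process differs from its real one, which is the situation of a Set-UID program started by a user other than its owner, the loader treats the process as running in secure-execution mode and ignores LD_PRELOAD entries given as a path, such as ./libmylib.so.1.0.1. The numeric ids (0 for root, 1000 for user1, 1001 for a second ordinary user) are constructed for the example, and on Linux the program also reports the kernel's own AT_SECURE flag for the process it runs in.

```c
/* Added example (not part of the exam paper): which of the four Question 1
 * scenarios actually gets the preloaded sleep(). glibc's ld.so runs a program
 * in "secure-execution" mode when its effective ids differ from its real ids
 * (the kernel reports this as AT_SECURE; it is also set in a few other cases,
 * e.g. file capabilities). In that mode any LD_PRELOAD entry containing a
 * slash, like ./libmylib.so.1.0.1, is dropped, so the real libc sleep() runs.
 */
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Model of the loader's rule for a path-qualified LD_PRELOAD entry.
 * Returns 1 if the entry would be loaded, 0 if the loader ignores it. */
int preload_honoured(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    int secure_mode = (uid != euid) || (gid != egid);
    return secure_mode ? 0 : 1;
}

/* The four runs of myprog from Question 1 as (real, effective) ids.
 * Constructed ids: root = 0, user1 = 1000, a second ordinary user = 1001. */
int scenario_a(void) { return preload_honoured(1000, 1000, 1000, 1000); } /* regular program, normal user    */
int scenario_b(void) { return preload_honoured(1000,    0, 1000, 1000); } /* Set-UID root, run by normal user */
int scenario_c(void) { return preload_honoured(   0,    0,    0,    0); } /* Set-UID root, run by root itself */
int scenario_d(void) { return preload_honoured(1001, 1000, 1001, 1001); } /* Set-UID user1, run by other user */

/* What the loader decided for the process that is running right now. */
int running_in_secure_mode(void)
{
#ifdef __linux__
    return getauxval(AT_SECURE) != 0;
#else
    return !preload_honoured(getuid(), geteuid(), getgid(), getegid());
#endif
}

int main(void)
{
    printf("A regular program, normal user:   preload %s\n", scenario_a() ? "used" : "ignored");
    printf("B Set-UID root, normal user:      preload %s\n", scenario_b() ? "used" : "ignored");
    printf("C Set-UID root, run by root:      preload %s\n", scenario_c() ? "used" : "ignored");
    printf("D Set-UID user1, another user:    preload %s\n", scenario_d() ? "used" : "ignored");
    printf("this process: uid=%u euid=%u secure-execution mode=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), running_in_secure_mode());
    return 0;
}
```

Scenarios A and C come out as "used" and B and D as "ignored", which is the pattern the solution above describes: the library only takes effect when the user who exported LD_PRELOAD is the same identity the program runs under.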


Question 2 15 Marks
A. State whether or not this program performs a buffer overflow attack. If not, find the problem
in the code and correct it. Explain how the buffer overflow attack is performed and what
the output is. [5 Marks]

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[8];
    int pass = 0;
    char password[8] = "secret";

    printf("\n Enter the password : \n");
    scanf("%s", buff);

    if (strcmp(buff, password))
    {
        printf("\n Wrong Password \n");
    }
    else
    {
        printf("\n Correct Password \n");
        pass = 1;
    }

    if (pass)
    {
        /* Now Give root or admin rights to user */
        printf("\n Root privileges given to the user \n");
    }
    return 0;
}

Answer
• No, this program does not perform a buffer overflow attack because the char buff
variable is at a higher memory address than the int pass and char password variables.
Therefore, the buff variable does not overwrite the content of the pass and password
variables.
• To perform a buffer overflow attack, the char buff variable must be at a lower memory
address than the int pass and char password variables.
• If the password is not 'secret' then the printf("\n Wrong Password \n"); statement is
executed.
• If the password entered is longer than 16 bytes, the variable 'pass' will be overwritten
by the user's input and the value of 'pass' is changed from 0 to some other value. So the
if(pass) condition is true if the value of 'pass' is other than 0. Therefore, printf("\n Root
privileges given to the user \n"); is executed if the entered password is longer than 16 bytes.

B. Various programs are provided in the table below. Highlight the vulnerabilities (if
any). Justify your answer with an example. [10 Marks]

Program 1

Program Code:

void askQuestion()
{
    char user_answer[4];
    printf("Is this code secure? please answer yes or no:");
    gets(user_answer);
}

Answer with Justification:
No bounds checking is performed. If the user enters "maybe" then the program will likely
stop working rather than asking the user for a valid answer and re-prompting with the
question. The user's answer is simply written into the buffer, regardless of its length.
In this example, since user_answer is the only variable declared, the next values on the
stack would be the return address value, or the location in memory to which the program
will return after running the askQuestion function. This means that if the user enters
four bytes of data (enough to fill the memory specifically set aside for the buffer), followed
by a valid address in memory, the program's return address will be modified.

Program 2

Program Code:

int main() {
    char full_buffer[4];
    char normal_buffer[4];
    strncpy(normal_buffer, "foo", sizeof(normal_buffer));
    strncpy(full_buffer, "four", sizeof(full_buffer));
    printf(normal_buffer);
    printf("\n");
    printf(full_buffer);
    printf("\n");
}

Answer with Justification:
No vulnerability because of fixed input values. Because the values are hard coded, no
buffer overflow will occur.

Program 3

Program Code:

#include <stdio.h>
#include <string.h>

int main(void)
{
    char buff[15];
    int pass = 0;

    printf("\n Enter the password : \n");
    gets(buff);

    if (strcmp(buff, "thegeekstuff"))
    {
        printf("\n Wrong Password \n");
    }
    else
    {
        printf("\n Correct Password \n");
        pass = 1;
    }

    if (pass)
    {
        /* Now Give root or admin rights to user */
        printf("\n Root privileges given to the user \n");
    }

    return 0;
}

Answer with Justification:
There is a logic behind the output above. What the attacker did was, he/she supplied an
input of length greater than what the buffer can hold, and at a particular length of input the
buffer overflow took place so that it overwrote the memory of the integer 'pass'. So, despite
a wrong password, the value of 'pass' became non-zero and hence root privileges were
granted to the attacker.
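An added example, not part of the exam paper or its answer key: the Question 2 programs that read with gets() or scanf("%s") share one root cause, an unbounded read into a fixed-size stack buffer. The program below shows the bounded counterpart of the password check and of askQuestion(): read_line() reads at most the buffer's size, reports a line that did not fit instead of writing past the end, and the callers reject or re-prompt. Input is taken through a FILE* so the functions can be driven from constructed strings with fmemopen(); the password "secret" and the buffer sizes are the page's, and the sample inputs in main() are constructed.

```c
/* Added example (not from the exam paper): bounded replacements for the
 * Question 2 password check and askQuestion(). The fix is the same for every
 * program on the page: read with a length limit, detect an over-long line
 * instead of silently overrunning the buffer, and reject or re-prompt.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

FILE *fmemopen(void *buf, size_t size, const char *mode);   /* POSIX.1-2008 */

#define PASSWORD "secret"     /* the page's password */

/* Read one line into buf (cap bytes). Returns 1 for a complete line,
 * 0 on end of input with nothing read, -1 if the line did not fit (the
 * excess is discarded so the next read starts on a fresh line). */
int read_line(FILE *in, char *buf, size_t cap)
{
    if (cap == 0 || fgets(buf, (int)cap, in) == NULL) {
        if (cap) buf[0] = '\0';
        return 0;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';
        return 1;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                 /* the line filled the buffer exactly */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                         /* drop the part that did not fit */
    return -1;
}

/* Hardened password check: buff is still 8 bytes, but no input can write
 * past it, so `pass` cannot be flipped by an over-long password regardless
 * of where the compiler places the two variables. Returns 1 only on a match. */
int check_password(FILE *in)
{
    char buff[8];
    int pass = 0;

    if (read_line(in, buff, sizeof buff) == 1 && strcmp(buff, PASSWORD) == 0)
        pass = 1;                 /* an over-long line returns -1 and never gets here */
    return pass;
}

/* Hardened askQuestion(): 1 for "yes", 0 for "no", re-prompts on anything
 * else ("maybe" no longer fits and is rejected), -1 if input runs out. */
int ask_question(FILE *in, FILE *out)
{
    char user_answer[4];          /* "yes" plus the terminating NUL */

    for (;;) {
        fputs("Is this code secure? please answer yes or no: ", out);
        int r = read_line(in, user_answer, sizeof user_answer);
        if (r == 0)
            return -1;
        if (r == 1 && strcmp(user_answer, "yes") == 0)
            return 1;
        if (r == 1 && strcmp(user_answer, "no") == 0)
            return 0;
        fputs("\nPlease answer yes or no.\n", out);
    }
}

/* Helpers that run the checks on a constructed input string. */
int check_password_str(const char *input)
{
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    int r = in ? check_password(in) : -1;
    if (in) fclose(in);
    return r;
}

int ask_question_str(const char *input)
{
    char sink[256];               /* prompts go here instead of the terminal */
    FILE *in = fmemopen((void *)input, strlen(input), "r");
    FILE *out = fmemopen(sink, sizeof sink, "w");
    int r = (in && out) ? ask_question(in, out) : -1;
    if (in) fclose(in);
    if (out) fclose(out);
    return r;
}

int main(void)
{
    printf("\"secret\"            -> %d\n", check_password_str("secret\n"));
    printf("24 x 'A'            -> %d\n", check_password_str("AAAAAAAAAAAAAAAAAAAAAAAA\n"));
    printf("\"maybe\" then \"no\"   -> %d\n", ask_question_str("maybe\nno\n"));
    return 0;
}
```

The 24-byte input that the page's answer uses to flip pass now simply fails the check, and "maybe" leads to a second prompt rather than a crash; the variable layout on the stack no longer matters.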


Question 3 15 Marks
The given source code has two vulnerabilities. First, foo has a buffer overflow vulnerability.
Second, bar has a format string vulnerability. You can assume that the program will be
compiled for a 32-bit x86 system. When foo is called, its RA (return address) is set to
0xAABBCCDD and its old BP (base pointer) is set to 0x11223344. In addition, you can assume
that all the countermeasures are disabled.

#include <stdio.h>
#include <string.h>   /* for strcpy */

void foo(char *str)
{
    char buf[1];
    strcpy(buf, str);
}

void bar(char *str)
{
    printf(str, 10, 10);
}

int main(int argc, char **argv)
{
    int secret = 0xA;

    foo(argv[1]);
    bar(argv[1]);

    return 0;
}
A. Write an input that will crash the program using the format string vulnerability. An input that
crashes the program due to the buffer overflow will receive no marks. [10 marks]

B. Write an input that will disclose the content of the secret variable. [5 marks]
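As an added example (not part of the exam paper), here are the two Question 3 functions with their defects removed, written so that their results can be checked: foo_safe() bounds the copy into the stack buffer and reports whether the input was truncated, and bar_safe() passes the caller's string as an argument to a fixed "%s" format instead of using it as the format, so any '%' sequences in the input are printed as data. BUF_SIZE, count_format_directives() and the sample input in main() are constructed for the example; the page's foo() used a 1-byte buffer. The defect in the page's bar() is the one gcc's -Wformat-security warning reports at compile time.

```c
/* Added example (not from the exam paper): Question 3's foo() and bar()
 * without the buffer overflow and format string defects.
 */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16   /* constructed size; the page's foo() used buf[1] */

/* Bounded replacement for foo(). Returns 1 if str fit in full, 0 if it was
 * truncated to BUF_SIZE-1 bytes. The destination is always NUL-terminated. */
int foo_safe(const char *str, char out[BUF_SIZE])
{
    size_t n = strlen(str);
    size_t keep = n < BUF_SIZE - 1 ? n : BUF_SIZE - 1;
    memcpy(out, str, keep);
    out[keep] = '\0';
    return keep == n;
}

/* Replacement for bar(): the user string is an argument to a fixed format,
 * never the format itself, so '%' sequences in str are printed literally.
 * Writes into dst (cap bytes) and returns the length the full output would
 * need, exactly like snprintf(). */
int bar_safe(const char *str, char *dst, size_t cap)
{
    return snprintf(dst, cap, "%s", str);
}

/* Detection helper for code that still hands untrusted strings to printf-
 * style functions: counts '%' characters that are not the "%%" escape, i.e.
 * the directives printf() would try to interpret. */
int count_format_directives(const char *str)
{
    int count = 0;
    for (const char *p = str; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a single '%' */
        count++;
    }
    return count;
}

int main(void)
{
    const char *input = "50% off %x";        /* constructed sample input */
    char copy[BUF_SIZE];
    char rendered[64];

    int fit = foo_safe(input, copy);
    bar_safe(input, rendered, sizeof rendered);
    printf("copy: \"%s\" (%s)\n", copy, fit ? "complete" : "truncated");
    printf("rendered: \"%s\"\n", rendered);
    printf("format directives in input: %d\n", count_format_directives(input));
    return 0;
}
```

With the fixed format, an input containing "%x" is rendered as the literal text "%x": nothing is read from the stack and the secret variable in main() is never reachable through bar().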
