CS 443 Assignment #1
Fall, 2009

This assignment must be done individually with no help from anyone else in the class or outside the class. You must write all code yourself, and you may not use any other code found on the Internet or elsewhere.

Part I, due beginning of class on September 30
(Late assignments are penalized 5% points per day.)

1. Use any reference materials, the Internet, or manuals to find this information. You may use any resource except asking another person.

   Identify the security measures against buffer overflow attacks found in the latest version of the following operating systems. Describe each security measure, how it mitigates and/or prevents buffer overflows, and whether it can be turned on and off or is always there. Identify which operating system you think is the best and which is the worst in terms of protecting memory on the stack.

   - Mac OS X 10.5.7 or 10.6 on Intel
   - Ubuntu
   - OpenBSD
   - FreeBSD
   - Windows Vista

2. Write a program in C. The program may be interactive and ask the user to answer some question on the keyboard, or it can obtain input from somewhere else. Write your code so that there is a buffer overflow vulnerability. Try your best to hide the vulnerability so that someone analyzing your code would not see it. Document the vulnerability in a short, external report.

   Turn in your source code and the short report. Also bring a CD with your program on it, but with no indication of how the program is vulnerable. Make sure your name is on the CD.

   Your development environment will be an Ubuntu VM that we are providing. You can find instructions in the file "ubuntu.instructions.txt" in this web directory.

3. Write the exploit to your program. The exploit should create a shell with the permissions of the user account running the program. The exploit can be in the form of something entered into one of the interactive questions in the program or through a calling routine. Or, if you think of something else creative, that's great.

   Turn in the shell code for your exploit, a trace of a run of your exploit, and a short report documenting and explaining the theory behind your exploit and how it works. You might be asked to demonstrate your exploit to one of the TAs.

Part II, due beginning of class on October 12

Find a partner in the class. Give them the program that you wrote for #2 in Part I above, but do not provide any external documentation to them. You will also receive the partner's program. If there is an odd number of students in the class, then a three-way trade can be arranged. On September 30, in class, we will make sure everyone has a partner, but feel free to choose one in advance. I recommend trying to find someone with comparable technical skill to yourself. Make sure you do not provide any information to your partner about your vulnerability or exploit.

You have 2 weeks to find the vulnerability in the other program and to write an exploit. Partial credit will be given for identifying the vulnerability if you cannot write an exploit. You will receive extra credit if your partner is unable to find the vulnerability in your program. You will also receive extra credit if you find a vulnerability in the program that the author did not intend.

Turn in a description of the vulnerability, a description of your exploit, the shell code for your exploit, a trace of a run of your exploit, and a short report documenting and explaining the theory behind your exploit and how it works. Again, you might be asked to demonstrate your exploit to one of the course TAs.

Part III, presentations on October 12 and October 14

Be prepared to present the following to the class. You should prepare a presentation of 8 minutes or less:

- demonstrate your program
- explain the vulnerability
- describe and demo your exploit
- describe your analysis of your partner's program and what you found, as well as your exploit, if you were able to write one

After each person goes, their partner will present. It is possible that not all the students will get to present due to class size and time constraints, in which case I'll pick students at random, so everyone needs to be prepared.

Grade Sheet:

Part I
  Problem #1: ____________ (20 points)
  Problem #2:
    Quality of program: ______ (15 points)
    Quality of vulnerability: ___ (10 points)
    Stealthiness of vulnerability: ___ (10 points)
    Quality of documentation: ___ (15 points)
    Extra credit, if partner did not find vulnerability: ___ (10 points)
  Problem #3:
    Quality of exploit: ___ (10 points)
    Quality of documentation: ___ (20 points)

Part II:
  Finding vulnerability: ___ (10 points)
  Quality of exploit: ___ (15 points)
  Quality of documentation: ___ (20 points)

Part III:
  Quality of presentation: ___ (15 points)
  (people who don't get to present will not be penalized)