In today’s exercise you will apply your understanding of how operating systems, memory, and the C programming language work to think about security vulnerabilities. While virtually any program can be vulnerable to attack, it is particularly important for the operating system to prevent such attacks; if an attacker is able to bypass checks in the operating system can access any data or device on a machine.
Today’s exercise will run a bit differently than some of our earlier in-class exercises. We will run through four scenarios with the following steps:
You are free to examine the code for each target program, but your attack must work against the original, unmodified version of the program.
You might be wondering how this scenario is realistic, since you have access to the code—why not simply change the program instead of exploiting it by sending strange inputs?
However, this is exactly the scenario you would be in if you were attacking a public-facing internet service.
While you may have access to the source code for the server code, you have no way to make the target of your attack run a modified version of the code.
Instead, you can craft inputs that will exploit a bug in the program and grant you access that you would not otherwise have.
You are free to run your own copy of the program in gdb, rebuild with AddressSanitizer, or modify its code to help you craft an attack, but that attack will have to work against the deployed version you do not control.
As you work through each step of this exercise, please do not share your discoveries with other students until we regroup as a class.
To start the exercise, log in to a MathLAN machine at https://gpu.cs.grinnell.edu. Open a terminal and run the following commands:
$ git clone /home/curtsinger/csc213/exercises/security ~/csc213/exercises/security
$ cd ~/csc213/exercises/security
Keep your terminal open. All four programs we’ll look at have a terminal user interface, so you’ll need it to attack each target.
pizzashopOur first target program, pizzashop, runs a very simple store.
You can place an order, and you will then be charged for what you order.
Your task is to “attack” this store.
A successful attack will allow you to place an order that results in free pizza.
To build the pizzashop program, run the following command in your shell:
$ make pizzashop
Remember the rules for this exercise: do not share the bugs you discover or an attack you develop until we regroup as a class, and your attack must work on the original, unmodified program.
numbergameThe second target program, numbergame, asks you to guess a number between 1 and 10 that the program has randomly generated.
You would expect to win the game roughly 10% of the time if you guess randomly.
A successful attack will allow you to win 100% of the time.
To build the numbergam program, run the following command in your shell:
$ make numbergame
You should see some warnings from the compilation process. The warnings may help you figure out where to start looking for vulnerabilities in this program.
passwordThe third target program asks you to type in a password, and compares it to a randomly-generated password that you have no way of knowing. You have three attempts before you are locked out. A successful attack will allow you to log in before your three attempts are used up.
To build the password program, run the following command in your shell:
$ make password
Again, you’ll see at least one warning when you build this program. Take the compiler’s advice and look carefully at the code it is warning you about.
accountsOur fourth target is a more complicated multi-account system.
This program has an administrator account with the username root and a password you do not know (it is generated at startup), but you can create your own account as well.
You should be able to create and log in to regular accounts, but logging in as root is not supposed to be possible.
A successful attack will allow you to log in as root.
To build the accounts program, run the following command in your shell:
$ make accounts