Worksheet 7: Software Security I

Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the end of the Tuesday before the next lecture via Blackboard link as a single pdf document. Be sure to properly label each question.

Questions

Explain what a TOCTOU Race is using the following short program example, assuming the program has some level of additional privileged to access file that an attacker normally doesn’t.
```
if(access("file",PERMS REQUESTED)==0)   // Line 1
  filedescr = open("file", PERMS)       // Line 2
```
Reveal Solution

TOCTOU stands for “time of check, time of use”. In this example, the privilege program checks access and hen opens the file. There is an opportunity for the attacker to intervene after the access but before the file is actually opened and used. This provides a point of attack where what file is actually access could be changed and thus access it via the privileged program when they shouldn’t be able to.

What is the mitigation to the above example?

Reveal Solution

The user should use a procedure that atomically both checks access and performs access at one time, such as using open() directly which uses the check.

What does the function unlink() and link() do in an i-node file systems?

Reveal Solution
- unlink() is the equivalent of deleting a file by removing the link to it in the i-node tree.
- link() will create a new link to an existing file in the i-node tree. It’s similar to creating a new file, but the file or directory being linked to have to previously exist, otherwise it’s a dangling link.

What is the difference between a symbolic and hard link in an i-node file system?

Reveal Solution
- A symbolic link is an indirect alias to a file, essentially a shortcut. In the i-node tree, it stores a path that should be references when this node is references.
- A hard link is where there exists two nodes, entries in the filesystem, that link to the same file.
See for reference Figure 5.8 in the book.

What is the PATH environment variable, what is it used for?

Reveal Solution

The PATH environment variable stores a list of directories where the shell/terminal should look for executables to run. For example, when you type a command like emacs or vim or cat or anything, those executables are stored somewhere else. To find if they exist, the shell looks in each directory listed in the PATH, and it runs the executable it first finds.

Consider the function call to system(), like so system("cat foo.txt"). Explain how this is a potential security vulnerability if the program is privileged.

Reveal Solution

Sense a full path to cat wasn’t used, the attacker can change the PATH environment variable to include a directory under their control, so as /home/attacker/bin, and in that directory create a program named cat that does what they want, like maybe reading /etc/shadow

What is an injection attack? Provide an example.

Reveal Solution

An injection attack is when the attacker is able to inject commands or code into the program that should not be executed. For example, when system() is called, the attacker is able to inject an extra command into system() that executes whatever the want.

What is a buffer overflow, and how can it be used in an exploit?

Reveal Solution

A buffer overflow attack is when an attacker can read/write outside the designated memory region, also called a buffer in memory. If the place it overflows into allows the attacker to write to critical areas, like a command to be executed or the return address of a function, then it can be used to perform an exploit.

Download the following exercise exploit-me-1 as a zip file and unzip it. You should open that directory in a VSCode environment. If you already have Docker Desktop installed, it should also prompt you to open it in a container. Please do so. If you need some review, refer to problem #12 in Worksheet 3.

In here you’ll find the source code (minus the flag) for a program that can be exploited using a path attack, injection attack, and a buffer overflow. Do so and retrieve the flag. Also, come up with as many ways to exploit it as possible.

Reveal Solution

The flag is flag{4242-P@th!-@tT@ck_33}

Consider a three-bit number in 2’s compliment. For all bit arrangements, write out the values in base 10.

Hint: Refer to slide 81.

Reveal Solution
```
000   0   100 -4
001   1   101 -3
010   2   110 -2
011   3   111 -1
```

Still considering the three-bit number in 2’s compliment, what would be 3+2 ? Show the math.

Reveal Solution
```
  011  3
+ 010  2
--------
  101  -3
```

Using the example from above, explain how an integer overflow attack would be possible?

Reveal Solution
When using fixed-width, signed integers, when they get too large, they become negative! So if you have some sort of comparison of two numbers:
```
int a=10;
int b=10;

//user get's to choose some operations on a and b that should, in theory,
//only increase the value of a and b

if( a + b < 10)
  // do something important!
else
  // do normal things
```
Normally, it would be really hard to get a+b to be less than 10, but you could overflow a or b to be a negative number, then it would be easily possible.

Download the following exercise exploit-me-2 as a zip file and unzip it. You should open that directory in a VSCode environment. If you already have Docker Desktop installed, it should also prompt you to open it in a container. Please do so. If you need some review, refer to problem #12 in Worksheet 2.

In here you’ll find the source code (minus the flag) for a program that can be exploited using an integer overflow. Do so and retrieve the flag. Also describe a way to fix this program.

Reveal Solution
```
flag{366-iNt3G3r5iGNc0nV3r5i0N}
```
You check to make sure that after reading the amount that should be withdrawn, that it isn’t negative when cast from a unsigned int to an int