Computer Security Tutorial
Instructors
- Prof. Dr.-Ing. Volker Roth
- Jan-Ole Malchow
Description
This page describes the tutorial and homework assignments by
tutorial and due date.
Time and Location
Tutorials:
- Mondays, 16h - 18h, T9/005 (starting April 18th)
- Thursdays, 10h - 12h, T9/005 (starting April 21th)
Grading
Active participation requires successful completion of homework
assignments and projects and is graded on a pass / no pass basis. At
least 50% of the cumulative score is required to pass.
Useful links
Assignments
Tutorial 1, Monday April 18
Assignment:
- Set up a dev environment with a C compiler and debugger.
- Write a program that implements and invokes a simple function.
- Extend the program so that it dumps the function code to the terminal in hex.
- Extend the program so that it copies the function to memory and executes it there.
- Comment your program and print it out on 1-2 pages
Due date: April 28th, 2011; hand in your printout at the beginning of the lecture.
Tutorial 2, Monday April 25
Topics: (Note that there will be no tutorial on Easter Monday)
- Hand-out and discussion of the first assignment
Tutorial 3, Monday May 02
Assignment:
- Download one of the binaries linked below.
- Reverse engineer the binary with a debugger e.g., gdb.
- Submit a detailed explanation what the program does and how.
- Submitting a print-out of the commented assembler code might be a good idea.
- Find the input for which the binary produces the output linked below.
Binaries and challenge output:
You may find the following link useful:
Note that no decompilers are allowed, you need to look at the assembler
code. If you take a shortcut then you may fail some test down the road.
Due date: May 12th, 2011; hand in your solutions at the beginning of the lecture.
Tutorial 4, Monday May 09
No new assignment today.
Tutorial 5, Monday May 16
Assignment:
Due date: June 7th, 2011; hand in your print out at the beginning of the lecture.
Tutorial 10, Monday June 20
Assignment: Develop a working exploit for a buffer overflow vulnerability
for a given vulnerable program. The exploit shall consist of two parts:
- Write a NULL-byte free unpacker that unpacks concatenated shellcode.
- Write a shellcode that runs /bin/sh via a call to execve.
- Write the unpacker and shellcode in GNU assembler.
- Both programs shall be position independent.
- Adjust the builder program provided further below as needed.
- Build and test the exploit
The goal of the unpacker is to mask any NULL bytes in the shellcode that
would otherwise cut off the exploit and prevent overflowing the target
buffer.
In order to test this, you need to configure your system and your linker
in a way that makes the victim vulnerable. Specifically, you need to
disable:
- Stack canaries
- Substitution of safe alternatives to vulnerable functions such as strcpy.
- Address space layout randomization
Recommendations:
- Use a Linux distro e.g., Ubuntu 32-bit.
- Install it on a virtual machine e.g., using VirtualBox
Switch off ASLR:
- echo 0 > /proc/sys/kernel/randomize_va_space
Useful compiler and linker options, and hints:
- -fno-stack-protector
- -D_FORTIFY_SOURCE=0
- -z execstack
- GNU assembler relative jumps can be forced e.g., by jmp .+8
- GNU assembler register jumps are written as jmp *%ebx
- Keep you unpacker and shellcode simple and compact.
Helpful programs:
Documentation you must turn in by the due date:
- Printouts of your unpacker and shellcode assembler code.
- The calling parameters and stderr output of stack_builder.
- An explanation of how and why the exploit works.
Due date: July 7th, 2011; hand in your print out at the beginning of the lecture.