IC221: Systems Programming (SP18)


Home Policy Calendar Units Assignments Resources

Lab 10: O.S. Security

Table of Contents

Preliminaries

Lab Setup

Run the following command

~aviv/bin/ic221-up

Change into the lab directory

cd ~/ic221/lab/11

All the material you need to complete the lab can be found in the lab directory. All material you will submit, you should place within the lab directory. Throughout this lab, we refer to the lab directory, which you should interpret as the above path.

Submission Folder

For this lab, all ubmission should be placed in the following folder:

~/ic221/lab/10

README

In the top level of the lab directory, you will find a README file. You must fill out the README file with your name and alpha. Please include a short summary of each of the tasks and any other information you want to provide to the instructor.

Test Script

You are provided a test script which prints pass/fail information for a set of tests for your programs. Note that passing all the tests does not mean you will receive a perfect score: other tests will be performed on your submission. To run the test script, execute test.sh from the lab directory.

./test.sh

You can comment out individual tests while working on different parts of the lab. Open up the test script and place comments at the bottom where appropriate.

PART 1: Logger (70 points)

In this part of the lab you will be required to complete two programs that implement a simple logging utility that is set-user-id. The concept is that any user can run this utility and write to a log file in your home directory, and anyone can also read the last n entries in the log file. But, only you have access to read or write from the log file. To do this, you will use set-user-id of the programs. You will also need to be able to properly seek within the log file.

File Seeking

File seeking is the process of moving the read/write head of the file to different positions. For example, moving to the end of the file, or somewhere in the middle, or etc. There are two primary functions used for File streams (note this is not :

  • long ftell(FILE * stream) return how far into the file f the

read/write head is currently

  • int fseek(FILE *stream, long offset, int whence) shift the stream to the given offset relative to whence

There are also three values for whence:

  • SEEK_SET : the start of the file
  • SEEK_CUR : the current read head
  • SEEK_END : the end of the file

For example, to set the read head 4 bytes from the start of the file, we would use the following seek:

FILE * stream = fopen("somefile.txt", "r");

fseek(stream, 4, SEEK_SET); //move the read head foreard 4 bytes from
                            //the start of the file

A positive offset moves the read head forward in the file, while a negative offset moves the read head towards the beginning of the file. For example, to set a stream 4 bytes from the end of the file, we can seek negative from the end:

FILE * stream = fopen("somefile.txt", "r");

fseek(stream, -4, SEEK_END); //move the read head 4 bytes from the end
                             //of the file

Change into the logger directory where you will find two programs you must complete, write-log.c and read-log.c. Theses programs will manipulate a log file to be located in your home directory named:

/home/mids/m19XXXX/ic221-lab11-log.txt

Your first task is to complete the write-log.c program which will log a message to the log file and record which user wrote the message. The log file can also be cleared, a protected function. To clear the logfile, the effective and real user id must be your user id. You're are required:

  • Complete the program and set the user id appropriately so other users can log to your file
  • Only you, i.e., your user id, can execute CLEAR
  • Only you, i.e., your user id, can read the log file without have to call read-log

The second task is to complete the read-log.c program which will report the last n log entries. To do this, the program again must be set-user-id, and you must also be able to seek backwards in the file searching for newlines.

  • Complete the program and set the user id appropriately so other users can read the last log entries

To test your program, I have created a special user account and two programs that will simulate running your program as a different user id.

  • ~m199999/lab-10-test/test-write-log : executes your version of write-log as the m199999 user
  • ~m199999/lab-10-test/test-read-log : executes your version read-log as the m199999 user

Here is some sample output simulated using the m179998 user and the m159998 user test program:

m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 
m179998@saddleback:~/ic221/labs/11/logger$ ./write-log "user m179998 can write to his/her own log file"
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 
[Mon Apr  6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-write-log "user m199999 can *also* write to m179998's log file"
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 
[Mon Apr  6 17:14:14 2015] (35013) user m199999 can *also* write to m179998's log file
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 2
[Mon Apr  6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr  6 17:14:14 2015] (35013) user m199999 can *also* write to m179998's log file
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 3
[Mon Apr  6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr  6 17:14:14 2015] (35013) user m199999 can *also* write to m179998's log file
[Mon Apr  6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-read-log
[Mon Apr  6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-read-log 1
[Mon Apr  6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-read-log 2
[Mon Apr  6 17:14:14 2015] (35013) user m199999 can *also* write to m179998's log file
[Mon Apr  6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-read-log 3
[Mon Apr  6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr  6 17:14:14 2015] (35013) user m199999 can *also* write to m179998's log file
[Mon Apr  6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m199999/lab-11-test/test-write-log CLEAR
ERROR: Unauthorized user attempting to clearing the log file
m179998@saddleback:~/ic221/labs/11/logger$ ./write-log CLEAR
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 
m179998@saddleback:~/ic221/labs/11/logger$

It might be helpful to work with a partner to test your logging functionality across accounts, but be sure you don't violate the honor policy for this class.

PART 2: hackme (30+ points)

In this part of the lab you will work to hack four programs that have the set-group bit set. Once you hack them, you can potentially reveal a secret message. You earn 10 points for each secret message you reveal, up to 40 points, a 10 point bonus!

There are three tools that will greatly benefit your investigation:

  • strings : will print all strings found in an executable file, useful for determining what commands might be run
  • strace : will print all system calls made of an executable and their arguments.
  • ltrace : will print out all the library functions used (such as system()!)

I will leave it to you to figure this out, but to ease some of the work, the source code for the programs have been provided.

Change into the secret directory which contains a single file called secret. You will find four sub-directories: hackme-1 hackme-2 hackme-3 and hackme-4. In those directory, there is a source file (or two) and a file called secret. Your task is to fill the secret files with the secret message associated with each of the hacks.

A compiled version of each of the vulnerable programs is set-group bit version and installed at the following locations:

  • ~aviv/lab-10-secret/hackme-1/uwc
  • ~aviv/lab-10-secret/hackme-2/revtac
  • ~aviv/lab-10-secret/hackme-3/hasher
  • ~aviv/lab-10-secret/hackme-4/revtac2

In each of the hackme directories in tose locations, there is a secret file.

  • ~aviv/lab-10-secret/hackme-1/secret
  • ~aviv/lab-10-secret/hackme-2/secret
  • ~aviv/lab-10-secret/hackme-3/secret
  • ~aviv/lab-10-secret/hackme-4/secret

Your task is to hack the program with the right attack to reveal its associated secret file. Once you've identified the secret message, save it to the right sub-directory under secret in your ic221 lab directory.

For example, if done right, you can perform some hack such that

~aviv/lab-10-secret/hackme-1/uwc hackinputsomewhere > ~/ic221/lab/11/hacmke-1/secret

BONUS There may be more than one attack per program. Identify additional attacks in your README for a 2 point bonus per attack per program that it attacks.