
Tutorial 1 - Solution

The document discusses buffer overflow attacks and provides examples of programs vulnerable to such attacks. Tutorial questions are included about malware, trusted computing base, consequences of buffer overflow, and leveraging vulnerabilities to execute code. Students are asked to analyze programs and find ways to exploit buffer overflows to bypass authentication or generate random numbers.

Uploaded by

Agus

SC3010

Computer Security

Tutorial 1: Introduction & Buffer Overflow

Tianwei Zhang
Q1. Circle the correct answers in the following questions
1. Which of the following statement(s) is/are true about malware?
(i) Worms try to propagate to different computers without user intervention.
(ii) Viruses try to propagate to different computers without user intervention.
(iii) Rootkits aim to obtain root privileges to compromise the victim computer.
(iv) Trojans aim to allow a remote party to gain access to the victim computer.

A. (i) and (iii)
B. (i) and (iv)
C. (ii) and (iii)
D. (ii) and (iv)

2. Which of the following statements is false?
A. Security cannot be established in a computer system without trusting any components.
B. A threat model should clearly define the TCB, adversary's capabilities and security properties to be achieved.
C. The three security strategies to protect a system are detection, mitigation, and reaction.
D. Defense in depth can increase the difficulty of attacking the entire system, but also the cost and complexity of implementing the system.

3. Which of the following statements are true about the Trusted Computing Base (TCB)?
(i) We need to assume all components in the TCB are secure.
(ii) We need to introduce security solutions to protect all components in the TCB.
(iii) It is easier to design a system with a smaller TCB.
(iv) It is more secure to design a system with a smaller TCB.

A. (i) and (iii)
B. (i) and (iv)
C. (ii) and (iii)
D. (ii) and (iv)

Q2. Answer the following questions
1. What do vulnerability, exploit, and payload refer to?

Vulnerability: the weakness of a program that reduces its information assurance

Exploit: the technique the attacker takes to compromise the target system

Payload: the code the attacker wants the system to run.

2. What could be the potential consequences of a buffer overflow attack?

• Corrupt the data
• Control flow hijacking
• System crash
• ……

3. What are the steps to utilize a buffer overflow vulnerability to execute shellcode?

1. Convert the shellcode from C to assembly code, and then binary
2. Store the binary code in a buffer, which is allocated on the victim stack
3. Use the buffer overflow vulnerability to overwrite the return address with the address of the binary shellcode.

Q3. Threat Model
Home Depot, the world's largest home improvement retailer, was hacked from April to
September 2014. The attacker used a third-party vendor's username and password to
enter Home Depot's internal network and launched malware programs on a
number of self-checkout registers in the U.S. and Canada. This attack lasted for about four
months before being detected. About 56 million payment cards and 53 million e-mail
addresses were stolen by the attacker. Write a threat model that would cover the Home
Depot attack.

In the Home Depot attack,

• What are trusted and not trusted: the entire Home Depot computer system, including
the software and hardware, is trusted. However, the third-party vendor, which leaks
the credentials to the attacker, is not trusted.
• Adversarial capabilities: the attacker can launch malware programs on the registers,
and collect the payment card data from the customers.
• Security properties: we consider confidentiality: protecting the system from leaking
sensitive information.

Q4. Program Analysis
The following program is designed to generate a random number. It takes a password as
input, but always fails to generate a random number. Luckily, this program is vulnerable to
a buffer overflow attack. Our goal is to leverage this advantage to generate a random
number. Please figure out a password that can achieve this.
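#include <stdio.h>
#include <stdlib.h>

/* Deliberately vulnerable. gets() was removed from the C standard in C11. */
char CheckPassword() {
    char good = 'N';
    char Password[100];
    gets(Password);   /* unbounded read into a 100-byte stack buffer */

    return good;
}

int main(int argc, char* argv[]) {
    printf("Enter your password:");
    if (CheckPassword() == 'Y')
        printf("Your random number is %d\n", rand() % 100);
    else {
        printf("You don't have the permission to get a random number");
        exit(-1);
    }
    return 0;
}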

Q4. Solution
gets: can lead to a buffer overflow.
• Provide an input with size of 101, and end with 'Y' to overwrite good.

#include <stdio.h>
#include <stdlib.h>

char CheckPassword() {
    char good = 'N';
    char Password[100];
    gets(Password);   /* buffer overflow */

    return good;
}

int main(int argc, char* argv[]) {
    printf("Enter your password:");
    if (CheckPassword() == 'Y')
        printf("Your random number is %d\n", rand() % 100);
    else {
        printf("You don't have the permission to get a random number");
        exit(-1);
    }
    return 0;
}

Q5. Program Analysis
A developer writes the following program for user authentication for his system.
However, this program is vulnerable to buffer overflow attacks. Please give some
examples of malicious input that an attacker can use to bypass the authentication.

#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: strcpy() copies pwd without checking its length. */
int check_authentication(char *pwd) {
    int auth_flag = 0;
    char Password[] = "qwertyu";
    char buffer[8];

    strcpy(buffer, pwd);
    if (strncmp(buffer, Password, 8) == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(int argc, char* argv[]) {
    if (check_authentication(argv[1]))
        printf("Access Granted\n");
    else {
        printf("Access Denied\n");
    }
    return 0;
}

Q5. Solution
The attacker can leverage the strcpy to overflow the stack and bypass the authentication
• Overwrite the Password: pwd = "abcdefgh" + "abcdefgh"
• Overwrite the auth_flag: pwd = "xxxxxxxx" + "xxxxxxxx" + "abcd" -> the corresponding integer is 0x61626364
Stack layout shown on the slide (top to bottom): auth_flag, Password, buffer

#include <stdio.h>
#include <string.h>

int check_authentication(char *pwd) {
    int auth_flag = 0;
    char Password[] = "qwertyu";
    char buffer[8];

    strcpy(buffer, pwd);   /* buffer overflow */
    if (strncmp(buffer, Password, 8) == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(int argc, char* argv[]) {
    if (check_authentication(argv[1]))
        printf("Access Granted\n");
    else {
        printf("Access Denied\n");
    }
    return 0;
}
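
A hardened counterpart to the Q4 and Q5 programs, added here as an example and not part of the original tutorial: a bounded line reader replaces gets, and the password is compared in place instead of being copied with strcpy. The names read_line_bounded and check_authentication_hardened, and the combined main, are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define PASSWORD "qwertyu"  /* password literal from Q5 */

/* Q4 fix: bounded replacement for gets(). Returns 1 with a NUL-terminated line
 * (newline stripped) if the line fits in buf, 0 on EOF/error or over-long input. */
int read_line_bounded(FILE *in, char *buf, size_t size) {
    if (size < 2 || fgets(buf, (int)size, in) == NULL)
        return 0;
    size_t n = strcspn(buf, "\n");
    if (buf[n] != '\n') {                  /* no newline seen: line may be longer */
        int c = fgetc(in);
        int too_long = (c != EOF && c != '\n');
        while (c != EOF && c != '\n')      /* discard the rest of the line */
            c = fgetc(in);
        if (too_long)
            return 0;
    }
    buf[n] = '\0';
    return 1;
}

/* Q5 fix: no strcpy() into a fixed stack buffer. The input is length-checked
 * and compared in place, so neither Password nor auth_flag can be overwritten. */
int check_authentication_hardened(const char *pwd) {
    const size_t want = sizeof(PASSWORD) - 1;
    unsigned char diff = 0;
    if (pwd == NULL)                       /* argv[1] is NULL with no argument */
        return 0;
    for (size_t i = 0; i < want; i++) {
        if (pwd[i] == '\0')
            return 0;                      /* shorter than the password */
        diff |= (unsigned char)(pwd[i] ^ PASSWORD[i]);
    }
    return pwd[want] == '\0' && diff == 0; /* exact length, all bytes equal */
}

int main(int argc, char *argv[]) {         /* constructed demo driver */
    char line[100];
    const char *pwd = argc > 1 ? argv[1] : NULL;        /* Q5 path: argv */
    if (pwd == NULL && read_line_bounded(stdin, line, sizeof line))
        pwd = line;                                     /* Q4 path: stdin */
    puts(check_authentication_hardened(pwd) ? "Access Granted" : "Access Denied");
    return 0;
}
```

Both inputs from the Q5 solution and the 101-byte input from the Q4 solution are rejected by these functions; only the exact password is accepted.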