Show page

Differences

This shows you the differences between two versions of the page.

--- cns:labs:lab-12 [2016/12/20 03:28]
irina.presa [4. [2p] Smashthestack level2]
+++ cns:labs:lab-12 [2019/12/08 15:18] (current)
dennis.plosceanu
@@ Line 1: / Line 1: @@
-====== Lab 12 - Integers ======
+====== Extra - Integers ======
 ===== Resources =====
@@ Line 18: / Line 18: @@
 Please download the lab archive an then unpack it using the commands below:
 <code bash>
-student@mjolnir:~$ wget http://elf.cs.pub.ro/oss/res/labs/lab-12.tar.gz
+student@asgard:~$ wget http://elf.cs.pub.ro/oss/res/labs/lab-12.tar.gz
-student@mjolnir:~$ tar xzf lab-12.tar.gz
+student@asgard:~$ tar xzf lab-12.tar.gz
 </code>
 After unpacking we will get the ''lab-12/'' folder that we will use for the lab:
 <code bash>
-student@mjolnir:~$ cd lab-12/
+student@asgard:~$ cd lab-12/
-student@mjolnir:~/lab-12$ ls -F
+student@asgard:~/lab-12$ ls -F
 -overflow/  2-comparison/  3-sts7/  4-sts2/  5-sts2_alt/
 </code>
+===== 0. Feedback =====
+In order to improve the Computer Network Security course, your opinions and suggestions are important to us. The feedback is anonymous and the results will only become visible after the final exam. You will find the link to the feedback form on the main page of the curs.pub.ro instance for your master's program CNS class (either PDCS or SRIC). It's **not** in the meta-course for all students.
 ===== Introduction =====
@@ Line 49: / Line 53: @@
 First take a look at the source code in ''overflow.c''. The program receives two arguments ''num1'' and ''num2'' that are then intepreted to integers using [[http://man7.org/linux/man-pages/man3/atoi.3.html|atoi]]. Use a different terminal tab to try some sample runs of the program:<code>
-student@asgard:~/lab-08/1-overflow$ ./overflow 10 50
+student@asgard:~/lab-12/1-overflow$ ./overflow 10 50
-student@asgard:~/lab-08/1-overflow$ ./overflow 100 200
+student@asgard:~/lab-12/1-overflow$ ./overflow 100 200
 Input number too small.
-student@asgard:~/lab-08/1-overflow$ ./overflow 1500 1500
+student@asgard:~/lab-12/1-overflow$ ./overflow 1500 1500
 Input number too small.
 </code>
@@ Line 62: / Line 66: @@
 That is, you want the same comparison happening on line 22 to be false, but it would be true on line 29, right after ''y'' has been added to ''x''.
-[1p] Find two arguments that result in the ''overflow'' program printing //Oh no, I feel exploited!//.
+**[1p]** Find two arguments that result in the ''overflow'' program printing //Oh no, I feel exploited!//.
 <note tip>
@@ Line 71: / Line 75: @@
 In order for the comparison on line 22 to be false, both ''x'' and ''y'' must be positive numbers. However, after the ''x += y;'' line, one of them turns negative, and it can only be ''x''.
-Think how you can turn a signed positive integer to a signed negative one by adding another positive integer. It's about an integer overflow.
+Think how you can turn a signed positive integer to a signed negative one by adding another positive integer. Think, //integer overflow//.
 </note>
 Your second task is to fix the program. Make sure that whatever input you feed to it, there won't be a situation where a signed positive integer turns into a negative integer simply by adding another positive integer to it. Any solution is OK as long as the program behaves correctly.
-[1.5p] Update the ''overflow.c'' file accordigly, and then recompile it using<code>
+**[1.5p]** Update the ''overflow.c'' file accordigly, and then recompile it using<code>
-student@asgard:~/lab-08/1-overflow$ make
+student@asgard:~/lab-12/1-overflow$ make
 </code>
 Then feed it different arguments and prove that now it behaves correctly.
@@ Line 86: / Line 90: @@
 ===== 2. [2.5p] Signed/unsigned comparison =====
-For our first task, let's investigate how comparison between signed and unsigned values results in unwelcomed program behavior.
+For our second task, let's investigate how comparison between signed and unsigned values results in unwelcomed program behavior.
 Please access the ''2-comparison/'' subfolder in the lab archive. It consists of three files: a ''Makefile'', a C source code file dubbed ''comparison.c'' and the resulting executable (ELF) file on a 32-bit system ''comparison''.
 First take a look at the source code in ''comparison.c''. The program receives an argument ''x1'' that is then intepreted as an integer using [[http://man7.org/linux/man-pages/man3/atoi.3.html|atoi]]. Use a different terminal tab to try some sample runs of the program:<code>
-student@asgard:~/lab-08/2-comparison$ ./comparison 10
+student@asgard:~/lab-12/2-comparison$ ./comparison 10
 x0000000a
-student@asgard:~/lab-08/2-comparison$ ./comparison 100
+student@asgard:~/lab-12/2-comparison$ ./comparison 100
 x00000064
-student@asgard:~/lab-08/2-comparison$ ./comparison 1000
+student@asgard:~/lab-12/2-comparison$ ./comparison 1000
 x000003e8
-student@asgard:~/lab-08/2-comparison$ ./comparison -10
+student@asgard:~/lab-12/2-comparison$ ./comparison -10
 xfffffff6
-student@asgard:~/lab-08/2-comparison$ ./comparison -100
+student@asgard:~/lab-12/2-comparison$ ./comparison -100
 xffffff9c
-student@asgard:~/lab-08/2-comparison$ ./comparison -1000
+student@asgard:~/lab-12/2-comparison$ ./comparison -1000
 xfffffc18
 </code>
@@ Line 111: / Line 115: @@
 The hexadecimal representation of ''x2'' may be shown using a Python script:<code>
-student@asgard:~/lab-08/2-comparison$ python -c 'print hex(2147483649)'
+student@asgard:~/lab-12/2-comparison$ python -c 'print hex(2147483649)'
 x80000001
 </code>
 </note>
-[1p] Using this, provide the proper argument to the program such that the program will find the condition on line 16 to be true and print the message on line ''17'': //That looks quite odd, doesn't it?//.
+**[1p]** Using this, provide the proper argument to the program such that the program will find the condition on line 16 to be true and print the message on line ''17'': //That looks quite odd, doesn't it?//.
 <note tip>
@@ Line 122: / Line 126: @@
 </note>
-[1.5p] Now, let's fix this. **Without** changing the data types of ''x1'' and ''x2'' (''x1'' is ''int'' and ''x2'' is ''unsigned int''), make sure the program behaves correctly, i.e. it will print out the message on line ''17'' whenever ''x1'' is less than ''x2''. The program semantics have to be the same.
+**[1.5p]** Now, let's fix this. **Without** changing the data types of ''x1'' and ''x2'' (''x1'' is ''int'' and ''x2'' is ''unsigned int''), make sure the program behaves correctly, i.e. it will print out the message on line ''17'' whenever ''x1'' is less than ''x2''. The program semantics have to be the same.
 <note tip>
 There are multiple ways to achieve this. Choose any that results in the program behaving correcty, that is, getting the following output:<code>
-student@asgard:~/lab-08/2-comparison$ ./comparison -10
+student@asgard:~/lab-12/2-comparison$ ./comparison -10
 xfffffff6
 That looks quite odd, doesn't it?
-student@asgard:~/lab-08/2-comparison$ ./comparison -100
+student@asgard:~/lab-12/2-comparison$ ./comparison -100
 xffffff9c
 That looks quite odd, doesn't it?
-student@asgard:~/lab-08/2-comparison$ ./comparison -1000
+student@asgard:~/lab-12/2-comparison$ ./comparison -1000
 xfffffc18
 That looks quite odd, doesn't it?
@@ Line 170: / Line 174: @@
 </code>
-It seems that we're lucky, since the compiler will automatically convert ''int'' to ''size_t'' by **discarding** the sign bit. At the same time, we notice that the program doesn't check for negative values. The following short program adds a sign bit to the number 42 and prints it in hexadecimal and signed decimal:
+It seems that we're lucky, since the compiler will implicitly cast ''int'' to ''size_t'' and our value **is multiplied** by ''sizeof(int)'', which may result in an **overflow**. At the same time, we notice that the program doesn't check for negative values. The following short program adds a sign bit to the number 42 and prints it in hexadecimal and signed decimal:
 <code C>
@@ Line 232: / Line 236: @@
 Using the info from the previous sections, we can pass a negative number that encodes a malformed size (''size | sign bit'') and overflow the buffer into ''count'' and write the value ''0x574f4c46'' into it.
-  - [3p] Obtain a shell using ''level07''
+  - **[3p]** Obtain a shell using ''level07''
 ===== 4. [2p] Smashthestack level2 =====
@@ Line 256: / Line 260: @@
 //Hint//: this is more or less an architecture-dependent quirk. Take a second look on [[http://en.wikibooks.org/wiki/X86_Assembly/X86_Architecture#Two.27s_Complement_Representation|two's complement]] representation on x86 and a good look on how the [[http://www.felixcloutier.com/x86/DIV.html|x86 DIV instruction]] is specified. It's tricky, but not difficult!
-  - [2p] Obtain a shell using ''level02''.
+  - **[2p]** Obtain a shell using ''level02''.
 ===== 5. [BONUS - 2p] Smashthestack level2_alt =====
@@ Line 270: / Line 274: @@
 then it's ok to recompile the program to run ''execve'' without passing ''-p''.
-  -[2p] **Bonus**: Obtain a shell using ''level02_alt''.
+  -**[2p] Bonus**: Obtain a shell using ''level02_alt''.

Resources

Labs

Lectures

Assignments

Extra

cns/labs/lab-12.1482197297.txt.gz · Last modified: 2016/12/20 03:28 by irina.presa

Show page Old revisions

Media Manager Back to top