Lab 11: OS Security
1 Preliminaries
1.1 Lab Setup
Run the following command
~aviv/bin/ic221-up
Change into the lab directory
cd ~/ic221/lab/11
All the material you need to complete the lab can be found in the lab directory. All material you will submit, you should place within the lab directory. Throughout this lab, we refer to the lab directory, which you should interpret as the above path.
1.2 Submission Folder
For this lab, all submissions should be placed in the following folder:
~/ic221/lab/11
1.3 Compiling your programs with clang and make
You are not required to provide your own Makefiles for this lab.
1.4 README
In the top level of the lab directory, you will find a README
file. You must fill out the README file with your name and alpha.
Please include a short summary of each of the tasks and any other
information you want to provide to the instructor.
1.5 Test Script
You are provided a test script which prints pass/fail information
for a set of tests for your programs. Note that passing all the
tests does not mean you will receive a perfect score: other tests
will be performed on your submission. To run the test script,
execute test.sh
from the lab directory.
./test.sh
You can comment out individual tests while working on different parts of the lab. Open up the test script and place comments at the bottom where appropriate.
2 PART 1: Logger (70 points)
In this part of the lab you will be required to complete two programs that implement a simple logging utility that is set-user-id. The concept is that any user can run this utility and write to a log file in your home directory, and anyone can also read the last n entries in the log file. But, only you have access to read or write from the log file. To do this, you will use set-user-id of the programs. You will also need to be able to properly seek within the log file.
2.1 File Seeking
File seeking is the process of moving the read/write head of the file to different positions, for example to the end of the file or somewhere in the middle. There are two primary functions used for file streams:
- long ftell(FILE * stream): return how far into the file the read/write head is currently
- int fseek(FILE *stream, long offset, int whence): shift the stream to the given offset relative to whence
There are also three values for whence:
- SEEK_SET: the start of the file
- SEEK_CUR: the current read head
- SEEK_END: the end of the file
For example, to set the read head 4 bytes from the start of the file, we would use the following seek:
fseek(stream, 4, SEEK_SET);
A positive offset moves the read head forward in the file, while a negative offset moves the read head towards the beginning of the file. For example, to set a stream 4 bytes from the end of the file, we can seek negative from the end:
fseek(stream, -4, SEEK_END);
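The following is an added example, not part of the original lab code, showing ftell and all three whence values together, including the case where a negative seek would land before the start of the file. The function names read_tail and peek_back and the sample log text are constructed for illustration.

```c
#include <stdio.h>

/* Read the last k bytes of stream into buf as a NUL-terminated string.
   buf must hold k + 1 bytes. Returns the byte count read, or -1 on error. */
long read_tail(FILE *stream, long k, char *buf)
{
    if (k < 0 || fseek(stream, 0, SEEK_END) != 0)
        return -1;
    long size = ftell(stream);  /* head is at the end, so this is the file size */
    if (size < 0)
        return -1;
    if (k > size)               /* seeking before the start fails, so clamp */
        k = size;
    if (fseek(stream, -k, SEEK_END) != 0)
        return -1;
    size_t n = fread(buf, 1, (size_t)k, stream);
    buf[n] = '\0';
    return (long)n;
}

/* Return the byte `back` positions behind the current head (back >= 1) and
   leave the head where it was; -1 if that is before the start of the file. */
int peek_back(FILE *stream, long back)
{
    long here = ftell(stream);              /* remember the current position */
    if (here < 0 || back < 1 || back > here)
        return -1;
    if (fseek(stream, -back, SEEK_CUR) != 0)
        return -1;
    int c = fgetc(stream);
    if (fseek(stream, here, SEEK_SET) != 0) /* restore the saved position */
        return -1;
    return c;
}

int main(void)
{
    char buf[64];
    FILE *f = tmpfile();                    /* constructed sample log */
    if (f == NULL)
        return 1;
    fputs("first entry\nsecond entry\n", f);
    long n = read_tail(f, 6, buf);
    printf("last %ld bytes: %s", n, buf);
    printf("byte before head: %d\n", peek_back(f, 1));
    fclose(f);
    return 0;
}
```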
Change into the logger directory where you will find two programs
you must complete, write-log.c and read-log.c. These programs
will manipulate a log file to be located in your home directory
named:
/home/mids/m17XXXX/ic221-lab11-log.txt
Your first task is to complete the write-log.c program which will
log a message to the log file and record which user wrote the
message. The log file can also be cleared, a protected function. To
clear the logfile, the effective and real user id must be your user
id. You are required to ensure the following:
- Complete the program and set the user id appropriately so other users can log to your file
- Only you, i.e., your user id, can execute CLEAR
- Only you, i.e., your user id, can read the log file without having to call read-log
The second task is to complete the read-log.c
program which will
report the last n log entries. To do this, the program again must
be set-user-id, and you must also be able to seek backwards in the
file searching for newlines.
- Complete the program and set the user id appropriately so other users can read the last log entries
To test your program, I have created a special user account and two programs that will simulate running your program as a different user id.
- ~m159998/lab-11-test/test-write-log: executes your version of write-log as the m159998 user
- ~m159998/lab-11-test/test-read-log: executes your version of read-log as the m159998 user
Here is some sample output simulated using the m179998 user and the m159998 user test program:
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log
m179998@saddleback:~/ic221/labs/11/logger$ ./write-log "user m179998 can write to his/her own log file"
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log
[Mon Apr 6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-write-log "user m159998 can *also* write to m179998's log file"
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log
[Mon Apr 6 17:14:14 2015] (35013) user m159998 can *also* write to m179998's log file
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 2
[Mon Apr 6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr 6 17:14:14 2015] (35013) user m159998 can *also* write to m179998's log file
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log 3
[Mon Apr 6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr 6 17:14:14 2015] (35013) user m159998 can *also* write to m179998's log file
[Mon Apr 6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-read-log
[Mon Apr 6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-read-log 1
[Mon Apr 6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-read-log 2
[Mon Apr 6 17:14:14 2015] (35013) user m159998 can *also* write to m179998's log file
[Mon Apr 6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-read-log 3
[Mon Apr 6 17:13:55 2015] (179998) user m179998 can write to his/her own log file
[Mon Apr 6 17:14:14 2015] (35013) user m159998 can *also* write to m179998's log file
[Mon Apr 6 17:14:43 2015] (35001) so can user aviv
m179998@saddleback:~/ic221/labs/11/logger$ ~m159998/lab-11-test/test-write-log CLEAR
ERROR: Unauthorized user attempting to clearing the log file
m179998@saddleback:~/ic221/labs/11/logger$ ./write-log CLEAR
m179998@saddleback:~/ic221/labs/11/logger$ ./read-log
m179998@saddleback:~/ic221/labs/11/logger$
It might be helpful to work with a partner to test your logging functionality across accounts, but be sure you don't violate the honor policy for this class.
3 PART 2: hackme (30+ points)
In this part of the lab you will work to hack four programs that have the set-group bit set. Once you hack them, you can potentially reveal a secret message. You earn 10 points for each secret message you reveal, up to 40 points, a 10 point bonus!
There are three tools that will greatly benefit your investigation:
- strings: will print all strings found in an executable file, useful for determining what commands might be run
- strace: will print all system calls made by an executable and their arguments
- ltrace: will print out all the library functions used (such as system()!)
I will leave it to you to figure this out, but to ease some of the work, the source code for the programs has been provided.
Change into the secret directory which contains a single file called
secret. You will find four sub-directories: hackme-1, hackme-2,
hackme-3, and hackme-4. In each of those directories, there is a source file
(or two) and a file called secret. Your task is to fill the secret
files with the secret message associated with each of the hacks.
A compiled version of each of the vulnerable programs, with the set-group bit set, is installed at the following locations:
~aviv/lab-11-secret/hackme-1/uwc
~aviv/lab-11-secret/hackme-2/revtac
~aviv/lab-11-secret/hackme-3/hasher
~aviv/lab-11-secret/hackme-4/revtac2
In each of the hackme directories in those locations, there is a
secret file.
~aviv/lab-11-secret/hackme-1/secret
~aviv/lab-11-secret/hackme-2/secret
~aviv/lab-11-secret/hackme-3/secret
~aviv/lab-11-secret/hackme-4/secret
Your task is to hack the program with the right attack to reveal its
associated secret file. Once you've identified the secret message,
save it to the right sub-directory under secret
in your ic221
lab directory.
For example, if done right, you can perform some hack such that
~aviv/lab-11-secret/hackme-1/uwc hackinputsomewhere > ~/ic221/lab/11/hackme-1/secret
BONUS There may be more than one attack per program. Identify additional attacks in your README for a 2 point bonus per attack per program that it attacks.