[Skip Navigation] [CSUSB] / [CNS] / [CSE] / [R J Botting] / [CSci202] / lab03
[Text Version] [Syllabus] [Schedule] [Glossary] [Resources] [Grading] [Contact] [Question] [Search ]
Notes: [01] [02] [03] [04] [05] [06] [07] [08] [09] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20]
Labs: [01] [02] [03] [04] [05] [06] [07] [08] [09] [10]
Tue May 31 15:32:13 PDT 2011

Contents


    CSci202 Laboratory 03 Pointers and Information Security


      (previous): Diagrams [ lab02.html ]

      Goals

      1. To have experimented with a dangerous misuse of arrays.
      2. To know what the buffer overrun attack is.
      3. To know how to write C++ code that is not exposed to buffer overrun attacks.

      Ideal Procedure

      1. Download (shift&click) the following awful example. [ lab02bad.cpp ]
        1. It is designed as an example of a bad log-in program.
        2. It uses char* arrays to hold character strings and the old "str*" library to manipulate them. Each string has an extra '\0' char at the end.
          Net
          1. #include <cstring> // defines the "str*" functions.
          2. authenticated= ! strncmp(pwd,passwd,7); // CoMPares upto 7 charcaters of pwd and passwd and sets authenticated to true if they are equal.
          3. if(!strcmp(name,"botting")) // compares the characters in name with those in "botting" and does not keep count. It tries pairs of characters until one is different or '\0'. The condition succeeds if the strings are equal.
          4. strcpy(pwd, "123456"); // Copies "123456" into pwd -- this copies 6 characters and a null '\0' even if pwd has room for 2 character:-(

          (End of Net)

        3. It has many faults and we will remove some of these in our laboratories.
        4. This is how it works when compiled and run:
          1. First it outputs the addresses of the three character arrays used in the program: "name", "pwd", and "passwd".
          2. Then it enters a loop until a log-in is authenticated:
            1. It asks for a name ("botting" for example) using a function "get".
            2. It looks up the password for the name ("botting" has "123456") using function get_password.
            3. It asks for a password.
            4. It tests to see if the two passwords match.
            5. If they don't match it outputs a message and repeats from step 1 above.

          3. If the two passwords match it "Welcomes" the user.


      2. Make it compile it into "lab02bad" and test it. It should work as described.
      3. Unfortunately it falls to a simple buffer over run attack.
      4. Run it with name 'botting' and try passwords 'x', 'xx', 'xxxx', 'xxxxxx', and so on.... what happens with each? Any unexpected logins?

      5. When you can explain to me what is going on (hint: draw a picture!) you've earned a 'D' for the lab.

      6. Please preserve a copy of the compiled code "lab02bad" ready for a future lab.

      7. Your task is to fix the buffer overrun. Where is the problem?
         		cin>>input;
        in function
         		void get(char * askfor, int numchars, char * input)
      8. Here are two ways to attempt to fix the problem that are fairly easy and one that is challenging (I've tried all three).
        1. The quick fix: input the user data into a 'string' variable. Then use the 'string' functions to extract a substring that fits in the given 7 character buffer. This relies on the C++ Standard Library [ string.html ] not having a buffer overrun in its place. So, I'll offer a max of a B in the lab for this solution.
        2. Use a character by character loop: Have a single
           		char c;
          and put the user data into it one character at a time using
           		cin.get(c);
          until the buffer(input) is full or the user taps enter ('\n'). Then add the terminating ('\0') and discard the rest of the data by using cin.get(c) and not doing anything with c! Get this working and you've got an A.
        3. The challenge of getline: Here you use
           		cin.getline(input, numchars+1, '\n');
          to fill the buffer. You then need to use
           		cin.fail()
          to see if there are any characters to discard and
           		cin.clear()
          to clear the fail flag. After clearing the fail flag then you can use cin.get(...) to discard the rest of the line. Get this working and you've got an A.

      9. Pick the strategy closest to your taste, and may the source be with you, as you patch the code.
      10. Show me when you are happy that it fights off the attackers, or when we are out of time.

      Deliverables

      Show me an example of a buffer over run resisted.

      Deadline

      Before the end of the laboratory period.

      If you have time to spare

      1. Work on your next project.
      2. Study this [ sins-of-software-security.html ] web page.

      Hints

      Do not fix the many other faults with this code. We will get to them later.

      I will publish my solutions in the next lab.

    . . . . . . . . . ( end of section CSci202 Laboratory 03 Pointers and Information Security) <<Contents | End>>

    Glossary

  1. accessor::=`A Function that accesses information in an object with out changing the object in any visible way". In C++ this is called a "const function". In the UML it is called a query.
  2. Algorithm::=A precise description of a series of steps to attain a goal, [ Algorithm ] (Wikipedia).
  3. class::="A description of a set of similar objects that have similar data plus the functions needed to manipulate the data".
  4. constructor::="A Function in a class that creates new objects in the class".
  5. Data_Structure::=A small data base.
  6. destructor::=`A Function that is called when an object is destroyed".
  7. Function::programming=A selfcontained and named piece of program that knows how to do something.
  8. Gnu::="Gnu's Not Unix", a long running open source project that supplies a very popular and free C++ compiler.
  9. mutator::="A Function that changes an object".
  10. object::="A little bit of knowledge -- some data and some know how". An object is instance of a class.
  11. objects::=plural of object.
  12. OOP::="Object-Oriented Programming", Current paradigm for programming.
  13. Semantics::=Rules determining the meaning of correct statements in a language.
  14. SP::="Structured Programming", a previous paradigm for programming.
  15. STL::="The standard C++ library of classes and functions" -- also called the "Standard Template Library" because many of the classes and functions will work with any kind of data.
  16. Syntax::=The rules determining the correctness and structure of statements in a language, grammar.
  17. Q::software="A program I wrote to make software easier to develop",
  18. TBA::="To Be Announced", something I should do.
  19. TBD::="To Be Done", something you have to do.
  20. UML::="Unified Modeling Language".
  21. void::C++Keyword="Indicates a function that has no return".

End