CIS 551 - Computing and Network Security

CIS/TCOM 551 - Computer and Network Security
Spring 2005


Topics     Reading     Projects     Grading     Lectures

Time: Tues. & Thurs. 1:30 - 3:00
Room: Towne 303

Instructors:

    Matt Blaze
      e-mail: blaze at-sign cis.upenn.edu
      office hours: TBD

    Steve Zdancewic
      e-mail: stevez at-sign cis.upenn.edu
      office hours: Tues. 9-10 am., Levine 511

Teaching Assistants:

    Eric Cronin
      e-mail: ecronin at-sign cis.upenn.edu
      office hours: Weds. 4:30-5:30 pm., Moore 102D.

    Gaurav Shah
      e-mail: gauravsh at-sign seas.upenn.edu
      office hours: Thurs. noon-1 pm., GRW 461.


Topics (roughly):


Reading

There is no required textbook for this class. Instead, see the following sources:

Projects

Project 1: Buffer Overflows Due: 27 Jan. 2005 (note extended deadline)

Project 2: Secure Communication Due: 4 March 2005 (6pm)

Project 3: Feckless Network Intrusion Detection Due: 22 April 2005 (6pm)


Grading Criteria


Lecture Slides

CIS 551 - Project 1

Project 1 : Buffer Overflows
CIS/TCOM 551


Due: January 25, 2005

Description

The blame service is a simple system for assigning blame, written by our hero, Feckless C. Coder, PhD. The program accepts on standard input the name of a scapegoat and prints on standard output a message asserting that person's universal culpability. For example:
        $ echo "Matt Blaze" | ./blame
        It's all Matt Blaze's fault.
or, if you prefer:
        $ echo "Bill Gates" | ./blame
        It's all Bill Gates's fault.
The program is designed to operate as a network service, e.g., from the "inetd" daemon under Unix.

Source code for blame.c is attached below and is also available at http://www.cis.upenn.edu/~cis551/blame.c.

Simple-minded string processing aside (it would be more correct, after all, to say that "It's all Bill Gates' fault"), there is a serious problem with the blame program. Despite Feckless' best efforts, a bug allows anyone who can provide input to this program to run arbitrary code on the target machine. (What might happen if it is run as a network service under inetd, as suggested in the comments?)

Your job is to create input that will cause the blame service to print out the helpful message "Now I own your computer" before it terminates. For example:

	$ cat exploit_file | ./blame
	...
	Now I own your computer

Here, the "..." may be additional output caused as a side-effect of your attack.

Deliverables

  1. Write a well documented program that generates exploit_file. (You can assume you'd have access to the object code for the instance of blame against which it will be run). Your program should work on the Linux platform available on the eniac-l.seas.upenn.edu machine pool. The gcc compiler and gdb debugger are already installed. If, for some reason, you do not have an account on eniac-l.seas.upenn.edu contact one of the course staff members.

    Submit the program that generates your exploit_file as well as any tools you use to generate parameters and constants. Your software should be sufficiently documented to allow a novice programmer to port your code to other platforms or to modify it to exploit similar weaknesses in other programs. In other words, your submission should be suitable as a tutorial on exploiting (and avoiding) this class of vulnerability.

  2. Fix the blame.c implementation so that it is not vulnerable to this buffer overflow attack, but still has the same behavior as the original program for inputs that fit into the buffer INPUT_BUFFER. How do you know your program is secure?
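One way to approach deliverable 2, as an added example that is not Feckless's code or the course's reference solution: read_name() replaces the unbounded getline() with a bounded reader that reports truncation instead of writing past the buffer, and blame() keeps the original output for any input of fewer than INPUT_BUFFER bytes. The function names read_name and blame are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

#define INPUT_BUFFER 256  /* same limit as the original blame.c */

/* Bounded replacement for blame.c's getline(): stores at most cap-1 bytes in s,
 * always NUL-terminates, and sets *truncated if the input did not fit. The
 * remaining input is drained so it cannot be misread as a second request. */
size_t read_name(FILE *in, char *s, size_t cap, int *truncated)
{
    size_t n = 0;
    int c;

    *truncated = 0;
    if (cap == 0) return 0;
    while ((c = fgetc(in)) != EOF) {
        if (n + 1 >= cap) {            /* no room left: flag it, never write past s */
            *truncated = 1;
            while (fgetc(in) != EOF)
                ;
            break;
        }
        s[n++] = (char)c;
    }
    s[n] = '\0';
    return n;
}

/* Same visible effect as the original purgenewlines(): name ends at first '\n'. */
static void purgenewlines(char *s)
{
    char *nl = strchr(s, '\n');
    if (nl) *nl = '\0';
}

/* Builds the blame message in out. Returns 0 on success, -1 when the name does
 * not fit in INPUT_BUFFER (the original silently printed nothing in that case). */
int blame(FILE *in, char *out, size_t outcap)
{
    char scapegoat[INPUT_BUFFER];
    int truncated;

    read_name(in, scapegoat, sizeof scapegoat, &truncated);
    if (truncated) return -1;
    purgenewlines(scapegoat);
    snprintf(out, outcap, "It's all %s's fault.\n", scapegoat);
    return 0;
}
```

The bound is checked before each store, so the check that blame.c performs after the copy has already happened is no longer needed; a caller such as `blame(stdin, out, sizeof out)` reproduces the original stdin/stdout contract.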

Resources

You may find these links useful in your task. Feel free to use additional sources, but please document them if you do.

Blame server source code (blame.c)

/*
 * Blame server.  Assigns blame to the person of your choice.
 *
 * Usage: blame
 *	(reads one line from standard input)
 *
 * To compile:
 *	cc blame.c -o blame
 *
 * Install under inetd as follows:
 *  blame	stream	tcp	nowait	root	/path/to/blame	blame
 *
 * Copyright 2004 by Feckless C. Coder, PhD.
 */

#include <stdio.h>
#include <string.h>
#define INPUT_BUFFER 256  /* maximum name size */

/*
 * read input, copy into s 
 * gets() is insecure and prints a warning
 *    so we use this instead
 */
void getline(char *s)
{
	int c;
	
	while ((c=getchar()) != EOF)
		*s++ = c;
	*s = '\0';
}

/*
 * convert newlines to nulls in place
 */
void purgenewlines(char *s)
{
	int l;

	l = strlen(s);

	while (l--)
		if (s[l] == '\n')
			s[l] = '\0';
}


int main()
{
	char scapegoat[INPUT_BUFFER];

	getline(scapegoat);
	/* this check ensures there's no buffer overflow */
	if (strlen(scapegoat) < INPUT_BUFFER) {
		purgenewlines(scapegoat);
		printf("It's all %s's fault.\n", scapegoat);
	}
	return 0;
}


Last Revised: 6 January 2005

CIS 551 - Project 2

Project 2 : Secure, Networked Communication
CIS/TCOM 551


Due: March 4, 2005 (6pm EST)

Description

Recall the blame service from Project 1, which you modified to eliminate a buffer overflow. The original program, as written by Prof. Feckless C. Coder, PhD, accepts on standard input the name of a scapegoat and prints on standard output a message asserting that person's universal culpability. For example:
        $ echo "Matt Blaze" | ./blame
        It's all Matt Blaze's fault.
In this project, you will do two things. First, modify the program to operate as a network service, accepting connections on a port. Second, modify your networked program (and write a client) to use SSL encryption.

Source code for the original (buffer-overflow-prone) blame.c is attached below and is also available at http://www.cis.upenn.edu/~cis551/blame.c.

Deliverables

  1. (40% credit) Modify blame.c to run as a network service, blameserver, running in a loop that accepts TCP connections on a port specified on the command line. Write a client blameclient that sends its standard input to the blame server machine and port specified on the command line and that prints the output from the service on standard output. For example,
      ./blameserver 21212
    
    should run the blame service on TCP port 21212, such that
      echo Matt Blaze | ./blameclient localhost 21212
    
    prints the message
      It's all Matt Blaze's fault!
    
    Your programs should work on the eniac.seas.upenn.edu machine pool.
  2. (30% credit) Modify blameserver and blameclient to encrypt their traffic (using a public key exchange and a block cipher). Use the OpenSSL library, available on Eniac. Note that there are several ways to do this. Any method that does a public key exchange to generate a random secret session key is acceptable; you may use the entire SSL protocol or you may use any component tools you wish from the SSL library. Be sure to document what you did and how your software works.
  3. (30% credit) Modify your encrypting blameserver and blameclient to use certificates for the client and server. Use the OpenSSL tools to create a certificate authority (whose public key can be configured into your client and server) and issue client and server certificates. Print appropriate error messages if the client or server certificate is invalid or if the key does not match that in the certificate. Write demonstration programs that show normal operation as well as these errors. Note that there are several ways to do this.
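A starting point for item 1, as an added example that is not the course's or Feckless's code: handle_client() reads one name from a connected socket into a bounded buffer (so the Project 1 overflow cannot recur when the input now arrives from the network) and writes the blame line back; main() binds the port given on the command line and serves clients in a loop. The function name handle_client is an assumption introduced here, and the plaintext TCP service is deliberately without the SSL layer that items 2 and 3 add.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>

#define INPUT_BUFFER 256  /* same limit as blame.c */

/* Serves one connection: reads a name (up to the first newline, never more than
 * INPUT_BUFFER-1 bytes) and sends the blame line back. Returns 0 on success,
 * -1 if the name was too long or the socket failed. The caller closes fd. */
int handle_client(int fd)
{
    char name[INPUT_BUFFER], reply[INPUT_BUFFER + 32];
    size_t n = 0;
    int too_long = 0, len;
    for (;;) {
        if (n == sizeof name - 1) { too_long = 1; break; }   /* bound checked before write */
        if (recv(fd, name + n, 1, 0) <= 0 || name[n] == '\n') break;
        n++;
    }
    name[n] = '\0';
    if (too_long) {
        send(fd, "name too long\n", 14, 0);   /* refuse instead of printing nothing */
        return -1;
    }
    len = snprintf(reply, sizeof reply, "It's all %s's fault.\n", name);
    return send(fd, reply, (size_t)len, 0) == len ? 0 : -1;
}

/* blameserver <port>: accept loop, one client at a time, fresh buffers per client. */
int main(int argc, char **argv)
{
    int ls, c;
    struct sockaddr_in a = {0};
    if (argc != 2) { fprintf(stderr, "usage: %s port\n", argv[0]); return 1; }
    a.sin_family = AF_INET;
    a.sin_port = htons(atoi(argv[1]));
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0 || bind(ls, (struct sockaddr *)&a, sizeof a) < 0 || listen(ls, 16) < 0) {
        perror("blameserver");
        return 1;
    }
    for (;;) {
        if ((c = accept(ls, NULL, NULL)) < 0) continue;
        handle_client(c);
        close(c);
    }
}
```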

Original Blame server source code (blame.c)

/*
 * Blame server.  Assigns blame to the person of your choice.
 *
 * Usage: blame
 *	(reads one line from standard input)
 *
 * To compile:
 *	cc blame.c -o blame
 *
 * Install under inetd as follows:
 *  blame	stream	tcp	nowait	root	/path/to/blame	blame
 *
 * Copyright 2004 by Feckless C. Coder, PhD.
 */

#include <stdio.h>
#include <string.h>
#define INPUT_BUFFER 256  /* maximum name size */

/*
 * read input, copy into s 
 * gets() is insecure and prints a warning
 *    so we use this instead
 */
void getline(char *s)
{
	int c;
	
	while ((c=getchar()) != EOF)
		*s++ = c;
	*s = '\0';
}

/*
 * convert newlines to nulls in place
 */
void purgenewlines(char *s)
{
	int l;

	l = strlen(s);

	while (l--)
		if (s[l] == '\n')
			s[l] = '\0';
}


int main()
{
	char scapegoat[INPUT_BUFFER];

	getline(scapegoat);
	/* this check ensures there's no buffer overflow */
	if (strlen(scapegoat) < INPUT_BUFFER) {
		purgenewlines(scapegoat);
		printf("It's all %s's fault.\n", scapegoat);
	}
	return 0;
}


Last Revised: 6 January 2005