CIS 551 - Project 1

Project 1 : Buffer Overflows
CIS 551

Due: Feb. 8th 2008 at 11:59 p.m.

Description

The blame service is a simple system for assigning blame, written by our hero, Feckless C. Coder, PhD. The program accepts on standard input the name of a scapegoat and prints on standard output a message asserting that person's universal culpability. For example:

        $ echo "Steve Zdancewic" | ./blame
        It's all Steve Zdancewic's fault.

or, if you prefer:

        $ echo "Bill Gates" | ./blame
        It's all Bill Gates's fault.

The program is designed to operate as a network service, e.g., from the "inetd" daemon under Unix.

Source code for blame.c is attached below and is also available at http://www.cis.upenn.edu/~cis551/blame.c.

Simple-minded string processing aside (it would be more correct, after all, to say that "It's all Bill Gates' fault"), there is a serious problem with the blame program. Despite Feckless' best efforts, a bug allows anyone who can provide input to this program to run arbitrary code on the target machine. (What might happen if it is run as a network service under inetd, as suggested in the comments?)

Your job is to create input that will cause the blame service to print out the helpful message "Now I pwn your computer" before it terminates. For example:

	$ cat exploit_file | ./blame
	...
	Now I pwn your computer

Here, the "..." may be additional output caused as a side-effect of your attack.

Deliverables

Write a well documented program that generates exploit_file. (You can assume you'd have access to the object code for the instance of blame against which it will be run). Your program should work on the Linux platform available on the machines plus.seas.upenn.edu (note that minus.seas.upenn.edu, which are part of the eniac machine pool has buffer overflow protection turned on). The gcc compiler and gdb debugger are already installed. If, for some reason, you do not have an account on eniac.seas.upenn.edu contact one of the course staff members.
Submit the program that generates your exploit_file as well as any tools you use to generate parameters and constants. Your software should be sufficiently documented to allow a novice programmer to port your code to other platforms or to modify it to exploit similar weaknesses in other programs. In other words, your submission should be suitable as a tutorial on exploiting (and avoiding) this class of vulnerability.
Fix the blame.c implementation so that it is not vulnerable to this buffer overflow attack, but still has the same behavior as the original program for inputs that fit into the buffer INPUT_BUFFER. How do you know your program is secure?
Your submission should consist of a directory. The directory should include a README file containing your group information (including full names and e-mail addresses) and a list of the contents of the directory you submit.
project1 should be submitted online on eniac by using the command turnin.
- login system is your eniac login name
- place all the codes and documents in a folder, such as "hw"
- turnin -c cis551 -p project1 hw
  Please make sure the login name is yours when submitting, turnin identifies the submitted projects by the login name.
You may see what project tags turnin will accept at any given time with the command turnin -l -c cis551. There is also a turnin man page which explains the usage in more detail, including some additional arguments.

Notes UPDATED:

Due to recent changes in gcc 4.1.* that make it harder to perform stack-smashing attacks, you should use gcc 4.0.* to complete this project. To do this, we have installed gcc 4.0.4 in the ~cis551/tools directory on eniac.
To use gcc 4.0.4, you must make sure that our executable appears before gcc in your $PATH environment variable and alter your $LD_LIBRARY_PATH environment variable to point to the 4.0.4 libraries. Depending on your shell, you can do this via:
```
export PATH=/mnt/castor/seas_home/c/cis551/tools/gcc-4.0.4/bin:$PATH
export LD_LIBRARY_PATH=/mnt/castor/seas_home/c/cis551/tools/gcc-4.0.4/lib:$LD_LIBRARY_PATH
```
If you're interested in how gcc 4.1.* tries to protect against stack smashing attacks, consult these pages:
- http://en.wikipedia.org/wiki/Stack-smashing_protection
- http://www.trl.ibm.com/projects/security/ssp/

Gcc 4.1.* provides some options to switch on/off stack-protector

-fstack-protector:
    Emit extra code to check for buffer overflows, such as stack smashing attacks.
    This is done by adding a guard variable to functions with vulnerable objects.
    This includes functions that call alloca, and functions with buffers larger than
    8 bytes. The guards are initialized when a function is entered and then checked
    when the function exits. If a guard check fails, an error message is printed and
    the program exits.
-fstack-protector-all:
    Like \u2018-fstack-protector\u2019 except that all functions are protected.
-fno-stack-protector:
    switch off stack-protector
-fno-stack-protector-all:
    illegal for Suse. It works in FreeBSD

From http://gcc.gnu.org/onlinedocs/gcc-4.1.2/gcc.pdf

Extra credit: Carry out the stack smashing attack against under gcc 4.1.* assuming that blame.c is compiled with the option -fno-stack-protector.
DO THIS ONLY AFTER COMPLETING THE PROJECT UNDER GCC 4.0.*

Resources

You may find these links useful in your task. Feel free to use additional sources for learning about C, gdb, gcc, but do not submit code that you did not create entirely by yourself. Please see the course policies for acceptable use of external resources.

Aleph One's famous article Smashing the Stack for Fun and Profit
The Gnu Compiler Collection
The GNU Project Debugger
Intel's X86 Instruction Set Architecture

Grading guidelines

50% - Working exploit_file and associated tools.
- 25% - generated reasonable attack
- 15% - exploit works
- 10% - tools
20% - Fixed version of blame.c
- 10% - no segfault on long input
- 15% - code style and correctness
- 10% - matches documentation
30% - Documentation, tutorial, and explanation of the two parts above.
- 13% - description of exploit generation is clear and correct
- 15% - tutorial
- 10% - description of fixed blame.c>

Blame server source code `(blame.c)`

/*
 * Blame server.  Assigns blame to the person of your choice.
 *
 * Usage: blame
 *	(reads one line from standard input)
 *
 * To compile:
 *	cc blame.c -o blame
 *
 * Install under inetd as follows:
 *  blame	stream	tcp	nowait	root	/path/to/blame	blame
 *
 * Copyright 2004 by Feckless C. Coder, PhD.
 */

#include <stdio.h>
#include <string.h>
#define INPUT_BUFFER 256  /* maximum name size */

/*
 * read input, copy into s 
 * gets() is insecure and prints a warning
 *    so we use this instead
 */
void getline(char *s)
{
	int c;
	
	while ((c=getchar()) != EOF)
		*s++ = c;
	*s = '\0';
}

/*
 * convert newlines to nulls in place
 */
void purgenewlines(char *s)
{
	int l;

	l = strlen(s);

	while (l--)
		if (s[l] == '\n')
			s[l] = '\0';
}


int main()
{
	char scapegoat[INPUT_BUFFER];

	getline(scapegoat);
	/* this check ensures there's no buffer overflow */
	if (strlen(scapegoat) < INPUT_BUFFER) {
		purgenewlines(scapegoat);
		printf("It's all %s's fault.\n", scapegoat);
	}
	return 0;
}

Last Revised: 29 Jan. 2008

Project 1 : Buffer Overflows CIS 551