Secure Systems Programming: Coursework 2
VerifiedAdded on 2023/01/09
|10
|2518
|90
AI Summary
This document provides answers to the questions in Coursework 2 of Secure Systems Programming. It discusses errors in code, dynamic memory allocation, buffer overflow attacks, and more.
Contribute Materials
Your contribution can guide someone’s learning journey. Share your
documents today.
UNIVERSITY OF HERTFORDSHIRE
Academic Year: 2018/2019
Semester: B
School of Computer Science
Secure Systems Programming (online)
Coursework 2 (50%)
Please fill in your student ID
Student ID _____________________
(staff use only)
Total
There are 5 questions of 10 marks each.
Full marks may be obtained by attempting ALL questions.
Page 1
Academic Year: 2018/2019
Semester: B
School of Computer Science
Secure Systems Programming (online)
Coursework 2 (50%)
Please fill in your student ID
Student ID _____________________
(staff use only)
Total
There are 5 questions of 10 marks each.
Full marks may be obtained by attempting ALL questions.
Page 1
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
1. Answers to Q1
Error 1: In line 7, the number of iterations in the loop should not exceed the size of
array that is they must remain exactly the same number as allowed by the program.
Error 2: In Line 6 we allocate “dest” variable a buffer size which is equal to size of
variable “source” (which is equal to 10). During the 10th and 11th iteration of the loop
which is in Line 7, the indexing of the “dest” and “source” variable exceeds the size
of the memory they are allocated.
Error 3: No inclusion of header files has been done in the code. Main header files to
execute the program are missing.
Error 4: malloc returns a pointer of type void, which needs to be type casted, but no
type casting is done in Line 6. Explicit and implicit type casting is not present.
Error 5: In line 10 the value of i=12, which is already greater than the allowed size
for the variable of “dest” because of which buffer overflow can possibly occur and
program may behave abruptly and may produce output which is not related to any
work.
Page 2
Error 1: In line 7, the number of iterations in the loop should not exceed the size of
array that is they must remain exactly the same number as allowed by the program.
Error 2: In Line 6 we allocate “dest” variable a buffer size which is equal to size of
variable “source” (which is equal to 10). During the 10th and 11th iteration of the loop
which is in Line 7, the indexing of the “dest” and “source” variable exceeds the size
of the memory they are allocated.
Error 3: No inclusion of header files has been done in the code. Main header files to
execute the program are missing.
Error 4: malloc returns a pointer of type void, which needs to be type casted, but no
type casting is done in Line 6. Explicit and implicit type casting is not present.
Error 5: In line 10 the value of i=12, which is already greater than the allowed size
for the variable of “dest” because of which buffer overflow can possibly occur and
program may behave abruptly and may produce output which is not related to any
work.
Page 2
2. Answers to Q2
Answer to 2(i)
The first, second and third chunk of memory are allocated dynamically with the given
specified size mentioned as a parameter in malloc. No value is initialized in the
allocated memory, so basically garbage values are stored in those memory blocks
during memory allocation. Dynamic memory allocation would result in uninitialized
memory allocations so the garbage values are not related and could be anything in
general .
The first chunk of memory allocated is of size 660 bytes and the base address of the
memory block is given by variable “first”.
Similarly, the second and third chunk of memory allocated is of size 220 and 120
bytes respectively and have base address of these memory blocks are given by
variable “second” and “third” respectively.
If the space is insufficient than allocation fails and returns a NULL pointer.
Answer to 2(ii)
The buffer overflow attack can be vulnerable to a great extent. The program starts
showing undefined behavior as it goes in buffer attack. That means anything can
happen, from it crashing to maybe working too but nothing is certain In this case.
Basically when we are writing data in the memory block allocated to the program
then it is fine by the OS, but when we start writing on memory block other than the
allocated one, we may be writing on the memory block which is being used by some
other program or another variable i.e. the space given to other variables or methods
would be used . So it may alter the working of the program that is utilizing that
memory, causing undefined behavior. Sometimes the extra data may hold
instructions by malicious user or hacker that may trigger some kind of actions that
are undesirable by the user and can cause serious issues with program security
point of view. In the given scenario if the argument argv[1] contains a data of 224
bytes with the last 4 bytes being written with the value 4 then it also may cause
segmentation fault because we are creating an invalid memory reference as the
maximum size of that argument argv[1] can have is 220 bytes. Segmentation fault
generally occurs when we try to use up that space which is not allocated to our
program and the memory limit goes out of bound.
Page 3
Answer to 2(i)
The first, second and third chunk of memory are allocated dynamically with the given
specified size mentioned as a parameter in malloc. No value is initialized in the
allocated memory, so basically garbage values are stored in those memory blocks
during memory allocation. Dynamic memory allocation would result in uninitialized
memory allocations so the garbage values are not related and could be anything in
general .
The first chunk of memory allocated is of size 660 bytes and the base address of the
memory block is given by variable “first”.
Similarly, the second and third chunk of memory allocated is of size 220 and 120
bytes respectively and have base address of these memory blocks are given by
variable “second” and “third” respectively.
If the space is insufficient than allocation fails and returns a NULL pointer.
Answer to 2(ii)
The buffer overflow attack can be vulnerable to a great extent. The program starts
showing undefined behavior as it goes in buffer attack. That means anything can
happen, from it crashing to maybe working too but nothing is certain In this case.
Basically when we are writing data in the memory block allocated to the program
then it is fine by the OS, but when we start writing on memory block other than the
allocated one, we may be writing on the memory block which is being used by some
other program or another variable i.e. the space given to other variables or methods
would be used . So it may alter the working of the program that is utilizing that
memory, causing undefined behavior. Sometimes the extra data may hold
instructions by malicious user or hacker that may trigger some kind of actions that
are undesirable by the user and can cause serious issues with program security
point of view. In the given scenario if the argument argv[1] contains a data of 224
bytes with the last 4 bytes being written with the value 4 then it also may cause
segmentation fault because we are creating an invalid memory reference as the
maximum size of that argument argv[1] can have is 220 bytes. Segmentation fault
generally occurs when we try to use up that space which is not allocated to our
program and the memory limit goes out of bound.
Page 3
3. Answers to Q3
Answer to 3(1):
After compilation the file created is “a.out”
Input: ./a.out 7 testing
output: tes
value of variable “len” : 7
value of variable “size” : 3
Answer to 3(2):
whenever the value of the argument argv[1] is less than 4, then “segmentation
fault” occurs, irrespective of the length of the string in argv[2]
For Example:
Input: ./a.out 3 tes
output: Segmentation Fault
This happens because when argv[1] < 4 then len = argv[1] and eventually
size = len – 4, therefore the value of size if less than 0 and here size is a
“unsigned integer”, so the system converts the negative value to 2’s
compliment and assigns it to size. This value becomes too huge for the
system to allocate a memory block of this size.
Page 4
Answer to 3(1):
After compilation the file created is “a.out”
Input: ./a.out 7 testing
output: tes
value of variable “len” : 7
value of variable “size” : 3
Answer to 3(2):
whenever the value of the argument argv[1] is less than 4, then “segmentation
fault” occurs, irrespective of the length of the string in argv[2]
For Example:
Input: ./a.out 3 tes
output: Segmentation Fault
This happens because when argv[1] < 4 then len = argv[1] and eventually
size = len – 4, therefore the value of size if less than 0 and here size is a
“unsigned integer”, so the system converts the negative value to 2’s
compliment and assigns it to size. This value becomes too huge for the
system to allocate a memory block of this size.
Page 4
Secure Best Marks with AI Grader
Need help grading? Try our AI Grader for instant feedback on your assignments.
4. Answers to Q4
Answer to 4(1):
1. int main() {
2. char aaddr[9], format[30], buffer[30]; //three arrays of type “char”
have been declared
3. int aaa = 16; //a integer variable “aaa” has been initialized
value=16
4. int bbb = 0; // a integer variable “bbb” has been initialized
value=0
5. sprintf(aaddr, "%08x", &aaa); //copy address value of variable “aaa”
to another variable “aaddr” where the
values of variable “aaa” has been converted
to hexadecimal lowercase and been extended to
8 digits with 0 as a prefix instead of blank
spaces
6. printf(aaddr); //print variable “aaddr”
7. printf("\n"); // print a blank line
8. sprintf(buffer, "\\x%c%c\\x%c%c\\x%c%c\\x%c%c", aaddr[6], aaddr[7],
aaddr[4], aaddr[5], aaddr[2], aaddr[3], aaddr[0], aaddr[1]);
//copy the middle parameter as a string to the variable “buffer”
where %c is replaced by respective argument from the array “aaddr”
9. strcpy(format, buffer); //copy contents of “buffer” to “format”
10. sprintf(buffer,"%%08x.%%08x%%n"); //copies the second parameter to
the first parameter variable
11. strcat(format, buffer); //paste the contents of variable “buffer” at
the end of variable “format”
12. printf("%s\n", format); //print variable “format”
13. printf(format, &aaa, &aaa, &bbb); // “format” variable is of the f
form “\x88\x78\x96\xb1%08x.%08x%n”. here the “%08x”
parameter is replaced by the content of “&aaa” and
“&aaa” which are the 2nd and 3rd parameters of
printf. Here the main role of the third parameter
is that instead of printing_something causes the function printf() to
load a particular variable pointed to by the similar argument with the
value which is equal to the number of chars that has
been printed by function printf()
14. }
Page 5
Answer to 4(1):
1. int main() {
2. char aaddr[9], format[30], buffer[30]; //three arrays of type “char”
have been declared
3. int aaa = 16; //a integer variable “aaa” has been initialized
value=16
4. int bbb = 0; // a integer variable “bbb” has been initialized
value=0
5. sprintf(aaddr, "%08x", &aaa); //copy address value of variable “aaa”
to another variable “aaddr” where the
values of variable “aaa” has been converted
to hexadecimal lowercase and been extended to
8 digits with 0 as a prefix instead of blank
spaces
6. printf(aaddr); //print variable “aaddr”
7. printf("\n"); // print a blank line
8. sprintf(buffer, "\\x%c%c\\x%c%c\\x%c%c\\x%c%c", aaddr[6], aaddr[7],
aaddr[4], aaddr[5], aaddr[2], aaddr[3], aaddr[0], aaddr[1]);
//copy the middle parameter as a string to the variable “buffer”
where %c is replaced by respective argument from the array “aaddr”
9. strcpy(format, buffer); //copy contents of “buffer” to “format”
10. sprintf(buffer,"%%08x.%%08x%%n"); //copies the second parameter to
the first parameter variable
11. strcat(format, buffer); //paste the contents of variable “buffer” at
the end of variable “format”
12. printf("%s\n", format); //print variable “format”
13. printf(format, &aaa, &aaa, &bbb); // “format” variable is of the f
form “\x88\x78\x96\xb1%08x.%08x%n”. here the “%08x”
parameter is replaced by the content of “&aaa” and
“&aaa” which are the 2nd and 3rd parameters of
printf. Here the main role of the third parameter
is that instead of printing_something causes the function printf() to
load a particular variable pointed to by the similar argument with the
value which is equal to the number of chars that has
been printed by function printf()
14. }
Page 5
Answer to 4(2):
In the program, in line number 13 when the attacker will try to modify the code
to function printf(format), then the compiler will not analyse the “format” string
and it will determine that the integer argument is not present. This can be a
perfectly legal C language code. This fact which says that you are missing
some argument is a type of semantic issue which only will appear at the
runtime. The printf() function now will assume that you have already supplied
the needed argument and it will go looking for the argument on to the stack. It
picks up whatever value happen to be on the stack present there. So the
attacker may cause alteration in stack value that may cause the program to
behave abruptly and in favor of attacker. So either we should limit the stack
behavior or we must implement a check before taking value from the stack.
Page 6
In the program, in line number 13 when the attacker will try to modify the code
to function printf(format), then the compiler will not analyse the “format” string
and it will determine that the integer argument is not present. This can be a
perfectly legal C language code. This fact which says that you are missing
some argument is a type of semantic issue which only will appear at the
runtime. The printf() function now will assume that you have already supplied
the needed argument and it will go looking for the argument on to the stack. It
picks up whatever value happen to be on the stack present there. So the
attacker may cause alteration in stack value that may cause the program to
behave abruptly and in favor of attacker. So either we should limit the stack
behavior or we must implement a check before taking value from the stack.
Page 6
5. Answers to Q5
Answer to 5(1):
The Principle of least-privilege is a very crucial concept in computer network
security. It is a way of limiting the provided access rights for the group or users to the
bare-minimum allowed permissions they will need to perform their scheduled task.
Generally, groups and users are granted basic permissions to read, or to write and
sometimes to execute only those files and resources which they will need to do their
work.
We can implement Principle of least-privilege in a password changing program,
where user can be able to change their own passwords, but not the ones of other
users. This can be done by various methods, like by separating privileges i.e. by
separating admin accounts from standard accounts and higher level systems from
the lower ones and so on. If necessary then just restrict privileges only to moments
when they are needed i.e. time bound privileges can be provided. We can also check
for all the existing one accounts, and all of the processes that are present on the
system, and all the programs present to ensure for the fact that they do only have
the permissions which are absolutely required to do their job. No other permisiions
would be granted and in this way it ensures the safety .
Answer to 5(2):
In software-development, the time of check to the time of use is a general class of
software related bugs caused by the changes performed in a system between doing
the checking of a certain condition (such like as a security credential) and the
rigorous use of the results of that check-condition. This is 1 example of a race
condition.
Suppose in the previous example of password change, user wants to change the
password then we can momentarily give user the privilege of changing the password
but only limiting the privilege to that margin where he/she can change only their
Page 7
Answer to 5(1):
The Principle of least-privilege is a very crucial concept in computer network
security. It is a way of limiting the provided access rights for the group or users to the
bare-minimum allowed permissions they will need to perform their scheduled task.
Generally, groups and users are granted basic permissions to read, or to write and
sometimes to execute only those files and resources which they will need to do their
work.
We can implement Principle of least-privilege in a password changing program,
where user can be able to change their own passwords, but not the ones of other
users. This can be done by various methods, like by separating privileges i.e. by
separating admin accounts from standard accounts and higher level systems from
the lower ones and so on. If necessary then just restrict privileges only to moments
when they are needed i.e. time bound privileges can be provided. We can also check
for all the existing one accounts, and all of the processes that are present on the
system, and all the programs present to ensure for the fact that they do only have
the permissions which are absolutely required to do their job. No other permisiions
would be granted and in this way it ensures the safety .
Answer to 5(2):
In software-development, the time of check to the time of use is a general class of
software related bugs caused by the changes performed in a system between doing
the checking of a certain condition (such like as a security credential) and the
rigorous use of the results of that check-condition. This is 1 example of a race
condition.
Suppose in the previous example of password change, user wants to change the
password then we can momentarily give user the privilege of changing the password
but only limiting the privilege to that margin where he/she can change only their
Page 7
Paraphrase This Document
Need a fresh take? Get an instant paraphrase of this document with our AI Paraphraser
account’s password, and as soon as user clicks on submit we can go back to the
state where user had less privileges. We can also use timers, so that if user doesn’t
change the password back within a certain reasonable time then the privileges
granted will be taken back as soon as the timer stops.
Answer to 5(3):
A buffer memory is said to be a sequential section of the memory which is allocated
to hold the data of the variables of different type such as character or the strings or
the integers, etc. A buffer-overflow generally occurs when more amount of data is
tried to be fitted or stored in a buffer whose length or size is generally fixed and static
in nature. This extra amount of information could go to the adjacent memory location
and could trigger unwanted actions which are harmful from the system point of view.
int main()
{
char buffer[16];
int passs = 0 ;
// Taking Input for details to log in
printf ( " \n Enter the credential/password : \n ");
//string Input
gets (buffer);
if (strncmp(buffer, "theschoolstuff"))
printf ("\n This is wrong Credential/Password not correct \n");
else
{
//default condition
printf ("\n The password is Correct \n");
passs = 1;
}
//check for the value of passs as 0 or 1
Page 8
state where user had less privileges. We can also use timers, so that if user doesn’t
change the password back within a certain reasonable time then the privileges
granted will be taken back as soon as the timer stops.
Answer to 5(3):
A buffer memory is said to be a sequential section of the memory which is allocated
to hold the data of the variables of different type such as character or the strings or
the integers, etc. A buffer-overflow generally occurs when more amount of data is
tried to be fitted or stored in a buffer whose length or size is generally fixed and static
in nature. This extra amount of information could go to the adjacent memory location
and could trigger unwanted actions which are harmful from the system point of view.
int main()
{
char buffer[16];
int passs = 0 ;
// Taking Input for details to log in
printf ( " \n Enter the credential/password : \n ");
//string Input
gets (buffer);
if (strncmp(buffer, "theschoolstuff"))
printf ("\n This is wrong Credential/Password not correct \n");
else
{
//default condition
printf ("\n The password is Correct \n");
passs = 1;
}
//check for the value of passs as 0 or 1
Page 8
if(passs)
{
/* Now the system provides root permissions / admin rights to the user*/
printf ( " \n The Root permissions and privileges are provided to the user \n " );
}
return 0 ;
}
Now, the general issue with the above written code is that, the gets() method does
not perform the check on the array bounds and it could even write the strings which
are of length that is higher than the size allowed of the array buffer to which all the
string part is being written. What an attacker could possibly do is that, he could
supply an input char array or string of length which is greater thanwhat the buffer
could allow/hold on and at a very exact particular length of the input , the buffer will
overflow and buffer-overflow could take place in the way that it can even overwrite
the memory which has been allocated for integer ‘ passs ’. So even we provide
wrong credentials or despite of a wrong value for the password, the value of the ‘
passs ’ would became non-zero and in this particular way the root privileges and all
access could be granted to any malicious attacker easily.
Page 9
{
/* Now the system provides root permissions / admin rights to the user*/
printf ( " \n The Root permissions and privileges are provided to the user \n " );
}
return 0 ;
}
Now, the general issue with the above written code is that, the gets() method does
not perform the check on the array bounds and it could even write the strings which
are of length that is higher than the size allowed of the array buffer to which all the
string part is being written. What an attacker could possibly do is that, he could
supply an input char array or string of length which is greater thanwhat the buffer
could allow/hold on and at a very exact particular length of the input , the buffer will
overflow and buffer-overflow could take place in the way that it can even overwrite
the memory which has been allocated for integer ‘ passs ’. So even we provide
wrong credentials or despite of a wrong value for the password, the value of the ‘
passs ’ would became non-zero and in this particular way the root privileges and all
access could be granted to any malicious attacker easily.
Page 9
REFERENCES:
C_programming.com. (2019). Debugging of popular Segmentation Faults and
various solutions for Pointer Problems – C_programming.com. [online] Available
from: https://www.c_programming.com/debugging/segfaults.html [Accessed 9 Apr.
2019].
Tutorialspoint.com. (2019). NULL pointer in C. [online] Available from:
https://www.tutorialspoint.com/null-pointer-in-c [Accessed 9 Apr. 2019].
System, O.(2019). Classic Difference Between the functions malloc and calloc (with
detailed Comparison Chart for both) - Tech Differences. [online] Tech Differences.
Available from: https://techdifferences.com/difference-between-popular-malloc-and-
function -calloc.html [Accessed 9 Apr. 2019].
TechGenix. (2019). Analysis of the Popular Buffer Overflow Attacks. [online]
Available from: http://techgenix.com/Analysis_of_Buffer_Overflow_Attacks/
[Accessed 9 Apr. 2019].
Page 10
C_programming.com. (2019). Debugging of popular Segmentation Faults and
various solutions for Pointer Problems – C_programming.com. [online] Available
from: https://www.c_programming.com/debugging/segfaults.html [Accessed 9 Apr.
2019].
Tutorialspoint.com. (2019). NULL pointer in C. [online] Available from:
https://www.tutorialspoint.com/null-pointer-in-c [Accessed 9 Apr. 2019].
System, O.(2019). Classic Difference Between the functions malloc and calloc (with
detailed Comparison Chart for both) - Tech Differences. [online] Tech Differences.
Available from: https://techdifferences.com/difference-between-popular-malloc-and-
function -calloc.html [Accessed 9 Apr. 2019].
TechGenix. (2019). Analysis of the Popular Buffer Overflow Attacks. [online]
Available from: http://techgenix.com/Analysis_of_Buffer_Overflow_Attacks/
[Accessed 9 Apr. 2019].
Page 10
1 out of 10
Related Documents
![[object Object]](/_next/image/?url=%2F_next%2Fstatic%2Fmedia%2Flogo.6d15ce61.png&w=640&q=75){kind=small}
Your All-in-One AI-Powered Toolkit for Academic Success.
+13062052269
info@desklib.com
Available 24*7 on WhatsApp / Email
![[object Object]](/_next/static/media/star-bottom.7253800d.svg)
Unlock your academic potential
© 2024 | Zucol Services PVT LTD | All rights reserved.