[Skip Navigation] [CSUSB] / [CNS] / [Comp Sci & Eng Dept] / [R J Botting] / [CSci202] / lab03
[Text Version] [Syllabus] [Schedule] [Glossary] [Resources] [Grading] [Contact] [Question] [Search ]
Notes: [01] [02] [03] [04] [05] [06] [07] [08] [09] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20]
Labs: [01] [02] [03] [04] [05] [06] [07] [08] [09] [10]
Mon Apr 20 16:40:33 PDT 2009

Contents

    CSci202 Laboratory 03 Pointers and Information Security


      (previous): Diagrams [ lab02.html ]

      Goals

      1. To have experimented with a dangerous misuses and arrays.
      2. To know what buffer overrun attack is.
      3. To know how to write C++ code that is not exposed to buffer overrun attacks.

      Ideal Procedure

      1. Download (shift&click) the following awful example. [ lab02bad.cpp ]
        1. It is designed as an example of a bad log-in program.
        2. It uses char* arrays to hold character strings with and the old "str*" library to manipulate them. Each string has an extra '\0' char at the end.
          Net
          1. #include <cstring> // defines the "str*" functions.
            authenticated= ! strncmp(pwd,passwd,7); // CoMPares upto 7 charcaters of pwd and passwd and sets authenticated to true if they are equal.
            if(!strcmp(name,"botting")) // compares the characters in name with those in "botting" and does not keep count. It tries pairs of characters until one is different or '\0'. The condition succeeds if the strings are equal.
            strcpy(pwd, "123456"); // Copies "123456" into pwd -- this copies 6 characters and a null '\0' even if pwd has room for 2 character:-(

          (End of Net)

        3. It has many faults and we will remove some of these in our laboratories.
        4. This is how it works when compiled and run:
          1. First it outputs the addresses of the three character arrays used in the program: "name", "pwd", and "passwd".
          2. Then it enters a loop until a log-in is authenticated:
            1. It asks for a name ("botting" for example) using a function "get".
            2. It looks up the password for the name ("botting" has "123456") using function get_password.
            3. It asks for a password.
            4. It tests to see if the two passwords match.
            5. If they don't match it outputs a message and repeats from step 1 above.

          3. If the two passwords match it "Welcomes" the user.

      2. Make it compile it into "lab02bad" and test it. It should work as described.
      3. Unfortunately it falls to a simple buffer over run attack.
      4. Run it with name 'botting' and try passwords 'x', 'xx', 'xxxx', 'xxxxxx', and so on.... what happens with each? Any unexpected logins?

      5. When you can explain to me what is going on (hint: draw a picture!) you've earned a 'D' for the lab.

      6. Please preserve a copy of the compiled code "lab02bad" ready for [ lab06.html ] a future lab.

      7. Your task is to fix the buffer overrun. Where is the problem? 
         		cin>>input;
        in function 
         		void get(char * askfor, int numchars, char * input)
      8. Here are two ways to attempt to fix the problem that are fairly easy and one that is challenging (I've tried all three).
        1. The quick fix: input the user data into a 'string' variable. Then use the 'string' functions to extract a substring that fits in the given 7 character buffer. This relies on the C++ Standard Library [ string.html ] not having a buffer overrun in its place. So, I'll offer a max of a B in the lab for this solution.
        2. Use a character by character low level hack: Have a single 
           		char c;
          and put the user data into it one character at a time using 
           		cin.get(c);
          until the buffer(input) is full or the user taps enter ('\n'). Then add the terminating ('\0') and discard the rest of the data by using cin.get(c) and not doing anything with c! Get this working and you've got an A.
        3. The challenge of getline: Here you use 
           		cin.getline(input, numchars+1, '\n');
          to fill the buffer. You then need to use 
           		cin.fail()
          to see if there are any characters to discard and 
           		cin.clear()
          to clear the fail flag. After clearing the fail flag then you can use cin.get(...) to discard the rest of the line. Get this working and you've got an A.


        Pick the strategy closest to your taste, and may the source be with you, as you patch the code.
      9. Show me when you are happy that it fights off the attackers, or when we are out of time.

      Deliverables

      Show me an example of a buffer over run resisted.

      Deadline

       Before the end of the laboratory period.

      If you have time to spare

      1. Study this web page [ pointers.html ] (and look for the stories and jokes).

      2. Work on your next project.

      Hints

      Do not fix the many other faults with this code. We will get to them later.

      I will publish my solutions in the next lab.

    . . . . . . . . . ( end of section CSci202 Laboratory 03 Pointers and Information Security) <<Contents | End>> i. Making this class safer: [ lab06.html ]

    Abbreviations

  1. Algorithm::=A precise description of a series of steps to attain a goal, [ Algorithm ] (Wikipedia).
  2. class::="A description of a set of similar objects that have similar data plus the functions needed to manipulate the data".
  3. Data_Structure::=A small data base.
  4. Function::programming=A selfcontained and named piece of program that knows how to do something.
  5. Gnu::="Gnu's Not Unix", a long running open source project that supplies a very popular and free C++ compiler.
  6. KDE::="Kommon Desktop Environment".
  7. object::="A little bit of knowledge -- some data and some know how", and instance of a class".
  8. OOP::="Object-Oriented Programming", Current paradigm for programming.
  9. Semantics::=Rules determining the meaning of correct statements in a language.
  10. SP::="Structured Programming", a previous paradigm for programming.
  11. STL::="The standard C++ library of classes and functions" -- also called the "Standard Template Library" because many of the classes and functions will work with any kind of data.
  12. Syntax::=The rules determining the correctness and structure of statements in a language, grammar.
  13. Q::software="A program I wrote to make software easier to develop",
  14. TBA::="To Be Announced", something I should do.
  15. TBD::="To Be Done", something you have to do.
  16. UML::="Unified Modeling Language".
  17. void::C++Keyword="Indicates a function that has no return".

End