Overview
In this lab we will:
- Look at how integers are represented inside your machine
- Demonstrate overflow, underflow, truncation and sign errors
- Simulate an arc injection attack in gdb
A. Integer types, sizes and representations
Use gdb to help you answer the following simple questions. To help you get started, you will find some examples here of using gdb to answer similar questions.
- How big is a char?
- Write down the bit pattern for a char = 1
- Write down the bit pattern for a char = -1
- Write down the bit pattern for a char = 127
- Write down the bit pattern for a char = -128
- Write down the bit pattern for a char = -129
- Write down the bit pattern for an unsigned char = 255
- How big is a short int?
- How big is a long int?
- How big is an int?
- How big is a long long int?
- How big is a float?
- How big is a double?
- How big is a long double?
- When is -1 > 1?
B. Integer problems
Take a look inside /usr/include/limits.h at the maximum and minimum values defined for the various integer types. Using the constants in /usr/include/limits.h to help you, write some C excerpts that illustrate:
- Integer overflow and underflow
- Sign errors
- Truncation errors
Examine the bit patterns before and after each problem occurs and make sure you understand how each problem arises.
Compile your problem code excerpts by specifying the -ftrapv option on the gcc command line. What kinds of errors are caught and which are missed?
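The three kinds of problem above in one file, as an added example that is not part of the lab's own files: each function produces the wrapped, truncated or mis-compared value so you can print its bit pattern and compare it with the limits.h constants, and the last pair shows the sign error in the form it usually takes in real code, a length check. It assumes a 32-bit int, an 8-bit char and gcc's or clang's documented modular behaviour when an out-of-range value is stored into a signed type.

```c
#include <limits.h>
#include <stdio.h>

/* Render the low nbits of v as '0'/'1' characters (out needs nbits+1 bytes).
   Cast a negative value to unsigned first to see its two's-complement bits. */
void bits(unsigned long long v, int nbits, char *out)
{
    for (int i = 0; i < nbits; i++)
        out[i] = ((v >> (nbits - 1 - i)) & 1) ? '1' : '0';
    out[nbits] = '\0';
}

/* Overflow: INT_MAX + 1 is computed exactly in 64 bits, then stored in an int.
   Storing an out-of-range value in a signed type is implementation-defined;
   gcc and clang wrap modulo 2^32, giving INT_MIN. Doing INT_MAX + 1 in plain
   int arithmetic is undefined behaviour; that is the case -ftrapv instruments. */
int overflow_int_max(void)
{
    long long wide = INT_MAX;
    wide += 1;                      /* 2147483648, exact in 64 bits */
    return (int)wide;
}

/* Underflow of an unsigned type is well-defined: 0 - 1 wraps to UINT_MAX. */
unsigned int underflow_unsigned(void) { unsigned int u = 0; return u - 1; }

/* Truncation: only the low 8 bits survive, so 300 (1_0010_1100b) becomes 44. */
unsigned char truncate_to_uchar(int v) { return (unsigned char)v; }

/* Sign error: mixing int and unsigned converts the int to unsigned, so -1
   becomes UINT_MAX and -1 > 1u is true. The same conversion breaks length
   checks: a signed-only bound accepts -1, and memcpy would then receive
   (size_t)-1. The length functions return 1 if len is accepted. */
int minus_one_greater_than_one(void) { return -1 > 1u; }
int length_ok_signed(int len, int max) { return len <= max; }
int length_ok_fixed(int len, int max)  { return len >= 0 && len <= max; }

int main(void)
{
    char b[33];
    bits((unsigned char)-1, CHAR_BIT, b);
    printf("(uchar)-1   : %s\n", b);
    bits((unsigned)overflow_int_max(), 32, b);
    printf("INT_MAX + 1 : %s (%d)\n", b, overflow_int_max());
    printf("0u - 1      : %u\n", underflow_unsigned());
    printf("(uchar)300  : %d\n", truncate_to_uchar(300));
    printf("-1 > 1u     : %d\n", minus_one_greater_than_one());
    printf("len -1 accepted: signed check %d, fixed check %d\n",
           length_ok_signed(-1, 64), length_ok_fixed(-1, 64));
}
```

Build it once with plain gcc and once with gcc -ftrapv, then change overflow_int_max to add 1 directly to an int and compare which runs trap.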
To finish, take a look at loop1.c and loop2.c. Compile and run these two C programs. Why does one terminate while the other one does not?
C. Simulating an arc injection attack
Here is some code in arc.c. Assume the executable's stack has execute permission disabled. One way to get around this defence is to implement an arc attack.
Rather than building a complicated input string that overflows a buffer and lays out fake frames on the stack, we use gdb to modify the stack by hand and achieve the same effect. This obviously makes things easier for us, but it illustrates how such an attack functions.
To make things even easier, I've done the work for you in arc.txt. Look back at your lecture notes in order to understand the modifications made to the stack in this example. This (highly contrived) example shows how to chain two function calls together such that they will successively execute once control returns from the vulnerable function. This diagram should serve as a reminder of what an arc injection attack is trying to achieve.