CEG 4420/6420: Host Computer Security

Fall 2019 • Mid Semester Exam • 100 points

Due: Oct 31, 2019 11:59 PM.

This exam permits the use of a Linux/ Mac/ Windows laptop/ PC running Knoppix/ Kali, gcc, ps, splint, etc. but *not* man pages. It is otherwise a traditional closed book, closed notes exam. Once you click the midterm link, you are honor bound

  1. not to take longer than 120 minutes,
  2. not to surf or access any content already existing (other than the links given),
  3. not to give or take help from others
until you turn in mtanswers.pdf on the Pilot dropbox.

Survey (0 points)

Please record your effort in minutes for each of the ten items below. Other feedback you wish to give is also welcome.

Part I (5 points each)

The following statements may or may not be (fully or partially) valid. Explain the underlined technical term occurring in each statement. Explain/ discuss/ dispute the statement. It is possible to write no more than, say, ten sentences each, and yet receive full score.

  1. sha512sum /bin/ls showed the following today.
    894d8c5493570ba4e0823cafbf06db490ba65b34372bb2f858e117409e5ff982363a617dd7708c6d5c0476c7a2c9b18f279e60b0a65c59d18b0001404779d3e0  /bin/ls
    The numbers shown yesterday were different. OMG! We have been compromised!
  2. A rootkit is a collection of (short or long) programs used by super-users to repair the damage done by an intruder.
  3. Backdoors are used to install rootkits.
  4. From the content of /proc/1 we can get the exact path name of the init.
  5. Consider the following programs: /bin/mount, /bin/umount, /usr/bin/sudo, /bin/cat, /usr/lib/virtualbox/VirtualBox. It is justifiable that they should all be given suid root permissions.
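The following program is an added illustration for Part I, item 4; it is not part of the exam and not Aleph One's code. It resolves the /proc/<pid>/exe symlink that the kernel maintains for every process (here for pid 1) and checks for the " (deleted)" suffix the kernel appends when the file that was exec'd has since been unlinked or replaced on disk. The function and variable names are this example's own. Two caveats worth remembering when disputing the statement: /proc/1/cmdline only gives argv[0] (often "/sbin/init", which may be a symlink to the real binary), and /proc is generated by the running kernel, so a kernel-level rootkit can answer with whatever it likes.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Resolve the symlink /proc/<pid>/exe into the executable the kernel loaded
 * for that process. Returns the path length, or -1 with errno set:
 * ENOENT (no such pid, or /proc not mounted), EACCES (the caller may not
 * inspect that process; for pid 1 that normally means "you are not root"). */
ssize_t exe_path_of_pid(pid_t pid, char *out, size_t outsz)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/exe", (long)pid);
    ssize_t n = readlink(link, out, outsz - 1);   /* readlink() does not NUL-terminate */
    if (n < 0)
        return -1;
    out[n] = '\0';
    return n;
}

/* The kernel appends " (deleted)" when the file that was exec'd has been
 * unlinked or replaced since; for pid 1 that deserves a second look
 * (a package upgrade explains it, an unexpected change does not). */
int exe_was_replaced(const char *path)
{
    const char *tag = " (deleted)";
    size_t lp = strlen(path), lt = strlen(tag);
    return lp >= lt && strcmp(path + lp - lt, tag) == 0;
}

int main(void)
{
    char path[4096];
    if (exe_path_of_pid(1, path, sizeof path) < 0) {
        fprintf(stderr, "/proc/1/exe: %s\n", strerror(errno));
        return 1;
    }
    printf("pid 1 was exec'd from: %s%s\n", path,
           exe_was_replaced(path) ? "   <-- on-disk file changed since boot" : "");
    return 0;
}
```

Run it as root to see init's real path; as an ordinary user readlink fails with EACCES, which is itself part of the answer to item 4.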

Part II (15 points each)

  1. Consider the following ten significant events that occur in the rebooting of a Linux machine, currently running, from power on to login prompt. The events may or may not have occurred in the order given. Other (significant) events not mentioned may have happened.
    E1: Root volume is mounted by the kernel;
    E2: Process init is created;
    E3: OS boot loader reads the kernel image;
    E4: OS boot loader invokes the kernel;
    E5: Several more processes are started;
    E6: Several processes whose names are enclosed in brackets are started (to see the bracketed ones, list all processes);
    E7: BIOS/ UEFI finds the boot device;
    E8: OS boot loader is discovered;
    E9: All file volumes are unmounted;
    E10: init is terminated.
    (i) (10 points) Order these events chronologically. (ii) (5 points) Explain step E1 further, and describe how security may have been breached in this step.
  2. Compile the file testsc.c of AlephOne, and run testsc under strace in a modern Linux. (i) (5 points) Did the shell code get executed? Explain fully. (ii) (10 points) Explain the details of any two of the system calls shown by strace.
  3. In developing the various versions of exploitN.c, AlephOne wishes to avoid the occurrence of 0x00 in the shellcode[]. Why? How does he avoid it?
  4. The ascii diagram below is from the paper by AlephOne. Explain fully the arrow labeled (3).
    bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
    memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
               buffer                sfp   ret   a     b     c
    <------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
               ^|^             ^|            |
               |||_____________||____________| (1)
            (2) ||_____________||
                 |______________|(3)
    top of                                                          bottom of
    stack                                                               stack
  5. Splint was run on exploit3.c of AlephOne. It produced several code warnings. Take the two warnings on lines 32 and 52, and explain how you would revise the code, line by line, so that the warnings no longer apply. Re-run splint on the revised exploit3.c, and include the output in the mtanswers.pdf.
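The following program is an added illustration for Part II, question 3; it is not part of the exam and not Aleph One's code, and the two byte arrays are constructed instruction fragments, not his shellcode[]. It delivers each fragment through the same primitive the vulnerable program uses, a strcpy() into a stack buffer, and reports how many payload bytes actually arrive. The first fragment zeroes eax with a 32-bit immediate, so the encoding contains 0x00 bytes and strcpy() stops after one byte; the second uses the substitutions Aleph One makes in the paper (xor a register with itself to zero it, and an 8-bit register form such as movb $0xb,%al instead of movl $0xb,%eax) and arrives intact. first_nul() is the check you run on any encoded payload before trusting it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed x86 fragments for illustration. Each ends in one deliberate
 * 0x00 so it is a valid C string, as shellcode[] is in exploitN.c. */
static const unsigned char with_nul[] = {
    0xb8, 0x00, 0x00, 0x00, 0x00,   /* mov  eax, 0    : the imm32 zero becomes four NUL bytes */
    0xb0, 0x0b,                     /* mov  al, 0x0b  */
    0xcd, 0x80,                     /* int  0x80      */
    0x00 };
static const unsigned char nul_free[] = {
    0x31, 0xc0,                     /* xor  eax, eax  : same result, no NUL byte */
    0xb0, 0x0b,                     /* mov  al, 0x0b  : 8-bit immediate, not a 32-bit one */
    0xcd, 0x80,                     /* int  0x80      */
    0x00 };

/* Index of the first 0x00 inside the first len bytes of code, or -1 if none. */
int first_nul(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            return (int)i;
    return -1;
}

/* Copy the payload the way the target does and count what arrived:
 * strcpy() treats the first 0x00 as the end of the string. */
size_t bytes_delivered_by_strcpy(const unsigned char *code)
{
    char buf[64];
    memset(buf, 0x41, sizeof buf);    /* recognisable fill so the copy boundary is visible */
    strcpy(buf, (const char *)code);  /* stops at the first NUL, exactly like the target's strcpy() */
    return strlen(buf);               /* payload bytes that landed before the terminator */
}

int main(void)
{
    printf("with_nul : first NUL at %d, strcpy delivers %zu bytes\n",
           first_nul(with_nul, sizeof with_nul - 1), bytes_delivered_by_strcpy(with_nul));
    printf("nul_free : first NUL at %d, strcpy delivers %zu bytes\n",
           first_nul(nul_free, sizeof nul_free - 1), bytes_delivered_by_strcpy(nul_free));
    return 0;
}
```

The same scan applies to any other byte the copying routine treats specially (0x0a for gets()/fgets(), for instance); the zero-immediate and 8-bit-register tricks above are specific to 0x00.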

Copyright © 2019 Prabhaker Mateti