CEG 4420/6420: Host Computer Security
Fall 2018 • Mid Semester Exam • 100 points
Due: Oct 24, 2018 11:59 PM.
This exam permits the use of a Linux/ Mac/ Windows laptop/ PC
running Knoppix/ Kali, gcc, ps, splint, etc. but *not* man
pages. It is otherwise a traditional closed book, closed
notes exam. Once you click the midterm link, you are honor bound
- not to take longer than 120 minutes,
- not to surf or access any content already existing (other than the links given),
- not to give or take help from others
until you turn in the answers.pdf on Pilot dropbox.
Survey (0 points)
Please record your effort in minutes for each of the ten items below.
Other feedback you wish to give is also welcome.
Part I (5 points each)
The following statements may or may not be (fully or partially)
valid. Explain the underlined technical term occurring in
each statement. Explain/ discuss/ dispute the statement. It
is possible to write no more than, say, ten sentences
each, and yet receive full score.
- size /bin/ls showed the following today.
       text    data     bss     dec     hex filename
     126379    4728    4832  135939   21303 /bin/ls
  The numbers shown yesterday were different. OMG! We have been
  compromised!
- sha512sum /bin/ls showed the following today.
  894d8c5493570ba4e0823cafbf06db490ba65b34372bb2f858e117409e5ff982363a617dd7708c6d5c0476c7a2c9b18f279e60b0a65c59d18b0001404779d3e0  /bin/ls
  The numbers shown yesterday were different. OMG! We have been
  compromised!
- A rootkit is a collection of (short) programs used by super-users
  to repair the damage done by an intruder.
- From the content of sudo /proc/1 we can get the exact path name
  of the init.
- Consider the following programs: /bin/mount, /bin/umount,
  /usr/bin/sudo, /bin/cat, /usr/lib/virtualbox/VirtualBox. It is
  justifiable that they should all be given suid root permissions.
Part II (15 points each)
- Consider the following ten significant events that occur in
  the rebooting of a Linux machine, currently running,
  from power on to login prompt. The events may or may not have
  occurred in the order given. Other significant events not
  mentioned may have happened.
  E1: Root volume is mounted by the kernel;
  E2: Process init is created;
  E3: OS boot loader reads the kernel image;
  E4: OS boot loader invokes the kernel;
  E5: Several more processes are started;
  E6: Several processes whose names are enclosed in brackets are
  started (to see the bracketed ones, list all processes);
  E7: BIOS/ UEFI finds the boot device;
  E8: OS boot loader is discovered;
  E9: All file volumes are unmounted;
  E10: init is terminated.
  (i) (10 points) Order these events chronologically.
  (ii) (5 points) Explain step E9 further, and describe how security
  may have been breached in this step.
- Compile the file testsc.c of AlephOne, and run testsc under strace in
  a modern Linux. (i) (5 points) Did the shell code get
  executed? Explain fully. (ii) (10 points) Explain the
  details of any two of the system calls traced by strace.
- In developing the various versions of exploitN.c, AlephOne
  wishes to avoid the occurrence of 0x00 in the shellcode[].
  Why? How does he avoid it?
- The ascii diagram below is from the paper by AlephOne. Explain
  fully the arrow labeled (3).

   bottom of  DDDDDDDDEEEEEEEEEEEE  EEEE  FFFF  FFFF  FFFF  FFFF     top of
   memory     89ABCDEF0123456789AB  CDEF  0123  4567  89AB  CDEF     memory
              buffer                sfp   ret   a     b     c
   <------   [JJSSSSSSSSSSSSSSCCss][ssss][0xD8][0x01][0x02][0x03]
              ^|^             ^|            |
              |||_____________||____________| (1)
           (2) ||_____________||
                |______________| (3)
   top of                                                      bottom of
   stack                                                           stack

- Splint was run on exploit3.c of AlephOne. It produced 12
  code warnings. Take any two warnings, and explain how you would
  revise the code, line by line, so that the warnings no longer apply.
  Re-run splint on the revised exploit3.c, and include the output in
  the answers.pdf.
Copyright © 2018
Prabhaker Mateti