Advanced Security for Systems Engineering VU - WS2018 (183.645) Lab1

Team size: 3
Start and deadline for this lab: see (external link)tuwel

Exercise interview: See (external link)tuwel

Exercise Lab1

In this lab exercise you will strengthen and deepen the knowledge prepared for you during the lectures on advanced application attacks. More specifically, you will gain practice regarding exploit techniques for several classes of memory corruption vulnerabilities, learn how to circumvent mitigation techniques, and gain insight into real-world vulnerabilities.

Each student team can choose to complete either a larger number of entry-level exercises, or a smaller number of more difficult exercises in order to obtain the required number of points for getting the best grade. More specifically, we have 3 vulnerability categories:

You can, for example, choose to create working exploit code for each vulnerability category at an entry level (with all mitigation mechanisms disabled), or choose from two vulnerability categories at an intermediate level (with some mitigation mechanisms turned on), or create a single exploit at an advanced/elite level. See section 'Scoring' below for details.

Since this is a graduate course at a research university, each exercise in this lab will start with a research phase on real-world vulnerabilities, where you will learn to apply your knowledge about vulnerabilities to understand and analyze real-world bug reports and real-world code.

For each exercise in this lab, you need to complete the following phases:

Mitigation Techniques and Difficulty Level

For each vulnerability category A, B, or C, you will decide on a difficulty level for your exploit development. The selected difficulty level may influence the choice of real-world vulnerability in phase 1 (not every exploitable vulnerability is necessarily exploitable at every difficulty level), your modeling of the vulnerability and coding of the vulnerable program in phase 2 (for example, to circumvent ASLR and W^X you may need an additional information disclosure vulnerability so that your exploit code is able to learn about randomized addresses in the vulnerable process), and of course the specifics of your exploit techniques in phase 3, since you need to circumvent mitigations techniques at higher difficulty levels.

We provide a vagrant file in tuwel to create a virtual machine image, where your vulnerable program must compile and run, and where your exploit must build and successfully write into /home/privileged as user 'unprivileged'.

Scoring Lab1

The following table tells you how many points you are able to achieve at most per exercise.

Category A    Category B   Category C
Entry 15 15 20
Medium 25 25 35
Advanced 50 35 50
Elite 50* 50* 50*


Only the maximum score counts per category: I.e., if you write a stack based buffer overflow exploit (category A) at both the entry level as well as the medium level, you will get 25 points, not 25+15.

Maximum points in total for this lab: 50 points.

The awesomeness star (*) means that you will get special recognition.

Specification and Automated Grading Lab1

All code must build and run in a prepared virtual machine (use the vagrant file in the tuwel course).

Your submission archive will be extracted into the folder /home/unprivileged inside the VM. You must include a GNU Makefile with predefined targets for building your vulnerable programs, and building and executing your exploits. You should use and extend the Makefile from the tuwel example. This Makefile defines the targets that must be supported. Your Makefile will be executed as user 'unprivileged'.

Suppose you do one category A exercise at medium level difficulty, and one category B exercise at entry level difficulty. Then your Makefile must support the following targets:

The user of your vulnerable programs will be set to 'privileged' and the setuid-bit will be set (see the 'install') target. The following targets must be supported

All other analogous targets should output the string 'NOT IMPLEMENTED' to stdout.

A team that chooses to implement exercises from different categories or at different difficulty levels must implement the respective targets in the Makefile analogously to the example above.

Submission Lab1

Note: Replace TEAM-NUMBER in the following instructions with your own team number which you can find in tuwel.

Create a (zip|gzip|bzip2) compressed archive, lab1_TEAM-NUMBER.(zip|tgz|tar.gz|tbz2|tar.bz2) with the following content.

Report

Your report must include the following entries.

Notes Regarding Scoring

Notes Regarding Phase 2

Notes General

Additional Notes

Back to Top