Programming Languages
Worth 60 points
Description
This class requires a broad background and draws from a variety of tool sets. The following is designed with the intent to give you a chance to exercise some of the skills you will need at specific points in the class that we won't have time to introduce. These exercises are not designed to be conceptually challenging and should be doable in a line or two of code each.
Note that the project files include a test suite with examples, in case you are unsure how to get exactly the right output.
To get started, open up the container for the project. Note that this is a different container than the student_env container used for most assignments.
git clone https://github.com/cs354/CS-354.git
bash CS-354/projects/programming_languages.bash
cd grading/
C
C is a wonderfully low-level language which gives the programmer a great deal of control over the computer. Many well-known and common vulnerabilities can be exploited by abusing that power.
Fill in the body of the following function:
/**
 * Parameters: buffer (pointer to a 100 character buffer)
 *             num (4 byte int)
 *
 * Description: Writes a string to buffer containing num's value written in decimal, hexadecimal
 *     (left padded with 0s to be 8 characters wide and prefixed with 0x), then its hexadecimal
 *     value printed in little-endian (also left padded and prefixed). These fields should
 *     appear in order as listed and be separated by | (the pipe character).
 * Example: If `num = 11259375`, then `buffer = "11259375|0x00ABCDEF|0xEFCDAB00"`
 */
int put_stuff_in_buffer(char* buffer, int num) {
    return 0;
}
Hint: Remember EECS 213
MySQL
MySQL is going to be the database of choice for this class. You will probably only need to know MySQL on one or two occasions for this course, which is why we don't have time to teach it to you. However, it will be significantly less frustrating to learn MySQL and then learn SQL injection rather than learn both at the same time.
Write a series of .sql files:
- Creates a table called `test` with 3 columns.
  - 1st column: An `int` column called `pk` that is by default 1 more than the previous row when a new row is inserted, known as a primary key.
  - 2nd column: A `varchar(20)` column called `name` which can be used to store user names.
  - 3rd column: A `char(32)` column called `password` which can be used to store password hashes.
- Adds 2 rows to the table for users `Foo` and `Bar`, both with password `f00Bar`. The passwords should be stored as hashes using the MySQL md5() function.
- Creates a table called `test_color` with two columns:
  - 1st column: An `int` column called `user_pk` which can be used to identify the matching row in the `test` table.
  - 2nd column: A `varchar(20)` column called `fav_color` which can be used to store the user's favorite color.
- Changes Foo's password to "FoodBar" and sets Foo and Bar's favorite colors to "Purple" and "White", respectively.
- Consider using the UNION operator, which appends the rows from one query returning N columns to the end of another query returning N columns, to create a single query that dumps:
  - All of the rows in both tables.
  - All of the names of all of the columns in both tables and the tables they belong to. (Note: the SQL OR operator isn't deterministic; do not count on it returning results in the same order on the grader, even if it appears to in your container.)
Output of Solution to 5.sql:
+-----------+------------+----------------------------------+
| pk | name | password |
+-----------+------------+----------------------------------+
| 1 | Foo | 7b987aed75e93e596a9550061f26131a |
| 2 | Bar | 77e6fde46d36b4cd25fa5620e24558dd |
| 1 | Purple | |
| 2 | White | |
| pk | test | |
| name | test | |
| password | test | |
| user_pk | test_color | |
| fav_color | test_color | |
+-----------+------------+----------------------------------+
Hint:
- For 5.sql, note that `SELECT *,'' FROM ...` is valid syntax.
- We are actually running MariaDB for speed reasons. It is compatible with MySQL for the functions you'll need here.
Ruby
Ruby is an all-purpose scripting language that is popular among the security community because of its ties to the Metasploit toolset. It's also good for the occasional one-liner off the command line.
Just to get you exposed to it, write a function called `verify` which validates that its argument (a string) could be `buffer` after it has been passed to `put_stuff_in_buffer()` in the C exercise. If it is, return a true value, otherwise return a false value. You do not need to worry about piping the output of the C program into Ruby, you just need to handle accepting a string and validating it as an output of `put_stuff_in_buffer()`.
Hint: Use regular expressions.
Resources: http://www.ruby-lang.org/en/documentation/quickstart/ is a good crash course.
Javascript
You really should know JavaScript if you want to do anything with the web (and we do things related to the web in this class). However, the course is designed such that you don't need any background in JavaScript coming in, though hopefully you'll leave knowing some.
Shell Commands
Knowing how to live in a text-only environment is really useful. In fact, it's critical, because once you've exploited a machine, you often have nothing but characters coming at you from a TCP socket. The following commands will be sufficient to complete the exercises below. It is highly recommended that you refer to their man pages for more information:
- Commands to know
  - Elementary: `cd`, `ls`, `cp`, `mv`, `echo`, `cat`, `less`
  - Basic: `grep`, `ps`, `kill`, `find`, `bg`, `fg`, `export` (in bash, `set` for csh), `chmod`, `touch`, `man`
  - Useful: `pushd`, `popd`, `killall`, `top`, `screen`
  - Programming: `make`, `gcc`, `gdb`
  - Internet: `wget`, `curl`, `nc`, `netstat`
- Piping and Redirection
  - The concept of piping doesn't really exist in a graphical environment
  - What do the characters `|`, `<`, `>` do? How does & relate to them?
  - How do you use the contents of a file as though you had typed them into a program? (aka redirect a file to stdin)
- Learn a command-line text editor
  - Your options: vi/vim, emacs, `nano` - all can do the basics (syntax highlighting, find/replace)
  - `vi` (or `vim`) is the most widespread text editor for *nix environments
  - emacs is a similarly popular alternative to vi
  - `nano` will be on all the computers for which you have a login in this class but is not recommended since it is very slow to use. Invest the time to learn vim or emacs.
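The questions in the Piping and Redirection list above, worked through as an added example (it is not part of the course's project files). The function name, file names and file contents are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: demo_redirection and every file it touches are constructed.

demo_redirection() {
    local dir
    dir=$(mktemp -d) || return 1

    # '>' creates or truncates a file from stdout; '>>' appends to it.
    printf 'nc\ngrep\nps\n' >  "$dir/cmds.txt"
    printf 'grep\n'         >> "$dir/cmds.txt"

    # '<' feeds a file to stdin, as if its lines had been typed at the program.
    # '|' connects one program's stdout to the next program's stdin.
    sort < "$dir/cmds.txt" | uniq -c | awk '{print $2 "=" $1}' > "$dir/counts.txt"

    # '2>' redirects only stderr (file descriptor 2); stdout is untouched.
    ls "$dir/missing" 2> "$dir/err.txt" || true

    # '2>&1' sends fd 2 wherever fd 1 points right now. Here '&' marks a
    # descriptor number; order matters, so '>' must come before '2>&1'.
    ls "$dir/missing" > "$dir/both.txt" 2>&1 || true

    # A trailing '&' is different: it runs the command as a background job.
    # 'wait' blocks until that job has finished.
    (echo done > "$dir/bg.txt") &
    wait "$!"

    cat "$dir/counts.txt"
    [ -s "$dir/err.txt" ]  && echo "stderr-captured"
    [ -s "$dir/both.txt" ] && echo "merged-captured"
    cat "$dir/bg.txt"
    rm -rf "$dir"
}

demo_redirection
```
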
Write a series of .sh files (they will be run by bash):
- Makes a new (empty) directory named `test` in the current working directory.
- Creates the following 10 files inside the new directory `test`: file1.txt, file2.txt, file3.csv, file4.txt, file5.csv, file6.txt, file7.csv, file8.txt, file9.csv, file10.sh
- Writes the string `This is file 1.` to the file `file1.txt`.
- Changes the name of `file1.txt` to `foobar.txt`.
- Lists all the filenames with the `csv` extension. The output should print one file on each line and they should be sorted alphabetically. The listing should include `test/` as part of the relative path name.
- Deletes `file8.txt`.
- Changes the permissions of the file `file10.sh` to be readable and executable by the owner but only readable by everyone else.
- Prints 400 of the letter `A` to stdout (hint: use ruby)
Submit by running `./submit` in the `grading/` directory.