Operating Systems Assignment 3 – Easy

Instructions:

1. The assignment has to be done in a group of 2 members.

2. You can use Piazza for any queries related to the assignment and avoid asking queries on the last day.

3. Check script with a sample test case: Link.

4. Please use the x86 implementation of the xv6 OS.

5. Demo will be taken for the students whose code fails to execute on the test machine.

1 Buffer Overflow Attack in XV6

During the execution of a function, the operating system maintains a stack frame for allocating the callee’s local variables and storing the pointer to the parent stack frame (caller). The stack frame is furthermore used for holding the return address. The registerebpis used to store the pointer to the parent stack frame, and the registerespstores the address of the top of the stack. When a function returns, the stored return address is popped into the instruction pointer (eip), and the control jumps to that address.

The figure below shows the C code, abridged assembly instructions, and the stack frame generated by xv6 compiled for the x86 architecture while executing the functionvulnerable function().

# i n c l u d e " t y p e s . h "

# i n c l u d e " u s e r . h "

# i n c l u d e " f c n t l . h "

v o i d foo () {

p r i n t f (1 , " S E C R E T _ S T R I N G ") ; }

v o i d v u l n e r a b l e _ f u n c t i o n (c h a r * i n p u t ) { c h a r b u f f e r [ 4 ] ;

s t r c p y ( buffer , i n p u t ) ; }

int m a i n (int argc , c h a r ** a r g v ) {

1

fd = o p e n (" p a y l o a d ", O _ R D O N L Y ) ; c h a r p a y l o a d [ 1 0 0 ] ;

r e a d ( fd , payload , 1 0 0 ) ;

v u l n e r a b l e _ f u n c t i o n ( p a y l o a d ) ; e x i t () ;

}

0 0 0 0 0 0 0 0 < foo >:

. . . .

4: p u s h % ebp

5: mov % esp ,% ebp

7: p u s h % ebx

8: sub $0x4 ,% esp 15: sub $0x8 ,% esp . . . .

1 e : p u s h % edx 1 f : p u s h $0 x 1

21: mov % eax ,% ebx

23: c a l l 52 a < printf >

28: add $0x10 ,% esp

2 b : nop

2 c : mov -0 x4 (% ebp ) ,% ebx 2 f : l e a v e

30: ret

0 0 0 0 0 0 3 1 < v u l n e r a b l e _ f u n c t i o n >:

. . . .

35: p u s h % ebp

36: mov % esp ,% ebp

38: p u s h % ebx

// s t o r e c a l l e e s a v e d r e g i s t e r s 39: sub $0x14 ,% esp

// c r e a t e s p a c e for l o c a l s 46: sub $0x8 ,% esp 49: p u s h l 0 x8 (% ebp )

// p u s h the a d d r e s s of p a y l o a d i n t o s t a c k 4 c : lea -0 xc (% ebp ) ,% edx

4 f : p u s h % edx

50: mov % eax ,% ebx

52: c a l l d5 < strcpy >

57: add $0x10 ,% esp // r e m o v e l o c a l s

5 a : nop

5 b : mov -0 x4 (% ebp ) ,% ebx // r e s t o r e ebx

5 e : l e a v e

5 f : ret

0 0 0 0 0 0 6 0 < main >:

. . . .

6 e : p u s h % ebp

6 f : mov % esp ,% ebp

71: p u s h % ebx

2

72: p u s h % ecx

73: sub $0x10 ,% esp // c r e a t e s p a c e for l o c a l s . . . .

87: mov % eax , -0 xc (% ebp )

// l o a d the a d d r e s s of p a y l o a d i n t o ( ebp - 12)

8 a : sub $0xc ,% esp

8 d : p u s h l -0 xc (% ebp )

// p u s h a d d r e s s at ( ebp - 1 2 ) [ p a y l o a d a d d r e s s ] // i n t o s t a c k

90: c a l l 31 < v u l n e r a b l e _ f u n c t i o n >

95: add $0x10 ,% esp

// r e m o v e s p a c e for l o c a l s 98: c a l l 38 e < exit >

Unsafe functions likegets()andstrcpy()do not check bounds during execu- tion. This leads to a situation in which the supplied input overflows into adjacent memory regions. For example, during normal execution (without overflow), the variable buffer will hold a maximum of four bytes, whereas if a buffer over- flow attack is mounted, vulnerable functions likegets()andstrcpy()will offload more than four bytes into a space reserved for four bytes. This will cause the saved registers and the return address to get overridden with attacker-controlled values. Once the modified return address is popped into the eipregister, the control jumps to a location the attacker can control. For example, if the return address is overridden with0x00000000, the control jumps to the functionfoo() even though the function is never explicitly called.

You have to write a python script that writes to a file(payload) an exploit code which, when passed to the buffer overflow binary (buffer overflow.c), executes thefoo() function that prints a secret string on the console. The input to the Python script is the size of the buffer variable.

$p y t h o n 3 g e n _ e x p l o i t . py b u f f e r _ s i z e

$m a k e c l e a n && make - qemu - nox

$./ b u f f e r _ o v e r f l o w S E C R E T _ S T R I N G

2 Address Space Layout Randomization

ASLR prevents buffer overflow attacks by making the address layout of a process non-deterministic. This makes it difficult for attackers to predict the memory layout of a process and exploit its vulnerabilities.

Modify the xv6 operating system to implement ASLR. Specifically, you need to:

1. Create a file calledaslr flag that contains the current status of ASLR in xv6.

2. If the file contains 1, turn on ASLR; otherwise, turn ASLR off.

3. Create a random number generator.

3

4. Modify the memory allocation routines to use the random number gen- erator to randomize the location of regions (stack, heap, text, data, bss, etc. OR the entire space) in the process’s virtual address space.

5. Test the ASLR implementation by executing the test case with the same payload that revealed the secret string. If the ASLR implementation is correct, the secret string should not be revealed.

6. Write a report summarizing your implementation of ASLR in xv6, the challenges faced, and their resolutions.

3 Deliverables

1. A modified version of the xv6 operating system that supports toggleable ASLR.

2. A report documenting your implementation of ASLR in xv6.

Note:

• You might have to change theno-stack-protector and the pie CFLAGS in theMakefile.

• Include thepayloadfile in the filesystem by adding ”payload” to thefs.img build rule inMakefile.

4 Submission Instructions

• We will run MOSS on the submissions. Any cheating will result in a zero in the assignment, a penalty as per the course policy and possibly much stricter penalties (including a fail grade).

How to submit:

1. Copy your report to the xv6 root directory.

2. Then, in the root directory run the following commands:

make clean tar czvf \

assignment3_easy_<entryNumber1>_<entryNumber2>.tar.gz *

This will create a tarball with the name,assignment3easy < entryN umber1>

< entryN umber2 > .tar.gz in the same directory that contains all the xv6 files and the report PDF document. Entry number format: 2020CSZ2445 (All English letters will be in capitals in the entry number.). Only one member of the group is required tosubmitthis tarball on Moodle.

3. Please note that if the report is missing in the root directory, no marks will be awarded for the report.

4. If you attempt the assignment individually, you do not need to mention the entryNumber 2 field.

4