Homework - HackMD

--- title: 'Homeworks' tags: enee759-spring24 --- * Please use **[ELMS-Canvas](https://elms.umd.edu/)** to submit your projects. * Deadlines are posted in the [ELMS-Canvas](https://elms.umd.edu/). * Feedback will be available after the grading. ## Preparation: Installing Intel Pin * If your Linux system does not have Intel Pin installed. (If you have downloaded VirtualBox VM, it would have Pin installed, so skip this part). * Download the https://yonghwi-kwon.github.io/class/softsec/pin/pin.sh and run it. ```shell $ cd $ wget https://yonghwi-kwon.github.io/class/softsec/pin/pin.sh $ chmod +x pin.sh $ ./pin.sh ``` 1. It will download, unzip, and install the Pin. 2. After the installation, close the terminal and open a new terminal. 3. If it can run the `pin` binary in your home folder, the installation is successful. ### Documents for Pin * [**Intel Pin for Perturbing Program Executions: Examples**](https://hackmd.io/@yonghwikwon/HJoOIh9y5) * [Please see this page to turn off ASLR (Address Space Layout Randomization)](https://hackmd.io/@yonghwikwon/Hkrqi7756). * Intel Official Documents: [Pin User Manual](https://software.intel.com/sites/landingpage/pintool/docs/98484/Pin/html/index.html), [Pin API Reference](https://software.intel.com/sites/landingpage/pintool/docs/98484/Pin/html/group__API__REF.html) ## Homework 1. Immortal Flappy Bird ### Preparation * [Download this Flappy Bird game (Makefile updated; -O3 removed)](https://yonghwi-kwon.github.io/class/softsec/hw/flappy-bird.zip) * You need to install `ncurses` library to compile it. ```shell $ sudo apt install ncurses* ``` * Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw1.sh * The below script will create a directory and download/unzip all the required files. ```shell $ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw1.sh $ chmod +x hw1.sh $ ./hw1.sh ``` ### Objectives * You will make a Pin tool that can make the Flappy Bird immortal. There are two 'game over' conditions: 1. The Flappy Bird hits the pipe 2. The Flappy Bird hits the ground * Basically, you will (1) find how the two conditions are detected and handled in the program and (2) modify the program execution so that the two conditions do not meet. * There are multiple ways to achieve. 1. **`DATA`** Modify **values** of registers/memory in instructions. 2. **`CODE`** Ignore/skip **instructions**/**functions**. * Pin supports APIs controlling function calls/returns without you going through the instructions. * All the details will be presented in the class. :) ### What to submit? **(1)** your pin tool's **source code** (e.g., code everything in the icount.cpp, and upload it). **(2)** a **1-page description** as a **pdf** file (including how you locate the memory/variable and which code is added in the pin tool to modify values/code and so on). ## Homework 2. Scanning the Mine Field ### Preparation * [Download the Minesweeper game](https://yonghwi-kwon.github.io/class/softsec/hw/minesweeper.zip) * You will be given a simple minesweeper game's source code. **Compile it** and get a binary and a disassembled code. ```shell $ chmod +x compile.sh $ ./compile.sh ``` * After the compilation, you should see `mine` program and should be able to **run it with arguments** (if you don't provide any arguments, it will create a **5x5** minesweeper game by **default**). ```shell $ ./mine y 0 1 2 3 4 x 0 D D D D D 1 D D D D D 2 D D D D D 3 D D D D D 4 D D D D D x y mode(o/f)> $ ./mine 3 3 y 0 1 2 x 0 D D D 1 D D D 2 D D D x y mode(o/f)> ... ``` * Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw2.sh * The below script will create a directory and download/unzip all the required files. ```shell $ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw2.sh $ chmod +x hw2.sh $ ./hw2.sh ``` ### Objectives Your task is to identify **where are the mines** by **using your own Pin tool**. The goal of this homework is to **experience** how you would **identify key memory locations/operations <font color=red>`without`</font> knowing the source code** (Note the **without**). * Hence, while you are given the source code, please try to not use them to solve this homework. * In other words, you should use the source code to understand **how the game works**, and **what patterns** of the operations **you would expect**, but **do not use it to precisely pinpoint the memory locations/functions** to call. ### What to Submit * **(1)** your pin tool's **source code** (e.g., code everything in the icount.cpp, and upload it). * **(2)** a **1-page description** as a **pdf** file (including how you locate the memory/variable and which code is added in the pin tool to modify values/code and so on). * **What to be included in the report?** 1. Identifying instructions setting/defining mines (was in the lecture) * Provide a step-by-step analysis identifying the instructions and getting the information from it. 3. Adding a small code dumping the information (to a file or screen). ### Hints * The minesweeper program **creates the mine-field** with the given number of **rows and columns**. * You would expect that there should be a **function initializes the field**, writing **values into the memory** which **represents** the **mine-field**. * That is, if there is a 5x5 mine-field, there will be 25 memory writes to define the mines. * if it is a 6x6 mine-field, there will be 36 memory writes * if it is 7x7 mine-field, there will be 49 memory writes, and so on. * Typically, representing whether **there exists a mine** at a certain place would be handled by storing a boolean value, with a coordinate. * if there is a mine at (3, 4), * we may expect memory writes with values of 1, 3, and 4. * if there is no mine at (5, 6), * we may expect memory writes with values of 0, 5, and 6. > Note that this is just a guess, and there is no reason that the developer should use such values and store in such a way. * There are different types of memory: **heap**, **stack**, and **global**. * **Stack memory is not persistent** and only alive during the function execution. * Since the information of where the mines exist should be persistent throughout the execution, it is less likely to be on the stack memory. * **Heap and Global are persistent**. * If you use **`malloc`**, you are alloctating a **heap** memory. If you are using a **global variable**, it is on the **global section** of the memory. The mine-field information is likely to be stored in one of the two. ## Homework 3. Running the Hidden Code This homework is to introduce basic skills for the project 2. Please check out the project 2 for detailed motivation and context. ### Preparation * Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw3.sh * The below script will create a directory and download/unzip all the required files. ```shell $ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw3.sh $ chmod +x hw3.sh $ ./hw3.sh ``` ### Brief Background Assume that you obtain a potential malicious payload (e.g., from network logs), you would like to know what they are doing. Executing them on a real machine or VM is a viable option, but it will also harm the entire VM or machine if the exploitation is successful. **Sandboxing** is a technique that can run the program while preventing the target program making any harm to the host system. In practice, sandboxing is commonly used to execute potentially malicious code or program as it can observe malicious actions without harming the host system. This homework asks you to create a **sandboxing tool** that **execute them** safely **using code emulation techniques**. Specifically, give a sequence of code bytes (i.e., instructions), you **run them** and **report what actions they make** (e.g., call a system call, doing a particular computations, etc.). ### Handling Three Shellcodes You are given the below shellcode examples. Your goal is to make your program properly interpret their executions (e.g., what system calls were made with which arguments): * Example 1: `CODE_EXAMPLE1` ``` \x6a\x30\x58\x6a\x05\x5b\xeb\x05\x59\xcd\x80\xcc\x40\xe8\xf6\xff\xff\xff\x99\xb0 \x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x54\xeb\xe1 ``` ![image](https://hackmd.io/_uploads/HJJdvhAFa.png =550x) * Example 2: `CODE_EXAMPLE2` ``` \x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80 ``` * Example 3: `CODE_EXAMPLE3` ``` \x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62 \x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50\x52\x53\xb0\x0b\x50\xcd\x80\x50\x50\xcd \x80\xe8\xdc\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x73\x74\x65\x72\x2e\x70\x61 \x73\x73\x77\x64 ``` ### Given Program You are given to a program `emul.py` which leverages the unicorn framework to run a given shellcode and produce executed instructions and results. ### What to do and what to submit 1. Download the unicorn framework. 2. Download the `emul.py` and `emul_util.py`. Put them in the `bindings` folder. * [emul.py](https://yonghwi-kwon.github.io/class/softsec/project/emul.py) * [emul_util.py](https://yonghwi-kwon.github.io/class/softsec/project/emul_util.py) 3. Follow the above description and the lecture video to improve the program so that it can handle all the three example shellcodes. 4. Your report should include what has been additionally added and why. See the project 2's description for the shellcode 1 and 2. * Your report should have a similar level of details in a similar content/format (but in a PDF document).