• Please use ELMS-Canvas to submit your projects.
  • Deadlines are posted in the ELMS-Canvas.
  • Feedback will be available after the grading.

Preparation: Installing Intel Pin

• If your Linux system does not have Intel Pin installed. (If you have downloaded VirtualBox VM, it would have Pin installed, so skip this part).
• Download the https://yonghwi-kwon.github.io/class/softsec/pin/pin.sh and run it.
  ​​​​$ cd
  ​​​​$ wget https://yonghwi-kwon.github.io/class/softsec/pin/pin.sh
  ​​​​$ chmod +x pin.sh
  ​​​​$ ./pin.sh
  

  1. It will download, unzip, and install the Pin.
  2. After the installation, close the terminal and open a new terminal.
  3. If it can run the pin binary in your home folder, the installation is successful.

Documents for Pin

• Intel Pin for Perturbing Program Executions: Examples
• Please see this page to turn off ASLR (Address Space Layout Randomization).
• Intel Official Documents: Pin User Manual, Pin API Reference

Homework 1. Immortal Flappy Bird

Preparation

• Download this Flappy Bird game (Makefile updated; -O3 removed)
• You need to install ncurses library to compile it.

$ sudo apt install ncurses*

• Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw1.sh
  • The below script will create a directory and download/unzip all the required files.
    ​​​​​​​​$ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw1.sh
    ​​​​​​​​$ chmod +x hw1.sh
    ​​​​​​​​$ ./hw1.sh
    

Objectives

• You will make a Pin tool that can make the Flappy Bird immortal. There are two 'game over' conditions:
  1. The Flappy Bird hits the pipe
  2. The Flappy Bird hits the ground
• Basically, you will (1) find how the two conditions are detected and handled in the program and (2) modify the program execution so that the two conditions do not meet.
  • There are multiple ways to achieve.
    1. DATA Modify values of registers/memory in instructions.
    2. CODE Ignore/skip instructions/functions.
       • Pin supports APIs controlling function calls/returns without you going through the instructions.
• All the details will be presented in the class. :)

What to submit?

(1) your pin tool's source code (e.g., code everything in the icount.cpp, and upload it).
(2) a 1-page description as a pdf file (including how you locate the memory/variable and which code is added in the pin tool to modify values/code and so on).

Homework 2. Scanning the Mine Field

Preparation

• Download the Minesweeper game
  • You will be given a simple minesweeper game's source code. Compile it and get a binary and a disassembled code.
    ​​​​​​​​$ chmod +x compile.sh
    ​​​​​​​​$ ./compile.sh
    

  • After the compilation, you should see mine program and should be able to run it with arguments (if you don't provide any arguments, it will create a 5x5 minesweeper game by default).
    ​​​​​​​​$ ./mine
    ​​​​​​​​y 	  0  1  2  3  4 
    ​​​​​​​​x
    
    ​​​​​​​​0	  D  D  D  D  D 
    ​​​​​​​​1	  D  D  D  D  D 
    ​​​​​​​​2	  D  D  D  D  D 
    ​​​​​​​​3	  D  D  D  D  D 
    ​​​​​​​​4	  D  D  D  D  D 
    ​​​​​​​​x y mode(o/f)> 
    
    ​​​​​​​​$ ./mine 3 3 
    ​​​​​​​​y 	  0  1  2 
    ​​​​​​​​x
    
    ​​​​​​​​0	  D  D  D 
    ​​​​​​​​1	  D  D  D 
    ​​​​​​​​2	  D  D  D 
    ​​​​​​​​x y mode(o/f)> 
    ​​​​​​​​...
    

• Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw2.sh
  • The below script will create a directory and download/unzip all the required files.
    ​​​​​​​​$ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw2.sh
    ​​​​​​​​$ chmod +x hw2.sh
    ​​​​​​​​$ ./hw2.sh
    

Objectives

Your task is to identify where are the mines by using your own Pin tool.

The goal of this homework is to experience how you would identify key memory locations/operations without knowing the source code (Note the without).

• Hence, while you are given the source code, please try to not use them to solve this homework.
• In other words, you should use the source code to understand how the game works, and what patterns of the operations you would expect, but do not use it to precisely pinpoint the memory locations/functions to call.

What to Submit

• (1) your pin tool's source code (e.g., code everything in the icount.cpp, and upload it).
• (2) a 1-page description as a pdf file (including how you locate the memory/variable and which code is added in the pin tool to modify values/code and so on).
• What to be included in the report?
  1. Identifying instructions setting/defining mines (was in the lecture)
     • Provide a step-by-step analysis identifying the instructions and getting the information from it.
  2. Adding a small code dumping the information (to a file or screen).

Hints

• The minesweeper program creates the mine-field with the given number of rows and columns.
  • You would expect that there should be a function initializes the field, writing values into the memory which represents the mine-field.
    • That is, if there is a 5x5 mine-field, there will be 25 memory writes to define the mines.
      • if it is a 6x6 mine-field, there will be 36 memory writes
      • if it is 7x7 mine-field, there will be 49 memory writes, and so on.
• Typically, representing whether there exists a mine at a certain place would be handled by storing a boolean value, with a coordinate.
  • if there is a mine at (3, 4),
    • we may expect memory writes with values of 1, 3, and 4.
  • if there is no mine at (5, 6),
    • we may expect memory writes with values of 0, 5, and 6.

  Note that this is just a guess, and there is no reason that the developer should use such values and store in such a way.

• There are different types of memory: heap, stack, and global.
  • Stack memory is not persistent and only alive during the function execution.
    • Since the information of where the mines exist should be persistent throughout the execution, it is less likely to be on the stack memory.
  • Heap and Global are persistent.
    • If you use malloc, you are alloctating a heap memory. If you are using a global variable, it is on the global section of the memory. The mine-field information is likely to be stored in one of the two.

Homework 3. Running the Hidden Code

This homework is to introduce basic skills for the project 2. Please check out the project 2 for detailed motivation and context.

Preparation

• Installation Script: https://yonghwi-kwon.github.io/class/softsec/hw/hw3.sh
  • The below script will create a directory and download/unzip all the required files.
    ​​​​​​​​$ wget https://yonghwi-kwon.github.io/class/softsec/hw/hw3.sh
    ​​​​​​​​$ chmod +x hw3.sh
    ​​​​​​​​$ ./hw3.sh
    

Brief Background

Assume that you obtain a potential malicious payload (e.g., from network logs), you would like to know what they are doing. Executing them on a real machine or VM is a viable option, but it will also harm the entire VM or machine if the exploitation is successful. Sandboxing is a technique that can run the program while preventing the target program making any harm to the host system. In practice, sandboxing is commonly used to execute potentially malicious code or program as it can observe malicious actions without harming the host system.

This homework asks you to create a sandboxing tool that execute them safely using code emulation techniques. Specifically, give a sequence of code bytes (i.e., instructions), you run them and report what actions they make (e.g., call a system call, doing a particular computations, etc.).

Handling Three Shellcodes

You are given the below shellcode examples. Your goal is to make your program properly interpret their executions (e.g., what system calls were made with which arguments):

• Example 1: CODE_EXAMPLE1

\x6a\x30\x58\x6a\x05\x5b\xeb\x05\x59\xcd\x80\xcc\x40\xe8\xf6\xff\xff\xff\x99\xb0
\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x54\xeb\xe1

• Example 2: CODE_EXAMPLE2

\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80

• Example 3: CODE_EXAMPLE3

\x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62
\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50\x52\x53\xb0\x0b\x50\xcd\x80\x50\x50\xcd
\x80\xe8\xdc\xff\xff\xff\x2f\x65\x74\x63\x2f\x6d\x61\x73\x74\x65\x72\x2e\x70\x61
\x73\x73\x77\x64

Given Program

You are given to a program emul.py which leverages the unicorn framework to run a given shellcode and produce executed instructions and results.

What to do and what to submit

1. Download the unicorn framework.
2. Download the emul.py and emul_util.py. Put them in the bindings folder.
   • emul.py
   • emul_util.py
3. Follow the above description and the lecture video to improve the program so that it can handle all the three example shellcodes.
4. Your report should include what has been additionally added and why. See the project 2's description for the shellcode 1 and 2.
   • Your report should have a similar level of details in a similar content/format (but in a PDF document).