Security Aspects in Software Development

Course Number 705024 and 705025 | Wintersemester 2019/20

Content

The course provides insights into the security aspects of software developed in C and C++. This includes the ability to recognize and classify bugs, (efficiently) find bugs, exploit bugs, fix bugs, and prevent bugs in the first place.

In the lecture part, we provide the theory behind these topics and we learn about state-of-the-art techniques and how they work.

In the first part of the practical exercises, you have to find and exploit bugs in (vulnerable) code we provide (so-called hacklets). In the second part of the practical exercises, you write your own secure code and we will try to find and exploit bugs in your code (Hint: we shall not succeed if you want to pass the course).

Material

The slides are available here after the end of each lecture.

Date Topic Additional Information
04.10.2019 Introduction + Low Level Slides
11.10.2019 Memory Corruption I Slides
18.10.2019 Memory Corruption II & Environment Slides
25.10.2019 Finding Bugs I Slides
08.11.2019 Exploits Slides
22.11.2019 Finding Bugs II Slides
29.11.2019 Slides
06.12.2019 Slides
13.12.2019 Slides
Holidays
10.01.2020 Slides
17.01.2020 Slides
24.01.2020 Slides

Older slides can be found here

Administrative Information

Communication

Newsgroup tu-graz.lv.sicherheitsaspekte

E-mail sicherheitsaspekte@iaik.tugraz.at

Lecture Challenges (VO)

During the lecture, we will present small “Lecture Challenges” as a bonus. These challenges are optional, but solving them results in bonus points for the VO exam.

The Challenges

The aim of the challenges is to dig deeper into a certain topic of the respective lecture. Thus, it is advisable to try to complete the challenge soon after the lecture.

The description of the challenges can always be found in the lecture slides as well as on https://sasd.is.attacking.systems.

Submission

All challenges have to be submitted to https://sasd.is.attacking.systems, the SASD CTF platform.

Rules

  • Challenges have to be solved on your own
  • All challenges have to be submitted to https://sasd.is.attacking.systems, only submitted challenges count
  • The bonus points are only valid for the first two exam dates
  • To get the bonus points, you have to write your username on the exam sheet
  • You cannot get positive with bonus points, i.e., bonus points only count if you are already positive

Exam (VO)

Exams are done in writing. The dates for the exams are set in TUGonline; please register there.

Exams consist of both theoretical and practical questions. Theoretical questions cover the theoretical parts of the slides and possibly additional content presented in the lecture that is not part of the slides. Practical questions are, in principle, similar to the tasks given in the lecture challenges and in the practicals. However, the complexity of the questions is scaled to fit the time available during an exam.

All questions of the exam are in English. Answers can be given either in English or in German, at the student’s discretion.

No lecture notes or any other materials are allowed during an exam. All materials required to solve the practical questions are provided at the exam. The provided material includes an ASCII table, a C function reference for the required functions, and a table containing the required syscall parameters.

Sample Exams

We also provide old exams to help you prepare for the exam:

Administrative Information – Practicals (KU)

Timetable

Date Topic Additional Information
02.10.2019 Introduction + Assignment 0 – Warmup i12, Slides-00, Slides-01
09.10.2019 Hands-on Tutorial Seminar room, Material
09.10.2019 LosFuzzys Beginner’s Tutorial Seminar room, optional, in the evening
16.10.2019 Assignment 1 – Hacklets + Tutorium ROP I i12, Slides
18.10.2019, 23.59 Deadline Warmup
23.10.2019 Tutorium ROP II i12, Slides
30.10.2019 LosFuzzys i12, optional
06.11.2019 Question Hour Hacklets i12, then moving to small seminar room IFEG052
13.11.2019 Question Hour Hacklets Seminar room
15.11.2019, 23.59 Deadline Hacklets
20.11.2019 Assignment 2 – Defensive Programming i12, Material, Slides
22.11.2019, 23.59 Deadline Hacklets 2nd Chance
27.11.2019 Tutorium Defensive I i12, Material
04.12.2019 Tutorium Defensive II i12, Material, Slides
11.12.2019 Question Hour Defensive Programming Seminar room
Holidays
08.01.2020 Question Hour Defensive Programming Seminar room
10.01.2020, 23.59 Deadline Defensive Programming
17.01.2020, 23.59 Deadline Defensive Programming 2nd Chance
22+23.01.2020 Oral Exams Seminar room, mandatory

Grading

The practicals are divided into three parts:

  • assignment0: Warmup
  • assignment1: Hacklets
  • assignment2: Defensive programming

You need to be positive for each assignment individually to pass the course. This means you need to achieve at least 50% of each assignment's points.

Your final mark consists of:

  • Points for each assignment
    • Bonus points count only if you have achieved 50% of the assignment's points
  • Oral exam performance

Your final grade is calculated by:

(percentage(assignment1) + percentage(assignment2))/2 * percentage(OralExam)

Marks

Percentage Grade
> 90% Sehr gut (1)
78.5% – 90% Gut (2)
67.5% – 78.49% Befriedigend (3)
50% – 67.49% Genügend (4)
< 50% Nicht genügend (5)

Oral exam

After the deadline of all assignments, there will be an oral exam. The oral exam is mandatory. You can select one of multiple time slots; in the exam you need to be able to answer questions about each assignment and task that you completed.

However, insufficient answers will lead to point deductions that can even result in a negative grade. We will provide more information on what you need to know for the oral exam for each assignment individually.

Plagiarism

We encourage discussions with other students and really appreciate that. However, we do not tolerate any plagiarism at all. We will check all submissions for plagiarism. All affected students will receive 0 points and an “Ungültig/Täuschung” (invalid/cheating) entry with all its consequences.

Thus, do not give away your source code to other students. You are responsible for protecting your source code from unintended access by others. In the end, we do not want you to copy code and solutions. We want you to learn and understand the topics for yourself!

Second chance

If you fail one assignment but pass the other, you have the option of a second chance. In second chance mode you can still obtain a positive grade through an extended deadline and an individual, extended oral exam:

  • Only for one assignment
  • Extended deadline
  • Extended oral exam
  • Points above 50% are divided by two for this assignment

We do not recommend the second chance mode and advise you to start early with the assignments so that you receive a positive grade in the first place.

Practicals – Framework

Upstream Repository

All assignments are pushed to the following upstream repository: https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git. Merge this upstream repository into your local repository to receive the assignments and optional patches or fixes, as follows:

git remote add upstream https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git
git pull upstream master

Your Repository

As soon as the deadline for the course registration closes, you are given access to a git repository in our teaching git where you have to push your submission. This will happen around 14.10.2019. Until then, please use an empty local repository by following these instructions:

mkdir sasd2019
cd sasd2019
git init
git remote add upstream https://extgit.iaik.tugraz.at/sase/practicals/2019/exercise2019-upstream.git
git pull upstream master

Final submission / Tags

Your final submission must be tagged correctly with a git tag. The tag label starts with the assignment, followed by a dash and a number.

As an example, assignment1-1 is the label for the first assignment. As you are not able to delete tags, you can always update your final submission by increasing the appended number, e.g. assignment1-15. In the end, the tag with the highest number before the deadline counts.

Test system

Your submissions will be tested automatically by our test system. Thus, you need to respect and meet file naming constraints of the individual assignments. Otherwise, the tests will all fail and you will receive 0 points for the assignment.

You will soon receive binary (pass/fail) feedback for each task group you have submitted: whether the project compiles and whether your implemented functions behave correctly, i.e., whether your submitted solution is correct. The test system uses the reference image for its evaluation.

Reference image

We provide you with a Docker reference image. The reference image is based on Ubuntu and contains pre-installed tools and compilers that help you throughout the assignments. The Docker image can be used via the docker.sh script located in the upstream repository. To fetch it, execute git pull upstream master.

To get the latest Docker image, execute ./docker.sh update

To run Docker in the current directory, execute ./docker.sh run

To run Docker in a different directory named <path>, execute ./docker.sh run <path>

If you run this script inside a hacklet directory, it automatically executes the execute-permission.sh script which runs your exploit with correct permissions.

Practicals – Assignments

Assignment 0 – Warmup

In this assignment, you shall solve an introductory hacklet to get started. While this assignment is mandatory, you do not get any points. Instead, by solving it you show your intent to actually do this course. If you do not solve it, you won’t get a grade.

Submission tag: assignment0

Deadline: 18.10.2019, 23.59

Assignment 1 – Hacklets

In this exercise you take the role of a security consultant who has been asked to audit multiple small C and C++ applications, called “hacklets” for the remainder of this document, for potential security issues. After a series of strange incidents, bad news coverage, and an increasing number of bug reports by angry users claiming loss of data and disclosure of private information due to security problems in the hacklets, you have been hired to audit the code. Note that your fictional employer in this scenario currently considers information security a nice-to-have-but-not-mission-critical-if-missing feature.

Submission tag: assignment1

Deadline: 15.11.2019, 23.59

Organizational

  • You can achieve 22 regular points, which equals 100% for assignment 1.
  • For a positive grade you need to achieve at least 11 points in total AND at least one point in each regular category (except bonus category).
  • You can achieve 3 additional bonus points by solving bonus challenges.
  • The bonus points only count if you are positive using regular points only.

Hacklets: Oral Exam Part 1

  • You have to defend your points during the oral exam at the end of the semester, which is mandatory.
  • During the oral exam, you have to explain for each solved hacklet:
    • Problem statement: Where is the vulnerability? What is the problem? Why is this dangerous? …
    • Exploit: How does your exploit work? Which security mechanisms did you bypass and how? …
    • Mitigation (only if the source code is available, i.e. not for reverse-engineering hacklets): How would you fix the vulnerability in the source code? Which other defenses would work/would not work and why? …

Flag format

All hacklets, except those indicated below, use the flag format SASD{[A-Za-z0-9_!]{26}}, e.g. SASD{TH1S_IS_A_local_TEST_FL4G!}.

Test

Test your exploit on the provided VM by running ./exploit inside the hacklet directory. On success, it shall print the demo flag above to stdout. In addition, the exploit has to write the flag to a file named solution.txt. We will test your exploit with different flags. You will only get points for a hacklet if the flag is recognized.

Fair Play

  • Do not plagiarize. If you do so, you will get zero points and fail the course.
  • Do not manipulate the hacklets inside your exploit scripts, e.g. disabling ASLR, preloading, etc. where it is not explicitly allowed. Especially, your exploit scripts are not allowed to use root privileges. We expect you to solve the hacklets in the intended way. In case of doubt, ask in the newsgroup.
  • Any attempt to attack our server infrastructure will disqualify you from the course.

Hacklets

00_strings

  1. Cryptomaster(1pt):
    • The crazy Cryptomaster hid some hidden secret in his code where he claims that you never crack his code!
      Maybe some hashing skills might help you to defeat him.
  2. Terminator(1pt):
    • Show me your terminator skills!

01_environment

  1. cmacro(1pt):
    • This is a really nice macro which every programmer should use. Maybe you brick the environment to extract the flag.
  2. fast_math(1pt):
    • Race to the condition and prove that you are good at fast math.
  3. pluginsystem(1pt):
    • Can you show us the problem in the plugin system? Hint: You can also write your own plugins ;)
  4. preload_me(1pt):
    • You know what to do!

02_buffer

  1. combined (2pt):
    • Use a format string vulnerability and a stack-based buffer overflow in order to bypass stack protection.
  2. echo_service (1pt):
    • Can you guess the delicious stack cookies in a smarter way? Forket it!
  3. my_first_rop_chain(1pt):
    • In this challenge no pwntools ROP tools are allowed! Just ROP it by hand and use the gathered knowledge to rock your lecture exam ;)
  4. random_pin_generator(1pt):
    • I am really bad at remembering PIN codes, can you find another way to get to my money?

03_integer

  1. callcenter(1pt):
    • There are callcenter employees complaining about some crazy mathematical computations.
      Can you also trigger some of them?
  2. card_game(1pt):
    • Do you like to play cards? Show how to win in this game ;)
  3. nice_sequences(1pt):
    • Who of you does not like integer sequences? Can you show a tremendous flaw in this program?
  4. pgminverter(2pt):
    • This hacklet parses simple images in PGM format and applies the Number Theoretic Transform with user-provided filter coefficients on 8×8 blocks in the image.
      Can you find a problem within the code?
  5. rust(1pt):
    • Rust is safe of memory corruption issues and overflow problems, right?

04_heap

  1. calculator(1pt):
    • A friend of mine wrote a nice program which contains a nice debug feature. Do you know what that is?
  2. heap_overflow(2pt):
    • They told me that there should be a heap overflow inside this binary. Can you show me that?

05_format-strings

  1. guess_a_number(1pt):
    • Are you good at number guessing? Do you even need to guess?
  2. reveal_the_secret(1pt):
    • Eddie Snowden hid secret information from the NSA in the binary. Could you reveal it by exploiting a format string vulnerability?

06_bonus

  1. angr_management(1pt):
    • You should really use some symbolic execution to manage your angr my friend!!
  2. turing_completeness(2pt):
    • Turing completeness is nearly everywhere nowadays. Did you know that x86 mov is Turing-complete? :) Have fun reversing this hacklet :)

Assignment 2 – Defensive Programming

In this exercise you shall implement a secure ELF parsing library called libtwelf.

Submission tag: assignment2

Deadline: 10.01.2020, 23.59

Organizational

  • You can achieve 100 regular points, which equals 100% for assignment 2.
  • You can earn 12 additional bonus points (if you are already positive):
    • 5 bonus points for having high code coverage in your test cases
    • 4 bonus points if you implement ELF symbol handling functions
    • 3 bonus points if you store the (modified) string tables (.shstrtab and .strtab) in their minimal form
  • You lose 3 points for each of the following issues (even if not exploitable)
    • Program crash
    • Memory corruption, memory leak, use after free, use of uninitialized memory (or other stuff reported by valgrind, address sanitizer & co)
    • Format string vulnerability, integer overflow
  • You lose 3 points for each of the following issues
    • Undefined behavior, e.g. (void*)x + 1
    • Non-portable, hidden assumptions, e.g. sizeof(int) == 4
    • Hard-to-read or dangerous code, e.g. #define FUNC(x) x=x*x
    • Use of global variables. They are not needed for this library.
    • Compiler warnings, e.g. printf("%u", (long long int)x)
  • Plagiarism is not tolerated
    • You are not allowed to copy code snippets (neither from the internet nor from other colleagues)
    • We will do plagiarism tests. Affected students will receive 0 points and get an “Ungültig/Täuschungsversuch”
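Each of the four code fragments in the deduction list above has a portable, warning-free replacement. The following C block is an added example for this page, not code from the course or from libtwelf; the function names are the example's own, and the four-byte field in main is constructed sample input. Each function pairs the pattern that costs points with the form that does not, plus an overflow-checked size computation for the "integer overflow" item.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instead of (void*)x + 1 (undefined: void has no size), step through raw
 * memory with an unsigned char pointer, whose element width is 1 by definition. */
static unsigned char byte_at(const void *base, size_t offset)
{
    const unsigned char *p = (const unsigned char *)base;
    return p[offset];
}

/* Instead of assuming sizeof(int) == 4 and casting a buffer to int*, read a
 * 32-bit little-endian field byte by byte into a fixed-width type. This also
 * makes no assumption about alignment or host endianness. */
static uint32_t read_le32(const void *src)
{
    const unsigned char *b = (const unsigned char *)src;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Instead of #define FUNC(x) x=x*x (mutates its argument, breaks on
 * FUNC(a+b), and overflows int), use a static inline function that takes its
 * argument by value and widens the result so it cannot overflow. */
static inline uint64_t square_u32(uint32_t x)
{
    return (uint64_t)x * (uint64_t)x;
}

/* Integer overflow costs points even when it is not exploitable: check a
 * count * element-size product before using it as an allocation length.
 * Returns 0 on overflow (and for count 0), which the caller must treat as
 * "nothing to allocate". */
static size_t checked_array_bytes(size_t count, size_t elem_size)
{
    if (count != 0 && elem_size > SIZE_MAX / count)
        return 0;
    return count * elem_size;
}

/* Instead of printf("%u", (long long int)x) (format/argument mismatch: a
 * compiler warning and undefined behaviour), match the conversion to the
 * type. snprintf with a NULL buffer returns the length it would print. */
static int formatted_length(long long x)
{
    return snprintf(NULL, 0, "%lld", x);
}

int main(void)
{
    /* Constructed sample input: four bytes of a little-endian field. */
    static const unsigned char field[4] = {0x78, 0x56, 0x34, 0x12};

    printf("byte_at(field, 1)       = 0x%02x\n", byte_at(field, 1));
    printf("read_le32(field)        = 0x%08lx\n", (unsigned long)read_le32(field));
    printf("square_u32(70000)       = %llu\n", (unsigned long long)square_u32(70000u));
    printf("checked_array_bytes     = %zu (0 means overflow)\n",
           checked_array_bytes(SIZE_MAX, 2));
    printf("formatted_length(-5)    = %d\n", formatted_length(-5));
    return 0;
}
```

The first three helpers would typically be placed in a small internal header of the library; the checked multiplication is the one to reach for before every malloc whose size is derived from a file field.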

Tasks

libtwelf provides different functions which you shall implement. The detailed specification for each function can be found in libtwelf.h.

Depending on the number of test cases you pass on our test system, you can get points as follows. Please note that manipulation functions depend on libtwelf_write. In order to get full points for e.g. libtwelf_renameSection, the implementation must rename the section in your internal data structures as well as in the final file written with libtwelf_write.

ID Function name Points Dependencies
A libtwelf_open/close 20
B libtwelf_write 11 A
C libtwelf_getAssociatedSegment 5 A
D libtwelf_getSectionData 5 A
E libtwelf_renameSection 9 (+2 bonus for minimal .shstrtab) A,B
F libtwelf_getSegmentData 5 A
G libtwelf_setSegmentData 9 A,B
H libtwelf_setSectionData 9 A,B
I libtwelf_stripSymbols 9 A,B
J libtwelf_removeAllSections 9 A,B
K libtwelf_addLoadSegment 9 A,B
L libtwelf_resolveSymbol 2 bonus A
M libtwelf_addSymbol 2 bonus (+1 bonus for minimal .strtab) A,B
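Task A (libtwelf_open) is where most of the deduction list bites: every offset and count in the ELF header comes from the file and has to be bounds-checked before it is used. The following C block is an added example for this page, not libtwelf's code and not using its API; the status enum, the function names and the embedded 192-byte sample file are this example's own assumptions. It validates an ELF64 header from a raw byte buffer and shows the subtraction-based bounds check that keeps an attacker-chosen e_shoff from wrapping the section table back inside the file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum elf_status {
    ELF_OK = 0,
    ELF_ERR_TRUNCATED,   /* buffer shorter than the 64-byte ELF64 header */
    ELF_ERR_MAGIC,       /* does not start with \x7fELF */
    ELF_ERR_CLASS,       /* not ELFCLASS64 / ELFDATA2LSB */
    ELF_ERR_SHDR_BOUNDS, /* section header table not inside the file */
    ELF_ERR_SHSTRNDX     /* e_shstrndx points past the section table */
};

/* ELF64 header field offsets in bytes. Reading fields through these and
 * byte loads avoids unaligned access and any struct-layout assumption. */
#define EHDR64_SIZE     64
#define SHDR64_SIZE     64
#define OFF_E_SHOFF     40
#define OFF_E_SHENTSIZE 58
#define OFF_E_SHNUM     60
#define OFF_E_SHSTRNDX  62

static uint16_t rd_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint64_t rd_le64(const unsigned char *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

static enum elf_status validate_elf64(const unsigned char *file, size_t len)
{
    if (len < EHDR64_SIZE)
        return ELF_ERR_TRUNCATED;
    if (memcmp(file, "\x7f" "ELF", 4) != 0)     /* "\x7fELF" would swallow the E */
        return ELF_ERR_MAGIC;
    if (file[4] != 2 /* ELFCLASS64 */ || file[5] != 1 /* ELFDATA2LSB */)
        return ELF_ERR_CLASS;

    uint64_t shoff     = rd_le64(file + OFF_E_SHOFF);
    uint16_t shentsize = rd_le16(file + OFF_E_SHENTSIZE);
    uint16_t shnum     = rd_le16(file + OFF_E_SHNUM);
    uint16_t shstrndx  = rd_le16(file + OFF_E_SHSTRNDX);

    if (shnum == 0)                       /* no section table at all */
        return shstrndx == 0 ? ELF_OK : ELF_ERR_SHSTRNDX;
    if (shentsize < SHDR64_SIZE)          /* entries would overlap / underrun */
        return ELF_ERR_SHDR_BOUNDS;

    /* The table spans [shoff, shoff + shnum*shentsize). Compare in 64 bits and
     * subtract rather than add, so a shoff near 2^64 cannot wrap the sum. */
    uint64_t table_bytes = (uint64_t)shnum * shentsize;   /* < 2^32, cannot overflow */
    if (shoff > len || table_bytes > (uint64_t)len - shoff)
        return ELF_ERR_SHDR_BOUNDS;

    if (shstrndx != 0 && shstrndx >= shnum)
        return ELF_ERR_SHSTRNDX;
    return ELF_OK;
}

/* Constructed sample: a minimal little-endian ELF64 file of 192 bytes whose
 * header says the section table (2 entries of 64 bytes) starts at offset 64.
 * Bytes not listed are zero. */
static const unsigned char SAMPLE[192] = {
    0x7f, 'E', 'L', 'F', 2, 1, 1, 0,  0, 0, 0, 0, 0, 0, 0, 0,
    0x02, 0x00,                 /* e_type      = ET_EXEC */
    0x3e, 0x00,                 /* e_machine   = EM_X86_64 */
    0x01, 0x00, 0x00, 0x00,     /* e_version   = 1 */
    0, 0, 0, 0, 0, 0, 0, 0,     /* e_entry */
    0, 0, 0, 0, 0, 0, 0, 0,     /* e_phoff */
    0x40, 0, 0, 0, 0, 0, 0, 0,  /* e_shoff     = 64 */
    0, 0, 0, 0,                 /* e_flags */
    0x40, 0x00,                 /* e_ehsize    = 64 */
    0x00, 0x00,                 /* e_phentsize */
    0x00, 0x00,                 /* e_phnum */
    0x40, 0x00,                 /* e_shentsize = 64 */
    0x02, 0x00,                 /* e_shnum     = 2 */
    0x01, 0x00                  /* e_shstrndx  = 1 */
};

/* Re-validate a copy of SAMPLE with a different e_shoff, e.g. one chosen so
 * that shoff + table_bytes would wrap around if the check used addition. */
static enum elf_status validate_with_shoff(uint64_t shoff)
{
    unsigned char copy[sizeof SAMPLE];
    memcpy(copy, SAMPLE, sizeof copy);
    for (int i = 0; i < 8; i++)
        copy[OFF_E_SHOFF + i] = (unsigned char)(shoff >> (8 * i));
    return validate_elf64(copy, sizeof copy);
}

int main(void)
{
    printf("full sample:       %d\n", validate_elf64(SAMPLE, sizeof SAMPLE));
    printf("cut to 100 bytes:  %d\n", validate_elf64(SAMPLE, 100));
    printf("cut to 32 bytes:   %d\n", validate_elf64(SAMPLE, 32));
    printf("shoff near 2^64:   %d\n", validate_with_shoff(UINT64_MAX - 8));
    return 0;
}
```

The same shape of check (offset within len, then size within len minus offset) applies to e_phoff/e_phnum and to every sh_offset/sh_size and p_offset/p_filesz read later; a library that applies it consistently has no path from a malformed file to an out-of-bounds read.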

Bonus: Code Coverage

For getting coverage bonus points, write your own exhaustive test cases. Branch coverage can be tested with

  • make gcov

Depending on the overall branch coverage, you can earn the following bonus points:

Overall branch coverage Bonus points
75% <= cov < 80% 1
80% <= cov < 85% 2
85% <= cov < 90% 3
90% <= cov < 95% 4
95% <= cov 5

Resources

Lecture Dates

Date Begin End Location Event Type Comment
2020/01/08 10:15 11:00 Seminar room KU session
2020/01/08 10:15 11:00 HS i12 "BearingPoint Hörsaal" KU session
2020/01/10 12:00 14:00 HS i12 "BearingPoint Hörsaal" VO session
2020/01/15 10:15 11:00 HS i12 "BearingPoint Hörsaal" KU session
2020/01/17 12:00 14:00 HS i12 "BearingPoint Hörsaal" VO session
2020/01/22 10:00 12:00 Seminar room KU session
2020/01/22 13:00 16:00 Seminar room KU session
2020/01/23 13:00 16:00 Seminar room KU session

Lecturers

Daniel Gruß, Assistant Professor
Moritz Lipp, PhD Candidate
Michael Schwarz, Postdoc
Martin Schwarzl, PhD Student
Samuel Weiser, PhD Candidate
Michael Ehrenreich
Johannes Haring, Teaching Assistant
Marcel Nageler, Teaching Assistant