20-CS-5156 Security Vulnerability Assessment Spring 2017
Lab 2

Authentication, Availability, Confidentiality, Integrity, Defense Principles, Intrusion Detection, Attack vectors, more

Analyze Updated Legacy Code
(submit instructions)

You have been provided with an application based upon a data model stored in ABaseClass which was originally written for a 16-bit 80286-based workstation to implement some numeric data retrieval logic. During a recent purchase of that infrastructure through an acquisition by your company, a third-party consultant was brought in to "update" the software. However, an employee reviewing the code has complained that the upgrade job was done in a very sloppy manner. The new code is stored in ANewClass. The program intended to run the service is expl1.c. You're responsible for:

  • Analyzing the old & new code, and identifying memory corruption vulnerabilities
  • Making recommendations for how to rewrite the program so it is not vulnerable
  • Identify the nature of the memory corruption, describing (or diagraming) how it corrupts memory in the application space (possibly usee GDB or another tool)
  • Write a report which documents these findings and also documents your proposed solution
  • You must solve the bug while using -fno-stack-protection for GCC, as the new OS still doesn't support this feature
  • The solution must result in normal, non-crashing, program flow

Source code, including example Makefile: lab2.zip