6.858 Fall 2010 Lab 4: Attacking server isolation

Handed out: Monday, October 17, 2011
All parts due: Friday, October 28, 2011 (11:59pm)


In this lab, you will be attacking zoobar's privilege isolation and sandboxing. You will download the source code for the lab 3 submission of another 6.858 student, which includes privilege separation and sandboxing for Python profiles, and examine their code for possible vulnerabilities. Your deliverable for this lab consists of a single text file, called lab4.txt, that should contain your analysis of the zoobar server's security, including any possible weaknesses, and potentially exploits (in Python) for vulnerabilities you have uncovered.

To get started, go to the handin site, click on the "Get lab 4 code" button, and download the source code for the zoobar site you will be attacking. Copy the lab4.tar.gz file into your virtual machine (e.g., using scp, not shown below), and extract it in a separate directory:

httpd@vm-6858:~$ mkdir lab4
httpd@vm-6858:~$ cd lab4
httpd@vm-6858:~/lab4$ tar -zxvf ~/lab4.tar.gz

Now, build and run this zoobar site, as shown below. Because the make handin command does not include the pypy-sandbox.tar.bz2 file in the submission, you will need to copy it out of your own lab directory.

httpd@vm-6858:~/lab4$ make
cc -m32 -g -std=c99 -fno-stack-protector -Wall -Werror -D_GNU_SOURCE   -c -o zookld.o zookld.c
cc -m32 -g -std=c99 -fno-stack-protector -Wall -Werror -D_GNU_SOURCE   -c -o http.o http.c
cc -m32  zookld.o http.o  -lcrypto -o zookld
cc -m32 -g -std=c99 -fno-stack-protector -Wall -Werror -D_GNU_SOURCE   -c -o zookfs.o zookfs.c
cc -m32  zookfs.o http.o  -lcrypto -o zookfs
cc -m32 -g -std=c99 -fno-stack-protector -Wall -Werror -D_GNU_SOURCE   -c -o zookd.o zookd.c
cc -m32  zookd.o http.o  -lcrypto -o zookd
cc -m32 -g -std=c99 -fno-stack-protector -Wall -Werror -D_GNU_SOURCE   -c -o zooksvc.o zooksvc.c
cc -m32  zooksvc.o  -lcrypto -o zooksvc
httpd@vm-6858:~/lab4$ cp ~/lab/pypy-sandbox.tar.bz2 ./
httpd@vm-6858:~/lab4$ sudo make setup
[sudo] password for httpd: 6858
+ grep -qv uid=0
+ id
httpd@vm-6858:~/lab4$ sudo ./zookld
zookld: Listening on port 8080

Now that you have the zoobar code you need to review up and running, look at the code and understand how it works before proceeding to the next part.

Part 1: Code review

For the code review process, you do not need to comment on (or exploit) any buffer overflow vulnerabilities in the zookws web server from lab 1, or any attacks that involve a victim's web browser (such as exploiting a cross-site scripting vulnerability), which will be the focus of subsequent labs.

Exercise 1: Attack privilege isolation. Evaluate the security of the privilege isolation design in the zoobar code you are reviewing. Look for possible ways to violate the guarantees that privilege separation was supposed to provide. You may want to look back at the lab 2 description to review what the privilege separation was trying to achieve.

One possible approach may be to examine the RPC interfaces exposed by each service; are there ways to trick the RPC interface into performing an unintended operation? Another approach may be to examine the permissions on files in /jail.

Write down your review in lab4.txt. Comment on any particularly good or bad aspects of the design. How did your design differ: was it any better or worse? For possible weaknesses, explain why they may be a bad design, even if you cannot immediately exploit them. For extra credit, develop working exploits that take advantage of any vulnerabilities you may have discovered. Include the Python code for any exploits you developed in lab4.txt.

Exercise 2: Attack the Python sandbox. Evaluate the security of the sandbox used to execute Python profile code. Try to look for ways in which code running in one Python sandbox may be able to interfere with the rest of the system, or with code from another user's Python profile.

Comment on the design in much the same way as for the above exercise. Write down your code review in lab4.txt. For extra credit, include Python code for any working exploits you may have constructed in lab4.txt.

Submit the resulting code review, in lab4.txt, via the handin site.

You are now done with lab 4.