CS 261 Homework 1
Instructions
Briefly sketch answers to each of the following problems.
A few short sentences should be
enough for the first two questions.
Feel free to use incomplete sentences if you like.
This problem set is due Thursday, 30 September.
Turn in your answers, in paper, at the beginning of class that Thursday.
Please include both your name and your WebReview username at the top
of the first page of your solutions.
Work on your own for this homework.
You may use any source you like (including other papers or textbooks),
but if you use any source not discussed in class,
you must cite it.
Question 1
Prof. Beanstalk makes the following claim:
Stack smashing attacks are made
possible by the fact that stacks grow downwards (towards smaller addresses)
on most popular modern architectures.
Therefore, future architectures should ensure that the stack
grows upwards; this would provide a good defense against buffer
overruns.
Do you agree or disagree? Why?
Question 2
As we saw in class, C programs are commonly prone to buffer-overflow attacks.
What changes could be made to the C compiler to help protect against
(or prevent) these attacks?
This is a brainstorming question; give as many good answers as
you can.
Question 3
This question asks you to design and implement a safe HTML filter.
I want some way to safely view HTML pages from the web,
and this method better not harm my machine even through these pages
come from an untrusted source, and even though my web browser is too
complex for me to have full faith in its ability to safely handle
totally untrusted web pages.
You're going to write me a sanitizing filter that I can use
something like this:
./htmlfilter < scarywebstuff.html > safe.html
mozilla safe.html
I have two goals for this composed system:
- Security:
- This procedure must not, under any circumstances, cause any harm
to my system.
Ideally, using this procedure to view web pages should be as harmless
as viewing an ASCII text file with, say, /bin/more;
note that even if an attacker supplies the entire contents of a text file,
viewing it with /bin/more cannot harm my machine,
so /bin/more is in some sense the gold standard.
In particular, viewing untrusted files using your HTML filter and my
favorite web browser should not cause any lasting side effects to my machine,
and it should not leak any confidential information (e.g., the contents of
files on my hard disk; or, information about what I'm viewing in another
window with the same browser).
Your scheme must not only be secure; it must also be verifiably secure.
You will have to provide an assurance argument why it is reasonable to
believe that your filter achieves this goal.
- Functional:
- In an ideal world, your filter would allow me to view as much
of the content on the
web page as possible -- except where this would conflict with the previous
requirement, in which case security is more important than functionality.
For instance, a filter that ignores its input and always outputs the
empty HTML page is not very useful.
Thus, your solution should be at least minimally useful for viewing
the text content of web pages.
However, I don't really care whether I get to see pretty pictures,
dancing pigs and other fancy decorative stuff or not.
Also, feel free to keep your implementation simple and to omit support
for complex functionality.
This is intended only as a proof of concept
exercise -- no need for feature-complete production code.
To keep this tractable as a homework question,
you can err on the side of omitting functionality (though it might
be nice if your approach can be generalized to support as much
functionality as possible).
Security matters more than functionality; my threshold for security will
be pretty high, while my threshold for functionality will be very low.
I want you to come up with a design, implement it, document your basic
architecture and assurance argument, and submit both the document and the
code.
Your submission should contain at least three files:
- README
- Document the basic architecture you've used and the theory of operation
for your scheme.
Sketch the assurance argument why one should expect your scheme
to be secure.
This should be an ASCII text file, and it doesn't have to be too
lengthy; a page or so should be enough.
- Makefile
- A Makefile with everything needed to compile your program.
If I run make, it should do everything needed to compile your
program and finally generate in the current
directory an executable file called htmlfilter.
This program should read an untrusted HTML file from stdin and write a
sanitized HTML file to stdout.
- Source files
- Include any source files needed to build the executable.
Don't include the executable itself; I will run make myself.
You can use pretty much any well-supported language you like
(e.g., C, C++, Java, Perl, Python, ML, OCaml, bash script)
as long as it will work on my Linux system.
However, to avoid any difficulties,
please take care to make your program as portable as possible.
Feel free to keep it simple. If you are writing more than a few hundred
of lines of code, you're probably working too hard.
From within this directory, run
tar cf your-username.tar .
where your-username denotes your two-letter username
for the WebReview system. Then, email me this file as an attachment
by the due date.
Also, print out the README file and attach it to your homework
solution that you turn in to class.
Yes, I will be running your programs.
Because I will be using automated scripts to do so, I ask you to follow
the above instructions carefully.
To help demonstrate the format, here is reference code that demonstrates
the required format: ref.tar.
(Feel free to steal from this code in your implementation, if you like.)