计算机系统代写 | CS166 Computer Systems Security
CS166 Computer Systems Security
You will break cs666’s course infrastructure by creating exploits that take advantage of distinct vulnerabilities.
Exploits must allow you to perform a normally unauthorized action in the system or discover information that
unprivileged users should not have access to. For example, viewing other students’ grades, accessing other
students’ handins, or running arbitrary code with TA group permissions would all count as exploits.
An exploit’s “distinct-ness” is defined as a tuple over a file from the source code of the cs666 course infrastructure and one or more vulnerability categories. Two exploits take advantage of distinct vulnerabilities
if (1) both exploits take advantage of vulnerabilities in different files or (2) both exploits take
advantage of vulnerabilities in the same file, but rely on non-overlapping sets of vulnerability
The source code of cs666’s course infrastructure can be found at /course/cs1660/pub/handin on the
department machines—you should refer to the files in this directory when determining if two exploits satisfy
the distinct vulnerability definition above. You should also consult Appendix B, which contains the list of
possible vulnerability categories that we’ll accept on this project.
1.1 Severity Categories
Each exploit receives points for its severity category, which describes the impact of the exploit on the system.
The values of each category are outlined in the following table:
1.2 Vulnerability Reports
In a README.pdf file, you should document the following for each of the exploits you discover:
• Metadata: The severity category of the exploit (see Section 1.1), the vulnerability categories that the
exploit takes advantage of (see Appendix B), and the name(s) of the file(s) that these vulnerabilities
manifest in (see the source code).
• Discovery: An explanation of how you came to this plan of attack (what the system does that makes
it vulnerable to this specific attack; references to relevant sections of the handin system’s source code;
any tools you used to make these findings; etc.).
• Impact: An explanation of how and why your attack works (what it does and why; references to
portions of your exploit script, etc.) and a justification for why it works (including how the output of
the script makes it clear that the attack was successful).
• Mitigation: Explain (from a technical perspective) how to repair the vulnerability without compromising intended functionality and justify why this fix blocks your exploit (and exploits similar to it).
You should include specific references to the source code as to where fixes should be applied.
You should also include any additional files needed to perform your exploit (code, payloads, etc.) in your
final handin. Your report should allow us to easily recreate your attack from only your verbal (and written)
explanations and submitted files.
2 Hints, Tips, and Tricks
There’s a binary in your VM at /home/whoami which is essentially a more powerful version of the normal
whoami command. It prints the uid, euid, gid, and egid of the process that it runs as (and thus, by default,
that its parent process runs as). This may be useful in testing some of your exploits.
2.2 Tools and man Pages
You may find the environ(5), proc(5), credentials(7), and symlink(7) man pages helpful for this assignment. In addition to those resources, you may find the following tools on your VMs useful (refer to their
man pages for usage information):
• lsof — lists open file descriptors
• strace — traces system calls
• gdb — binary debugger
• objdump — displays binary information
• strings — prints strings in binary
• ps — lists processes
• htop — live process viewer
• watch — execute a program periodically
• id -u <user> — gets user id
• getent group <group> — gets group id
2.4 Resetting the VM
If you would like to refresh the /course/cs666 directory to its original state, you can do so by running the
command reset-cs666 (located at /bin/reset-cs666) on your VM. This will delete the /course/cs666
directory and recreate it. You are not allowed to use the reset-cs666 command in your actual exploits,
though feel free to use it to verify that your exploit scripts work on unmodified versions of the /course/cs666
directory after you’ve made some progress.
If you find that you have have broken the infrastructure to the point where you think you need a full reset
of your VM, please email the TA list and we’ll create a new VM for you. This will change your VM’s IP
address and credentials needed to access the VM and will delete all files you’ve stored on the machine, so
make sure to save all of the work you want to keep elsewhere before asking for a hard reset.