
Archive

Fall 2010

In the first homework, students are given a protocol specification document that contains a number of architectural security issues. The objective of the homework is to identify these issues and informally describe as many of them as they can find (with a goal of three bugs).

The second homework this semester was broken up into two tasks:

The first task is to download a copy of the Apache HTTPD 2.3.8 source code and find a function dealing with authentication or authorization (password management, verification, cookies, etc.). This may be a little tricky, since the Apache code often doesn't call functions directly.

  • Provide the full path, name and line number to the authentication or authorization function
  • Provide the full path, name and line number for a file which refers to this function

The second task is to find 3 bugs in htpasswd.c (assuming it is run on Linux and is compiled with gcc).

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application

Background: htpasswd.c is used to update flat-files that store usernames. When you provide the htpasswd application with the correct username/password to authenticate to it, you are allowed to add usernames to a given flat-file userlist. Users in that userlist are then allowed to access whatever service that passwd file applies to.

The third homework was to find and describe three flaws in a sample application. Assume the application runs on Linux and is compiled with gcc.

  • Identify the affected line(s) of code
  • Briefly explain the bug class
  • Trace user-controllable input to the vulnerable code
  • Identify what effect the bug would have on a running application
  • Calculate a CVSS score for each bug

This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server," or text file service. There are two types of user: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (i.e., text files).

Fall 2009

  • Code Audits 101 video and slides
  • Code Audits 102 video (slides not available)