Assignment 3, due Feb 19

Part of the homework for 22C:169, Spring 2010
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday). Unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

  1. Background: Unix and its descendants let any program pass an array of strings as parameters when it launches an application using the execve() system call. Parameter validity checking would be far easier if the system could do some checking when it passed the strings instead of leaving checking to the launched application.

    There are two issues: how parameter types are encoded, and how the application goes about providing the encodings to the system. Here, we focus on the former. Suppose parameter types are specified as BRE POSIX regular expressions. For background, check the Wikipedia entry for Regular expression.

    a) Give a regular expression that specifies a numeric parameter or explain why it cannot be done. (0.5 points)

    b) Give a regular expression that specifies a Unix-style file name with slashes separating pathname components, or explain why it cannot be done. (0.5 points)

    c) Give a regular expression that specifies a string where any parentheses in the string are balanced, or explain why it cannot be done. (0.5 points)

  2. Background: Now, we turn our attention to the second issue: How the application specifies the parameter types. Consider these three options:

    1. If the application file name is x, then the parameter types are specified by the regular expressions on consecutive lines of the file x.par.

    2. Every object file contains a parameter type segment that contains an array of strings giving the expected regular expression types.

    3. A standard library routine is provided that an application may call to check its parameters. You pass it argv, argc and an array of strings containing the regular expressions for the parameters.

    a) Which of the above schemes would help you protect a shell script from an injection attack? (0.5 points)

    b) Which of the above schemes would allow the shell to offer useful error messages to an interactive user when the user makes a typo in the parameter list of an application? (0.5 points)

    c) Which of the above schemes would allow applications the freedom to include variable-length argument lists? (0.5 points)
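
    Option 3 above could look like the following C routine. This is an added example, not part of the original assignment; the name check_params, its return convention, the exact-count rule and the two sample patterns are assumptions made for illustration.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical library routine for option 3 (name and conventions assumed).
 * Checks argv[1..argc-1] against npat POSIX BRE patterns, one per parameter.
 * Returns 0 if every parameter matches, the 1-based index of the first
 * parameter that fails, or -1 if the parameter count differs from npat or
 * a pattern does not compile. */
int check_params(int argc, char *const argv[],
                 const char *const patterns[], int npat)
{
    if (argc - 1 != npat)
        return -1;
    for (int i = 0; i < npat; i++) {
        regex_t re;
        regmatch_t m;
        /* cflags of 0 (no REG_EXTENDED) selects basic regular expressions */
        if (regcomp(&re, patterns[i], 0) != 0)
            return -1;
        int rc = regexec(&re, argv[i + 1], 1, &m, 0);
        regfree(&re);
        /* regexec() searches for a substring, so require the match to span
         * the whole argument; an unanchored pattern then cannot accept a
         * string that merely contains a valid piece. */
        if (rc != 0 || m.rm_so != 0 ||
            (size_t)m.rm_eo != strlen(argv[i + 1]))
            return i + 1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    /* Constructed parameter types: a one-letter option, then a
     * lowercase identifier. */
    static const char *const types[] = { "-[a-z]", "[a-z][a-z0-9_]*" };
    int bad = check_params(argc, argv, types, 2);
    if (bad != 0) {
        fprintf(stderr, "%s: parameter check failed (%d)\n", argv[0], bad);
        return 2;
    }
    puts("parameters accepted");
    return 0;
}
```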

  3. Background: Consider this shell script:
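    #!/bin/tcsh
    # number of arguments passed to the script
    @ params = $#argv
    # index of the argument currently being examined
    @ count = 1
    while ($count <= $params)
            if ($argv[$count] == -)
                    echo '- option encountered'
            else
                    echo "normal argument"
            endif
            # advance to the next argument
            @ count++
    end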

    This is a skeleton for a shell script that recognizes options among its argument list and processes each of its arguments in sequence. In a real application, the echo commands would be replaced by useful application code.

    a) Identify how this code could be vulnerable to an injection attack. A complete solution should include a demonstration attack that will force the script to execute an arbitrary shell command. (1.0 point)

    b) Modify the script to deter the attack, and comment on whether the modification is itself vulnerable or whether there are further possible attacks. (1.0 point)