Final Project Report



Final Project Report

For INFSCI2470

Integer Security Application

Submitted by Group 6

Njankeu, Guy, Park, Jongdo & Pawlikowsky, Derek

May 2, 2006

Table of Contents

1. Introduction 1

2. Interface and Program Design 3

3. The Prototype of the System 6

4. Simulation Design 9

5. User Study 11

6. Redesign and the Final System 13

Appendix A. Initial Problem Examples 16

Appendix B. Content Test 18

Appendix C. Current System 26

Appendix D. Survey Results 30

1. Introduction

Group Six decided to do an application that teaches the concept of how to properly deal with integers in C/C++ to avoid creating vulnerabilities.  The faculty client was Dr. Spring.  The main goal of the application is to teach users how to spot potential problems with integer based on how the programming language stores them in memory.

The Beginning

Our goal was laid out simply.  Dr. Spring gave us a list of ten questions taken from solutions for code puzzles published in the Communications of the ACM during the second half of 2005.  He identified four problems that dealt specifically with integers.  These problems can be found in Appendix A.  We were also referred to chapter five of the book Secure Coding in C and C++ by Robert C. Seacord (details available at ).  Luckily chapter five was available online at . 

Dr. Spring was under the impression that the average MSIS student would look at code problems similar to these and be unable to spot the errors in integer execution.  The goal was that, after using the application, users would be able to spot 100% of the errors. 

Client Requirement

When we met the Client, he briefly mentioned his requirement by showing a sample of tree type of errors while dealing with integer in C/C++. Based on the sample we summarized following requirement.

o Provide the user with codes that may cause integer security errors.

o Request the user to determine the value that will be printed by the code.

o Show the number of bits necessary to represent each integer in a memory.

o Show the binary representation of each integer after executing of each line.

o Provide step-by-step explanation of the code

Perspective Users

Two groups of people are the perspective users of the system. One is instructors who teach C/C++ in a class. The other group is students who learn C/C++ in a class. The instructors must provide lesson contents and questions whereas students must study the lecture and answer the following questions.

The System

The system is accessible with the following URL.



Group Contribution

Jong-do – Modification and development of prototype

Layout design

Clock-like integer visualization

General Application Tune-up

Final paper

Guy - Design Interface, Modeling & implementation of simulation of integer type errors

Collected codes and added explanation

Outline of Presentation

Final Paper

Derek - Presentation

Developed lecture materials

2. Interface and Program Design

The design for the program interface was built off of our redesign for the Rampos problet dealing with C++ pointers. This interface was developed from various user studies. It was modified for the integer problems. A copy of this design is available in Apendix B.

The Rampos problets were designed basically to quiz the user on concepts they were relatively familiar with. Our application, on the other hand would have to teach the concept to the user, then be able to test the user’s new knowledge. At the same time, we didn’t want to penalize users that are already familiar with the material. We developed a modular system that users could jump from concept to concept at their own paces, or dive straight into the assessment portion.

The contents were distilled from Seacord’s book. It’s one of the very few to actually tackle the subject. Several images used in the application came from the book, simply because they were that effective.

Task Modeling

The task model for the application is developed based on the results of the previous study, USTAD project for the class, because it was designed to quiz the user on the concepts of C/C++ pointer [Figure 1].

[pic]

Figure 1. Task Model of C++ Pointer Problet

Since the client wanted similar educational software, we modify the above task model accordingly to take into account the constraint inherent to the integer security problette. We removed ‘check time’ task because, the purpose of the new applet is not to quiz students. It’s only for the self-study of the students who want to understand those concepts. ‘Modify selection’ task is also removed because the question type is different. In the new system, the user can submit only one answer in a given text field. This is one of the client’s requirements: He wanted the user to determine the result of given code. New task model for the system is shown in figure 2.

[pic]

Figure 2. New Task Model of the New System

Scenarios of Usage

To build the prototype, we developed scenarios of usage as follows. These scenarios were come from the users’ tasks which were articulated by the client and resulted from the previous USTAD project.

Scenario 1: Learn the concepts from the lecture

1. Select lecture tab

2. Choose a topic from table of contents

3. Read the content

4. In some cases, play with simulations

Scenario 2: Practice the concepts with questions

Case 1: The user knows the answer

1. Select questions tab

2. Choose a question

3. Examine the code

4. Answer the question and submit the answer

5. Read explanation

6. Click each line and see the simulation and its explanation

7. Go to the next question

Case 2: The user doesn’t know the answer

1. Select question tab

2. Choose a question

3. Examine the code

4. Click ‘I don’t know’ button

5. Read explanation

6. Click each line and see the simulation and its explanation

7. Go to the next question

Scenario 3: Read lecture and take the exercise

1. Follow scenario 1

2. Follow scenario 2

3. The Prototype of the System

The primitive prototype of the system is come from the results of the previous USTAD project [Picture 1] as we discussed above.

Layout

Based on the design, we developed primitive prototype as [Picture 2] and [Picture 3]. The prototype inherits main characteristics of the previous model. We provided two tabbed panels: one is for lecture and the other is for questions. In the lecture panel, [Picture 3], table of contents is provided with JTree components. On the right pane is reserved to show each contents of a selected topic. To separate the screen, we uses split pane that enable the user to hide or show the table of contents as they wants. [Picture 3] shows the prototype for questions. In the panel the user can practice the concepts of integer security by solving the questions, by debugging the provided codes, and by simulating the process. So, we placed four main panes: in the code pane, direction and codes are shown; with the answer pane, the user can input answer and submit it; the binary representation pane provides simulation of binary processing in the memory by steps; in explanation pane, explanations on each line of the codes are displayed in a text field.

[pic]

Picture 1.

[pic]

Picture 2. Primitive Prototype - Lecture

[pic]

Picture 3. Primitive Prototype - Question

Lecture Part

Lecture part is designed for instructors who teach integer security problems in C in a class. In the previous USTAD project, we figured out that it is difficult to use the C/C++ pointer problette for users who have no knowledge of pointer in C no matter what the system has good interface and is designed well. So, we added lecture panel not only for instructors but also for students. With the lecture part, students who want to understand the topic of integer security can refer the contents of the lecture so that they can understand the concepts more clearly. Finally, this can help the user to use and understand the application well.

We designed the lecture panel to accommodate html files. So, the instructors who want to provide information on the topics can easily publish the information within the applet.

Question Part

The question was developed for students. For each question, students would have to determine the value returned by the program, see the step by step simulation and explanation. This will help students to master concept pertains by each question.

The question panel is consists of four sub-panes as we mentioned above.

1. Code pane: direction and codes are provided.

2. Answer pane: the user can input answer and submit it.

3. Binary representation pane: show the contain of each integer during step-by-step execution of the code.

4. Explanation pane: explanations on each line of the codes are displayed in a text field.

4. Simulation Design

To have the users understand the concepts, we used two metaphors: binary representation and clock-like representation of integer.

Binary Representation

The binary representation simulated each integer type by providing the number of blocks (octets) that declared integer needs. We also provide each binary representation for each integer in the code. For example, I and j are operands for a binary operator, k contains the intermediate result if appropriate, 1 contains the final result. Those variables have to be manipulated according to the question provided. Each block represents 8bits and each integer has to be represented by 8 blocks at most in this current version. The type of each integer determines the number of blocks (octets) needed to represent the integer.

[pic]

Picture 4. Prototype – Binary Representation for Variables.

Clock-like Representation

The clock-like representations is for simulating integer representation (4bit, two’s complements). This idea is come from Seacord’s book that we referred. Seacord presents a circular diagram of integer representations. However, we implemented the representations as interactive and dynamic process. By playing the representation, the user can figure out the difference in decimal value of binaries.

[pic]

Picture 5. Clock-like Representation for Integer

5. User Study

With the system, we did user study to verify its usability and redesigning. The survey was executed from April 30 to May 1, in 2006.

Methods

For the user study, we did questionnaire survey to collect data. Since the system is accessible on the Web, we provided online questionnaire form to the subjects. To provide online questionnaire, we used SurveyMonkey[1] that provides online survey service. One of the features of the online survey is that the subject can participate in the survey at their location so that we can collect data from scattered locations. With the help of SurveyMonkey, we could easily design and publish the online questionnaire form.

Sample Size

As a result, we could collect 14 subjects in two days. Some of them did survey at the school and the others did survey at their home.

Questionnaire

We designed the questionnaire to collect information on:

5. General information (Q1)

6. Programming language skill (Q2 - Q3)

7. System evaluation (Q4 - Q10)

We provided 10 questions:

1. What is your final education level?

2. Please indicate your knowledge with computer programming languages except C (Java, PHP, C#, Perl, etc). (3 scale)

3. Please indicate your knowledge with C or C++ language. (3 scale)

4. Please indicate how you feel about the layout? (5 scale)

5. Please indicate how easy it is to interact with the system in terms of navigation, question selection, and answering to the question. (5 scale)

6. In the demo system how do you feel about the binary representation of variable and the step-by-step simulation of the code? (5 scale)

7. Do those explanations help you to understand the security problem while manipulating integer? (5 scale)

8. In the lecture part, you can see a clock-like representation of integer types in the “integer types” topic. This representation is for simulating integer types. (Currently, only for unsigned) Could you provide your opinion on the representation? (open question)

9. Please, list the most negative aspect(s) and your suggestion(s). (open question)

10. Please, list the most positive aspect(s) and your suggestion(s). (open question)

Results Analysis

Through the survey Q9 and Q10 help us to gather some useful information. The novice in C/C++ language finds almost everything difficult while taking sample question. They suggest that we emphasize on the semantic aspects. This means that a novice must study the lesson first in order to be familiar with the terms being used, then the novice can answer those sample questions. Therefore, lesson should be an import aspect of our educational aspect.

Surveyor also wanted us to add more questions, to increase the complexity of questions in order to really assess the behavior of the system. This must be done in a future work.

Surveyor didn’t know those errors impact the security of application, they suggest to add more comment and to show how those errors are related to security issues.

The clock-like representation was not quite understandable at first glance they suggest that we put more label. What we did in the new design.

They really appreciate the layout and the simulation process.

6. Redesign and the Final System

Redesign

Our user model, a graduate student in SIS suggested removing tab3 panel since for the moment it has not yet implemented what we did. He raised another point namely a user need to navigate among the questions. Moreover, he was surprised by the fact that we gave the possibility to the user to modify the dimension of the different panel although information contained in each panel has fixed size. Therefore we redesign the interface accordingly.

[pic]

Picture 6.

The survey helps to improve the clock-like representation of two complement. Based on the users’ complains, we modified the old one [Picture 7] as new one [Picture 8].

[pic]

Picture 7. Old Clock-like Representation

[pic]

Picture 8. Modified Clock-like Representation

Features of the System

Can provide Lecture

An instructor can provide lecture within lecture panel. The panel supports html files so that an instructor can easily make his/her lecture in html files and publish it with the system.

Easy to add codes and their explanation

We implemented a class to add codes. An instructor can add more codes simply add string arrays that have line-based codes and the explanation on each code. This seems to be easier than xml file.

Simulation of Integer Overflow

It simulates integer overflow with interactive clock-like integer visualization. The user can interact with the visualization and check the value difference in binary and decimal number. This simulation is provided in the lecture panel. You can see it at integer overflow in the chapter of integer error conditions.

Binary Representation

It simulates step-by-step integer changes of a code. User can follow those steps and see memory allocation and value changes with the visualization.

Integer Type Errors

Deal with three most serious problems of integer type errors: integer overflow, integer truncation error, and integer sign error.

Appendix A. Initial Problem Examples

Problem #3

bool func(size_t cbSize) {

if (cbSize < 1024) {

// we never deal with a string trailing null

char *buf = new char[cbSize-1];

memset(buf,0,cbSize-1);

// do stuff

delete [] buf;

return true;

} else {

return false;

}

}

But what if cbSize is zero? Look at the code that allocates the buffer—it subtracts one from the buffer size request. Subtracting one from zero causes a size_t variable, which is an unsigned integer, to wrap under to 0xFFFFFFFF (assuming a 32-bit value), or 4GB. Your application just died—or worse!

Problem #4

bool func(char *s1, size_t len1,

char *s2, size_t len2) {

if (1 + len1 + len2 > 64)

return false;

// accommodate for the trailing null in the addition

char *buf = (char*)malloc(len1+len2+1);

if (buf) {

StringCchCopy(buf,len1+len2,s1);

StringCchCat(buf,len1+len2,s2);

}

// do other stuff with buf

if (buf) free(buf);

return true;

}

This code suffers from an integer overflow. What if len1 is 64, and len2 is 0xFFFFFFFF? The code that determines whether the buffer size is legal adds 1, 64, and 0xFFFFFFFF together, which yields 64, because the addition operation wraps around. Next, the code allocates only 64 bytes in length, and then concatenates 0xFFFFFFFF bytes to the string. Once again, the application dies, and in some cases, some code when attacked with carefully crafted sizes can lead to exploitable buffer overrun attacks.

There’s a lesson here—safe string handling functions are not safe if you get the buffer size calculation incorrect.

Problem #5

bool func(byte *name, DWORD cbBuf) {

unsigned short cbCalculatedBufSize = cbBuf;

byte *buf = (byte*)malloc(cbCalculatedBufSize);

if (buf) {

memcpy(buf, name, cbBuf);

// do stuff with buf

if (buf) free(buf);

return true;

}

return false;

}

What if cbBuf is 0x00010020? cbCalculatedBufSize is only 0x20 because only the lower 16-bits from 0x00010020 are copied. Hence only 0x20 bytes are allocated, and 0x0010020 bytes are copied into the newly allocated target buffer.

Problem #7

bool DoSomething(const char* server)

{

unsigned char namelen = strlen(server) +2;

if (namelen < 255)

{

char* UncName = malloc(namelen);

if(UncName !=0)

sprintf(UncName, “\\\\%s”);

//some other stuff

}

…

}

You're looking at a heap overrun waiting to happen. I've used an 8-bit integer type to keep the math simple, but larger integers still run into the same problems. If the length of the input string is 254 or 255, we have a problem. We'll either be putting 255 bytes into a 1-byte buffer, or if the length is 254, we'll end up calling malloc(0), which then returns a valid heap pointer, and again you write data to the wrong location.

An underflow occurs when a subtraction operation yields a result that isn't accurate. For example, if you have unsigned 8-bit values, 0 – 1 = 255!

Appendix B. Content Test

[pic]

[pic]

[pic]

[pic]

[pic]

[pic]

[pic] [pic]

[pic]

[pic]

[pic]

[pic]

[pic]

[pic]

[pic]

Appendix C. Current System

[pic]

[pic]

[pic]

[pic]

Appendix D. Survey Results and Analysis

-----------------------

[1]

................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download