Telecommunications software and multimedia laboratory

TML / Studies / T-110.402 / Homeworks

2002: Homework 3

The deadline is Tuesday 19.11.2002 at 15:45.


Remember to acknowledge your sources!

Software security

  1. Terms and concepts (12 points)

    1. Explain the following concepts and what they have to do with security:
      • input validation (2 p)
      • format string vulnerability (3 p)
      • buffer overflow (2 p)
      • race condition (3 p)
    2. Explain briefly what buffer overflow and format string vulnerabilities basically have in common. (2 p)

  2. Example (10 points)

    1. What is wrong in the following program? (5 p)
    2. What can happen if this program is installed by the administrator and the suid bit is set? (2 p)
    3. How could the program be made better? (just explain, no need to write any code) (3 p)

    /* do_something.c  */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void do_something(char* tmp) {
        /* does something, not relevant for this assignment */
    }

    int main(int argc, char** argv) {
        char uname[64];
        if (argc == 2)
            do_something(argv[1]);
        else {
            strcpy( uname, getenv("USER") );
            printf("Hi %s, you gave wrong number of arguments.\n\n", uname);
        }
        return 0;
    }

  3. Another example (8 points)

    Here is a form that Random L. User has on his website so that he can get feedback:

    <p>Send me a message!</p>
    <form METHOD="POST" ACTION="">
    <INPUT TYPE="hidden" NAME="my_address" VALUE="">
    <INPUT TYPE="text" NAME="message" SIZE="160">
    <input TYPE="submit" NAME="submit" VALUE="Submit">
    <input TYPE="reset" NAME="reset" VALUE="Clear">
    </form>

    The following program sends the feedback onwards as email. The program is executed by the account cgi-bin, which has only minimal rights.

    # Remove encoding
    my $input = <>;
    $input =~ s/\+/ /g;
    $input =~ s/%40/\@/g;
    # Collect data
    %inputs = map{split('=', $_)} split('&', $input);
    # Add mail headers to the beginning of the message, store in temporary file
    open (TMP,">/tmp/message");
    print TMP "To: $inputs{my_address}\nFrom: my webform\n$inputs{message}\n\n";
    close TMP;
    # Mail message
    exec("/usr/lib/sendmail -t $inputs{my_address} < /tmp/message");

    1. What is the security hole in the script and what does it allow an attacker to do? (5 p)
    2. What does an attacker need to do to exploit the hole? (3 p)

  4. Feedback (max. 2 p bonus)

    How long did it take to do this assignment? Was the assignment too easy or too difficult? How could the assignment be made better?


The answers should be written to a text file (not e.g. a MS Word document). At the beginning of your answer file you should write your name and your student number. The answer file is signed and then returned by e-mail. You can also encrypt the file with the course public key if you want to.

One way to sign the answer file is clearsigning, which does not compress the text. This can be done in the following way:
gpg --clearsign -u 'my_username' ans_3.txt
where ans_3.txt is the answer file. (If you want, you can alternatively use the normal signing, i.e. the option -s instead of --clearsign)

The signed file is then sent to the address with the subject ASSIGNMENT 3
This can be done e.g. from the command line like this:
mailx -s "ASSIGNMENT 3" < ans_3.txt.asc
(Note that in the command above, the quotes are not part of the subject but they tell the shell that the subject consists of several words.)

NB: There is no automatic confirmation for returns. Save your answer files, at least until you get results, preferably 'til the end of the course.

This page is made by assistants of the course. Newsgroup of the course: opinnot.tik.verkkoturva
Last updated 30.10.2002.