Information Systems Security Lab: Code Vulnerability (Buffer Overflow)

    May 5, 2024

CYBR 555

Questions

In your answers, indicate your level of engagement (e.g. don't know what it is, know what it is but never used, used once, extensively, installed, and configured).

1. Have you ever used or installed a software hypervisor like VirtualBox or VMWare?
2. Have you ever used or installed Linux (if so, what distribution)?

3 Laboratory

3.1 Description

In this lab, you are given a program with a potential buffer-overflow vulnerability and tasked with analyzing, identifying and correcting the vulnerability.

A crude description of a buffer overflow is the situation in which too much data is, accidentally or maliciously, stored in an object, causing adverse effects to the program. In this context, "too much data" is relative to the size and capacity of the "object storing the data". The "object storing the data" can be anything, ranging from a data structure (e.g. an array) in modern programming languages to lower-level structures like registers when programming in assembly. When this happens, the adverse effect may manifest as a program crash or as a transition of the program into a state that offers an adversary an exploitable vulnerability.

3.2 Tasks

1. Select ONE of the provided code segments.
2. Compile[2] and run the code.

Questions

1. Program Analysis:
   (a) (5 pts) Describe the expected behavior of the program by reading the code.
   (b) (5 pts) Describe the input you used to cause a buffer overflow when you ran the code.
   (c) (5 pts) How did the buffer overflow manifest? Provide the exact error you received as evidence.
2. (20 pts) Identify and describe the buffer overflow problem in the code.
3. (20 pts) Describe how you would prevent the buffer overflow from occurring in the code.
4. (40 pts) Correct the program to eliminate the buffer overflow problem. In the provided code, make sure you add comments to indicate what is being changed.
5. (5 pts) Describe the behavior of the corrected program.

[2] Compile and run on your own computer or on a lab/classroom/departmental computer. Avoid using a web-based platform for compiling code such as Jdoodle, OnlineGDB, Online-Python, etc. Many of these platforms have built-in security mechanisms that block the execution or obscure messages in cases of buffer overflows, because they may consider them attacks on the website.

4 Code

The code we will be working with is a very simple program. The pseudocode is listed below, while executable code segments in C, Java and Python are provided in subsequent pages.

    integer tests[10];
    integer test;
    integer count;
    Display "Enter number of elements:"
    Input count
    for (integer i = 0; i < count; i = i + 1)
    begin
        Display "Enter a number:";
        Input test;
        tests[i] = test;
    end

Select only ONE of the code segments (C, Java or Python) to answer the questions.

NOTE: Be careful when you copy-paste code; it may introduce unwanted characters or spacing that can cause the compiler or interpreter to generate errors. You are encouraged to type in the one small code segment you plan to work with.

4.1 C
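The pseudocode above declares tests with room for 10 integers but lets count come straight from the user, so the loop writes tests[i] for every i below count, including i >= 10. The C program below is an added example, not the handout's own C segment from section 4.1: it keeps the same data flow (read a count, then read that many values into a fixed-size array) and adds the checks the pseudocode lacks. The function names, the MAX_TESTS constant and the practice of feeding input as a newline-separated string instead of reading stdin are all assumptions made here so that the logic can be exercised offline.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the tests[] array, matching "integer tests[10]" in the pseudocode. */
#define MAX_TESTS 10

/* Parse one text line as a long; reject empty lines, trailing junk and numeric
 * overflow. Returns 1 on success and stores the value in *out. */
int parse_long(const char *text, size_t len, long *out)
{
    char buf[32];
    char *end;
    long v;

    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, text, len);
    buf[len] = '\0';

    errno = 0;
    v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0')
        return 0;
    *out = v;
    return 1;
}

/* The bounds check missing from the pseudocode: a count is usable only if it is
 * non-negative and does not exceed the capacity of the destination array. */
int count_fits(long count, size_t capacity)
{
    return count >= 0 && (unsigned long)count <= capacity;
}

/* Read a count and then that many values from `input` (newline-separated text,
 * a constructed stand-in for what a user would type on stdin). Never writes
 * past tests[capacity - 1]. Returns the number of values stored, or -1 if the
 * count is rejected or the input is malformed or truncated. */
int collect_tests(const char *input, int *tests, size_t capacity)
{
    const char *p = input;
    const char *nl;
    size_t len, stored = 0;
    long count, value;

    /* First line: the element count. */
    nl = strchr(p, '\n');
    len = nl ? (size_t)(nl - p) : strlen(p);
    if (!parse_long(p, len, &count))
        return -1;
    if (!count_fits(count, capacity))   /* the fix: refuse oversize counts */
        return -1;
    p = nl ? nl + 1 : p + len;

    /* Remaining lines: one value per line, at most `count` of them. */
    while (stored < (size_t)count) {
        if (*p == '\0')                  /* fewer values than promised */
            return -1;
        nl = strchr(p, '\n');
        len = nl ? (size_t)(nl - p) : strlen(p);
        if (!parse_long(p, len, &value))
            return -1;
        if (value < INT_MIN || value > INT_MAX)
            return -1;
        tests[stored++] = (int)value;
        p = nl ? nl + 1 : p + len;
    }
    return (int)stored;
}

int main(void)
{
    int tests[MAX_TESTS];
    /* Constructed inputs: one valid run, one that asks for 11 elements. */
    const char *ok = "3\n10\n20\n30\n";
    const char *too_many = "11\n1\n2\n3\n4\n5\n6\n7\n8\n9\n10\n11\n";

    printf("valid input stored %d values\n", collect_tests(ok, tests, MAX_TESTS));
    printf("oversize count result: %d (rejected)\n",
           collect_tests(too_many, tests, MAX_TESTS));
    return 0;
}
```

The important line is the count_fits call: once the count is bounded by the array's capacity, the loop index can never reach an out-of-range element, so the stray write that the unchecked pseudocode allows cannot happen. Rejecting negative counts and unparseable text closes the other ways a user-supplied count can drive the loop into undefined behaviour.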
