UP23 HW1 Secured API Call

Description

The homework aims to practice library injection, API hijacking, and GOT rewriting. You have to implement a sandbox.so by following the specification given below. Please read it carefully before you implement your homework.

Specification

 

Program Launcher

 

You don’t have to implement the launcher. Please use our launcher to invoke commands and load the required shared object.

You can download our launcher from here (https://up23.zoolab.org/up23/hw1/launcher).
We use a launcher program to execute a command and load your sandbox.so using

. The launcher executes the command and passes the required environment

variables to an invoked process. The environment variables include:

SANDBOX_CONFIG : The path of the configuration file for

LOGGER_FD : the file descriptor (fd) for logging messages.

The usage of the launcher program is as follows

Usage: ./launcher sandbox.so config.txt command arg1 arg2 …

Sandbox

You have to implement the sandbox.so that supports the following features.

Implement a __libc_start_main to hijack the process’s entry point.

In the __libc_start_main , you should perform the necessary initializations and then call the real __libc_start_main .

Your sandbox.so cannot have a function with the same function name listed in the API function list. To hijack an API function, you must perform GOT hijacking in the

of sandbox.so . The functions you have to hijack are listed in the API

 

 

All functions listed below should be logged to the file descriptor (fd) passed by the environment variable LOGGER_FD (check the examples for the detailed format).

1. open

Allow a user to set the file access blacklist so that files listed in the blacklist cannot be opened. If a file is in the blacklist, return -1 and set errno to EACCES. Note that for handling symbolic linked files, your implementation has to follow the links before performing the checks.

2. read

Your implementation must log all content into a file. The log file should be named in the

format and be created at read function on this fd be called first time.

(If an fd is used more than one time in a process, keep logging the content into the same log file.)

Furthermore, your implementation has to allow a user to filter the read content based on a keyword blacklist. The filter should be active for all read operations. If the filter detects a matched keyword in a read content, close the fd and return -1 with an errno setting to EIO. Do not log the content if it is filtered.

Suppose the blacklist contains the keyword S3CR3T . The following cases should be detected by the filter.

Reading gets abcd , def , S3CR3T

Reading gets abcd , S3C , R3T (should be detected on read of the R3T )

3. write

Your implementation must log all content into a file. The log file should be named in the

format and be created at write function on this fd be called first

time. (If an fd is used more than one time in a process, keep logging the content into the same log file.)

4. connect

Allow a user to block connection setup to specific IP addresses and PORT numbers. If the IP and PORT is blocked, return -1 and set errno to ECONNREFUSED.

5. getaddrinfo

Allow a user to block specific host name resolution requests. If a host is blocked, return EAI_NONAME.

6. system

Commands invoked by system function should also be hijacked and monitored by your sandbox. Note that you cannot invoke the launcher again in your implementation. The correct and incorrect relationship for the invoked process should look like the example below.

Correct example: process1 calls system(“/bin/sh”)

– launcher

|- process1

|- /bin/sh

Incorrect example: process1 calls system(“/bin/sh”)

– launcher

|- process1

|- launcher

|- /bin/sh

Configuration File Format

The configuration file is a text file containing blocked content for each API function. For each API, the general form is as follows.

BEGIN <API>-blacklist

rule1

rule2

…

END <API>-blacklist

A sample configuration is given below.

BEGIN open-blacklist

/etc/passwd

/etc/shadow

END open-blacklist

BEGIN read-blacklist

—–BEGIN CERTIFICATE—–

END read-blacklist

BEGIN connect-blacklist

www.nycu.edu.tw:4433

google.com:80

END connect-blacklist

BEGIN getaddrinfo-blacklist

www.ym.edu.tw

www.nctu.edu.tw

END getaddrinfo-blacklist

Note that there are multiple lines between BEGIN and END tags except the read-blacklist .

Examples

Here we provide some running examples. Please notice that the results presented here could be different from your runtime environment. You may simply ensure that the behavior is expected and the output format is correct. All the running examples use the same configuration given below.
BEGIN open-blacklist

/etc/passwd

/etc/group

END open-blacklist

BEGIN read-blacklist

—–BEGIN CERTIFICATE—–

END read-blacklist

BEGIN connect-blacklist

www.nycu.edu.tw:443

google.com:80

END connect-blacklist

BEGIN getaddrinfo-blacklist

www.ym.edu.tw

www.nctu.edu.tw

google.com

END getaddrinfo-blacklist

Example1

command: ./launcher ./sandbox.so config.txt cat /etc/passwd

output:

 

[logger] open(“/etc/passwd”, 0, 0) = -1

cat: /etc/passwd: Permission denied

Example2

command: ./launcher ./sandbox.so config.txt cat /etc/hosts

output:

 

[logger] open(“/etc/hosts”, 0, 0) = 5

[logger] read(5, 0x7fb7b2db2000, 131072) = 177

127.0.0.1
localhost
::1
localhost ip6-localhost ip6-loopback
fe00::0
ip6-localnet
ff00::0
ip6-mcastprefix
ff02::1
ip6-allnodes
ff02::2
ip6-allrouters
192.168.208.2
00fd90b988c7

[logger] write(1, 0x7fb7b2db2000, 177) = 177

[logger] read(5, 0x7fb7b2db2000, 131072) = 0
Example3

command: ./launcher ./sandbox.so config.txt cat /etc/ssl/certs/Amazon_Root_CA_1.pem

output:

 

[logger] open(“/usr/share/ca-certificates/mozilla/Amazon_Root_CA_1.crt”, 0, 0) = 5

[logger] read(5, 0x7f6a9c486000, 131072) = -1

cat: /etc/ssl/certs/Amazon_Root_CA_1.pem: Input/output error

cat: /etc/ssl/certs/Amazon_Root_CA_1.pem: Bad file descriptor

 

 

Example4

Deleted because duplicated to Example1.

Example5

command: ./launcher ./sandbox.so config.txt wget http://google.com -t 1

output:

 

–2023-03-29 15:07:09– http://google.com/

Resolving google.com (google.com)… [logger] getaddrinfo(“google.com”,”(null)”,0x7f failed: Name or service not known.
wget: unable to resolve host address ‘google.com’

 

 

Example6

command: ./launcher ./sandbox.so config.txt wget https://www.nycu.edu.tw -t 1

output:

–2023-03-29 15:08:12– https://www.nycu.edu.tw/

Resolving www.nycu.edu.tw (www.nycu.edu.tw)… [logger] getaddrinfo(“www.nycu.edu.tw

203.66.32.225, 203.66.32.227,
203.66.32.231, …

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.225|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.227|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.231|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.233|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.226|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.234|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.228|:443… [logger] conne
failed: Connection refused.

Connecting to www.nycu.edu.tw
(www.nycu.edu.tw)|203.66.32.229|:443… [logger] conne
failed: Connection refused.

 

 

 

 

 

Example7

command: ./launcher ./sandbox.so config.txt wget http://www.google.com -q -t 1

output:

 

[logger] getaddrinfo(“www.google.com”,”(null)”,0x7ffd88b905f0,0x7ffd88b905b8) = 0

[logger] connect(5, “142.251.43.4”, 16) = 0

[logger] write(5, 0x56126a865840, 129) = 129

[logger] read(5, 0x56126a8658d0, 511) = 511

[logger] read(5, 0x56126a865acf, 512) = 512

[logger] read(5, 0x56126a865ccf, 129) = 129

[logger] read(5, 0x56126a865840, 6) = 6

[logger] read(5, 0x56126a866610, 8192) = 8192

[logger] read(5, 0x56126a866610, 6408) = 4650

[logger] read(5, 0x56126a866610, 1758) = 1758

[logger] read(5, 0x56126a865840, 2) = 2

[logger] read(5, 0x56126a865840, 3) = 3

[logger] read(5, 0x56126a865840, 2) = 2

Note:

You should find an index.html that contains the HTML content. And you should also find the same content in the log file.

Example8

command: ./launcher ./sandbox.so config.txt python3 -c ‘import os;os.system(“wget http://www.google.com -q -t 1”)’

output:

[logger] read(5, 0x560ce341c5e0, 3908) = 3907

[logger] read(5, 0x560ce341d523, 1) = 0

[logger] read(5, 0x560ce341cad0, 33180) = 33179

[logger] read(5, 0x560ce3424c6b, 1) = 0

[logger] read(5, 0x560ce3428530, 10922) = 10921

[logger] read(5, 0x560ce342afd9, 1) = 0

[logger] read(5, 0x560ce3429540, 1598) = 1597

[logger] read(5, 0x560ce3429b7d, 1) = 0

[logger] read(5, 0x560ce342b990, 3664) = 3663

[logger] read(5, 0x560ce342c7df, 1) = 0

[logger] read(5, 0x560ce342fd60, 6752) = 6751

[logger] read(5, 0x560ce34317bf, 1) = 0

[logger] read(5, 0x560ce3433b00, 17923) = 17922

[logger] read(5, 0x560ce3438102, 1) = 0

[logger] read(5, 0x560ce3434b10, 31557) = 31556

[logger] read(5, 0x560ce343c654, 1) = 0

[logger] read(5, 0x560ce3435af0, 4274) = 4273

[logger] read(5, 0x560ce3436ba1, 1) = 0

[logger] read(5, 0x560ce3404330, 32838) = 32837

[logger] read(5, 0x560ce340c375, 1) = 0

[logger] read(5, 0x560ce340c3f0, 10516) = 10515

[logger] read(5, 0x560ce340ed03, 1) = 0

[logger] read(5, 0x560ce3408d20, 3908) = 3907

[logger] read(5, 0x560ce3409c63, 1) = 0

[logger] read(5, 0x560ce340bf40, 3548) = 3547

[logger] read(5, 0x560ce340cd1b, 1) = 0

[logger] read(5, 0x7f7bafc41150, 226) = 225

[logger] read(5, 0x7f7bafc41231, 1) = 0

[logger] system(“wget http://www.google.com -q -t 1”)

[logger] getaddrinfo(“www.google.com”,”(null)”,0x7ffd704a8120,0x7ffd704a80e8) = 0

[logger] connect(9, “142.251.43.4”, 16) = 0

[logger] write(9, 0x55f9bb917110, 129) = 129

[logger] read(9, 0x55f9bb9171a0, 511) = 511

[logger] read(9, 0x55f9bb91739f, 512) = 512

[logger] read(9, 0x55f9bb91759f, 129) = 129

[logger] read(9, 0x55f9bb917110, 6) = 6

[logger] read(9, 0x55f9bb925990, 8192) = 8192

[logger] read(9, 0x55f9bb925990, 6383) = 4650

[logger] read(9, 0x55f9bb925990, 1733) = 1733

[logger] read(9, 0x55f9bb917110, 2) = 2

[logger] read(9, 0x55f9bb917110, 3) = 3

[logger] read(9, 0x55f9bb917110, 2) = 2

Homework Submission

Please provide a Makefile to compile your source code. Make sure your code can be compiled by make . We use the following command to test your program.

make

./launcher {your sandbox.so} {config file name} command arg1 arg2 …
Please pack your files into a single tar.gz archive and submit your homework via the E3 system.

Grading

1. [30%] Your program has the correct output for all test cases listed in the examples section.

2. [60%] We use N additional test cases to evaluate your implementation. You get 60 points for

each correct test case.

N

3. [10%] If you can perform GOT hijacking without an external program, you get 10% * {ratio of the score you got from the above two items}.

You may leverage external libraries that can be installed from the official Ubuntu package repository using the apt command. In this case, please list your library dependencies as comments in the Makefile and ensure you use the correct parameters to link against the required libraries.

Demo Steps

https://md.zoolab.org/s/gLXd81Myi (https://md.zoolab.org/s/gLXd81Myi)

Hints

You don’t need to consider the non-PIE binary. We will use PIE binary to test your program only.

You can use readelf -r to find the GOT offset of the binary.