Homework 2

CS5231 – Systems Security
Homework 2: Binary Exploitation and Provenance

Due date and time: 23:59pm, October 18, 2025. This is a firm deadline. This homework
MUST be finished independently.

1. Introduction
In this homework, you will get familiar with vulnerability exploitation and attack provenance
with audit logs.
This assignment is divided into two parts --- PartA and PartB. The PartA consists of a custom
program with a hand-crafted memory corruption bug while the PartB consists of a hand-crafted
malicious program.
2. Environment Setup

2.1. VM
You will reuse the VM in Homework 1 to complete this Homework 2. In the VM, download
and decompress the A2.zip file from Canvas, and put the A2/ directory under
/home/student/. (For the UTM-based VM, please put A2/ under /home/user/)
Then, install the software dependencies via apt:
sudo apt update && sudo apt install -y ssh execstack vim make
gcc gcc-multilib auditd curl
cat ~/A2/GPG-KEY-elasticsearch | sudo apt-key add –
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable
main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update && sudo apt-get install auditbeat
sudo service auditd stop

2.2. Disable ASLR
Address Space Layout Randomization (ASLR) is enabled by default on the VM which you
received. In order to complete some of the assignments, ASLR will have to be disabled. To do
so, you can execute the following commands as root:
echo 0 > /proc/sys/kernel/randomize_va_space
Homework 2

Note that this option will be reverted every time the VM is restarted so do remember to disable
ASLR again if the system is restarted.
Alternatively, you can execute the following command to make the ASLR setting persistent:
sudo sysctl -w kernel.randomize_va_space=0


3. PartA [8 points]
What is given? For this section, we provide you with a vulnerable program cstarget. The
program is in /home/student/A2/PartA/programs.

There is a memory safety bug in it. We have provided the skeleton for the exploit. The program
cstarget.c is compiled with an executable stack and no stack protector.

What should you do? Your task is to identify the type of vulnerability in the program, write
an exploit code for it. Your exploit code when executed should yield a shell (/bin/sh). You
can use any of the attack techniques like arbitrary code injection, format string vulnerability
exploitation, return address corruption, etc. to exploit the program. In the exploit program, you
should use the actual stack location of the vulnerable program that is corrupted. Note: You are
not allowed to use get_sp function as explained in the reading material “Smashing the stack
for fun and profit”.

3.1. Inputs: /home/student/A2/PartA/programs.
You are given one vulnerable program for the PartA in the ~/A2/PartA/programs folder.
You need to install the program in /tmp directory. Perform the following steps to install it:
Installation. To install the vulnerable program cstarget in /tmp directory:
./install.sh
Every time you reboot the VM, you will need to install the vulnerable program in /tmp
directory by running ./install.sh in the /home/student/A2/PartA/programs
folder.
Note: You MUST NOT recompile the cstarget program by yourself! The source code file
cstarget.c and Makefile are only for your reference.

3.2. Output: /home/student/A2/PartA/exploits
This directory contains the skeleton solution (exploit.c) used to generate exploit for the
respective program (cstarget.c). The purpose of files found in this directory is as follows.
exploit.c. You are given a skeleton exploit program in the PartA/exploits folder.
You need to write the code in this skeleton program to exploit the vulnerable program. This
Homework 2

program executes the corresponding vulnerable program (i.e.: exploit.c will execute program.c)
using execve and passes the argument from the exploit code.
shellcode.h. Included in this directory is shellcode.h file which contains a copy of
Aleph One’s shellcode from “Smashing the stack for fun and profit”. You can use the shellcode
by including shellcode.h in your exploit program. You can use shellcode written by
yourself or elsewhere as well.
Makefile. The Makefile contains instructions used by make to compile the exploit program.
Note: You need to complete the exploit.c file with the Makefile.


4. PartB [10 + 2 points]
What is given? For this section, we provide you with a malicious program
malicious_prog. The program is in /home/student/A2/PartB.

What should you do? Your task is divided into two sub-tasks:
1. Audit log collection. You are asked to use the system service auditbeat to intercept,
collect, and parse audit logs of certain system calls invoked by the malicious program
malicious_prog. The execution of malicious_prog will invoke many system
calls. You need to configure the auditbeat service to monitor and log the following
system calls. The audit logs should capture as much information related to the activities
of the malicious program as possible.
2. Provenance. After you collect the audit logs, you need to write program(s) (in any
language you like) to parse and analyze them. Ultimately, you need to draw a
provenance graph (manually or using techniques, such as Python or neo4j) to
demonstrate the key activities of this malicious program. The figure below (from
elsewhere) serves as a provenance graph example, where the nodes represent processes
or files, and the edges represent syscall(s).


Background Knowledge and Quick Start
Configuring auditdeat. First, you need to properly configure the audit subsystem. To
configure the rules for system auditing, you are required to modify the following file:
/etc/auditbeat/audit.rules.d/audit-rules.conf
This link provides a sample configuration:
https://github.com/Neo23x0/auditd/blob/master/audit.rules
Homework 2

Please refer to the following link on how to define auditing rules: Defining Audit Rules.

Below are useful links for your reference.
1) https://access.redhat.com/documentation/en-
us/red_hat_enterprise_linux/7/html/security_guide/chap-system_auditing
2) https://www.elastic.co/guide/en/beats/auditbeat/current/index.html
Generating Audit Logs. After configuring auditbeat, you can follow below steps to generate
the audit logs.
S1) Start Auditbeat. After configuring auditbeat, you can use the following command to start
the service:
sudo service auditbeat start
S2) Run the Malicious Program. After the auditbeat service is started, you are required to run
the malicious program. (You will the additional 2 points if you run the malicious program
within the shell spawned by the exploit in PartA. You need to provide screenshot in the report
and the provenance graph should include the exploit related nodes and edges.)
./malicious_prog
S3) Collect Audit Logs. When the auditbeat service is stopped, audit logs are generated in JSON
format under the directory /var/log/auditbeat/. You can copy the log file into another directory.
sudo service auditbeat stop
Remarks. Note that each log entry represents a system call event. Specifically, all the original
system call parameters and the return value are contained under the field “auditd”, represented
under subfields “a0”, “a1”, …, “exit”. If the system call is related to a file open event (e.g.,
open, openat), a field “file” will indicate which file it operates on. Also note that audit logs of
read and write only contain system call arguments and the return value, while audit
logs of open will contain the file they operate on. To parse the read and write system
calls, you should get familiar with the meaning of all arguments and return value of every
system call.

Hint
- You can use strace to inspect the syscalls invoked by the malicious program.
- You could run the malicious program for many times if necessary.


5. Submission
For PartA, you need to submit the final exploit.c file with a brief report (1 page) to show
your analysis for the vulnerability and explain your exploitation method.
Homework 2


For PartB, you need to submit a report (no more than 4 pages), which must include:
1. How do you configure the rules and capture the audit logs?
2. Are there any issues during the experiment? How do you solve them?
3. How do you analyze the audit logs and build the provenance graph?
a. You can append key algorithms or code, if necessary.
4. The provenance graph you build for the malicious program.

Please organize your submission as the hierarchy below and compress it into a zip file named
as [YOUR_STUDENT_ID]-hw2.zip:
[YOUR_STUDENT_ID]-hw2/
- exploit.c
- report-a.pdf
- report-b.pdf

Size Limit. Please keep the total size of your files for submission (before compression) within
20 MB.
Time Limit. We limit the execution time of your exploit to 5 seconds (for PartA).


6. Reading Materials
Suggested reading in Phrack, www.phrack.org (You don’t need to read all of them):
Aleph One, “Smashing the Stack for Fun and Profit,” Phrack 49 #14.
Scut, “Exploiting Format String Vulnerabilities,” https://cs155.stanford.edu/papers/formatstring-
1.2.pdf
Saif El-Sherei, “Format String Exploitation-Tutorial,” https://www.exploit-
db.com/docs/english/28476-linux-format-string-exploitation.pdf




学霸联盟