Security is Your Duty!The Secure Programming module is taught by Hayo Thielecke and I am the TA. This page will list announcements and I will list the exercises for this module (including solutions) as soon as the deadline is crossed. This year we have chosen to keep the students in shape and prepare them along the way for the exam. We will be issuing both homework and classwork consisting of short exercise that everybody should be able to do.

The exercises and solutions will be posted here in order. If you have any questions regarding the exercises, please feel free to e-mail me. If you have any general questions regarding the module, please address them to Hayo Thielecke.

This is the list of exercises we have so far:

Talk on Buffer Overflows

I will hold a talk during Hayo Thielecke's Secure Programming module on the topic of buffer overflows by giving a simple example how one can redirect the execution flow to a particular point in a program. Time-allowing, we will be using two different programs: a silly example and a more advanced example with a proper authentication mechanism. The first example will give a short introduction to basic concepts about the GNU compiler, the GNU debugger and explain what can be achieved in terms of jumping and in the second example we will try to bypass an authentication mechanism entirely by using a custom crafted buffer overflow exploit. You can download the slides for further reference. Also,  I provide the code to test for yourself if you have an older version of gcc (gcc-3.4.6 was tested). We tested the following two examples silly.c and auth.c and we built two exploits exploit-silly.pl (and the C version although it continuously repeats the 4 byte return address), and the second exploit exploit-auth.pl.

Using FindBugs with Eclipse

Installing FindBugs

In order to get FindBugs to work with Eclipse, you will need to specify an install URL. This is done by starting Eclipse and going to the menu item "Help" and selecting "Install software..." (this may vary depending on the Eclipse version you have installed). Once there, a screen pops up asking for an URL. You will see something along the lines of "Work with: type or select a site" and an "Add..." button next to it. Click the "Add..." button and in "Name:" type FindBugs and in "Location:" type the following URL: http://findbugs.cs.umd.edu/eclipse. You should have something similar to this screenshot.

After that, it should retrieve the latest copies available for FindBugs. FindBugs should appear in the box below. You don't need to expand the whole tree, just tick the box next to FindBugs and select next. The very first time you try installing it, it might crash. If it does just relaunch Eclipse again and try the steps above again. After that, Elipse should start downloading and installing FindBugs. If you get a prompt about unsigned software, accept it and go through the rest of the wizard.

To verify your program using FindBugs, you need to right click the project folder and select "Find bugs...". The menu item should be roughly half way down and by clicking it FindBugs will analyse the code for you and you can display the results in the bottom pane by expanding the "Warning" and "Error" sections.

Asiri Rathnayake has created a screencast on how to do this.

Converting the JavaBot to Eclipse

Now you need to get the JavaBot 0.3.5 package. You can find a copy on Hayo Thielecke's website. Next is getting the JavaBot converted to an Eclipse project. You can check out this screencast by Asiri Rathnayake which should help you convert the project to Eclipse.