This lab was developed by Prof. L. Felipe Perrone. Permission to reuse this material in parts or in its entirety is granted provided that this credits note is not removed. Additional student files associated with this lab, as well as any existing solutions, can be provided upon request by e-mail to: perrone[at]bucknell[dot]edu
It should go without saying that all the work that you will turn in for this lab will be yours. You should try your best to debug your code on your own, but it’s fine to get help from a colleague as long as that means getting assistance to identify the problem and doesn’t go as far as receiving source code to fix it (in writing or orally).
There is no skeleton code that will be given to you for this lab. Instead, you will start from your solutions to previous lab assignments. Feel free to leverage any code given to you and created by you in this class.
In previous labs you have been developing a client-server application for a flight reservation system. So far, you haven’t been told to pay attention to security at all, which is a serious flaw in the development of a robust, secure application. As we now know, security cannot be effectively sprinkled on after the development has concluded, but instead it must be baked in starting from the design of an application.
At this point, you must be asking why we didn’t start with security in mind, which is a very valid question. The answer is simple: we wanted you to have a code base developed without that level of care and responsibility so that you had material for a security assessment.
Create a Lab7 subdirectory in your directory for this class. Copy into it the complete contents of your code base for the Lab6 assignment, including your Makefile.
It should go without saying that your first order of business is to arrive at a functional state with your Lab 7, that is, it should work to specifications without any kind of segmentation fault or other crash.
Once you have that completed, you will go through your code for Lab 7 and look for any possible instances of any kind of C programming that creates security vulnerabilities, such as:
In your Lab7 directory, create a file called report.txt into which you will write itemized, organized notes stating all the problems that you have identified in the assessment of your code base. We are looking for you to show samples of code with the errors identified and a brief description of how to fix them so that you have documentation of the lessons you learned.
Correct all the issues you identified in your source code in the Lab7 directory. Run valgrind on your code base to identify any memory leaks or pointer problems. Do your best to correct what you find. You can use the AI of your preference to identify and to correct problems with your code base. Note that in this assignment, you are using the AI as a helping tool, not as a crutch for code development. Create a file called lessons.txt in which you explain which AI you used and what lessons about secure programming you have been able to learn from using it.
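As an illustration of the kind of before/after pair a report.txt entry can document, here is an added example that is not part of the original lab handout or its solutions. The struct, the function names, and the 32-byte field size are hypothetical, and the code assumes the caller has already NUL-terminated the string it received from the client.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASSENGER_LEN 32   /* hypothetical field size */

/* Hypothetical reservation record; your lab's structures will differ. */
struct reservation {
    char passenger[PASSENGER_LEN];
    int  seat;
};

/* BEFORE: trusts the length of a client-supplied name. A name of
 * PASSENGER_LEN bytes or more overruns passenger[], first into seat and
 * then past the end of the heap block. malloc's result is not checked,
 * and the record is leaked when the seat number is rejected. */
struct reservation *make_reservation_unsafe(const char *name, int seat) {
    struct reservation *r = malloc(sizeof *r);   /* may be NULL */
    strcpy(r->passenger, name);                  /* unbounded copy */
    if (seat < 1) return NULL;                   /* r is never freed */
    r->seat = seat;
    return r;
}

/* AFTER: validate first, allocate second, bound every copy. */
struct reservation *make_reservation_safe(const char *name, int seat) {
    if (name == NULL || seat < 1) return NULL;
    size_t len = strlen(name);                   /* assumes NUL-terminated input */
    if (len == 0 || len >= PASSENGER_LEN) return NULL;  /* reject, do not truncate */
    struct reservation *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    memcpy(r->passenger, name, len + 1);         /* copy includes the NUL */
    r->seat = seat;
    return r;
}

int main(void) {
    char long_name[2 * PASSENGER_LEN];           /* constructed oversized input */
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    struct reservation *ok  = make_reservation_safe("Ada Lovelace", 12);
    struct reservation *bad = make_reservation_safe(long_name, 12);
    printf("accepted=%s seat=%d oversized_rejected=%d\n",
           ok ? ok->passenger : "(null)", ok ? ok->seat : -1, bad == NULL);
    free(ok);
    return 0;
}
```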
Once you have everything working, run “make clean” on it to get rid of all editor backup files, object files (.o), and executable code. Create a file called state.txt in which you explain whether the full functionalities of client and server are in correct working condition. Add all the contents of the folder to your local git repository with “git commit” and then do a “git push” so that we can see your final version of the client/server application.